Hi all, quick Q as I’m worrying myself about my home network security…
Question:
DMZ, is my 1st network safe? Can the network be infiltrated? Having pre-firewalled Internet flowing through the 1st network looking for the WAN’s IP x.x.x.254 feels bad.
Thanks, TT24
Back Story:
Basically my flatmates bought a Virgin Media fibre line here in the UK. The bill payer has fallen for the marketing (“best wifi ever” etc.) and says it’s snappy, yet only uses an XB360 and phones. So he wants to use the free and rather basic router from Virgin rather than putting that in modem mode and using my RT-AC87U as the access point.
I have now set up a DMZ on the 1st router to the WAN IP of my AC87U. Most of the house use the 1st router as normal, but I have my Plex/backup server, media devices, mobiles etc. all connected to the 2nd router (RT-AC87U). It works like a charm: QoS, VPN, logging all good.
Today I wanted to research having network 1 talk to network 2 locally, e.g. network 1 devices able to use my server, network 2 devices able to stream to network 1 speakers. *If anyone has advice here, say hi.
What I knew and learned when setting this network up was that a DMZ set to IP x.x.x.254 will open only that IP to the web, or rather the router opens the doors to any traffic for that IP. But I keep seeing/hearing that you should only use network 2, that network 1 is unsafe. It started getting me worried that I was opening everyone’s devices but mine to the open web without knowing.
You would probably be better served flattening the network and putting the Virgin modem into bridged mode. It will make your life a little easier if you have devices/software that depend on broadcasts for discovery (Chromecasts, Steam In-Home Streaming, etc.). You mention that’s not possible, so it’s going to lead to more fiddling and going down the networking rabbit hole. Welcome to the club, we have jackets.
It wasn’t clear so I am guessing:
Network 1 is the top level (ISPs modem)
Network 2 is your network (served by AC87u).
Putting the AC87U in the DMZ means it bypasses the firewall. No, it won’t be any more insecure, assuming:
- The cable goes out of the Virgin modem’s switch ports (non-WAN port) and into the WAN side of the AC87U.
- You apply the necessary firewall rules on both modems so that you aren’t opening unnecessary ports to the internet.
Cabling into the switch port on the AC87U will mean traffic heading to network 2 bypasses both firewalls and will be potentially at risk. By doing this you would need a separate IP addressing scheme + DHCP (assuming you use it) for both networks. You will need to be careful about your port forwarding for any incoming traffic, as you now have a messy double NAT.
From the OP, he would greatly prefer to put the ISP’s router in bridge mode, but his flatmate, who happens to pay for the connection, won’t allow him to do it. That would of course be the best solution by far.
Don’t put your Asus router in the DMZ as that exposes it to the internet. Your only real choice is to double-NAT and then double-forward ports to stuff like Plex. That generally works OK, it only really causes problems with P2P/bittorrent.
Thinking it over, Ruffalo is probably right re DMZ (unless you know what you’re doing, it is an allow-all rule).
Another option is to run the AC87U as an access point. Assuming you trust your housemates and the supplied modem has the features you need, this would eliminate the double NAT. It does mean his clients are on the same LAN as your clients.
Yes, he said something about not allowing them to see his network, so I assumed that’s what he wanted. If he doesn’t care about all being on the same network, the Asus router can be put in bridge mode and work as a wireless AP and switch.
Yes your network 1 is safe. It’s no different than if it was hooked up to a modem. I’m not sure why anyone is suggesting otherwise. You still have the NAT and firewall of your router.
Regarding communication through the DMZ: that’s going to require opening ports on your WAN port for those services you want to work. Most DMZ settings on home gamer stuff are not really a DMZ in the sense that you still have and can use your intranet private IP. Opening ports for this doesn’t make a whole lot of sense.
There is the AP mode as others have mentioned. That’s how I run my N66U and it works like a charm. There should be no performance loss this way.
If it were me, I would just rename my AP to whatever the ISP one is, same encryption and all. Set the ISP device to whatever modem like option you can find, then put your stuff in place when no one is the wiser. See if they actually notice. Yeah, I’m an asshole like that.
Thanks for the reply.
It would be a lot easier, but it is what it is.
Yep, network 1 is top with network 2 served by AC87u.
Good! Yes, a cable from network 1 LAN to the WAN on the AC87U in router mode. DMZ directed to the AC87U’s static WAN IP. I was sure it was OK until my mind started doubting me, thinking demilitarized zone could mean the whole network.
Thanks for the advice.
I’m looking at maybe connecting network 1 and 2 but firewall-blocking the DHCP ports. Maybe hooking the DMZ to a LAN port on the AC87U, then a LAN to WAN for the DMZ, and splitting both networks’ DHCP range to half each, with the DMZ on a higher IP range.
The DMZ is set to the IP of the WAN on the AC87U; the AC87U then deals with the firewall etc. for network 2.
The ISP router for me is sketchy: it can’t handle the number of network clients well, and things like no QoS cause performance issues when everyone’s online. Using the AC87U with a DMZ from the ISP router has been flawless in terms of networking. Plex etc. work out of the box as if I’m connected to the modem router, no problem.
Forgive my ignorance, how does the TiVo stop this from working? I unplugged from cable a long time ago and don’t keep up with these things.
Edit: If you ran a different subnet mask you might be able to make this work with another cable LAN-LAN while still running the LAN-WAN setup with DMZ. So 2 Ethernet cables total.
For example, you probably have a class C 192.168.x.x with a subnet mask of 255.255.255.0, which means if you change your third octet you effectively change subnet. If you change the subnet mask to 255.255.0.0 you can now change your third octet to anything 0-254 and still be in the same subnet. Third octet meaning the third number separated by periods, just in case I’m talking over your head. I’m not meaning to talk down to you either.
In my example the default on the ISP device might be 192.168.1.1 and it would hand out DHCP 192.168.1.xxx to the devices connected to it. You would set your router to 192.168.2.1 and it would hand out 192.168.2.xxx. Both would be using the subnet mask of 255.255.0.0 which should let them communicate with each other without having overlapping DHCP. The other option would be a static setup on your end which would be a PITA but you would have more control of course.
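As an added illustration of the subnet-mask idea in the post above (example code written for this thread, not something the poster or ASUS supplied), the script below uses Python’s standard `ipaddress` module to check whether two hosts share a network under a given mask, whether two routers’ DHCP pools would hand out overlapping addresses, and what the broadcast address becomes. All addresses are constructed to match the thread’s 192.168.1.x / 192.168.2.x layout. The practitioner’s caveat it makes visible: once both routers use 255.255.0.0, the two sides are one on-link network, so traffic between the flatmates’ devices and yours no longer passes through the AC87U’s NAT/firewall at all.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample addresses for the two-router layout in the thread.
ISP_ROUTER = "192.168.1.1"    # Virgin Media hub, hands out 192.168.1.x
ASUS_ROUTER = "192.168.2.1"   # RT-AC87U, hands out 192.168.2.x
ISP_CLIENT = "192.168.1.77"   # a flatmate's phone (constructed)
ASUS_CLIENT = "192.168.2.42"  # the Plex server (constructed)


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True when both hosts land in the same network under the given dotted mask."""
    net_a = IPv4Interface(f"{ip_a}/{netmask}").network
    net_b = IPv4Interface(f"{ip_b}/{netmask}").network
    return net_a == net_b


def broadcast_for(ip: str, netmask: str) -> str:
    """Broadcast address a host would use (wider mask => one bigger broadcast domain)."""
    return str(IPv4Interface(f"{ip}/{netmask}").network.broadcast_address)


def dhcp_pool(router_ip: str, first: int, last: int) -> set[IPv4Address]:
    """Addresses a home router typically leases: router's first three octets + host range."""
    base = int(IPv4Address(router_ip)) & 0xFFFFFF00
    return {IPv4Address(base + host) for host in range(first, last + 1)}


def pools_overlap(pool_a: set[IPv4Address], pool_b: set[IPv4Address]) -> bool:
    """Two DHCP servers on one link must not lease the same addresses."""
    return bool(pool_a & pool_b)


def evaluate_layout(netmask: str) -> dict:
    """Summarise what a given mask does to the two networks from a defender's view."""
    on_link = same_subnet(ISP_CLIENT, ASUS_CLIENT, netmask)
    return {
        "same_subnet": on_link,
        # If the hosts are on-link, packets between them never hit the AC87U's
        # NAT/firewall, which is the whole point of running network 2 separately.
        "ac87u_firewall_between_them": not on_link,
        "dhcp_overlap": pools_overlap(
            dhcp_pool(ISP_ROUTER, 2, 254), dhcp_pool(ASUS_ROUTER, 2, 254)
        ),
        "broadcast": broadcast_for(ASUS_CLIENT, netmask),
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, evaluate_layout(mask))
```

With the default 255.255.255.0 the two client sets are separate networks and the AC87U still sits between them; with 255.255.0.0 they become one network with non-overlapping DHCP pools (because the third octet differs), but also one broadcast domain with no firewall in the middle, which is the trade-off the post is describing.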
The Virgin Media setup is not that bad. As for security, as long as you’re on IPv4 only you get a stateful firewall via NAT; if you get IPv6 (DS-Lite) you’re slightly less safe as there’s no stateful firewall there.
You can run your own network in the home to secure yourself from your flatmate, but generally you can’t have devices sitting on both subnets/networks.
Might want to consider the security of your individual devices a little; usually you’d do well just to keep everything updated, and that’s usually fine as long as you don’t hoard IoT stuff.
I’ve had no problems with VM in the past; this is the first time I’ve used fibre with them.
My issue here is their modem/router, it’s simply too weak and basic for our use. Bandwidth is all over the place, local pings wildly fluctuate depending on network load, the web UI is painfully slow, there’s no way to update the device, and the Wi-Fi has very good range but very little bandwidth even in the same room, and again no real control over its settings.
My ASUS gear has QoS, internet responsiveness is very good regardless of other traffic, and the same goes for local pings being much more steady under load. Streaming via Steam Home Streaming works a charm. The web UI works and it still receives updates. Local network transfer at 60MB/s via Wi-Fi. VPN server. etc. etc.
The VM "Super"hub 3, as with any ISP router, is intolerable. I guess it’s like using an IPS panel for some time and going back to TN, everything’s noticeable.
No IoT, even the Philips Hue has been barred haha!
DMZ seemed to create some latency along with some trouble using OpenVPN and the 2 networks, so I scrapped the idea. I put the VM box into modem-only mode, hooked that to the RT-AC87U in router mode, and hooked that into an RP-AC68U in access point mode. So now the network as a whole is working at peak performance.
Thanks all, it’s been a great bit of fun and learning for me.