Using Multiple routers to secure a home network

I was viewing a podcast on TWiT regarding using three routers to secure a network, and it seemed very interesting; however, being a newbie, I wanted to see what others might say.
The URL to the podcast is: https://www.youtube.com/watch?v=uVBP30nd6_Q

My current configuration is as follows:
I am running a Windows 7 desktop machine.
I have an ISP-supplied router/modem (TP-Link TD-8817 ADSL2 modem router).
Connected to the router with an Ethernet cable is a Linksys Wireless-G broadband router (running Tomato software).
Finally, I have a D-Link 8-port Gigabit switch that runs to my 4-PC network.
The network consists of a desktop computer, a home theater computer, an MXQ Pro 4K TV box in a bedroom and finally a FreeNAS server.

I want to isolate my environment as much as possible, and from what I understand, if in the future I need to add an appliance it should be connected to another router.

What are your thoughts?

1 Like

You could just use VLANs with a single router if you want network isolation. pfSense would work well for this. I do this with my MikroTik router to isolate my wireless access point. Having more than one router on your network could be asking for trouble.

2 Likes

It sounds like you are already doing this. What Steve is arguing for is having all your IoT devices and wireless devices separate from the rest of your home network. All you have to do is connect those clients to the ISP router instead of to your Tomato router, and then they can't see what's going on behind your Tomato router.

2 Likes

Thank you all for your input; it is much appreciated. Due to my having limited space where my ADSL cable comes into my home, I cannot place a computer there to support pfSense; I need a small footprint.

NicKF, the issue is that the ISP-supplied modem (TP-Link TD-8817 ADSL2 modem router) has only one Ethernet port. If I were to change this out for a router that had more than one RJ45 port, then I could keep future appliances separate.

This is my configuration as it is now!

1 Like

My setup uses a lab/guest router, connected to another router, set up so that it cannot access my server or other systems. This can certainly be done via VLAN.

2 Likes

The hard part with all of this is making sure the gateway and such does not get messed up.

1 Like

The easiest way to do it, other than getting a router/firewall with multiple interfaces (more than just LAN and WAN), would be to split your network up into zones and have a router between each zone. So you have the least secure at the top, which is the internet. Then public-facing servers, then WiFi, then LAN (as an example). You connect the WAN interface of each router to the zone above it and the LAN interface to the zone below. That way traffic can only travel up and not down. This is a simple way of doing it that won't require much configuration.

A better way of doing it is having a single router/firewall which connects to all networks, which you can configure the way you want.

EDIT: A cheap way of getting a router with multiple interfaces is to use OpenWrt (DD-WRT may also work but I haven't tried). You can assign different ports to different VLAN interfaces. You won't get the speed of having multiple physical interfaces, but you can still use it to route and firewall multiple networks. It's much cheaper than buying a bunch of routers and will give you better configuration options.

3 Likes
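As an added example, not code from the thread or any poster, here is what Dexter_Kane's OpenWrt suggestion looks like in the older swconfig-style UCI syntax: a third VLAN on one switch port becomes a guest/IoT network that is only ever forwarded toward the internet, the same one-way "up" rule as the chained routers described above. Assumptions: the switch port numbers, the 192.168.3.0/24 range, and a stock OpenWrt install whose lan and wan interfaces and firewall zones are kept as they are.

```uci
# /etc/config/network (OpenWrt swconfig syntax; port numbering is an assumption:
# ports 0-2 stay in the stock LAN VLAN 1, port 4 is WAN VLAN 2, port 5 is the CPU)
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'
# New VLAN 3 on physical port 3 carries the guest/IoT network
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 5t'
config interface 'guest'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: hand out addresses on the guest network
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall: guest is its own zone and is only forwarded "up" to wan
config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# No guest -> lan forwarding exists, so guest hosts cannot reach the LAN.
# Guest clients still need DHCP and DNS from the router itself:
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcpudp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Optional, mirrors the chained-router setup: trusted LAN hosts may reach guest, not the reverse
config forwarding
	option src 'lan'
	option dest 'guest'
```

After applying the fragments, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` load them; a guest client should get a 192.168.3.x lease, reach the internet, and get connection refused or timeouts toward 192.168.1.x.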

I believe you helped me with my config a while back. The way you explain it is much easier to understand than most.

The router closest to the internet is considered the least secure; the systems on this router cannot talk to anything else on the LAN. I use this router for guest wireless and testing purposes.

The next router, connected as @Dexter_Kane described, houses my local systems and FreeNAS box and supplies wireless for my laptop and phones. The systems on this router can talk to the systems on the guest router. The guest router is the default gateway in my setup.

1 Like

Thank you all for the feedback.
Dexter_Kane has what I believe is the solution that I was looking for.
Regards

Al

2 Likes

I am trying to learn how to set myself up. I just keep on getting taken over with other networkers..

I understood some..I am keen to learn...

Thank you

This isn't really the sort of thing you would set up in a 'normal' home network. You'd set something like this up if you needed to separate your network between secure parts and more vulnerable parts.

If you're just starting out learning about networking then you might not want to start with routing and firewalls.

1 Like

I know I should not need to know all this. I really do want 'normal' and simple, as I am not technically minded. Unfortunately I am needing to learn, as it is turning out I am a hot spot for gaming... not the nice ones, unfortunately.

I thought it was only hackers online, but it turns out my system has been set up as a hot spot by a so-called friend.

Right now I just have to live with it and learn. When I do get sorted, my setup will be as simple as possible...

I'm not really sure what that means. But what we're talking about here won't really help. Unless you have multiple networks that you want to separate from each other, all you need is a router between your modem and the rest of your network.

I'm not sure how much you know about networking, but assuming you know what a switch is, a router is very similar. The difference is it works at the IP level, whereas a switch operates at the MAC or physical level. So a switch is used to pass traffic between devices physically and on the same network, whereas a router is used to pass data logically across different networks. The internet is just a big network of routers (hence why it is originally named the internet, as in inter-network), which is why you need a router to connect your network to the internet.

If you have two networks, such as your local network and a public WiFi network (for example), then you would need a router between those two networks for data to pass between them. If you wanted to limit what can pass between networks, you would need a firewall on one or both sides of the router.

But in your case it sounds like your computer is infected. I'd suggest either replacing it or just formatting it and reinstalling Windows or Linux; this will likely solve your problems. I'd recommend Linux as it's harder to get viruses and is more secure than Windows, plus it's free.

Anyway, I think we're derailing this thread a little, so the gist of what I'm saying is don't worry too much about the networking side of things for now; focus on getting your computer secure before worrying about the rest of your network.

1 Like

I am just spending my time learning how to be safe. I am being hacked by two routers that are not mine.

That will all fall into place, as I will be moving soon...

I have had new PCs.

OS changed... lots and lots...

Things are starting to fall into place now... I am enjoying learning now, where I hated it at first... YouTube videos help because I can follow them and copy, rather than searching every other word... because I don't know the language...

A lot of it is made that way too... I also see and understand other points online...

Funny, I was reading about switches and routers yesterday. I kept the links to keep at it...

And yes, I will be changing to Linux... I will post asking for help when I get to that stage...

Thank you very much for the help... Much appreciated.

The only reason I set this up is for guest internet access. My wife is working from home and her boss comes to my house sometimes to work as well. As I've found out from working on a lot of other people's computers, they are far from secure and malware free. I don't want these infected machines on the same network as my server or personal rigs. This segmentation will keep my computers a little safer.

As a side note, I told her boss I was keeping her computer for a day or two to give it a thorough malware cleaning. Everything looks good now, but it is still not going to connect to my primary network!

1 Like

Most routers which have a guest network option allow for this kind of separation; it's definitely something that everyone running a public or shared network should do if they have secure systems that they wish to keep secure.

It's good to have one network which you know is safe, and another which might not be safe but it doesn't matter, because your safe stuff will stay safe. Having everything together makes it really difficult to contain a problem.

Especially if you're running a public-facing server, like a web server. If that becomes compromised, then an attacker can use it as a pivot to attack other systems on the network. Stuff like that should definitely be kept isolated from important stuff like file servers and whatever.

I am pulling my hair out... Not only are my PCs infected, but my house is full of devices. I have found all new wires and gadgets that are tracking to make sure my machines stay on...

Today I bought my friend's laptop, and two minutes in my house and it's hijacked... As this is not hacking... it is proper stealing and taking over my life.

The thing is they use the exact same files over and over...

You all say how safe you want to keep your networks; from what I see, it is practically impossible if you are being singled out... which I am...

This is just a few shots of some files...

At this moment I feel lost and want to throw the towel in...

I would be very grateful for any advice...

What do you mean they use the files? These look like drivers and other programs which are being run by the system. Can you be specific about what you think is happening?

My operating system seems to be for developers. I am always on a public connection, roaming publicly... If I download another browser, it will download, then change. When I connect to my router it always changes to a different configuration...

I am on a different router, a Thomson, and mine is TalkTalk...

I am taken as a mobile connection.

My emails are not safe... with a file on the message... I just delete them...

I have now got 35-40 emails being used; some accounts have been stolen, some have been made up for sites I have not created...

My Facebook is fake


I cannot go to sites, as these MAC addresses are blocked...

The files that keep on appearing are old ones from my first noticed PC... Note some of them are from 2013... This is a new PC... with a new OS...

I really don't know what is normal... but I never wanted to become a hotspot or be in a big network, as I am not experienced enough to keep anyone safe.

I would like to know if this is normal...

A big thanks for your help once again...

My browser closed down 3 times when I was connected just now...

Firefox and IE are hidden from me...

Phewwww! Sorry, but it is making me quite ill...
