Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Secure Internal Network

Secure Internal Network

post #1 of 14
Thread Starter 
Greetings networkers!

I'm a bit confused about my networking issue. My partner and I run a business in a rented space with residential units as upstairs neighbors. The leases in the building require that the landlord provide internet to all renters. As such, the landlord provides one DSL connection for the building.

They have an AT&T modem/router combination that we have full access to, well insofar as AT&T allows it anyway. We have a WNDR3700v2 with the latest build of dd-wrt installed. We also have two computers, two cellphones, a scanner, and a printer that are all networked via wifi.

The AT&T combination provides internet access via wifi to all of the upstairs apartments. It is also somehow wired into a hardline with one wall-port in our office.

I'd like to have a private network that has the WNDR3700 providing all of the DHCP services to our offices which passes directly to the internet without individual computers & accessories being detectable by the network.

My first attempt had the WNDR3700 hardlined into the modem/router via a LAN port. The WNDR3700 was set to act as a router, instead of a gateway; but otherwise had static DNS and DHCP service. While I could connect to the network and set up everything internally, there was a persistent DNS error that remained regardless of what I tried. I was only able to resolve the DNS issue by disabling DHCP service. Of course, this puts the DHCP on the modem/router and lets our hardware be viewed outside the network. I assume that there was a conflict of DHCP services for the computers inside the private network, as we have heard no complaints from the residents.

We can operate with the exposed network for the time being, but we'd like to set up the private network as soon as possible.

I'm at a loss as to what needs to be configured in order for the WNDR3700 to avoid the DNS problems. Do any of you have advice?
post #2 of 14
Quote:
Originally Posted by Droviin (post #1 above)

It sounds like your DHCP isn't handing out good DNS servers.

Have you looked at your DHCP options, and looked at the address of the DNS server it is handing out?
post #3 of 14
That is a really crap clause to have. How are you supposed to secure your transmissions without having your own line? The fact that other resident machines are on your same broadcast domain is a huge issue.

I would see if you could first get a dedicated connection by negotiating with the landlord, or if not then investigate VPNing your data into a remote endpoint such as a datacenter, although if you're still behind the NAT of that one consumer-grade router you may have some issues if the tunnel tries to initiate from the remote end.
post #4 of 14
Thread Starter 
Quote:
Originally Posted by Shiftstealth

It sounds like your DHCP isn't handing out good DNS servers.

Have you looked at your DHCP options, and looked at the address of the DNS server it is handing out?

I'm using static DNS as I find Google and UW-Madison's to be more reliable. Both of the DNS servers are also in use by my home router, so they are reliable.
Quote:
I would see if you could first get a dedicated connection by negotiating with the landlord, or if not then investigate VPNing your data into a remote endpoint such as a datacenter, although if you're still behind the NAT of that one consumer-grade router you may have some issues if the tunnel tries to initiate from the remote end.

The consumer-grade router is our own firm's. If I can set that up to only have our own devices on that router then we should be fine. Most of our communications are encrypted anyway, so I'm less worried once they leave the network. I was hoping to set up something similar to that VPN tunnel, although with the security on our end rather than remotely. Is that possible?
post #5 of 14
If someone wants your data and you're running it through wifi they can get it if they are willing to go to your location. If you're really feeling paranoid I would consider going wired and turning off all wifi. All the other suggestions so far are higher priority though.
post #6 of 14
Couldn't he just separate himself from the residents by creating a separate network?

ATT modem/router
192.168.0.0/24 - dns for residents
192.168.10.1/30 - static for business
static route 192.168.11.x to that connection

WNDR3700v2
Hard wire into ATT modem
static 192.168.10.2/30
dns 192.168.11.0/24

He would then have all of his stuff on .11.0 by itself.
post #7 of 14
Thread Starter 
Quote:
If someone wants your data and you're running it through wifi they can get it if they are willing to go to your location. If you're really feeling paranoid I would consider going wired and turning off all wifi. All the other suggestions so far are higher priority though.

I'm not really paranoid, I just don't want to make it so easy. Plus, I don't want the neighbors printing stuff to my networked printer.
Quote:
Originally Posted by Tom B (post #6 above)

This looks like the correct solution. I have access to both so I should be able to configure both setups.

I'm not clear on what you mean by "static route 192.168.11.x to that connection". Do I set up a static route that fixes the IP of the router? Also, do I need my own subdomain on the private network?
post #8 of 14
Quote:
Originally Posted by Droviin

I'm not clear on what you mean by "static route 192.168.11.x to that connection". Do I set up a static route that fixes the IP of the router? Also, do I need my own subdomain on the private network?
The 192.168.11.0/24 network will be created on your WNDR3700v2 router. The ATT router won't know where it is so you will need to route to it.
post #9 of 14
Thread Starter 
That's just complicated enough that a wiki page would be helpful. Would you know where to find one? I think I'm failing to grasp the core concept mostly.
post #10 of 14
To be honest, I'm not even sure if this is possible with consumer routers but basically, all you're doing is creating two networks on each router.

On the ATT router, you have the default network which I'm assuming is 192.168.0.0/24. That one you leave alone for the residents. You create a second network of 192.168.10.0/30. The problem you might be running into is you need to assign one of the router's switch ports to that network alone and that may not be possible on that router. Assuming it is, you assign a static IP address to that port (192.168.10.1/30). Finally, you will need to create a static route from the ATT router to the network you are going to create on the WNDR router (192.168.11.0/24).

On your WNDR router, you create the second half of the router-to-router network (192.168.10.2/30) and assign it a switch port. You then set the default gateway of the router to 192.168.10.1 so all outgoing traffic will use that network. Hard wire the two routers together on the assigned switch ports and they should communicate. Once that is set up, you create a second network on the WNDR for all of your devices to use (192.168.11.0/24). That second network could be either wired, wireless, or both.

Again, this is all assuming it is possible to do this on your consumer routers. I could set it up in about 5 minutes on a couple of Cisco enterprise routers but I can't say for sure if you will be able to set it up there with what you have.
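The addressing plan in posts #6 and #10 is small enough to sanity-check before touching either router, and a toy routing-table lookup makes it obvious why the ATT router needs that static route. The script below is an added example and is not configuration from the thread or from dd-wrt: the addresses are the ones proposed in the two posts, while the function names, the sample business host 192.168.11.50, the example destination 8.8.8.8 and the three-entry routing-table model are my own construction.

```python
"""Check the two-router addressing plan from this thread and show why the ATT
router needs a static route for the business LAN.

Added example, not the thread's or dd-wrt's own configuration. Addresses come
from posts #6 and #10; everything else here is a constructed illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination, next hop or "direct"/"WAN")

# Plan from the thread: residents stay on the ATT router's default LAN, a /30
# point-to-point link joins the two routers, and the business LAN exists only
# behind the WNDR3700v2.
RESIDENT_LAN = "192.168.0.0/24"
TRANSIT = "192.168.10.0/30"
ATT_TRANSIT = "192.168.10.1/30"
WNDR_TRANSIT = "192.168.10.2/30"
BUSINESS_LAN = "192.168.11.0/24"
DEFAULT = "0.0.0.0/0"


def check_plan(resident: str, transit: str, att_ip: str, wndr_ip: str,
               business: str) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems: List[str] = []
    transit_net = ipaddress.ip_network(transit)
    usable = set(transit_net.hosts())  # for a /30 this is exactly .1 and .2
    ifaces = {"ATT": ipaddress.ip_interface(att_ip), "WNDR": ipaddress.ip_interface(wndr_ip)}
    for name, iface in ifaces.items():
        if iface.network != transit_net:
            problems.append(f"{name} transit address {iface} is not inside {transit_net}")
        elif iface.ip not in usable:
            problems.append(f"{name} transit address {iface.ip} is the network or broadcast address")
    if ifaces["ATT"].ip == ifaces["WNDR"].ip:
        problems.append("both routers use the same transit address")
    nets = [("resident", ipaddress.ip_network(resident)),
            ("transit", transit_net),
            ("business", ipaddress.ip_network(business))]
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} network {a} overlaps {n2} network {b}")
    return problems


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, the way a router chooses a route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def att_router_table(with_static_route: bool) -> List[Route]:
    """The ATT router knows its own LANs and its WAN default; the business LAN
    only appears in its table if the static route from post #6 is added."""
    table: List[Route] = [(ipaddress.ip_network(RESIDENT_LAN), "direct"),
                          (ipaddress.ip_network(TRANSIT), "direct"),
                          (ipaddress.ip_network(DEFAULT), "WAN")]
    if with_static_route:
        table.append((ipaddress.ip_network(BUSINESS_LAN),
                      str(ipaddress.ip_interface(WNDR_TRANSIT).ip)))
    return table


def wndr_router_table() -> List[Route]:
    """The WNDR's default gateway is the ATT end of the /30 (post #10)."""
    return [(ipaddress.ip_network(BUSINESS_LAN), "direct"),
            (ipaddress.ip_network(TRANSIT), "direct"),
            (ipaddress.ip_network(DEFAULT), str(ipaddress.ip_interface(ATT_TRANSIT).ip))]


def reply_path(with_static_route: bool, business_host: str = "192.168.11.50") -> Optional[str]:
    """Where the ATT router sends a packet addressed to a business host, such as
    a DNS reply returning from the internet. Without the static route nothing
    beats the default entry, the reply heads for the WAN instead of the WNDR,
    and the client sees the kind of persistent DNS failure post #1 describes."""
    return lookup(att_router_table(with_static_route), business_host)


def outbound_path(dst: str = "8.8.8.8") -> Optional[str]:
    """Where the WNDR sends business traffic bound for the internet."""
    return lookup(wndr_router_table(), dst)


if __name__ == "__main__":
    print("plan problems:", check_plan(RESIDENT_LAN, TRANSIT, ATT_TRANSIT, WNDR_TRANSIT, BUSINESS_LAN))
    print("WNDR sends 8.8.8.8 via:", outbound_path())
    print("ATT reply to 192.168.11.50 without static route:", reply_path(False))
    print("ATT reply to 192.168.11.50 with static route:", reply_path(True))
```

One consequence worth keeping in mind from a security standpoint: once the ATT router has a route to 192.168.11.0/24, that network is reachable from the resident LAN through the ATT router too, so the WNDR's firewall still has to drop new inbound connections arriving on the transit port from 192.168.0.0/24 if the printer and scanner are to stay off-limits to the neighbours. Routing separates the broadcast domains; it does not by itself enforce isolation.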