
Three Dumb Router question

#1 jlariviere

Apologies if these are dumb questions. If this type of question was answered earlier on this forum, searches didn't bring it up so if you have a good post here or elsewhere feel free to forward me to that one :) My current OnHub router (that I should've replaced a long time ago) is getting discontinued by Google and I will be replacing it of course. It is just for my personal use (IOT devices, laptops, computers, etc.), so nothing too complex is needed (and reasonably cheap is of course good).

In 2022, do you think hardware separation with the "three dumb router" idea is still ideal, or do some of the routers (like the EdgeRouter X and those with one or more guest Wi-Fi networks) actually offer sufficient network separation at a hardware level to satisfy a somewhat paranoid / cautious individual?

If I go with the three dumb routers: I am currently in a subdivision, so there is some Wi-Fi congestion. Some available routers that support DD-WRT or OpenWRT only have 2.4 GHz. Would you recommend I be sure to get routers that support 5 GHz?

Thanks!


#2 bobmcn

In the past, Steve has recommended pfSense running on a Netgate SG-1100. I would strongly recommend AGAINST using that device. I have one, and have found it so underpowered as to be unusable. It takes tens of seconds after entering the login and password into the GUI to bring up the status screen, and a similar time to save a configuration change or switch between screens. There is no native Wi-Fi hardware, and limited support for third-party hardware, so you will need a second router anyway.

I am looking around for an alternative, and am strongly leaning towards something that will run OpenWRT.

5 GHz does not carry very far, and my experience has been that it is only ever better than 2.4 GHz if you are in the same room as the router. So it is not worth paying extra for.


#3 PHolder

Having wireless devices both on your "secure" network and on your "insecure" IoT network would entail having two wireless routers. This will have you causing your own extra congestion... so ideally it would be better to keep your secure network wired only and put all devices, such as your cell phone on the IoT network. You could potentially achieve this with a personal VPN into your secure network, but boy that all starts to sound really complicated. It makes a lot of sense to put your phone on the IoT network if it's going to be running apps to control the IoT devices anyway.

If you can restrict yourself to just one wireless access point, then you just need simple wired-only routers for the other two devices. (No, you don't strictly need to use three routers, but the premise is defense in depth... if one of the routers fails to block an attack, the other two should contain the damage.)


#4 jlariviere

> Having wireless devices both on your "secure" network and on your "insecure" IoT network would entail having two wireless routers. This will have you causing your own extra congestion... so ideally it would be better to keep your secure network wired only and put all devices, such as your cell phone on the IoT network. You could potentially achieve this with a personal VPN into your secure network, but boy that all starts to sound really complicated. It makes a lot of sense to put your phone on the IoT network if it's going to be running apps to control the IoT devices anyway.
>
> If you can restrict yourself to just one wireless access point, then you just need simple wired-only routers for the other two devices. (No, you don't strictly need to use three routers, but the premise is defense in depth... if one of the routers fails to block an attack, the other two should contain the damage.)

For the congestion, would it be better if two different wireless routers were on different channels?


#5 jlariviere

> In the past, Steve has recommended pfSense running on a Netgate SG-1100. I would strongly recommend AGAINST using that device. I have one, and have found it so underpowered as to be unusable. It takes tens of seconds after entering the login and password into the GUI to bring up the status screen, and a similar time to save a configuration change or switch between screens. There is no native Wi-Fi hardware, and limited support for third-party hardware, so you will need a second router anyway.
>
> I am looking around for an alternative, and am strongly leaning towards something that will run OpenWRT.
>
> 5 GHz does not carry very far, and my experience has been that it is only ever better than 2.4 GHz if you are in the same room as the router. So it is not worth paying extra for.

Thanks, that is helpful to hear about that Netgate.


#6 PHolder

> two different wireless routers were on different channels

Yes, but most modern routers can manage this on their own anyway, I believe. (Certainly the higher end/mesh ones do.) If you wanted to spend some money, and do some messing about/heavy learning, you could buy a single wireless system... something business class like Ubiquiti, and then you would have better control over which devices can see what other devices. (But then you might end up with a full time job of figuring things out too.)


#7 Dave New

After going through a series of Cisco/fka Linksys devices that kept going out of support, IMO much too soon for the price paid, I ended up going the eero route. Between the fiber modem and the rest of the network, I have a 24-port gigabit LAN switch, with 1 or 2 outlets with 1 or 2 LAN sockets each in each main floor room, wired from below from the basement through the walls. The upstairs is half the size of the main floor, and there are convenient hall closets stacked on both floors, so it was easy running a drop up to the 2nd floor to a 5-port gigabit LAN switch that feeds a few wired PCs and printers upstairs. The entertainment system in the living room takes another 5-port gigabit LAN switch to feed the DirecTV, Roku, TV, and Blu-ray player. So much for all the direct wired devices. Next come the eero WiFi 6 mesh routers. The main one is in the basement ham shack and has two gigabit ports and forms the firewall/gateway between the fiber modem and the 24-port LAN switch. It meshes with a wireless satellite on the main floor, and another one on the 2nd floor.

They operate on both 2.4 and 5 GHz, and I get flawless wireless coverage throughout the house, where I used to get cold spots with the previous non-mesh systems. WiFi 6 can easily keep up with my 300 Mbit bidirectional fiber-to-the-home AT&T service, which beats my prior Comcast 100 Mbit up/6 Mbit down service all hollow, and for half the price. On the 2nd floor satellite on my smartphone, running Ookla speedtest, I get 172 Mbit bidirectional. This is mainly a function of the backhaul speed between satellites, which will vary depending on the signal strength between them. On the basement main node, I routinely get 350 Mbit bidirectional on the same test, same phone.

Support? eero updates my system at LEAST once a month, if not more often. It all runs on an app on your smartphone, and you can control all aspects from there easily.

You can get an eero 6 3-pk for under $300. It's been the best money I've ever spent on a WiFi system. And no, I don't work for them or get any kickback from them. Just a very happy customer.


#8 rfrazier

I haven't read every word of this thread but only skimmed it. I'm not familiar with mesh systems. I haven't searched for routers in a while, so I cannot cite model numbers. But I definitely like the idea of DD-WRT or OpenWRT type systems. Turn off ALL external features and special services you don't need and ALL remote admin. I still think the 3 dumb routers is a good idea if you don't do the same thing with virtual LANs, etc. You can also get away with 2 routers ganged in series, but it's not as clean. In that case I think you put your IoT LAN on the router closest to the internet.

May your bits be stable and your interfaces be fast. :cool: Ron


#9 Sushi

> Apologies if these are dumb questions. If this type of question was answered earlier on this forum, searches didn't bring it up so if you have a good post here or elsewhere feel free to forward me to that one :) My current OnHub router (that I should've replaced a long time ago) is getting discontinued by Google and I will be replacing it of course. It is just for my personal use (IOT devices, laptops, computers, etc.), so nothing too complex is needed (and reasonably cheap is of course good).
>
> In 2022, do you think hardware separation with the "three dumb router" idea is still ideal, or do some of the routers (like the EdgeRouter X and those with one or more guest Wi-Fi networks) actually offer sufficient network separation at a hardware level to satisfy a somewhat paranoid / cautious individual?
>
> If I go with the three dumb routers: I am currently in a subdivision, so there is some Wi-Fi congestion. Some available routers that support DD-WRT or OpenWRT only have 2.4 GHz. Would you recommend I be sure to get routers that support 5 GHz?
>
> Thanks!

The “3 dumb routers” approach is still as acceptable today as it was before. I wouldn’t go out and buy 3 dumb routers, but if you have them, go for it, ASSUMING they are still being supported by their respective manufacturers. Otherwise, that could be a security issue. Also, don’t forget to turn off Wi-Fi on the edge device to reduce congestion, and make sure the other 2 are on different channels and/or frequencies. In regards to an EdgeRouter X, it will accomplish the same thing assuming you configure it correctly. If you are fairly savvy, pfSense would also be a great option, providing you have a spare box and appropriate NICs.


#10 saguaro

Perhaps too late, but a few notes on the ER-X. First, yes, it's cheap, but also low-powered, like the SG-1100. It will work, but perhaps no better than an SG-1100. In a moderately complicated setup you're probably limited to 300-450 Mbps using routing and firewall functions. EdgeOS is similarly less powerful than pfSense. The ER-X is great stuff for $50. You can learn a lot and access most config via the web GUI, but there's not much room to grow.

I have an ER-Lite and use an ER-X only as an internal router. My ER-Lite is barely enough for my recently-upgraded 800 Mbps connection. Arguably the ER-L is slightly better hardware. YMMV. Both Ubiquiti devices are pretty old in terms of support and expansion/growth. If I were buying an EdgeRouter today, I'd get the ER-4.

I keep thinking of buying one of those NUCs Steve has recommended for pfSense....


#11 PHolder

> limited to 300-450 Mbps

Yeah, I found the ER-X is not as powerful as I had hoped. It would be nice if it was line speed, but it's definitely less. There is a setting you can enable to allow for hardware assist, but it affects availability of other features, so I haven't done that.

Do you know if the ER-4 is capable of line speed throughput?

Bell Canada offers an option for 1.5G fibre, but they say you can only achieve maximum throughput by using their modem/router's WiFi as well as a wired link. (I don't think their router offers 2.5G or higher links.) Nevertheless, a slow firewall is not going to touch anything close to that.

I guess I should try a PC that has an option for a couple of PCIe NICs that could also go faster than 1G and see just how much throughput pfSense could push.


#12 rfrazier

I'm not being critical in any way by saying this. My internet is 90 Mbps down / 12 Mbps up and some of my networking gear is probably capable of 1 Gbps and other parts probably 100 Mbps. Many people on DSL have 3 Mbps internet. Do people REALLY need to push 1 Gbps in and out and around the house consistently? Maybe they do. But, it's certainly not me.

May your bits be stable and your interfaces be fast. :cool: Ron


#13 PHolder

By "people" you're implying "joe average" I guess. In my case, if I am going to pay the money for the service, I see no point to let my networking gear be the limiting factor in my connection... whether I actually use it to the maximum or not. On the other hand, time is money, and so if I can download a large file 10x faster then why waste the time?


#14 Dave New

I have two work-at-home adults that stream video conferences all day and two game-playing adults, plus a 4K TV with streaming services. So far, a 300 Mbps uncapped bidirectional service hasn't cramped our style, but the old 100 Mbps down / 6 Mbps up, 1 Gb/mo capped service certainly did, especially when using Backblaze to back up all those systems. Without throttling, Backblaze would saturate the uplink and knock the game-players off their game, so to speak.

And as a bonus, the 300 mbps un-capped bidirectional service is half the price of the old 1/3 speed capped unidirectional service. It pays to shop around, if you have the opportunity in your neighborhood. Not everyone has a choice, unfortunately. No competition breeds high prices, and lousy service, in my opinion.


#15 rfrazier

Interesting. Guess I have to get my gaming on. I can see what you're saying about the teleconferencing. My wife does that and I do occasionally but not usually at the same time. Come to think of it, I guess it does bog down a bit on occasion especially if I'm doing a big download or backup. I've got backups scheduled to occur in the middle of the night. Also, I bought a gadget from (I think) Western Digital a decade or more ago called a prioritizer. It looks like a wired router or hub. My router and her router are plugged into it. If I'm contending with her for internet access, her packets get priority. It generally works pretty well.

May your bits be stable and your interfaces be fast. :cool: Ron


#16 mjp66

Hi,

You might look into using an Ubiquiti ER-X router in conjunction with Ubiquiti's access point(s) for your needs.

This $60 router supports multiple VLANs (VLANs provide network segmentation / isolation), and has 5 built-in Ethernet ports.
The access point is the Wi-Fi portion. Typically priced less than $150, each AP supports four VLAN-separated (isolated) SSIDs.
So you can have four isolated networks, typically: Home Network, Guest Network, and IoT Network.
You can make more isolated networks, for example work from home, if they are Ethernet wired only.

Steve (very favorably) mentioned my setup guide in SN podcasts #641 and #649.
The link to my guide is on his linkfarm page:
https://www.grc.com/linkfarm.htm
Ensure you use the live link and DON'T use Steve's cached link, as his cache is about 25 commits and 100 pages out of date.
Direct Link
https://github.com/mjp66/Ubiquiti

@sggrc It might be time for a new SN mention of this guide, since IOT segmentation is so important lately.

This setup should work very nicely at 300 Mbps; router peak rates can be about 900 Mbps unidirectional.

The only trouble (right now) is finding these routers in stock, since we live in a post-pandemic supply-chain world.
Note1: ui.com's out-of-stock email-notification-system is broken.
Note2: Maybe try this: https://www.reddit.com/r/UbiquitiInStock/


-Mike


#17 squirrel

I have a problem which is less common than most people’s. I have a long house built of stone and I want the Wi-Fi to reach out into the garden too. Having heard Steve’s suggestion a few years ago to ‘make a new year’s resolution to isolate devices’, I set about resolving the whole issue. First, I bought a Synology router which contains a packet inspection facility which inspects every packet against a threat database maintained by Google and IBM, I believe. This is brilliant, as even if there is a single pixel containing a malicious ‘advert’, it will block any ‘phoning home’. I then connect this router into the router provided free by my ISP. I configured the Synology router to provide a different subnet IP range to the devices that connect to it and to select ‘isolate devices’ so they can see each other. That’s the crucial part. IoTs that need internet access, e.g. my smart TV, get connected to the ISP’s router. I don’t care much about how good the ISP’s router is at isolation, as the devices I do care about are behind a NAT router and on a different subnet.

If I had a house where the Synology router could reach everywhere, that would be the end of the story, but I’m not in that position. I solved my problem by buying a 16-port managed switch capable of running VLANs, and to provide the Wi-Fi I bought 2 EAP115 access points sited to cover the whole house and the main areas of the garden, but not the greenhouse. I set each of these access points to have the same channel frequencies so we can walk around the house and our devices seamlessly connect to one or the other access point. I set each device connected to the access points to be isolated from each other, and I set up the SSIDs to define different groups: IoTs that work from Wi-Fi only, e.g. Amazon Fire Sticks, and a guest SSID so that when family members come and then travel the country and this SSID is broadcast, the ‘guest’ SSID can’t be traced to my house, as ‘guest’ is so widely used. For the SSIDs that I use, I terminate them with optout and nomap.

Next I set up the VLANs in the managed switch which route the packet headers to provide the isolation. My NAS goes onto the most secure VLAN, IoTs firesticks have no access to this VLAN.

Interestingly, although the supplier was extremely helpful in trying to set up the VLAN, they couldn’t answer my questions other than to point to website instructions, which were for the most basic of configurations, so I spent many weeks of great fun trying to understand how VLANs work and to get the seamless walk-through from one access point to the other and the data swapping from one VLAN to the other transparently.

I got it all working correctly after a few months of trial and error. I regularly check the device isolation by running a LAN scan on the individual SSIDs.

I heard you say, “but what about the greenhouse when working out there?” In those times I plug in a mains extender and connect the Ethernet cable into one of the ports depending upon which VLAN I want access to when using the internet. If I just want the TV on my iPad, YouTube I’ll connect the mains extender into an IoT port, or if I need access to my NAS I’ll connect it into the secure VLAN by using another port.

I’ve got a smart printer, that’s a horror as it needs to be on my secure VLANs so we can print from our phones and iPads. I’ve configured the router to block access of the printer to the internet and I only turn it on when we want to print something, and every so often I plug it into the ISPs router and check for any updates.

I think this is about as secure as any domestic user can get.


#18 PHolder

> these access points to have the same channel frequencies

I don't think the channels need to be identical, and that would theoretically cause the two devices to overlap each other, actually reducing your signal strength. On the other hand, it may prevent a device from holding on too long to an AP which is sub-optimally far away and using a weaker signal. It's clearly working for you, so without experimenting it's hard to know if changing channels on one would make things better or worse or make no difference at all.


#19 saguaro

> First, I bought a Synology router which contains a packet inspection facility which inspects every packet against a threat database maintained by Google and IBM, I believe. This is brilliant, as even if there is a single pixel containing a malicious ‘advert’, it will block any ‘phoning home’.

I've been tempted by the Synology routers. They seem like very good gear. Lots of security-minded features and good performance.

> I set each of these access points to have the same channel frequencies so we can walk around the house and our devices seamlessly connect to one or the other access point.

Although it may work for you, as @PHolder suggests, this is the opposite of Wi-Fi best practice. Ideally your WAPs should transmit on channels that don't conflict with any nearby access points, and only use 1, 6, 11 for 2.4 GHz (because they're the only ones that don't overlap). Perhaps given your "stone" house, the WAPs never see the other APs. However, there is no need to use different channels to "seamlessly connect from one AP to another..." Just using the same SSID/passphrase does that. Cheers.
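The "only 1, 6 and 11" advice above follows from the 2.4 GHz channel plan: centres are 5 MHz apart but a 20 MHz transmission occupies roughly 22 MHz, so channels fewer than five apart overlap. The following is an added example written for this thread, not code from any poster; the greedy planner and the `pick_channel` helper are assumptions for illustration.

```python
"""Why 2.4 GHz access points are told to use channels 1, 6 and 11.

Channels 1..13 sit 5 MHz apart, but an 802.11b/g/n 20 MHz transmission
occupies roughly 22 MHz, so channels fewer than five apart overlap.
"""
from __future__ import annotations

CHANNEL_SPACING_MHZ = 5
TRANSMISSION_WIDTH_MHZ = 22   # 20 MHz channel plus spectral mask skirts


def centre_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (14 is the Japan-only outlier)."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"not a 2.4 GHz channel: {channel}")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one transmission width."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < TRANSMISSION_WIDTH_MHZ


def non_overlapping_plan(available=range(1, 12)) -> list[int]:
    """Greedy (assumed here): walk channels low to high, keep each that is clear of those kept."""
    plan: list[int] = []
    for ch in available:
        if not any(overlaps(ch, kept) for kept in plan):
            plan.append(ch)
    return plan


def pick_channel(neighbour_channels: list[int], candidates=(1, 6, 11)) -> int:
    """For a new AP, choose the candidate overlapping the fewest nearby APs (ties -> lowest)."""
    return min(candidates, key=lambda ch: (sum(overlaps(ch, n) for n in neighbour_channels), ch))


if __name__ == "__main__":
    print("non-overlapping set for channels 1-11:", non_overlapping_plan())
    # Constructed neighbour survey: two APs on 1, one on 6, none on 11.
    print("best channel next to APs on [1, 1, 6]:", pick_channel([1, 1, 6]))
```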


#20 saguaro

> Do you know if the ER-4 is capable of line speed throughput?
>
> Bell Canada offers an option for 1.5G fibre, but they say you can only achieve maximum throughput by using their modem/router's WiFi as well as a wired link. (I don't think their router offers 2.5G or higher links.) Nevertheless, a slow firewall is not going to touch anything close to that.

Sorry to have let this go so long. I was typing a reply last night and my ERL-3 crashed for the second time in 8 days. Then it crashed 3 more times after ~20 min each. Short version: power supply apparently bad, which seems to be happening to many people over the past year...

The ER-4 answer depends on your configuration. My ERL-3 seems to route at nearly line speed; add on multiple VLANs and firewall rules and it's still OK. But add QoS and things get bad. With QoS enabled my ERL seems capped at about 180 Mbps. But I now have 800 Mbps down, mainly so I can get 20 Mbps up! (This is the problem in the US and why so many people look like garbage on Zoom... they have 5 Mbps up and 8-12 devices online!) Right now with firewall and 5 VLANs, without QoS enabled, I can get ~800+ Mbps through the device.

I'm sure the ER-4 will route better than the ERL. In this 3-yr old thread they say ER-4 *should* get 400Mbps with QoS enabled.

I found this new site that does buffer-bloat test, and it mentions ER-4 as good for up to 300 Mbps!? Shows only the Eero mesh router able to handle QoS at gigabit rates. https://www.waveform.com/tools/bufferbloat via https://www.bufferbloat.net/projects/bloat/wiki/Tests_for_Bufferbloat/#best-bufferbloat-tests

@mjp66 I love your well done EdgeRouter reference. Haven't looked at it lately though: it was so good I hardly need to do anything more. :)


#21 JakeofArk

I'd recommend trying the Pi as a router. I've built my own custom images of OpenWrt, but it's difficult to trust a router to stay truly dumb. Debian's nftables does a pretty good job of just passing through traffic and not allowing the OS to be probed directly. It takes about 100 lines of code to convert a vanilla Raspberry Pi image to my current setup. If you set up two SD cards, you can capture all your non-tunneled (not port 1194 or 22) traffic and go through your packet captures every couple of weeks. I process mine through Zeek to minimize pcap retention. Best of all, running things this way gives you real visibility into your network so you don't just have to hope for the best. If I actually suspect anything is afoul, I'll set up a second Pi to capture on a passive network tap and keep it out-of-band. If you really learn what you're doing and you're paranoid, you can basically be running your own SIEM this way for next to nothing. I use an old Android throwaway as a screen to the second Pi through USB tethering and VNC. It basically becomes second nature to notice misbehaving apps from my wife's phone through termshark on the throwaway.

I've shared the code I use to set this up. Don't worry; it's not malicious. ;)

Attachment: routerpi.txt (2.7 KB)

#22 PHolder

> I'd recommend trying the Pi as a router.

Because the Pi doesn't have two Ethernet ports, and because if you add one it will be on the slower USB bus, I don't think the Pi is great at this particular task, depending on your bandwidth (it wouldn't work well for me, for example). By the time you build out a Pi to the useful level, you're starting to hit one hundred or more dollars, and you might as well buy something like the smaller, purpose-built Ubiquiti devices or pfSense-focused devices, IMHO.


#23 Dave

Hi,

> You might look into using an Ubiquiti ER-X router in conjunction with Ubiquiti's access point(s) for your needs.
>
> This $60 router supports multiple VLANs (VLANs provide network segmentation / isolation), and has 5 built-in Ethernet ports.
> The access point is the Wi-Fi portion. Typically priced less than $150, each AP supports four VLAN-separated (isolated) SSIDs.
> So you can have four isolated networks, typically: Home Network, Guest Network, and IoT Network.
> You can make more isolated networks, for example work from home, if they are Ethernet wired only.
>
> Steve (very favorably) mentioned my setup guide in SN podcasts #641 and #649.
> The link to my guide is on his linkfarm page:
> https://www.grc.com/linkfarm.htm
> Ensure you use the live link and DON'T use Steve's cached link, as his cache is about 25 commits and 100 pages out of date.
> Direct Link
> https://github.com/mjp66/Ubiquiti
>
> @sggrc It might be time for a new SN mention of this guide, since IoT segmentation is so important lately.
>
> This setup should work very nicely at 300 Mbps; router peak rates can be about 900 Mbps unidirectional.
>
> The only trouble (right now) is finding these routers in stock, since we live in a post-pandemic supply-chain world.
> Note1: ui.com's out-of-stock email-notification-system is broken.
> Note2: Maybe try this: https://www.reddit.com/r/UbiquitiInStock/
>
> -Mike

I confess that I ran out and bought one of these after hearing @Steve speak so highly of it. I read about how I could have the IOT network isolation of my dreams, home and work networks, self-hosted VPN, etc... And I wondered, could I VPN in from out of the country and access Xfinity content and/or my TiVo?!? I think the answer to that last question USED TO BE Yes. But I think any Xfinity/Comcast apps now detect VPN connections.

But, alas, I am a software engineer, not a network engineer. So - like so many other things in life - I spent enough time playing with it to grasp just how much more I would have to learn before I dared try to do much with it. Someday... You know, that day that never comes.

When my company closed the office and we all had to work from home, Verizon's crappy works-well-on-dry-sunny-days DSL was out and I forced myself to drink the Xfinity/Comcast Kool-Aid. I bought my own ARRIS telephony modem (no $10/mo rental but also no X1 goodies) and, along with the Ubiquiti EdgeRouter X, a new Ethernet cable run down to the basement office, and two TP-Link wired/Wi-Fi routers as access points (one upstairs for the house, one downstairs for the office), I have a working network. But it is all pretty much still in the brain-dead default configuration with just enough network isolation to make the printer upstairs inaccessible from the system downstairs, unless I drop the Ethernet connection and switch over to the upstairs Wi-Fi.

I have dreamed of someone publishing some useful X configuration models that I could be lazy and adopt. Or maybe a new release of the X firmware with a comprehensible UX. @mjp66's https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti Home Network.pdf looks great! But when even the improved and clarified documentation is still 200 pages, I fear Someday may be no closer than it has been since we all first heard about SQRL. I guess I'll have to give that nice PDF a thorough read... someday. Some day soon. Though that Three (ok, four or five) Dumb Routers implementation sounds better and better.


#24 rfrazier

@Dave I haven't read every single word of this thread. I run data from the house out to the internet on Comcast via TorGuard VPN all the time. I don't know about inbound traffic. Comcast doesn't seem to care. They may throttle me sometimes on long downloads but I cannot prove it. Why not try a literal physical 2 dumb routers or 3 dumb routers setup? This is what I do. Control the network topology with physical wires. Forgive me if I don't completely understand your setup. I have a Comcast telephony modem but otherwise have my own equipment. My cable modem. My routers. No Xfinity anything. And no unwanted shared WiFi. Assume router A is your border router. Its WAN output goes to your cable modem. Attach your printer via Ethernet to a LAN port on router A. Assume router B is your downstairs router. Attach router B's WAN port to a LAN port on router A. Attach your downstairs equipment to LAN ports on router B. Assume router C is your upstairs router. Attach router C's WAN port to a LAN port on router A. If you need more ports, you can attach a switch to the LAN ports on a router. Attach your upstairs equipment to LAN ports on router C. All your equipment will be able to access the internet and all your equipment will be able to access the printer. You will have strong isolation between upstairs and downstairs. Upstairs equipment will not be able to access downstairs equipment and vice versa. I've been doing this ever since @Steve talked about 3 dumb routers years ago. It works well. I don't do anything that requires unsolicited data coming from the internet into the house. Below is a blog post I put out on the topic years ago. If you needed another IoT segment, for example, you could add a 4th router with its WAN port going to a LAN port on router A. Note, however, that anything that's hostile in your network could potentially attack the printer or the border router. Hope this helps.


May your bits be stable and your interfaces be fast. :cool: Ron
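The isolation claims made in this thread (the A/B/C layout with the shared printer on the border router's LAN from post #24, the "two routers ganged in series" variant from post #8, and the defense-in-depth premise of post #3) can be checked with a small reachability model. This is an added example, not code from any poster or from GRC; the router, segment and host names are assumed for illustration, and each consumer router is reduced to one rule: its LAN side may initiate toward its WAN side, its WAN side may not initiate into its LAN.

```python
"""Reachability model for the 'dumb routers' home layouts discussed in this thread.

Each consumer NAT router is reduced to one rule: hosts on its LAN side may
initiate connections toward its WAN side, but nothing on the WAN side may
initiate a connection into its LAN. Given a tree of such routers, the model
answers "who can open a connection to whom".
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(eq=False)
class Segment:
    """A broadcast domain: the internet, or the LAN side of one router."""
    name: str
    parent: Segment | None = None          # segment the owning router's WAN plugs into
    hosts: set[str] = field(default_factory=set)

    def path_to_internet(self) -> list[Segment]:
        """This segment, then every segment crossed going LAN->WAN up to the root."""
        chain: list[Segment] = []
        seg: Segment | None = self
        while seg is not None:
            chain.append(seg)
            seg = seg.parent
        return chain


class Topology:
    def __init__(self) -> None:
        self.segments: dict[str, Segment] = {"internet": Segment("internet")}
        self.where: dict[str, Segment] = {}  # host name -> segment it sits on

    def add_router(self, name: str, wan_on: str = "internet") -> None:
        """Add router `name`: WAN port on segment `wan_on`, LAN side becomes segment `name`."""
        self.segments[name] = Segment(name, parent=self.segments[wan_on])
        # The router itself answers on both interfaces, which is why a hostile
        # device on a router's LAN can still attack that router (post #24's caveat).
        self.attach(f"{name}:lan", name)
        self.attach(f"{name}:wan", wan_on)

    def attach(self, host: str, segment: str) -> None:
        self.segments[segment].hosts.add(host)
        self.where[host] = self.segments[segment]

    def can_initiate(self, src: str, dst: str) -> bool:
        """True if `src` can open a connection to `dst`: every hop must be LAN->WAN,
        so `dst` has to sit on `src`'s own segment or on one above it."""
        return self.where[dst] in self.where[src].path_to_internet()

    def isolated(self, a: str, b: str) -> bool:
        """Neither side can open a connection to the other."""
        return not self.can_initiate(a, b) and not self.can_initiate(b, a)

    def exposure(self, dst: str) -> set[str]:
        """Every host that could initiate a connection to `dst`."""
        return {s for s in self.where if s != dst and self.can_initiate(s, dst)}


def three_dumb_routers() -> Topology:
    """Post #24's layout (names assumed): A is the border router on the cable modem;
    B (downstairs) and C (upstairs) have their WAN ports on A's LAN; the printer shares A's LAN."""
    t = Topology()
    t.add_router("A")
    t.add_router("B", wan_on="A")
    t.add_router("C", wan_on="A")
    t.attach("printer", "A")
    t.attach("downstairs-pc", "B")
    t.attach("upstairs-pc", "C")
    t.attach("outsider", "internet")
    return t


def two_routers_in_series() -> Topology:
    """Post #8's cheaper variant (names assumed): IoT on the outer router nearest the
    internet, trusted devices behind an inner router whose WAN is on the outer LAN."""
    t = Topology()
    t.add_router("outer")
    t.add_router("inner", wan_on="outer")
    t.attach("smart-tv", "outer")
    t.attach("laptop", "inner")
    return t


if __name__ == "__main__":
    for label, topo in (("three dumb routers", three_dumb_routers()),
                        ("two routers in series", two_routers_in_series())):
        print(f"== {label} ==")
        for host in sorted(topo.where):
            print(f"{host:>14} can be reached by: {sorted(topo.exposure(host))}")
```

The printout makes the trade-off visible: in the series layout the trusted side can still reach IoT devices, while in the three-router layout the printer and the border router are reachable from every inner segment.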


#25 Roger Rabbit

> I've been tempted by the Synology routers. They seem like very good gear. Lots of security-minded features and good performance.
>
> Although it may work for you, as @PHolder suggests, this is the opposite of Wi-Fi best practice. Ideally your WAPs should transmit on channels that don't conflict with any nearby access points, and only use 1, 6, 11 for 2.4 GHz (because they're the only ones that don't overlap). Perhaps given your "stone" house, the WAPs never see the other APs. However, there is no need to use different channels to "seamlessly connect from one AP to another..." Just using the same SSID/passphrase does that. Cheers.

I've had a Synology RT2600ac since it was released in June 2017. I added an MR2200 mesh router the next year. I have good Wi-Fi coverage all over the house (over 3000 sq. ft.).

Synology has announced the release of their RT6600ax. This is a tri-band wifi6 router. Reviews I have seen state that the Wi-Fi range performance is excellent. It comes with a new version of SRM (Synology Router Manager, their OS) which will be released in 3rd quarter for the older RT2600 and MR2200, which will likely allow them all to operate as a mesh. The new version of SRM also allows for multiple VLANs to be setup.

I am a solid fan of the Synology router for its features and protections. It offers a lot of protections and even online time quotas on a per-device basis if you have kids. Safe browsing is standard and can be configured to block undesirable traffic, including ads. This provides protection and ad blocking to phones and tablets, which don't have the ad-blocking add-ons that browsers do. There is also the Threat Prevention add-on in addition to VPN Server, and others.

I will likely stay with my current setup, at least for now. Once the newest SRM version is released for older models, the only thing I won't have is the ax Wi-Fi, but none of my clients support it either at this point.

In addition, these devices are rock solid. Typically, reboots only occur when I'm upgrading the SRM version, or extended power outages that exceed the uptime on my UPS.


#26


Ralph

I recently added a Synology router behind my cable modem. I am still learning about its security features which I like, and locked myself out of it a few times along the way. One of the (many) settings I have a question about is whether or not to enable reboots on a schedule. My initial thought is no, but I also recall from a past SN that a reboot can remove some types of malware. Another thing in the mix is I have a Raspberry Pi server hooked up to the Synology which is online 7x24. I have done manual reboots of the Synology and the Pi came back online, so I don't think that is an issue. Any ideas pro and con about scheduled reboots?


#27


jlariviere

I recently added a Synology router behind my cable modem. I am still learning about its security features which I like, and locked myself out of it a few times along the way. One of the (many) settings I have a question about is whether or not to enable reboots on a schedule. My initial thought is no, but I also recall from a past SN that a reboot can remove some types of malware. Another thing in the mix is I have a Raspberry Pi server hooked up to the Synology which is online 7x24. I have done manual reboots of the Synology and the Pi came back online, so I don't think that is an issue. Any ideas pro and con about scheduled reboots?
Not having done it either way before, just thinking about reboots as a user... Pro: it might help updates get installed and caches cleared. Con: it might interrupt usage. Or, if it has issues and you had it reboot overnight when it's not in use, you might not be able to address those issues for a while.


#28


rfrazier

From a security point of view, if this is your outermost router (closest to the internet), you want to make sure all its external ports are stealthed unless you have a need for incoming open ports. You want the DMZ off. And, you want all remote administration off unless you have a special need for it and have taken substantial precautions for security for that. I have my routers running DD-WRT and I immediately went into the control panel and turned all that off or verified that it was off. You also want all external services off which relates to open ports. Having nothing running externally minimizes the attack surface for malware against the router from outside. It doesn't protect the router if you have malware in your PC and you log into it from inside.

In answer to your actual question, and just my personal opinion, I have each router set to reboot at 3 AM every day. If the router has an automatic time sync function (NTP), turn that on so its clock stays correct. Sometimes these little devices can become unstable if running for months without a reboot. If devices don't reconnect properly, you can set the boot times to go from outermost to innermost items. You might be able to get the RPi to auto reboot too if you wanted, but you have to be careful that its software doesn't get damaged. I don't auto-reboot my PCs and tablets, but I generally manually reboot every week or two, or there will be an electrical storm that makes me shut down, etc.

May your bits be stable and your interfaces be fast. :cool: Ron


#29


PHolder

Any ideas pro and con about scheduled reboots?
Up-to-date security is good news, but on the other hand, if you allow updates to cause reboots, then you may suffer the failure mode of a light bulb (the old-fashioned kind, not necessarily the LED kind). Most light bulbs fail when powering up. This is the point where they have the most work to do, as they have to heat up to their operating temperature.

If your device updates and then reboots in the middle of the night, while you are "absent from keyboard", then it's possible that is the time when a bug will surface that will cause an outage. This probably won't happen often... if ever, but if it does happen to you, it will probably be quite confusing when you're just waking up (or someone wakes you to tell you) and things are hosed.

This is probably not a motivating factor for or against any particular choice, but just something to be aware of for the future.


#30


rfrazier

@PHolder Yeah, I'm leery of auto updates as they do periodically change things. Unfortunately, one has to be leery of never getting updates. It's hard to know the best answer. I guess, with a router, and especially with something like DD-WRT and with all outside services turned off, I'm more inclined to want my updates to be only manually installed. It's probably a good idea to be on the email list of your router maker but I honestly don't know if I'm on DD-WRT's list or not. They have so many versions and years of products that I don't even know if they could issue customized emails.

May your bits be stable and your interfaces be fast. :cool: Ron


#31


Ralph

I was always hesitant about turning electronic things off or rebooting unless absolutely necessary. A good (bad?) habit from my early days working with equipment, where if something turned off it was hit and miss whether it would come back up OK. I turned the reboot-on-schedule back off on the router. For now, until I get tired of it, I log into the router daily to look around and try to figure out what some of the settings do; it's still a 'new toy'. As far as I can tell it hasn't done any reboots aside from the ones I caused. I have a small UPS for both routers that I haven't installed yet. My cable modem doesn't seem to take to power glitches too well and often comes back up without an internet connection.

I did schedule the various update checks at different times during the night so nothing would happen while something else is active. Thanks for the thoughts on that. Now I have no auto reboot set and I left auto updates enabled. One of the menus has an 'up time' counter so I'll keep an eye on that to see if it reboots by itself.

Funny, I just recalled from my mainframe days when some programmers would update software during the week that needed a reboot to become active. Their thinking was to save a trip into work on the weekend. A number of times there were unexpected problems where they needed to IPL/reboot the system off schedule, and the patches took effect, sometimes with very bad results.