Three Dumb Router question


I'd recommend trying the Pi as a router. I've built my own custom images of OpenWrt but it's difficult to trust a router to stay truly dumb. Debian's nftables does a pretty good job of just passing through traffic and not allowing the OS to be probed directly. It takes about 100 lines of code to convert a vanilla Raspberry Pi image to my current setup. If you set up two SD cards, you can capture all your non-tunneled (not port 1194 or 22) traffic and go through your packet captures every couple of weeks. I process mine through Zeek to minimize pcap retention. Best of all, running things this way gives you real visibility into your network so you don't just have to hope for the best. If I actually suspect anything is afoul, I'll set up a second Pi to capture on a passive network tap and keep it out-of-band. If you really learn what you're doing and you're paranoid, you can basically be running your own SIEM this way for next to nothing. I use an old Android throwaway as a screen to the second Pi through USB tethering and VNC. It basically becomes second nature to notice misbehaving apps from my wife's phone through termshark on the throwaway.

I've shared the code I use to set this up. Don't worry; it's not malicious. ;)
 

Attachments: routerpi.txt (2.7 KB)
I'd recommend trying the Pi as a router.
Because the Pi doesn't have two Ethernet ports and because if you add one, it will be on the slower USB bus. I don't think the Pi is great at this particular task, depending on your bandwidth (it wouldn't work well for me, for example). By the time you build out a Pi to the useful level, you're starting to hit one hundred or more dollars, and you might as well buy something like the smaller, purpose-built Ubiquiti devices or pfSense-focused devices, IMHO.
 
Hi,

You might look into using a Ubiquiti ER-X Router in conjunction with Ubiquiti's Access Point(s) for your needs.

This $60 router supports multiple VLANs (VLANs provide network segmentation / isolation), and has 5 built-in Ethernet ports.
The Access Point is the Wi-Fi portion. Typically priced less than $150, each AP supports four VLAN-separated (isolated) SSIDs.
So you can have four isolated networks, typically: Home Network, Guest Network, and IoT Network.
You can make more isolated networks, example work from home, if they are Ethernet wired only.

Steve (very favorably) mentioned my setup guide in SN podcasts #641 and #649.
The link to my guide is on his linkfarm page:
https://www.grc.com/linkfarm.htm
Ensure you use the live link and DON'T use Steve's cached link, as his cache is about 25 commits and 100 pages out of date.
Direct Link
https://github.com/mjp66/Ubiquiti

@sggrc It might be time for a new SN mention of this guide, since IOT segmentation is so important lately.

This setup should work very nicely at 300 Mbps; router peak rates can be about 900 Mbps unidirectional.

The only trouble (right now) is finding these routers in stock, since we live in a post-pandemic supply-chain world.
Note1: ui.com's out-of-stock email-notification-system is broken.
Note2: Maybe try this: https://www.reddit.com/r/UbiquitiInStock/


-Mike
I confess that I ran out and bought one of these after hearing @Steve speak so highly of it. I read about how I could have the IOT network isolation of my dreams, home and work networks, self-hosted VPN, etc... And I wondered, could I VPN in from out of the country and access Xfinity content and/or my TiVo?!? I think the answer to that last question USED TO BE Yes. But I think any Xfinity/Comcast apps now detect VPN connections.

But, alas, I am a software engineer, not a network engineer. So - like so many other things in life - I spent enough time playing with it to grasp just how much more I would have to learn before I dared try to do much with it. Someday... You know, that day that never comes.

When my company closed the office and we all had to work from home, Verizon's crappy works-well-on-dry-sunny-days DSL was out and I forced myself to drink the Xfinity/Comcast Kool-Aid. I bought my own ARRIS telephony modem (no $10/mo rental but also no X1 goodies) and, along with the Ubiquiti EdgeRouter X, a new Ethernet cable run down to the basement office, and two TP-Link wired/Wi-Fi routers as access points (one upstairs for the house, one downstairs for the office) I have a working network. But it is all pretty much still in the brain-dead default configuration with just enough network isolation to make the printer upstairs inaccessible from the system downstairs, unless I drop the Ethernet connection and switch over to the upstairs Wi-Fi.

I have dreamed of someone publishing some useful X configuration models that I could be lazy and adopt. Or maybe a new release of the X firmware with a comprehensible UX. @mjp66's https://github.com/mjp66/Ubiquiti/blob/master/Ubiquiti Home Network.pdf looks great! But when even the improved and clarified documentation is still 200 pages, I fear Someday may be no closer than it has been since we all first heard about SQRL. I guess I'll have to give that nice PDF a thorough read... someday. Some day soon. Though that Three (ok, four or five) Dumb Routers implementation sounds better and better.
 
@Dave I haven't read every single word of this thread. I run data from the house out to the internet on Comcast via TorGuard VPN all the time. I don't know about inbound traffic. Comcast doesn't seem to care. They may throttle me sometimes on long downloads but I cannot prove it.

Why not try a literal physical 2 dumb routers or 3 dumb routers setup. This is what I do. Control the network topology with physical wires. Forgive me if I don't completely understand your setup. I have a Comcast telephony modem but otherwise have my own equipment. My cable modem. My routers. No Xfinity anything. And no unwanted shared WiFi.

Assume router A is your border router. Its WAN output goes to your cable modem. Attach your printer via Ethernet to a LAN port on router A. Assume router B is your downstairs router. Attach router B's WAN port to a LAN port on router A. Attach your downstairs equipment to LAN ports on router B. Assume router C is your upstairs router. Attach router C's WAN port to a LAN port on router A. If you need more ports, you can attach a switch to the LAN ports on a router. Attach your upstairs equipment to LAN ports on router C.

All your equipment will be able to access the internet and all your equipment will be able to access the printer. You will have strong isolation between upstairs and downstairs. Upstairs equipment will not be able to access downstairs equipment and vice versa. I've been doing this ever since @Steve talked about 3 dumb routers years ago. It works well. I don't do anything that requires unsolicited data coming from the internet into the house. Below is a blog post I put out on the topic years ago. If you needed another IoT segment, for example, you could add a 4th router with its WAN port going to a LAN port on router A. Note, however, that anything that's hostile in your network could potentially attack the printer or the border router. Hope this helps.


May your bits be stable and your interfaces be fast. :cool: Ron
 
I've been tempted by the Synology routers. They seem like very good gear. Lots of security-minded features and good performance.

Although it may work for you, as @PHolder suggests, this is the opposite of Wi-Fi best practice. Ideally your WAPs should transmit on channels that don't conflict with any nearby access points. And only use 1, 6, 11 for 2.4 GHz (because they're the only ones that don't overlap). Perhaps given your "stone" house, the WAPs never see the other APs. However, there is no need to use different channels to "seamlessly connect from one AP to another..." Just using the same SSID/passphrase does that. Cheers.
I've had a Synology RT2600ac since it was released in June 2017. I added an MR2200 mesh router the next year. I have good Wi-Fi coverage all over the house (over 3000 sq. ft.).

Synology has announced the release of their RT6600ax. This is a tri-band Wi-Fi 6 router. Reviews I have seen state that the Wi-Fi range performance is excellent. It comes with a new version of SRM (Synology Router Manager, their OS) which will be released in the 3rd quarter for the older RT2600 and MR2200, which will likely allow them all to operate as a mesh. The new version of SRM also allows for multiple VLANs to be set up.

I am a solid fan of the Synology router for its features and protections. It offers a lot of protections and even online time quotas on a per-device basis if you have kids. Safe browsing is standard and can be configured to block undesirable traffic, including ads. This provides protection and ad blocking to phones and tablets which don't have the ad blocking add-ons like browsers. There is also the Threat Prevention add-on in addition to VPN Server, and others.

I will likely stay with my current setup, at least for now. Once the newest SRM version is released for older models, the only thing I won't have is the ax Wi-Fi, but none of my clients support it either at this point.

In addition, these devices are rock solid. Typically, reboots only occur when I'm upgrading the SRM version, or extended power outages that exceed the uptime on my UPS.
 
I recently added a Synology router behind my cable modem. I am still learning about its security features which I like, and locked myself out of it a few times along the way. One of the (many) settings I have a question about is whether or not to enable reboots on a schedule. My initial thought is no, but I also recall from a past SN that a reboot can remove some types of malware. Another thing in the mix is I have a Raspberry Pi server hooked up to the Synology which is online 7x24. I have done manual reboots of the Synology and the Pi came back online, so I don't think that is an issue. Any ideas pro and con about scheduled reboots?
 
I recently added a Synology router behind my cable modem. I am still learning about its security features which I like, and locked myself out of it a few times along the way. One of the (many) settings I have a question about is whether or not to enable reboots on a schedule. My initial thought is no, but I also recall from a past SN that a reboot can remove some types of malware. Another thing in the mix is I have a Raspberry Pi server hooked up to the Synology which is online 7x24. I have done manual reboots of the Synology and the Pi came back online, so I don't think that is an issue. Any ideas pro and con about scheduled reboots?
Not having done it either way before, just thinking about reboots as a user... Pro, it might help updates get installed and cache cleared. Con, it might interrupt usage. Or if it has issues and you had it reboot overnight when not used, might not be able to address issues for a while.
 
From a security point of view, if this is your outermost router (closest to the internet), you want to make sure all its external ports are stealthed unless you have a need for incoming open ports. You want the DMZ off. And, you want all remote administration off unless you have a special need for it and have taken substantial precautions for security for that. I have my routers running DD-WRT and I immediately went into the control panel and turned all that off or verified that it was off. You also want all external services off which relates to open ports. Having nothing running externally minimizes the attack surface for malware against the router from outside. It doesn't protect the router if you have malware in your PC and you log into it from inside.

In answer to your actual question, and just my personal opinion, I have each router set to reboot at 3 AM every day. If the router has an automatic time sync function (NTP), turn that on so its clock stays correct. Sometimes these little devices can become unstable if running for months without a reboot. If devices don't reconnect properly, you can set the boot times to go from outermost to innermost items. You might be able to get the RPi to auto reboot too if you wanted, but you have to be careful that its software doesn't get damaged. I don't auto-reboot my PCs and tablets, but I generally manually reboot every week or two, or there will be an electrical storm that makes me shut down, etc.

May your bits be stable and your interfaces be fast. :cool: Ron
 
Any ideas pro and con about scheduled reboots?
Up to date security is good news, but on the other hand, if you allow updates to cause reboots, then you may suffer the failure mode of a light bulb. (The old fashioned kind not necessarily the LED kind.) Most light bulbs fail when powering up. This is the point where they have the most work to do as they have to heat up to their operating temperature.

If your device updates and then reboots in the middle of the night, while you are "absent from keyboard", then it's possible that is the time when a bug will surface that will cause an outage. This probably won't happen often... if ever, but if it does happen to you, it will probably be quite confusing when you're just waking up (or someone wakes you to tell you) and things are hosed.

This is probably not a motivating factor for or against any particular choice, but just something to be aware of for the future.
 
@PHolder Yeah, I'm leery of auto updates as they do periodically change things. Unfortunately, one has to be leery of never getting updates. It's hard to know the best answer. I guess, with a router, and especially with something like DD-WRT and with all outside services turned off, I'm more inclined to want my updates to be only manually installed. It's probably a good idea to be on the email list of your router maker but I honestly don't know if I'm on DD-WRT's list or not. They have so many versions and years of products that I don't even know if they could issue customized emails.

May your bits be stable and your interfaces be fast. :cool: Ron
 
I was always hesitant about turning electronic things off or rebooting unless absolutely necessary. A good (bad?) habit from my early days working with equipment where if something turned off it was hit and miss whether it would come back up OK. I turned the reboot on schedule back off on the router. For now, until I get tired of it, I log into the router daily to look around and try to figure out what some of the settings do; it's still a 'new toy'. As far as I can tell it hasn't done any reboots aside from the ones I caused. I have a small UPS for both routers I haven't installed yet. My cable modem doesn't seem to take to power glitches too well and often comes back up without an internet connection.

I did schedule the various update checks at different times during the night so nothing would happen while something else is active. Thanks for the thoughts on that. Now I have no auto reboot set and I left auto updates enabled. One of the menus has an 'up time' counter so I'll keep an eye on that to see if it reboots by itself.

Funny, I just recalled from my mainframe days when some programmers would update software during the week that needed a reboot to become active. Their thinking was to save a trip into work on the weekend. A number of times there were unexpected problems where they needed to IPL/reboot the system off schedule and the patches took effect, sometimes with very bad results.
 