September 28, 2008 9:32 PM PDT

Adding a second router: Living with the new setup

by Michael Horowitz

This is the last posting in a trilogy about adding a second router to a Local Area Network to provide an additional layer of protection for high value computers.

The first thing I noticed after setting up a network as described in the previous posting was that a newly protected computer, plugged into the second router, just worked. All the hard work is in configuring the new router. Any computer using DHCP, which is the norm, shouldn't need any changes to enable the additional protection: the second router runs its own DHCP server, so a computer plugged into it receives its address, default gateway and DNS settings from that router and never needs to know the first router exists.

One side effect of the new LAN segregation is the loss of remote control across it. On the network I tested with, I sometimes use RealVNC to remotely control another computer on the LAN. This is no longer possible across the divide that the second router was brought in to create. To continue with the adult/kid scenario from before, it is no longer possible for an adult to remotely control the computer of a child.

The newly created digital divide also prevents file sharing between an adult and a child. Of course, that's by design.

Also by design, an adult's computer can no longer connect to the kids' router to make configuration changes. Or so I thought. While this is true when dealing with private IP addresses, the kids' router also has a public IP address (you can see your public IP address using www.ipchicken.com). I was surprised to find that entering the public IP address into the Web browser on an adult's computer brought up the internal Web site in the kids' router.

From a kids' computer, the Web site in the kids' router could also be accessed by its public IP address. The router in question was a Belkin Wi-Fi G F5D7230. I'm not sure that other routers will also act this way; it depends on whether the router's built-in Web server answers requests addressed to its public (WAN) address when those requests arrive from the LAN side, rather than only answering requests sent to its private address.

From outside the LAN, the Web site in the kids' router is not reachable. This was expected, as the remote administration feature was purposely turned off, a recommended Defensive Computing step. That setting blocks administration requests that arrive on the router's Internet-facing (WAN) interface; a request from inside the LAN addressed to the public IP address arrives on the LAN side instead, which is the most likely reason it still got through.
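A check a practitioner would want after reading the above, written for this page as an added example (it is not code from the original post and does not describe the author's own routers): probe the router's administration page from whichever computer you are sitting at, at both its private and its public address, and see which one answers. The addresses in PROBES are constructed placeholders; 203.0.113.7 is a reserved documentation address, so substitute the public address that ipchicken.com shows you.

```python
import socket
import urllib.error
import urllib.request

# Constructed placeholder addresses, not the author's: 192.168.2.1 stands in
# for the kids' router's private (LAN) address and 203.0.113.7 (a reserved
# documentation address) for its public (WAN) address as shown by ipchicken.com.
PROBES = [
    ("kids' router, private address", "http://192.168.2.1/"),
    ("kids' router, public address", "http://203.0.113.7/"),
]


def probe_admin(url, timeout=4.0):
    """Return the HTTP status code if anything answers at url, else None.

    A 401 or 403 still counts as reachable: the router's Web server is
    answering and merely wants a password. Only a connection failure or a
    timeout means the administration page is not exposed at that address.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def admin_exposure(probes, timeout=4.0):
    """Probe every (label, url) pair; map label -> status code or None."""
    return {label: probe_admin(url, timeout) for label, url in probes}


def describe(results):
    """One human-readable line per probe."""
    lines = []
    for label, code in results.items():
        if code is None:
            lines.append(f"{label}: not reachable")
        else:
            lines.append(f"{label}: REACHABLE (HTTP {code})")
    return lines


if __name__ == "__main__":
    # Run this once from a kids' computer, once from an adult's computer,
    # once from outside the LAN (for example a phone on the mobile network)
    # and once with your VPN up, and compare the four reports. From outside
    # the LAN, with remote administration off, nothing should be REACHABLE.
    for line in describe(admin_exposure(PROBES)):
        print(line)
```

Because the check is only about whether the page answers, a password prompt (401) or a forbidden response (403) is reported as REACHABLE on purpose: what matters for the attack surface is that the router's Web server is talking to that address at all.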

I use an SSL VPN from WiTopia.net whenever I access an untrusted network. The VPN worked just fine from an adult's computer. In fact, it worked so well that I could no longer see the Web site in the kids' router using its public IP address. Thanks to the VPN, I was accessing the Internet from WiTopia rather than from the LAN: with the tunnel up, the request to the public IP address left through the VPN and came back to the kids' router from the outside, where remote administration is turned off.

Leo Notenboom, whose article "How do I protect myself from my children?" prompted this trilogy, uses Hamachi, another type of VPN. He said it works fine in this type of network configuration. There are other types of VPNs, such as IPsec, which I can't test.

Wi-Fi should present no problem in a double-router LAN. In fact, each router can have its own Wi-Fi network.

In the best case, one wireless network would use the crowded 2.4GHz band (Wi-Fi B, G and N) and the other would use the 5GHz band (Wi-Fi A and N), so that they don't step on each other's feet. But most consumer routers only use the 2.4GHz band, so, if possible, configure each router to use a different Wi-Fi channel. Note that merely different is not enough: 2.4GHz channel numbers are only 5 MHz apart, while a G or N channel is about 20 MHz wide, so channels 1 and 3, say, still overlap. Pick channels at least five numbers apart, such as 1 and 6, 6 and 11, or 1 and 11.
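As an added example, not taken from the original post, the channel arithmetic behind that advice: 2.4GHz centre frequencies are 2407 + 5 × channel MHz (channel 14, at 2484 MHz, is a Japan-only special case), and a 20 MHz channel overlaps anything whose centre is within 20 MHz of its own. The 20 MHz width is the 802.11g/n figure; 802.11b channels are slightly wider, and the 5GHz band is not modelled here.

```python
CHANNEL_WIDTH_MHZ = 20  # 802.11g/n use 20 MHz channels; 802.11b is about 22 MHz


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel, 1..14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """True if the spectrum of channel a overlaps that of channel b."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width


def pick_channel(other, preferred=(1, 6, 11)):
    """Channel for the second router that stays clear of the first router's.

    Tries the conventional non-overlapping set 1/6/11 first, then any other
    channel. Returns None only if nothing clears, which cannot happen on 2.4 GHz.
    """
    for candidate in list(preferred) + list(range(1, 14)):
        if candidate != other and not channels_overlap(candidate, other):
            return candidate
    return None


def check_pair(first, second):
    """For two routers' channels, return (they overlap?, channel to use on the second)."""
    if channels_overlap(first, second):
        return True, pick_channel(first)
    return False, second


if __name__ == "__main__":
    # Example: the adults' router landed on channel 6 via "Smart select",
    # the kids' router is on its factory default of 8. They overlap; move
    # the kids' router to 1 (or 11).
    print(check_pair(6, 8))
```

If one router picks its channel automatically, as the Ruckus does, rerun the check whenever it changes: a channel that cleared yesterday's choice may overlap today's.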

In my case, the adults' router was a Ruckus 2825, which has a "Smart select" option for the Wi-Fi channel. Testing it on different days, it did indeed choose different channels. So far, the Ruckus router has shown excellent range, but I haven't yet put it to the acid test.

Another way to avoid having the two wireless networks interfere with each other is to turn off the wireless radio in a router when not in use. This is done using the internal Web site in the router and, as noted above, an adult's computer can reach the configuration pages of both routers. I've yet to see a Wi-Fi router with a physical switch for turning off the radio; if you know of one, please leave a comment below.

All in all, the cost and inconvenience seem pretty small for the extra protection a second router can offer adult/high-value computers.

Update: September 29, 2008. The point about remote control needs to be clarified. There are two approaches to establishing the connection between the two computers: direct and with a middle-man. On a normal LAN, you can use the direct approach by entering the IP address of the controllee from the controller machine. Adding a second router limits this option to adults controlling adults or children controlling children. However, since all computers can still access the Internet, the middle-man approach still works. With this scheme, each computer first makes an outbound connection to a middle-man website, which both routers permit, and the middle-man joins the two connections together. GoToMyPC is an example of the middle-man approach whereas RealVNC is an example of the direct approach.
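To make the direct-versus-middle-man distinction concrete, here is an added example that is not part of the original post and is not how GoToMyPC or RealVNC actually work: a toy rendezvous relay and two clients, all on localhost. The relay, the client roles and the messages are constructed for the illustration. The point it shows is that neither client ever listens for an inbound connection; both only connect outward, which is exactly what a NAT router lets through, so the scheme survives the boundary that blocks the direct approach.

```python
import socket
import threading

# Everything here runs on localhost. The relay stands in for the middle-man
# website; the two clients stand in for the controller and the controllee.


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(host="127.0.0.1"):
    """Listen on an ephemeral port, pair the first two clients, splice them.

    Returns the port number so the clients know where to rendezvous.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(2)
    port = listener.getsockname()[1]

    def serve():
        first, _ = listener.accept()
        second, _ = listener.accept()
        listener.close()
        # Two one-way pumps make one two-way pipe between the clients.
        threading.Thread(target=_pump, args=(first, second), daemon=True).start()
        threading.Thread(target=_pump, args=(second, first), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_out(port, host="127.0.0.1"):
    """An outbound TCP connection: the only kind a NAT router lets through."""
    return socket.create_connection((host, port), timeout=5)


def exchange(port, request=b"what is your screen size?"):
    """Controller asks through the relay; the controllee answers back through it.

    Returns (what the controllee received, what the controller received).
    """
    controller = connect_out(port)  # e.g. the adult's computer
    controllee = connect_out(port)  # e.g. the child's computer
    try:
        controller.sendall(request)
        seen_by_controllee = controllee.recv(4096)
        controllee.sendall(b"1024x768")
        seen_by_controller = controller.recv(4096)
    finally:
        controller.close()
        controllee.close()
    return seen_by_controllee, seen_by_controller


if __name__ == "__main__":
    relay_port = start_relay()
    print(exchange(relay_port))
```

The security trade is visible in the code: the direct approach needs the controllee to accept an inbound connection, which the second router refuses; the middle-man approach replaces that with trust in whoever runs the relay, which sees every byte unless the two ends encrypt between themselves.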

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.
9 Comments
by mbenedict September 29, 2008 5:11 AM PDT
1) It is possible to remotely control a child's computer, properly configured.

2) Technical controls do not mean security. In this case there is no security due to lack of physical controls. E.g., a) the kids can physically get to the parents computer console when they're not looking; b) the kids can plug-in their computer right into the parents router; etc.

3) This arrangement can actually open a security hole which didn't exist before. E.g., kids can rewire the connection from the parent router to the kids router, to go through one of their machines instead, operating in promiscuous mode. This allows the kids to intercept any non-encrypted traffic. Whereas before (with just one router), the single switch will segregate each other's traffic so tcpdump, wireshark etc., wouldn't work. More devices means larger attack surface.

4) The "extra protection" from the double-NAT is negated in this case by having Wi-Fi. An outside intruder does not need to break into the kids network, then into the parents network. He can just attack the parents network directly via Wi-Fi. There is no "defense in depth" with this arrangement.

5) Parents are usually better off using "administrative controls" when dealing with their kids. One effective way is to put the kids computer in a common area instead of in their bedrooms.
by john5540 October 1, 2008 8:01 AM PDT
This is a non-issue. Having kids on a network with work computers is asking for problems. Just keep the two systems separate. KISS. (of course, not having kids is an alternative)
by scottbuster September 29, 2008 8:45 AM PDT
Cradlepoint makes a router with a physical Wi-Fi on-off switch. The MBR1000 is the best router I've ever used. It accepts an Ethernet WAN input, or a Mobile Broadband device from Sprint, Verizon, ATT, or Alltel.

I currently have mine set up with my cable modem as the primary connection, but if that fails it switches to Sprint EVDO within seconds.
Usually when that happens I plug in my Verizon EVDO device as well; with both plugged in, it does load balancing and doubles the bandwidth.
by mhinnewyork September 29, 2008 5:29 PM PDT
I have a Cradlepoint router which I use with a Verizon EVDO card, but the model you are describing sounds like a higher end router than mine. Michael Horowitz
by DLWilson61 September 29, 2008 9:57 AM PDT
If you are having problems with what your children are accessing on the internet, either move their PC to where it can be monitored or purchase a monitoring program such as CyberPatrol to do it for you. I use this program because I have 5 computers connected wirelessly in the home. I put it on all of them and it keeps us all honest and the kids from things they should not be in to. Also, if you have the proper anti-virus protection on each PC, a double router becomes moot.
Respectfully
David
by nrfnrf September 29, 2008 12:06 PM PDT
this discussion suggests a big question - what was the root cause that led to the whole exercise? what were the kids doing to the adults' computers? that would suggest whether this solution was helpful or not.
by mhinnewyork September 29, 2008 5:26 PM PDT
Sorry if that wasn't clear. The basic assumption is that the Internet is a dangerous place and kids, without an appreciation of the dangers, are more likely to get infected with malicious software. Also, unless software is kept current, infections are more likely. Then too, some computers just deserve more protection because they serve a very important function, such as someone who works at home full time.
Michael Horowitz
by techdoodle October 4, 2008 6:33 AM PDT
Trendnet also makes a couple of routers with a physical wireless on/off switch. Models TEW633GR and TEW672GR.
by dixie281 October 27, 2009 7:05 AM PDT
I have a Linksys WRT54GL running Tomato firmware. One of the options that you have when using Tomato (and most other aftermarket firmware I would imagine) is to change the function of the Secure Easy Setup button on the router. Mine is set to where pressing and holding the button for 1 second switches the wireless on/off.