
I have a BT Smart Hub as my router which has no guest network functionality, I also have a Netgear Nighthawk D7000.

Initially I attempted to use only the D7000 and take advantage of the guest wifi feature, but I couldn't get the setup right so that BT's YouView and Internet TV channels worked as required (some are encrypted, e.g. BT Sport, so I wonder if this was the problem).

I was considering a setup like this:

 Phone Line
     |
     |
 Main router, BT Smart Hub (has guest access)
     |      |        |                \  
     |     TV     YouView etc      Guest wireless devices
     | 
     |
 2nd / D7000 router (LAN on Main router -> Internet port on 2nd / D7000)

Is the setup destined to cause endless headaches setting up or is it quite straight forward?

The BT Smart Hub actually has an extra WAN port too. I wasn't certain if it was even a possibility to go from this WAN port to the Internet (WAN?) port on the D7000. Are there any extra benefits to this if it is possible? More secure? Any harder to set up?

Tackling the issue that a guest wireless device (or LAN-connected device) could take over the main router and effectively track all traffic to and from the Internet from the private router (which has my laptop / PC / Mac etc.): would using a VPN like F-Secure Freedome on all devices on the 2nd (private) router significantly mitigate or even stop any MITM there? Is there any risk of direct access to the devices on the 2nd router via the main router, or will the firewall in the 2nd router block this?

This question is sort of a follow-up to the one here, as one of the answers suggested the setup there was backward, but even if reversed it would open the setup to man-in-the-middle attacks and have all network traffic out of the 2nd router potentially exposed.

Rory Alsop

  • Are you trying to protect against accidental access, or against deliberate attempts at hacking? Basically, whenever you ask "is this secure?", you have to answer the question "secure against *what*?". – user Oct 31 '17 at 14:13
  • Ideally the network on the 2nd router safe from accidental access, and also it would be nicer knowing I can 'freely' give access to my wifi to guests, clients and potential clients who may come to my house for parties or meetings etc. without completely exposing my network shares or worse. As I have the second router already too, I thought I could make use of it. – Stibstibstib Oct 31 '17 at 14:40
  • And just to clarify, I'd give guests wifi access to the main router (BT Smart Hub) and personally only use the wifi on the second router (D7000). – Stibstibstib Oct 31 '17 at 14:50
  • @Stibstibstib how'd this go? – bashCypher Apr 17 '18 at 15:33

1 Answer

This is a great question, and as a hands-on pentester who is constantly setting up layered networks... I can tell you that it's not a straightforward answer. In my experience it's going to be more about how well designed these routers/switches are than good setup practices.

1: Try it. Just set it up, open Wireshark, and go. If you run into issues, check Wireshark. Be especially observant of ARP and DHCP calls. One major issue you might run into is confusion about having two ARP tables. If the first router thinks an IP has changed (DHCP) but the 2nd router (functioning as a layer 3 switch, basically) has not refreshed its ARP table... that device will be a ghost. Don't be afraid to unplug and replug the 2nd router to help with issues like this.

2: How routers handle multiple "gateways" is not always great. If you plug the D7000 into the main router on the D7000's WAN port, it can get confused. Some routers have features to mitigate this, some don't. If one of the routers can't handle the config you're setting up, I'd suggest making the IP range of the second router different from the first (10.0.0.0/24 and 192.168.0.0/24) to help with troubleshooting and confirmation of proper routing. It will force a route table on the 2nd router, which might help with confusion ("why are there multiple DHCP servers?!", say the router and devices).

3: MITM is confusing in the context used here. Most common MITM: a fake SSID that imitates -either router-, and when someone logs in it SSL-strips and collects passwords etc. This is a pretty specific and nasty type of attack. The 2nd most common man-in-the-middle happens if someone has already breached your network, and I won't go into it because you're in serious trouble at that point no matter how you look at it. Your setup, in my opinion, doesn't really affect your exposure to MITM for a motivated attacker.

Hook it all up, and report back with errors? Happy to help troubleshoot. Good luck.

bashCypher
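The following is an added example, not code from the question or the answer above. It models the double-NAT layout the question draws and the two points the answer makes in items 1 and 2: the D7000's WAN port takes an address on the BT Smart Hub's LAN, each router keeps stateful NAT on its own side, and the two LANs must not overlap. The addresses (192.168.1.0/24 for the hub, 10.0.0.0/24 for the D7000, 203.0.113.7 as the hub's ISP-side address, 198.51.100.10 as an Internet server) are assumptions chosen from the RFC 5737 documentation ranges, and the `Router` class is a deliberately simple model of a consumer router's NAT and connection tracking, not a real device's firmware.

```python
"""Model of the BT Smart Hub -> D7000 double-NAT layout (added example, assumed addresses)."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Router:
    name: str
    lan: ipaddress.IPv4Network        # subnet the router hands out on its LAN side
    wan_ip: IPv4                      # address on its upstream (WAN / "Internet") port
    peers: set = field(default_factory=set)   # remote addresses a LAN host has contacted

    def outbound(self, src: str, dst: str) -> IPv4:
        """LAN host -> upstream. Returns the source address the upstream side sees."""
        s, d = IPv4(src), IPv4(dst)
        if s not in self.lan:
            raise ValueError(f"{s} is not on {self.name}'s LAN {self.lan}")
        self.peers.add(d)          # connection tracking: remember who we talked to
        return self.wan_ip         # source NAT: upstream only ever sees the WAN address

    def inbound(self, src: str, dst: str) -> bool:
        """Upstream -> LAN. Only replies to a flow a LAN host opened are forwarded."""
        s, d = IPv4(src), IPv4(dst)
        return d == self.wan_ip and s in self.peers


def build_topology():
    """Hub on 192.168.1.0/24 (assumed); D7000's WAN port leased 192.168.1.2 by the hub."""
    hub = Router("BT Smart Hub", ipaddress.ip_network("192.168.1.0/24"), IPv4("203.0.113.7"))
    d7000 = Router("D7000", ipaddress.ip_network("10.0.0.0/24"), IPv4("192.168.1.2"))
    return hub, d7000


def misconfigured_d7000():
    """D7000 left on the same 192.168.1.0/24 as the hub: the case the answer warns about."""
    return Router("D7000 (bad)", ipaddress.ip_network("192.168.1.0/24"), IPv4("192.168.1.2"))


def subnets_overlap(hub: Router, second: Router) -> bool:
    return hub.lan.overlaps(second.lan)


def upstream_reachable(second: Router) -> bool:
    """A router whose WAN address lies inside its own LAN cannot route 'upstream' at all."""
    return second.wan_ip not in second.lan


def private_host_browses(hub, d7000, private_host="10.0.0.20", server="198.51.100.10"):
    """Trace one flow from a private laptop to the Internet through both NATs and back."""
    seen_by_hub = d7000.outbound(private_host, server)      # hub sees 192.168.1.2, not 10.0.0.20
    seen_by_isp = hub.outbound(str(seen_by_hub), server)    # ISP sees 203.0.113.7
    reply_at_hub = hub.inbound(server, str(seen_by_isp))    # reply matches hub's state
    reply_at_d7000 = d7000.inbound(server, str(seen_by_hub))  # and then the D7000's state
    return str(seen_by_hub), str(seen_by_isp), reply_at_hub and reply_at_d7000


def guest_probes_private_host(hub, d7000, guest="192.168.1.50", target="10.0.0.20"):
    """A guest on the hub's wifi tries to reach a host behind the D7000 directly."""
    # The hub has no LAN for 10.0.0.0/24, so it would only send this out its default route.
    hub_delivers_locally = IPv4(target) in hub.lan
    # Even a guest who hand-adds a route via 192.168.1.2 hits the D7000's WAN side
    # with a packet that matches no outbound state, so it is dropped.
    passes_d7000 = d7000.inbound(guest, target)
    return hub_delivers_locally, passes_d7000


def guest_probes_d7000_wan(hub, d7000, guest="192.168.1.50") -> bool:
    """A guest sends unsolicited traffic to the D7000's own WAN address."""
    return d7000.inbound(guest, str(d7000.wan_ip))


if __name__ == "__main__":
    hub, d7000 = build_topology()
    print("overlap:", subnets_overlap(hub, d7000), "upstream ok:", upstream_reachable(d7000))
    print("private laptop -> Internet:", private_host_browses(hub, d7000))
    print("guest -> private host:", guest_probes_private_host(hub, d7000))
    print("guest -> D7000 WAN:", guest_probes_d7000_wan(hub, d7000))
    bad = misconfigured_d7000()
    print("same subnet on both:", subnets_overlap(hub, bad), upstream_reachable(bad))
```

Two caveats the model makes visible. First, the hub still forwards every byte the private laptop sends; NAT only hides the laptop's address, not the content, so what protects against a compromised hub is TLS or the VPN the question mentions, not the second router. Second, the unsolicited probe to the D7000's WAN address is dropped here only because the model has no services listening on that side; on the real device, make sure remote (WAN-side) management is switched off, or a guest gets the D7000's login page. When checking this on the wire as the answer suggests, the Wireshark display filter `arp || dhcp` (`bootp` on older builds) isolates the traffic to watch.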