Reliably determine range of IP addresses that could be assigned to router


Like many of us with home internet service provided by ISPs, my router/modem is dynamically assigned an external IP address, typically within a range. When the router is reset (e.g. by a power outage) the router negotiates a new lease on a different IP address from the ISP.

I connect from home to a server to which I have admin rights. I'd like to open the firewall on the server to only the IP address range that may be assigned to my home router.

How can I reliably determine what this range is? I am assuming that the ISP will not be able to tell me this information if I call (either because policy may not permit it, or staff have no idea what I am talking about).

I'd also like it to be the smallest range (or set of ranges possible) for security reasons.

digitalmaps

Posted 2012-05-19T03:18:30.667

Reputation: 233

Side thought: you could reliably keep the same IP through its lease if you had the modem on a UPS, like the same one shared by the computer. – Psycogeek – 2012-05-19T03:58:20.820

Answers

3

Don't assume that someone at your ISP can't tell you this information. You may be right, but in all honesty, they are the people who will have this information. Since you could purchase a static IP from them (even though you don't want one) they are the ones in the know.

You can't reliably narrow down the range... at all, really. I mean, let's just throw numbers out there. For example...

If your IP address one day was 69.79.10.230... who is to say that your ISP has only leased 69.79.10.xxx for use for their customers? They could have 69.79.xxx.xxx available to them, which means that there are more than 65,000 addresses available there. And if you monitor the addresses to which you are assigned for... say... a week, who is to say that these are the only subnets they operate in? Do you have to watch for a month? What if they rotate subnets every 6 months or every year? This is why I say you can't reliably guess at a narrow range.

Of course, this really depends on how you define "narrow" and "reliably" for the purpose of this.

This is why I say you should take the chance and call your ISP tech support. Tell them what you need and exactly why you need it, and ask to speak to a level 2 tech or a supervisor. Honestly, they are usually far more supportive than you would think, especially when they are telling you things that do not make them directly responsible. They won't be as helpful telling you how to set up your router (because they don't want to be liable for equipment they don't own), but giving you the range you can expect your IP addresses to come from is not telling you anything you would not already learn on your own over time. They might turn you down, but hey... you never know if you don't ask.

Bon Gart

Posted 2012-05-19T03:18:30.667

Reputation: 12 574

I know it is less secure, obviously, but opening 69.xxx.xxx.xxx in your example is certainly better than having no firewall at all. Or is this too risky? – digitalmaps – 2012-05-19T04:04:55.147

Sure, opening "only" to the 69.0.0.0 range is better than nothing, but it is a very big hole... – laurent – 2012-05-19T04:14:50.187

16 million address hole, give or take... – Bon Gart – 2012-05-19T04:17:13.993

I agree with Bon, contact their Tech Support and ask for a level 2 or 3 tech. The level 1 techs won't know what you're talking about but the level 2 or 3 techs most likely will. Be persistent. Level 1 techs are more or less the front line grunts, and most of them will do what they can to get you off the phone as quickly as possible, keep asking for a level 2 or 3 tech or ask for a supervisor to transfer you to them.

Since you're paying for the service, I think it's only fair for you to get support from them. The worst the level 2 / 3 techs can say is no. – White Phoenix – 2012-05-19T07:04:54.263
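Bon Gart's argument, carried out in numbers: given the leases a home router has been observed holding, the smallest single CIDR block that covers all of them is the longest common prefix of the lowest and highest address, and one lease from a different subnet can widen that block from 256 hosts to 65,536 or 16 million. This is an added example, not code from the thread; the observed addresses are constructed samples in the style of the 69.79.10.230 example.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed samples: addresses a home router was seen holding over time.
OBSERVED_WEEK = ["69.79.10.230", "69.79.10.17", "69.79.10.201"]
OBSERVED_LATER = OBSERVED_WEEK + ["69.79.133.5"]   # a lease from another /24
OBSERVED_YEAR = OBSERVED_LATER + ["69.212.40.9"]   # a lease from another /16


def covering_network(addresses: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every observed address.

    Every address between the lowest and highest observed one shares their
    common prefix, so that prefix defines the block.
    """
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in addresses)
    if not ints:
        raise ValueError("need at least one address")
    lo, hi = ints[0], ints[-1]
    prefix = 32 - (lo ^ hi).bit_length()          # bits that never differ
    network_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network_int, prefix))


def allow_rule_cost(addresses: Iterable[str]) -> Tuple[str, int, int]:
    """Return (cidr, hosts the rule admits, hosts never observed from home).

    The third value is the size of the hole a firewall allow-rule for the
    covering block opens beyond the addresses actually seen.
    """
    addrs = set(addresses)
    net = covering_network(addrs)
    return str(net), net.num_addresses, net.num_addresses - len(addrs)


if __name__ == "__main__":
    for label, sample in [("one week", OBSERVED_WEEK),
                          ("later", OBSERVED_LATER),
                          ("a year", OBSERVED_YEAR)]:
        cidr, total, unobserved = allow_rule_cost(sample)
        print(f"{label:>8}: {cidr:<16} admits {total:>10,} hosts, "
              f"{unobserved:,} never seen from home")
```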

3

As Bon Gart said, your ISP is the only one who knows this info; you won't guess it reliably, and it can change over time.

Anyways, I don't think this is a secure way to open your server firewall to connect to it. Depending on the OS you use, what you want to do on the server and how and what you have available, there are more secure ways to connect to it. Here are a few ideas:

  • register with a Dynamic DNS provider (dynDNS or DNSExit for example) and open the firewall only to the host address (A pointer) assigned to your home machine
  • use a VPN with ssl certificates on both sides (openvpn for example)
  • use SSH with keys or keys and password but not only passwords
  • only open ssh (or other) port (with ssh keys) and make encrypted tunnels to the ports you need to use on the server so you connect to a local port on your machine
  • in all cases, use fail2ban or something like that to block IPs after a few wrong attempts

laurent

Posted 2012-05-19T03:18:30.667

Reputation: 4 166

Unfortunately, the server is Windows 2003 using the RRAS firewall. Only IP addresses can be specified, so the nice DNS-based solution doesn't work. And I'd like to limit VPN access as well to only my home computer -- or is this overly secure? – digitalmaps – 2012-05-19T04:03:01.517

Nothing is overly secure :) I think a VPN (like openvpn) with one encryption key on each side, with the server checking that the client has the key, is fair security in my opinion, mainly if you automatically ban IPs making unsuccessful connection attempts. – laurent – 2012-05-19T04:11:34.137

Use a service like DynDNS or FreeDNS to negotiate the connection, with a script on the server to set the DNS entry correctly when the IP address changes. You can then set up security as normal. – ChimneyImp – 2012-05-19T06:01:06.427