Can my landlord access my personal network because he controls the upstream connection?

23

5

Can my landlord access the things on my personal router's network because he controls the upstream connection? For example: the DLNA on my NAS, a public file share on my NAS, or the media server running on my laptop?

My configuration: I have my own router and connected to it are a NAS (wired) and a laptop (wireless.) The INTERNET/WAN port on my router is plugged into a LAN port on my landlord's router. The INTERNET/WAN port on my landlord's router goes to the cable modem. I am the only one with access and the password to my router. I don't have access or the password to my neighbor's router or the cable modem.

newperson1

Posted 2014-12-10T20:46:08.163

Reputation: 239

Presumably you don't have your own "landline" telephone? – Jodrell – 2014-12-11T11:36:49.053

Answers

32

No, your router should block incoming access to your LAN just like it would if it was connected directly to the Internet. He may be able to sniff your Internet traffic though (since he's between you and the Internet).

Perhaps check out these other SU questions:

Ƭᴇcʜιᴇ007

Posted 2014-12-10T20:46:08.163

Reputation: 103 763

Nice to see such a concise answer. Afaik (correct me if I'm wrong), if the landlord's router is off-the-shelf, and you can verify that the cables are going where they say, that sniffing all internet traffic isn't possible. – Jason – 2014-12-11T17:09:15.153

1 @Jason Depends on the router used. For example many routers allow port capturing and dumping. You can capture traffic going across whichever port for however long, then dump it to a file and load it into Wireshark (or alike) to view the traffic. Also, if it has a way to turn on a monitoring port, then you can actually monitor that single port live and see all traffic on the fly. – Ƭᴇcʜιᴇ007 – 2014-12-11T17:14:31.497

1 By off-the-shelf, I meant your home/soho products with factory firmware. I've never seen one with the capabilities you mention. – Jason – 2014-12-11T17:16:53.497

If you know what model it is, then you can look up its features, regardless of where/how it was bought, or what classification it may have. Otherwise, assume the worst. ;) – Ƭᴇcʜιᴇ007 – 2014-12-11T17:21:33.777

@Jason Anyone who can follow simple instructions can install custom firmware on home/soho routers. They could also use a linux box with two ethernet ports. – BlueRaja - Danny Pflughoeft – 2014-12-11T18:46:42.920

1 They could even install a network tap that doesn't require any power, like this: http://www.instructables.com/id/Make-a-Passive-Network-Tap/ – ponsfonze – 2014-12-11T22:21:47.697

@Jason, I don't know about the situation in Canada, but in Germany routers by AVM are quite popular, and rebranded variants often are given/sold to people by their ISPs. On those you can initiate a traffic dump via the web interface, even though that function is undocumented. – Carsten S – 2014-12-12T01:16:48.823

24

The other answers are basically correct, but I thought I'd expand on the topic. Hopefully this information will be useful.

As long as you have your router in a standard configuration, it should block unsolicited incoming network connection attempts, essentially acting as a blunt firewall.

Port Forwarding

Settings which increase your exposure surface would be forwarding any ports into your local area network (the devices connected to your router).

Be aware that some services on your network might open ports via UPnP (universal plug and play), so if you want to be certain that no-one is snooping inside your network, consider disabling UPnP in your router's settings. Be aware that will prevent anyone connecting to a service on your network, such as hosting a video game.

Wi-Fi

If your router has wi-fi, consider that someone can potentially connect to it. Someone who connects to your wi-fi service is essentially on your local network and can see everything.

So, if you use wi-fi, make sure you use the maximum security settings. At a minimum, set the network type to WPA2-AES, disable legacy support, set keys to reset a minimum of once per 24 hours and choose a complex wi-fi password.

Protocol Sniffing and VPNs

As your landlord sits between you and the public internet, he could potentially look at all traffic going into and out of your router. This is relatively easy to do and there are freely available network diagnostic tools to do this with.

Encrypted traffic between your browser and a website is generally safe as far as the content goes, however your landlord would be able to see what websites you visit (though not necessarily the specific pages).

However, consider that many web pages are not encrypted, and then there are all your mobile apps, email and other online activity which is potentially sent in the clear.

If you want ALL your traffic to be encrypted then you need to use an encrypted virtual private network (VPN). A VPN connects your network to the network of a VPN operator (usually a commercial enterprise), using encrypted protocol tunneling.

Ideally, the VPN would encrypt using AES encryption and the connection would be established at the router level so that all WAN traffic (to the internet) is encrypted and routed via the VPN.

If the router doesn't support VPN, then you'll need to set it up on each and every device (computer, phone, tablet, console, etc.) whose traffic you want to secure.

Encryption

As a general security principle, I advocate strongly encrypting all traffic. If everything is strongly encrypted, anyone snooping on you will not know where to begin. But if you only encrypt "important stuff", then they will know exactly where to attack.

Mark Micallef

Posted 2014-12-10T20:46:08.163

Reputation: 379

3 Good answer, although note that YOU will likely be able to see more of HIS network, if he's not been careful with how he set his router up.... – Jon Story – 2014-12-11T16:08:08.560

1 I would like to add to this that most routers have an access list for WiFi connections. Should you enable this, only APPROVED MAC addresses can even be allowed any access. – Virusboy – 2014-12-12T01:45:04.870

@VirusBoy Generally correct, though I would point out that MAC address spoofing is fairly easy to do for the determined hacker. I left it out because I felt IMHO that the hassle of setting it up for each device the OP wants to connect to his network (if he uses Wi-Fi) outweighs the security benefit it provides. – Mark Micallef – 2014-12-15T06:52:50.153

PS. For those of you who live in countries where the government regularly snoops on you, the theory is the same, just make sure the VPN you choose is outside your state's control. Specifically, choose a VPN in another country so that the traffic is safely encrypted during its entire journey through your national network. – Mark Micallef – 2015-05-15T01:29:36.520

1

The router should stop any connections originating from outside the WAN port - e.g., if your NAS is behind the router and the router has no port forwarding on, you are safe.

That being said, if your internet traffic goes through his router then he can (assuming he has the know-how) see all the sites and traffic you visit so just keep that in mind.

Arthur

Posted 2014-12-10T20:46:08.163

Reputation: 1 097

1

Your landlord cannot access your network behind the router just like his ISP cannot access the network behind his router due to Network Address Translation. He is basically your ISP and has assigned you an IP address. All he can see is your router as long as you have it secured. You can however, see what is on his network as he is outside the security of your router. His network is secured from the ISP but is exposed to your network, while you are secured by your own router. Think of it as living in a house where you have to go through his room to get to your room. You lock your door, so he can't go into your room, but you can go through his room to get outside.

someone

Posted 2014-12-10T20:46:08.163

Reputation: 11
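An added example (not from any of the answers) modelling the behaviour described above: a NAT router lets replies to LAN-initiated connections back in, drops unsolicited packets on its WAN port, and exposes a LAN service only once a port forward or UPnP mapping exists. This is a simplified model, and all addresses, the port 8200 and the class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Simplified model of a home router's WAN-side packet handling."""
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port)
    flows: dict = field(default_factory=dict)      # (proto, wan_port, peer_ip, peer_port) -> LAN host
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, peer_ip, peer_port):
        """A LAN host opens a connection: pick a WAN source port and record the flow."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(proto, wan_port, peer_ip, peer_port)] = (lan_ip, lan_port)
        return wan_port

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        """Manual port forward, or a mapping a LAN device requested over UPnP."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Packet arriving on the WAN port: LAN destination, or None when dropped."""
        reply_to = self.flows.get((proto, dst_port, src_ip, src_port))
        if reply_to:
            return reply_to                               # answer to a flow the LAN started
        return self.forwards.get((proto, dst_port))       # unsolicited: forwards only


def landlord_scenario(nas_requests_upnp_mapping: bool) -> dict:
    """Constructed addresses: tenant LAN 10.20.30.0/24, landlord LAN 192.168.1.0/24."""
    router, seen = NatRouter(), {}
    nas, laptop, landlord_pc = "10.20.30.5", "10.20.30.7", "192.168.1.2"
    # Laptop fetches a page; the server's reply matches a recorded flow.
    port = router.outbound("tcp", laptop, 51000, "203.0.113.10", 443)
    seen["web_reply"] = router.inbound("tcp", "203.0.113.10", 443, port)
    # Same WAN port but a different sender: no matching flow, so it is dropped.
    seen["other_sender"] = router.inbound("tcp", landlord_pc, 443, port)
    if nas_requests_upnp_mapping:
        router.add_forward("tcp", 8200, nas, 8200)        # 8200: sample media-server port
    # Upstream host connects to the media-server port on the router's WAN address.
    seen["upstream_to_nas"] = router.inbound("tcp", landlord_pc, 50000, 8200)
    return seen
```

Comparing `landlord_scenario(False)` with `landlord_scenario(True)` shows that the only thing that changes the outcome for the upstream host is the mapping, which is why the router's port-forward and UPnP tables are the place to audit.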

-4

Not to be a naysayer, but I'm not convinced; I'm actually sure your landlord can see any of your public devices, as his router has assigned your IP to your router, meaning with some minor tweaks he can access your network with pretty much ease. I would make sure your LAN subnet is very different from the usual 192.168.0.1 etc., e.g. 10.0.0.1 or something a lot more uncommon.

I'm not sure if DLNA will be exposed for you, but I know it does on mine. :(

Mr Legend79 Brown

Posted 2014-12-10T20:46:08.163

Reputation: 1

2 That wouldn't matter; if he has his own router, it blocks the items on the WAN side from accessing the LAN – Canadian Luke – 2014-12-12T17:44:06.330