
Thread: Web security

  1. #16
    It's impossible to give a step by step since we don't know what hardware you have. First off, if at all possible, your best bet is to eliminate any carrier-provided equipment. With cable that's normal; you can just go buy a cable modem and hook up your own router. Sometimes you can with DSL, and on FIOS they seem to always provide the hardware. For DSL, the easy trick is to turn on "pass-through" or "bridge mode" or "invisible mode" or similar. Basically telling the carrier-provided modem/router combo to behave as a modem only. Then plug in your own router. I never deal with FIOS so I don't have any recommendations on that, but I'd bet there's something similar.

    Keep in mind that most of these issues aren't really a threat to YOU personally. Overall for society there's a problem, but your individual risk level is still very low. If your router is compromised that still won't give anyone access to secure connections such as your bank, or even this site. That data is independently encrypted and nothing on your router can change that.

  2. #17
    Join Date
    Mar 2003
    Location
    SE PA - Central Bucks County
    Posts
    65,854
    Carlos, on FiOS, one can use their own router, but it can set up some limitations. The STBs get guide and VOD information via MOCA and the VZ-provided gateway is the bridge from Ethernet to COAX for that communication. (The primary STB can only be on COAX but the small, slave units in other rooms can be on Ethernet however) Some folks will use their own gateway/router for primary and just use the G1100 or Actiontec gateway for bridging purposes. Some will invest in a dedicated MOCA bridge, but not many want to spend the money when they already have a device that can be used for this purpose in-hand. Further, if one wants to use certain mobility features, the Verizon provided gateway must be in the primary position, not behind a user provided gateway/router. These choices may become more difficult in the future as a recent testing phase for IPTV utilized a combination ONT/Gateway Router at the fiber demark. While that testing was discontinued and the IPTV shelved for the moment, the fact that they were testing a combination optical interface to the PON and router in the same device speaks loudly.

    Folks on Comcast's XFinity may also have some limitations if they don't use the ISP-provided gateway.
    --

    The most expensive tool is the one you buy "cheaply" and often...

  3. #18
    Quote Originally Posted by Jim Becker View Post
    Carlos, on FiOS, one can use their own router, but it can set up some limitations. The STBs get guide and VOD information via MOCA and the VZ-provided gateway is the bridge from Ethernet to COAX for that communication. (The primary STB can only be on COAX but the small, slave units in other rooms can be on Ethernet however) Some folks will use their own gateway/router for primary and just use the G1100 or Actiontec gateway for bridging purposes. Some will invest in a dedicated MOCA bridge, but not many want to spend the money when they already have a device that can be used for this purpose in-hand. Further, if one wants to use certain mobility features, the Verizon provided gateway must be in the primary position, not behind a user provided gateway/router. These choices may become more difficult in the future as a recent testing phase for IPTV utilized a combination ONT/Gateway Router at the fiber demark. While that testing was discontinued and the IPTV shelved for the moment, the fact that they were testing a combination optical interface to the PON and router in the same device speaks loudly.

    Folks on Comcast's XFinity may also have some limitations if they don't use the ISP-provided gateway.
    Thanks for the details. I work in commercial networking and just have never played with FIOS. My brother has it and I forget to even look at the gear. For residential, around here, coax still rules. Gigabit down, 35 up. I'd love to get more upload since I sometimes move large files to our servers from home.

    From a support perspective, we randomly have issues with customers who use stacked routers (ISP router plus personal router) if they don't put the ISP router in bridge or pass-through mode. This causes double NAT, and while in theory that's acceptable, in reality it causes issues sometimes. Particularly with VoIP phones.

  4. #19
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,569
    Quote Originally Posted by Pat Barry View Post
    Curt, please give an example of what services could be turned off and how you can go about doing that. As I mentioned earlier, I don't even know how to change the default password. Thanks
    WiFi, for starters. The device we have for Verizon FiOS is fairly basic, 2.4 GHz wifi only and we live in a townhouse community. The 2.4 GHz band is pretty crowded and the 5 GHz band is virtually empty. The router that is downstream supports 5 GHz and 'virtual' wifi networks so I use those. I can also vary the wifi transmit power so I turn it down so I get good wifi throughput but the signal doesn't carry far beyond our 4 walls. That may or may not be seen as a benefit depending on your needs and desires. I've selected a 3rd party DNS provider that can help a little with security. Lots of inexpensive things you can do to make yourself not the low hanging fruit for those of ill will. There are people on here far more knowledgeable than me.

  5. #20
    Join Date
    Sep 2010
    Location
    New England
    Posts
    2,475
    Quote Originally Posted by Carlos Alvarez View Post
    From a support perspective, we randomly have issues with customers who use stacked routers (ISP router plus personal router) if they don't put the ISP router in bridge or pass-through mode. This causes double NAT, and while in theory that's acceptable, in reality it causes issues sometimes. Particularly with VoIP phones.
    After adding my router last night, it worked fine at first but when I woke up this morning, I could not access the internet on my phone. It didn't matter which wi-fi network I joined. So I removed my router and things are back to normal. I spent some time on my Comcast account online and can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?

  6. #21
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,569
    Quote Originally Posted by Dave Zellers View Post
    After adding my router last night, it worked fine at first but when I woke up this morning, I could not access the internet on my phone. It didn't matter which wi-fi network I joined. So I removed my router and things are back to normal. I spent some time on my Comcast account online and can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?
    This sounds like a problem Carlos mentioned with VoIP. "Stacking routers" can also cause problems if both have DHCP enabled, you can only have one DHCP server per LAN. Maybe if you can put the Comcast device in pass thru or bridge mode, it may work. We have Verizon FiOS which may work somewhat differently. The ONT (Optical Network Terminal) has a separate output for phone and hooks into the existing phone wires. The Verizon tech I talked to made it sound like Verizon FiOS phone service is sort of a POTS/VoIP hybrid. I don't know how Comcast works.

  7. #22
    Quote Originally Posted by Curt Harms View Post
    This sounds like a problem Carlos mentioned with VoIP. "Stacking routers" can also cause problems if both have DHCP enabled, you can only have one DHCP server per LAN. Maybe if you can put the Comcast device in pass thru or bridge mode, it may work. We have Verizon FiOS which may work somewhat differently. The ONT (Optical Network Terminal) has a separate output for phone and hooks into the existing phone wires. The Verizon tech I talked to made it sound like Verizon FiOS phone service is sort of a POTS/VoIP hybrid. I don't know how Comcast works.
    I didn't say anything about DHCP, I said NAT. You can have multiple DHCP servers on a network (and I do). Since DHCP doesn't cross routers, if you have two routers in series, you can and should have it enabled on both. If you put the ISP-provided router into its transparent mode, then that automatically disables both NAT and DHCP, as well as all routing. The device becomes just a media converter and not a router.

  8. #23
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,569
    Quote Originally Posted by Carlos Alvarez View Post
    I didn't say anything about DHCP, I said NAT. You can have multiple DHCP servers on a network (and I do). Since DHCP doesn't cross routers, if you have two routers in series, you can and should have it enabled on both. If you put the ISP-provided router into its transparent mode, then that automatically disables both NAT and DHCP, as well as all routing. The device becomes just a media converter and not a router.
    I read someplace - don't remember where - that there should only be one DHCP server per network, guess not.

  9. #24
    Quote Originally Posted by Curt Harms View Post
    I read someplace - don't remember where - that there should only be one DHCP server per network, guess not.
    I don't know how technical you want to get, but the basics... If you have two, there's the potential for some issues. That's mitigated by proper configuration. Even with a random out-of-the-box config, the way most home routers work, it should be fine. Since a network can't really work for the users without DHCP, I put at least two of them on every business network I design. So you probably heard the advice based on the fact that if you don't know what you're doing, you MIGHT end up with problems.

    But again, not routers in series. In series, the DHCP cannot pass through the routers to the next one. So you still only have one DHCP server "per network" because in this context the networks are separated by routers. If you have two in PARALLEL, then they are both on the same network.

    Either way, all the issues I talked about are because of NAT, not DHCP. I'm happy to cover their details if anyone cares, but many times I make people's eyes glaze over getting too technical.

  10. #25
    Join Date
    Mar 2003
    Location
    SE PA - Central Bucks County
    Posts
    65,854
    I'm of the notion that for "most people" in a home network environment, one actual gateway/router with DHCP is a best practice to keep things simple and "less mysterious". Any other devices that are not endpoints should be passive/transparent/bridged and only provide a particular service, such as wireless access. But I also agree with Carlos that there are circumstances that having multiples is warranted. One example might be where there is a separate "guest network", with the operative idea, "separate network". And Carlos's example of having more than one DHCP for resiliency is quite common on business networks.

  11. #26
    Quote Originally Posted by Jim Becker View Post
    I'm of the notion that for "most people" in a home network environment, one actual gateway/router with DHCP is a best practice to keep things simple and "less mysterious". Any other devices that are not endpoints should be passive/transparent/bridged and only provide a particular service, such as wireless access. But I also agree with Carlos that there are circumstances that having multiples is warranted. One example might be where there is a separate "guest network", with the operative idea, "separate network". And Carlos's example of having more than one DHCP for resiliency is quite common on business networks.
    Totally agreed.

    Also just realized nobody answered this:

    can't find anything about setting their router for pass-through. Is this a switch or a software adjustment?
    It's a checkbox in the router software. Here's an example of one such change: https://actiontecsupport.zendesk.com...iontec-MI424WR

  12. #27
    Join Date
    Sep 2010
    Location
    New England
    Posts
    2,475
    Quote Originally Posted by Carlos Alvarez View Post
    Totally agreed.

    Also just realized nobody answered this:



    It's a checkbox in the router software. Here's an example of one such change: https://actiontecsupport.zendesk.com...iontec-MI424WR
    Thanks for that. I'm working on it and have found a few web pages that might help but they are 3-5 years old and might not be relevant anymore. Also, I have bigger fish to fry right now- I gotta get the garden planted!

  13. #28
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,569
    Quote Originally Posted by Carlos Alvarez View Post
    I don't know how technical you want to get, but the basics... If you have two, there's the potential for some issues. That's mitigated by proper configuration. Even with a random out-of-the-box config, the way most home routers work, it should be fine. Since a network can't really work for the users without DHCP, I put at least two of them on every business network I design. So you probably heard the advice based on the fact that if you don't know what you're doing, you MIGHT end up with problems.

    But again, not routers in series. In series, the DHCP cannot pass through the routers to the next one. So you still only have one DHCP server "per network" because in this context the networks are separated by routers. If you have two in PARALLEL, then they are both on the same network.

    Either way, all the issues I talked about are because of NAT, not DHCP. I'm happy to cover their details if anyone cares, but many times I make people's eyes glaze over getting too technical.
    I think you've hit it, at least in my case. The 2 devices are connected LAN port to LAN port. I tried LAN to WAN but was never able to print from a machine connected to the other router.

  14. #29
    Quote Originally Posted by Dave Zellers View Post
    but they are 3-5 years old and might not be relevant anymore. Also, I have bigger fish to fry right now- I gotta get the garden planted!
    Nothing has really changed in this area. Well, there may be cosmetic changes to the menus and such, but the functionality has always been the same.

    Just now planting? We're well into our second harvest!

    As far as the issues of LAN-WAN-LAN-WAN or LAN-LAN-WAN... Back to back routers, in series, where one's WAN goes to the other's LAN port, allow you to add another router if you want to ignore the ISP-provided router. But yeah, anything connected to the ISP router cannot see anything behind your router. On purpose, by design. It's a good cheap way to have a "guest" network that can't see your network. Connecting the LAN ports together puts two DHCP servers on the same network, and creates a variety of potential problems. You really need to understand networking to do this.
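
Added example, not written by any poster in this thread: a small Python check for the two conditions discussed above, double NAT when the ISP router is not in bridge/pass-through mode and two DHCP servers answering on one segment when routers are cabled LAN-to-LAN. All addresses and observations are constructed for illustration; the carrier-grade NAT range goes beyond what the thread covers and is included so that a "no upstream NAT" result is accurate.

```python
import ipaddress

# Private ranges a home router hands out (RFC 1918) and carrier-grade NAT space (RFC 6598).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def upstream_nat(wan_ip):
    """Classify the address your own router received on its WAN port."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in RFC1918):
        return "isp-router-nat"  # ISP box is still routing, so traffic is NATed twice
    if ip in CGNAT:
        return "carrier-nat"     # NAT inside the carrier; bridge mode cannot remove it
    return "none"

def dhcp_servers(offers):
    """Distinct DHCP servers among (server_id, offered_ip) pairs seen on ONE segment."""
    return sorted({server for server, _ in offers})

def audit(wan_ip, offers):
    """Return findings; wan_ip is None when the WAN port is unused."""
    findings = []
    nat = upstream_nat(wan_ip) if wan_ip else "none"
    if nat == "isp-router-nat":
        findings.append("double NAT: WAN address is private; ISP router is not in bridge mode")
    elif nat == "carrier-nat":
        findings.append("carrier NAT: WAN address is in 100.64.0.0/10")
    servers = dhcp_servers(offers)
    if len(servers) > 1:
        findings.append("multiple DHCP servers on one segment: " + ", ".join(servers))
    return findings

# Constructed observations (not taken from the thread).
SERIES_NO_BRIDGE = ("192.168.1.2", [("192.168.50.1", "192.168.50.101")])
SERIES_BRIDGED = ("203.0.113.25", [("192.168.50.1", "192.168.50.101")])
LAN_TO_LAN = (None, [("192.168.1.1", "192.168.1.23"), ("192.168.50.1", "192.168.50.101")])

if __name__ == "__main__":
    for name, obs in [("series, no bridge", SERIES_NO_BRIDGE),
                      ("series, bridged", SERIES_BRIDGED),
                      ("LAN-to-LAN", LAN_TO_LAN)]:
        print(name, "->", audit(*obs) or "no findings")
```

The WAN address is shown on the personal router's status page; a multiple-server finding is a prompt to confirm the second server is deliberate, as on the business networks described earlier in the thread.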
