On Wed, Mar 29, 2017 at 11:28 AM, Kai Krakow <hurikhan77@×××××.com> wrote:
> On Wed, 29 Mar 2017 04:52:08 -0700,
> Jorge Almeida <jjalmeida@×××××.com> wrote:
>
>> On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick <neil@××××××××××.uk>
>> wrote:
>> > On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
>> >
>>
>> The ISP-provided router is officially managed (whatever this means) by
>> them. As to privacy, I know a packet is visible once it leaves the
>> router via the WAN port. What I worry a bit about is the possibility of
>> foul play towards the home network. The computers are firewalled via
>> iptables, but accept connections from 192.168.... What prevents a
>> hacked router from impersonating a local origin?
>
> Block packets originating from the router MAC address that don't
> belong to a known connection. Then deploy a managed switch that can do
> MAC address filtering so it allows only the one MAC address on the
> router port. This should be safe enough. It would be difficult to get
> around such a setup. To be even safer, use VLANs and exclude all
> your computers from the management port.
>
> This, however, doesn't prevent tampering with packets on their way
> through the router. You could use a VPN and place the tunnel endpoints
> only on trusted routers. That way, your ISP only relays VPN traffic,
> and ensures the transfer networks below are only used for VPN and your
> machines accept nothing else.
>
> --

Assuming that the router speed issue has no solution, I think I'll
adopt a different setup: all computers (just 3) with 2 network cards;
one card connected to the ISP router, rejecting all incoming packets
that are not part of an established connection; the other card
connected to one of my routers, accepting local connections
(different subnet from the one associated with the ISP router;
computers with static IPs, for good measure). This secondary router
has the WAN port disconnected (is this the same as a switch?). This
should allow the home computers to communicate with each other without
any outside interference. Am I missing something?

Regards

Jorge
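An added example, not part of the thread: a POSIX shell script that emits (without applying) the iptables rules for the two-NIC host described above, including the anti-spoofing rules that stop a packet arriving from the ISP router with a forged local source address. The interface names eth0/eth1, the LAN subnet 192.168.10.0/24 and the use of conntrack and rp_filter are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for a host with
# one NIC facing the ISP router and one NIC on the private LAN. The script only
# prints the rules, so they can be reviewed first and then piped to `sh`.
# Assumptions (mine, not from the thread): the ISP-facing NIC is eth0, the LAN
# NIC is eth1, and the private LAN is 192.168.10.0/24 with static addresses.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}

gen_rules() {
  cat <<EOF
# This host is not a router: never forward between the two NICs
sysctl -w net.ipv4.ip_forward=0
# Strict reverse-path filtering: a packet whose source belongs to the LAN
# subnet is only accepted on the LAN NIC, whatever the ISP router sends
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=1
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing goes BEFORE the established-connection rule, so a packet
# arriving from the ISP router with a forged LAN source cannot ride an
# existing LAN connection's conntrack entry (conntrack ignores interfaces)
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN NIC: new connections only from the local subnet
iptables -A INPUT -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# ISP-facing NIC: nothing new is ever accepted; log what gets dropped
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
EOF
}

gen_rules
```

Review the output, then apply it with `gen_rules | sh` as root; the LAN subnet must differ from the ISP router's subnet, as the message above already requires, or the anti-spoof rules cannot tell the two apart.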