Network setup advice

Discussion in 'privacy problems' started by karad, Mar 27, 2018.

  1. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    245
    I usually run a LAN made of two computers (one Win7 Pro, the other Win8.1) which are connected to
    a four-port, wireless-deprived router. In order to provide wireless capabilities to a couple of smartphones and a netbook, I connect a second wireless router to the first one, just for a few hours a day (it uses the same range and subnet).
    Now I have a few questions about my setup:
    1-If I use computer A with my usual provider and computer B with a VPN (Comodo firewall in B will not accept connections from physical address A), can a web site remotely see any network hint of a double location?
    If yes, will having computer A in suspension be enough to avoid this?
    If I connect the wireless router to the LAN and consequently run two smartphones with it, will the VPN connection be affected to the point of leaking anything?
     
    Last edited: Mar 27, 2018
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    To me the first and obvious thing to do is to run TWO separate LANs, since you are running two hardware routers anyway. As an example, you could easily place the VPN-connected computer on its own, different LAN. All devices running on the normal LAN could interact with each other, but the devices on the VPN device LAN would be invisible to your smartphone devices, which would be on the normal LAN. This process is as simple as going to the VPN device router's admin panel, setting a new LAN address and then plugging that router's WAN port into one of the Gigabit LAN ports on the normal LAN router. Your normal LAN will only see the second router's MAC and not any devices connected to it, because the LAN is different and the second router blocks the other network from getting past it. This is easy stuff, so don't be intimidated by the terminology. This is where I would start on your configuration because it's easy and pretty bulletproof.
     
  3. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    245
    Thank you, Palancar. As a matter of fact, I already tried a few months ago to set things up exactly as you suggested, but I was unable to properly connect things to my second wireless router with a different LAN:
    obviously I was making a mistake of sorts along the way. I was hard pressed to have the network working, so I
    decided to 'downgrade' to Wireless Router B with the same LAN number and no security certainty. I just run the computer with the VPN only when the wireless router is switched off and the other computer is either suspended or off altogether.

    I gather you suggest that, Router A (wireless disabled) being for instance 192.168.1.1, I should change the second
    router (wireless) to, say, 192.168.2.1?
    Any hints on configuring the DHCP?
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    You can select for yourself, but if it was MY system with YOUR goals I would have Router A (your example above) with wireless ON. Then I would have Router B with wireless off, and that router would be my VPN computer/device LAN. The LAN address example you cited above is fine. This keeps the VPN computer on its own unique LAN while all other devices would share the same network LAN. By default Router A could only see Router B but not anything connected to it. You of course would still configure normal VPN security and even isolate that computer from Router B. This is accomplished by limiting internet traffic to the VPN tunnel only. This means that neither router could see any traffic, and Router A can't even see the computer on the network. I hope this helps. I wouldn't worry about the DHCP for this thread.
     
  5. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    245
    What you suggest makes perfect sense and I'll try to implement that configuration ASAP.
    The only drawback could be that wireless is theoretically always on, but of course I can temporarily disable it via the router button.
    The first day I don't need internet I'll switch the router functions.
    I hope you'll be around if I find any difficulties, and thanks again!
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    One thing that helps with wireless security is to MAC lock the router in the admin panel to the exact MACs of the smartphones you are allowing. You can also stop broadcasting the SSID (network name), but that is effective only against rank script kiddies. WPA2 and long passwords are good against "normal" network hackers. Make sure WPS is disabled, and even better would be to use dd-wrt software on your router, where WPS is removed completely. I run Nmap on my desktops so that with a simple click I can see all devices on the network. The items in this post are just "cherry on top" things you can do after getting it running in simple mode. Frankly, these are simple too.

    The thing I like about the overall process using two separate hardware LANs is that IF you have a traitor device on the main network it can't get to your critically private VPN machine. Coupled with tunneling that machine, you are beyond betrayal by any part of your home network. It's such a false assumption that the LAN is always friendly!
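An added example to go with the "MAC lock the router" and "I run Nmap to see all devices" advice above (this is not Palancar's script): a small desktop-side check that reads an allowlist of the MACs you expect on Router A's LAN and prints any host in a saved `nmap -sn` report whose MAC is not on it. The file names, the 192.168.1.0/24 subnet and every MAC below are made up for the demo. Keep in mind that both the router's MAC filter and this check only catch devices that do not bother to spoof an approved MAC; it is an inventory aid, not an access control.

```shell
# Added example, not from the thread. Pairs a MAC allowlist with a saved
# "nmap -sn -oN" report and prints the hosts that are not on the list.
# Assumed file layout: allowlist = one MAC per line, optional label,
# '#' comments allowed. Subnet and addresses in demo() are constructed.

# scan_lan SUBNET OUTFILE -- run the discovery scan (needs root to see MACs)
scan_lan() {
  nmap -sn -oN "$2" "$1"
}

# unknown_hosts ALLOWLIST SCANFILE -- print "ip mac (vendor)" for every host
# whose MAC is not in ALLOWLIST. Hosts without a MAC line (the scanning
# machine itself) are skipped, since nmap never reports its own MAC.
unknown_hosts() {
  awk -v allow="$1" '
    BEGIN {
      while ((getline line < allow) > 0) {
        if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
        split(line, f)
        ok[toupper(f[1])] = 1
      }
      close(allow)
    }
    /^Nmap scan report for / {          # "... for ip" or "... for name (ip)"
      ip = $NF; gsub(/[()]/, "", ip)
    }
    /^MAC Address: / {
      mac = toupper($3)
      vendor = $0; sub(/^MAC Address: [^ ]+ /, "", vendor)
      if (!(mac in ok)) printf "%s %s %s\n", ip, mac, vendor
    }
  ' "$2"
}

# demo -- run the check on a constructed allowlist and a constructed
# nmap normal-output report (sample data, not a real scan).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/allow.txt" <<'EOF'
# MAC               label
00:11:22:aa:bb:01   router-a
00:11:22:AA:BB:20   phone-1
EOF
  cat > "$tmp/scan.txt" <<'EOF'
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-27 21:05 CEST
Nmap scan report for 192.168.1.1
Host is up (0.00082s latency).
MAC Address: 00:11:22:AA:BB:01 (D-Link International)
Nmap scan report for 192.168.1.20
Host is up (0.0012s latency).
MAC Address: 00:11:22:AA:BB:20 (Unknown)
Nmap scan report for 192.168.1.50
Host is up (0.0021s latency).
MAC Address: 00:11:22:AA:BB:50 (Unknown)
Nmap scan report for 192.168.1.30
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds
EOF
  unknown_hosts "$tmp/allow.txt" "$tmp/scan.txt"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh check.sh demo` to see the sample result; for a real LAN, `scan_lan 192.168.1.0/24 scan.txt` as root followed by `unknown_hosts allow.txt scan.txt`. The allowlist lookup is case-insensitive, so the router's uppercase/lowercase MAC formatting does not matter.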
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, network isolation matters!
     
  8. karad

    karad Registered Member

    Joined:
    Sep 10, 2008
    Posts:
    245
    @Palancar
    My two D-Link routers don't support dd-wrt software, and this is a problem which, due to the Easter festivities, is going to be solved for me in a few days when I can buy at least one new router which does support dd-wrt.
    I already had in use all you suggested, including MAC binding, no SSID broadcast, a long WPA2 password and disabled
    WPS. I plan to remove WPS completely with the new router.


    "Coupled with tunneling that machine you are beyond betrayal by any part of your home network."


    Are you referring to the ordinary VPN tunnelling or to some other special software which some VPN providers advertise?
    (like for instance the SSH2 tunnel provided by one VPN I found, tuvp.com)

    And now there's also the WebRTC bug outlined by mood in this section to care about!
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My stance now is that smartphones, gaming machines and IoT are automatically unfriendly, potentially actively hostile, and will never be connected to my real network. They get to see the internet, that's it. Who knows what privacy-disastrous snooping they could/will do on the real network, even at the simple level of correlating MAC addresses they can see or sniff. That's without them being taken over by malware; it seems to be default Google and FB behaviour, e.g. with the location-busting WLAN snooping Google does given anyone says OK to share location.

    I'm also using VLANs to segregate WLAN networks, and sometimes VLANs are practical and useful when physical cabling has to be considered.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    deBoetie,

    I am conflicted in that I have two internet modes. Real-name things like my bank and email and smartphones all point to me in every way already. If I am logged in as real name I employ basic security, although tighter than most home networks. I restrict my real-name computer use to "logged in" real-name stuff. When I want to basically surf around and read stuff I use a basic two-hop VPN setup to avoid sniffing and data collection on myself. When I want to participate in my several hobby personas I go a bit crazy on the config. Anyway, I fully support your notion that the LAN is full of dangers.

    karad,

    Tunneling can be a confusing term. I use that term to refer to firewall control. Using Linux, my VPN creates a tun0 adapter as a gateway to get into and out of the machine during its use. By using an easy-to-write and very dependable firewall rule set you can limit access to ONLY tun0. LAN devices cannot get into the tun0 tunnel, so they have no access to the traffic. The machine can be set to actually ignore even a ping from outside of the tunnel. In your scenario the VPN machine would be tunneled and sitting behind Router B, which makes all devices on that router invisible to Router A right out of the box. Many VPN providers provide a great client that can do this for you, but let me warn you that there are crappy providers with crappy clients. Just stick with the top 5 that circulate in this forum. Better yet, learn to write your own code and control the firewall yourself. Nobody cares more about your security than YOU.
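An added example of the "only tun0 gets out" rule set described in the post above, written here for the thread rather than taken from Palancar or from any provider's client: iptables rules for the Linux VPN machine sitting behind Router B. Assumed names are PHYS=eth0 (the NIC on Router B's LAN), TUN=tun0 (the VPN adapter) and VPN_SERVER/VPN_PORT/VPN_PROTO for the endpoint the client dials; 203.0.113.10 is a documentation placeholder, not a real server. One thing worth knowing about the double-NAT layout earlier in the thread: NAT hides Router B's LAN from Router A, but a machine on Router B's LAN can normally still initiate connections into Router A's LAN. The OUTPUT policy below closes that direction too, since nothing but the tunnel endpoint (and DHCP) is allowed out on eth0.

```shell
# Added example, not from the thread. "tun0-only" egress policy as iptables
# rules. Assumed interface names and VPN endpoint; DRY_RUN=1 prints the
# rules instead of applying them, applying needs root.
PHYS="${PHYS:-eth0}"
TUN="${TUN:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder (RFC 5737 range)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
DRY_RUN="${DRY_RUN:-0}"

# ipt ARGS -- run iptables, or print the command when DRY_RUN=1
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# build_rules -- default-deny in all three chains, then allow exactly:
#   loopback; replies to connections this box started; DHCP on eth0 (so the
#   machine can still take a lease from Router B); the VPN handshake to
#   VPN_SERVER on eth0; anything on tun0.
# Nothing allows new inbound connections on eth0, so neither router nor any
# LAN peer can reach the machine, and ping on eth0 is dropped explicitly.
# Any other packet, including traffic to the 192.168.x.0/24 LANs on either
# router, falls through to the DROP policy, so a dropped tunnel means no
# traffic rather than traffic leaking via the ISP.
build_rules() {
  ipt -F
  ipt -X
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP

  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT

  # replies to the VPN handshake (and anything else the box opened)
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # DHCP client exchange with Router B (broadcast, not reliably conntracked)
  ipt -A OUTPUT -o "$PHYS" -p udp --sport 68 --dport 67 -j ACCEPT
  ipt -A INPUT -i "$PHYS" -p udp --sport 67 --dport 68 -j ACCEPT

  # ignore ping from outside the tunnel
  ipt -A INPUT -i "$PHYS" -p icmp --icmp-type echo-request -j DROP

  # the only new connection allowed to leave on eth0: the tunnel endpoint
  ipt -A OUTPUT -o "$PHYS" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT

  # everything else goes through the tunnel or not at all
  ipt -A OUTPUT -o "$TUN" -j ACCEPT
}

case "${1:-}" in
  apply) build_rules ;;
  show)  DRY_RUN=1; build_rules ;;
esac
```

`sh vpn-only.sh show` prints the rules; `sudo VPN_SERVER=<your endpoint IP> sh vpn-only.sh apply` installs them. Use the endpoint's IP address rather than a hostname here, since with this policy DNS only works once the tunnel is up; after that the VPN client's pushed routes send all application traffic via tun0 and there is no path around it.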
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - indeed this intersects with opsec for our differing personas, although the virtual machine/virtual network world takes more of that burden. I agree that we have no choice but to have a banking, real-name mode there, they know where you live.... My personal choice is to keep that separate from the smartphone world, in particular because I do not have one!
     