challenging problem/configuration with multiple Asus routers

swipee

Hi everyone!

I've been using Asus since n66u and now sit on multiple routers from them with a continued appreciation of the power in these products!

My question to all you networkers: Can I secure access from a router in AP mode to another router in repeater mode, as the one in AP mode is exposed outside my home, to avoid anyone just plugging in a cable and automatically being given an IP address, since the repeater mode router is directly connected to the main router with DHCP enabled?

Background: With two n66u serving as APs to my ac86 I have made a connection down to the apartment building basement via an Ethernet cable. Down there I have put my 3D printer (have permission from the board to use the basement for this stuff) and one of the APs is located with the printer to be able to have wifi down there and connect other equipment as well. As this is a huge security flaw in my network I would like to create an authentication between the APs in the picture and put a watchdog for any changes on this link, either breaking or new devices. If something happens it should disconnect the basement AP immediately.

I'm looking for a solution that doesn't involve disabling automatic DHCP. Has anyone come across a similar challenge before, and do the ASUS routers support such config tweaks/setup?

[Image attachment: Annotation 2019-08-28 113456.png (network diagram)]

Very thankful for any guidance on this matter!
 
I'm not sure I follow exactly what you're saying. I think it goes like this...

From your diagram, the upper N66U ("AP apartment router") is configured as a Media Bridge (not an access point) and connected over WiFi to the AC86U. An Ethernet cable runs from the Media Bridge to the "AP Basement router" which is configured as an access point. Correct?

The only person that should have access to any of the network is yourself.

All the WiFi connections are secured with WPA2 security so that is not an issue. Your concern is that anyone with physical access to the equipment can just plug an Ethernet cable into either of the N66Us and get access to the entire LAN? Additionally, anyone with physical access to the basement's N66U could factory reset it and do whatever they wanted to with it.

So, assuming the above is correct, the first question is how much (if any) of the physical infrastructure can be secured?
 
Hi Colin and thanks for the reply! I understand it's not fully clear what I aim for and I will try to clarify but in general your understanding is correct.

To answer your question first: the two routers upstairs are secure, except for the fact that the N66U router in repeater mode (not AP as I initially stated) has a long cable downstairs that anyone with knowledge about it can just plug into and get immediate access to my whole network, so it's here I would need some authentication before access is allowed.

What happens to the basement router doesn't matter as long as the router upstairs or the main router will react to any changes happening in the basement, either when someone is unplugging the basement router or trying to connect more devices to the RJ45 ports on the router (meaning more DHCP requests from this route), and disconnect the route between basement and "upstairs" completely and notify me.

I hope that makes sense?

Best regards, Christian
 
Quick question: Why is the upper N66U in repeater mode and not media bridge mode?

What is the main objective here? Is it to prevent unauthorised access to the LAN (and/or internet), or is it merely to notify you when an unknown device is connected? The latter is a security issue because by the time you saw and reacted to the notification the intruder would have already had time to do what he wanted.

If you want to prevent unauthorised access the only reliable way I can think of is to connect a smart switch to the upper N66U and configure an ACL on it.
 
If someone has physical access to your LAN by plugging into a physical port there is little you can do software-wise to block access, as both IPs and MAC addresses can easily be spoofed.

The best solution might be to secure the end point devices in a locked plastic container.

If your goal is only to secure your primary LAN network, then use port-based VLANs or 802.1Q VLANs so that end point devices and their open ports are segregated from your more secure network.
 
I'd say the most likely thing to happen is vandalism/theft of the equipment in the public basement. If you can't tolerate that, then you need better physical security and that will likely solve your network security concern.

If the Ethernet cable to the basement is hanging down the outside of the building, then that's a security issue.

If you accept your current level of physical security, can you stay in the basement during equipment use and unplug the basement cable when you leave and return to your apartment? I suspect the print jobs take a while, so it's not convenient to hang out in the basement.

OE
 
Desolder all LAN/WAN ports on the downstairs router, go with the cable through the housing and make a soldered connection inside.
And don't forget to do the same on the printer or LAN clients.
Better don't use LAN to clients over there at all; WiFi will be good enough, as your speed-limiting factor will be the wifi bridge upstairs.
 
Someone could cut the hot Ethernet cable, one conductor at a time, and terminate it in less than 5 minutes.

OE
 
You can use a 10-pin LAN cable and use 2 pins as a tamper loop (alarm loop, 1-10 kOhm). If there is any manipulation (open loop or short circuit), auto power off the upstairs repeater with an external power switching device.
Or you could use these additional pins for powering the router and have the power adapter upstairs too.

Nobody who doesn't know could assume how to do it ...

Additionally I would set up a guest wifi on the main router and connect the upstairs bridge to this guest wifi, so all extended clients won't get access to your master router or intranet.
 
Protected by Smith & Wesson
 
Very restricted gun law in my country but thanks for the idea :)

To Grisu, OzarkEdge, CaptainSTX and Colin - thanks! I've been evaluating the managed switch (most likely a Netgear GS108TV2) idea and also thought about the idea of setting up a physical tamper alarm and putting an event monitor somewhere to send a notification to my HomeAssistant and then cut the power until I have a chance to investigate. 802.1x is not an option as the equipment, e.g. the 3D printer, will not support it.

The router downstairs is in a wooden cabinet so it's also an easy entry point to just break that open. What happens to the gear if someone gets access doesn't matter as long as they do get access to my upstairs network.
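One way to get the "watchdog for new devices" the opening post asks for, and the notify-then-cut-power reaction described in the post above, is a lease-table check. The script below is an added example, not code from this thread or from Asus: it assumes the dnsmasq lease file path used on Asuswrt, a hand-maintained allowlist file under /jffs, and a Home Assistant webhook URL that is only a commented placeholder; the sample lease lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asus: a DHCP-lease watchdog
# of the kind that could run from cron on the upstairs Asuswrt router. It reads
# dnsmasq's lease table, compares each client MAC with an allowlist of known
# devices, and reports anything new. Paths, the allowlist and the sample lease
# lines are assumptions/constructed for the demo.

LEASE_FILE="${LEASE_FILE:-/var/lib/misc/dnsmasq.leases}"  # assumed Asuswrt dnsmasq path
ALLOW_FILE="${ALLOW_FILE:-/jffs/known_macs.txt}"          # assumed: one MAC per line

# dnsmasq lease lines look like: "<expiry> <mac> <ip> <hostname> <client-id>".
# Prints "mac ip hostname" for every lease whose MAC is not in the allowlist.
unknown_macs() {
    leases="$1"; allow="$2"
    awk -v allow="$allow" '
        FILENAME == allow { known[tolower($1)] = 1; next }
        NF >= 3 && !(tolower($2) in known) { print tolower($2), $3, $4 }
    ' "$allow" "$leases"
}

# Returns 0 when every lease is a known device, 1 when something unknown showed up.
watchdog() {
    leases="$1"; allow="$2"
    found=$(unknown_macs "$leases" "$allow")
    [ -z "$found" ] && return 0
    logger -t lease-watchdog "unknown DHCP client(s): $found" 2>/dev/null || true
    # Hypothetical reaction hooks, left commented so the demo runs offline:
    # curl -s -X POST "http://homeassistant.local:8123/api/webhook/<id>" -d "$found"
    # and then power off or shut the port facing the basement link.
    return 1
}

# Constructed sample: two known devices plus one unknown laptop that got a lease.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'aa:bb:cc:dd:ee:01' 'aa:bb:cc:dd:ee:02' > "$d/allow"
    printf '%s\n' \
        '1567000000 aa:bb:cc:dd:ee:01 192.168.1.20 printer-3d *' \
        '1567000100 AA:BB:CC:DD:EE:02 192.168.1.21 basement-ap *' \
        '1567000200 de:ad:be:ef:00:01 192.168.1.77 unknown-laptop 01:de:ad:be:ef:00:01' \
        > "$d/leases"
    watchdog "$d/leases" "$d/allow" || echo "ALERT: $(unknown_macs "$d/leases" "$d/allow")"
    rm -rf "$d"
}

demo
```

The check only sees devices that ask the router for a lease; a statically addressed or MAC-spoofing device will not show up here, which is why the thread's replies push for VLANs, a switch ACL or a physical tamper loop as the real control.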
 
Depending on how serious you are about security and the potential of unauthorized access, any exposed wiring is also a potential weak point. Cutting a cable mid-run and crimping a new connector gives instant connectivity.

Bottom line, when you cannot control all physical security issues, you are taking a risk. But, is anyone who may have physical access actually likely to go through the effort to connect? Only you can guess at the answer.

Disabling DHCP and using a non-typical subnet may provide a tiny bit of additional protection. I would certainly consider double NAT to isolate the segments where physical security is an issue. On the "outside" subnet you could really limit the functions, yet on the "inside" run a normal network (DHCP etc).
 
Ok, the only challenge I see with double NAT is that it will allow anyone to plug in any device to the exposed Ethernet cable and still get an IP from the DHCP server on the main router. Do you recommend any guide to set up the double NAT feature on the N66U and above?
 
I assume you can shutdown all the Ethernet ports. Otherwise your network is wide open if someone plugs in. This is why they make wiring closets that lock.
 