you and your network - fixed ip addresses and what they do

Oct 18, 2019 04:12

This topic--which seems obvious in retrospect--just came up on tumblr when someone's oscilloscope with a fixed internal IP address was unable to connect to the internet because a wifi bulb took its IP.

If you run a home media server that you want to access from home or regularly connect to your computer remotely, or if you are thinking of that, or you have a home network period, this entry is for you.



You probably know all this but we'll start with very basics for my sake so I don't get confused and go out of order, which happens to me like a lot.

Home Network Basics

Your home connects to the internet with a modem and your network connects to the modem with a router.

INTERNET ---> MODEM ---> ROUTER ---> ALL NETWORK ITEMS (PC, laptop, phone, gaming console, TV)

Your home may have streamlined this with a router/modem combo. In that case:

INTERNET ---> MODEM/ROUTER ---> ALL NETWORK ITEMS (PC, laptop, phone, gaming console, TV)

Routers come in two flavors: ones with wifi and ones without. Most homes have wifi routers, so that's our standard.

Routers have two kinds of IP addresses: external and internal. The external IP address is the one assigned to your router by your ISP, and we don't care about it at all for this entire entry. Today, we are all about internal IPs.

To organize a crazy number of items (PC, laptop, phone, gaming console, tablet, smart home shit) to use one internet connection (modem), the router is the organizer: to each individual item, it gives an internal IP address, as in, an IP that is only used within your home network, which is also known as the LAN. Each router has an internal IP address of xxx.xxx.x.1 and a range of internal IP addresses to assign to the items on your network starting usually at xxx.xxx.x.2 and ending at xxx.xxx.x.255.

LAN == your home network
Internal IP == number assigned to an item in your home network (LAN)
Router's Internal IP Address == xxx.xxx.x.1
Internal IP Number Range Router Can Assign To Network Items == xxx.xxx.x.2 to xxx.xxx.x.255

This is a one-to-one process: each item in the network will get one IP.

Your Home Network - Let's Get Some Constants Among the Variables

For the remainder of this entry, we're going to pretend the following:

Router's Internal IP address: 192.168.1.1
Internal IP Number Range Router Can Assign To Network Items: 192.168.1.2 to 192.168.1.255

How Internal IP Addresses Are Assigned

Short version: first-come, first-serve.

You have five items: laptop, phone, PS4, tablet, TV. They will be assigned IP addresses in the order they connect to the router, and in general, each will be assigned the lowest IP address available. This is not a hard and fast rule--routers be crazy--but assume this happens every single time and take some uncertainty out of your life.

Assuming they connect in the order I listed above:
Laptop: 192.168.1.2
Phone: 192.168.1.3
PS4: 192.168.1.4
Tablet: 192.168.1.5
TV: 192.168.1.6

Fixed IP Addresses

You may be wondering why, if that's true about first-come, first-serve, your router is always 192.168.1.1. Using the above logic, that would be because it connected first, which is not wrong (it does) but not really; it's because it's a fixed IP.

Specifically, it's a fixed IP that is hardwired into your router. Every primary router for a home network is assigned to xxx.xxx.x.1 in the very bowels of the firmware. Yes it can be changed, but the reasons you would do so are many and varied and you simply wouldn't if this was your primary router aka the one connected to the modem.

In your network, giving something a fixed IP means that when that specific item connects to your router, the router will give it a specific IP address every time. A fixed IP can be an assigned IP located in an assignment table on your router, a static IP located in a static IP table on your router, or it can be an item--like your router--that has a hardwired IP address in its own firmware, or one that you are required to give a fixed IP to use it in the first place.

For the purposes of this article, a fixed IP in an assignment table and a static IP in a static IP table are identical. Both are set up in your router. Or ignore the existence of static IPs, since we don't really care right now.

The third type of fixed IP, however, is something else entirely, and we'll get to that.

Why Should I Care About Fixed IPs Other Than Winning Jeopardy?

You probably won't, except in the following situations:
1.) Remote Access:
- you have a home server you want to share outside your home network, like with a friend
- you want to access your home computer/server/item from a remote location like work or Escapade
- you're a gamer and some kinds of games need it to play with others
2.) Internal (LAN) access:
- you have a home server you want to access while in your home and don't want to look up the IP address every single time you need to access it because it might have changed.
- above but replace 'home server' with any network item
3.) Other:
- your item may come with or require you to give it a fixed address to use it. If you buy a network switch, some that have interfaces--like mine--require you to give them a fixed IP address to connect to on the router and they will only connect to the router using that IP address.

If you have even one item that requires a fixed IP address, then you need to care like a lot.

How to Assign a Fixed IP Address

This part is easy but each router calls it something different. In general, it'll be referred to as Address Reservation and can usually be found on your LAN setup page. Every router has this functionality, though; it's there somewhere, so don't despair. If you can't find it, your router handbook or google will tell you.

Google Search Terms: How do I assign a fixed IP address 'enter router name'

All you do is enter the MAC address of your item into one box and your chosen IP into the other. Sometimes--hopefully--it also lets you give it a friendly name as well, but those are the basics. Sometimes, the friendly name has to be set on a separate page, if it's available at all.

Example:
Box One: MAC Address
45:56:B5:56:15:AB (made-up example; real MAC addresses only use the hex digits 0-9 and A-F)

Box Two: IP Address
192.168.1.5

Box Three (optional): Name
My Laptop

Hit enter and you should see a table with one entry: that. Now, every time your laptop connects, the router will give it that IP address.

Most of the time. Yeah.

Fixed IP Addresses Part 2: Wait, what?

This is where we go into the difference between theory and practice; no matter what anyone says about a router, or their router, or the Law of the Internet and Networks, or the very documentation of your router, don't trust it. There is no law, there are suggestions, and they fail like a lot. I could break down what it's supposed to do and sometimes does, but that way ends in madness.

Assume all of the following are true and will always happen.

When you assign a fixed IP to your laptop, the router, when it sees your laptop, will always assign it that IP. Every time. This is true.

This is also practically true: that will only happen if that IP number has nothing else using it at that moment. And in a home with a lot of items and first-come, first-serve, it's a lottery.

When you assigned your laptop that IP address in the router, the only thing that's being guaranteed here is that your laptop is given preference for that IP. That does not mean no one else can connect to that IP ever. If that IP comes free--you close your laptop--and an item without a fixed IP--like your phone--comes online, that IP is part of first-come, first-serve. If it's the lowest IP number available at that moment, the chances are high your phone will get it, and if your phone is still using it when you open your laptop, your laptop will not be assigned that IP.

In general, the router will eventually assign your laptop another open IP, but sometimes, that takes some time and sometimes--yeah. If your item, however, has a hardwired IP address--like my switches above--your item will not be able to connect until whatever is using its hardwired IP goes offline and stays offline long enough for it to notice, which depends on how often your item checks, which could be five minutes or a day, who the fuck knows.

What the Hell Do I Do Then?

You have two options: changing the range of IPs your router is free to assign--therefore removing them from first-come, first-serve--or give everything you own its own fixed IP address. You can also do both; exclude a range of IP numbers and assign everything in your network an IP. But let's go over how to do them before we go into why.

Option 1: Edit the IP Range Available for First-Come First-Serve Assignment

This is very easy, very straightforward, and very fast.

1.) Go into your LAN settings and where it assigns the IP range, change it to exclude a range of IPs. With most consumer routers, you only have two box groups: the start range and end range. So your choices are limited to removing some from the start or from the end and they have to be contiguous. However, you can remove as many as you want.

Examples:
Original Range: 192.168.1.2 - 192.168.1.255

Option 1: Remove 8 IP numbers from beginning
New Range of Available IP for Assignment: 192.168.1.10 - 192.168.1.255
Excluded: 192.168.1.2 - 192.168.1.9

Option 2: Remove 10 IP numbers from the end
New Range of Available IP for Assignment: 192.168.1.2 - 192.168.1.245
Excluded: 192.168.1.246 - 192.168.1.255

(Some consumer routers--and any router using DD-WRT or OpenWrt firmware--will allow you to be more insane and exclude multiple separate ranges or even ranges and single IPs, either in the interface or by command line. Generally, however, the reasons you'd need to do that are pretty specialized, and if you are one of the people who need to do that, you are doing it and aren't reading this for any other reason than curious amusement on how us non-network-experts live. Hi! Doing great, thanks.)

2.) Anything you want to give a fixed IP address or anything that requires a fixed IP address gets one in the excluded range. So you go to your assignment table and enter the MAC Address of each item and assign it one of those excluded IP numbers.
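To make the preference-versus-guarantee point concrete, here is an added toy simulation of the model described above (my own illustration, not anything from this entry or from any real router's firmware): lowest free address, first-come first-serve, a reservation table that only says who gets preference, a hardwired item that can't fall back, and the Option 1 fix of putting the reservation outside the pool. The MAC addresses and the "three other items" are made up.

```python
from dataclasses import dataclass, field

PREFIX = "192.168.1."          # the pretend network from the entry


@dataclass
class Router:
    """Toy model of the behaviour described above, not real router code.
    Addresses are tracked by their last octet only."""
    pool_start: int            # first address handed out first-come, first-serve
    pool_end: int              # last address in that pool
    reservations: dict = field(default_factory=dict)  # mac -> reserved octet
    leases: dict = field(default_factory=dict)        # octet -> mac using it now

    def reserve(self, mac, octet):
        """Address Reservation: MAC in one box, chosen IP in the other."""
        self.reservations[mac] = octet

    def connect(self, mac, hardwired=None):
        """Return the address handed to `mac`, or None if it cannot join.
        `hardwired` models an item that will only ever use one address."""
        wanted = hardwired if hardwired is not None else self.reservations.get(mac)
        if wanted is not None and self.leases.get(wanted, mac) == mac:
            self.leases[wanted] = mac       # preferred address is free: use it
            return PREFIX + str(wanted)
        if hardwired is not None:
            return None                     # no fallback possible: stays offline
        # first-come, first-serve: lowest free address in the pool; the router
        # does NOT skip addresses that someone else has reserved
        for octet in range(self.pool_start, self.pool_end + 1):
            if octet not in self.leases:
                self.leases[octet] = mac
                return PREFIX + str(octet)
        return None

    def disconnect(self, mac):
        self.leases = {o: m for o, m in self.leases.items() if m != mac}


# constructed MAC addresses for the walk-through
LAPTOP, PHONE = "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"
OTHERS = ["AA:BB:CC:00:00:1%d" % i for i in range(3)]   # three items with no reservation


def reconnect_scenario(pool_start):
    """Laptop reserved at .5, closed while a phone joins, then reopened.
    Returns (phone's address, laptop's address on reconnect)."""
    r = Router(pool_start, 255)
    r.reserve(LAPTOP, 5)
    for mac in OTHERS:           # take .2 .3 .4 (pool from 2) or .10 .11 .12 (pool from 10)
        r.connect(mac)
    r.connect(LAPTOP)            # gets its reserved .5 either way
    r.disconnect(LAPTOP)         # close the lid
    phone = r.connect(PHONE)     # pool from 2: lowest free address is the laptop's .5
    return phone, r.connect(LAPTOP)   # bumped to .6, or keeps .5 if .5 is outside the pool


def hardwired_scenario(pool_start):
    """A switch that insists on .4, arriving after three unreserved items."""
    r = Router(pool_start, 255)
    for mac in OTHERS:
        r.connect(mac)
    return r.connect("AA:BB:CC:00:00:99", hardwired=4)   # None if .4 is already taken
```

With the pool starting at 2, the phone walks off with .5 and the switch never gets on; with the pool starting at 10 (Option 1), both reservations hold.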

Option 2: Give Everything in the Network a Fixed IP

This is easy, straightforward, and not fast. It's work, sometimes a lot of work.

1.) make a full list of everything--wifi and ethernet--that connects to your router.
2.) get the MAC of each item
3.) in your IP assignment table on your router, enter each MAC number and the IP for it one by one.

Note: you're going to want a spreadsheet now rather than later, just saying. I'll send you a copy of mine for a template, just email me.

Which One Do I Use?

If you don't have many items that need a fixed IP, you don't anticipate needing many, or you just want this over fast and have no special circumstances, Option 1, go for it.

I use Option 2 and sometimes combine it with Option 1 (though not with my latest network iteration). Now we'll go into circumstances. You can stop right here if you want, you know all you need for about ninety-nine percent of home networks.

I'm Going To Regret This, But Go On

First, quick review and one new thing:
1.) IP numbers are assigned first-come, first-serve.
2.) Generally, the lowest available IP will be selected. This is not a rule, but pretend it is because your life will be easier that way.
3.) Some routers--possibly--don't like the first ten IP numbers in a range (2-9) being fixed IPs. This requires explanation because it's--questionable.

This wasn't learned in documentation, a network messageboard, or any networking reference I could find, and I looked like everywhere; I found this in a single message on a messageboard when I'd exhausted every other solution, and it was confirmed by others. I do know that leaving 192.168.1.2-192.168.1.9 alone solved the problem of my router randomly dropping anything given fixed IPs of 2 through 9, and I tested this. Later, I assigned 2, 3, and 4 to routers and access points and it continued to be fine, but at last check, assigning all of 2-9 is still a no-go. However, I haven't pushed further (and plan in my next iteration to move everything not the router to start at 20) and the reason is coming up next.

There are many reasons you might want to have everything in your network on a fixed IP in your router. One that pretty much applies to everyone reading is network intrusion, or someone not authorized using your wifi.

If your password is secure--and when I say secure, I mean sixteen characters or greater, no matter what those characters are (router may require special ones and numbers in there)--that probably won't happen, but we still live in this world and if there's a will, there's probably a way.

Because of first-come, first-serve, and lowest IP selected, any intruders will generally show up in the lowest IP numbers available, as will any new items in a network, like a new phone or wifi lightbulb. Having everything on fixed IPs starting at, say, 192.168.1.20 means that intruders or new items will generally end up in IPs ending with 2-19, which is super easy for you to see on your router's attached devices page. If the intruder or new item--as happens--is randomly assigned a higher number, and everything in your network has an assigned IP, you can check your IP assignment table on your router and see if that IP number is assigned to something in your home. (Or your spreadsheet, which really, if you did All Fixed IPs, you should have already made.)

If the Unknown Item is not in the table, and you don't have a friend over or just added something (a wifi lightbulb for example) or you got a new phone/computer you haven't added yet, then yes, that Unknown is an intruder.
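The check just described, done by script instead of by eye: an added example (mine, not from this entry) that compares a router's attached-devices list against the fixed-IP spreadsheet and reports MACs that aren't in it, plus known items that aren't on the IP they were given. The spreadsheet rows and the attached-devices lines are constructed; the column layout follows the spreadsheet format used later in the entry.

```python
import csv
import io

# Constructed spreadsheet: name, name on router, MAC, assigned IP, connection type
INVENTORY_CSV = """name,router_name,mac,ip,connection
Laptop,study-laptop,AA:BB:CC:00:00:01,192.168.1.20,wifi
Phone,,AA:BB:CC:00:00:02,192.168.1.21,wifi
PS4,PS4-1234,AA:BB:CC:00:00:03,192.168.1.22,ethernet
"""

# Constructed "attached devices" page as a router might show it: (name, IP, MAC).
# Routers disagree on MAC formatting, so the sample mixes ':' / '-' and case.
ATTACHED = [
    ("study-laptop", "192.168.1.20", "aa:bb:cc:00:00:01"),
    ("PS4-1234",     "192.168.1.22", "AA-BB-CC-00-00-03"),
    ("android-7f3e", "192.168.1.2",  "DE:AD:BE:EF:00:01"),   # not in the spreadsheet
    ("Phone",        "192.168.1.7",  "AA:BB:CC:00:00:02"),   # known, but lost its fixed IP
]


def norm_mac(mac):
    """One canonical MAC form so 'aa-bb-...' and 'AA:BB:...' compare equal."""
    return mac.replace("-", ":").upper()


def load_inventory(text):
    """Spreadsheet CSV -> {MAC: row}; the MAC is the key because names change."""
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def audit(attached, inventory):
    """Return (unknown, misplaced): devices absent from the spreadsheet, and
    known devices not sitting on the IP the spreadsheet says they should have
    (which is how you notice a fixed IP that got taken by something else)."""
    unknown, misplaced = [], []
    for name, ip, mac in attached:
        row = inventory.get(norm_mac(mac))
        if row is None:
            unknown.append((name, ip, norm_mac(mac)))
        elif row["ip"] != ip:
            misplaced.append((row["name"], row["ip"], ip))
    return unknown, misplaced
```

An entry in `unknown` still has to pass the "friend over / new lightbulb / new phone" test by hand before you call it an intruder.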

What To Do First

1.) If your router doesn't allow you to kick them off individually, you can block them by MAC, so do that. Block the MAC either way, though.
2.) Write down that MAC somewhere on your computer (or put it in your fixed IP spreadsheet on a sheet called "Blocked MACs"). You're going to need this later.
3.) Take steps to re-secure your router as listed below. I recommend you use paranoid rules at minimum (and prefer Super Paranoid Rules) but ymmv.

Steps to Securing a Compromised Router

1.) Disconnect the modem and router.

1a.) Paranoid rules: disconnect the modem and router, then manually shut down your router. Leave off for five to fifteen minutes before turning it back on.

2.) Connect your computer to the router with an ethernet cable.

3.) Change the wifi password to a minimum of sixteen characters and use passphrase rules, which you can easily combine with special characters, e.g. Ihateeverything#4 or Dogcat#1mMouserat.

4.) Restart your router using the router interface.

4a.) Paranoid rules: shut down your router using the router interface. Wait five to fifteen minutes.

5.) Reconnect modem and router and turn on router.

6.) Login to your router and go to logs--if available--and watch everything reconnect. Update all items on your network with new wifi password as needed.

Now, a section for Very Paranoid Rules. Starting with Step 5 above:

5b.) Disconnect everything that is connected to router by ethernet cable. Do NOT reconnect modem and router. Turn on router.

6b.) Login to your router, write down or screenshot all your settings, and then go to the update/reset page--probably under Admin--and reset router to factory settings and restart. Do not back up anything first. While this is happening, delete all existing router backups on your computer with one exception: if you have one that you did the day you first got this router, you can keep that one.

7b.) After reset and restart, you may either use the backup allowed in Step 6b or (preferred) start over and enter everything like this is a brand new router. Then create a new backup and give it a name like BackupFromEvil-Basic Settings-[Date].

7b2.) You can at this time install any router updates, like firmware updates that have occurred since you bought the router. If you do, create a second backup after you're done, BackupFromEvil-Basic Settings After Firmware[number] Update-[Date].

8b.) Turn wifi off, either in the interface or if there's a manual switch on the router. You can also do this before 7b2.

9b.) Go to your router settings and find a page that may be called Access Control but has many names. Our goal is to block everything that we do not personally authorize by MAC address; your router documentation or google will tell you where the setting is, but set it to block everything, and I mean everything.

9b2.) Enter the MAC address of the intruder from earlier in blocked list if that's available in this mode.

10b.) If you didn't create that Fixed IP address spreadsheet, you're doing it now. Make a full list of everything that connects to your router by ethernet or wifi.

Format:
First column should be name of the item.
Second column is the name of the item as it appears on the router (if you know it right now, leave blank otherwise.) If your router allows you to rename, you can change it to that later.
Third Column should be the MAC address.
Fourth Column is the IP address it will be assigned.
Fifth Column is whether it connects by ethernet cable (LAN) or wifi

11b.) Enter into Access Control (or your router equivalent) everything that is allowed access one by one.

12b.) Create a second (or third if you installed firmware updates in 7b2) backup with a new name BackupFromEvil-[AccessControlSomethingHere]-[Date].

13b.) Reconnect your ethernet cables for all network items that use ethernet cables.

14b.) Turn wifi back on.

15b.) Change wifi password for each wifi item one by one and add them back into the network.

16b.) After about a week (or a month) with no intruders and no problems, you can switch off MAC filtering, so anything with the right wifi password is able to connect to your network.

17b.) If you switch, enter the MAC address of that intruder into the blocked list if you couldn't back in 9b2.

If you think there was an intruder, and your first password was under sixteen characters or not very strong, always use Super Paranoid Rules. And generally, when there's a confirmed intruder, don't use any of your backups no matter when you did them.

About Why Super Paranoid Rules Should Be Used

Strong passwords and being normal people will cover 99.99% of intruder problems. Which leads to another reason why you really really really need your wifi password and the router password (the one that lets you log into the GUI) to both be very strong and be very, very, very different.

I am not a genius, nor a hacker, nor do I even visit hacking sites; I am not even adequate at this, I barely understand it, but after five minutes of googling and a couple of guesses, I could telnet into my router with full access, aka the ability to change any and all settings on my router.

(Note: And have done so, but that's another story and a plethora of resets but no regrets.)

This means anyone connected to my network could do it and do way more than what the GUI will let you do. As I assume pretty much anyone who would do this is better than me, they could either erase/alter all my settings and/or successfully inject/write useful code into it in under five minutes. If my router's hard drive is large enough, they could also partition off a piece of it and put shit in there, where unless I logged in to telnet and went looking, I wouldn't even know it existed or was a problem, as well as delete the log entries showing they'd ever been there (though anyone who could use telnet and was looking for intruder changes wouldn't need or trust the logs anyway). A factory reset would be the only thing that would erase everything and also that partition and though yeah, that's the consensus, I haven't personally tested the bit about the partition.

(Now granted, I don't see how a partition would survive a full flash, and people who actually know this shit agree, but all that means is that either no one has discovered how to do it yet, or if they have, they aren't telling.)

My rule of thumb is: if I can do it using google and no idea what I'm doing, anyone can do it better, faster, and with custom-designed programs to help, and can do a fuckload more. And when it comes to network security, the Super Paranoid method's only drawbacks are that it takes longer to do and can be inconvenient when you have friends over if you want them to use your wifi and you locked everything by MAC. In which case, enabling your guest network while they're around is your best and fastest option instead of adding them in by MAC address.

Any additions, corrections--again, not an expert or even like, an adequate amateur--clarifications, or questions are welcome, as always.

Posted at Dreamwidth: https://seperis.dreamwidth.org/1065705.html. You can reply here or there.

networking without trauma, my relationship with electronics, #1mmouserat
