It’s finally the weekend, guys! Let’s make some improvements to your home network.
After this post, you will be able to:
- Understand why you need a more secure local network
- Configure your router to create one
- Get your friends mind-blown with IP addresses other than
What is your local IP address?
If you run ipconfig in Command Prompt (if you’re using Windows) or ifconfig in Terminal, it will print out your PC/laptop’s local IP address. Most likely, it’d start with 192.168. That’s the default local IP address configuration that comes built into almost all home routers that your ISP (Internet Service Provider) gives you.
The 192.168.X.X IP range is so common (which is why it was chosen as the default) that we tend to forget that there are two more IP ranges that can be used for private networks as well:
Okay, that still doesn’t explain why the default network is not so good. Well, it’s not secure to be exact.
Why your local network is not as good as you think
The world we’re living in is equipped with everything that’s hooked into your home network. You think I’m talking about smartphones, laptops or PCs? No, I’m talking about your CCTV cameras, game consoles, refrigerators, washing machines or even air conditioning systems.
I assume that devices such as smartphones and laptops are somewhat safe and reliable, provided that you apply the patches regularly. As for the others that belong to the IoT boom, I’m not gonna give them much credit when it comes to security. And neither should you!
So, am I telling you to get rid of those devices?
Absolutely not. The fact that they’re not secure doesn’t make them less helpful in our lives.
But here’s the thing. You may have heard something like: your team will only be as fast as the slowest member. The same is true for your home network:
Your home network will only be as secure as the least secure device in your house
The point I’m trying to make is: no matter how careful you are while surfing the Internet with your phone or laptop, hackers can still exploit the weaknesses of the smart devices that you’re so proud of and break into your network through them (like how Kevin Hart had 9 gun compartments in his house and still got robbed lol).
Can you make all your IoT devices more secure? I think that’s the manufacturer’s call to make. In the meantime, what we can do is wrap devices like laptops, PCs and smartphones in a separate private network.
Create the network topology
It’s time to get our hands dirty.
Let’s do a little bit of recon first. Right now, your home network probably looks something like this:
In order to accomplish what we’re about to do, you will need to have a router that has LAN routing capability. As I mentioned in my previous post, the default home router that the ISP provided just won’t cut it.
While I can’t specifically tell you what model you should use, I’m gonna show you what I use. I got a few old Cisco devices lying around, and for this post, I’m gonna use a Cisco 1841 router. It’s a little old but still does the job super well.
The 1841 has two FastEthernet interfaces (FE0/0 and FE0/1) and as you might guess, one of them will be on the default network (created by the home router) and the other one will be attached to the private network that we’re about to create.
With the new router in play, the topology will be something like below with two separate areas.
From the command above, I know that my default network address is 192.168.1.0/24. The FE0/0 interface is linked to the home router’s network so its IP must be on the same subnet. I’ll choose 192.168.1.254/24.
As for the private network on the FE0/1 side, you can choose any network as long as it’s not on the same subnet as 192.168.1.0/24. For instance, 192.168.2.0/24 is clearly a good candidate. But let’s move out of the 192.168.X.X range for once, shall we? Remember 10.X.X.X is a valid IP range for a local network? I’m gonna go with 10.10.1.0/24 for the private network and choose the last IP address, which is 10.10.1.254/24, for the FE0/1 interface.
So finally, the new home network topology will look like this:
Configuring the router’s interfaces
Alright, it’s time to play.
One great thing about network devices other than the home router is that they come unconfigured and you have all the rights (and obligations) to make them behave the way you want.
For the sake of simplicity, and because I know not everyone is using Cisco devices, I’ll just go quickly through the configuration so that you understand the methodology to apply to your devices.
First things first, I will connect the 1841’s console port to my PC and start a PuTTY session:
Then, I’ll enter configuration mode from the terminal:
c1841>enable
c1841#configure terminal
c1841(config)#
Next, I will configure the FE0/0 interface by assigning it the IP address 192.168.1.254/24 and bringing it up.
c1841(config)#interface fastEthernet 0/0
c1841(config-if)#ip address 192.168.1.254 255.255.255.0
c1841(config-if)#no shutdown
Ok, cool. I will then move on to the FE0/1 interface. We will do the same thing, but notice the difference in the IP address:
c1841(config)#interface fastEthernet 0/1
c1841(config-if)#ip address 10.10.1.254 255.255.255.0
c1841(config-if)#no shutdown
Then let’s check if we did something wrong:
We got each interface’s IP address right. Let’s move on.
Configuring DHCP servers
The next thing I have to do is configure the DHCP servers. Notice that I’m using the plural form here.
For those who don’t know, for your device to have an IP address, you have to manually assign it (like I did above) or configure a DHCP server so that devices can obtain IP addresses automatically.
On the 192.168.1.0 network, the home router also acts as a DHCP server. The problem is, the default DHCP IP range is from 192.168.1.2 all the way to 192.168.1.254, which means that the FE0/0 interface on the 1841 can’t use the 192.168.1.254 IP address (you can only assign static IP addresses that are not in the IP range of the DHCP server).
That being said, I need to reserve some addresses so that I can statically assign them to devices. In this case, I will limit the DHCP IP range so that it ends at 192.168.1.191. That means the IPs from 192.168.1.192 to 192.168.1.254 can be used as static addresses.
That’s it for the default network. For the 10.10.1.0 network, I have to create a new DHCP server on the 1841 router. We will apply the exact same thing: only use IP addresses up to 10.10.1.191 for the DHCP pool. The setup is pretty straightforward:
c1841(config)#ip dhcp excluded-address 10.10.1.192 10.10.1.254
c1841(config)#ip dhcp pool private
c1841(dhcp-config)#network 10.10.1.0 255.255.255.0
c1841(dhcp-config)#default-router 10.10.1.254
And we’re done configuring the DHCP servers.
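The static/DHCP split above can be checked mechanically before touching the routers. The following is an added example, not part of the original post: it validates the post's two subnets (private ranges only, no overlap) and confirms that every static address sits outside its DHCP pool. The pool start addresses and the device labels are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Addressing plan from the post. Pool start addresses are assumptions: the post only
# states where each limited pool ends (.191). Labels are made up for this example.
PLAN = {
    "default": {"subnet": "192.168.1.0/24", "dhcp": ("192.168.1.2", "192.168.1.191"),
                "static": {"home-router": "192.168.1.1", "c1841-fe0/0": "192.168.1.254"}},
    "private": {"subnet": "10.10.1.0/24", "dhcp": ("10.10.1.1", "10.10.1.191"),
                "static": {"c1841-fe0/1": "10.10.1.254"}},
}

def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(seg["subnet"]) for name, seg in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not any(nets[a].subnet_of(block) for block in RFC1918):
            problems.append(f"{a}: {nets[a]} is outside the private ranges")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: {nets[a]} overlaps {nets[b]}")
    for name, seg in plan.items():
        net = nets[name]
        lo, hi = (ipaddress.ip_address(x) for x in seg["dhcp"])
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{name}: DHCP pool {lo}-{hi} does not fit {net}")
        for host, addr in seg["static"].items():
            ip = ipaddress.ip_address(addr)
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {host} {ip} is not a usable host in {net}")
            elif lo <= ip <= hi:
                problems.append(f"{name}: {host} {ip} is inside DHCP pool {lo}-{hi}")
    return problems

def with_pool(plan, name, lo, hi):
    """Copy of the plan with one segment's DHCP pool replaced."""
    new = {k: dict(v) for k, v in plan.items()}
    new[name]["dhcp"] = (lo, hi)
    return new

if __name__ == "__main__":
    print(check_plan(PLAN))  # plan as configured in the post
    # The home router's default pool (192.168.1.2-192.168.1.254) swallows the FE0/0 address.
    print(check_plan(with_pool(PLAN, "default", "192.168.1.2", "192.168.1.254")))
```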
Testing the new private network
We’ve gone through a lot and it’s time to check if the 10.10.1.0 network is working properly. The easiest way to confirm is to test if I can ping a device in the 10.10.1.0 network from a device in the 192.168.1.0 network.
I already have my PC connected to the 192.168.1.0 network. As for the private network, I will plug my old Raspberry Pi 2 into the FE0/1 interface. With the new DHCP setup, I’m pretty sure that the Pi will end up having the 10.10.1.1 IP address.
Alright, let’s find out if my PC can ping the Pi?
The reason is, my PC’s default gateway is 192.168.1.1, which is the home router. And as I mentioned above, the home router doesn’t have LAN routing capability so it doesn’t know where the 10.10.1.0 network is to forward traffic into.
Fortunately, almost all operating systems allow us to add the routing rules. On Windows, we can add the rule as follows:
route ADD 10.10.1.0 MASK 255.255.255.0 192.168.1.254
We can interpret the command above like this: whenever the destination is in 10.10.1.0 (the network on the FE0/1 interface), the gateway is 192.168.1.254 (the FE0/0 interface) instead of 192.168.1.1. We can confirm the rule being added:
Now let’s ping the Pi again.
We can see the replies coming back from the Pi.
Note that there are other ways to solve the problem above, all of which would involve adding more configuration to the 1841; otherwise we’ll lose connectivity to the Internet. Let’s save it for another post.
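How the route ADD rule changes forwarding can be traced hop by hop with longest-prefix matching. This is an added example, not code from the original post: the node labels, the "isp" next hop and 203.0.113.10 (a documentation address standing in for an Internet host) are assumptions, and the 1841's table holds only the two connected networks configured above.

```python
import ipaddress

ON_LINK = "on-link"  # destination sits on a directly connected subnet

# (prefix, next hop) tables from the post's addresses. Node labels, "isp" and 203.0.113.10
# (documentation address for an Internet host) are made up; the 1841 has connected routes only.
TABLES = {
    "pc": [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", "192.168.1.1")],
    "home-router": [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", "isp")],
    "c1841": [("192.168.1.0/24", ON_LINK), ("10.10.1.0/24", ON_LINK)],
    "pi": [("10.10.1.0/24", ON_LINK), ("0.0.0.0/0", "10.10.1.254")],
}
OWNER = {"192.168.1.1": "home-router", "192.168.1.254": "c1841",
         "10.10.1.254": "c1841", "10.10.1.1": "pi"}

def lookup(table, dst):
    """Longest-prefix match over one table; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table]
    hits = [(net.prefixlen, hop) for net, hop in hits if dst in net]
    return max(hits)[1] if hits else None

def with_route(tables, node, prefix, hop):
    """Copy of `tables` with one extra static route on `node` (what route ADD does on the PC)."""
    new = {n: list(t) for n, t in tables.items()}
    new[node].append((prefix, hop))
    return new

def trace(tables, owner, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`; return (path, outcome)."""
    node, path = start, [start]
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path, "no route"
        target = dst if hop == ON_LINK else hop
        nxt = owner.get(target)
        if nxt is None:
            return path, f"forwarded to {target}"
        path.append(nxt)
        if hop == ON_LINK:
            return path, "delivered"
        node = nxt
    return path, "loop"

if __name__ == "__main__":
    fixed = with_route(TABLES, "pc", "10.10.1.0/24", "192.168.1.254")
    cases = [(TABLES, "pc", "10.10.1.1"), (fixed, "pc", "10.10.1.1"), (TABLES, "pi", "203.0.113.10")]
    for tables, src, dst in cases:
        print(src, "->", dst, trace(tables, OWNER, src, dst))
```

On Windows, a route added with route ADD is lost at reboot unless it is added with route -p ADD.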
I can even ssh into the Pi.
That means that the new private network is working properly.
We got no Internet access from the private network. That’s the problem we’ll be solving in the next post.
In today’s blog post, I hope we’re now aware of the necessity of having a private home network and the methodology to create one. Of course, it would require much more work until everything becomes fully operational but today we made a great start.
In the next post, we will add the necessary configuration so that we can have Internet access from the private network.
Thank you for your time and I’ll see you in the next post.