Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New ISP combo modem. Are my Private IP addresses now Public?


  • Please log in to reply
7 replies to this topic

#1 mjyeo

mjyeo

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 13 February 2018 - 10:05 PM

My ISP just changed out my old Arris Surfboard cable modem/router for a new (purportedly faster) Arris DG3270 “Gateway” combo cable modem/router/wi-fi, but I think the change might have created a security issue.

 

In my previous home network configuration I had 3 Windows 10 computers wired directly to 3 of the LAN ports on the back of the Surfboard. The 4th LAN port was connected to the WAN port on a D-Link DIR-655 router which provided a good wi-fi signal throughout the house for iPhone and iPad, and all worked perfectly. The ISP technician said he could provide a similar setup with the new Arris Gateway device by switching off its wi-fi. He connected LAN port 1 on the back of the Arris Gateway to LAN port 1 on the back of the D-Link router and not to the WAN port (which I understand effectively converted the D-Link into a switched wi-fi device and avoided potential double NAT and DHCP problems), and LAN ports 2, 3, and 4 on the back of the Arris Gateway to the 3 Windows 10 computers.

 

The Arris Gateway user GUI for the new device shows Routing, Wireless 2.4GHz and 5GHz settings NOT enabled, DHCP and DHCP server settings enabled, and NAT mode selected is Bridged. All settings on the Firewall page are enabled.

 

The ISP’s Public IP address currently assigned to me is 24.x.x.x.  However, when I run ipconfig /all from the Windows 10 command line I see that the private IPv4 address for the computer I am currently using, and the Default Gateway also show as 24.x.x.x addresses.  The range of available private IP addresses shown in the Arris GUI DHCP area is 192.168.0.2 to 192.168.0.254 and I expected to see private IP and Default Gateway addresses in this range.  I am therefore wondering whether the ISP technician somehow disabled the Arris Gateway DHCP server and effectively connected my home network directly to the internet with no separation between public/private segments, and if so whether incoming traffic is even passing through the Arris Gateway Firewall to filter out undesirable and/or malicious material.

 

Any information or comments that help me understand what is going on would be greatly appreciated.    


Edited by mjyeo, 13 February 2018 - 10:08 PM.


BC AdBot (Login to Remove)

 


#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,526 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:43 PM

Posted 13 February 2018 - 10:30 PM

Is there any reason, other than it's what you were used to, that you are not using your modem-router as a modem-router?

 

It's got better WiFi whether you have devices that have Wireless AC or Wireless N.

 

You're making this needlessly complex.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

 

     In a modern society where everyone thinks their opinion deserves to be heard nothing annoys me more than individuals who mistake their personal preferences for fact.

         ~ Commenter TheCruyffGurn on the The Guardian website, 8/13/2014

 

              

 


#3 Kilroy

Kilroy

  • BC Advisor
  • 3,335 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:02:43 PM

Posted 14 February 2018 - 11:53 AM

There's no need to worry if your 192.168.x.x address is public, it cannot be routed on the Internet.



#4 mjyeo

mjyeo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 14 February 2018 - 11:56 AM

Hi Brian. The D-Link router provided very good wi-fi coverage throughout the (large) house, the ISP technician said the D-Link is a superior device to the wi-fi component of the Arris modem-router and that it would be simple to set up, I didn't want any deterioration in wi-fi coverage so he went ahead. That was the reason it was set up this way.

 

I have no complaints about performance and responsiveness. All 3 computers are fast and responsive and the wi-fi around the house is as good as it was before.

 

The only concern I have is the invisible part. When I query the system and find the IPv4 address of my principal desktop computer is not in the private range I reason that wherever it is getting its IP address from it is not from the Arris device which is supposed to provide it. And if the DHCP server in the Arris is enabled but not working, I wonder if the other enabled features like the firewall also not working. I don't have enough technical knowledge to test whether they are or not.  Hence my query.


Edited by mjyeo, 14 February 2018 - 11:57 AM.


#5 Orecomm

Orecomm

  • Members
  • 261 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roseburg, Oregon
  • Local time:12:43 PM

Posted 19 February 2018 - 10:09 PM

If this is a duplicate, my apologies. I replied but it didn't appear to post.

 

From your post:

 

The Arris Gateway user GUI for the new device shows Routing, Wireless 2.4GHz and 5GHz settings NOT enabled, DHCP and DHCP server settings enabled, and NAT mode selected is Bridged. All settings on the Firewall page are enabled.

 

Your installer goofed. The Arris is set up as it would be if you had a customer-owned Router behind it (Bridged mode). The problem is, you no longer have a router, as the installer bypassed the routing component of yours by connecting to a LAN port, and even if it was it wouldn't protect the three devices plugged into the Arris. Routing needs to be turned on, NAT needs to be "Routed with NAT", and you need to change the DHCP server to use the inside address of the Arris as Gateway.

 

Your devices are exposed. Even though the 192.168.x.x addresses are not (supposed to be) routable over the public Internet your devices will be visible to anyone or anything connected to the same subnet or physical cable segment until it bumps into a router. On most cable networks this is 2 to 4 thousand of your nearest friends and neighbors. A quick TCPdump on any of your devices should confirm this.

 

If you are not comfortable changing the settings yourself call your provider and explain what you are seeing, and escalate until someone sounds surprised and concerned. They should be able to change the settings remotely from their head end, it shouldn't take a dispatch to fix. 



#6 mjyeo

mjyeo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 20 February 2018 - 02:04 PM

Thanks for the post Orecomm, which was not a duplicate and was certainly helpful. One more question. Since the Arris Gateway is currently set up in Bridged mode because the D-Link router is behind it, but the ethernet cable connections are wrong, could I not simply correct the connections by running the ethernet cable from LAN port 1 on the Arris to the WAN port on the D-Link, and run the wired connections for the 3 computers to 3 of the 4 available LAN ports on the D-Link.  Would that not make all host devices use the private IP addresses from the DHCP server in the D-Link and solve the problem?

 

Sorry if this is a stupid question but I'm not a network engineer and my knowledge in this area is limited.



#7 Orecomm

Orecomm

  • Members
  • 261 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roseburg, Oregon
  • Local time:12:43 PM

Posted 21 February 2018 - 02:23 PM

There are no stupid questions, and yes this would work fine. The only potential gotcha is the address you get on the D-Link WAN will probably be a 192.168.1.x  address (for now) which means your inside (LAN) will need to be something else (192.168.2.x or 192.168.10.x or similar). I would expect that to change fairly quickly, because the way they have it configured now the Arris will be happily handing out 192.168.1.x addresses to everyone on the physical WAN segment it's attached to. (It's bridging ports - so inside and outside get the same services.) As an ISP I have seen this more often than you might think. Sooner or later the ISP's tech support will figure it out and reconfigure the Arris.



#8 mjyeo

mjyeo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 25 February 2018 - 02:30 PM

My ISP Tech Support confirmed settings in the Arris modem/router were correct for Bridged mode and no changes were necessary, but after talking to this guy my system became virtually unusable.  I checked the Arris settings again and noted that he had changed some settings and whatever mode the device was now in was not Bridged mode.  As a result of this call I lost all remaining confidence in Tech Support to provide any useful information whatever and resolved to fix it myself. Since the only thing I need wi-fi for is iPhone and iPad access throughout the house I decided to use the D-Link as an Access Point only. I set the Arris settings to work as modem/router and switched off wi-fi and changed the IP address of the D-Link since it was the same as the Arris. I hardwired LAN port 1 on the Arris to a LAN port on the D-Link and the 3 computers to the remaining 3 LAN ports on the Arris. I restarted Arris and D-Link and then started up my devices, one by one, and everything seems to work fine. I now have the public IP assigned by the ISP and private non-routable IP addresses for each host, assigned in an orderly way from the DHCP server on the Arris. Wi-fi around the house is about as good as it was with the ISP's old wired modem. I am using the Arris router for routing and DHCP service which was not my original intent, but my overall service now is no worse than it was before the change. I'll work with it a while and if it's OK I'll leave it as is.  And I'll be sure to decline any future offers from my ISP to change out my Gateway again! Thanks for the ideas and suggestions Orecomm; they gave me some confidence to dig in and learn enough about networking to figure out a solution that works and lowers my concerns about security.                  






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users