G+_Rud Dog, posted February 10, 2016:
Here is what I thought it should be, but not sure?
G+_Travis Hershberger, posted February 10, 2016:
That's it all right. Just to stay sane, I'd use different subnets on each of the three routers, i.e. Router1 192.168.1.1/24, Router2 10.10.10.1/24, Router3 10.10.11.1/24.
G+_Ben Reese, posted February 10, 2016:
Yup, that's it. And the IP ranges really don't matter too much, but there's a bit more you can still do. If Router 1 has an IP of 192.168.1.1 and Router 2 has the same LAN-side IP, you shouldn't be able to access Router 1 from inside Router 2's network. That means devices on Router 2 can't configure Router 1. Depending on the router, if Router 2 is on a different subnet (say, 192.168.2.0/24), it may still pass traffic for 192.168.1.1 on through the gateway. May not be an issue, but if Router 1 has a vulnerability it's now easier for devices in Router 2 to exploit that.
G+_Brett Childress, posted February 10, 2016:
This is definitely more secure. Exposing a server/service on one of the subnets will require some port forwarding on two routers instead of one.
G+_Travis Hershberger, posted February 10, 2016:
Ben Reese You're correct that the subnets don't really matter; that's more of a matter of making it easier to figure out which network you happen to be connected to. Look up your IP address and you'll instantly know.
G+_Rud Dog (Author), posted February 10, 2016:
One tiny omission from my drawing: the LAN side (on router 2) would need to talk to the IoTs (router 3). Will this be a problem? When I say "talk" I mean for IoT firmware updates, configuration and just plain checking IoT status.
G+_Travis Hershberger, posted February 10, 2016:
Rudy Trujillo I'd just switch the network cable from Router2 to Router3, do the updates, and switch the cable back. I've got lots of computers/tablets and things sitting around that make it easy for me to do things like that, though. The other option is to manually open ports in Router2+3 to enable one of the computers to communicate on the Router3 network.
G+_Rud Dog (Author), posted February 10, 2016:
Travis, switching the cable sounds like the EZ-to-carry-out method; unfortunately, routers 2 and 3 will be in separate locations. The interesting-sounding option is the opening of ports. When I started drawing this up in my mind there was a sizzle and pop (brain overload). Do you have a simple "how to" for this port opening related to this setup?
G+_Travis Hershberger, posted February 10, 2016:
Rudy Trujillo It's going to be a little different for every router, sadly. Let's say you have an IoT device that you log in to from a secured web connection, HTTPS. Also, let's assume that the IoT devices are connected to Router3. On Router3 you'd want to forward port 443 (the HTTPS port) to the IoT device's IP address. On Router2 you may need to add a static route pointing to the WAN port IP of Router3.
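An added example, not part of any post in this thread: a small Python model of the layout discussed above (Router2 and Router3 each plugged into Router1's LAN), showing where a connection from a device behind Router2 lands, including the same-subnet case from Ben Reese's post and the port 443 forward from Travis Hershberger's. The WAN addresses, the IoT host 10.10.11.50, and the assumption that each inner router NATs and default-routes through its WAN port are constructed for illustration.

```python
import ipaddress

# Constructed "Y" layout: Router2 (LAN) and Router3 (IoT) plug their WAN ports
# into Router1's LAN. LAN subnets follow the thread; the WAN IPs and the IoT
# host address are assumptions made for this example.
R1_LAN, R1_IP = ipaddress.ip_network("192.168.1.0/24"), "192.168.1.1"
INNER = {
    "router2": {"lan": "10.10.10.0/24", "wan": "192.168.1.2", "forwards": {}},
    "router3": {"lan": "10.10.11.0/24", "wan": "192.168.1.3",
                "forwards": {443: "10.10.11.50"}},
}

def overlapping(inner=INNER):
    """Return names of inner routers whose LAN overlaps Router1's LAN."""
    return [n for n, r in inner.items()
            if ipaddress.ip_network(r["lan"]).overlaps(R1_LAN)]

def resolve(src, dst, port, inner=INNER):
    """Where does a new connection from a host behind `src` to dst:port land?"""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(inner[src]["lan"]):
        return "stays on own LAN"          # never leaves the source router
    # Otherwise it is NATed out of the WAN port onto Router1's LAN.
    if dst == R1_IP:
        return "router1 admin interface"
    for name, r in inner.items():
        if name != src and dst == r["wan"]:
            # Unsolicited inbound traffic only passes if a forward exists.
            target = r["forwards"].get(port)
            return f"forwarded to {target}" if target else "dropped by " + name
        if name != src and ip in ipaddress.ip_network(r["lan"]):
            return "no route (behind NAT)"  # private LAN hidden by the other router
    return "router1 LAN host" if ip in R1_LAN else "internet"

if __name__ == "__main__":
    for dst, port in [("192.168.1.1", 443), ("10.10.11.50", 443),
                      ("192.168.1.3", 443), ("192.168.1.3", 80)]:
        print(f"router2 -> {dst}:{port}: {resolve('router2', dst, port)}")
```

Every entry in `forwards` is a hole in the isolation between the two inner networks, so the model makes it easy to list exactly what the LAN side can reach on the IoT side.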
G+_Rud Dog (Author), posted February 10, 2016:
Fair enough, and many thanks for taking the time to jot it down and send it.
G+_Paul Galati, posted February 11, 2016:
Slightly confused as to why you would need three routers. Assuming all three are consumer-based wireless routers, couldn't the secure LAN be on router 2 and the IoT devices be connected to router one via wired or wireless? Wouldn't router 2's firewall block any incoming unsolicited requests floating around router one's network?
G+_Jason howe, posted February 11, 2016:
Generally, for login address I usually go by 192.168.0.1, 1.1 for router 2, 2.1 router 3 and so forth. Whichever router is hosting DHCP will be dishing out the .2-.500 or whatever the size of the home network is, starting from 192.168.1.2 or .10 depending on whether you have a file server or not.... Though looking at my own home network in a home context, I'd be doing fiber linking between switches would be my main network, subsidiary With 10 Gb networking coming online within a home context, your backhaul links will likely have to be fiber based.. My network consists of 2 TVs, Xbox, Xbox 360, Xbox One, PS2, PS3, PS4, Wii, Wii U, 1 6-disc Onkyo DVD player, 1 AVR, 3 BD players, several laptops and a desktop and iPad and numerous phones. I see no point of deploying routers other than for wireless use when it comes to deployment of a home network.. Everything on a min of 16-24 port switches.. Having said that, you really need to think of the layout of your home network before you decide on what you are going to deploy..? By the looks of the diagram, looks like 2 DSL services needing a WAN gateway.
G+_Rud Dog (Author), posted February 11, 2016:
Paul, for the particulars I would go to the video and see what you can glean from it, as my purpose was to better understand what was presented by Steve Gibson. Leo and Steve pondered adding more detailed info but in the end agreed that between his instructions and site readables, it should be enough. https://twit.tv/shows/security-now/episodes/545 Believe it was the last topic of the show.
G+_Jason Marsh, posted February 11, 2016:
Randy Trujillo Keep the nets totally separate, as the "convenience" of having communication between devices on routers 2 and 3 negates the advantage of the three router setup altogether. Convenience and security are, generally, mutually exclusive.
G+_Larry Havenstein, posted February 12, 2016:
Some routing might fail if you don't use different subnets. I have seen some stateful firewall appliances have issues with that.
G+_Larry Havenstein, posted February 12, 2016:
This is sort of on the topic. One thing Steve Gibson said was you could use a cheap router as the top router. When I started looking into that, I noticed the WAN/internet bandwidth of the cheap routers was kind of low for more modern connections. My connection will support up to 240Mbps download and many of the cheap routers I was finding were allowing 50-70Mbps. I was finding that you had to move up to a mid-priced firewall/router box to get reasonable WAN bandwidth (150Mbps). Netgear and Cisco had stuff that would do that for about the $150 range. It makes sense to use a straight router/firewall for the first one as you really don't want any WiFi in that box. Just don't know if you can do it for cheap. Seems most non-WiFi routers are designed more for small business use than the more modern high speed home access.
G+_Jason howe, posted February 12, 2016:
Never did with me because 192.168.0.1 was primary DHCP server; 1.1 and 2.1 are only router config addresses, assuming the routers allow pass through service via the ewan.
G+_Rud Dog (Author), posted February 12, 2016:
Judging from the response, it appears Steve Gibson or some other knowledgeable person could devote an entire show/tutorial to setting this up correctly. Other than that, will have to experiment with the routers available and see what works. Only problem with doing this: might overlook something either affecting the security or speed of my network. Thanks all for your input.
G+_Rud Dog (Author), posted February 13, 2016:
My first chance to catch up on my podcasts last night and was glad to see Security Now's Steve Gibson revisiting the 3 dumb routers subject. Now to get it down on paper and see if my understanding is correct.
G+_Jason Marsh, posted February 14, 2016:
I think Steve Gibson and Fr. Robert Ballecer, SJ should team up and do a special show on securing your home network from your guests and IoT devices. Perhaps they could do a VPN client or endpoint setup for the tin-hatters among us ;)
G+_Rud Dog (Author), posted February 14, 2016:
As the brain-mill wanders through the process, more questions pop up. Which router should be used as root, the most expensive or option orientated? What effect does the secure and IoT router have on the main throughput? Are we mixing GB and MB paths as we travel through these routers to the WAN? Most likely it sounds like experimentation is the answer, but the rest of the family seems to think there is only a short amount of time allowed for the internet to be interrupted.
G+_Larry Havenstein, posted February 15, 2016:
Ideally the first one would be a non-WiFi router, or you would have to have the ability to shut WiFi off in it to save the WiFi channels. Was why I was looking for budget business class stateful firewall/routers when I started considering this project. If you want true security, WiFi shouldn't exist in it.
G+_Rud Dog (Author), posted February 15, 2016:
That kind of makes my RT-AC dual band a non-candidate for the root router, or it would be a waste of a great router. Does anyone know what the bandwidth would commonly be on the WAN port of most routers?
G+_Larry Havenstein, posted February 15, 2016:
Whatever speed your ISP says you should get from them is what the bandwidth of the WAN port needs to support. In my case, currently Cox says I should be able to get up to 300 Mbps. I have seen 220Mbps. So I would need at least 300Mbps. Although they are moving to "Gigablast", which is supposed to be 800Mbps roughly. So I am guessing if you have to do a serious investment, 1 Gbps WAN ports in my case would be wise. If you get less than 150Mbps it gets much easier to find good firewall/routers.