Router Security – Subnets and IP Addresses


As you’d expect, every computer on the network has a unique number. And by “computer” I mean any computing device (phones, tablets, Roku boxes, routers, Amazon Echos, etc.). The unique numbers are called IP addresses and are written as four decimal numbers separated by periods (instead of commas). A common IP address is 192.168.1.1. Each number can, technically, range from zero to 255.

Routers differ from other computing devices in that they have (at least) two IP addresses: a public and a private one. The public side of the router is visible on the Internet. The public side is also referred to as the WAN or wide area network side of the router. The public IP address is not controlled by the router, rather it is assigned by the ISP (Comcast, Verizon, Spectrum, etc.). The public IP address is not a secret and there are many sites showing it (ipchicken.com, checkip.dyndns.com, www.ip-adress.com/what-is-my-ip-address).

In contrast, a router has complete control over the private side IP addresses (also known as a LAN or Local Area Network), both for itself and for all the computing devices that connect to it.

The range of IP addresses allowed on the LAN side is called a subnet (as in a sub-set of the network: use only these few numbers out of all the billions of possible numbers). A very common subnet (number range) is the set of numbers starting with 192.168.1 and varying only in the fourth/last number. This is often written as 192.168.1.x, where x is a placeholder for all possible numbers in the fourth position (0 to 255).

Devices that connect to the router are assigned an IP address on the LAN side in one of three ways.

  1. The most common is that they ask the router to assign them an IP address when they connect to the router for the first time. This is referred to as DHCP, where the D stands for dynamic, as in an IP address that is assigned dynamically, on demand. Usually the device uses the IP address for one day and then asks the router for another address, but the router controls that interval.
  2. A slight variation on this also uses DHCP, but the router gives the same IP address to the device over and over again. The common term for this is a DHCP reservation.
  3. The least common way is to configure the device itself to use the same IP address all the time. That is, it never asks the router for an IP address. As opposed to dynamic, this is referred to as a static IP address. If the static IP address is not in the correct subnet, expect some hair-pulling.

These are the decisions to be made regarding IP addresses on the LAN side:

  1. Choose a subnet (the full range of allowed IP addresses)
  2. Assign the router its own static IP address within that subnet
  3. Specify the IP addresses within the subnet that will be handed out on a dynamic (on demand) basis to the devices connecting to the router. This in turn defines which IP addresses can be assigned permanently / statically. Note that a DHCP reservation can be used to hand out any IP address in the subnet (other than the one used by the router).

Each router has default values for the above three decisions, and the defaults will, of course, work. Dealing with IP addresses and subnets is optional. However, it is recommended for several reasons.

First, you will be more secure by not using the default settings. This is because some malware targets routers at their default IP address. Also, some devices on the local area network work better with a static/permanent IP address, and your router’s default settings may not leave room for any static IP addresses. Using a subnet that is off the beaten path can also be beneficial for VPNs: if, someday in the future, you set up a site-to-site VPN, it is much easier and cleaner when each site uses its own subnet. And if you ever want or need to connect one router to another router, it won’t work well if both routers use the same subnet.

FYI: There are two reasons to connect one router to another. The first is to make some initial configuration changes on a new router, as I suggest on the new router page. The other is to create an isolated section of your home network for the devices used for working from home. For more information on this, see my September 2020 blog: A second router can make working from home more secure.

The downside to configuring IP addresses and subnets is that a mistake can mess things up completely. Therefore, the three decisions above (and detailed below) are best made early in the game. That way, if a change messes things up, the router can be reset without losing any other configuration changes you might have made.

Choose a subnet

The first decision is the subnet, which defines the range of IP addresses allowed on the LAN. This range also determines the maximum number of devices that can connect to the router. For most people, most of the time, a range that allows 250 connected devices (wired or wireless) should suffice. Almost every home router uses a subnet that supports a maximum of 250 connected devices.

A subnet that allows 250 devices is specified with the first three of the four numbers in the IP address, with x used as a wildcard for the fourth. For example, very common subnets are 192.168.0.x, 192.168.1.x and 192.168.2.x. Because they are popular, they are best avoided. Using a subnet like 192.168.200.x makes you more secure because no router uses the 192.168.200.x subnet by default.

Why bother with subnets starting with 192.168?

Some IP addresses are not allowed on the public Internet; they are for internal use (LAN side) only. This means that you can, and should, use them in your home or office. IP addresses starting with 192.168 are on this reserved list. So are all IP addresses that start with 10. You’ll never find an IP address on the public Internet that starts with 10 or 192.168. Meanwhile, every home in the world can use the 192.168.1.x subnet without a problem.

Whether you choose a subnet that starts with 192.168 or a network that starts with 10, it’s best to avoid subnets that other devices use.

If you prefer 192.168, avoid networks where the third number is 0, 1, 2, 3 (Amped Wireless, Huawei), 4 (Zoom), 5 (used by Hawking), 7 (Eero), 8 (used by GLi and Huawei), 9 (Gryphon), 10 (Motorola, pcWRT, NetComm), 11 (Buffalo), 15 (D-Link, Linksys and Vonage), 16 (Linksys), 19 (Anonabox), 20 (Motorola, NetComm), 30 (Motorola), 50 (Peplink), 55 (Luma), 62 (Motorola), 72 (Asus Lyra), 85 and 86 (Google), 88 (used by MikroTik), 100 (used by various cable modems and Huawei), 102 (Motorola), 121 (Ubiquiti Alien router), 123 (LevelOne, Sitecom, Comfast), 127 (Mercku), 168 (Sonicwall), 178 (used by FRITZ!Box), 218 (Firewalla), 223 (Trendnet), and 254 (D-Link, Actiontec).

In September 2018, malware was found looking for routers on the subnets 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.15.x, 192.168.25.x and 192.168.100.x, which is all the more reason to avoid them.

If you prefer IP addresses starting with 10, the subnets to avoid are 10.0.0.x (Netgear, Asus, Cisco, 2Wire, etc.), 10.0.1.x (Apple), 10.1.1.x (Belkin, D-Link), 10.1.10.x (SMC), 10.10.1.x (Asus), 10.10.10.x (used by HooToo in the HT-TM05 TripMate Titan Wi-Fi Sharing Device), and 10.90.90.x (D-Link).

Some networks that are easy to remember are 10.11.12.x and 10.20.30.x. However, the priority should not be ease of remembering, it should be security. So, something that no one will guess, like 10.43.27.x, is better. If you live at 123 Main Street, 10.123.123.x is a great choice.

If you know of other default subnets used by routers, please email me.

To really live off the beaten path, you can choose a subnet between 172.16.x.x and 172.31.x.x. These too are for use on the LAN side only, and I suspect they are used less than 10.something and 192.168.something. For example, I’ve never seen or heard of a router using one of these subnets by default. I guess they’re not popular because they are harder to remember. Also, their subnet masks (next topic) are not the standard one, and there may be some routers that do not support them.

Subnet masks

Along with choosing a subnet comes the concept of a subnet mask. The mask is what tells the router which part of an IP address identifies your subnet. The bad news is that subnet masks are bit masks (binary numbers) and therefore confusing for non-technical people. The good news is that almost every home network uses the same subnet mask, so you’ll likely be able to skip the details.

The 192.168.200.x subnet means that all devices on the network will have IP addresses starting with 192.168.200. This also means that the network cannot contain more than 255 devices. The highest and lowest IP addresses often have special meanings, so I’ll limit this subnet to 192.168.200.1 (avoid zero) up to 192.168.200.253 (skip 254 and 255). Thus, a maximum of 253 simultaneous devices, which is enough for almost everyone.

The subnet mask for any network where the first three numbers are the same is 255.255.255.0. The number 255 means that this part of the IP address identifies the subnet, while the number 0 means that it does not. Therefore, 255.255.255.0 means that the first three numbers are used to identify the subnet. Thus, 192.168.1.x, 192.168.22.x, 10.11.11.x, and 10.88.99.x can all use a 255.255.255.0 subnet mask because, in each case, the first three numbers are the same and identify the subnet.

The subnet mask 255.255.255.0 is actually 24 binary ones followed by 8 binary zeros. For this reason, it is often referred to as 255.255.255.0/24.

The image above shows how to define the subnet on an Asus router. The subnet mask goes hand in hand with setting the router’s IP address (our next topic below).

The image above shows how to define a subnet on a Peplink/Pepwave router. The subnet mask comes into play both when specifying the router’s IP address and when specifying the DHCP scope (more below). Note that after displaying the subnet mask, Peplink displays a slash followed by the number 24. This is nerd-speak for the 24 binary ones that make up the actual subnet mask. “Lease Term” is how long a device can use the IP address the router assigned to it. After that time has passed, the device must ask again. For now, ignore the middle section about VLANs.

The hard part

Any IP address starting with 192.168 is reserved for internal/LAN use only. Thus, 192.168.5.5, 192.168.6.6, and 192.168.33.22 could all be part of your home subnet. If you set it up that way, your router can, in theory, connect to more than 65,000 devices. In practice, you wouldn’t want to pay for a router with the computing horsepower to handle 65,000 devices. However, for the rich out there, you can indicate this with a subnet mask of 255.255.0.0, or 255.255.0.0/16.

IP addresses starting with 10 are more flexible. At the low end, they can mimic the 192.168.1.x subnet, where the first three numbers are the same, allowing for 253 devices. In the examples above, I assumed this would be the case. As before, the subnet mask will be 255.255.255.0.

At the high end, they could simply have the 10 be the same and allow all other numbers to vary. In this case, 10.1.2.3, 10.4.5.6, and 10.123.123.123 are all part of the same subnet. This allows more than 16 million devices on the subnet. Do not do this. You don’t need to connect 16 million devices to your router. However, this can be indicated by a subnet mask of 255.0.0.0, or 255.0.0.0/8.

At the advanced end, subnets between 172.16.x.x and 172.31.x.x can use a subnet mask of 255.240.0.0/12 and have more than one million devices on the subnet. They should also work fine with the most common subnet mask (255.255.255.0), indicating a subnet where the first three numbers are the same, for up to 253 devices. The subnet mask 255.240.0.0 is really off the beaten path, and there’s a chance that a router won’t support it.
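As an added example (my own code, not from the original page), the mask arithmetic above, the “is my static IP in the correct subnet?” check from the DHCP list, and the “avoid well-known default subnets” advice, all in Python using the standard ipaddress module. The list of default subnets is a small sample constructed from the page’s own lists, not a complete vendor inventory.

```python
import ipaddress

# Sample of the default LAN subnets the article says to avoid (constructed
# from the page's lists; extend it with the full lists if you use this).
DEFAULT_SUBNETS = [ipaddress.ip_network(s) for s in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.15.0/24",
    "192.168.100.0/24", "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24",
)]

# The three "LAN side only" ranges the article describes (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(s) for s in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24: the number of leading binary ones in the mask.
    A mask that mixes ones and zeros (e.g. 255.0.255.0) raises ValueError."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(mask: str) -> int:
    """Addresses in the subnet minus the lowest (network) and highest
    (broadcast) address. The article additionally skips .254 by convention,
    which is why it quotes 253 for a /24 where this returns 254."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses - 2


def same_subnet(router_ip: str, mask: str, device_ip: str) -> bool:
    """True if a device configured with the static address device_ip lands
    in the router's LAN subnet (otherwise: hair-pulling)."""
    lan = ipaddress.ip_interface(f"{router_ip}/{mask}").network
    return ipaddress.ip_address(device_ip) in lan


def check_subnet(router_ip: str, mask: str) -> list:
    """Warnings for a proposed router address + mask; empty list means OK."""
    iface = ipaddress.ip_interface(f"{router_ip}/{mask}")
    lan = iface.network
    warnings = []
    if not any(lan.subnet_of(p) for p in PRIVATE_RANGES):
        warnings.append(f"{lan} is not inside a LAN-only (private) range")
    for default in DEFAULT_SUBNETS:
        if lan.overlaps(default):
            warnings.append(f"{lan} overlaps well-known default subnet {default}")
    if iface.ip in (lan.network_address, lan.broadcast_address):
        warnings.append(f"{iface.ip} is the network or broadcast address")
    return warnings


if __name__ == "__main__":
    for candidate in ("192.168.1.1", "192.168.200.1", "10.43.27.1"):
        print(candidate, check_subnet(candidate, "255.255.255.0") or "OK")
```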

Whew.

Choosing a router’s IP address

Within a given subnet, routers are usually assigned the number 1 as the last number. There is no technical requirement for this, it’s just…
