Routing

For the majority of my adult life, I’ve had a preference for D-Link network products.  In the early days, before security was a primary concern, the simple ability of a router to even perform NAT routing reliably was a major accomplishment.  The old Apple Airport base station that dad had purchased was okay, but was notoriously flaky and required software to administer (rather than the universal browser-based GUI).  We had developed a ritualized order in which devices on the network had to be unplugged and rebooted in order to restore connectivity.

Network equipment from 1999–40-bit WEP encryption, awwww yeah!

When I moved into my first college apartment, a friend at the time gave me a D-Link router, the ol’ DIR-524.  It did it’s job admirably, though it became dated and thrown into a box when I moved into my second apartment, replaced by my roommate’s newer model Linksys.

This guy supported 802.11g!

But then the Linksys fried, and I dug out the D-Link again.  I continued to use it in two additional apartments thereafter, until I finally forked over $70 for a newer D-Link (although this was after I tried a Netgear, which continually dropped its routing), the DIR-655.

First gigabit-capable hardware I owned

That first D-Link has long-since disappeared, but the 655 still functions on my network to this day, having been reconfigured to operate as a hotspot (300N is still fast enough for an internet connection).  My point is that, over the years of router experiences, the only ones that seem to have been built with decent hardware and designed with stable firmware were D-Links.  After multiple iterations, I was a brand snob, and currently have 3 of their wireless routers in operation.

But the Internet’s come a long way since the 90s, and while router manufacturers have figured out how to design their equipment to function reliably at a base level, they have not put a premium on security.  I suppose that, given the price points of consumer-grade network equipment, the manufacturers have to prioritize, and that priority has fallen upon aesthetic design and marketing rather than support and security.  They can’t be blamed for that, since they’re only responding to demand (and the controversial “WAF”).  I suppose if customers demanded security, then they would respond accordingly.

My currently-running model: DIR-880L

I’ve listened passively as entire lines of consumer-grade routers were revealed to have massive security holes, and the manufacturers failed to respond.  These compromises always affected other brands, but all good things come to an end, and the flaws were gradually revealed throughout D-Link products too.  Pity.  Now it seems that no brand is immune.  All consumer-grade routers have similar problems, and I found myself left without a viable alternative.  And while I’m probably unlikely to be targeted, I do have Internet-facing services, like this site (rather that hiding in stealth mode).  So, it was time to consider upgrading to a business-class router.

When classifying routers, the target demographic is commonly used in its description.  That carries certain connotations, such as the knowledge and motivation of the purchaser, and the level of features and security.  Consumer-grade routers are designed to be pretty, work out of the box, and be easily configured if the user wants, but configuration isn’t generally required (or terribly robust).  At the other extreme are Enterprise-class routers, which assume a support staff of certified technicians (and an enterprise-level budget, being in the tens of thousands of dollars).  Everywhere in between lie Business-class routers, which I find to have the largest range in price and user-friendliness.

I was primarily after something basic–something that maintained firmware updates with vulnerability discoveries, that had good policy-driven default security settings, and still something that I could figure out given my lack of expertise.  I decided upon a Ubiquiti Edgerouter X.  It operates on their EdgeOS (which is the same across their entire line of products, which means it’s going to get updates as they respond to the needs of their bigger clients), and has received a number of positive recommendations from people in the industry.  And at $50, the price was good and low-risk.

Aesthetics be damned (but I still think it’s a cute little box)

It bears mentioning that this is no all-in-one wireless router–not a problem since I have hotspots configured, but be advised.

Amusingly, I lacked a general computer with an Ethernet port.  I know that seems odd, but computers are increasingly scaled down to reduce form factor and to extend battery life.  And since I haven’t yet built an office, I don’t have a place for a full desktop yet, and therefore stick to laptops.  In short, I needed an adapter.

After some searching, I found an Amazon brand adapter:

The reviews checked out, so I ordered that too.  I did anticipate some problems getting drivers, since the included CD-ROM was useless as I also lacked a CD drive, but they were available online and after a quick install, things were working as advertised.  I needed one of these anyway for other wired LAN configurations, so this project was just the final excuse.

In every consumer-grade router setup I’ve ever experienced, I plug in the router, connect via Ethernet to LAN port 1, navigate to http(s)://192.168.0.1, and am immediately presented with the configuration page login.  I followed these same steps, and…nothing.  Just an unfriendly browser timeout.  I repeated these steps, wondering what I had done wrong.  It was not a good sign that I failed at even finding the configuration page.  This was not going to be easy.

The instructions assumed a certain degree of competence, of which I apparently did not posses.  Fortunately, a kind soul elsewhere on the Internet had written a dummy’s guide for these initial steps (although later, I found these same steps on a quick setup pamphlet in the box, so that was my fault).  I had left my computer’s network settings to pull an IP address via DHCP, as is the norm, but the Edgerouter doesn’t come with DHCP enabled by default.  Instead, I had to manually assign an IP address to my computer within the normal range of the router’s subnet, which was 192.168.1.0/24 (excluding 192.168.1.0 and 192.168.1.1), so I chose 192.168.1.11 (anything in that range would presumably have worked, but I decided to follow the advice explicitly).  192.168.1.1 was therefore the default address for the router (and different than standard consumer grade routers).  I accessed this IP address and was presented with the login.  Success!

Already it looks more professional

The default login credentials were, however, in the manual; so at least I was able to log in right away.

Then, I was presented with the main screen:

The screenshot isn’t mine, but it’s more or less what I saw

Uhhhh, what do I do?  I spent the next half hour clicking everything to figure out where all the settings were.  Router GUIs are always somewhat random, but this one definitely allowed more customization than I was used to.  Fortunately, I found a wizard.  I generally avoid these, but I had two reasons for using them this time: 1) I wanted to keep the existing configurations on my D-Link, and it’s segmented guest WiFi, so that meant either massively overhauling the setup and possibly buying more equipment, or double NAT-ing; and 2) I didn’t fully understand what I was doing and wanted some more hand-holding.  I ran the WAN-LAN setup wizard.

I followed the prompts, the router rebooted, then nothing worked again.  Fortunately, I did know enough to switch the Ethernet cable to from eth0, where I had it and which was now configured to be the WAN port, to eth1.  Then I re-enabled DHCP on my computer.  Success!  I logged in.

I connected the modem to eth0, but the router never pulled an IP address from the ISP.  Frustrated, I repeated the above steps to no avail.  Then I went and fetched the most recent firmware for the device, which was many versions out of date.  Ultimately, this wasn’t the problem, but I’m glad it forced me to go pull the security updates before completing all my configurations.

Turns out I just had to reboot the modem.  I know I know, what a noob mistake.  I put the blame on the new hardware when in fact it’s probably the most advanced piece of network equipment I now owned.  I followed the wizard again, slightly changing the defaults so that eth1 and eth2 were separate subnets–a future experiment in network isolation.  It’s novel, and seemingly obvious now, that each port on a router be configurable.

So, the modem ran into eth0 (now the WAN), eth2 to the WAN on the old router.  Then I had to input all my port-forwarding settings so I could reach the server, and check a setting for NAT reflection, and input my DNS settings, bla bla bla.  In short, everything was back online…except for logging into my email server for some reason.  I’ll have to figure that out later.

[Edit: I figured out that I needed to add a firewall rule on the server to allow logins from the Edgerouter’s IP address]

The important thing is that it works, and my consumer-grade router is no longer the Internet-facing entry point to my LAN.  Presumably, I have a business-class firewall protecting me now.

And an interesting little extra is the DPI feature, screenshot example (again, not my own):

Of course, since I’m double NAT-ing, I don’t see the breakdown per client, but I do see an aggregate of all the network traffic.  I don’t know how robust this is, but it sure looks cool.

Liz might call be paranoid, but it’s only paranoia if aluminum foil wasn’t demonstrably effective at blocking alien mind-reading rays (at least business-class foil anyway).

–Simon

Leave a Reply

Your email address will not be published. Required fields are marked *