Helping people with computers... one answer at a time.

Be it tenants or children, it's common to have machines on your network that you can't trust. A secure solution involves setting up another network.

In reference to your article " Is the WiFi connection provided by my landlord safe, and if not, how should I protect myself?", while I am not *that* landlord, I am *a* landlord. I don't know how to look at my tenant's data, but how do I protect myself from my tenant and for that matter someone in another apartment or someone just driving by the apartment building? According to my tenant, there are 8 different networks registering on his laptop (including mine). Because my tenant shares the cost of the connection with me, I feel I have to protect the both of us from "problems."

I have wireless broadband router I am wired directly to the router and my tenant uses the wireless connection. The router itself has a password on it and you need to enter an encryption key to gain access to the network to which my router is attached.

There are a few issues here, some of which are common and have standard solutions, which it sounds like you've already implemented.

However protecting you from your tenant, your tenant from you, and for that matter all your tenants from each other gets ... well, things get interesting.

Let's start with what you're already doing correctly: password protecting the wireless connection. As long as that router is configured to use WPA encryption and not WEP, that should prevent random people from connecting to your network when they are in range.

Make sure also that you change the administrative password on the router itself. The defaults are well known, and if you don't change it any of your tenants could gain administrative access to the router and do all sorts of nasty things with it.

Finally, as to those other 8 wireless networks that appear in range: just don't connect to them.

Now, let's look at protecting you and your tenants.

First, let's diagram what you've described:

Simple Internet Sharing with a Router

In fact, I'll expand that a little to a more general case:

Simple Internet Sharing with a Router and multiple computers

As you can see, the internet comes into the router, where it's then shared with both your computer via a hardwired connection, and with one or more tenant computers over wireless.

This is a perfectly acceptable solution to sharing an internet connection, and is an extremely common configuration in homes and offices.

The problem is simply this: it assumes that everything on the local network is trustworthy.

To put it simply, a router used in this fashion protects one side, the local network, from the other side, the internet. It does not provide any protection between equipment on the same side. By that I mean that the router does not protect machines on the local network from each other. It assumes that they can all be completely trusted.

"The problem is simply this: it assumes that everything on the local network is trustworthy."

In your case, that's a bad assumption. Tenant A's computer could, for example, become infected with a virus that could then migrate to Tenant B's computer or to yours. Or, even more worrisome, they could actually purposely attempt to perform a malicious act.

Any time you have a collection of computers that share an internet connection but can still not be trusted, you need to take extra steps. And by "not trusted" I mean things like being operated by tenants whose activities or expertise you have no knowledge of, or even your own children whose inexperience you're all too well aware of. You need to protect yourself in either case.

In a case like this the assumption you need to make is very simple: assume your computer is connected directly to the internet, and take appropriate steps. Even though you're connected behind a router, assume the worst and pretend you're not.

That means either making sure that everyone has appropriate firewall and other security software installed on all machines, or devising a hardware based solution.

And what's my first reaction when I hear that someone is connected directly to the internet?

Install a router.

Or, in this case, install another router.

There are two approaches, depending on what kind of internet connectivity you've been given by your ISP.

Approach One: Your ISP will give you more than one IP address.

In this case we use a hub (or a switch) to "split" the internet in two before attaching a router.

Spliting the Internet in Two Using a Hub

In this configuration you have completely isolated yourself from your tenants. Their machines can't see your machines, and vice versa. You're totally protected from anything that they might try to do.

But note that by putting all the tenants behind a single router, they are once again unprotected from each other. A more complete solution might be something like this:

Spliting the Internet Using a Hub Protecting Each Network with Its Own Router

Here we've installed a router for each tenant. What this does is create a private and protected network for each tenant, completely isolated from each other. Each wireless network would have its own unique ID and password, shared only with the tenant that is supposed to be using it.

Personally, that's a little over the top (though you'd be considered a great landlord for providing this level of connectivity). A much more common approach is to provide a "naked" wired connection to each tenant, and let them install their own router as needed. The diagram is identical to the previous one, the only difference is in where the router might be physically located, and who actually provides it.

All of the preceding assumes that your ISP will hand out more than one IP address. The result is that each router is granted it's own, unique IP address on the internet.

The following scenario is actually slightly more common.

Approach Two: Your ISP will give you only one IP address.

In a nutshell, the approach here is to replace the hub that's been "splitting" the internet with another router.

Spliting the Internet Using a Router and Protecting Each Network with Its Own Router

The function of what I've labeled the "Internet Sharing Router" is simply that: to share the internet connection and the single IP address that your location has been given. Each of the next level routers get a unique local IP address on the tiny local network that exists only between the routers. Each of those second level routers then creates a unique, and once again private and protected, local area network for the machines connected to it.

It's tempting to think that all these routers are not needed - that it's overkill - but that's simply not true, from either a functional, or a security perspective:

  • Remove the "Internet Sharing Router", and all but one of the other routers will likely stop working, or connectivity will become intermittent and unpredictable. Because your ISP is handing out only one IP address, only one device can be connected directly to the internet. This router is required to share that single IP between multiple devices.

  • Remove any one of the second level routers, and the machines that were behind it could be exposed to malware originating on any of the other network segments.

  • Remove two or more of the second level routers, and the machines that were behind them are now completely exposed to each other.

All this security comes at a price. What we've created results in something called "double NATting" where the path from any one computer to the internet traverses two NAT routers. That can interfere with some communications protocols, mostly peer-to-peer services. "Port forwarding" becomes, if not a nightmare at least a very bad dream, as ports would now have to be forwarded at two routers: first at the sharing router, and then again at the local second level router.

But for basic operations like the web and email, this scenario works, and works quite well.

Other Solutions

There are other solutions, but I focus on the two presented here as perhaps the most inexpensive and conceptually simple of the lot.

There are higher-end routers that can actually do everything the collection of hubs and routers above do, in a single device. They can be extensively configured to share a single IP address (without double NATting), and protect sub-networks connected to the router from each other. In fact, this is what you'll usually see in larger installations and corporations. The downside to this approach is simply cost and complexity. Purchasing, connecting and configuring consumer-grade hubs, switches and routers is well within the means of most average computer users. The same is decidedly not true for the higher-end solutions, where you really do want a professional to install and maintain the networking equipment.

Article C3371 - May 5, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

19 Comments
Mary
May 6, 2008 4:53 AM

Thanks for providing the diagrams. Makes it so much easier to understand the concepts behind NATting, double NATting, etc.

John
May 6, 2008 6:23 AM

I really disagree with you on this one Leo. Buying an additional router for each connected computer is an extremely expensive solution when good firewall software will suffice and do exactly the same thing. Routers provide an incoming firewall by the intrinsic nature of using NAT (as you've pointed out in other articles), but you don't need to buy a router if all you need is a firewall--that can be accomplished with good firewall software, and some decent firewall programs are available even for free. Of course it could be argued that a hardware-based firewall could be considered more bullet-proof than software-based firewalls since they are virtually impervious to malware, but if you have good firewall software that hasn't been compromised by malware that all ready exists your computer, then a software-based fireall is JUST AS GOOD as being behind a router for all practical purposes.

How can you make your readers believe they need a router for every single computer on their LAN, in addition to their router that connects them to the internet? That is an extremely expensive solution that is unnecessary. Would you mind explaining why you think spending all that money on additional routers is justified over using good firewall software? I think protecting yourself with decent firewall software is adequate for 99.9% of the average computer users out there. I think you are way out-of-line on your advice this time, Leo.

jeffrey
May 6, 2008 11:21 AM

In regards to John's comment, that is correct if it were just 1 family and 1 person has control or access to all computers...but in a landlord tenant situation, where the landlord has tenants connecting and does not know, and may not be able to legally confirm if they have a firewall, the hardware solution appears to me to be the better one.

Leo
May 6, 2008 2:32 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As Jeffrey pointed out, I'm not suggesting this for a home
scenario, or for any scenario where you have control over
all the computers. This is specifically for distribution of
an internet connection to users/computers/whomever over
which you have little or no control.

In *some cases* it might be appropriate for the home:
particularly if you have children or house guests whose
usage you cannot trust.

But if you can trust all the computers behind your single
router, then absolutely a single router is the way to go.
It's how I run here.

But I'm no landlord :-).

Thanks,

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIIM5uCMEe9B/8oqERAlITAKCMN52F6XhQb4WlwOOqJRBJPMku8ACdGGPB
mY9nKthb1ba9ka7D06FxUHM=
=NVC0
-----END PGP SIGNATURE-----

Brent
May 7, 2008 6:49 AM

The fatal flaw in John's view is not taking into account the scope of things. As already pointed out, we are talking about a network with MANY users (ie tennant rooms) that we want to assume no level of trust among them.

The problem with software firewalls is that they can be disabled fairly easily, even accidentally by...shall we say "less than informed" computer users. So basically with a software firewall approach you can urge your tennants to use them but you can never be 100% sure they are using them and using them correctly.

So to sum up, Leo's multiple router approach is very good advice for the given situation.

Amjad Yusuf
May 7, 2008 11:20 PM

I don’t know why you guys are making short story too long. Simple solution for this scenario is just remove the tick mark ‘File And Printer Sharing For Microsoft Network’ under Local Area Connection Properties.And see, nobody can access your machine.

Shreyas
May 8, 2008 7:23 AM

Even I think this solution is an overkill, Leo. A good firewall software can keep you safe 99% of the time. Just for the rest 1%, why would you put so many more dollars in buying other routers?

And as you pointed out, this will interfere with p2p softwares, causing troubles. A good solution could be, know your tenants well!

Another thing we are forgetting here is that the second level routers need to have a 'wired' connection with the main router! In most cases, this won't be possible. I don't think any landlord should wire up his apartment just so that he can give a 100% internet security to his tenants.

The money equation just doesnt work here.

Leo
May 10, 2008 10:47 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Amjad: Turning off File and Printer Sharing is NOT secure.
Without a firewall you would still be at risk of malicious
attacks and vulnerabilities.

Thanks,

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIJd+3CMEe9B/8oqERAj9FAJ0Rb0EsmiMsPMnrPtfUCzaBaFs+kwCeMzZs
V2QRknlcw3nk5e7xokzLpXE=
=uw3Y
-----END PGP SIGNATURE-----

Leo
May 10, 2008 10:49 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shreyas: please re-read my earlier response in comments to a
similar objection. This scenario is NOT your home. It's a
landlord or other situation where he has NO control over all
the computers involved. If everyone could be *guaranteed* to
install and use a software firewall, that would be a fine
approach. You simply *cannot* make that guarantee.

Thanks,

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIJeAvCMEe9B/8oqERAqy1AJ9BRiS82LGjS7sWc2ZepQBAb4a9rgCggRm4
zgLL2Z2f37qh+3WU9DkJPbk=
=dWII
-----END PGP SIGNATURE-----

John
June 4, 2008 6:35 PM

Thanks for everyone's comments about my previous post. After more thought, I realized that having all the computers connected to one router (without additional routers to protect each computer) is actually justified because that is no worse than everyone having their own DSL connection; whether their computers communicate across the intranet set up by the router, or whether they communicate across the internet via each having their own DSL connection, it is virtually the same thing. The only difference is when they are connected via the internet by DSL modems, they are not vulnerable to ARP poisoning intranet attacks that could happen on the router WLAN. So I don't think it is the landlord's responsibility to shield them from each other when it is the same thing if they have their own DSL connection. The tenents must be responsible for their own safety.

But I came across what may be a perfect solution for this scenario. I'm not sure which other routers have this option, but the Linksys WRT54G that I use has an advanced wireless setting called "AP isolation", that when turned on, prevents the computers on the WLAN from communicating with each other (while still allowing each of them to communicate with the router). That would isolate all the computers from each other and there would be no need to buy additional routers. What do you think, Leo? Seems like this is just the right solution for the scenario described in your article.

Bob
February 17, 2010 2:43 PM

How do I ensure that a particular router has "AP isolation" (a.k.a. "client isolation"). And how do I determine that any particular hub meets the requirements for isolating one tenant from another?

Anonymous
August 7, 2010 11:40 PM

is it possible to connect from provider to modem to router to hub then to another router again?????

Possible: certainly. Is it what you need or want? I have no idea.
Leo
09-Aug-2010

neil manaog
August 7, 2010 11:41 PM

is it possible to connect from provider to modem to router to hub then to another router again?????

Alan
December 19, 2010 9:30 AM

Hi & thanks for the article!

Instead of the configuration- modem--> internet router-->router 1(network 1) & router 2(network 2),

would the following operate the same?

modem-->router 1(network 1) -->router 2(network 2)

In other words, run the 2nd network off of the other network's router....hmmm?

Thanks!

That doesn't protect everyone from each other. That only protects the computers connected to router 2 from the computers on router 1, and not the reverse.
Leo
20-Dec-2010

Alan
December 22, 2010 3:07 PM

Thanks Leo! Your reply is appreciated.

I learned that my Airport Extreme router has a guest network feature that splits the LAN into 2 VLANS's, which are on separate IP's & have different WPA passwords. This would seem to do the trick but I am not convinced of the security.

I am having trouble w/ the set-up you described with double NAT being reported by the Airport, but we'll see...

The guest network sure is the easier softer way!

DaveVM
December 24, 2010 11:33 AM

Leo,

About the double NAT issue, what if the NAT were turned off on the router connected to the ISP and the other routers had NAT on?

Would that stop the double NAT and preclude having to do the double router port forward jobs and so forth?

Just wondering.

Dave

There may be other details at play (for example will your ISP give you more than one IP address with NAT off?), but in concept: yes.
Leo
25-Dec-2010

Alex
November 23, 2011 3:51 PM

Leo, thank you very much for explaining that very clearly - I've understood the concept, but how do you actually (physically) connect one router to another one?
I've got my main router "2wire 2701hgv" (that is connected to the telephone line - broadband) and would like to place one of my laptops behind the second router "2wire 2700hgv" the way you suggested in this article. However, the problem I see is:
- you connect a telephone line cable to the first (main) router's port (lets call it "main router in") - that's simple and quite straight forward as the relevant cable is supplied with the router, and then, which port on it (lets call it "main router out") and what sort of cable do I have to use in order to connect to the second router (lets call it "second router in")?
As far as I understand, I'm supposed to connect main router's "out" (which is one of the 4 available Ethernet ports) to the second router's "in" (which is a telephone line "in" port), and that's exactly where the confusion kicks in - what sort of cable to use? Main router's "out" is an Ethernet port, but the second router's "in" is a standard telephone line port so a regular Ethernet cable (neither a telephone line one) that have the same jacks on either end would not do.
Thank you.

If your router has a telephone line in, then it's not just a router - it's a modem/router. A true router would have a network connection (often labeled WAN) for its input.
Leo
24-Nov-2011
Alan
August 27, 2012 5:22 PM

Hi Leo,

This one may cause you to change the name of your site! ;-) Here goes…

I presently run the following network setup:

Modem > Router 1 > Router 2, Router 3, VoIP Device

I do this as I want to run three separate networks for security reasons, as follows:

1) Router 2- personal machines, which contains 2 wired desktops & 1 laptop(wireless)

2) Router 3- biz laptop(wireless), wi-fi for cells & guests

3) VoIP Device

So, what’s wrong with this? Well, I’m getting a signal boosting device from my mobile phone provider & a wireless gaming adapter & have only 4 ports on router 1 & have only 1 port remaining. From experience, I am guessing that these devices will not function properly behind 2 routers, which is why I have the VoIP device connected directly to router 1. It’s not easy to find a proper, Gigabit router with 5+ ports. If I can, well that’s great, problem solved. I can simply plug in my 2 new devices along with my existing 3 to the new 5 port router, while maintaining the rest of my existing setup, & be good to go!

Not so fast... I was thinking, what if I set up one of my routers, in this case an Airport Extreme w/ 3 ports (don’t penalize me, I’m not a Mac guy per se) as my internet router, like so:

Modem > Router 1(Airport Extreme) >

-Wireless network for personal laptop.
-Wireless guest network (using the built-in Airport functionality) for my biz laptop, guests, & cells
-Port 1 > Desktop 1
-Port 2 > Desktop 2
-Port 3 > Switch > Voip device, mobile network signal booster, gaming adapter (connects to Directv receiver)

My problem with this setup, while there is happily no possibility of double NAT, I am uncomfortable running the foreign devices on the same network on which I run my pc’s. I am uncomfortable yet ignorant of the potential risks in such a scenario. Not sure if such devices possess a threat potential, as untrusted computers do that are running on a network.

It’s been a couple of years since I’ve posted on you site. I hope you have the time to respond. Thanks for a great site, & your extremely clear & concise explanations Leo!


Alan
September 2, 2012 8:14 AM

Hi Leo,

P.S. to my last comment…

Been thinking about your explanation of creating separate networks as a way to protect all parties from each other & have some questions.

In regards to the following question previously asked:

"Instead of the configuration- modem--> internet router-->router 1(network 1) & router 2(network 2),

would the following operate the same?

modem-->router 1(network 1) -->router 2(network 2)

In other words, run the 2nd network off of the other network's router..."

You replied:

"That doesn't protect everyone from each other. That only protects the computers connected to router 2 from the computers on router 1, and not the reverse."

Well, when creating completely separate networks as you've suggested in approach two, all networks still have to pass through the one router connected directly to the modem. Wouldn't this one router access point be a point where all data passing through could theoretically be accessed by any other devices on the network or sub-networks?

I hope you'll explain why I am wrong & that this is not the case ;-)

Thanks!

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.