Wireless Router Security

As part of the security on my wireless router, I have restricted the IP addresses to 2 and statically assigned them to the 2 devices on my network.

Is this a good idea or are there other factors to consider?

I have already done the other usual things such as used WPA-PSK TKIP encryption, changed the default IP range, and changed the admin password.

TIA

Rick

Reply to
Rick Stevens

Reply to
Canucklehead

"Rick Stevens" wrote in news:Oy6gh.1828$ snipped-for-privacy@newsfe3-win.ntli.net:

How did you restrict the addresses to 2 ?

Reply to
DanS

There's an option in the DHCP menu of my router IP range start & finish - just specified a range of 2 e.g. 192.168.0.2 to 192.168.0.3 - then statically assigned them to the 2 MAC addresses on the network - it seems happy enough, I'm just not sure if it has any other implications, or causes any problems.

Reply to
Rick Stevens

"Rick Stevens" wrote in news:Znrgh.7535$ snipped-for-privacy@newsfe4-gui.ntli.net:

Just because the DHCP scope is limited to 2 IPs doesn't mean I can't set my laptop to 192.168.0.10 and try to connect to your network.

Reply to
DanS

Sorry Dan but I don't understand, am I missing something??

If I specify a range of 2 IP addresses and statically assign them to 2 devices, how can anything else gain an address?

Reply to
Rick Stevens

Rick,

What Dan is saying is that there is nothing to stop anybody sniffing your network and then manually setting an IP address.

regards

nemo2

Reply to
nemo2

I understand the part about people sniffing the network and possibly finding the IP start (e.g. 192.68.0.x) part Nemo, but if there are only 2 available IP addresses and they are both taken, I don't understand how another address can be accepted by the router. Sorry if I'm being thick, I'm only just learning about networking.

To clear things up, I was under the impression that if you set an IP range, DHCP could only assign a device an IP address within that range; once all the addresses were assigned, no more devices could log on to the network, hence my network (along with the other precautions I have taken that were listed in my original post) would be secure from intruders.

Have I got this wrong?

Rick

Reply to
Rick Stevens

You have only restricted the range of IPs available to clients using DHCP.

Someone can still assign a static address by simply changing their computer's IP configuration manually.

Reply to
Mark McIntyre

After enabling WPA and changing the default password and SSID, fiddling with IP (or MAC) addressing provides, at best, only minuscule additional security benefits that aren't worth the hassle.

As others have pointed out, shrinking the pool of addresses handed out by the DHCP server doesn't really restrict the number of IP addresses that can use your network. To do that, you need to alter the subnet masks of the router and other devices. For a two-device network (a router and one computer), you'd use a subnet mask of 255.255.255.252. The next smallest standard subnet (with a continuous range of addresses) you can create is for six devices with a mask of 255.255.255.248.

Reply to
Neill Massello

Yes, you got it wrong. Most routers will serve any clients in their subnet, no matter how they acquired their IP addresses. The router only ignores IP addresses outside its subnet mask, not outside its DHCP address pool.

Reply to
Neill Massello

"Rick Stevens" wrote in news:tcDgh.11783$ snipped-for-privacy@newsfe2-win.ntli.net:

Yes, this is wrong.

The DHCP scope does not define what addresses can be used. That is the job of the subnet mask. DHCP only hands out an available IP address to a device that asks for an IP address.

The router IP of 192.168.0.1 with a subnet mask of 255.255.255.0 defines the subnet that can communicate within itself as 192.168.0.1 thru .254.

Just because the DHCP server only has 2 IPs in its scope, it does NOT limit usable IPs, only the IPs it hands out.

As Neill pointed out, if the router SNM is set to 255.255.255.252 instead of 255.255.255.0, then that subnet only has 4 IPs. .0 being the subnet ID, .1 & .2 are usable, & .3 is the broadcast.

You have the rtr, and 2 IP devices, which is 3, so it won't fit in a .252 subnet. The next size subnet is .248. Subnet ID of 0, usable IPs of .1 - .6 and a broadcast of .7.

So there will always be usable IPs that are available in your system. That is why the rtr needs to be locked down with the other features & tools it provides.

I also do see why people use DHCP, maybe because that's how it is by default, but on a home network, totally unnecessary. It's not hard to keep track of less than 10 static IPs.

Reply to
DanS
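The subnet arithmetic discussed in the replies above, as an added example that is not part of any poster's message: it lists which host addresses a router would still serve outside a two-address DHCP pool, and finds the smallest mask that fits a given device count. The function names are illustrative; the addresses are the ones used in the thread.

```python
import ipaddress

def subnet_summary(router_ip, netmask, dhcp_start, dhcp_end):
    """Compare the DHCP pool with the address space the subnet mask allows."""
    # strict=False lets us pass the router's own address instead of the network ID
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    hosts = list(net.hosts())  # excludes subnet ID and broadcast
    pool = [h for h in hosts if start <= h <= end]
    # Addresses no DHCP lease covers but the router still treats as local
    outside_pool = [h for h in hosts if h != router and h not in pool]
    return {
        "subnet_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
        "dhcp_pool": len(pool),
        "usable_outside_pool": [str(h) for h in outside_pool],
    }

def smallest_mask_for(device_count):
    """Smallest standard mask whose usable range holds device_count hosts
    (count the router as one of the devices)."""
    for prefix in range(30, -1, -1):
        net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
        if net.num_addresses - 2 >= device_count:  # minus ID and broadcast
            return str(net.netmask)
    raise ValueError("device_count too large for IPv4")

if __name__ == "__main__":
    # Default /24 with a two-address DHCP pool, as in the original question
    wide = subnet_summary("192.168.0.1", "255.255.255.0",
                          "192.168.0.2", "192.168.0.3")
    print(wide["usable_hosts"], "usable hosts,",
          len(wide["usable_outside_pool"]), "outside the DHCP pool")
    # Router plus two devices: smallest mask that fits, and what is left over
    mask = smallest_mask_for(3)
    tight = subnet_summary("192.168.0.1", mask, "192.168.0.2", "192.168.0.3")
    print(mask, "still leaves", tight["usable_outside_pool"])
```
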

Ahh I see, thanks for explaining that, I didn't realise that the subnet was that important.

So realistically even if I drop the subnet to 248, I'm not going to gain anything security wise as there are still usable addresses.

Thanks Guys and sorry for being so thick

Rick

Reply to
Rick Stevens

"Rick Stevens" wrote in news:oWOgh.7889$ snipped-for-privacy@newsfe4-gui.ntli.net:

Not being thick. If you don't do computer/technology stuff for work, or as a hobby, or learn it by taking courses, it can be very confusing and seem very complex since there's so many details.

Hopefully you were able to understand my ramblings. I did have a link to an article about subnetting that, for some reason or another, was extremely well written and made everything very clear and easy to understand. It was only 2 or 3 pages. As usual though I can't find the link.

Regards,

DanS

Reply to
DanS

I agree with Banjo and with security it's better to ask than risk your network.

Good luck

nemo2

Reply to
me2

Try here:

formatting link
here for walk-throughs (if your model hardware is listed)
formatting link
bobb

Reply to
- Bobb -

Good source of info:

formatting link

Reply to
Danny Kile

He should be able to restrict his network to X number of host addresses using a subnet mask.

Reply to
johnny

Turn off your DHCP server and set your subnet mask to allow only 2 hosts. That way no one can dynamically obtain an address from your network.

Reply to
johnny
