What Do I Need To Setup A Home Network In My Room?



Also it seems somebody's got wise, I tried logging in to the condo router again and now I'm unable to. I wonder how they know? Maybe someone's been trying to get in from the WAN side because yours truly was stupid enough to post the WAN ip further back in this thread! :ph34r:

Maybe an old session of yours or someone else is still there stopping you from logging in again.

Should I set the DNS server settings in the RT-N16 LAN DHCP settings to 8.8.8.8? Or should I set it to 192.168.1.1 so the Zyxel is the DNS server?

This is a matter of religion... test and see what is the fastest for you.

Martin

Many thanks again Martin. I've changed the Asus LAN DNS address and everything's working fine. At last! :rolleyes:

Now I just need to figure out how to setup the UPnP media server and AiDisk!


Also it seems somebody's got wise, I tried logging in to the condo router again and now I'm unable to. I wonder how they know? Maybe someone's been trying to get in from the WAN side because yours truly was stupid enough to post the WAN ip further back in this thread! :ph34r:

Maybe an old session of yours or someone else is still there stopping you from logging in again.

I very much doubt somebody noticed a login from the WAN side. That would imply that somebody actually looked at the router logs! Anybody thorough enough to check the router logs would not have left the default password on the router ;)

Martin's got a good point! Was the password rejected or was there any other error message? The latter points to session clashes (always log out probably).

Should I set the DNS server settings in the RT-N16 LAN DHCP settings to 8.8.8.8? Or should I set it to 192.168.1.1 so the Zyxel is the DNS server?

This is a matter of religion... test and see what is the fastest for you.

Martin

I don't recommend Google DNS as primary DNS as long as you don't have any problems with your ISP's DNS servers. Performance is most likely very similar with slight advantages for your ISP. In addition, some global web services offer load balancing based on your geographic locations, those will deliver better results when using your ISP's DNS servers.

However, some ISPs tend to have unreliable DNS servers; switching to Google DNS is a viable alternative in such cases. Don't use OpenDNS, performance is inferior in Thailand.

My recommendation doesn't consider ethical (Big Brother) or religious motives ;)


you are right about that but that means the money on a router is wasted... if it wasn't for the Wifi you would do it with a 400 baht hub instead...

It's more like getting the most value for the already spent money that rules...

Interestingly the price difference between a dedicated AP and a standard router is minimal - I guess the hardware inside aka hardware production costs is more or less the same.

I still wonder if you can get P2P software to work on a cascaded router setup (I mean easily). I am tempted to switch my Zyxel router back to AP mode and test it out ;)

I'm using dynamic DNS to get into my server from outside. When my IP changes, usually someone else gets the same IP. It takes about 15-20 minutes before the new DNS records are updated. During this time I end up on other people's routers when I try to reach http://home.siamect.com. In the majority of cases I have been able to get in from the WAN side with the default password. It is usually Zyxel that are configured this way. True is the company doing it like this on a regular basis.

Wow! Scary! I will pay more attention to this problem when checking on friends' PCs and network setups...

I am actually surprised that there is something that TOT is better at than TRUE - the Speedtouch modems don't have this major flaw.

welo


I still wonder if you can get P2P software to work on a cascaded router setup (I mean easily). I am tempted to switch my Zyxel router back to AP mode and test it out ;)

Seems to be complicated enough... As I understand it, UPnP is dynamically opening ports in your router from outside. To me this sounds like a good reason to stay away from it... although I must say it sounds fun to play with...

Wow! Scary! I will pay more attention to this problem when checking on friends' PCs and network setups...

I am actually surprised that there is something that TOT is better at than TRUE - the Speedtouch modems don't have this major flaw.

Yes it is scary....

Actually one of my friends http://uploads.brainheart.co.th has a Speedtouch that was set up this way. In HuaHin. I don't know what company he is using and maybe he set it up this way by himself... If anyone wants help to set up port 80 to reach into a web server on the LAN side through a Speedtouch... please let me know.

You need to use command line to do it. (At least that's the only way I could figure it out)

It is far easier to configure this on Zyxel or Belkin...

Martin


Now I just need to figure out how to setup the UPnP media server and AiDisk!

AiDisk... that's FTP, right? Or can you set it up to use SSH (SFTP, port 22) instead? In that case do that. (That's what I do, but I don't use AiDisk.)

It will save you a lot of headaches.

If that is not possible read this http://www.enterpris...hafilewall.html

down at the bottom you have the same setup...

In any case you need to open the ports for it in both the Zyxel (talk to the landlord) and RT-N16. And you need a Dynamic DNS service...

Martin


Seems to be complicated enough... As I understand it, UPnP is dynamically opening ports in your router from outside. To me this sounds like a good reason to stay away from it... although I must say it sounds fun to play with...

Yeah, UPnP is definitely scary if you have untrusted computers on your network, but not in a standard home user setup IMHO.

A scenario such as the OP's is a security nightmare anyway - anybody in the apartment complex basically has full access to the Zyxel router, UPnP doesn't really matter in that case. I assume that UPnP only allows opening port forwards to the PC where the UPnP command originates from, but I'm not 100% sure.

We had a discussion on UPnP here on this forum, see here.

If anyone wants help to set up port 80 to reach into a web server on the LAN side through a Speedtouch... please let me know.

You need to use command line to do it. (At least that's the only way I could figure it out)

Yeah, it's not really straightforward, but you can do it in the web UI as well. The key is that you first have to set up a game/application, which is basically just a name assigned to a port range. In the second step you can then assign the 'game/application' to an IP (select 'user defined' from the 'device' dropdown).

Alternatively you can browse the list of connected devices - the router collects a list of connected PCs based on the Windows network name - and then assign the port forward.

I guess this will even work if you have DHCP enabled and the router assigns a different IP to this device.

Alternatively, just click the 'Always use the same address' checkbox.


welo


If anyone wants help to set up port 80 to reach into a web server on the LAN side through a Speedtouch... please let me know.

You need to use command line to do it. (At least that's the only way I could figure it out)

Yeah, it's not really straightforward, but you can do it in the web UI as well. The key is that you first have to set up a game/application, which is basically just a name assigned to a port range. In the second step you can then assign the 'game/application' to an IP (select 'user defined' from the 'device' dropdown).

Alternatively you can browse the list of connected devices - the router collects a list of connected PCs based on the Windows network name - and then assign the port forward.

I guess this will even work if you have DHCP enabled and the router assigns a different IP to this device.

Alternatively, just click the 'Always use the same address' checkbox.


welo

Did you actually successfully do that?

In my cases, two separate boxes, I did exactly what you suggested but it didn't work because port 80 was forced to be the admin page for the router. That happened although the settings were correct in web interface.

The point at which it succeeded was the following

    telnet 192.168.1.1
    (remove http admin pages for WAN internet)
    service system ifdelete name HTTP group wan
    saveall
    system reboot

This was working on both the routers I tested and it was about 6 months in between them. Same owner and probably same ISP.

I found the solution somewhere else (unknown)

but here is the original text

Thanks for your tips. I went to that other forum and eventually somewhere else (this kitz page about the 585 v7), and then I logged in via telnet and typed config dump, which showed me a massive list of stuff including:

    [ servmgr.ini ]
    ifadd name=PPTP group=lan
    ifadd name=HTTP group=lan
    ifadd name=HTTP group=wan <-------
    ifadd name=HTTPs group=lan
    ifadd name=FTP group=lan
    ifadd name=FTP group=wan
    ifadd name=TELNET group=lan
    ifadd name=TELNET group=wan <-------
    ifadd name=DNS-S group=lan

See where I've put the arrows, that shows access from the outside is enabled. So then I ran these commands:

    service system ifdelete name HTTP group wan
    service system ifdelete name TELNET group wan
    saveall
    system reboot

Having done that, the admin access from outside is disabled (security fixed! thanks for spotting it tedtrp), meaning that port 80 can be used for other things, and port forwarding works fine.

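An added example, not part of the original posts: a small audit of the `config dump` output described above, listing every service that `servmgr.ini` binds to the `wan` group and building the removal lines in the syntax quoted in the post. The sample dump is constructed from the excerpt (the `[ example.ini ]` section is invented), and the function names are hypothetical.

```python
import re

# Constructed input modelled on the "config dump" excerpt quoted in the post;
# the [ example.ini ] section is invented to show that section scoping matters.
SAMPLE_DUMP = """\
[ servmgr.ini ]
ifadd name=PPTP group=lan
ifadd name=HTTP group=lan
ifadd name=HTTP group=wan <-------
ifadd name=HTTPs group=lan
ifadd name=FTP group=lan
ifadd name=FTP group=wan
ifadd name=TELNET group=lan
ifadd name=TELNET group=wan <-------
ifadd name=DNS-S group=lan
[ example.ini ]
ifadd name=SNMP group=wan
"""

SECTION = re.compile(r"^\[\s*(.+?)\s*\]$")
IFADD = re.compile(r"^ifadd\s+name=(\S+)\s+group=(\S+)")


def wan_exposed(dump, section="servmgr.ini"):
    """Return services bound to the wan group inside the given section."""
    current, exposed = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            continue
        entry = IFADD.match(line)
        if entry and current == section and entry.group(2).lower() == "wan":
            if entry.group(1) not in exposed:
                exposed.append(entry.group(1))
    return exposed


def lockdown_commands(services):
    """Build the CLI lines in the syntax used in the post (not verified here)."""
    cmds = [f"service system ifdelete name {s} group wan" for s in services]
    return cmds + ["saveall", "system reboot"] if cmds else []


if __name__ == "__main__":
    found = wan_exposed(SAMPLE_DUMP)
    print("WAN-reachable services:", ", ".join(found) or "none")
    # Assumption: only the two management services the post removed are closed.
    for cmd in lockdown_commands([s for s in found if s in ("HTTP", "TELNET")]):
        print(cmd)
```

On the sample it also reports FTP as WAN-reachable, which the quoted fix leaves in place.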

OK, that makes sense now. I was puzzled why you didn't do it in the web interface - it's not that difficult :)

But no, I haven't tried that before.

But yes, it works. I just tested it. (forward p 80 to my test server)

However, I don't have the HTTP service running on the WAN port like in your example. But I don't run standard TOT firmware. Maybe I modified TOT's default settings during that process.

It's unbelievable that any ISP ships routers in the configuration from your example!!!

Side note: the Speedtouch does still serve the web interface when accessing the router with its external IP from inside the LAN. But I checked from outside to make sure... no response.

welo


OK, that makes sense now. I was puzzled why you didn't do it in the web interface - it's not that difficult :)

Yes it is easy but not this time. I set up three ports: ssh, http and port 5000 (my friend's Synology DS207 redirects to port 5000 for admin login and ssh is needed to commandline the Synology).

ssh worked, port 5000 worked and http refused to work... 30 minutes later, it still didn't work. :angry::bah::crazy:

And then I found this solution... :clap2:

Martin

I apologize OP this is getting :offtopic2:


A little bit off-topic, but very essential and one of the main reasons why people don't get networks up and running:

Bridging and routing perform similar tasks however routers are more efficient and common than bridges.

Similar tasks? Well, if you talk about networks in general, then yes, they both are part of a network.

But in this case, there is a huge difference.

Bridging is OSI layer 2; devices that work on OSI layer 2 are switches and access points (and a DSL modem in bridge mode). A bridge is basically a device that sends packets from 1 interface to the other, only changing the layer-1 information.

A bridge is unaware of the protocol being used, eg. TCP/IP or IPX.

Routing is OSI layer 3. This is where IP addresses appear.

A wireless router consists of a bridge between the ethernet LAN ports and the WiFi interface (SOHO routers are not able to route between these 2 physically different networks), and a router between that bridge and the WAN port. That WAN port can be another ethernet port or dsl port.


Thanks for the interesting writeup!

What device could the OP use to separate his computers from the rest of the network while still sharing the same TCP/IP subnet? Basically only allowing two-way communication between the Zyxel router (the one connecting to the internet) and his devices, but disallowing communication between his devices and other PCs on the 'public' LAN (other PCs in the apartment building). (And of course not implementing NAT.)

I guess the router's packet filter should be able to do this (based on IP), but most likely only via direct configuration in the cli, this is surely not a 'standard feature' accessible via web UI - or maybe dd-wrt supports such scenarios...?

Or could this be done on the data link layer (bridge)? I know there are switches with support for virtual LANs (VLAN), but they usually map to a corresponding layer 3 (IP) subnet as well, am I correct?

And a VLAN switch is probably more expensive than a router ;) And is

Or do you think this is a bad idea and better stay with double NAT?

welo

