How to install a second router...

Messages
2,333
Location
Virginia
This is going to be a long post, so I am going to try and break it up into sections...

You have your existing router/modem provided by the Internet Service Provider,
but it does not have the features you want,
so you are adding a second router.
This is a primer on how to set up your router security, and subnet your second router, if necessary...

First off, walk around the house, and find the wireless MAC addresses to all your devices, laptops, desktops, printers, phones, tablets, etc.
Write these down.

To access your new router, put it on the desk in front of you, and hook an internet cable from your laptop/desktop to one of the four Local Network ports on the back. Not the single WAN (Wide Area Network) port, one of the four others. Start the laptop. It should pull an IP address from the router.
Now connect to the router. IP address is usually 192.168.1.1, username is admin, password is sometimes "Admin", on a sticker on the back, or blank.

First, change the IP address of the router to 195.168.XXX.1, with XXX being from 25 to 225. Save changes, reboot router and laptop.
Now reconnect to the router. Remember that the IP address has changed.

Next, set up a reserved DHCP address for any wireless printers. This will assign them the same IP address each time.
I usually use 192.168.XXX.20 to 192.168.XXX.24

Next, go to "Mac Address Filtering". Enter all the wireless MAC addresses you collected, remember that they should be uppercase, and separated by a colon (FF:FF:FF:FF:FF:FF). If someone figures out your password, they still cannot access your network through wireless unless they have a MAC address on the list.

Last, go to "Administration", turn off "HTTP access", turn on "HTTPS access".

Final thoughts...
Make sure your 2.4 and 5 GHz bands have different names.
Make sure you set and change the Administrator password...
Plug in any VOIP devices, Magic Jack, Ooma, etc, into the first modem/router combo, not your new router...
 

OVERKILL

$100 Site Donor 2021
Messages
45,379
Location
Ontario, Canada
While I applaud the idea of helping someone, most of that is optional, some is worthless (MAC filtering)
and this isn't really helping anyone.

You just added some random ideas on how you set yours up... not best practices, and this isn't a How-to.

I also don't see any mention of trying to avoid serial NAT, changing the admin password to something complex..etc. In fact the last line seems to be stating that we are in fact using serial NAT, which is a big no-no.

Not to be TOO overly technical, you also aren't subnetting. You aren't breaking up a range and assigning segments of it to different networks above, routing between them. You are simply using a single (flat) topology and assigning some devices within a single subnet some static IPs.

I'm quite sure we've been over the utility of some of these practices (like MAC filtering and how anybody technically proficient enough to crack your WiFi is going to be more than capable of spoofing a MAC address) in previous threads as well.
 

OVERKILL

$100 Site Donor 2021
Messages
45,379
Location
Ontario, Canada
Cable company set up a new modem, plugged my existing Asus 5400 into that.
All my wires and wireless devices connected and worked.
Too simple?

Apparently.

Of course with a modem, which bridges the ISP network to the WAN interface of your gateway, you are getting a public IP address, which is not what is being described in the OP where the concept of bridge mode (which is available most of the time, but not always) is not explored and rather we are doing NAT behind NAT, which is why some devices were suggested to remain on the primary private ISP subnet, as serial NAT can cause issues with those types of devices. It of course can also cause fun MTU issues where certain sites are unreachable, odd latency spikes...etc.
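
An added example, not part of the post above: a short Python check for the serial NAT situation it describes, plus the subnet conflict that comes up when two routers share a range. The function name, finding labels and sample addresses are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared space: a WAN address here means the ISP itself is doing NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def check_second_router(wan_ip, lan_cidr, upstream_lan_cidr=None):
    """Return findings for a router plugged in behind an ISP gateway.

    wan_ip            address the second router received on its WAN port
    lan_cidr          LAN address/prefix configured on the second router
    upstream_lan_cidr LAN of the ISP gateway, or None when it is bridged
    """
    wan = ipaddress.ip_address(wan_ip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    findings = []

    # A private or shared WAN address means something upstream already
    # translates addresses, so this router adds a second NAT layer.
    if wan in CGNAT or any(wan in net for net in RFC1918):
        findings.append("serial-nat")

    # Same or overlapping subnet on both sides: the router cannot tell
    # local hosts from upstream ones, so routing breaks.
    if upstream_lan_cidr is not None:
        upstream = ipaddress.ip_network(upstream_lan_cidr, strict=False)
        if lan.overlaps(upstream):
            findings.append("lan-overlap")

    # A LAN outside RFC 1918 shadows real Internet hosts in that range.
    if not any(lan.subnet_of(net) for net in RFC1918):
        findings.append("public-range-lan")

    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(check_second_router("192.168.0.2", "192.168.50.1/24", "192.168.0.1/24"))
    print(check_second_router("203.0.113.10", "192.168.50.1/24"))
```

An empty result corresponds to the bridged-modem case, where the second router holds the public address itself.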
 

OVERKILL

$100 Site Donor 2021
Messages
45,379
Location
Ontario, Canada
First part is good reading...


Old, but still good info...

Some newer routers will automatically change the IP address when they detect a conflict, or another router.

Also forgot to say, update your firmware, and turn off your SSID broadcast...
With all due respect, no, an article from 16 years ago is not a good read. It's from an era where WEP was current (and advises using it). You've linked that article before and I picked apart its relevance and your takeaways then. Re-presenting it now, when it is even older, is not helping your case.

I could crack WEP extremely quickly wardriving, sniff a valid MAC and be on your network as an authorized client, it wasn't difficult. MAC filtering provides a false sense of security and is easily defeated, which is why it is rarely used at the enterprise level anymore. It is also a pain in the rear to manage. MAC filtering was popular, and common, when I was doing my CCNA back ~2000, but things have changed significantly since then. Wireless clients will authenticate via RADIUS and secure tokens, so there is no utility in increasing the load on helpdesk and networking staff by maintaining hardware address-based checks that are readily defeated with spoofing. With the turnover of devices in departments and the flow in and out, having a smartcard as the backstop for authentication allows for user portability across devices and presents a far easier management scenario as a user can be tracked via their authentication, regardless of the device they are using.
 
Messages
3,100
Location
USA
"Go around the house and write down all your MAC addresses..." Huh? Much easier to log into your existing router that those devices are connected to, and find them there. And the underlying issue is that MAC addresses go out in plain text over the air, which makes them useless as a security mechanism.

The latest iOS uses random wifi MACs to increase user privacy. This is likely to trend to other manufacturers as well.

Hidden SSID is another thing to create an entirely false sense of security and decrease convenience to valid users. Anyone within wifi range with monitoring software will know immediately that a hidden network exists, and can discover the actual SSID as soon as one of your devices re-negotiates a connection, which happens a lot.

There are "friendly" reasons to use MAC filter and hidden SSID. For example you can MAC blacklist one of your devices that always tries to connect to the wrong (farther away) router. You can hide seldom used internal networks to avoid cluttering the screens of people looking for the one that they should use.

WPS-PIN is a big security issue for home routers especially older firmware that had no counter-measures against brute force attack (reaver). Best to always turn off WPS-PIN. WPS-PBC is also insecure of course if there are malicious neighbors active at the time you press the button. So really, don't use WPS at all.
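
An added example, not part of the post above: a Python audit of a MAC allow list that normalizes entries and flags the randomized addresses the post mentions. Randomized (private) Wi-Fi addresses set the locally administered bit in the first octet, so an entry with that bit set will stop matching once the device rotates its address. The function names and sample entries are assumptions made for illustration.

```python
import re


def normalize_mac(raw):
    """Return a MAC as uppercase colon-separated octets, or None if invalid."""
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_allow_list(entries):
    """Sort allow-list entries into ok / randomized / duplicate / invalid."""
    report = {"ok": [], "randomized": [], "duplicate": [], "invalid": []}
    seen = set()
    for raw in entries:
        mac = normalize_mac(raw)
        if mac is None:
            report["invalid"].append(raw)
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group (multicast/broadcast) bit: never a real station address.
            report["invalid"].append(raw)
        elif mac in seen:
            report["duplicate"].append(mac)
        elif first_octet & 0x02:
            # Locally administered bit: software-chosen, e.g. a private
            # Wi-Fi address that may change, so the entry will go stale.
            seen.add(mac)
            report["randomized"].append(mac)
        else:
            seen.add(mac)
            report["ok"].append(mac)
    return report


if __name__ == "__main__":
    # Constructed sample entries, not real devices.
    sample = ["a4:83:e7:12:34:56", "A4-83-E7-12-34-56", "DA:A1:19:00:11:22",
              "3c5a.b4aa.bbcc", "FF:FF:FF:FF:FF:FF", "not-a-mac"]
    for kind, macs in audit_allow_list(sample).items():
        print(kind, macs)
```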
 

OVERKILL

$100 Site Donor 2021
Messages
45,379
Location
Ontario, Canada
"Go around the house and write down all your MAC addresses..." Huh? Much easier to log into your existing router that those devices are connected to, and find them there. And the underlying issue is that MAC addresses go out in plain text over the air, which makes them useless as a security mechanism.

The latest iOS uses random wifi MACs to increase user privacy. This is likely to trend to other manufacturers as well.

Hidden SSID is another thing to create an entirely false sense of security and decrease convenience to valid users. Anyone within wifi range with monitoring software will know immediately that a hidden network exists, and can discover the actual SSID as soon as one of your devices re-negotiates a connection, which happens a lot.

There are "friendly" reasons to use MAC filter and hidden SSID. For example you can MAC blacklist one of your devices that always tries to connect to the wrong (farther away) router. You can hide seldom used internal networks to avoid cluttering the screens of people looking for the one that they should use.

WPS-PIN is a big security issue for home routers especially older firmware that had no counter-measures against brute force attack (reaver). Best to always turn off WPS-PIN. WPS-PBC is also insecure of course if there are malicious neighbors active at the time you press the button. So really, don't use WPS at all.

Yup, we've been over pretty much all of this stuff in previous threads, but unfortunately it hasn't seemed to dissuade the OP from posting it as advice yet again 🤷‍♂️

And while you can turn off the private address feature on the iPhone for a given network, that may not be the case on other platforms and unless somebody knows to go looking for that feature, if they followed the OP's advice, their phone's MAC constantly changing whenever it joined would present a massive frustration.
 
Messages
40,451
Location
Great Lakes
With all due respect, no, an article from 16 years ago is not a good read. It's from an era where WEP was current (and advises using it). You've linked that article before and I picked apart its relevance and your takeaways then. Re-presenting it now, when it is even older, is not helping your case.
Maybe there is a "NOT" missing somewhere in the thread title. :)
 

OVERKILL

$100 Site Donor 2021
Messages
45,379
Location
Ontario, Canada
Never seen anyone set up MAC filtering on a home network. Interesting.

It's far more likely the device itself or one of the already authenticated devices gets compromised, which renders the MAC filtering as completely useless. And, as I noted earlier, anyone with sufficient skill to break into the network is going to be able to spoof a MAC address, so it serves absolutely no utility in that scenario either. It's a "feel good" whose primary virtue is inconvenience, just like hiding the SSID.
 
Messages
25,572
Location
Upstate NY
I would buy a plain cable modem and then buy the WIFI router I wanted.

If you have a PON then you should be able to connect a WIFI router to the ONT.

If I had to keep a cable company WIFI box then I would turn off the WIFI if I could on the cable company WIFI box or make sure it used channel 1 and use channel 6 or 11 in my WIFI router for 2.4GHZ.
 
Messages
4,739
Location
Ohio
If this works for you, great. Please don't promote this as the way to do it.

What you don't realize is, the steps you give are for your brand/model of router (and possibly firmware) and not exactly universal or generic. Someone who "needs" guidance will probably be lost or confused if they attempt to follow this and they own a different router. I have an ASUS router, for example, and don't have the menus you refer to under "Administration". Or, "Mac Address Filtering" is under another menu.
 