How to make a DMZ with two routers

I’ve alluded in the past to why it’s a good idea to make a DMZ with two routers, but I’ve never gone into depth about how to do it, or necessarily why.

If your ISP gave you a combination modem/switch/access point/router and it only supports 100 megabit wired and 54-megabit (802.11g) wireless and you want to upgrade to gigabit wired/150-meg (802.11n) wireless, here’s a great way to make the two devices work together and improve your security.

A DMZ is what it sounds like: a zone between your network and the Internet that you consider safer and friendlier than the Internet, but still don’t want the rest of your network mingling with.

Perhaps you want to run a web server at home. Putting that server in a DMZ would be a good idea just in case anything ever went wrong and the server got hacked.

A more common scenario is a wireless network for visitors to your house. They may bring their laptops, tablets, and smartphones with them and want to get on the Internet with them. Since you don’t own those devices and don’t control their security practices, you probably don’t want them commingling with yours on the same network, just in case. If you put them on a separate network, firewalled off from the network your computers sit on, you’ll keep your computers safe while still being a good host.

What you need

In addition to whatever router is already connecting you to the Internet, you could recycle an old Linksys WRT54G or similar router if that meets your needs. If you want 802.11n and gigabit, the best deal I know of right now is the Linksys WRT310N, currently (as of November 2011) available refurbished or used for around $30. Typically that feature set runs considerably higher. Not only is it cheap, it also can run DD-WRT for extra versatility.

If you want/need 802.11n but have no interest in wired gigabit, routers such as a D-Link DIR-601 that pair 802.11n with 100-megabit Ethernet are easy to find for $25 or less.

Setting it up

Here’s what the resulting network looks like. Please pardon my use of stock Visio shapes. I’m a writer, not an art director.

The wireless router that connects you to the Internet becomes your DMZ router. So, first, configure your existing router to use the 192.168.1.x network (or whatever other private network space you wish).

Next, plug a computer into one of the Ethernet ports of your second wireless router and, following the instructions that came with it, configure it to use a different private network address space. I use 192.168.2.x in my example, but you can use whatever space you wish, as long as it doesn’t overlap the first router’s. Plug the WAN port of the second wireless router into one of the Ethernet ports on the DMZ router, then connect all of your computers and other Ethernet- and wireless-capable devices to the second router. If you have anything you want to live in the DMZ, such as your web server, give it an address on the first router’s network and plug it into the first router.
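The two things that make this layout work are that the two routers use distinct address spaces and that each router only lets new connections in from its own LAN side. The following script is an added example, not code from the original post: it takes the two subnets from the post (192.168.1.x for the DMZ router, 192.168.2.x for the second router), checks that they are private and don’t overlap, lays out gateway and DHCP ranges (the split points and pool sizes are my own choices), and then models which new connections each router will pass, so you can see why a guest’s laptop in the DMZ cannot open a connection to a machine behind the second router.

```python
import ipaddress
from typing import Optional

# Constructed addressing that follows the post: the Internet-facing (DMZ) router
# uses 192.168.1.x and the second router, behind which your own machines sit,
# uses 192.168.2.x. Both values are examples, not requirements.
DMZ_CIDR = "192.168.1.0/24"
LAN_CIDR = "192.168.2.0/24"

# Zones in increasing order of trust. Each boundary between neighbouring zones
# is one NAT router: internet|dmz is the first router, dmz|lan is the second.
ZONES = ("internet", "dmz", "lan")


def plan_networks(dmz_cidr: str, lan_cidr: str) -> dict:
    """Validate the two address spaces and lay out gateways and address pools.

    The two routers must use distinct, non-overlapping RFC 1918 subnets: if the
    second router's LAN side were the same subnet as its WAN side, it could not
    tell local from remote addresses and nothing behind it would reach the Internet.
    """
    dmz = ipaddress.ip_network(dmz_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    for name, net in (("DMZ", dmz), ("LAN", lan)):
        if not net.is_private:
            raise ValueError(f"{name} {net} is not RFC 1918 private space")
        if net.num_addresses < 16:
            raise ValueError(f"{name} {net} is too small for a router plus a DHCP pool")
    if dmz.overlaps(lan):
        raise ValueError(f"DMZ {dmz} and LAN {lan} overlap; choose distinct subnets")

    dmz_hosts = list(dmz.hosts())
    lan_hosts = list(lan.hosts())
    split = len(dmz_hosts) // 4  # first quarter of the DMZ reserved for fixed addresses (my choice)
    return {
        # LAN address of the first (Internet-facing) router: the DMZ's gateway
        "dmz_gateway": str(dmz_hosts[0]),
        # Fixed addresses for things that live in the DMZ: the web server, and the
        # second router's WAN port if you want a stable target for port forwards
        "dmz_static_pool": (str(dmz_hosts[1]), str(dmz_hosts[split - 1])),
        # DHCP pool handed to guests' laptops, tablets and phones on the DMZ wireless
        "dmz_dhcp_pool": (str(dmz_hosts[split]), str(dmz_hosts[-1])),
        # LAN address of the second router: the gateway for your own machines
        "lan_gateway": str(lan_hosts[0]),
        "lan_dhcp_pool": (str(lan_hosts[1]), str(lan_hosts[-1])),
    }


def connection_allowed(src: str, dst: str, port: int, forwards: Optional[dict] = None) -> bool:
    """Decide whether a NEW connection from zone `src` can reach zone `dst` on `port`.

    Models the stateful NAT behaviour of two consumer routers: connections may be
    opened from a more trusted zone toward a less trusted one (the router tracks
    the reply), but every router crossed inward must have an explicit port
    forward for that port. `forwards` maps the zone just inside a router to the
    ports that router forwards, e.g. {"dmz": {80}} for the first router.
    """
    forwards = forwards or {}
    s, d = ZONES.index(src), ZONES.index(dst)
    if s >= d:  # same zone, or outward toward less trust: no router blocks it
        return True
    # Inward: each zone entered corresponds to one router that must forward the port
    return all(port in forwards.get(ZONES[hop], set()) for hop in range(s + 1, d + 1))


if __name__ == "__main__":
    for key, value in plan_networks(DMZ_CIDR, LAN_CIDR).items():
        print(f"{key:16} {value}")
    web = {"dmz": {80}}  # first router forwards port 80 to the DMZ web server
    print("guest -> your PC (dmz->lan, 445):", connection_allowed("dmz", "lan", 445))
    print("your PC -> Internet (lan->internet, 443):", connection_allowed("lan", "internet", 443))
    print("Internet -> web server (internet->dmz, 80):", connection_allowed("internet", "dmz", 80, web))
    print("Internet -> your PC (internet->lan, 80):", connection_allowed("internet", "lan", 80, web))
```

The policy function is deliberately simple: it knows nothing about protocols or established-state timeouts, only that each router is a one-way door for new connections unless you punch a hole in it. That is exactly why the post recommends keeping your own machines behind the second router: reaching them from the Internet needs a forward on both routers, and reaching them from the guest network needs one on the second.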

Be careful how you name your networks. Resist the temptation to give the two networks the same name and append “DMZ” or “guest” to the end of one of them. That’s advertising that your non-DMZ network has something to hide, and that you care enough about it to set up a DMZ. I suggest giving them meaningless numeric names–numbers that don’t match your address or any nearby addresses, and numbers that don’t match your phone number or anything else that can be identified as you.

Don’t bother hiding your SSID. Hiding the SSID makes it harder to connect to the network initially, harder or impossible to connect to the network automatically, and I believe it makes it harder to stay connected to the network, though that may depend on the equipment you’re using. It also makes you less safe when traveling, because a device configured for a hidden network has to keep asking for that network by name wherever it goes. Hacking tools will find your network whether you’re broadcasting your SSID or hiding it, so hiding your SSID, if anything, actually calls attention to it from the people whose attention you least want, while making your life with wireless much more difficult and miserable than it needs to be. It’s better to make the network names nondescript and secure them properly. The nondescript name and a maximum-strength password will keep hackers out, and the maximum-strength password will keep freeloading neighbors out.

Use WPA2 on your personal network. You might feel comfortable running mixed WPA/WPA2 mode on your DMZ so older guest devices can connect, but that’s up to you. Whatever you do, don’t use WEP, as it’s so weak and compromised at this point as to be nearly useless–the high-tech equivalent of locking your car but leaving the windows rolled down. Secure both networks with strong passwords–63 characters with upper and lowercase letters, numbers, and symbols. On your regular network, the password should be as random as possible. You can make your DMZ password less obnoxious since your guests will have to type it the first time they connect. This is one case where I would argue in favor of taking an easy-to-type phrase mashed together–perhaps the words to a nursery rhyme or a song everyone knows–appending a number to it, and padding it out to 63 characters with an easy-to-type pattern.
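Here is an added example (my code, not from the original post) that produces both kinds of passphrase described above: a fully random 63-character one for your own network, and a mashed-together phrase, number and padding pattern for the DMZ. It also checks the result against the WPA/WPA2 pre-shared-key rules (8 to 63 printable ASCII characters). The character set, the excluded characters and the default padding pattern are my own choices.

```python
import secrets
import string

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters (a 64-character
# value is a raw hex key, not a passphrase).
PSK_MIN, PSK_MAX = 8, 63

# Character set for the personal network's passphrase: upper and lowercase
# letters, digits and symbols, minus a few characters that router web forms and
# client keyboards tend to mangle (an assumption made here, not a WPA2 rule).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "\"'\\`")


def is_valid_psk(passphrase: str) -> bool:
    """True if the passphrase is legal as a WPA/WPA2 pre-shared key."""
    return (PSK_MIN <= len(passphrase) <= PSK_MAX
            and all(32 <= ord(c) <= 126 for c in passphrase))


def random_passphrase(length: int = PSK_MAX) -> str:
    """Maximum-strength passphrase for your own network: random, all four classes."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError(f"length must be {PSK_MIN}..{PSK_MAX}")
    while True:  # resample until every character class is present (almost always first try)
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def guest_passphrase(phrase: str, number: int, pad: str = "1234567890") -> str:
    """Easier-to-type DMZ passphrase: mash a phrase together, append a number,
    and pad to 63 characters with an easy-to-type repeating pattern."""
    base = "".join(phrase.split()) + str(number)
    if len(base) > PSK_MAX:
        raise ValueError("phrase plus number already exceeds 63 characters")
    padding = (pad * PSK_MAX)[: PSK_MAX - len(base)]
    result = base + padding
    if not is_valid_psk(result):
        raise ValueError("phrase contains characters that are not printable ASCII")
    return result


if __name__ == "__main__":
    print("personal network:", random_passphrase())
    # Constructed guest example: a nursery rhyme everyone knows, plus a number
    print("guest network:   ", guest_passphrase("Mary had a little lamb", 2011))
```

`secrets` rather than `random` is the important detail for the personal network: the point of the 63-character random passphrase is that it cannot be guessed, so it must come from the operating system's cryptographic generator, not a seeded pseudo-random one.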

Or if your Internet-connected router supports it, you can set up and use WPS to save your guests some typing, if their devices also support it.

It’s best to put your DMZ on your first router. I’ve set up ad-hoc DMZs before by plugging a spare router into an Ethernet port and plugging untrusted computers into that router, but you’ll get better security if you plug your own network into the second router. For one, it eliminates the chances of something going through the second router and wandering around inside your network rather than going out to the Internet. Those chances are slim, but not zero. Secondly, it gives your personal network the protection of two firewalls instead of just one. You’re paying for two firewalls, so you might as well give yourself the full benefit of them. If someone gets past your Internet-facing router/firewall, they then have to get through your DMZ-facing router/firewall to get to your network.
