Double Router Security?

Mike7143

n00b
Joined
Mar 31, 2008
Messages
27
So, not sure if anyone is familiar with a research program Google is doing, but the short is that they will pay you $120 up front and $30/month if you install a Cisco router that will report your internet activity to Google as part of a large research program. I figure I already use Google Chrome browser, so Google probably can already see what I'm up to, but hey, if they wanna know I look at pictures of funny cats and pay me, so be it. However, that also means I'll be sending them info about my banking, email, etc. which isn't good.

So my question is, what if I wire the special router they'll send me into my network behind my existing router? Specifically, internet comes in via a Motorola SB6121 and then to my WAN port on the WRT54G. From the Linksys I've got a hardlined PC and Xbox and then via wifi my smartphone and a tablet. Google requires a minimum of 1 device for the research and it can be a tablet. So the thought is I'd run a line from an open port on the Linksys to the WAN on Google's Cisco router and then on a completely separate wireless network, connect only the tablet. Then, as long as I use the tablet for general stuff and refrain from accessing private data on it, Google gets its research data, but not banking data etc. that I do on my desktop that's on the Linksys router.

Does this make sense? Would it accomplish my goal to feed "piddly" data such as YouTube, Netflix, lolcats, and etc from my tablet and not send them private data from banking sites and other things that I'd do on the PC? Assuming worst case that I can't access the provided router's settings interface, would this still work?

Below is a simple diagram I made to help.
[diagram: vys707.jpg]
 
Should work just fine. From the sounds of it the hardware is the predominant "monitoring" mechanism along with the firmware/software inside the router, not some voodoo magic outside of that. Separating your network like that should work just fine. If I were the uber-paranoid type (and if you have DD-WRT or something else installed) I would segregate the ports even further via VLAN or DMZ just to be on the safe side, or just assign it a separate network ID.
 
I do have DD-WRT installed on my WRT54G. So how do I segregate my network for this even better?
 
Would doing the following get me what I need?
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160

Copy and pasted: "What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work, port 4 cannot ping out, but ports 1-3, and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router ip address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1."

Would this be exactly what I need to do so that Google's router couldn't talk to anything on my main router except in/out via the internet but also allow me to access the Google router's web interface to change settings from my desktop that's on my main router? I also assume I'd have to change the 2nd to last line of code to match my current main router's DHCP setting so my stuff doesn't get messed up as well as define what IP addresses I want to assign to the WAN of Google's router?
 
Interesting. How do i get into this program?

Yes please do tell

I'm not sure. I never signed up for anything, it was completely random. There is a less complicated version that involves using Chrome and a plug-in, but the pay is a lot less, so I've read.

This is Google's page on the study: http://www.google.com/landing/screenwisepanel/
This is the one that I think involves Chrome and a plug-in and pays like $5 up front, then $5 or maybe $10 every 3 months?

This is the other study page: http://www.screenwisepanel.com/Index.aspx?ReturnUrl=/
This one is the one that I don't think you can join. I literally had to type in the code from the paper I received in the mail and after I entered the code and entered my zip code, it knew my address and asked me to verify it to make sure.
 
It doesn't work. When you click "Join now" you just get redirected to google.com. I tried it on Firefox and Chrome, just a redirect to google.com.

 
If you do a search for screenwise panel on Google, they're the first 2 search results, at least for me. I don't know why they're both redirecting to google.com, I get two different sites both about screenwise.
 
Would doing the following get me what I need?
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160

Copy and pasted: "What I was looking to do is separate Port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I've successfully got it to work, port 4 cannot ping out, but ports 1-3, and wireless can ping in. I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router ip address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1."

Would this be exactly what I need to do so that Google's router couldn't talk to anything on my main router except in/out via the internet but also allow me to access the Google router's web interface to change settings from my desktop that's on my main router? I also assume I'd have to change the 2nd to last line of code to match my current main router's DHCP setting so my stuff doesn't get messed up as well as define what IP addresses I want to assign to the WAN of Google's router?

Yup pretty much. You're isolating the port on the main router that the Google device is connecting through via the physical port itself. Should prevent any attempt by Google's device to peek into your entire network's traffic. Not to say they would, but I'm paranoid, especially with an information-hungry company like Google. You might not have to do all that command line stuff though. DD-WRT has most of that already built in, fully tweaked and working properly from the GUI.
 
I was going to follow the post step by step because I don't really know what I'm doing. Further in that thread there's a guy saying that quote "The last line in your modded iptables enables access into the router from the wan... so people out on the Internet could potentially logon, and you don't want this."

I assume he's talking about "iptables -I INPUT -i vlan1 -j ACCEPT"
So, if I just leave that out, will I be golden?
 
So far I've made port 4 part of VLAN2 via the GUI and assigned it a new IP (192.168.0.1) and enabled a 2nd DHCP for it. So at this point I can connect my tablet (via a USB-Ethernet adapter) to port 4 and it gets an IP address of 192.168.0.106. I have internet access on the tablet. I can also ping the tablet from my desktop that's on a 10.0.0 network on port 1. I can't however, look at files on my PC from my tablet via a file explorer app. I assume this is just because of the two mismatching IP addresses. Not sure if I can find a "ping" app for Android to try pinging my desktop. So now, to actually keep port 4 from accessing ports 1-3 and wireless and to keep my access into port 4's network I need to apply the following to the router?

# (rules as posted in the DD-WRT thread; there vlan1 is the WAN port and ppp0 a PPPoE session on it)
iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT    # forward WAN -> VLAN2
iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT    # forward VLAN2 -> WAN
iptables -I FORWARD -i ppp0 -o vlan2 -j ACCEPT     # the same two rules for a PPPoE WAN
iptables -I FORWARD -i vlan2 -o ppp0 -j ACCEPT
iptables -I INPUT -i vlan2 -j ACCEPT               # VLAN2 hosts may talk to the router itself

And I should NOT add the line below because it will allow access into the router from the WAN?
iptables -I INPUT -i vlan1 -j ACCEPT               # WAN hosts may talk to the router itself

Thanks for the directions so far!
 
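The one-way isolation the thread is after (the main LAN can see into port 4, port 4 can only reach the internet and not the LAN, the wifi or the router's own web UI), written out as an added example. This is not code from the thread or from DD-WRT. It is a script for DD-WRT's Administration > Commands > Save Firewall box. The interface names and subnets are assumptions chosen to match the setup described in the posts: br0 for the main LAN bridge (ports 1-3 plus wifi, 10.0.0.0/24), vlan2 for port 4 (192.168.0.0/24, where the Google router's WAN plugs in) and vlan1 for the cable-modem WAN (a PPPoE WAN would use ppp0 instead, set WAN_IF accordingly). The chain names iso_fwd and iso_in are mine.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT firewall script giving one-way isolation
# of port 4. Interface names are assumptions matching the thread's setup.
LAN_IF="${LAN_IF:-br0}"    # main LAN bridge: ports 1-3 + wifi, 10.0.0.0/24
ISO_IF="${ISO_IF:-vlan2}"  # port 4 as its own VLAN, 192.168.0.0/24
WAN_IF="${WAN_IF:-vlan1}"  # cable-modem WAN; use ppp0 for a PPPoE WAN

# Emit the rules in evaluation order. A dedicated chain built with -A keeps the
# order readable; one "-I ... 1" then hooks it in ahead of DD-WRT's own rules.
fw_rules() {
    cat <<EOF
iptables -N iso_fwd 2>/dev/null
iptables -F iso_fwd
# replies to connections the main LAN opened into the isolated VLAN
iptables -A iso_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
# the main LAN may initiate into the isolated VLAN ("see into port 4")
iptables -A iso_fwd -i $LAN_IF -o $ISO_IF -j ACCEPT
# the isolated VLAN may reach the internet only
iptables -A iso_fwd -i $ISO_IF -o $WAN_IF -j ACCEPT
# anything else leaving the isolated VLAN (towards br0, i.e. ports 1-3 and wifi) is dropped
iptables -A iso_fwd -i $ISO_IF -j DROP
# nothing else (notably the WAN side) may initiate into the isolated VLAN
iptables -A iso_fwd -o $ISO_IF -j DROP
iptables -D FORWARD -j iso_fwd 2>/dev/null
iptables -I FORWARD 1 -j iso_fwd
# traffic from the isolated VLAN to the router itself: DHCP, DNS and ping only,
# so the Linksys web UI is not reachable from port 4
iptables -N iso_in 2>/dev/null
iptables -F iso_in
iptables -A iso_in -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A iso_in -p udp --dport 67 -j ACCEPT
iptables -A iso_in -p udp --dport 53 -j ACCEPT
iptables -A iso_in -p tcp --dport 53 -j ACCEPT
iptables -A iso_in -p icmp --icmp-type echo-request -j ACCEPT
iptables -A iso_in -j DROP
iptables -D INPUT -i $ISO_IF -j iso_in 2>/dev/null
iptables -I INPUT 1 -i $ISO_IF -j iso_in
EOF
}

# Apply on the router; refuses to run where iptables is absent (e.g. on a PC).
fw_apply() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found; not applying" >&2; return 1; }
    fw_rules | sh
}

# "sh isolate.sh" prints the rule set, "sh isolate.sh apply" applies it.
case "${1:-print}" in
    print) fw_rules ;;
    apply) fw_apply ;;
esac
```

Paste the printed rules into the Save Firewall box (or run it with `apply` on the router). To check it: from the tablet on port 4, ping 192.168.0.1 (should answer) and the PC on 10.0.0.x (should time out); from the PC, ping the Google router's vlan2 address (should answer). Whether the Google router's web UI answers on its WAN side depends on that router, not on these rules. `iptables -L iso_fwd -v -n` shows the packet counter on the `-i vlan2 -j DROP` rule climbing when the tablet tries the LAN. One caveat on the rules quoted from the DD-WRT thread: `-I` inserts each rule at the top of the chain, so a list typed with `-I` ends up evaluated in the reverse of the order it was typed, and the pair `-i vlan1 -o vlan2 -j ACCEPT` lets the WAN side initiate into port 4; the chain above has no such rule.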
I installed a simple ping app on my tablet. When I have my tablet plugged into port 4 I can successfully ping the tablet's (192.168.0.106) default gateway (192.168.0.1 on port 4 of Linksys) as well as the Linksys itself on 10.0.0.X, but I CAN'T ping my PC on 10.0.0.XX. Is this enough on its own or would I still need the iptables lines added?
 

Yeah, just substitute the instructions as needed. I don't think it's completely necessary to remove that line from iptables, but if that's what others are suggesting to further add security between the segregated networks, then go for it. I'd figure access via the WAN is more for, like, management purposes when you're not near the physical hardware.


Looks like you got it. The DHCP server is correctly assigning IPs to the devices connected to the right router and you can ping the tablet because it's directly connected via the Google device router on your Linksys which is its own separate network. Devices on the Google router only know of the immediate network that traces back to Port 4 on your Linksys. They are completely separated which is why they do not recognize each other. If you ever needed to share between tablet and PC you can just hop from the Google router to your Linksys via Wi-Fi or Port 1-3 :p


See previous. I think it's more about long distance management than anything else. Although if security was a big deal that could be something a security conscious individual might lock down.


Nope, you should be straight for the purposes of segregating your network from Google. That's exactly what you want. Being able to ping both routers interface/gateways, but being unable to communicate or see one another when it comes to other devices.

Again this might have been unnecessary, but it's an added comfort and a nice learning experience that could always come in handy down the road :).

Cheers!
 