Network Help Please
Janarth
10-17-2006, 02:20 PM
I read an article that ripped apart how my network is set up - trying to fix it but running into problems
FORMER SETUP (worked)
WRT54G Linksys wireless router, hooked up to cable modem, dynamic external address.
Wireless was "open", WEP encryption, all comps on network ran fine, dynamic IP addresses.
PROPOSED SETUP
Change router's address (internal facing) from default (changed it from 192.168.1.1 to something a lil different) CHECK
Change name of router and SSID to something not identifiable, but not standard (so changed from linksys to something I can remember) CHECK
Use Mac filtering (implemented, that was easy) CHECK
Change encryption to WPA pre-shared key (set router to that option, inputted key) CHECK, I think anyway
Disable DHCP server on router, use static IPs within network (disabled in router) CHECK - I think anyway
So I go and set all my computer's adapters, make my various computers have static IPs (go into the TCP/IP, give them unique IPs, set the subnet to 255.255.255.0, set the gateway to the router's new addy)
but then I have to enter primary and alternate DNS addresses. I'm following my router's manual by the way. It says the DNS addresses are provided by my ISP. My ISP says we won't give them to you. Do I have this straight?
Using ipconfig, or using my router's status page, I can get the primary and alternate DNS addresses I'm using right now. But since my ROUTER's external address is dynamic, it and the DNS values are subject to change, right? It seems like when I set up the adapters with static IPs, I need to put in the DNS stuff. That means, if/when my ROUTER changes its external ip and DNS values, I'll have to reset the DNS values of all my comps. This seems like a very very annoying thing and makes me not want to implement static ip addresses within my network.
Static ip addresses have other good things too - it will be a lot easier to set up my HP desktop (the "media comp" with all the music, videos, hard disk space) as the ftp server...no more "I wonder what its IP address is today!"), I can maybe make one a DMZ for webpage hosting or whatever, other reasons. I think I just plain like things being static and defined.
Anyway...do I have this right? They say if I change the router's (external) ip address/connection to a static, the DNS will never change and then I will never have to change the setup of the adapters. But to do this I have to pay for a static IP address, and that's expensive. F that.
Anyone explain? Tell me where I went wrong ? or maybe I have it right but its just not worth it - in that case suggest the next best thing. Thanks.
Janarth
10-17-2006, 02:25 PM
See attached PIC for where I've changed the adapters to static IPs and it wants DNSs. My router manual says my ISP will give them to me, but they refuse. Unless I buy a static IP for my router. Which - to ME - means that static ip addresses inside your network are impossible unless you have a static ip for your router. Which means all these "wireless security" articles are just pumping up prices.
Insodus
10-17-2006, 04:15 PM
First, many home-use routers skimp in the DNS department. A good one will have a DNS proxy built in, and in that case you could set the client machines to use the router as its primary DNS.
Second, what company do you have your cable modem from? Almost all of the decent companies use static IP addresses for cable modems. Again, if your router is shit I suppose it could keep requesting a renewal and getting a different one.
Third, if you have the knowledge I highly recommend picking up an old IBM 486 or something on ebay for 20 bucks and setting up a custom firewall. IPcop Linux is highly useful, you'll never have these types of issues again.
Janarth
10-18-2006, 11:38 AM
Why would a firewall machine stop my problems? My primary concern is people bypassing my router's firewall by actually logging into my network wirelessly. That's why I've moved into static IPs, MAC filtering and encryption so I always know who's on, what they are doing, etc.
Insodus
10-18-2006, 02:59 PM
If that's your concern, static IPs accomplish nothing.
MAC filtering is all you need. And if you really want to sniff people on your own network, look at the DHCP Lease table in your router and match MAC to IP.
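The lease-table check described above (matching MAC to IP), as an added example that is not part of the original post: it parses a constructed `arp -a`-style listing, compares each MAC against a constructed allow list, and also reports an allowed MAC that shows up at more than one IP. All addresses and device names here are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed allow list: the MACs entered in the router's filter (hypothetical devices).
ALLOWED = {
    "00:aa:bb:cc:dd:01": "router",
    "00:11:22:33:44:55": "hp-desktop",
    "00:11:22:33:44:66": "laptop",
}

# Constructed sample listing in the style of Windows `arp -a` output.
SAMPLE_TABLE = """\
Interface: 192.168.201.4 --- 0x2
  Internet Address      Physical Address      Type
  192.168.201.1         00-aa-bb-cc-dd-01     dynamic
  192.168.201.10        00-11-22-33-44-55     dynamic
  192.168.201.11        00-11-22-33-44-66     dynamic
  192.168.201.23        00-11-22-33-44-66     dynamic
  192.168.201.40        de-ad-be-ef-00-01     dynamic
"""

# One data row: an IPv4 address followed by a MAC written with '-' or ':'.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\b",
    re.M,
)

def normalize_mac(mac):
    """Lower-case and use ':' so listings and allow list compare equal."""
    return mac.lower().replace("-", ":")

def parse_table(text):
    """Return (ip, mac) pairs; header and interface lines do not match ROW."""
    return [(ip, normalize_mac(mac)) for ip, mac in ROW.findall(text)]

def audit(entries, allowed):
    """Split entries into unknown MACs and allowed MACs seen at several IPs."""
    unknown = [(ip, mac) for ip, mac in entries if mac not in allowed]
    seen = defaultdict(list)
    for ip, mac in entries:
        if mac in allowed:
            seen[mac].append(ip)
    # An allowed MAC at two IPs may be a cloned address or just a stale entry.
    shared = {mac: ips for mac, ips in seen.items() if len(ips) > 1}
    return unknown, shared

if __name__ == "__main__":
    unknown, shared = audit(parse_table(SAMPLE_TABLE), ALLOWED)
    print("not on allow list:", unknown)
    print("allowed MAC at multiple IPs:", shared)
```
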
Mistomeer
10-18-2006, 04:37 PM
Like Insodus said, if you're just worried about someone passing by then just use MAC address filtering. Unless you're using some sketchy services, all web pages you hit that require banking info, user/pass, etc will be using encryption so you don't really have to worry about sniffing the traffic. Your original setup worked for accomplishing your primary goal anyway. With regards to DNS, I don't know any ISP that uses dynamic IP's for DNS so once you set those, you're pretty much done.
Personally, I just have open wireless. I could care less who gets on my wireless network. There's no open shares out there so who cares?
Drew2
10-18-2006, 05:26 PM
Almost all of the decent companies use static IP addresses for cable modems.
Wrong.
Everything else was ok.
Bobmuhthol
10-18-2006, 05:29 PM
No, actually he was right.
Drew2
10-18-2006, 05:31 PM
O rly?
I guess the fact that Time Warner Cable doesn't do it makes them a not good cable company.
You've heard of Time Warner right?
Excuse me. To clarify, Time Warner does not do it for average home users.
Furthermore, DNS proxy is kind of unnecessary considering that "any good company" will never change the IP of their DNS.
Also, what IP range are you using for your internal network?
Bobmuhthol
10-18-2006, 05:37 PM
Please learn the distinction between almost all and all.
Please do not cite Time Warner as a super awesome cable internet company. A vast, vast, vast majority of cable internet users do NOT use their service. Congrats, you do. Everyone else doesn't.
Please understand what a logical statement is. "Almost all good companies use static IPs" does NOT mean "Only bad companies don't use static IPs." There's no way that you can ever argue that it does, unless you feel like breaking the defined rules of logic.
etc.
Drew2
10-18-2006, 05:46 PM
I'm sorry, Alex. When you find one that does, let me know.
Cox:
http://www.cox.com/fredericksburg/HighSpeedInternet/questions%20&%20answers.stm#P120_8657
Comcast:
http://www.comcast-ne.com/business/workplace-faq.html#10
Charter:
http://www.charter.com/Visitors/Support.aspx?SupportArticleID=59#IP%20address%20change
Adelphia:
http://www.adelphia.com/high_speed_internet/faqs.cfm#ip
Note: I fully agree that having a static IP address is absolutely possible through any cable company. However the statement that "almost all good cable companies use (implying explicitly) static IP's" is completely inaccurate.
Bobmuhthol
10-18-2006, 05:53 PM
I have Charter, and a static IP. My super hot girlfriend has Comcast, and a static IP. I'm not really interested in what the websites say because they're written for fucking morons. But everyone I know who has Charter I can say with certainty has a static IP throughout the country, and everyone whose IP I've looked at with Comcast has a static IP. Cox and Adelphia aren't in this area so I can't say anything about them.
Drew2
10-18-2006, 05:56 PM
An IP that changes very infrequently is not a static IP. You can have the same IP for a year, but if the DHCP handler for Comcast goes through a power outage (unlikely) and IPs are re-leased (not a misspelling), your IP will change.
Call your cable company and ask them if you have a static IP. Please.
Bobmuhthol
10-18-2006, 06:00 PM
<<An IP that changes very infrequently is not a static IP.>>
My IP has remained the same for about 6 years, the exception being when I got a new router, in which case I was simply assigned a new IP which does not change.
<<Call your cable company and ask them if you have a static IP. Please.>>
I don't really need to, because I know what a static IP is and that I've got one.
The way I always understood it. Residential cable internet customers are usually only offered dynamic IP as part of their residential product package. Customers could pseudo-static the IP by leaving the PC/Router/Modem in a constant ON state. However if the connection were ever interrupted on either end, then the IP address would change upon reconnection/renew.
Pure static IP's, most commonly used for server/web hosting, are additional pay-for services offered to business customers at an additional charge. The reason behind having a static IP is so that customers over the internet can have a consistent address with which to locate that particular business on the internet.
That being said, if a business were ever to lose connectivity, by having a static IP, they would be reassigned the same IP upon reconnection/renew.
Bobmuhthol
10-18-2006, 07:08 PM
<<The way I always understood it ... customers could pseudo-static the IP by leaving the PC/Router/Modem in a constant ON state. However if the connection were ever interrupted on either end, then the IP address would change upon reconnection/renew.>>
My modem, PC, and router have all been turned on and off hundreds if not thousands of times over the years. It's never different.
Mistomeer
10-18-2006, 10:27 PM
rofl
The issue here is with DNS and static IP's in a private (non-routed) network, not on the public side.
The router will grab a dynamic IP address from the ISP which is of no concern to the node because it will be NAT'ed. So, you can set a static IP address on your computer to something like 192.168.201.4 and then for DNS you just plug in the static IP address of your ISP's DNS server.
With regards to IP's from cable companies...
You can usually buy a static for an additional charge (TimeWarner offers theirs through business accounts such as their Work at Home plan). However, your dynamic IP rarely changes because the DHCP server just renews the lease based on the MAC address of the client. Thus, if you want to change your IP address you either have to change your MAC address (new NIC/router or MAC spoofing) or you have to let the lease expire on your IP and not renew it long enough for it to get reassigned.
At any rate, to avoid someone logging into your Wireless network MAC address filtering will pretty much do the trick. Not many war drivers are going to try and break that when they can just drive a street over to your neighbor's open wireless network.
Insodus
10-19-2006, 01:42 PM
However, your dynamic IP rarely changes because the DHCP server just renews the lease based on the MAC address of the client.
Exactly, thus effectively a static IP.
Janarth
10-19-2006, 02:36 PM
Uh, I was told MAC filtering was not a great way to protect my wireless. It's easy to clone MACs. In fact, my router lets me clone my MAC for identification purposes...I'm sure someone out there can easily do that.
And other people using your wireless slows down all users. Sorry, not paying 60 bucks a month so I can go half speed and my neighbor gets it for free.
I have WEP security set up at 128 bit encryption with a strong alpha/numerical password, my SSID renamed and hidden, mac address control, and my logon password for router access also with a strong alpha/numeric password.
Yea, I suppose that's a little paranoid, but thus far it's kept me from experiencing any freeloaders.
Exactly, thus effectively a static IP.
Sounds to me like there's some confusion as to the definition and interpretation of dynamic and static with regards to IP addressing.
I consider static an address that NEVER changes or is never reissued, for any reason by the ISP.
I consider dynamic an address that is recycled purposefully by the ISP upon being freed up from the user.
Drew2
10-19-2006, 03:01 PM
Seriously, if your neighbor is crafty enough to get around a simple WEP or WPA key, there's not much you can do.
Just put on a key to deter average users and you'll be fine. I don't understand why you're trying to make the Fort Knox of wireless.
I have WEP security set up at 128 bit encryption with a strong alpha/numerical password, my SSID renamed and hidden, mac address control, and my logon password for router access also with a strong alpha/numeric password.
Yea, I suppose that's a little paranoid, but thus far it's kept me from experiencing any freeloaders.
yeah, that.
Landrion
10-19-2006, 03:04 PM
Uh, I was told MAC filtering was not a great way to protect my wireless. It's easy to clone MACs. In fact, my router lets me clone my MAC for identification purposes...I'm sure someone out there can easily do that.
And other people using your wireless slows down all users. Sorry, not paying 60 bucks a month so I can go half speed and my neighbor gets it for free.
You're beginning to pass from trying to prevent a moocher to trying to prevent a hacker. It's one thing to authorize your laptop's MAC address only so your friend next door can't use your service. It's another to drive yourself nuts anticipating if someone could sniff your MAC and then clone it.
You can certainly purchase security products to make yourself more secure. But honestly I think you've already done enough to keep out Joe average. You were past that when you filtered the MACs and enabled the WPA protection.
If you really really want to be more secure than that you're probably going to have to get a router that supports more features (if yours doesn't).
For example: http://www.pcmag.com/article2/0,4149,844020,00.asp
7. Limit the number of user addresses. If you don't have too many users, consider limiting the maximum number of DHCP addresses the network can assign, allowing just enough to cover the users you have. Then if everyone in the group tries to connect but some can't, you know there are unauthorized log-ons.
8. Authenticate users. Install a firewall that supports VPN connectivity, and require users to log on as if they were dialing in remotely. The Linksys BEFSX41 router ($99 list) is a great choice for this. Tweak the settings to allow only the types of permissions that wireless users need.
So anyway, you've done your homework and I think you're pretty set. There's certainly a lot easier targets out there than you.
Mistomeer
10-19-2006, 11:10 PM
Uh, I was told MAC filtering was not a great way to protect my wireless.
They're wrong. No enterprise could pass audit with just MAC address filtering, but we're talking about home, not enterprise.
It's easy to clone MACs. In fact, my router lets me clone my MAC for identification purposes...I'm sure someone out there can easily do that.
Except they have to clone the MAC to one that matches the allowed list you have setup and the only way to get that list is either from your computer, your router or ARP cache all of which require access in the first place.
And other people using your wireless slows down all users. Sorry, not paying 60 bucks a month so I can go half speed and my neighbor gets it for free.
And using WEP slows down your wireless. And using WPA slows down your wireless.
WEP slows down your wireless?
That sucks. :(
How does it do that?
Mistomeer
10-20-2006, 08:36 AM
It slows it down because the router is already handling switching, routing, NAT, etc. You then add encryption to an already taxed CPU.