On Wed, Mar 29, 2017 at 11:28 AM, Kai Krakow <hurikha...@gmail.com> wrote:
> Am Wed, 29 Mar 2017 04:52:08 -0700
> schrieb Jorge Almeida <jjalme...@gmail.com>:
>
>> On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick <n...@digimed.co.uk>
>> wrote:
>> > On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
>>
>> The ISP provided router is officially managed (whatever this means) by
>> them. As to privacy, I know a packet is visible once it leaves the
>> router via WAN port. What I worry a bit about is the possibility of
>> foul play towards the home network. The computers are firewalled via
>> iptables, but accept connections from 192.168.... What prevents a
>> hacked router from impersonating a local origin?
>
> Block packets originating from the router MAC address and that don't
> belong to a known connection. Then deploy a managed switch that can do
> MAC address filtering so it allows only the one MAC address on the
> router port. This should be safe enough. It would be difficult to get
> around such a setup. To be even more safe, use VLAN and exclude all
> your computers from the management port.
>
> This, however, doesn't prevent tampering with packets on their way
> through the router. You could use VPN and place the tunnel endpoints
> only on trusted routers. That way, your ISP only relays VPN traffic,
> and ensures the transfer networks below are only used for VPN and your
> machines accept nothing else.
>
> --
Assuming that the router speed issue has no solution, I think I'll
adopt a different setup: All computers (just 3) with 2 network cards;
one card connected to the ISP router, rejecting all incoming packets
that are not part of an established connection; the other card
connected to one of my routers, accepting local connections
(different subnet from the one associated with the ISP router;
computers with static IPs, for good measure). This secondary router
has the WAN port disconnected (is this the same as a switch?). This
should allow the home computers to communicate with each other without
any outside interference. Am I missing something?

Regards

Jorge
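
As an added example (not part of the original thread), the dual-NIC layout described above can be written as an iptables-restore ruleset, including the router-MAC drop suggested earlier in the thread. The interface names, subnet and MAC address below are constructed placeholders, and `gen_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a host with two cards,
# one facing the ISP router and one on a private, non-routed subnet.
# Usage: gen_rules ISP_IF LAN_IF LAN_NET ROUTER_MAC
gen_rules() {
    [ "$#" -eq 4 ] || { echo "usage: gen_rules ISP_IF LAN_IF LAN_NET ROUTER_MAC" >&2; return 2; }
    isp_if=$1 lan_if=$2 lan_net=$3 router_mac=$4

    # Refuse a malformed MAC instead of emitting a rule iptables would reject.
    printf '%s\n' "$router_mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
        || { echo "invalid MAC: $router_mac" >&2; return 1; }

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# The private subnet must never show up as a source on the ISP-facing card.
-A INPUT -i $isp_if -s $lan_net -j DROP
# ISP side: only replies to connections this host opened.
-A INPUT -i $isp_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $isp_if -j DROP
# Private side: drop frames from the ISP router's MAC if it is ever
# plugged into the private switch, then accept the local subnet.
-A INPUT -i $lan_if -m mac --mac-source $router_mac -j DROP
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; pipe the output to iptables-restore as root to apply.
gen_rules eth0 eth1 10.10.10.0/24 00:11:22:33:44:55
```

Because the rules are bound to interfaces rather than only to source addresses, a packet that claims a private-subnet source but arrives on the ISP-facing card is dropped before any accept rule is reached.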
