Home Subnetwork

Hi,

I'm in my mid 30s and unfortunately I've recently had to move back in with my parents for financial reasons. My step dad pays for a gigabit fiber connection to the property (I offered to contribute but he wasn't having any of it) and is a bit of a control freak who quite frankly doesn't respect my right to privacy. This was all a bit weird when I was still a teenager, but is definitely beyond the pale now that I'm an adult. The obvious solution would be to get my own place again but that isn't likely to be financially feasible in the short term. In order to find a short term solution to this problem that won't cause too much bad blood I've been considering buying my own router in order to re-establish security and privacy for my devices, as well as combining this with a VPN in order to encrypt my traffic and therefore shield myself from prying eyes. While I am generally quite tech savvy I've pretty much always lived with IT professionals of one form or another and so have never really had to think too hard about home networking. I wanted to check, before spending the money on hardware, that what I want to do is possible and whether there are any considerations I should be making / limitations with this approach. I was struggling a bit to find the information I need on Google so I'm hoping someone here is able to help!

To give a background for how our home network is set up currently: We have an ISP provided router that routes traffic along ethernet cables fixed around the outside of the house. I have one ethernet socket in my room that I connect to a 4 port switch that is in turn connected to my various devices. While the ISP provided router does have 2.4 GHz and 5 GHz Wi-Fi capabilities I am not permitted to use them because the Wi-Fi signal isn't very good and my step dad doesn't want me saturating it while he's trying to watch Netflix in bed (fair enough!). As a consequence I've been relying on mobile data for software updates etc.

I am hoping to be able to purchase a router that would provide me with Wi-Fi coverage in my room as well as be able to control the traffic going in and out of my room. At the moment I'm leaning toward picking up a Ubiquiti UniFi Express 7 and reusing my current switch in order to get around the single LAN port on the 7. The idea is to connect the ethernet socket in my room to the WAN port on the router, connect the LAN port on the router to my switch, and then connect my switch to each of my devices like I currently do. I am hoping that this will result in my step dad being able to see the router connected to his network but not be able to see (or ping) any of the individual devices connected to my router. I believe he currently uses MAC address filtering on the home network (he insisted on taking photos of the settings pages that listed the MAC addresses of each of my devices before he would grant me access). I am hoping that as long as he adds the MAC address of my new router to his settings my internet connection should essentially work as normal, only without his ability to see anything in my room beyond the router itself. Once you combine this with routing all of my traffic through a VPN I am hoping that he will be able to see all of the packets coming to and from the router placed in my room but be unable to see what kind of packets they are / where they are being routed to, thereby reinstating my privacy.

Am I right in thinking that this sort of setup is possible? I don't want to spend the money on the router only to find that it's not possible to do what I want it to do.

I'd appreciate any advice any of you can give me!

Thanks.
 
First off, are you sure that your network traffic can be monitored? If it's just an ISP-provided router you're connected to then, unless it has fancy parental controls/monitoring, all that could be seen is what devices are attached and UPnP port forwarding. Maybe look up the ISP router specs and see what it can do - you might be worrying too much about it and a simple Access Point is perhaps all you'd need.
I don't know about the specific Ubiquiti kit you mention, but putting a router behind another router introduces 'double NAT' which can cause some problems.
It sounds like your step dad would know enough to understand that a router/VPN would 'hide' what's attached and what traffic is being sent, and if this triggers his control freakery he could refuse to allow you to connect one, so you may as well try to get agreement before spending the money. You could spoof the MAC on the WAN port with an already-whitelisted address but if he's really monitoring things that might lead to an argument and the ethernet cable to your room being unplugged.
To completely avoid any arguments, if you've got good mobile coverage then maybe get yourself a 4G/5G router with a preloaded data SIM.
 
Funnily enough this is often done in reverse: a parent mandates that their children's access all goes through a secondary router so that router can be blocked and managed as needed. All you really need for basic security is a router with an ethernet LAN/WAN uplink. Make sure that it is set to a different private subnet (e.g. 172.16.x.x vs 192.168.x.x). Plug that into the house network and plug all your devices into that router. If your stepfather is going to do packet sniffing then that's a different ballgame and I'll leave you to the experts.
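The "different private subnet" advice above has one common failure mode: the upstream house network may already be using part of the range you pick (for example if the ISP router hands out 172.16.x.x itself), and an overlap between the second router's WAN side and its LAN side breaks routing. The following is an added example, not code from the thread, that lints a WAN/LAN pairing for the second router and picks the first /24 from a preferred RFC 1918 pool that does not overlap the upstream LAN. The upstream network 192.168.1.0/24 and the 172.16.0.0/12 pool are assumptions for illustration.

```python
import ipaddress
from ipaddress import IPv4Network

# The three RFC 1918 private ranges a home router may legitimately use.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: IPv4Network) -> bool:
    """True if `net` lies entirely inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def pick_lan_subnet(upstream: str, preferred_pool: str = "172.16.0.0/12",
                    prefixlen: int = 24) -> IPv4Network:
    """Return the first /prefixlen inside `preferred_pool` that does not overlap
    the upstream (WAN-side) LAN. Raises if the pool is exhausted or not private."""
    up = ipaddress.ip_network(upstream, strict=False)
    pool = ipaddress.ip_network(preferred_pool)
    if not is_rfc1918(pool):
        raise ValueError(f"{pool} is not an RFC 1918 range")
    for candidate in pool.subnets(new_prefix=prefixlen):
        if not candidate.overlaps(up):
            return candidate
    raise ValueError(f"no free /{prefixlen} in {pool} that avoids {up}")


def check_plan(upstream: str, lan: str) -> list:
    """Lint a proposed WAN-side / LAN-side pairing for a second router.
    Returns a list of human-readable problems; an empty list means the plan is sane."""
    up = ipaddress.ip_network(upstream, strict=False)
    inner = ipaddress.ip_network(lan, strict=False)
    problems = []
    if not is_rfc1918(up):
        problems.append(f"upstream {up} is not a private range")
    if not is_rfc1918(inner):
        problems.append(f"LAN {inner} is not a private range")
    if up.overlaps(inner):
        problems.append(f"LAN {inner} overlaps upstream {up}: hosts on both sides "
                        "would be ambiguous to the second router")
    if inner.num_addresses < 8:
        problems.append(f"LAN {inner} leaves too few addresses for devices")
    return problems


if __name__ == "__main__":
    # Assumed upstream: the ISP router's LAN. Constructed for illustration.
    house_lan = "192.168.1.0/24"
    print("suggested LAN:", pick_lan_subnet(house_lan))
    # The default suggestion collides if the house already uses 172.16/16:
    print("suggested LAN if house uses 172.16.0.0/16:", pick_lan_subnet("172.16.0.0/16"))
    print("problems with reusing the house subnet:", check_plan(house_lan, house_lan))
```

The second call shows why the check matters: with the house already on 172.16.0.0/16 the naive "use 172.16.x.x" suggestion overlaps, and the picker moves on to 172.17.0.0/24. This only addresses address-space overlap; the double-NAT effects on inbound connections discussed later in the thread are a separate issue.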
 
To completely avoid any arguments, if you've got good mobile coverage then maybe get yourself a 4G/5G router with a preloaded data SIM.

Depending on latency considerations this is a valid option if signal is good - where I live for example EE 4G is pretty solid and perfectly usable for all but twitch gaming, with even daytime bandwidth usually >100 Mbit/s.
 
I'd recommend buying a 4G/5G router and keeping your connectivity firmly in your own control.

If that's not possible for practical reasons, then you can run another router behind the existing one but this isn't really going to do much other than centralise your connectivity behind a single MAC address on his network.

What type of traffic are you trying to prevent visibility of? Web traffic is HTTPS and encrypted by default. You can view destination IP addresses and ascertain connectivity, but nowadays everyone is having their services fronted by the likes of Cloudflare and it's hard to tell where it's really going anyway.

Your biggest "risk" of your privacy being invaded is DNS. DNS is plain text and it's very easy to see/log what records that your devices are looking up - compounded further if you are using the DNS servers supplied by his DHCP (I don't know how sophisticated his setup is but assuming worst case and it's extreme). The solution to this is encrypting your DNS requests using DoH or DoTLS and sending them to DNS servers you specify. There are a few public DNS servers out there that support encryption. Google is your friend.

Some comments to a few pieces:

1) You will not "saturate" the WiFi and break Netflix if it's a gigabit uplink - especially not using 2.4GHz. I'd be surprised if you could get close to 800-900 Mb/s throughput on 5GHz with your device millimeters away from the AP. Not even adding on the fact that Netflix has buffering, dynamic resolution, and variable bitrate audio/video to deal with low bandwidth and packet loss. This just sounds like some messed up false logic to prevent you from using the WiFi.

2) Him being able to ping (send and receive ICMP packets) can easily be blocked (it's under file and sharing services, ICMP v4 and v6 as default rules in Windows Firewall). Furthermore, it tells you very little beyond the device is alive and responding to ICMP. It provides no sensitive information.

3) Have you validated that MAC address filtering is actually on? You can spoof a MAC address and confirm it. Google is your friend if you're not sure how to do this.

4) The ISP router is probably pants and he's highly likely not able to spy on you all that much without third party services. Use encryption for your traffic (HTTPS for web, and equivalents for other services) and encrypt your DNS requests. This will provide you with a pretty solid foundation without spending any money and only a little bit of time.

5) Quartz's mention of packet capture seems highly unlikely. Nonetheless, beyond source and destination IPs, encryption easily thwarts this as a monitoring method. It's also horrendously storage and compute intensive to analyse and store raw packets.

6) Your step dad doesn't seem as tech savvy as you think he is based on your description.

7) Finally, this whole situation is rather ****** up and not normal. Get out of it as quickly as you can.
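Point 4 and the DNS paragraph above are the core of this reply: on a LAN with plaintext DNS, anyone who can see the packets (a mirror port, a capture on the router, even a switch that floods) can read every hostname a device looks up, and the reply tells them which IP that name resolved to. The following is an added example, not code from the thread or from any poster, that builds a constructed DNS query and response in RFC 1035 wire format and then parses them the way a passive observer would, recovering the queried name and the A record, including the compression pointer a real response uses for the answer's owner name. The hostname and IP address in it are constructed, not real lookups.

```python
from __future__ import annotations
import struct

# --- constructing a "captured" plaintext DNS exchange (for illustration only) ---

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Response to a single-question query with one A record. The answer's owner name
    is the compression pointer 0xC00C, i.e. 'the name at offset 12' (the question)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 Q, 1 answer
    question = query[12:]
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


# --- what an on-path observer recovers from each UDP payload ---

def parse_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a domain name at `offset`, following compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def observer_view(payload: bytes) -> dict:
    """Everything a passive sniffer learns from one plaintext DNS message:
    whether it is a response, the names asked for, and any A records returned."""
    _txid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    offset, questions, a_records = 12, [], []
    for _ in range(qdcount):
        name, offset = parse_name(payload, offset)
        offset += 4                                     # skip QTYPE, QCLASS
        questions.append(name)
    for _ in range(ancount):
        owner, offset = parse_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata, offset = payload[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            a_records.append((owner, ".".join(str(b) for b in rdata)))
    return {"is_response": bool(flags & 0x8000), "questions": questions, "a_records": a_records}


def names_seen(payloads: list[bytes]) -> set[str]:
    """Aggregate the hostnames leaked across a capture of DNS payloads."""
    return {q for p in payloads for q in observer_view(p)["questions"]}


if __name__ == "__main__":
    # Constructed exchange; the name and address are illustrative, not real lookups.
    q = build_query("shop.example.com")
    r = build_response(q, "203.0.113.10")
    for pkt in (q, r):
        print(observer_view(pkt))
    print("leaked names:", names_seen([q, r]))
```

The point for this thread: the observer never needed to decrypt anything, because the question section is in the clear in both directions, and the answer hands over the name-to-IP mapping that makes later HTTPS flows to that IP attributable. Moving resolution to DoH or DoT removes exactly this visibility; the TLS-wrapped queries then look like any other encrypted flow to the resolver.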
 
Thanks for your responses everyone I appreciate it.

To give a bit more background information: what set this all off was that, because I'd been invited to live at my parents' place rent free until I get back on my feet financially, I decided to spend a bit more than I would normally on my mum for Christmas as a thank you. My step dad told my mum prior to Christmas what I had bought her (ruining the surprise) and when my mum asked him how he knew he told her essentially that he'd been monitoring my internet traffic. Now whether this is actually true or not I don't know, but I can't imagine how else he would have known given that I didn't discuss it with anyone else and signed for the delivery myself when no one else was in the house. As aaronyuri hinted at, I've known since I was young that he isn't nearly as tech savvy as he claims to be. He did work in various areas of networking and telecoms for about 20 years but he's always been quite insecure about his own capability and as a consequence tends to overstate his skillset. When I was younger he would often brag about "hacking" my and my brother's devices, "hacking" the neighbours etc. All quite cringeworthy really. In the grand scheme of things I don't suppose any of this really matters much and the chances are that his own technical limitations prevent him from gleaning too much sensitive material from my devices. I suppose my issue is that even the possibility that I might be being spied upon makes me feel a bit uncomfortable and hence my desire to look for a solution that might give me a bit more security and control over my traffic.

I did do a bit more research last night and as many of you have mentioned it does seem that double NAT will be an issue if I install a second router. I don't host any services (game servers etc) but I would ideally like to connect to a VPN and also occasionally use peer to peer file transfer, both of which it seems would be negatively affected by double NAT. A 4G/5G router is certainly worth looking into however, and isn't something I had considered before. My mobile data reception is acceptable for phone software updates and basic web browsing but I'm not certain how effective it would be to route all my traffic through such a connection. I'll do some digging though and find out.

In regards to the issues with the Wi-Fi, while we do have a gigabit connection to the property and can get that speed with a wired connection, the ISP provided router has pretty terrible Wi-Fi and isn't positioned well to cover the bedrooms. I believe that my parents typically only get about 10-20 Mbps on 2.4 GHz and about 40-50 Mbps on 5 GHz on their devices from their bedroom. My room is slightly further away from the router and so I would expect to get slightly lower speeds. I think my stepdad's concern was that if they are both watching Netflix (for example) in bed on their tablets and I also have access to the Wi-Fi it may cause buffering etc and he doesn't want that. I'm sure he is perfectly capable of improving the Wi-Fi coverage in the house if he wanted to but just doesn't want to spend the money when it works for what they need it for. As a result he doesn't want me connecting to it and honestly I don't actually have an issue with this. The only reason I mentioned it is because buying an all-in-one unit like the Express 7 would give me the Wi-Fi access I don't currently have without negatively affecting my parents. A two birds with one stone situation.

It's looking like perhaps the best option for maintaining my privacy would simply be to use a VPN service? As I understand it (and feel free to correct me if I'm wrong) when you connect to a VPN the tunnel between your device and the server you are connecting to is encrypted, and most VPNs offer their own DNS (which is also presumably encrypted?), and so even in the event that my step dad is able to monitor the traffic all he would be able to see is all of my traffic going to a single IP but not be able to see anything beyond that point, as well as not be able to see any specific information about the packets being sent? If that alone will achieve what I want, it would save me quite a bit of money on the router. I would obviously still not have access to Wi-Fi, but that isn't really a deal breaker for me at the moment.

You've all given me a lot of food for thought.

Thanks.
 