Troubleshoot How to set up 2 DHCP servers in a single network?

[HarborFront]

Hi

I need some help as per aforementioned caption.

Devices :

1) Portal Router - My current router. It does not come with AV/AM and privacy protection. It connects to the ISP-provided ONT (Optical Network Terminal) running on 1 Gbps fibre broadband

I would like to overcome the shortcomings in my Portal Router by adding

2) CUJO Smart Firewall - A Smart Firewall with AV/AM protection for my devices (consider to buy)
3) eBlocker - A device to secure my privacy (consider to buy)

Note :- All connections using Gigabit LAN

Individually, the CUJO and eBlocker are very easy to set up. Just connect to the LAN port of your router and the devices will auto detect and set up.

The problem comes if I tries to connect the 3 together

According to CUJO website (below) my Portal Router can ONLY connect in Bridge Mode with an additional router like this

Portal Router (downstream) ==> CUJO ==> Another Router (upstream) ==> ONT (Optical Network Terminal) ==> Internet

COMPATIBILITY : CUJO LLC
CUJO modes : CUJO LLC

For the eBlocker connection,

eBlocker Review and Tutorial 2017 (Plus Discount) | RestorePrivacy

I'll need to disable DHCP server in the Portal Router to connect the CUJO in Bridge Mode. In this case the upstream router (which connects to the ONT) will be a DHCP server. If I connect my eBlocker to the upstream router then I'm not protected by CUJO. How about connecting to the downstream Portal Router?

So, any solution to this problem? Note that I don't like the idea of having to add another router.

Thanks

 

[HarborFront]

Alternatively, I replace my Portal Router with a Netgear Orbi router and connects as follows

The below picture is my connection i.e. with separate ONT and router

DHCP mode: Netgear Routers Orbi Interface : CUJO LLC

And connects the eBlocker as same before to the router using LAN

In this connection I'll need to disable the DHCP sever in the Netgear Orbi router but both the CUJO and the eBlocker will contend as a DHCP server

So how?

And, according to Netgear community, there seems to have some issues with the manner the CUJO site disables the Netgear Orbi's DHCP

Disable DHCP on the ORBI - NETGEAR Communities

DHCP mode: Netgear Routers Orbi Interface : CUJO LLC

Problems also mentioned here

CUJO Smart Internet Security Firewall Reviewed - SmallNetBuilder

One of the cons to Direct/DHCP mode is that CUJO is also performing Network Address Translation (NAT). This means your network is now double-NATed, since your router already is performing NAT. Technically, this isn't a big deal for most traffic, but it can cause problems with VoIP, gaming, and other connection-sensitive traffic.

Another con to Direct/DHCP mode is all traffic on your network is going first to your router's built-in switch, then to the CUJO, and then from CUJO back to your router, which may reduce overall network throughput.

Two more cons to Direct/DHCP mode are devices with static IPs on your network will stop working. And if you're using the VPN option on your router to remotely access your network, VPN will no longer work. Statically addressed devices can be re-enabled by configuring them for DHCP or giving them a static IP on the 192.168.0.0/24 subnet.

 

[HarborFront]

Last alternative will be to wait for Netgear Armor to arrive in the Netgear Orbi

Bitdefender and NETGEAR partner to bring IoT security to customers

Bitdefender and NETGEAR partner to bring IoT security to customers

NETGEAR Armor powered by Bitdefender will be made available for the Orbi Whole Home WiFi system and the Nighthawk performance routers later in the year via firmware updates.

and that'll be somewhere near to the end of the year.

Then I just disables the Netgear Orbi's DHCP server and connects the eBlocker to it....hopefully they can work together to provide AV/AM and privacy protection

 

[Digerati]

My current router. It does not come with AV/AM and privacy protection. I

The vast majority don't. And that's just fine.

To suggest your networked devices are "Unprotected" without this CUJO (or eBlocker) device is pure marketing scare tactics hogwash! We don't need these devices. Now if you want it, that's fine, but don't think for a second your current router and your devices' security are not protecting you already. And you certainly don't need both CUJO and eBlocker.

Our biggest threat is ourselves. The user is, was, and always will be the weakest link in security. We just need to keep Windows updated, use a decent and current anti-malware solution, and don't be "click-happy" on unsolicited attachments, links, downloads and popups.

Understand routers already act as a very effective network firewall (even basic routers) with DHCP. Better routers incorporate SPI (stateful packet inspection) for even greater hardware based firewall protection.

****

It is not clear (to me anyway) what you are trying to do. The idea is to run all your network devices through the CUJO device. Connecting directly to the router, as shown with the notebook in that one image) defeats the purpose of the CUJO device.

What devices do you have?

 

[HarborFront]

The vast majority don't. And that's just fine.

To suggest your networked devices are "Unprotected" without this CUJO (or eBlocker) device is pure marketing scare tactics hogwash! We don't need these devices. Now if you want it, that's fine, but don't think for a second your current router and your devices' security are not protecting you already. And you certainly don't need both CUJO and eBlocker.

Our biggest threat is ourselves. The user is, was, and always will be the weakest link in security. We just need to keep Windows updated, use a decent and current anti-malware solution, and don't be "click-happy" on unsolicited attachments, links, downloads and popups.

Understand routers already act as a very effective network firewall (even basic routers) with DHCP. Better routers incorporate SPI (stateful packet inspection) for even greater hardware based firewall protection.

****

It is not clear (to me anyway) what you are trying to do. The idea is to run all your network devices through the CUJO device. Connecting directly to the router, as shown with the notebook in that one image) defeats the purpose of the CUJO device.

What devices do you have?

FYI, high end routers come with IoT protection e.g. the ASUS RT-AC5300 incorporates Trend Micro antimalware protection system

My Portal Router comes with SPI and NAT dual firewalls but lacks of AV/AM and privacy protection. SPI and NAT are more for protection against network attacks not against malware nor protection of your privacy

A decent AM solution is only good for your PC/laptop/smartphones NOT for your IoT devices.

I have already mentioned that I'm considering buying the CUJO Smart Firewall and the eBlocker. I have corresponded with Portal and they have no near plan to incorporate any AV/AM solution into their router. Of course buying the CUJO will entitles me to lifetime free subscription.

Ultimately, after evaluation, the last alternative is what I'll be going after.

 

[Digerati]

FYI, high end routers come with IoT protection e.g. the ASUS RT-AC5300 incorporates Trend Micro antimalware protection system

My Portal Router comes with SPI and NAT dual firewalls but lacks of AV/AM and privacy protection.

As I said the "vast majority", sure, there are exceptions. But home users typically don't need or have "high-end" routers.

SPI and NAT are more for protection against network attacks not against malware nor protection of your privacy

True. But that's why we have firewalls and antimalware solutions on our computers - just in case a bad guy somehow gets past SPI and NAT.

A decent AM solution is only good for your PC/laptop/smartphones NOT for your IoT devices.

True, but changing default passwords on those devices and using very strong passwords, disabling UPnP and remote management, and keeping connected devices current will protect them too.

I am not dismissing the peace of mind those devices can provide. I am just saying don't fall for the marketing hype that you are unprotected if you don't use them.

 

[HarborFront]

As I said the "vast majority", sure, there are exceptions. But home users typically don't need or have "high-end" routers.
True. But that's why we have firewalls and antimalware solutions on our computers - just in case a bad guy somehow gets past SPI and NAT.
True, but changing default passwords on those devices and using very strong passwords, disabling UPnP and remote management, and keeping connected devices current will protect them too.

I am not dismissing the peace of mind those devices can provide. I am just saying don't fall for the marketing hype that you are unprotected if you don't use them.

I switched my ASUS RT-AC5300 to Portal Router some months back

My topic of discussion is to protect your home-wide IoT devices and online privacy

A Smart Firewall can perform the former and the eBlocker for the latter. Normal SPI/NAT firewall at the router and software firewall and AV/AM on your PC/laptop can only protect your PC/laptop

I suggest you read what eBlocker can do at their website

Anonymous and ad-free surfing on all your devices. Plug'n'play. Privacy made in Germany.

and tell me whether those steps you suggested can protect your onliine privacy

My suggestion is

If you have an existing router without IoT protection you can install a Smart Firewall and the eBlocker to protect your IoT devices and online privacy

If you have a high-end router which comes with IoT protection built-in for your IoT devices then there's no need to get the Smart Firewall device. Just get the eBlocker to protect your online privacy will do

If you are looking for a new router get one with IoT protection built-in. Then there's no need to get the Smart Firewall device. Just get the eBlocker to protect your online privacy will do. Router companies are tieing up with AV companies like BitDefender, Trend Micro, McAfee etc to provide AV/AM protection in the router.

 

[ForgottenSeer 58943]

The vast majority don't. And that's just fine.

To suggest your networked devices are "Unprotected" without this CUJO (or eBlocker) device is pure marketing scare tactics hogwash! We don't need these devices. Now if you want it, that's fine, but don't think for a second your current router and your devices' security are not protecting you already. And you certainly don't need both CUJO and eBlocker.

In the modern age there is almost NO protection offered by a simple-NAT router.. Literally none.. You are way way behind the times.. Your advice was probably relevant 20 years ago, but is absolutely not relevant today. So please stop giving poor, even dangerous advice to people.

Harbor, I know a 'little' about these consumer and prosumer protection devices. I don't use them, but they utilize basic network principles to accomplish their goals. As for multiple DHCP servers, I have 8 distinct, segregated DHCP servers with physical port segregation and VDOMS on my network. For me it is possible, and in fact ideal in terms of network security because it prevents lateral movement after the network is breached by an external actor. For you having multiple DHCP servers won't work and will result in a disaster for your network and attached devices.

First, I don't like Cujo because it utilizes ARP Manipulation and Poisoning to accomplish it's goals.. It will work - obviously - but isn't ideal. Fingbox also utilizes ARP poisoning which as a network engineer we totally hate Arp poisoning devices. Second, it appears eBlocker has to function as a DHCP server to even work, is that correct?

If so your setup would be to disable the DHCP on your primary router, put the Cujo in bridge mode downstream from your primary router, run Cujo into a switch, then plug your eBlocker into the switch as a DHCP server. I am going to assume eBlocker requires itself to be a DHCP server to maintain dominion as DNS forwarder - that's a logical conclusion here.

Modem->Router(DHCP/DNS Disabled)->Cujo(Bridged)->Switch->eBlocker(DHCP Server)

That should get you working just fine. However I do not feel this situation is ideal and with less money and effort you could have a much more secure environment. What I would do if I were you would be to remove your router, put a small Untangle Box behind your modem as your primary UTM. Then go to a switch. After the switch put your router on the network in AP Mode, then put a Pi-Hole on the network and load it up with blacklists for adblocking/telemetry/malware blocking and point Untangle BACK to the Pi-Hole for DNS resolution.. This will be MUCH faster and more efficient, and also more secure.

Modem->Untangle UTM(DHCP)->Switch->Pi-Hole->OldRouter(AP Mode)

My previous structure was: Modem->FortiGate E->FortiSandbox->Untangle(Transparent)->FortiSwitch->Bulldog RogueAP/Access Points->Pi-Hole.

My new structure is; Modem->FortiGate E->FortiSanbox->Port1,Port2 in VDOM1->Port3,Port4,Port5 in VDOM2, Port6, Port7 in VDOM3->FortiSwitch->Bulldog RogueAP/Access Points-.Pi-Hole.

What this does is give me 8 distinct, PHYSICALLY separated networks with their own DHCP in their own VDOMS. Each network cannot communicate to any other network or internal device unless explicitly policy permitted. This totally eliminates lateral movement in the network which is a common occurrence in the modern age with hackers/intruders or even malware. This is complex, admittedly, and I have over 40 policies on the Fortigate to manage it all with an explicit Deny/Deny/All for anything not policy allowed.

 

[ForgottenSeer 58943]

Harbor, within 5 years or less it will be almost required to have a UTM or UTM-Like device on homes. There is a reason every manufacturer on the planet is integrating security with their upcoming firewalls. Routers are a joke. Firewalls are barely adequate. Even PfSense is considered marginal in the modern age.

Norton, F-Secure, Bullguard, Bit Defender, all of the big boys have UTM type devices. ASUS integrates with Trend. Netgear will integrate with Bit Defender. These are all basically entry level UTM's, equivalent to what we were deploying in the corporate world for SMB's a few years ago. Even TRENDnet and Tenda are working on UTM devices.. It's not marketing hype, it's a fact of life and changes that need to be made for the situation we're in. Homes are all blended OS environments with blended devices. All of them offer some level of risk that cannot be mitigated by a stupid router and you certainly can't put AV's on the vast majority of them. Therefore these UTM type devices are the logical evolution of home security.

A common question from CEO's and others in the corporate world is "Can I get one of those UTMs for my home too?". The reason is, these guys see the reports, they see the thousands of malicious blocks a week. They see the hackers being repulsed daily. Then they think 'Is my washing machine going to be a victim?'.. Well yeah, it could, or even possibly already is. A plain old cheap nat router is a joke and anyone that thinks they are adequate in the current times is really not qualified to discuss IT Security IMO. SPI?

This guy (above) says "Better routers incorporate SPI (stateful packet inspection) for even greater hardware based firewall protection.".. Are you kidding me? Stateful inspection firewalls (L2) have effectively become obsolete because of two significant limitations. First, they don't inspect the data payload of network packets. Second, they don't have the fine-grained intelligence to distinguish one kind of Web traffic from another, malicious or otherwise, or to apply policy to that traffic. Basically - Stateful Packet Inspection (SPI) firewalls that are inadequate against today's threats in whatever form those threats come in.. This isn't 1998 for god sakes, someone needs to up their game or get off the playing field.

Also, and more importantly, almost all of these devices have Botnet Shields. Basically, it's a method to prevent botnet subversion of any IoT device. Otherwise known as a 'Session Block' in the IT world. What it does is examine session creation rates and once a threshold is reached it assumes the device has been botnet compromised and arp poisons it. Very simple, very effective, and already proven in the field.

 

[HarborFront]

@ForgottenSeer 58943

Thanks for the suggestions.

Your set up

Modem->Router(DHCP/DNS Disabled)->Cujo(Bridged)->Switch->eBlocker(DHCP Server)

is not possible if I use my existing Portal Router. I'll need another upstream router with DHCP disabled and working with my downstream Portal Router like this

Internet ==> ONT (Optical Network Terminal) ==> Another Router (upstream) ==> CUJO (Bridge Mode) ==> Portal Router (downstream) ==>

and I don't intend to use a switch for I do not have many LAN devices. I ran almost all of them using WiFi. CUJO and eBlocker work on LAN only

Of the 3 alternatives I put up the last alternative is the most viable and the connection would be

Internet ==> ONT (Optical Network Terminal) ==> Netgear Orbi Mesh Router (disabled DHCP) with Netgear Armor ==> eBlocker (enabled DHCP)

i.e. I'll need to replace my Portal Mesh Router with the Netgear Orbi Mesh Router (with Netgear Armor) and remove CUJO from the set up.

The only advantage I see of CUJO is its lifetime free subscription. Netgear Armor (powered by BitDefender) requires paid subscription. One other thing about CUJO (and similar proprietary Smart Firewalls) is that it uses its own proprietary cloud AV/AM protection, machine learning and behavior analysis. If you ask me I'll say protection by BitDefender, Norton, Tend MIcro, McAfee etc is much much better.

From my correspondence with eBlocker it seems they are going to test the Netgear Orbi and have malware protection added to their device.

IMO, a Smart Firewall is good only for existing routers without AV/AM protection built-in. Like I mentioned, nowadays, AV companies are tieing up with router companies to incorporate their AV/AM into the routers so Smart Firewalls will not be useful.

 

[ForgottenSeer 58943]

@ForgottenSeer 58943

Thanks for the suggestions.

Your set up

Modem->Router(DHCP/DNS Disabled)->Cujo(Bridged)->Switch->eBlocker(DHCP Server)

is not possible if I use my existing Portal Router. I'll need another upstream router with DHCP disabled and working with my downstream Portal Router like this

Internet ==> ONT (Optical Network Terminal) ==> Another Router (upstream) ==> CUJO (Bridge Mode) ==> Portal Router (downstream) ==>

and I don't intend to use a switch for I do not have many LAN devices. I ran almost all of them using WiFi. CUJO and eBlocker work on LAN only

Of the 3 alternatives I put up the last alternative is the most viable and the connection would be

Internet ==> ONT (Optical Network Terminal) ==> Netgear Orbi Mesh Router (disabled DHCP) with Netgear Armor ==> eBlocker (enabled DHCP)

i.e. I'll need to replace my Portal Mesh Router with the Netgear Orbi Mesh Router (with Netgear Armor) and remove CUJO from the set up. The only advantage I see of CUJO is its lifetime free subscription. Netgear Armor (powered by BitDefender) requires paid subscription. One other thing about CUJO (and similar proprietary Smart Firewalls) is that it uses its own proprietary cloud AV/AM protection, machine learning and behavior analysis. If you ask me I'll say protection by BitDefender, Norton, Tend MIcro, McAfee etc is much much better.

IMO, a Smart Firewall is good only for existing routers without AV/AM protection built-in. Like I mentioned, nowadays, AV companies are tieing up with router companies to incorporate their AV/AM into the routers so Smart Firewalls will not be useful.

What is a 'portal router'? I've never heard that term. Also, why would you need all of these routers? They are serving no purpose at all. The purpose of a small switch isn't the number of devices on a lan in some cases, in your case it's allowing you to place the eBlocker into the mix and to have eBlocker as your DHCP server. The second purpose of a switch in your case is to get your AP (or router in AP mode BEHIND the Cujo because it's going into your switch which then puts all of your wireless devices behind the Cujo and thus - within the proxy filtration scope of the Cujo.

First, does your ONT handle DHCP? I assume the ONT is serving as an SPF to convert fiber to ethernet and doesn't do anything else, right? The primary concerns with more than one router is: 1) Double or Triple NAT. 2) More than one DHCP. Then you need to consider arp and packet storm issues.

I don't know how your ONT functions, but logically, it should flow like this;

ONT ->Router (DHCP off)->Cujo (bridged) ->Switch->eBlocker(DHCP)

There should be no reason to add yet another router into the mix as it would serve no purpose whatsoever. Any AP or a router in AP mode would be behind the switch and thus, behind the Cujo so it would be behind the Cujo proxy. eBlocker seems to work by acting as a DHCP server w/DNS filtration so it doesn't matter where it's location is in the network as it will direct reservation requests to itself.

I think you are over complicating things to be honest.

 

[HarborFront]

What is a 'portal router'? I've never heard that term. Also, why would you need all of these routers? They are serving no purpose at all. The purpose of a small switch isn't the number of devices on a lan in some cases, in your case it's allowing you to place the eBlocker into the mix and to have eBlocker as your DHCP server. It's very simple.. Keep in mind if your AP or router in AP mode is behind the switch then all of your WiFi devices would also be passing through the Cujo Proxy.

First, does your ONT handle DHCP? I assume the ONT is serving as an SPF to convert fiber to ethernet and doesn't do anything else, right? The primary concerns with more than one router is: 1) Double or Triple NAT. 2) More than one DHCP. Then you need to consider arp and packet storm issues.

I don't know how your ONT functions, but logically, it should flow like this;

ONT ->Router (DHCP off)->Cujo (bridged) ->Switch->eBlocker(DHCP)

There should be no reason to add yet another router into the mix as it would serve no purpose whatsoever. Any AP or a router in AP mode would be behind the switch and thus, behind the Cujo so it would be behind the Cujo proxy. eBlocker seems to work by acting as a DHCP server w/DNS filtration so it doesn't matter where it's location is in the network as it will direct reservation requests to itself.

I think you are over complicating things to be honest.

I'm using fibre broadband. For fibre broadband they don't use the term 'modem' but ONT (Optical Network Terminal)....something like a modem. No, the ONT is ISP-supplied and it does NOT have DHCP.

Portal Router, here

Portal WiFi - Home

If I want to use CUJO with my Portal Router I'll need to connect using another router. This is CUJO requirement in Bridge Mode. Portal Router is NOT compatible to the CUJO in DHCP(Router Mode)....a no choice situation here as shown below

COMPATIBILITY : CUJO LLC

From the above link the Netgear Orbi allows me to connect in DHCP & Bridge Modes.....more flexibility

 

[ForgottenSeer 58943]

I'm using fire broadband. For fibre broadband they don't use the term 'modem' but ONT (Optical Network Terminal)....something like a modem. No, the ONT is ISP-supplied and it does NOT have DHCP.

Portal Router, here

Portal WiFi - Home

If I want to use CUJO with my Portal Router I'll need to connect using another router. This is CUJO requirement in Bridge Mode. Portal Router is NOT compatible to the CUJO in DHCP(Router Mode)....a no choice situation here as shown below

COMPATIBILITY : CUJO LLC

From the above link the Netgear Orbi allows me to connect in DHCP & Bridge Modes.....more flexibility

Ahh yes, I see it's a limitation of the particular equipment.. More powerful gear (SOHO or above) will give you much more flexibility. I'd recommend ditching all of the consumer gear and moving to Prosumer. Setup Untangle ($49 a year for full UTM), put a switch behind it, toss a Unifi access point onto the switch and either install the software controller on a PC/Server or get the CloudKey to control it. If you are feeling frisky, spend $50-$60 on a Pi3 kit on Amazon, 30-45 min of your time and setup a Pi-Hole. Plug that into the switch and point Untangle to the Pi-Hole for DNS resolution.

Then you can dispose of all of this limiting consumer gear and ARP poisoning disasters and get some really really serious protection for almost nothing.

 

[Digerati]

In the modern age there is almost NO protection offered by a simple-NAT router.. Literally none.. You are way way behind the times.. Your advice was probably relevant 20 years ago, but is absolutely not relevant today. So please stop giving poor, even dangerous advice to people.

You need to stop with your insistent FUD. Once again you make claims that, if even remotely true, would indicate that many 100s of millions of Windows users would be totally compromised. And once again, that is just not true.

A plain old NAT router provides a HUGE layer of security for the normal home user compared to no router at all. That's the point here, not corporate protection.

Did you "stop" getting infected when you moved to a corporate level router? I bet not. I'm not suggesting the least expensive router people can find. But there are many affordable routers between $100 - $150 that will do just fine.

When it comes to home users, bad guys are lazy opportunists. Once they see even a small level of security, they move on to easier pickings. Your nosy neighborhood whizkid is not going to get past your basic wireless router unless you do something stupid like set the wifi passphrase to your dog's name or street address.

Now if a determined bad guy is targeting you specifically, that's another story, but then you have bigger problems to worry about.

Now if you want this thread to be about corporate level protection, I agree with you. But as far as I can tell, this is about a home network.

My topic of discussion is to protect your home-wide IoT devices and online privacy

Okay, fine. But if privacy is your concern, you need to get rid of your cell phone and your ISP. They know your real name, your real home address and your billing information. They also know where you have surfed on the Internet. And thanks to Congress, they can sell that information to just about anyone.

Your cell phone carrier knows all that and who you have texted, talked to and emailed. But worse than that, they know where you are currently standing to within a few feet, including which aisle of the store you are standing in. They know where you have been, the direction you are heading and how fast you are traveling.

Microsoft does not even know our real names or address. And with an Ethernet connected computer, the closest they know of our physical location is our PoP (point of presence) where our ISP connects us to the Internet backbone - which in my case, is 10 miles away in the next town over.