Changing 192.168.0.1

[Mediaman]

Is there any harm in changing ones default router address to something other than 192.168.0.1? Seems to me its just good practice to do so just in case someone gets access to the network. Its bad enough that I have free access to my neighbours signal, but it was way too east to type in 192.168.0.1 (just for fun) and see his router settings!! Granted he had no security enabled and left router passwords unchanged, but still, one can never have too much protection!

So if there is no harm (and potential benefit) in changing it, I am tempted to do so. Can it literally be anything?

 

[thiggins]

You can change it. Make sure that it is set to an IP outside the DHCP server range (but inside the subnet, please!)
For example, I have my LAN on 10.168.3.X because I test a lot of products and didn't want to keep conflicting with the commonly used 192.168.0.X and 192.168.1.X ranges. I set my router IP to 10.168.3.254, which is outside the DHCP server range of 10.168.3.100 to 10.168.3.249

 

[jdabbs]

Benefits: Negligible. Anyone connecting via DHCP would be able to glean your router IP by looking at the assigned gateway.

If you aren't using DHCP, they could just sniff your traffic for a few minutes to get it. This is the security equivalent on a screen door on a bank vault: anyone capable of getting through the bank vault doors isn't going to be slowed down by it in the slightest.

 

[grandin]

Screen door security

There are some useful administrative benefits to doing this. A screen door can keep out pesky mosquitoes who may have somehow stumbled past (or been allowed past) the vault doors. For example, my teenage son's girlfriend has our wireless key programmed into her laptop. I don't expect her to start hacking our network, but the fact that our IP addrs are different from the ones she uses at school and at her dorm makes misidentification of certain non-dns referenced resources unlikely.

As Tim alluded earlier, another benefit to having a separate subnet which differs from those typically configured into consumer products is it prevents those products from "taking over" aspects of your network as soon as you plug them in. For example, you buy a wireless router to use as an access point. You plug it in, hoping to configure it before using it. The router has a DHCP server turned on by default and it immediately fouls up the DHCP requests for a server you already have on your net. Among other problems, your network nodes one by one go offline over the course of the next two to four weeks while you're trying to figure out what the heck happened. I could go on and on with scenarios that can be caused by a rogue DHCP server.

Another scenario: You have your network set up to the default subnet of 192.168.0.0. One of your kids or a visitor plugs in another wireless access point that's configured by default for the subnet you're using and has no security set up. Instant hole into your network that may be inadvertently used by your neighbors without their even realizing it. Until you have a chance to discover this rogue AP, at least the different subnet will prevent people from **unintentionally** using your bandwidth or accessing unsecured devices on your net. And let's face it, in this scenario the unintentional user may well be as dangerous as the sniffer-endowed hacker bent on destroying or exploiting your network. At least obscuring your IP range gives you *some* protection.

If you do this, be sure to use one of the subnets set aside for private network use. They are:

10.0.0.0 - 10.255.255.255 (mask=255.0.0.0)
172.16.0.0 - 172.31.255.255 (mask=255.240.0.0)
192.168.0.0 - 192.168.255.255 (mask=255.255.0.0)

The masks listed are the broadest mask you should use with each subnet. Using more restrictive masks to create smaller subnets (like the commonly used 192.168.1.0 with mask 255.255.255.0) is certainly allowed and can make network management easier. In fact, many consumer-grade products won't even work with masks larger than 255.255.255.0.

Why use only these private subnets? You could use another subnet, like 169.226.0.0 (mask=255.255.0.0), but by using that subnet you are risking being unable to access internet content (or any other services) provided by the true owner of that subnet, the State University of New York. Requests to the subnet you've set up never get outside of your home network (that's part of the router's job--to route requests for your private network internally and requests to any other network externally). The private subnets listed above have no owner--they are intentionally set aside for NAT use--so these subnets are guaranteed not to be present on the internet in any way shape or form. That's why they are called "private."

For more info check out: http://compnetworking.about.com/od/workingwithipaddresses/l/aa043000b.htm

Hope this helps.

Grandin

 

[Mediaman]

Love the screen door analogy !

So I would be ok if I make these changes?:
(that is, is my numbering correct)


Main router
IP: 192.168.0.1 -> 10.68.0.1
SubMask : 255.255.255.0 -> 255.0.0.0
DHCP IP Start: 192.168.0.2 -> 10.68.0.2
DHCP IP End: 192.168.0.100 -> 10.68.0.100

AP
IP: 192.168.0.251 -> 10.68.0.251
SubMask : 255.255.255.0 ->255.0.0.0
DHCP: disabled

 

[YeOldeStonecat]

For a home network..not a heck of a lot of advantage to it. If someone spent the time to grind past your wireless security, you most likely have DHCP running on your network..once (a big IF) they break your wireless security..their PC will obtain its lease, they can look at IPCONFIG /ALL results and see the IP address they obtained, as well as the IP of your DHCP server and Gateway..which is the same on home grade routers. So they now have it.

I change them because I VPN to a lot of clients, so I stay away from the common 192.168.0.xxx and 192.168.1.xxx. I keep the 192.168..but my 3rd octet is a fairly high number. Routers in gateway mode traditionally have their address end in .1. Common DHCP pools start with .100 and end with .200 on home routers. Access points commonly at .245 or .253.

 

[Mediaman]

I believe grandin's point was more to protect against the unintentional/accidental access, as opposed to the intentional/deliberate.

Assuming my numbers above are valid, plan to try this shortly.

 

[grandin]

Sure

Those addrs will work as you listed them.

To save router resources and prevent mistakes (as long as you're sticking with the 10.68.0 subnet) I would use a mask of 255.255.255.0. Really, a class C subnet (one using a mask of 255.255.255.0, allowing up to 254 IP addrs) is a nice size for home or small office--any network with fewer than 80-100 nodes.

 

[jdabbs]

Grandlin, welcome to the forums!

That said, I'm going to have to respectfully disagree with some of your points.

Internet access but not Router Access:
Hopefully you're only letting trusted people have access to your network (although with WEP, you're not putting up much of a fight). You are worried about people either stumbling onto or gaining access to your router config. This is a problem, but there is already a much better solution: a password. Stops accidental access, and unless you're running a vulnerable router, malicious users. This is preferable to merely "hiding" the router, as it also thwarts people actively hunting for it.

Rogue devices:
-AP: APs bridge the wireless and LAN interfaces. So when a opportunistic piggybacker connects to the open AP and sends a DHCP request, the router helpfully responds with a lease from your different subnet. Doesn't matter if the AP is configured for 10.0.0.0/8 and your router is 192.168.1.0/24, a frame is a frame, and forwarded regardless.
-Multiple DHCP servers: Having two different DHCP servers are a problem even if they issue leases for different subnets. Changing your router subnet offers no protection against this, so I'm not sure why you brought that up.

There are reasons to change your router subnet. Security is the least of them.

 

[Mediaman]

Grandin, many thanks. Just installed my screen door. So nice when it takes 5 seconds and works without issues! Not even a computer re-boot needed.

Perhaps there is a debate on maginitude of merits, but certainly there are some, and no drawbacks or cost.

Thanks again.

 

[grandin]

Jdabbs,

Good points, all. In addition to at least WPA security and password-protected configs, we generally configure our clients' DHCP servers to respond only to known MAC numbers. It's something I do so regularly I don't even think about it anymore; I should have pointed that out. Of course, a rogue DHCP server poses less of a threat (in this config) if the subnet differs from the legit router's as the IP and gateway addrs issued will preclude access to local or Internet resources.

In any event, even without MAC-verified DHCP there are numerous service-overlay or service-conflict problems that can be prevented by changing the default subnet and LAN IP addrs. This isn't security as much as robustness and reliability. Security benefits alone don't justify changing the default config. But there are still compelling reasons for doing so. In my business it's one of the fine points that separates the quick-and-dirty installers (cough cough geek squad cough ) from the guys who are thinking things through.

The way I laid out the rogue DHCP scenario was flawed. A better description of the problem would have stated that a rogue DHCP server with the same default config as the legit server would issue CONFLICTING addrs which would cause immediate network issues. A server on a different subnet would cause issues only for some nodes with expiring leases--something that generally happens on a 2-week timeframe. In any event, I could have chosen a better service conflict example.

As far as someone stumbling onto router config, I don't worry about that, of course, because we're using admin passwords. The definitive "inadvertent unauthorized usage" threat is the 12-year-old neighbor kid using a client's IP addr to download Saw IV, attracting the attention of the MPAA. (Or any one of a number of other unauthorized usage problems).

Thanks for keeping it real. By the way, it's "Grandin" with no "L". Old family name or I wouldn't mind so much.

Best,

Grandin

 

[jdabbs]

Thanks for keeping it real. By the way, it's "Grandin" with no "L". Old family name or I wouldn't mind so much.

Sorry about that--I used to work with a rascal with the name of Sandlin, must have been thinking of him.

Your rationale for changing subnets is pretty solid; like you said, not strictly security-wise, but plenty of justification for doing so regardless.

Your approach to access control by whitelisting MACs via DHCP is understandable; my org instead takes the angle of limiting the number of MACs connected per port. I can see the pros and cons of each technique though.