New Sky Business Router won't let me change the subnet...
May 29, 2024 12:37 PM
A friend's business has gone with Sky Connect (Business) in the UK and their router (a BR440) refuses to allow them to move to 192.168.2.x because it wants to use it for 'public wifi'. I can't find any way to change this in the settings - it isn't possible, confirmed by Sky.
All of the LAN and various (micro)services are configured to use 192.168.2.x but the router issues 192.168.0.x. It's very annoying.
The problem is, the business has some really old (but important) services running on various static IPs in the 2.x range that the 0.x range need to access. The passwords are long since forgotten (sadly) so it isn't possible to reconfigure everything to just sit on a 0.x address. There's so much hard coded across the network to expect the device or service to be at a specific 2.x address.
Without doing double NAT (as that would be a bad idea, right?) how would you get around this problem as cheaply and simply as possible?
I'm happy to buy a device to sit in the middle and translate things (ideally without introducing double NAT) but I don't have a huge amount of time to configure everything for them.
Any tips very welcome.
Double NAT is bad only because making servers that sit behind multiple layers of NAT available to the outside world requires setting up port forwards on every layer's router. If double NAT would solve your present problem and you either don't need access from outside or have enough control over your routers to be able to set up the appropriate forwardings, there's no reason to avoid double NAT beyond the general sense of ewww.
posted by flabdablet at 7:40 AM on May 30, 2024
That said, in your shoes I'd be biting the bullet and reconfiguring everything that connected to a legacy 192.168.2.x server so as to do that via a locally administered DNS name rather than kicking this particularly foul-smelling can of technical debt down the road for the next poor bastard to deal with. And I'd set up a KeePass database file that documented all the relevant passwords.
I'd allocate all those names inside subdomains of the .lan TLD so as to be able to keep all the local DNS stuff completely insulated from possible future changes to the organization's public-facing domain name (don't use .local for your private internal TLD, as was once best practice, because that will cause conflicts with any mDNS-capable devices that turn up on your LAN).
If that wasn't practical, I'd be ditching the ISP-provided router and installing one I could control. And if that wasn't practical, I'd just go with double NAT and disable the ISP-provided router's wifi to make sure nothing but my internal router ever connected to its LAN side.
posted by flabdablet at 8:01 AM on May 30, 2024
Probably obvious, but the first thing I would do is verify that you can’t ping between the 192.168.0 addresses and 192.168.2. You would think you couldn’t, but I’ve met routers that will do ARP in unexpected places.
If I was feeling really hacky I would change the subnet on the LAN to 192.168 (netmask 255.255.0.0 or /16). I can’t find a user manual for the BR440 so I’m not sure if that’s possible.
posted by Tell Me No Lies at 8:10 AM on June 1, 2024
When telcos supply routers with a public wifi feature, the design intent is to allow those routers to offer wifi Internet access to the telco's entire customer base in a way that doesn't allow access to the private LAN at the premises where the router is physically installed.
Access controls on the public wifi network - of which there are sometimes none at all - are managed by the telco, not by the customer whose premises the router is at. Traffic on the public wifi network also doesn't count against any data volume caps applicable to that customer. If the router provides any way at all for the customer to disable the public wifi network, there will sometimes even be a kickback arrangement to incentivize not doing that.
If I understand the Sky offering correctly, the public wifi network involved in this question is of that kind. So given that this BR440 apparently won't even let you disable the public wifi network, I would be astonished to learn that it would allow itself to be reconfigured to nobble the separation between public wifi and private LAN.
What it all boils down to is that ISP-supplied routers in general, and telco-supplied routers in particular, are a nest of vipers and best avoided entirely by anybody whose use case requires them to care about stuff like internal IP addresses. If you can use your own router instead then do use your own router instead, and if you can't, find a less insane ISP.
posted by flabdablet at 9:54 PM on June 1, 2024
If the .2.x devices are only used internally, add routes to the clients so they know they can reach 192.168.2.x on their local lan (this could be done with ROUTE on windows, or DHCP options or plugging an extra lan cable into each client on the 192.168.2.x network). But in two years when they add a new PC nobody will remember how to do this.
You could add a router/l3 switch between the lan and the internet that would handle routing 192.168.2.x traffic back onto the lan - doable but probably nearly the same overhead as double-nat plus you might have to spend time learning how to configure it.
Or just stick any decent internet router between the lan and the sky box, set it to .2.x on the lan side and live with double-nat. Assuming they're not hammering the connection or trying to win in counterstrike chances are nobody will be annoyed by this.
posted by samj at 2:14 AM on May 30, 2024
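To make the routing decisions in this thread concrete, here is an added example that is not from any poster: a small longest-prefix-match model of a client's routing table, showing why a 192.168.0.x host sends 192.168.2.x traffic to the BR440 by default, and how Tell Me No Lies' /16 mask or an explicit on-link route (samj's suggestion) changes that decision. The BR440 address 192.168.0.1, the client 192.168.0.20 and the legacy service 192.168.2.10 are constructed sample values.

```python
# Added example, not code from the thread: model a client's routing table and
# resolve where a packet for a legacy 192.168.2.x service would be sent.
# Assumed sample addresses: BR440 = 192.168.0.1, client = 192.168.0.20,
# legacy service = 192.168.2.10.
from ipaddress import IPv4Address, IPv4Network

BR440 = "192.168.0.1"
LEGACY = "192.168.2.10"


def lookup(dest, routes):
    """Resolve dest by longest-prefix match.

    routes: list of (IPv4Network, gateway). gateway None means the prefix is
    directly connected, so the client ARPs for dest itself ("onlink");
    otherwise the packet is handed to the gateway ("via").
    """
    dest = IPv4Address(dest)
    best = None
    for net, gw in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dest}")
    net, gw = best
    return ("onlink", str(dest)) if gw is None else ("via", str(gw))


def host_routes(addr, prefixlen, extra=()):
    """Table a DHCP client ends up with: connected subnet + default route,
    plus any extra static routes (e.g. from `route add` or DHCP option 121)."""
    connected = (IPv4Network(f"{addr}/{prefixlen}", strict=False), None)
    default = (IPv4Network("0.0.0.0/0"), BR440)
    return [connected, default] + list(extra)


# 1. As issued by the BR440 (/24): 192.168.2.10 is off-subnet, so it goes to
#    the default gateway, which will not route it back onto the LAN.
default_cfg = lookup(LEGACY, host_routes("192.168.0.20", 24))

# 2. Tell Me No Lies' hack: a /16 mask makes all of 192.168.x.x on-link.
wide_mask = lookup(LEGACY, host_routes("192.168.0.20", 16))

# 3. samj's route: keep /24 but add an on-link route for 192.168.2.0/24.
onlink_route = lookup(
    LEGACY, host_routes("192.168.0.20", 24, [(IPv4Network("192.168.2.0/24"), None)])
)

if __name__ == "__main__":
    for name, r in [("/24 default", default_cfg), ("/16 mask", wide_mask),
                    ("on-link route", onlink_route)]:
        print(f"{name:14}: {r[0]} {r[1]}")
```

This models only the client's outbound decision: a legacy host still configured with a /24 mask will send its replies for 192.168.0.20 to its own (possibly long-gone) default gateway, so the return path needs the same treatment or a router in between that handles it.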