DHCP

[fourtwentyfour]

I see that my pc has DHCP enabled, and so does my router. Which allocates address, is there a conflict?

I have a Synology NAS, DS416 whose addresses can be hard to find after a new internet provider is used, or randomly, sometimes. I eventually fix it, but it takes most of a day, and the solution seems variable.

The problem seems to be that the NAS ip address is changed by, for example, the new router, but the NAS seems not to agree and keeps the old one. (I think).

I know there are static and dynamic IP addresses, and wonder if I might be able to set a fixed address for the NAS, and if so would this be sensible? Should I set fixed address's for everything?

[servodude]

I see that my pc has DHCP enabled, and so does my router. Which allocates address, is there a conflict?

I have a Synology NAS, DS416 whose addresses can be hard to find after a new internet provider is used, or randomly, sometimes. I eventually fix it, but it takes most of a day, and the solution seems variable.

The problem seems to be that the NAS ip address is changed by, for example, the new router, but the NAS seems not to agree and keeps the old one. (I think).

I know there are static and dynamic IP addresses, and wonder if I might be able to set a fixed address for the NAS, and if so would this be sensible? Should I set fixed address's for everything?

I'd expect your router to be the DHCP server
And I'd suggest you look at the options it has for "reserving' addresses, whereby it will allocate the same IP address to a MAC address everytime it sees it

[Infrasonic]

There's pro and cons to any methodology - especially these days wrt to security...

Historically I would have gone for fixed IP for anything that is on a cable and not moving around - so desktop PC's, NAS', et al.
The less clients you have on Wi-Fi the better for latency as well - keep it to laptops and mobiles only if possible.

However - there has a been a marked increase in WAN side attacks on routers and NAS and some of the bigger brands like QNAP, Synology have been hit with zero click ransomware issues. Unlike QNAP Synology have been pretty good at patching quickly but it's becoming a bit of an arms race.

So if you really need WAN side access to the NAS I'd be reading up on strengthening your router and NAS defences, looking at VLANs, port knocking et al. It might require a better router and/or use of a secondary one which can be tweaked as needed (a good reason to hang on to old routers... ).

https://en.wikipedia.org/wiki/VLAN

https://en.wikipedia.org/wiki/Port_knocking

[fourtwentyfour]

Ok, thanks.

I might have misunderstood before.. I now think that the pc, and any other attached device having DHCP enabled means they can be subject to an address change, but a router which is DHCP enabled can initiate new addresses to everything? So the pc and router are not fighting each other to give out addresses.

Ideally I want everything on my side of the router, except the pc, not to have access to the outside world, and to be invisible to it. How do I do that easily? (The two links suggested might be a little complex for me, at this stage.)

On the other hand, the NAS is the most vulnerable device, and for all of the time the pc is in use the NAS is visible to the pc. Maybe I am using it wrongly?

I don't use wifi, all is cable fed, and a couple of switches are used too.

[I visualise my pc, with the internet to the left, and my local stuff to the right, such that each side cannot see the other, but it doesn't seem to work like that?]

[Infrasonic]

You need to check your router and NAS settings and make sure all WAN side remote admin access is switched off (it should be off by default but always check as it isn't universal...). If there are default admin passwords that you've never changed then change them - believe it or not they used to be things like 0000 or 1234...(The default admin codes might be on a sticker on the bottom of the router.)

Once you've done that do a search of your specific router model number and NAS model number and see if there are any firmware security issues that would allow a WAN side attack using elevated admin privilege exploits. If there are check for firmware updates fixing the issues.

If you don't need to access from the internet then traditionally you would have been pretty safe - all that is happening now is that there are more exploits coming to the attention of the hackers so updates to firmware settings are relevant.

Home routers have been a bit slack there and you might be forgiven for thinking the OEM's are deliberately keeping it that way so you have to keep buying new kit every few years as the old unsupported boxes become ever more vulnerable to exploitation...

ISP supplied modem/routers from companies like BT should have vulnerabilities patched automatically as they will have super admin access rights. You'd need to check you contract small print to see how long they go on for and I wouldn't assume they will just fix everything anyway - they do whatever they have to rather than what they should do.

[fourtwentyfour]

My router is a Virgin Media Hub 3.0

Default Password changed
Remote Access Disabled
Port Forwarding None
DMZ Disabled
IPv4 Port Filtering On
Mac Filtering On [I notice attached devices PC and NAS connect to ethernet, I can add rules to stop NAS access? Do I need to?]
IPv4 Firewall On

NAS
External Access not set-up

Question:
I have a BT Hub 6, can I use Modem Mode on the Virgin router and connect the BT hub to do a better job? How? Would there be a speed limit? [I’d like everything to work, in my house, with the ability to turn off/on the internet, on demand.]

[Infrasonic]

MAC filtering should just be a whitelist for permitted devices you want to communicate on the LAN.

If the Virgin hub does everything you need it to then leave it set up as is.

The only advantage to using the V hub in modem mode with the BT hub is if the BT has more router features or you want to set up a segmented system akin to the VLAN link but with hardware.

I don't use either of those modem/routers so you'd have to do some digging around the Virgin/BT user forums to see what the limits are settings wise. There's some pretty clued up users on those forums generally.

Did you check the Virgin hub and Synology NAS to see when the last firmware updates were?

Has the Synology got its own firewall or can you install one from the Synology app store? That would give you a bit more control over the NAS.

[fourtwentyfour]

The Virgin Hub 3.0 has software version: 9.1.1912.304 but it seems as if I have no control over it.

The NAS is up to date and the firewall is enabled with basic settings. I don’t really have the knowledge to set up things in a better way, yet.

Ideally I would like my local stuff like printer/NAS ets to be in their own local network so nothing can get at them. If we imagine the world outside my front door is the internet, the front door is the router, my living room is where I use the pc, I’d like the other stuff in the garage, where it can’t get to the front door without my permission and help, if you see what I mean.

I do have this BT Hub 6 spare, although I don’t know how it would connect to the modem as it doesn’t have WAN socket, only ethernet and the usual telephone type broadband one.

As an aside, I use the NAS as a file server, I read and write to it, with no storage on the pc. Is that the right thing to do?

[Infrasonic]

The Virgin Hub 3.0 has software version: 9.1.1912.304 but it seems as if I have no control over it.

Virgin will push down firmware updates as they become available - you need to be aware if there are any security issues that crop up in future though so that you don't get caught out before an update is issued. Set up a news feed or RSS feed for your router + security as the search term/topic.

The NAS is up to date and the firewall is enabled with basic settings. I don’t really have the knowledge to set up things in a better way, yet.

Have a look at the user forums for recommendations.

Ideally I would like my local stuff like printer/NAS ets to be in their own local network so nothing can get at them. If we imagine the world outside my front door is the internet, the front door is the router, my living room is where I use the pc, I’d like the other stuff in the garage, where it can’t get to the front door without my permission and help, if you see what I mean.
.

That's generally how they are set up - it's only when they get breached with a remote code /admin privileges escalation hack that there are problems, as then they can access settings and change things. There's a catch 22 here - the only way you can strengthen your defences beyond what the firmware updates will do is to learn the ins and outs of networking security as it applies to modem/routers and NAS'. You can generally save settings, so if you did change something and it messed up you should be able to reload the old settings or resort to factory defaults.

I do have this BT Hub 6 spare, although I don’t know how it would connect to the modem as it doesn’t have WAN socket, only ethernet and the usual telephone type broadband one..

Your Virgin Hub modem has the ISP WAN input- your BT hub would be feeding off of that via the LAN ports as you're only using it as a switch/router. Don't forget although they are called 'routers' the ISP ones are actually a combined modem/firewall/router/switch + some more advanced ones have NAS/print server facilities via USB as well.

As an aside, I use the NAS as a file server, I read and write to it, with no storage on the pc. Is that the right thing to do?

Are you backing the NAS up to another drive? Otherwise you've got a single point of failure there. If the Synology has a USB socket it should be pretty straightforward to do and keep the USB drive unconnected apart from when you back the NAS up. That way if you did get a ransomware infection on the NAS you at least have a clean backup on another drive.

Any topics where you need to improve your knowledge, search them and look at articles or Youtube tutorials on to how to do it.

There's a good basic networking tutorial YT channel here that breaks it all down into small chunks and single topics, once you understand the packet signal flow it starts to make more sense (but networking is hard I'm afraid, there's no way around it...)...https://www.youtube.com/c/PowerCertAnim ... eos/videos

[Infrasonic]

'Synology DS 416 firewall settings' search on Youtube...https://www.youtube.com/results?search_ ... l+settings

[tsr2]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

[mc2fool]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

I agree, although the purists will say don't do that, set up fixed IPs on each device instead. But I nevertheless still (mostly) use DHCP reservation 'cos then you can set them all (well, most) in one place, on the router.

Note however that many routers have quite small limits as to the number of IPs you can reserve ... on my current Huawei it's just 8, and I have potentially 11 devices so 3 have their IPs set on the device.

Something else you might want to look into is the hosts file. In Windows it's in c:\Windows\System32\Drivers\etc\ and there's plenty on it if you google for windows hosts file. In a nutshell it lets you assign names to IPs, so you can then access your DS416 as http://DS416 and \\DS416, or http://MyNas and \\MyNas, etc...

[ReformedCharacter]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

I agree, although the purists will say don't do that, set up fixed IPs on each device instead.

Thanks. Out of curiosity, why do the purists say to set fixed IPs on each device rather than router reservation?

RC

[martinc]

I read a thread like this and I wonder what I am doing wrong.

I have a BT Homehub 6, I recently added a RaspberryPI printserver to my LAN. I named the pi 'printserv01' when I set up the SD card. When the pi boots it tells the DHCP server on the BT homehub that it wants to be called 'printserv01', the homehub allocates an IP address like 192.168.1.123 but I don't care what it is. The hub works as a DNS server for LAN addresses so any DNS-enabled system on the LAN can reach printserv01 by name, and I don't have to worry about allocating IP addresses. After the first boot I can ping/ssh/cups web page to printserv01 with no problems.

The hub forwards WAN address to BT's DNS servers, I can't change that but I could set Google's DNS servers manually in each system if I wanted to.

On my Windows systems I set the address to automatic (it's the default) and the same thing happens.

This works for all my systems, even VMs get their own LAN address and node name. The IP addresses from the hub are very stable (i.e. they don't change),
even if they were all reset I wouldn't care.

Why would I add printserv01 to my hosts file if I can resolve the name using DNS? Why would I fix IP addresses for no reason?

The homehub never allocates addresses in the range 192.168.1.0-63 so I could use those I suppose.

I would ask the original poster what is he worried about? Your NAS should have a setting to 'Use DHCP' or 'automatic', make sure that's set to start with.

[mc2fool]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

I agree, although the purists will say don't do that, set up fixed IPs on each device instead.

Thanks. Out of curiosity, why do the purists say to set fixed IPs on each device rather than router reservation?

RC

Well, I remember that being the case when I read up on it many years ago, but on a quick google now to remind me of the arguments, it looks like it may have gone the other way! So now I'm going to leave googling static IP vs DCHP reservation as an exercise for the reader....

[Breelander]

I read a thread like this and I wonder what I am doing wrong.

I have a BT Homehub 6.... This works for all my systems, even VMs get their own LAN address and node name. The IP addresses from the hub are very stable (i.e. they don't change), even if they were all reset I wouldn't care.

Why would I add printserv01 to my hosts file if I can resolve the name using DNS? Why would I fix IP addresses for no reason?....

I have a BT HomeHub 6 too. I use its DHCP server to assign IPV4 and IPV6 addresses for all of my devices. Currently the hub's table of leased addresses show 10 addresses of each type are being leased out. Never felt the need to use a fixed IP or a HOSTS table entry.

[ReformedCharacter]

I read a thread like this and I wonder what I am doing wrong.

I have a BT Homehub 6.... This works for all my systems, even VMs get their own LAN address and node name. The IP addresses from the hub are very stable (i.e. they don't change), even if they were all reset I wouldn't care.

Why would I add printserv01 to my hosts file if I can resolve the name using DNS? Why would I fix IP addresses for no reason?....

I have a BT HomeHub 6 too. I use its DHCP server to assign IPV4 and IPV6 addresses for all of my devices. Currently the hub's table of leased addresses show 10 addresses of each type are being leased out. Never felt the need to use a fixed IP or a HOSTS table entry.

I use fixed IP addresses to access an IP camera and for remote access to connect to a Raspberry Pi and various old PCs that I use from time to time and keep away from my office. Using Wakeonlan I can start them up remotely too, which is useful but a fixed IP isn't needed for that.

RC

[didds]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

I agree, although the purists will say don't do that, set up fixed IPs on each device instead.

Thanks. Out of curiosity, why do the purists say to set fixed IPs on each device rather than router reservation?

RC

cant say that in 40 years of IT sys admin Ive heard any purist answer, but a pragmatic answer may be ... (?)

if all systems are dhcp and all IPs are set on a reserved dhcp config on the router... losing the router means now nothing has an IP at all, and the replacement router somehow neds to be fully configured to ensure the same MACs get the same IPs.

Whereas every system having a stratic IP configured on it, with the router as gateway, means losing the router doesn't lose any Ips for specific systems and a replacement router merely needs to be the correct gateway IP and netmask - and hey presto off we go again.

Thats the first thing that springs to mind anyway.

[servodude]

There's a lot to digest in this thread, but I think the simple answer may be "DHCP reservation" on the router?

I agree, although the purists will say don't do that, set up fixed IPs on each device instead.

Thanks. Out of curiosity, why do the purists say to set fixed IPs on each device rather than router reservation?

RC

cant say that in 40 years of IT sys admin Ive heard any purist answer, but a pragmatic answer may be ... (?)

if all systems are dhcp and all IPs are set on a reserved dhcp config on the router... losing the router means now nothing has an IP at all, and the replacement router somehow neds to be fully configured to ensure the same MACs get the same IPs.

Whereas every system having a stratic IP configured on it, with the router as gateway, means losing the router doesn't lose any Ips for specific systems and a replacement router merely needs to be the correct gateway IP and netmask - and hey presto off we go again.

Thats the first thing that springs to mind anyway.

That's about the only reason I can't think of
It lets you swap the router and anything that relies on knowing the IP address of something else on the network will "just work"

Which is a niche problem but one that hit me last week when one of the offices I "remote" to via VPN swapped their router and I had to go hunting for the box I use on a couple of new subnets (it's got a slightly unusual configuration for the enterprise network but perhaps if I'd waited long enough its name would have been sniffed out?)

-sd

[Infrasonic]

One reason the OP might be having DHCP problems is if the Virgin hub 3.0 is flaky with its allocation - which a quick search suggests it often is.

In which case as an A/B the spare BT HH 6 could be pressed into action as the router doing DHCP and the VH 3.0 just being the modem, assuming there are no restrictive gotchas there with the BT HH 6?

It seems that quite a few VH 3.0 users have gone the modem + other router route. We have Virgin cable and BT (FTTP) ISP provision in my flat development and there do seem to be a lot more complaints about Virgin wrt to dropping internet / LAN connections...