Question about multiple PC (LAN/WAN) setup and security

[user1679]

This question is probably pretty simplistic but I'm a programmer so my hardware knowledge is limited. I understand the basics.

Currently I play X4 on a Windows desktop (PC_A) in a 2nd floor room and will be creating a "home theatre" (ok, not really, just a large TV) room in the basement which will also have a Windows desktop (PC_B). I want to be able to connect both PC_A and PC_B to each other wirelessly so I can swap my save based on which computer I use while also allowing both of them access to the internet. I do NOT want to use any cloud storage to share my saves because my internet goes down more than I want.

Each desktop has built-in wireless and I looked into getting a second adapter for each and an additional router so I could connect to my internet provider via one adapter (192.168..) and use the other to connect to the local router (10.0...) to create an ad-hock LAN. While this is doable, Windows doesn't like having multiple default gateways and it can cause some problems. What is the most reliable / secure way to connect two computers to each other wirelessly *and* the internet while reducing intrusion risk from the internet side of things?

NOTE: I do not plan to have both machines running X4 at the same time, this is *NOT* a setup for Ventures. I use mods and Ventures is disabled.


Thanks!

PS: I tried YouTube and Google and while there are a lot of videos on how to set up a NAS or rewiring your whole house for a LAN / switch, they seemed a bit overkill for what I need.

[felter]

I don't know if it will be of use to you, but I use Steam Remote play to play games on a laptop in my conservatory, the laptop isn't powerful enough to play any games, so the game itself is playing on the desktop and is streamed over my network to the laptop. The connection can be done through wifi, but I found I would occasionally get lag, especially when one of my neighbours used their internet, so I setup a switch with a cable running from my router to the switch then a cable from the switch to my laptop of course I could just either make or buy a new longer Ethernet cable, but the switch works with the 2 shorter cables. The save games are all stored on the desktop computer and can be accessed from either computer.

[user1679]

I don't know if it will be of use to you, but I use Steam Remote play to play games on a laptop in my conservatory, the laptop isn't powerful enough to play any games, so the game itself is playing on the desktop and is streamed over my network to the laptop. The connection can be done through wifi, but I found I would occasionally get lag, especially when one of my neighbours used their internet, so I setup a switch with a cable running from my router to the switch then a cable from the switch to my laptop of course I could just either make or buy a new longer Ethernet cable, but the switch works with the 2 shorter cables. The save games are all stored on the desktop computer and can be accessed from either computer.

Thanks but the two PCs will be too far away for a cable / switch setup, this is why I was looking at getting a second wireless router. My thought was to do something like this:

PC_A

Wireless #1 on the 192.x.x.x network, using my ISP router as the default gateway
Wireless #2 on the 10.x.x.x network using my second router as the default gateway

--

Second_Router on the 10.x.x.x network

--

PC_B

Wireless #1 on the 192.x.x.x network, using my ISP router as the default gateway
Wireless #2 on the 10.x.x.x network using my second router as the default gateway

In theory this should allow content shared between the two PCs but using two default gateways can make the network slower because packet requests might not go to the proper network. I know I can just throw everything on the 192.x.x.x network but I don't want to create security holes by having a bunch of shared folders on the network that faces the internet. I think there might be a way to set up custom IP tables on the router to route between two networks.

[jlehtone]

• Router routes between subnets. Forwards traffic between them. Is a gateway between subnets
• WiFi Access Point (AP) and WiFi Adapter convert wired traffic to wireless (and back)
• Switch is a hub that connects multiple devices in same subnet. It does not need an IP to function
• DHCP server hands network configuration for other devices on the subnet

You current "ISP router" is probably a "home router" that has AP, switch, router, and DHCP server in one.

Traffic from PC_A goes to AP, to switch, to AP to PC_B when the two PC now communicate via the "ISP device". That traffic is not forwarded by the router to the "WAN subnet" on the ISP side. If you have no control over the ISP router, and particularly if the ISP does, then there is a technical chance (but not on the cheapest devices) that the ISP has session on the device and copies packets that visit the switch.


You could install SSH Server service (or VPN server) on PC and run SFTP client (or VPN client) on the other. The SSH protocol and VPN use encryption. Even if someone would eavesdrop on the router, they would need plenty to decrypt what they saw. (I don't know how to install those services on Windows.) No additional hardware required.


Your plan is to create a second subnet that has "router box" and two PC. The box will not be on any other subnet, so it cannot act as router. Ironically, both PCs will be on two subnets, so they could act as routers. If you let the box to act as DHCP server, then it will hand out "I am the route to other subnets" bit to the PCs, which is totally wrong, as this subnet (10.x.x.x/y) will not have any routers, gateways to other subnets.

Both PC do have NIC port for wired net, don't they?
Consider this. Draw cable from one PC to as close to the other as possible and put AP there. The other PC will have WiFi adapter to connect to the AP.

No DHCP. If Windows does not find DHCP and if it does not have manual config, then it will set up "zeroconf/bonjour/something" IP address. Both PCs will do that. They will be on same subnet (169.254.0.0/16) and not use same IP address. If zeroconf is not enough, then set manual config (no gateway nor DNS).

If possible, tell Windows to not broadcast/advertise on the ISP subnet (192.x.x.x/y) that it exists. Otherwise they show up twice (via both subnets) to the other PC.

For AP there are two options:

• There are devices that are nothing but AP (and have a port for wire too)
• "home router", where you disable the DHCP server and not connect anything to "WAN port", i.e. use only the AP/switch in it

[CBJ]

I don't really understand why this is being made so complicated. Surely both devices are connecting wirelessly to the same broadband router, aren't they? If so then they are already connected to the LAN side of that device and can communicate with one another on that LAN, and you can achieve what you want using simple file-sharing. It's fine to enable that because they're both behind the broadband router's firewall.

[jlehtone]

It's fine to enable that because they're both behind the broadband router's firewall.

I totally agree with that.

Imagine a person sitting on a branch, attempting to cut the branch. We do know that success in cut leads to a fall.
CBJ pointed out that a cut is not wise, if it makes one to fall.
I chose to indulge the paranoia and listed some 101 for efficient cut.

[user1679]

I don't really understand why this is being made so complicated. Surely both devices are connecting wirelessly to the same broadband router, aren't they? If so then they are already connected to the LAN side of that device and can communicate with one another on that LAN, and you can achieve what you want using simple file-sharing. It's fine to enable that because they're both behind the broadband router's firewall.

You're right, they both already go through the ISP provided gateway. My main goal for the secondary network was to isolate them from other devices such as phones and laptops without the need for complex firewall rules.

[Redvers Ganderpoke]

If you really want them on a second subnet and your router is capable of it setup a vlan (virtual lan) on a new subnet and set it up so that it shares the gateway of your router for the Internet. I use this method to segregate my IOT stuff from my PC stuff. They are plenty of guides on how to do it. But some ISP routers are capable of creating vlans.

[CBJ]

I honestly don't see the point of isolating them. If you have untrusted devices on your local network, behind your firewall, then you have bigger problems than someone stealing your savegames!

[jlehtone]

If you have untrusted devices on your local network, behind your firewall, then you have bigger problems than someone stealing your savegames!

This.

Statistically, the user is the greatest vulnerability on the LAN. It is almost always the user, who connects untrusted devices or downloads and executes who-knows-what that turns a device untrusted.

A "firewall ruleset" should be "allow what you must, deny everything else". Isn't it that by default?
If you share a folder in Windows, don't you have to set what credentials/hosts can access it? Don't store your PC password in the laptops and phones.

[alt3rn1ty]

Does your router have a "Guest Network", on mine I just use that for IOT devices, as its a separate LAN to the default which the more important devices connect through.

[user1679]

I honestly don't see the point of isolating them. If you have untrusted devices on your local network, behind your firewall, then you have bigger problems than someone stealing your savegames!

I'm not worried about them stealing my savegame, that's pretty disingenuous. I have people visiting a sick relative that use my network to share videos and save data, and I do other things on my devices besides play games.

Does your router have a "Guest Network", on mine I just use that for IOT devices, as its a separate LAN to the default which the more important devices connect through.

No, my router doesn't offer a guest network which is why I thought of using two adapters. But this, as I mentioned, isn't the most stable way. I'll try asking my ISP for an upgraded router.

[user1679]

If you have untrusted devices on your local network, behind your firewall, then you have bigger problems than someone stealing your savegames!

This.

Statistically, the user is the greatest vulnerability on the LAN. It is almost always the user, who connects untrusted devices or downloads and executes who-knows-what that turns a device untrusted.

A "firewall ruleset" should be "allow what you must, deny everything else". Isn't it that by default?
If you share a folder in Windows, don't you have to set what credentials/hosts can access it? Don't store your PC password in the laptops and phones.

Windows "Advanced Sharing" allows you to turn on/off file and folder sharing for "private" and "public" networks. And when you actually share a file or folder it defaults to "Everyone" and "Read". Naturally I change this to my specific user and remove the "Everyone" but the problem arises where I have to choose if my network is "Public" or "Private". I always choose private otherwise I have to spend the better part of a day disabling Windows Firewall rules and Group Policy to really lock things down from "public".

I really need to look into getting a router with a guest network.

[CBJ]

I'm not worried about them stealing my savegame, that's pretty disingenuous. I have people visiting a sick relative that use my network to share videos and save data, and I do other things on my devices besides play games.

I wasn't being disingenuous. By enabling file sharing on just your game folders, your savegames are the only thing that you're exposing fully to users who are on your network. If the issue is that you want a separate network for visitors then the savegame sharing that you described initially isn't really the problem.

[user1679]

I'm not worried about them stealing my savegame, that's pretty disingenuous. I have people visiting a sick relative that use my network to share videos and save data, and I do other things on my devices besides play games.

I wasn't being disingenuous. By enabling file sharing on just your game folders, your savegames are the only thing that you're exposing fully to users who are on your network. If the issue is that you want a separate network for visitors then the savegame sharing that you described initially isn't really the problem.

My initial question was really about protecting the computer, not specifically the save files. If I share my files on the same network as my ISP provided router, I'm essentially putting all my trust in them and their firmware which they update frequently and often break things. With my current setup using 2x wireless adapters, an intrusion into my ISP's box would show no shared files/folders. But it feels like I'm making my network slower by doing this since packets have a tendency to get lost.