Use a More Sophisticated IP Address Scheme on Your Network

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different and that's fine, I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers, you're not constrained to that subnet mask of 255.255.255.0, you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you just change this to 255.255.254.0, now instead of your local network being just 192.168.0.x, you also have 192.168.1.x. What's cool about this is that now you can use 192.168.0.x and 192.168.1.x for different things and be easily able to tell at a glance what is what.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post Use DHCP Reservations Instead of Static IP Addresses, you should use DHCP reservations, not static IP addresses). So then I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x. And then I could set my DHCP server to utilize addresses starting at 192.168.1.1 and ending at 192.168.1.254. And at that point, I can tell at a glance if something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x).

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask and now, using my previous 192.168.0.1 router IP address as the assumption, your local network is 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x. And now you have 2 additional octets available to you. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, let's say you have a printer on your network that you want to be able to print to so you want to access it locally, but you don't want it exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.

And if you need even more octets than 4, just change your subnet mask and you can get 8, 16, 32, 64, 128, or even 255 of them.

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even use its own subnet mask so you can do this kind of thing for your guest network too and see at a glance what devices are known and unknown in your guest network (and yes, it can make sense to have known devices in your guest network; see my post Two Security Approaches You Should Be Taking on Your Network for more information on this subject).

Two Security Approaches You Should Be Taking on Your Network

Routers these days are very sophisticated in regards to what they can do and you should take the time to configure yours to provide robust security. While not meant to be in any way comprehensive as to everything you should be doing from a security perspective on your router, this post offers 2 security approaches you should be implementing with your devices and router(s):

  1. Use the guest network for anything that doesn't need to talk to other devices on the network.

    Actually, if your router supports VLANs, using a VLAN for anything that doesn't need to talk to other devices on the nework is even better than using the guest network. For more information on this, see this excellent post.. But that post points out, most home routers do not, as of this writing, support VLANs. As such, utilizing a guest network is your best option on most home routers.

    A guest network sounds like something you would use only for your guests' devices, but this is too limited a view of a guest network; instead, you should think of your guest network as the place to put any device that doesn't need to talk to other devices on the network.

    These days there are all sorts of IoT (Internet of Things) devices that we don't access directly but rather we interact with via a cloud services. Got a smart thermostat on your network? How about a smart plug? Maybe a smart scale? Chances are that you don't directly access these devices but rather you access a cloud services to interact with these devices. Well, if that's the case, why would you want these devices to be able to talk to other devices on the network? Put them on your guest network: they'll still have access to the Internet, they just won't have access to other devices on the network. Now, you may be thinking "well, just because I don't need them to access other devices on the network doesn't mean I care if they can access other devices on the network." Well, you should care: unfortunately, devices do become compromised from time to time and if someone gets into one of yours, you don't want him/her to use that access to gain additional access to network traffic and/or devices on the network. So: guest network for anything that doesn't need to be able to talk to other devices on the network.

    And you know what would make it even better? If the guest network were on a completely separate router from your main network! If you really want to isolate the devices on your guest network as much as possible from your main network then you use 2 routers and the first (the one connected to the outside world, which most commonly would mean to your router) has the guest network on it and the second (which is connected to the WAN of the first) has your main network on it. Then even if a bad actor gains access to your guest network or to a device on it, he/she would have to gain access from the outside to your second router in order to compromise your main network.

  2. Disable access to/from the Internet for anything that doesn't need it.

    This one goes right along with the one above: in the same way that you don't want to give access to other devices on your network to anything that doesn't need it, you don't want to give Internet access to any device that doesn't need it. Have a printer on your network? Does it need Internet access? Chances are that it does not: chances are that you only need to be able to send print jobs to it on your local network. In the last item, I pointed out that unfortunately, devices do become compromised from time to time and in that case the point was to protect everything else on the network from a device that becomes compromised; here the goal is to protect a device from becoming compromised in the first place, which is especially important considering that if you need to talk to it (in this example, send print jobs to it) then you can't put it in the guest network which means that if it does become compromised then it's that much easier for the attack to gain additional access to network traffic and/or other devices on the network. So: turn off access to/from the Internet for anything that doesn't need it.

    Okay, great! But how do you do that? Well, the mechanism will vary from router to router, but in general the approach to use is going to be to create firewall rules. You will likely need a firewall rule that blocks all access from all ports from the outside (that is, the Internet) to a device and then a second firewall rule that blocks all access from all ports from a device to the outside. And you'll need such rules for every device on your network, so it might end up being a lot of rules. However, if you follow the guidance in my post Use a More Sophisticated IP Address Scheme on Your Network, you can create (if your router supports it) a rule for the entire octet you use for these devices.

Use DHCP Reservations Instead of Static IP Addresses

I was in an online discussion recently in which the other party talked about using static IP addresses on his/her devices. And I told that person this: the only time I can conceive of there being a need to utilize a static IP address on a device is if the device doesn't support DHCP, which would be a very rare situation.

As long as a device supports DHCP, the best way to get that device to utilize a known and consistent IP address is to utilize DHCP with the device and a DHCP reservation in the DHCP server (which in most home networks would be a function of the router). You want to have the sever (in this case, the router) dictating to the clients rather than having the clients dictating to the server. In so doing, you centralize your IP address control in the DHCP server instead of decentralizing that control to the devices. There are so many reasons this is the best approach:

  • It allows you to change your network address scheme in one place should you want to do so. And it's all seamless for the clients: you make the change on the DHCP server and that's it, you don't have to change anything on the client side.
  • You can move clients to another DHCP-enabled network (which is pretty much any network) without reconfiguring them. If you take a device to another network, it will just pick right up and work because it's set for DHCP.
  • You don't have to track the IP addresses your devices are using, your router does that for you. This means you will never have IP address conflicts. With static IP addresses, you could put multiple devices on the same IP address which would cause network issues. Not only that, you have to account for the IP addresses of your devices using static IP addresses in DHCP anyway (that is, you have to make sure that your DHCP server doesn't give out these addresses to other devices), so why not just have your DHCP server give out those addresses in the first place?
  • With many routers, you can address your devices by hostname and not just by IP address because the DHCP server registers those hostnames. Then that gives you even more flexibility. For example, while I have no intention to ever change the IP addresses of the cameras on my network, I can if I want to because all my viewer apps address those cameras by hostnames and so a change to the IP addresses those cameras are using will be completely transparent to my viewer apps.

Adding a User to the Administrators Group on a Synology Router

Background

I am a huge fan of Synology products. I started with an ioSafe disaster-proof NAS powered by Synology. I bought it because I had a very typical NAS use case: I had some very important data that I wanted to safely store and make accessible via my network. And my ioSafe NAS is amazing at doing that job for me! However, once I got it, I realized it is so much more than just network-attached storage, it's an awesome little server that does a ton of great things for me.

But this post isn't about working with Synology NAS devices, it's about working with Synology routers. So moving on to routers: I've been through a bunch over the years. Quite some time back, I was all about installing DD-WRT onto Linksys routers because DD-WRT allowed the hardware to do so much more than the native firmware and that was useful to me. But when Synology announced they would be releasing their first router, the now-discontinued RT1900ac, I was interested in checking it out and I eagerly snapped it up as soon as it was available. And I loved it, and so when they released their next-generation router, the RT2600ac, I got it as soon as it was available, and I migrated to it from the RT1900ac to get even better range and performance.

One of the great things about Synology's management software for their NAS devices and their routers is that they let you create your own administrator account and give it any user name. This is huge because it means you can disable the default administrator account, which is a security best practice (if an attacker trying to login to a system has to guess at not only the account password but also the account user name, it's that much harder for that attacker to gain access to that system).

You can create a new administrator account on a Synology router using SRM (Synology Router Manager, the GUI for administrating Synology routers) during initial setup of the router. In fact, I believe you actually must set up a new administrator account during initial setup of the router; it's really great that they implemented it that way (though if I'm remembering correctly, it's still up to you to go disable the default administrator account). However, when I started with Synology routers, it didn't work that way: I don't believe that I even had the option to create an administrator account during setup and I certainly wasn't required to do it.

So for all these years that I've had these routers, I have been using the default administrator account. But recently, someone with IP addresses in Russia tried to gain unauthorized access to my Synology NAS (fortunately, they were unsuccessful), and thereafter I decided I needed to step up my security game. There were several measures I took, and one of them was to create a new account, add that account to the administrators group, and then disable the default administrator account on my router as well as on my NAS.

Creating a new account is easy in SRM as well as in DSM (DiskStation Manager, the GUI for administrating Synology NAS devices). Disabling an account (in this case, the default administrator account) is also easy in both SRM and DSM. However, administrating groups, while easy in DSM, is not functionality provided in SRM, which created a major snag in my plan. I was able to work around it by utilizing SSH, and that's what I will show you how to do here. As well as I can tell, no one else has both figured out how to do this process and commented about it on the web and that meant I had to dig in and figure it out, which was a time-consuming process, and I'm writing this in the hopes it can help you get it done a lot faster.

So let's get started!

The steps

  1. Create a backup of your router's configuration settings. If something goes sideways here, you're going to want to have a backup of your router's configuration settings. If you need more information on how to do this, check out this SRM Help Article.
  2. Create the account you want to add to the administrators group. That is to say, create your new administrator account, only it won't be an administrator account when you create it, it will just be a regular user account. But you have to create it and then after you create it, you'll be able to add it to the administrators group. Note that it's possible to create a new account via SSH, but since it's easy in SRM, I recommend you go the SRM route, but it's your call.

    To create a new account in SRM, launch Control Panel, choose User from the menu on the left, press the + button above the list of users, and then fill in the user form (provide values for Name, Password, and Confirm password) as shown in the following screenshot. It goes without saying (but I'll say it anyway) that the Password and Confirm password values need to be the same. But an important note: it's best if the Name value does not include spaces because if you include spaces, the SSH commands in the following steps won't work as written.

    Note that I'm using newadmin for the value of Name, but you'll want to instead use the value you want to use for your new administrator account. Also note that in this and many of the screenshots that follow, I have redacted the user name of accounts I have created on my router.

    When you have filled in the user form, press the Apply button and your new account will be created as shown in the following screenshot.

    You will notice that the new account does not bear the little gold medal with a red ribbon on the user icon like the default administrator account does, which means that the account is not at this time part of the administrators group (adding it to the administrators group is what we'll do next using SSH). Note that I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group; as such, there are a couple of differences in my screenshot and what you'll see: the little gold medal with a red ribbon on the user icon isn't showing on the default administrator account because I've disabled that account, but you can see that it is showing on my actual new administrator account (the user name of which I have redacted in the screenshot).

    It's a good idea to press the Edit button to for your new account and then, in the dialog that appears, enter in a Description and Email for the new user (and then when you're done you'll of course need to press the OK button to save those changes).

  3. Enable SSH. Login to SRM using your default administrator account, launch Control Panel, choose Services from the menu on the left, and then choose the System Services section at the top. You'll see the first portion of the page is Terminal and the first option listed is a checkbox labeled Enable SSH service; you want to check this box (you can leave the port at the default value of 22) then press the Apply button at the bottom of the page.

    You will then most likely get a Firewall Notification dialog asking if you want to allow Internet access to SSH; for purposes of what we're doing here, you definitely do not want this as this creates a potential attack vector for those who may wish to compromise your router. So simply hit the Cancel button.

    Remember what you did here because in the final step you're going to come back here and uncheck this box and apply that change. Even if you found that SSH was already on, I recommend you come back and disable it at the end of this process unless you have a known need to have it enabled as this will preclude any potential security concerns.

  4. Launch your SSH client. If you're on Windows, I'm going to leave this to you to research for yourself how to do this. If you're on a Mac, you simply need to launch Terminal. If you're reading this post and you're a Mac user, you most likely already know how to launch Terminal, but if you don't, check out this information.
  5. SSH into your Synology router as the root account. On a Mac using Terminal, this is the command you need to use:

    ssh -l root xxx.xxx.xxx.xxx

    Where you replace xxx.xxx.xxx.xxx with the IP address of your router (you will see that in the screenshots that follow I utilize synologyrouter.local instead of the router's IP address; if you want utilize that approach, you'll need to use xxx.local where xxx is whatever name you have listed for your router in Control PanelSystemSRM Settings). The command to use might vary slightly with another SSH client.

  6. Enter the password for your default administrator account then press the return/enter key. In Terminal (I can't speak for other SSH clients), the keystrokes for your password won't be reflected on the screen in any way until you have fully typed in the password and pressed the return/enter key. By the way, you're actually entering the password for the root account here, but on Synology routers the password for the root account is the same as the password for the default administrator account. Note that even after you have disabled your default administrator account, the password for the root account continues to be the same as the password for the default administrator account.

  7. Retrieve the current members of the administrators group. Don't overlook this step!!! Ideally, you'd be able to simply add the account you created in step 2 to the administrators group, but that's not possible; rather, when you're modifying the membership of a group, you have to specify all of the accounts you want to be members of the group. So that is to say when you're modifying the membership of a group, it's always a complete overwrite of the existing membership of the group. Therefore, before making any changes to the membership of a group, you need to know what users are currently in the administrators group so that you can specify them, along with the account you created in step 2, as the members of the group. Okay, with that, here's the command to use:

    synogroup --get administrators

    After you enter this command and press the return/enter key, you get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot), but I expect yours will only show admin and SynologyCMS. But regardless of exactly what accounts are shown as members of the administrators group, I recommend that you keep them all as members of the administrators group going forward (meaning you include them all in the command you'll type in the next step).

  8. Write all the members of the administrators group. That verb "write" may sound a little wonky, but I can't stress enough that what you're doing in this step is overwriting the existing membership of the administrators group with the new membership you're specifying in this step. If you mess this up, it could be very bad for you (and this is why step 1 here was to create a backup of your router's configuration settings). You must specify each and every member of the administrators group in this single command. Here's the command:

    synogroup --member administrators admin SynologyCMS newadmin

    So in the synogroup --member administrators part, you're specifying that you're writing the members of the administrators group and then after that you're including each of the accounts you want to be a part of the administrators group. You can see in the screenshot below that I'm specifying all of the accounts returned from the command in the previous step and I'm adding in newadmin, which is the name of the new account I want to add to the administrators group (you of course will need to replace newadmin with whatever account you created in step 2). Again, remember that the redacted parts are my actual new administrator account so don't worry about those, you just need to list all the existing accounts that are members of the administrators group plus the account you created in step 2.

    Just as was the case with the previous command, after you enter this command and press the return/enter key, you will get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot) but you can see that beyond that I'm showing exactly what I expect and what I want here: I have admin, SynologyCMS, and newadmin as members of the administrators group. And this is what you want to see too, except of course rather than newadmin you want the list to include whatever account you created in step 2; if that's what you see, you did it! Now it's time to check things out and clean things up.

  9. Terminate the SSH connection. You might want to skip ahead to the next step and check to make sure that you're seeing the account you created in step 2 as being a member of the administrators group and then come back to this one, but I'm putting it here so that I'm not switching out of Terminal and then back into it. Anyway, all you need to do here is type this command and then hit the return/enter key:

    exit

    After you do that, you can also quit your SSH client as you see fit (you won't need it any longer for what we're doing here).

  10. Login to SRM with the account you created in step 2 and disable the default administrator account. When you created the new account in step 2, you could login to SRM, but you didn't have administrator rights nor did you have access to everything, but now when you login to SRM with your this new account, you'll have full administrator rights and access to everything. And you can visually check to make sure you're set by launching Control Panel, choosing User from the menu on the left, and then looking to see if your new account now bears a little gold medal with a red ribbon on the user icon as shown in the following screenshot (here again I have redacted the user name of my actual new administrator account).

    From the perspective of improving the security of your router, it doesn't do you any good to create a new administrator account if you don't also disable the default administrator account. Obviously you don't want to do this if you haven't successfully added the account you created in step 2 to the administrators group, so it's a good thing we just checked to make sure your new account has administrator rights, isn't it? Well, yeah, but SRM won't let you shoot yourself in the foot here: you can't disable the account with which you are logged in. But you can disable the default administrator account with your new administrator account by selecting admin in the list of accounts; then pressing the Edit button; then, in the dialog that appears, checking the Disable this account box and choosing the Immediately radio button; and then pressing the OK button to save the changes.

  11. Disable SSH. See the first step where you enabled SSH and use it as a guide to disable SSH. You enabled it before with the default administrator account, now you can complete the circle by disabling it with your new administrator account.

So there you go! Pretty straightforward, but like I said, not documented in a concise manner elsewhere, so I put this together in the hopes it would help others out. If it was useful to you and you're willing to take a moment to post a comment about it, I'll appreciate that.

BlogCFC was created by Raymond Camden. This blog is running version 5.9.002. Contact Blog Owner