vLAN the answer? Chromecast bullying

Hi guys,

I really need your help/advice. Some background on my current issue:

I am currently living in an old school building that got converted to some form of dorm-like living spaces. Cheap rent/little renting security type of deal (“antikraak” for the dutchies). When the school moved out they ripped all network equipment off the walls and currently the network is comprised of consumer crap. It is managed by “the IT guy” and is honestly a nightmare to anyone that has ever looked into network architecture. We share a single subnet with around 20 people and the amount of switches is crazy.
In the spoiler there is an oversimplified diagram of the current network. (Night theme users beware)

Spoiler: [network diagram image]

1) Modem-router from the ISP. Handles DHCP etc. (aka total crap)
2) Main switch. No clue what brand etc. Probably a super simple 20-24 port GBit consumer model
3) My router that is configured as a switch and wireless access point. D-link DIR 845L. Picked it up cheap and has been working fine for me this far.
4) Other peoples routers/access points and computers.
A) The IT guys room
B) Another guys room where the main switch is located
C) My Room (The only part where I have any control)
D) Other peoples rooms (around 15 of these)

 

What is the problem?

 

The network is one big network. Although I don’t really like it, it was never a big problem. Most of my ports and services are locked up tight so I am not too worried about the security factor. (Most of these people think wifi is the internet etc) The problem is my chromecast. I seriously love the chromecast but every user can cast to it. What is even worse is that EVERY time I cast anything at all every android device gets a push notification to control the cast, a feature that needs to be turned off on every single device independently. This is turning into a real nightmare. People seem to enjoy pausing, stopping and fast-forwarding my cast. I have been trying to run down the culprit and informing people how to turn off the notification but it doesn't seem to help.

 

What needs to happen?

 

I want to put a big giant wall between my network and the shared infrastructure. As long as they can not look into my network easily it’s fine. When I moved in I tried to set my DLink up as a router with its own subnet dealing with its own DHCP etc. Unfortunately someone on the other end of the building was getting his IPs from me for some reason and couldn’t connect to the internet anymore. I have been looking into vLAN but I have hit a limit to my knowledge. Going without DHCP is not really an option, I switch devices and OSes on an almost daily basis. Plus the chromecast doesn't do Static IP as far as I know.


Do any of you have any experience with stuff like this and could you point me in the right direction? If you need some more information don't be afraid to ask!

Edited by QBtech
Made a dumb assumption in the switch speed

put in a simple firewall between your router and the rest of the network, a simple pfsense box or something.
 

Quote

Chromecast discovery packets rely on the DIAL protocol operating at UDP port 1900 and send the requests to the address 239.255.255.250. Ensure that no firewall blocks connectivity between the Chromecast device and wireless client

 


double NAT will fix this for you, just re-enable router and NAT functionality of your own box, and choose a different subnet than whatever the ISP "shytebochz" is. (if you're in college, pick 192.168.69.0/24 , that's always a hit with fellow dorm folks :D) remember that you need to plug dorm network into the WAN side as well.

 

sidenote: this is a complete bodge and very much not recommended in any actually well managed case.

 

also, if your router doesn't do the double nat thing very well, get a shytebox like a TP-Link TL-WR841N, they're so cheap i like to call them disposable, and for some reason TP-Link has a lot of built-in functionality for bodges of this level. and it's not like their 50Mbps speed limit is gonna pose a problem if i hear the state of things. having a hardware wifi on/off switch is pretty nice for a dorm as well.


4 minutes ago, manikyath said:

double NAT will fix this for you, just re-enable router and NAT functionality of your own box, and choose a different subnet than whatever the ISP "shytebochz" is. (if you're in college, pick 192.168.69.0/24 , that's always a hit with fellow dorm folks :D) remember that you need to plug dorm network into the WAN side as well.

 

sidenote: this is a complete bodge and very much not recommended in any actually well managed case.

 

also, if your router doesn't do the double nat thing very well, get a shytebox like a TP-Link TL-WR841N, they're so cheap i like to call them disposable, and for some reason TP-Link has a lot of built-in functionality for bodges of this level. and it's not like their 50Mbps speed limit is gonna pose a problem if i hear the state of things. having a hardware wifi on/off switch is pretty nice for a dorm as well.

The ISP box operates on 192.168.1.xxx. Actually the internet is not that bad. Decent 200 down and 40 up if no one is doing anything.

 

What you are suggesting seems like what I did in the first place. Connect to WAN and set another subnet (192.168.4.xxx). It caused problems, so is there something I am forgetting?


Just now, QBtech said:

 

What you are suggesting seems like what I did in the first place. Connect to WAN and set another subnet (192.168.4.xxx). It caused problems, so is there something I am forgetting?

which specific router were/are you using?


1 minute ago, manikyath said:

which specific router were/are you using?

D-link DIR 845L.

 

Have been looking into getting something that runs ddwrt though. The UI of my router is pretty locked down


7 minutes ago, QBtech said:

D-link DIR 845L.

 

Have been looking into getting something that runs ddwrt though. The UI of my router is pretty locked down

i'm not the biggest fan of D-Link to say it nicely :D

 

i'll accept a company who uses TP-Link equipment, if i find D-Link in a professional environment, it'll be either down the trash or out the window :P

--

as for recommendations, i actually suggest staying away from ddwrt because the devices that support it fully are usually in the same price bracket as very well worked out devices with loads of functionality that make a custom firmware an unnecessary hassle. i myself have bought a linksys LRT214 because i didn't need wifi (tp link shitboxes handle that for me at the moment), and it was in the same price bracket as a powerful home router. in general i'd suggest searching for routers supporting the features you're interested in, rather than supporting ddwrt.


47 minutes ago, QBtech said:

The ISP box operates on 192.168.1.xxx. Actually the internet is not that bad. Decent 200 down and 40 up if no one is doing anything.

 

What you are suggesting seems like what I did in the first place. Connect to WAN and set another subnet (192.168.4.xxx). It caused problems, so is there something I am forgetting?

I feel like something is wrong with your setup or your configurations.

 

If the incoming Ethernet Cable from the main router is plugged into your WAN port, and your WIFI is secure, and you plug your local devices into the LAN ports, there should be no way that another tenant is getting assigned an IP Address by your router.

 

Are you sure he wasn't on your WIFI or something? Change your SSID and the password for it, just to be safe.

 

But yeah, basically, you need to enable Double NAT and just use your Router as a Router again. Using PFSense or DD-WRT or any other type of thing like that is basically just doing an overcomplicated version of what your device is already capable of.

 

Use the KISS system: "Keep it simple, stupid" (Not calling you stupid :P)


1 hour ago, manikyath said:

--snip--

As I said, bought it cheap. You are right about dd-wrt. Know of any cheap Gbit 5GHz routers with support for this kinda stuff? I'm honestly wondering if I'm not better off throwing a managed switch in between. Something like TP-LINK TL-SG108E or the NETGEAR GS105E Prosave plus? Any merit to the 3 switch myth? (aka using more than 3 switches in series will tank your connection)

34 minutes ago, dalekphalm said:

I feel like something is wrong with your setup or your configurations.

--snip--

Use the KISS system: "Keep it simple, stupid" (Not calling you stupid :P)

Haha No offense taken. I won't be surprised if there was something wrong with my config. Quick rundown of how it went down:

I moved in, plugged in the ethernet cable that came from the main switch into the WAN port. Set the ISP-modem/router as standard gateway, gave my router a static IP in that network. Set up my own subnet, used 192.168.4.1 as internal IP for the router. Everything worked awesome at my end. Few hours later I was contacted by the IT guy asking how I set up my router as people were having problems. Looked in my DHCP table and actually saw their MACs. The Wifi was hidden and protected by a long alphanumeric sequence wpa2 psk style. These guys aren't hackers/coders/computer people fyi.

 

Anything obvious I did wrong?

Edited by QBtech
Added some switches

5 minutes ago, QBtech said:

As I said, bought it cheap. You are right about dd-wrt. Know of any cheap Gbit 5GHz routers with support for this kinda stuff? I'm honestly wondering if I'm not better off throwing a managed switch in between.

Haha No offense taken. I won't be surprised if there was something wrong with my config. Quick rundown of how it went down:

I moved in, plugged in the ethernet cable that came from the main switch into the WAN port. Set the ISP-modem/router as standard gateway, gave my router a static IP in that network. Set up my own subnet, used 192.168.4.1 as internal IP for the router. Everything worked awesome at my end. Few hours later I was contacted by the IT guy asking how I set up my router as people were having problems. Looked in my DHCP table and actually saw their MACs. The Wifi was hidden and protected by a long alphanumeric sequence wpa2 psk style. These guys aren't hackers/coders/computer people fyi.

 

Anything obvious I did wrong?

Can you grab a screenshot of the WAN settings page? I tried to find the emulator for that model, but looks like DLink doesn't have it online. The closest emulator I could find was for the DIR-855:

http://support.dlink.com/emulators/dir855/112/WAN.html

 

I would honestly set your router's WAN setting to DHCP, instead of Static IP (Unless you specifically need a Static IP - but then you're gonna run into issues because you're running dual NAT anyway)

 

Make sure to black out any private info on the WAN settings page.


9 minutes ago, dalekphalm said:

Can you grab a screenshot of the WAN settings page? I tried to find the emulator for that model, but looks like DLink doesn't have it online. The closest emulator I could find was for the DIR-855:

http://support.dlink.com/emulators/dir855/112/WAN.html

 

I would honestly set your router's WAN setting to DHCP, instead of Static IP (Unless you specifically need a Static IP - but then you're gonna run into issues because you're running dual NAT anyway)

 

Make sure to black out any private info on the WAN settings page.

I needed a static IP for several reasons (SSH WoL). Honestly it is mostly empty atm cuz the best way to put this router into access point mode is to do a factory reset and point the WAN stuff to non existing stuff. Screenshots are in the spoiler:

 

Spoiler: [screenshots]

 

Yes I am not currently home. Yes that is teamviewer. Yes that is a VM that is mostly off xD


1 minute ago, QBtech said:

I needed a static IP for several reasons (SSH WoL). Honestly it is mostly empty atm cuz the best way to put this router into access point mode is to do a factory reset and point the WAN stuff to non existing stuff. Screenshots are in the spoiler:

 

Spoiler: [screenshots]

 

Yes I am not currently home. Yes that is teamviewer. Yes that is a VM that is mostly off xD

Well, just to clear up a few things:

 

The main router IP address is the 192.168.102.1?

 

And the 192.168.102.2 is the IP Address he assigned you as a Static IP?

 

I see nothing wrong there. I can't see how you were serving out an IP Address to another user outside the WAN port.

 

I would maybe give it another shot and see if the issue happens again.


7 minutes ago, dalekphalm said:

Well, just to clear up a few things:

 

The main router IP address is the 192.168.102.1?

 

And the 192.168.102.2 is the IP Address he assigned you as a Static IP?

 

I see nothing wrong there. I can't see how you were serving out an IP Address to another user outside the WAN port.

 

I would maybe give it another shot and see if the issue happens again.

I might give it a go, but this router of mine takes a shitty long time to get back into access point mode (cuz it doesn't really have one) so I've been reluctant. Also everything on my end worked fine and I hate to bother other people (The guy that had the problem is a cool dude xD)

 

As to IPs

ModemrouterISP: 192.168.1.1

My router static: 192.168.1.220

When It was routing:

Internal IP of my router: 192.168.4.1

Dhcp range: 192.168.4.100-150

 

The 192.168.102.1-2 stuff is the current WAN settings to make the access point mode work. I need to point it somewhere nonexisting for some stupid reason otherwise it will not work.


50 minutes ago, QBtech said:

I might give it a go, but this router of mine takes a shitty long time to get back into access point mode (cuz it doesn't really have one) so I've been reluctant. Also everything on my end worked fine and I hate to bother other people (The guy that had the problem is a cool dude xD)

 

As to IPs

ModemrouterISP: 192.168.1.1

My router static: 192.168.1.220

When It was routing:

Internal IP of my router: 192.168.4.1

Dhcp range: 192.168.4.100-150

 

The 192.168.102.1-2 stuff is the current WAN settings to make the access point mode work. I need to point it somewhere nonexisting for some stupid reason otherwise it will not work.

None of that looks incorrect to me.

 

That would be like my neighbour (on the same ISP) being able to get an IP from my modem. Of course, it's not an exact one-to-one comparison, but your neighbour's device shouldn't even be able to see your DHCP server (192.168.4.1).

 

I would re-setup the WAN Router, and ask your bud to ping 192.168.4.1 and see if he gets a response - or ping any computer on your subnet.

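The symptom discussed in this thread (tenants on the shared 192.168.1.x network showing up in the DHCP table of the 192.168.4.1 router) can be confirmed from a capture taken on the shared side. The sketch below is an added example, not part of the original thread: it parses DHCP replies and flags any whose server identifier or lease falls outside the shared network. The sample packets are constructed and the MAC address is a placeholder.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Values taken from the thread: ISP modem-router and the shared subnet.
EXPECTED_SERVER = ipaddress.ip_address("192.168.1.1")
SHARED_SUBNET = ipaddress.ip_network("192.168.1.0/24")

def parse_dhcp(payload):
    """Return yiaddr, client MAC and the option TLVs of a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[payload[i]] = value
        i += 2 + length
    return {"yiaddr": ipaddress.ip_address(payload[16:20]),
            "client_mac": payload[28:28 + min(payload[2], 16)].hex(":"),
            "options": options}

def audit_reply(payload):
    """List reasons a DHCP OFFER/ACK seen on the shared LAN looks rogue."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(53) not in (b"\x02", b"\x05"):      # 2 = OFFER, 5 = ACK
        return []
    findings = []
    server = opts.get(54, b"")                      # option 54 = server identifier
    if len(server) != 4 or ipaddress.ip_address(server) != EXPECTED_SERVER:
        who = ipaddress.ip_address(server) if len(server) == 4 else "unknown"
        findings.append(f"unexpected DHCP server {who}")
    if msg["yiaddr"] not in SHARED_SUBNET:
        findings.append(f"lease {msg['yiaddr']} for {msg['client_mac']} is outside {SHARED_SUBNET}")
    return findings

def build_offer(server, lease, mac):
    """Constructed sample: a minimal DHCPOFFER payload (not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), ipaddress.ip_address(lease).packed, bytes(4),
                         bytes(4), bytes.fromhex(mac.replace(":", "")), b"", b"")
    server_id = ipaddress.ip_address(server).packed
    return header + MAGIC_COOKIE + b"\x35\x01\x02" + b"\x36\x04" + server_id + b"\xff"

if __name__ == "__main__":
    for srv, lease in (("192.168.1.1", "192.168.1.57"), ("192.168.4.1", "192.168.4.101")):
        print(srv, audit_reply(build_offer(srv, lease, "02:00:00:00:00:01")))
```

A reply naming 192.168.4.1 as server on the shared side means the router's LAN-side DHCP is reaching the building network, whatever its WAN settings page shows.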

  • 4 weeks later...

Hey guys, just wanted to give you an update. I picked up a linksys e2000 running tomato firmware for €20 and it has solved all my problems out of the box. I tried to recreate the issue with my dlink router and it showed up again, just really reaaalllly weird. Thank you guys for all your help!
