Connect 2 routers using unsecure channel

There are 2 routers connected using a 1Gb cable; one router is a slave router connected to a LAN port of the master router. The cable is physically unsecured, and I want to secure the connection.

I have tried Wireguard, and it is slow: it gives me only 100Mbps using my hardware. I'm not even trying OpenVPN.

What is a good solution to secure a connection through a nonsecure channel while keeping the speed? I plan to figure out what PPPoE is, but first I'd like to know if it meets my needs.

Can you elaborate on the following:

  • What brand/model routers are you using?
  • What is the output of ubus call system board for each device?
  • What is the purpose of the downstream router?
  • Do devices on the downstream router need to be on the same subnet as the upstream?
  • What do you mean by the cable being unsecured?
  • What is the threat you anticipate?
  • How smart/determined are the people who you think would be attempting to compromise your system?

PPPoE is not secure, your best option is probably wireguard. Perhaps you can do some tuning and improve the performance, or think about buying faster routers.


Does that mean a cat5e cable or is the actual bandwidth 1Gbps?
If it stops at 100Mbps it sounds more like the actual bandwidth is only 100Mbps.

How far apart are these two routers since they are in a LAN setup?

I get ~873 Mbps by cable and ~140 Mbps using Wireguard over the same cable. The weakest router is the Xiaomi AC2100; it is the limit.

And what about the rest of the questions you've been asked?

They are, let's say, 30 m apart, 1 floor below. It does not matter as the cable is good and performs very well on 1Gb.

Sorry, missed the questions

{
	"kernel": "5.15.137",
	"hostname": "p",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX4200",
	"board_name": "asus,tuf-ax4200",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

{
	"kernel": "5.15.134",
	"hostname": "parents",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "Xiaomi Redmi Router AC2100",
	"board_name": "xiaomi,redmi-router-ac2100",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

  1. Purpose of the downstream router is to serve my parents living one floor below me.
  2. No need for the same subnet, I can do whatever I want
  3. "the cable being unsecured" means the cable goes one floor down in a common [cable pipeline], don't know how to say that in English.
  4. The threat is a man-in-the-middle attack on my home network, where all the passwords are 123 and many devices do not have a password at all.
  5. "How smart/determined are the people": I don't know, but this is not good for my feelings

Do they need access to local devices in your network or is it just internet access?

Yep, they need SMB server, and that's all. But this can be dealt with/additional mangles added.

Doesn't really sound like there's much need to 'secure' the traffic on the cable then. Use firewall to block access to your local network, then grant access to the SMB server.
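
As an added example (not part of the original posts): one way to express the firewall approach suggested above as an /etc/config/firewall fragment on the upstream OpenWrt router. It assumes the cable to the downstream router is already on its own interface named parents with its own subnet, and that the SMB server is at 192.168.1.10; the interface name, zone name and address are assumptions, not values from the thread.

```uci
# /etc/config/firewall on the upstream router (added example).
# Assumption: interface 'parents' exists in /etc/config/network on its own subnet.
# Assumption: the SMB server is 192.168.1.10 (constructed address).

config zone
	option name 'parents'
	list network 'parents'
	# Nothing arriving on the shared cable reaches the router itself
	# or any other zone unless a rule below allows it.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Internet access for the downstream router.
config forwarding
	option src 'parents'
	option dest 'wan'

# The downstream router still needs a lease and name resolution
# from the upstream router, which the REJECT input policy would block.
config rule
	option name 'Parents-DHCP'
	option src 'parents'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Parents-DNS'
	option src 'parents'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# The only path into the home LAN: SMB to one host.
config rule
	option name 'Parents-SMB'
	option src 'parents'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '445'
	option target 'ACCEPT'
```

Because there is no forwarding from parents to lan, anything other than TCP 445 to the SMB host is rejected, so a device spliced into the cable lands in the restricted zone rather than on the home LAN.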


This is probably the best solution. Thank you

BTW, I have an additional question about splitting LAN4 from br-lan, may I ask it here or should I create an additional topic?

You want encryption on the wire, but encryption being CPU intense should not really come as a surprise, that's just the nature of the technology.

Yes, I would expect wireguard to be a tad faster than 100 MBit/s on filogic 830, but I haven't tried that either (nor do I have any filogic devices around).

Best to start a new topic. Makes it easier for others in the future to find information that they might need through searches.

To be able to do inductive wire tapping on a 30m cat5e (or better) cable inside a lan inside a cable pipeline inside your home, then you actually need the NSA themselves as enemies. No one else cares or has the capacity.

A MITM attack pretty much requires a proxy server mounted in the line, and they usually already have your crypto keys so encrypted traffic doesn’t matter.

But if your passwords are 123…!?, what is the point with this then?

You have two easy ways to “secure” this cable from your fears, buy an FTP cable or run an opto fiber cable instead.
Note that an FTP cable can only work if the ethernet connectors on your devices are shielded!

It seems to me it requires just a twist in between. But this does not matter for now.

For example, Moode player does not have a password and it allows access to your SMB server. And also my iMac does not have a PIN code like windows does, so I'm unable to use a good password for everyday use.

How much can this cost? And how can an FTP cable protect me from an inset and twist?

Security isn’t cheap, and the sales departments love to scare people into buying useless crap!

The whole idea with cable shielding is that it doesn’t leak or receive signals in an EMC environment.

But ethernet signals are twisted pairs of differential voltage already so there isn’t much signal to pick up to begin with.

What is an “inset and twist” and how is someone supposed to do that inside of your home inside a cable pipeline?

I'm not so crazy about EM really)
But to secure unsecured cable is really a good idea even in home networking. Isn't it?

Optics is much more expensive than two additional powerful routers. So maybe the firewall is just enough, I just need to figure out how to exclude LAN4 from br-lan, I'll create a new topic for that. Documentation is not enough.

"What is a “inset and twist”"
Don't know how to say it in English. This is when you cut a cable and put a third cable in between. Then you get an IP and do a netscan and so on. Then you SSH onto a Mac

I don’t really see how this actually can be done in your home inside of the cable pipe without you knowing about it?