# Is there a way to "mask" a DHCP assigned IP address in a personal computer?



## Sivan! (May 5, 2022)

I do not have a static IP for my computer connected by fiber to home.  My ISP assigns an IP address by DHCP,  is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand but this URL to a how-to guide points to a method.

Someone very knowledgeable about networking, especially Security issues once told me not to expose my computer to the Internet, whatever that meant (it was in the context of giving me a primer about VMs).  I am on a desktop computer, is there a way to set a static IP, and / or even otherwise, "mask" the IP address?


----------



## ct85711 (May 5, 2022)

Sivan! said:


> Someone very knowledgeable about networking, especially Security issues once told me not to expose my computer to the Internet


This person is completely right; 90% of the time you do NOT want your computer/internal network exposed directly to the internet.  Going by what you are attempting to ask, the question is how you can get the public ip address given to your modem/router to your computer.  This is actually going against your friend's advice.  To explain this with an analogy (so you can maybe understand this better), think of a gated community/neighborhood.  The secure/default way is that anyone coming in from the street gets stopped and screened at a guard house, which will allow valid traffic in and stop others that have no business there.  By giving your computer a public ip address, you are cutting out the guard house; and any Joe Doe can walk in from the street and go to your computer without anyone making sure he is allowed to or not.

So, are you sure you want to go this route?  A better question would be what are you trying to solve?  As by knowing that, we will have a better chance of advising you a better path you can take (i.e. using the proper tool for the job instead of brute forcing it with a sledge hammer).


----------



## Sivan! (May 5, 2022)

ct85711 said:


> This person is completely right; 90% of the time you do NOT want your computer/internal network exposed directly to the internet.



Yes, he is.



ct85711 said:


> Going by what you are attempting to ask, the question is how you can get the public ip address given to your modem/router to your computer. This is actually going against your friend's advice.  To explain this with an analogy (so you can maybe understand this better), think of a gated community/neighborhood.  The secure/default way is that anyone coming in from the street gets stopped and screened at a guard house, which will allow valid traffic in and stop others that have no business there.  By giving your computer a public ip address, you are cutting out the guard house; and any Joe Doe can walk in from the street and go to your computer without anyone making sure he is allowed to or not.



Not really.  This was actually two questions, one somewhat in conflict with another:

1.  My understanding of a static public IP address is that it would make it easy for me to set up a Web-server for a not-so-important blog or to experiment with network design as in a learner's lab, which sometimes require the IP address specified in settings.

2.  The idea of "masking" (not to be confused with the technical term as in 'subnet mask') the IP address is to follow the advice of not exposing my desktop computer directly to the Internet (assuming I will use a different one for the web-server). The question was to ask if there is a way of assigning an internal IP address.

No, I wasn't thinking of making the modem/router's address my computer's public IP.



ct85711 said:


> So, are you sure you want to go this route?  A better question would be what are you trying to solve?



I am trying to find a way to "harden" my network, like how one hardens an operating system. The network would be hardened against access by malicious traffic, sometimes targeted, even though it is one computer, and sometimes a laptop, not to mention a phone on which I may not be able to do much.



ct85711 said:


> As by knowing that, we will have a better chance of advising you a better path you can take (i.e. using the proper tool for the job instead of brute forcing it with a sledge hammer).



Network virtualization would be very useful, but I don't have a server at the moment that would meet the minimal requirements for virtualization server hardware. This is also to learn a little more about networking in the process of solving a real problem.

Thank you for all these thoughts on this post. I hope these answers express the question better, even while adding some more complexity.


----------



## gpw928 (May 6, 2022)

Your post says you are connecting to "my ISP's router at my home".  So it sounds like you have a conventional ISP service with a WiFi router connecting you to the Internet.  This is "your router".

Your router connects to an internal network, to which your workstation also connects (either by WiFi or copper drop cable), and to an external network (via fiber) which resides on the Internet.  Your router routes traffic between the two networks.

Your internal network address will typically be pre-configured on your router to something like 192.168.1.0/24, meaning:

- High order bits comprising network address: 24
- Number of low order bits comprising host address: 8
- Network address: 192.168.1.0
- Network mask: 255.255.255.0
- Broadcast address: 192.168.1.255
- Host addresses: 192.168.1.1 through 192.168.1.254
- Default gateway: 192.168.1.something (usually 1 or 254)

The 192.168.1.0/24 network is reserved for private use.  So you don't have to get permission to use it.

The default gateway is the IP address of your router on the internal network.

Your router will also connect to an external network.  The IP address on that external network (on the Internet) is allocated by your ISP's DHCP server, and may be either static or dynamic.

If you want a static IP address on the Internet, you have to ask your ISP to supply one.  They will generally charge for this service. There is no reason to have a static IP address on the Internet unless you provide services accessible from the Internet, like a web server.

Your router will generally run both a firewall and a DHCP server for your internal network (different to the ISP's DHCP server mentioned above).

Your router's DHCP server will allocate an IP address (on the internal network) to internal clients like your workstation, each time they boot, and tell those clients where to direct network traffic bound for the Internet (i.e. the "default route").

The firewall will be configured, by default, to deny entry into your home network from anything originating on the Internet.  It will also generally allow internal clients to open outbound network connections to the Internet, without limitation.  This is completely usual.

If you want to provide any Internet facing service, like a web server, you have to open up your firewall to allow entry of network connections from the Internet. You should not do this unless you understand how to manage the considerable dangers.

Many people choose to run web servers in the cloud, safely disconnected from their home network.  Virtual cloud machines are cheap (starting at a few dollars a month), have firewalls configured by professionals, and can generally be re-imaged easily if they ever do get compromised.


----------



## bakul (May 6, 2022)

Sivan! said:


> Someone very knowledgeable about networking, especially Security issues once told me not to expose my computer to the Internet, whatever that meant (it was in the context of giving me a primer about VMs). I am on a desktop computer, is there a way to set a static IP, and / or even otherwise, "mask" the IP address?


You need a firewall. The ISP installed router probably already has a builtin one. You can connect to the router via its web interface and see what it does.


----------



## richardtoohey2 (May 6, 2022)

gpw928 said:


> If you want to provide any Internet facing service, like a web server, you have to open up your firewall to allow entry of network connections from the Internet. You should not do this unless you understand how to manage the considerable dangers.


And even if you DO understand the dangers, you'll probably be best splitting your network into networks, with the rest of your home network behind a different firewall.

But if you use your ISP's router's wifi directly (as most people would) then you have to work around that.  (Not sure how - turn off the wifi, add an Access Point wifi gadget, etc?)

You have to assume if you provide a route into ONE machine on your network (like the webserver) that an attacker will be able to jump from that machine to *anything* in your home network (including that unpatched SmartTV, IoT gadgets, PVR, etc.)

Which is why we end up here:


gpw928 said:


> Many people choose to run web servers in the cloud, safely disconnected from their home network. Virtual cloud machines are cheap (starting at a few dollars a month), have firewalls configured by professionals, and can generally be re-imaged easily if they ever do get compromised.



And the original advice was sound:


Sivan! said:


> Someone very knowledgeable about networking, especially Security issues once told me not to expose my computer to the Internet



It can be a good learning experience, but basically you can assume anything on the internet will be found and probed within literally MINUTES of it being connected, so be prepared for that.

A lot of ISPs routers have backdoor/remote logins for their tech staff, and a lot aren't patched often, so we're all a bit doomed anyway!


----------



## sko (May 6, 2022)

bakul said:


> You need a firewall. The ISP installed router probably already has a builtin one.


Most likely not - NAT is not a firewall, and those plastic toys are usually already overwhelmed with that if you'd really try to push packets over them....

Sivan! 
I take from your initial question(s) that you lack the absolute basics in how networks and the internet work, hence you should absolutely NOT consider putting any device on a public IP, let alone running a publicly accessible server of any kind. This *will* end badly.

Please educate yourself in basics like routing and basic firewalling. On the way you will discover NAT and port forwarding, which will conclude your initial questions. The FreeBSD handbook is a good starting point for that, as it has very clear and easy-to-follow explanations. You may even start with chapter 32.2. "Gateways and Routes", but fall back to even more basic topics if you don't understand what's going on.


There's already way too much low hanging fruit out there for botnets - don't add yet another one...


----------



## bakul (May 6, 2022)

At least my isp router has a firewall, separate from NAT and likely so does Sivan’s but he should verify it. I don’t use either NAT or the firewall from router — I use a FreeBSD machine for that — but I wouldn’t suggest to a newbie to set up his own firewall. That’s sure to cause him a lot of misery!


----------



## Sivan! (May 7, 2022)

bakul said:


> At least my isp router has a firewall, separate from NAT and likely so does Sivan’s but he should verify it. I don’t use either NAT or the firewall from router — I use a FreeBSD machine for that — but I wouldn’t suggest to a newbie to set up his own firewall. That’s sure to cause him a lot of misery!



How do you use a FreeBSD machine as a firewall?  I can use an old server, install a suitable FreeBSD core (minimal? without GUI?), and slowly work on setting it up as a firewall, NAT...  Everything that is said by sko is true, I will start with Chapter 32.2 of the handbook, but would still like to set it up as some sort of a Network Security Box to make the Desktop Computer and Laptop computer safe.


----------



## gpw928 (May 8, 2022)

There's nothing wrong with wanting to learn how to build a firewall as a learning exercise...

Your router is already firewalling your internal network.  Consumer grade appliances (which yours almost certainly is) get bad press because the vendors who manufacture them are often sloppy.  Geeks often want to discard them, and build their own.  I certainly did.

However, consumer grade appliances protect more than 99% of home networks, and it's easy to argue that they are adequate in most circumstances, especially if you use Google to search for known issues (usually back doors).

Your router actually consists of a router that does Network Address Translation (NAT) and a modem.  Even if you roll your own router and NAT, you will still need the modem function.  I'll leave that as an issue to sort out later.

Given your starting point, it's going to be an arduous task to write a safe functional firewall.  Dangerous too.  The danger lurks everywhere on the Internet, and the smallest mistake can see your network compromised.

As others have suggested, you need to grasp the fundamentals, from first principles, before moving to risking your network.

W. Richard Stevens' series "TCP/IP Illustrated" is a good place to start.  But it's just a start.  You would then need to move onto firewall-specific books.  Mine are all old, so I'll leave current recommendations to others.

The best answer to your question, by far, is that there is some really good pre-packaged firewall software out there.  This includes OPNsense (truly free) and pfSense (free for personal use).  They are both distributed as complete operating systems based on FreeBSD, and provide highly professional quality choices.  They also do the more complex things (like VPNs) easily.  They have active support communities.  If you want to abandon "your router", get one of these while you read up on networks.


----------



## Sivan! (May 8, 2022)

gpw928 said:


> There's nothing wrong with wanting to learn how to build a firewall as a learning exercise...
> 
> Your router is already firewalling your internal network.  Consumer grade appliances (which yours almost certainly is) get bad press because the vendors who manufacture them are often sloppy.  Geeks often want to discard them, and build their own.  I certainly did.
> 
> ...



These sound like excellent resources to understand and gain clarity.  Yes, it is an arduous task; I will minimize danger by taking ample advice, but wish to build a box for this purpose which might expand. In the meantime, OPNsense or pfSense must be an interim solution.

Thank you.


----------



## bakul (May 8, 2022)

If you want to learn, there are some examples in "/usr/share/examples/pf/" that may be of some use. Plus you can find freebsd pf tutorials online. Make sure you have physical access to the gateway machine as a wrong config can lock you out!


----------



## Deleted member 70435 (May 8, 2022)

When the issue is networks, it is complicated to give advice that is effective. What I would recommend, as a person with some experience in this area, is that you look for good use cases on Google with FreeBSD.


----------



## sko (May 9, 2022)

You don't have to put a firewall directly on the public line for learning purposes. Just add its external interface to your local network and create another local subnet (ideally in a completely different RFC1918 prefix) behind it that gets routed and NATed into your primary LAN. (Yes, double-NAT is ugly, but perfectly legit for such testing purposes - just don't expect e.g. VoIP to work correctly in this scenario.)
Behind your own router/firewall you can put clients for testing and getting familiar with PF and the various implications its configuration and rules have on services you might need. You can also test if anything from your 'normal' LAN can access the subnet(s) behind that firewall (which would be bad).
If you need the client to just work again, put it back in the primary LAN (the one behind your ISP's router). Once you feel confident enough that your ruleset works and you _UNDERSTAND_ what your config/ruleset is doing and how things work in the background, you may use that on a public facing router.

As for the mentioned pre-built router appliances OPNsense and pfSense: they are OK, but they won't teach you anything. In fact I find their GUI and baked-in logic very awkward and even confusing in some places, especially if you know what PF (or any other service they configure via GUI) is actually doing in the background and how easy it would be to just configure what you want within the config file.
Thanks to the butchered backend with (sometimes multiple layers of) heavy abstraction, you can't use the config files as they are getting overwritten and are bloated with tons of confusing meta-configuration for the abstraction layers to hook into.
Long story short: if you actually want to learn something, use plain PF. The syntax is very readable and clear, so example configurations are very easy to follow and understand.
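The double-NAT lab gateway described in this post, written out as a complete pf.conf (an added example, not from this thread, the FreeBSD handbook or /usr/share/examples/pf; the interface names em0/em1, the 192.168.1.0/24 primary LAN and the 10.77.0.0/24 lab prefix are assumptions):

```pf
# Lab gateway pf.conf for a FreeBSD box sitting *behind* the ISP router.
# Assumptions (not from the thread):
#   em0 = "external" side, plugged into the primary LAN, gets a DHCP lease
#         from the ISP router (e.g. 192.168.1.50)
#   em1 = lab side, statically 10.77.0.1/24 (a different RFC1918 prefix
#         than the primary LAN so routes and rules can never be ambiguous)
#   /etc/rc.conf has gateway_enable="YES", pf_enable="YES", pflog_enable="YES"
ext_if      = "em0"
lab_if      = "em1"
lab_net     = "10.77.0.0/24"
primary_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop
scrub in all

# Second NAT layer: lab clients leave with the gateway's primary-LAN address.
# ($ext_if) in parentheses tracks the DHCP-assigned address if it changes.
nat on $ext_if from $lab_net to any -> ($ext_if)

# Default deny; log what is blocked on the external side so it can be
# inspected with "tcpdump -n -e -ttt -i pflog0" while learning.
block log all

# Explicitly forbid the primary LAN from initiating anything into the lab
# subnet (already covered by the default deny, written out to state intent).
block in quick on $ext_if from $primary_net to $lab_net

# Let the gateway obtain and renew its own DHCP lease on the external side.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67
pass in  quick on $ext_if inet proto udp from any port 67 to any port 68

# Lab clients may talk to the gateway and, via NAT, to anything beyond it.
# NAT is applied before filtering, so outbound packets already carry the
# ($ext_if) address by the time the "pass out" rule sees them.
pass in  on $lab_if from $lab_net to any
pass out on $ext_if from ($ext_if) to any

# If the lab side runs its own DHCP server, clients start from 0.0.0.0.
pass in  on $lab_if inet proto udp from any port 68 to any port 67
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; as bakul notes above, do this from the console, since a rule mistake can cut off the network session you are using.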


----------

