The AT&T unit (HUMAX BGW320-500), according to the "settings" page, gives out "private" IP addresses between 192.168.1.64 and 192.168.1.253. This is how it came from the factory, but all four parts of the IP address can be changed (which could be dangerous -- read on). DHCP is currently turned ON, wireless is currently turned OFF. When I look at the Linksys settings, it is capable of handing out addresses from 10.165.X.Y. Right now it is set for 10.165.249.100. Maximum users is set at 99. The Linksys limits me to typing in numbers between 1 and 155.
So I think I know what's going on here. The AT&T unit is in "passthrough" mode. DHCP is ON, so it gave a "private" address (192.168.1.65) to the Linksys. If I then plugged in a WIRED computer to the AT&T unit, it might be given 192.168.1.66. After that, if I turned on and set up the wireless in the AT&T unit, and typed the encryption key into a laptop, the laptop might receive 192.168.1.67.
The Linksys ALSO has DHCP turned on. So if I plug in a WIRED computer to it, it might receive an IP address of 10.165.249.101. If I then set up the wireless in the Linksys, which I did, the Linksys will give out unused IP addresses in its range (10.165.249.100 to 10.165.249.199 at present).
So you CAN HAVE more than one router with DHCP turned on. Each router will hand out addresses in its assigned space, to wired clients (and wireless clients, if the router has a wifi chip in it).
In fact, corporate routers and switches won't limit you to a small range like my consumer-grade Linksys (10.165.X.Y). They will let you use any legal "private" address (see the internet for a full list of these, one example is 192.168.0.0 all the way to 192.168.255.255). Corporate equipment will also have MUCH more powerful processors, capable of handling MANY more connections at once. Corporations will also have range extenders, and a "mesh" setup. Both Amazon buildings I worked in had HUNDREDS of wireless access points mounted on ceilings, and they would "hand off" my laptop's wifi signal as I pushed my laptop on its cart down the length of the building. But corporate equipment (indeed, this whole paragraph) is beyond the scope of my little wiki.
I wanted to set up several more computers (ethernet only, since that is faster) and plug them in to the AT&T fiberoptic modem, and then boot them while connected to the Linksys, to prove they got IP addresses in the range each router was "supposed to be" handing out. I have two more of those mini-ITX boards and a couple of other computers I can assemble from parts, but I am confident this is how things will work, so I am posting this now. I'll test my theories soon.
It should be noted here that if you want to have different wireless stations broadcasting, they MIGHT be able to have the same encryption key (can they? Someone please tell me) but for good practice, they should have different keys. And they DEFINITELY need different NAMES (and use different wifi channels, but most consumer equipment today automatically selects the best channel for the least interference).
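An added example, not code from this thread or from any router's firmware: a small Python script that checks the two DHCP pools described above the way a network engineer would before plugging a second router in. The AT&T pool (192.168.1.64 to 192.168.1.253 on 192.168.1.0/24) and the Linksys pool (10.165.249.100 to 10.165.249.199 on 10.165.249.0/24) are taken from the post; the "conflicting" third pool, the network masks and the leased addresses are constructed sample values. It goes slightly beyond the post by also simulating which address a server would hand the next client, and by showing what an overlapping pool on the same LAN looks like.

```python
# Added example: sanity-checking DHCP pools with the standard-library ipaddress module.
# Pool boundaries follow the post; masks, the CONFLICT pool and leases are constructed.
import ipaddress
from dataclasses import dataclass


def ip(s):
    """Shorthand for building an IPv4 address from a dotted quad."""
    return ipaddress.IPv4Address(s)


@dataclass(frozen=True)
class DhcpScope:
    name: str
    network: ipaddress.IPv4Network   # the LAN the router serves, e.g. 192.168.1.0/24
    first: ipaddress.IPv4Address     # lowest address the DHCP server may hand out
    last: ipaddress.IPv4Address      # highest address it may hand out

    @classmethod
    def build(cls, name, network, first, last):
        return cls(name, ipaddress.IPv4Network(network), ip(first), ip(last))

    def size(self):
        return int(self.last) - int(self.first) + 1

    def contains(self, addr):
        return self.first <= addr <= self.last


def check_scope(scope):
    """Return a list of problems with a single pool; an empty list means it is sane on its own."""
    problems = []
    if not scope.network.is_private:
        problems.append("network is not a private (non-routable) range")
    if scope.first not in scope.network or scope.last not in scope.network:
        problems.append("pool boundaries fall outside the LAN network")
    if scope.first > scope.last:
        problems.append("pool start is above pool end")
    if scope.contains(scope.network.network_address) or scope.contains(scope.network.broadcast_address):
        problems.append("pool includes the network or broadcast address")
    return problems


def overlapping(a, b):
    """True when two pools could hand the same address to two different clients.
    Pools on different LANs (different networks) never conflict, which is why the
    AT&T unit and the Linksys can both run DHCP at the same time."""
    return a.network.overlaps(b.network) and max(a.first, b.first) <= min(a.last, b.last)


def next_free(scope, leased):
    """Lowest address in the pool that is not already leased; None when the pool is exhausted.
    Real servers may also re-offer an address a client held before, so treat this as
    the simplest allocation policy rather than what any particular router does."""
    for n in range(int(scope.first), int(scope.last) + 1):
        addr = ipaddress.IPv4Address(n)
        if addr not in leased:
            return addr
    return None


# Pools as described in the post (masks assumed to be /24).
ATT = DhcpScope.build("AT&T BGW320", "192.168.1.0/24", "192.168.1.64", "192.168.1.253")
LINKSYS = DhcpScope.build("Linksys WRT-AC1200", "10.165.249.0/24", "10.165.249.100", "10.165.249.199")
# Constructed misconfiguration: a second DHCP server on the AT&T LAN with an overlapping pool.
CONFLICT = DhcpScope.build("second router on the AT&T LAN", "192.168.1.0/24", "192.168.1.100", "192.168.1.200")


def report():
    """Human-readable summary; returned as a list of lines so it can be checked or printed."""
    lines = []
    for s in (ATT, LINKSYS, CONFLICT):
        lines.append(f"{s.name}: {s.size()} addresses, problems: {check_scope(s) or 'none'}")
    lines.append(f"AT&T pool overlaps Linksys pool: {overlapping(ATT, LINKSYS)}")
    lines.append(f"AT&T pool overlaps conflicting pool: {overlapping(ATT, CONFLICT)}")
    leased = {ip("192.168.1.64"), ip("192.168.1.65")}   # constructed: two clients already served
    lines.append(f"next AT&T lease with .64 and .65 taken: {next_free(ATT, leased)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The two pools in the post do not overlap because they sit on different networks, so each router answers only the clients on its own side. The constructed CONFLICT pool shows the case to avoid: two DHCP servers on one LAN with intersecting ranges, where whichever server answers first wins and the same address can end up on two machines.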
Hardware firewall to block ad servers?
-
That is basically what I am trying to do. I THINK I have successfully set up the AT&T fiberoptic unit as a "pass-through" device. As for DNS, here is Louis Rossman's "Introduction to a Self-Managed Life":
http://wiki.futo.org/index.php/Intro...ing_in_pfSense
Every time I type a website that does not exist, I see an AT&T (American Telephone and Telegraph) page. In the past, I have tried to override this, but I cannot. Louis mentions something in there about how to fix things so the ISP CANNOT override my choice of DNS server. I will look at it later.
During the Super Bowl tonight, I realized I might have perfectly good hardware for pfSense (BSD-based). When I went to the basement, what was on my AMD 5350 Mini-ITX system? TrueNAS, which is based on FreeBSD. I played around with that several years ago. It worked and booted up, but I never used it. TrueNAS was 80x25 text mode, so I don't know if pfSense will like my 5350's "system on a chip" graphics. As for networking, continue reading.
BSD famously does not support wireless chips AT ALL. So I purchased an Intel X520-AX2 card (used) from eBay. It has two 10 GB WIRED ports on it, perfect for the PCI-E (x16) slot on my passive-cooled mini-ITX system. I also bought a TP-Link AX-1800 wireless access point. I think I can make everything work properly, but it could be a week or more before all the parts get here.
If pfSense (BSD) doesn't like my graphics hardware, I'll just use ipFire.
because using default DNS servers leaves you vulnerable to tracking, re-direction and even blocking.
My next post should be more about the mini-wiki I am building in this thread.
Last edited by Hondaman; 02-09-2025, 11:28 PM.
-
set your fiber modem as a passive modem,
use the ac1200 as the DNS server and set the DNS servers in it to private ones that are not owned by government or isp's etc.
look here:
https://www.opennic.org/
because using default DNS servers leaves you vulnerable to tracking, re-direction and even blocking.
-
Actually, I think the fiberoptic unit might be working properly. I might need to hold down the red "reset" button for a good length of time, like more than 5 seconds. When I come back upstairs, and the modem's settings page has changed to a page that says "waiting to determine your type of broadband connection", I think this shows I did it right. Last time I reset it, I did it right. I suggest it is working properly right now. All websites come up reasonably quickly.
Interesting story: years ago (probably 1996 - 1998), before web hosts monitored, tracked and monetized you with all these "tracking cookies", I ran special software on my Windows 3.1 computer (EDIT: that did the same thing, nowadays ISPs use cookies to regularly report server-side stuff like page views to the "dot-com" client). The software was sent to me by the Nielsen company, the same company that measures the popularity ratings of radio and TV shows here in the US. Every 6 months, for about 3 years, they sent me a $50 US Savings Bond as payment. I got 5 or 6 of them stored in a safe place.
If I ping www.badcaps.net, the pings time out. If I ping www.microsoft.com, it works fine. Maybe there is a server-side reason for this I don't know about. I would think you could ping EVERY website, but maybe if the badcaps website is hosted on an ISP's rack-mounted equipment (along with many other client websites), ping doesn't work......
I have some ideas about my network, but it could take a few days (or weeks) to test my theories. Watch this space.
Last edited by Hondaman; 02-09-2025, 05:18 PM.
-
start by fixing the fiber modem, it's all kinds of fucked up if wifi doesn't turn off and you can use it to get into settings.
check for a firmware upgrade for that security bug.
if you don't find one then mail the makers and tell them they have a security bug that needs fixing fast.
and post here the make & model - lets give them a damned good incentive to fix stuff.
-
pfSense is clearly nice. But I don't know about the [BSD] hardware. I don't think my Asus P5GC-MX would be a good choice. I'm sure I can get decent USED hardware from eBay, but what do I look for? Louis Rossman suggests an Intel X540 PCI-E ethernet card with two ports. Which means I would need a wireless access point (unless you can get a wifi card with both radios and Intel chips that are more likely to work with BSD). Will the WAP try to hand out IP addresses in the 192.168 space (or the 10.165 space), conflicting with the pfSense hardware? Will the WAP have both radios? I don't want a situation where every problem I solve causes more problems.
What hardware do YOU use? Do you have both radios?
Last edited by Hondaman; 02-08-2025, 04:12 AM.
-
Originally posted by Hondaman:
1: Packets for one purpose (HTTP, e-mail, FTP) that come in on a non-standard port can be rejected, correct?
2: Public web servers like corporate websites cannot use these "private" address spaces out on the world-wide web, correct?
3: Do e-mail servers and packets (and FTP servers, and other protocols) also use DNS or something similar?
I'm just a retired Amazon clerk who never used the accounting skills or the heating and air conditioning training I received. I hope I can get this whole "networking" thing to work.
A1: Firewall Rulesets determine what packets are either accepted, or rejected, or dropped.
A2: A public website will have a public IP address. A public IP address is required for the world to reach any specific website; however, DDNS works well and also accomplishes that task. DNS maps domain names to IP addresses. That is its purpose...
A3: Yes email clients/servers and pretty much everything that accesses the Internet utilizes DNS.
I, personally, have loved pfSense since the moment it was booted on my hardware for the first time.
-
Look at the third-party "for-profit" repair manual for my car. "Power is generated by a 4-cylinder engine (gas only, no diesel), transversely mounted in the front. Power is transmitted to the front wheels through either a 4-speed automatic or a 5-speed manual transaxle, through equal length halfshafts." I omitted steering, brakes and suspension, but you get the idea.
Here is my "Networking for Dummies" book that I am re-writing (only discussing IPv4 in this post):
Routers (switches and gateways also?) analyze packets that are usually 1500 bytes long, attempting to flow in either direction. The source and destination of packets (presumably contained in the packet, and expressed as "dotted quads" between 0.0.0.0 and 255.255.255.255) are examined according to a series of rules, and if permitted, they are passed out of the device on to their destination. Rules can also silently drop the packets or reject them back to the sender. Rules can be made to drop outgoing packets sent to various domains, or packets sent by unauthorized users or computers. For example, a request to download the "/index.html" top landing webpage on a forbidden domain (website, FTP server, possibly others), would be dropped. Incoming packets can be restricted to only certain users or "subnets" (maybe with a separate sub-set of dotted quads like 192.168.3.X?). Incoming packets can also be examined for their source (from a forbidden dotted quad) and destination (only certain users are allowed to get these packets), just like outgoing packets.
(This is called "stateful packet inspection". And if a packet is part of a connection that was previously established and allowed by the rules, it is automatically allowed through.)
Also note that packets are sent and received on "ports". There are 32,768 of them. Because of tradition (established by various RFCs, establishing the standards), some of the first 1,024 are used for common services like HTTP/HTTPS (web pages), SMTP (e-mail) and so forth. The rest can be used by anything, as long as the sending and receiving computer agree, and the rules (of intervening equipment) do not drop or reject the packets.
Packets for one purpose (HTTP, e-mail, FTP) that come in on a non-standard port can be rejected, correct?
Private home or business networks are in a "private" address space with dotted quads that are either in the "192.168.X.Y" address space or the "10.165.X.Y" address space, where X and Y are numbers between 0 and 255. Public web servers like corporate websites cannot use these "private" address spaces out on the world-wide web, correct? When Ford car company established a website, those in charge of DNS (ICANN?) would not be dumb enough to allocate "ford.com" to resolve to 192.168.X.Y, right?
No, I have no idea how to make sure your mail server has a "reverse DNS lookup" or if that has any bearing on the "rules" discussed above. I have no idea how to lock an e-mail server so it is not an "open relay" for spam. I don't know if packets on an e-mail port can be checked to see if the sender's dotted quad actually belongs to that e-mail server ("spoofing the sender"). And I don't know if e-mail packets, on e-mail ports, can be checked to see if the recipient "John_Smith@domain" actually exists. Maybe that is the job of "Microsoft Exchange Server" or other mail server software.
Everyone should please feel free to answer the questions I have asked here.
I also did not mention, in my little "mini-wiki" how typing "ford.com" causes a query to a DNS server, where the correct dotted quad is obtained, and the surfer's web browser really asks Ford Car Company's "dotted quad" for the web pages. The dotted quads assigned to any server (web pages, e-mail, FTP, whatever) can change, but this is avoided, since it can take a day or so for the worldwide DNS "recordkeeping" servers to reflect the change. Do e-mail servers and packets (and FTP servers, and other protocols) also use DNS or something similar? Please post in this thread if you know the answer. And I also did not discuss how popular websites like Google, Yahoo, or other high-volume websites buy "load balancing" from their ISPs (which is really additional servers) so many megabytes per second worth of packets for web pages, e-mail traffic, FTP downloads, etc can all appear to be located at the correct dotted quad, coming from and going to many concurrent users.
I'm just a retired Amazon clerk who never used the accounting skills or the heating and air conditioning training I received. I hope I can get this whole "networking" thing to work.
Last edited by Hondaman; 02-08-2025, 12:31 AM.
-
Yes, I want the fiberoptic modem unit to feed the WRT-AC1200, and the WRT-AC1200 to feed the house. Right now, the wireless is turned OFF in the fiberoptic modem. And yet I can wirelessly access the fiberoptic modem's settings at 192.168.1.254, AND the Linksys settings page at 10.165.249.151. I thought the Linksys would block me from seeing the settings page at 192.168.1.254, but I guess not.
So maybe I already achieved what I wanted, and maybe I can write down the settings on the WRT-AC1200 and substitute the 25-watt passive-cooled computer? I'll need a keyboard, monitor and mouse to change the settings on it, and configure the wireless, then I can set up auto-login in case of power failure. Then configure the ad-blocker and let my 25W computer do its work.
(I found a FANLESS Seasonic 460 watt PSU, sitting UNUSED on a merchant's shelf since it was manufactured 8 or 10 years ago, I'll buy it in a few minutes. And I have seen many videos of Chinese E-bikes and "BYD" cars burning. So I will use the APC UPS-1500 I already have in my house. The battery is fresh, and from a trusted supplier.)
Can the TP-Link N900 wifi card (Atheros 9380 chip) use both radios at the same time? Win7 and Linux on my main computer (same wireless card) never use both radios at the same time. If I want to run many devices using wifi at the same time, will the 25 watt ipfire linux hardware firewall operate both radios at once? I guess I'll have to try it to find out.
I thought this was a case where the fiberoptic unit was handing out dotted quads to my devices in the 192.168.0.X space, and the Linksys was handing out addresses in the 192.168.1.X space, but obviously that might not be true, and it might not even be relevant, and it is more complicated than that.
Last edited by Hondaman; 02-08-2025, 12:34 AM.
-
trying to understand all this.
so the fiber modem feeds the wan port on the ac1200,
and the ac1200 feeds the house?
192.168.1.65 port 22: Connection refused. could be several things,
why port 22?
use the web browser to go to the i.p. without a port number but with https - let the router sort that out.
or don't type http:// just put the number in.
maybe you should get a cheap chinese 18650 based ups for that router - if it only holds up for 10 minutes it will be good enough.
-
Wow. That's incredible. Thank you ! Unfortunately, I cannot use it. Because:
(1) When I change settings incorrectly, I must reset the AT&T fiberoptic modem. I don't REALLY know enough to change the settings intelligently. And when I reset the modem, it often does not reset properly. Sometimes the AT&T fiberoptic unit "somewhat" works, but it will be very slow, or it will let me go to some websites but not others.
(2) Sometimes the AT&T fiberoptic unit will work, and I can change the settings by going to http://192.168.1.254. And sometimes I can also see the settings on the WRT-AC1200 by going to http://10.165.249.151. But the WRT-AC1200 settings page will be unreachable if there is a 20 second power outage or reboot. I must turn the Linksys off, then walk down the stairs to remove 120 volt power from the AT&T unit. 20 seconds later I do those things in reverse.
(3) The WRT-AC1200 has two boot partitions, and it seems to alternate between them whenever you upgrade the firmware. I upgraded from factory firmware to OpenWRT. I can choose "revert to previous firmware", so it will boot from the OpenWRT partition next time. But this does not actually work. If I reboot into Linux Mint, and type "sudo ssh 192.168.1.65" (which is where I believe the WRT-AC1200 is located) and then type my Linux Mint administrator password, I get the following message:
192.168.1.65 port 22: Connection refused.
I was supposed to get a command prompt, where I could check which partition was active, and instruct it to choose the other one next time and then tell it to reboot immediately. But that didn't work either. So it will probably have the factory firmware forever. I upgraded the old WRT-54GL 1.1 to DD-WRT (it is sitting on the floor of my kitchen right now) but upgrading the WRT-AC1200 is beyond my ability.
I'd love to get this to work, but I think I'm going to need to hire someone here in town. And before you say "buy a Netgate or Synology hardware solution", remember -- I must instruct the fiberoptic modem to work with this thing I bought, or it is just a fancy decoration. And I don't seem to be smart enough to do that.
Computer networking is not like a car -- if the headlight does not work, and the bulb is good, and the fuse did not blow, and the switch did not fail, then the problem can be traced with a volt meter to figure out where the wire is broken. But if a 1500 byte packet disappears because it is routed incorrectly, I'm not smart enough to know what happened, and there are no error messages to tell me. Years ago (1988 I think) I spent over 12 hours staring at a terminal in the room with the university mainframe trying to troubleshoot a simple for/next or gosub/return loop (I had to take a class in BASIC). I couldn't make the loop work until the person minding the mainframe accidentally gave me more help, I think, than he was supposed to. Would that surprise you?
I do appreciate your suggestion. I passed a difficult 2-day exam for the accounting profession, but I am too stupid to make a network work. I will probably have to hire someone here in town.
Last edited by Hondaman; 02-06-2025, 06:48 AM.
-
Hardware firewall to block ad servers?
I found an interesting summary on a wiki that YouTube "right to repair" enthusiast Louis Rossman put up. He suggested I could use a hardware firewall and pfSense as a firewall, and use pfSenseNG as an ad blocker. Or use OPNsense as a similar alternative. Seems like it would be easy to set up, but it only runs on the hardware supported by BSD. (I'm sure the developers and maintainers of BSD are super-busy and cannot support every single piece of hardware out there, so I can't fault them.)
The trick, apparently, is to "assign IP address lists from sites like I-blocklist into a single alias, then choose a rule action". (This is good, since blocking ad servers with a giant HOSTS file really doesn't work.)
It seems that ipfire (a slim, hardened Linux running on the current 6.6 kernel) offers this capability too. I've got some great hardware I would like to use. Socket FM1 (17cm by 17cm main board), AMD 5350 chip (4 cores, 1.8333 GHz, 25 watts) with 16 GB RAM and a $25 DRAM-less SSD I've got lying around. I would plug the AT&T fiberoptic modem unit into the onboard ethernet jack on the mini-ITX firewall system. For wifi, I would plug in my PCI-E TP-Link N900 (WDN-4800) (both 2.4 GHz AND 5 GHz radios).
Would OpenWRT on my Linksys WRT-AC1200 let me use this "alias" thing? I have looked, but not found, any evidence that I could do this.
My AT&T fiber-optic modem/router/gateway failed a week ago. I think I have now set up "passthrough mode" properly on the new one, so the WRT-AC1200 will do DHCP service (hand out IP addresses when a new device is turned on) and give wifi service (Alexa is working, ROKU is probably back also). I would like to just substitute the mini-ITX AMD 5350 system in place of the WRT-AC1200 if possible, and if it doesn't work, put the WRT-AC1200 back in and try to figure out what I did wrong (the problem with this whole "network and internet" thing is when communication fails, I have no idea where or why the failure happened -- and no idea how I should troubleshoot it).
I don't understand this topic very well. I understand dropping outbound requests to, or incoming packets from, "porno dot com" for every computer in my home network. I understand how businesses might want to allow weird ports to be open for employees that use specialty software (or even common software like instant messenger clients).
Where would I get some examples of aliases?
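An added example, not code from this thread or from pfSense, pfBlockerNG, OPNsense or ipfire: a toy stateful packet filter in Python that shows, in one place, the two things asked about in this thread. It turns a blocklist into an "alias" (a named set of networks) and attaches a rule action to it, as the original post describes, and it keeps the state table that the "Networking for Dummies" post further up mentions, so replies to a connection the LAN opened pass without an inbound rule while unsolicited inbound packets hit the default block. The blocklist text, every address and every packet in the trace are constructed sample data; the one-entry-per-line format with `#` or `;` comments is an assumption about what such lists look like, not a parser for any specific provider's format.

```python
# Added example: alias-based rules plus a state table, on constructed sample traffic.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed blocklist, one network or address per line; not a real list.
BLOCKLIST_TEXT = """\
# ad servers (constructed sample)
203.0.113.0/24
198.51.100.7
; a single address above became a /32, so everything compares the same way
192.0.2.0/25
"""


def load_alias(text):
    """Parse a blocklist into a list of networks, skipping blank lines and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_alias(addr, alias):
    """True when the address falls inside any network of the alias."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in alias)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    direction: str
    action: str                          # "pass", "block" (silent drop) or "reject" (answer the sender)
    dst_alias: Optional[list] = None     # restrict the rule to destinations in this alias
    dport: Optional[int] = None          # restrict the rule to one destination port

    def matches(self, pkt):
        if self.direction != pkt.direction:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst_alias is not None and not in_alias(pkt.dst, self.dst_alias):
            return False
        return True


class StatefulFilter:
    """First matching rule wins; a passed packet records its 5-tuple so the reply flow passes too."""

    def __init__(self, rules, default="block"):
        self.rules = rules
        self.default = default     # what happens to a packet no rule matches (unsolicited inbound)
        self.states = set()

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return (action, reason) for one packet, updating the state table on a pass."""
        if self._key(pkt) in self.states or self._reverse(pkt) in self.states:
            return "pass", "established"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return rule.action, rule.name
        return self.default, "default"


AD_SERVERS = load_alias(BLOCKLIST_TEXT)
RULES = [
    Rule("block ad servers", "out", "reject", dst_alias=AD_SERVERS),
    Rule("allow LAN out", "out", "pass"),
]

# Constructed trace: a LAN client at 10.165.249.120 (an address in the Linksys pool from the thread).
SAMPLE_TRACE = [
    Packet("out", "tcp", "10.165.249.120", 51000, "203.0.113.44", 443),   # ad server: rejected
    Packet("out", "tcp", "10.165.249.120", 51001, "192.0.2.200", 443),    # ordinary site: passed
    Packet("in", "tcp", "192.0.2.200", 443, "10.165.249.120", 51001),     # its reply: established
    Packet("in", "tcp", "198.51.100.8", 40000, "10.165.249.120", 22),     # unsolicited SSH: default
    Packet("out", "tcp", "10.165.249.120", 51002, "198.51.100.7", 80),    # the /32 entry: rejected
    Packet("in", "tcp", "192.0.2.200", 443, "10.165.249.120", 51099),     # no matching state: default
]


def run_trace(trace=SAMPLE_TRACE):
    fw = StatefulFilter(RULES)
    return [fw.filter(pkt) for pkt in trace]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_TRACE, run_trace()):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action} ({reason})")
```

Two design points worth noticing. The ad-server rule uses "reject" so the browser fails immediately instead of waiting on a silently dropped connection, while the default for unsolicited inbound traffic stays "block": answering strangers only tells them a host is there. And the state table, not an inbound rule, is what lets the reply in packet 3 through; packet 6 comes from the same server but does not match any recorded connection, so it is treated as new and blocked.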