OpenHAB / Home router setup / security

Evening All,
Currently I connect all of my smart devices to one home router over WiFi, which is then connected to the internet. This router has the standard IP range 192.168.xx.xx
Also, the router I’m using is very basic and was provided by my broadband company. Thinking about my current setup, I can imagine the scenario that when my router breaks for any reason my supplier would send me a new replacement router, not necessarily the same brand and model. So this could cause me a lot of problems if I had to reconfigure it all over again, even if I have all configs backed up.
Or another potential scenario would be if I decide to change supplier, as I would normally receive a new device straight away.
To overcome these issues I am thinking about purchasing my personal router (no2) to connect all smart devices (lights, echoes, tv, mobile phone). This router would then be connected to my first router (no1) via LAN cable and would have a private IP range, e.g. 10.10.xx.xx
My router no1 would effectively become a gateway.

Is that common practice, and could you please advise on the best possible setup?
Also, how would this increase the security level of my system?


That is what I did, Andy. That way if the ISP’s router dies you have everything on your router. Then you just have to worry about your router.

If you are going to buy your own router anyway (which is a good idea) you won’t want your Internet to be dependent on two devices. Here in DE you can get credentials from your provider, allowing you to use your own router. I think it’s an EU directive so should apply to the UK as well (if you hurry up :-))
And you’ll have your old router as a spare part.
This of course is assuming you get a decent model that is capable of implementing all the security stuff you want.

I did not put up a simple router behind the one connected to the outside world. I did choose a firewall appliance (IPFire) and a Banana R1 Router Board (other ARM hardware is supported too).

Why?
With this setup none of my devices can be reached directly from the outside. In addition this appliance provides basic network infrastructure services (DNS, DHCP) even if the outside network connection fails. I am able to completely control each and every connection to my inner network. There are addons that provide network intrusion detection and a webserver which I am using as a reverse proxy for openHAB and access control.

Normally DNS and DHCP can be provided by the outer router too, but its configuration can probably be seen by the broadband company and anyone who is able to hack my outside router. To hack the IPFire appliance too is not impossible but far more improbable.

Cheers guys. I had a battle with my broadband supplier recently about the router, as they always supply me a cheap box, so I really wanted to get a better model but they want to charge me for it - not really prepared to spend any money if this is their responsibility.
But I’m willing to buy my own router for smart devices, so if the ISP’s router dies I shall have everything on your router and replacement of the ISP router should be straightforward. I have a friend who works in the industrial automation sector who promised to get me a great discount on a new router, so maybe I will get something which is reliable (Cisco/Juniper).
In terms of the setup, I would be looking to do it this way:

Broadband provider router

My own router
IP: 10.100.10.xx

With regards to my mobile phones, I currently use ping to detect them on my network for presence (the mobile phones have static IP addresses).
Should I connect them to my second router (10.100 range) or to my router number 1?

In my experience this is a pretty common configuration. You want to put anything you don’t trust or don’t control outside of your LAN, and buying your own router is one of the simplest ways to do this. About the only thing that will become complicated is if you ever need to set up NAT, as you will have to do it twice. Marcus is also correct: the more hardware you have between you and the internet, the more chances you have of something going down. But in my experience the likelihood is pretty low.

Beyond that I see no down sides.

Meh, only marginally. It gives you more control over your LAN as you are not depending on a device that someone else owns or controls. But for the most part ISPs can be reasonably well trusted not to invade your privacy or do malicious things on your LAN without your permission. But you are at risk from malicious insiders and incompetence. Providing a barrier between you and your ISP’s gateway would help protect you from that.

Would it be a net benefit? Yes. A large net benefit? Probably not.

A firewall will give you more options and features than a typical off-the-shelf WiFi gateway. But, except for the reverse proxy, all of what you list is also pretty standard on most WiFi routers. I’m not arguing against a firewall as they are typically more capable than a standard WiFi router, but it is perfectly safe to use what is built into the WiFi router for protection too, and they usually have all the DNS and DHCP etc. features you mention.

Honestly, you should just go all the way. Put ALL of your devices on your new personally owned router. If you can, turn the WiFi off on your ISP provided router. If not, move it to a specific channel and set up your personal router on a different channel.

Now, if you don’t trust your home automation devices themselves, then it will be a good idea to keep them segregated. But it gets complicated at that point as your OH instance will need to be on both networks.

@rlkoshak Many thanks for the information. I searched through my IT stuff and found two routers which I could potentially use in my setup.
However I just noticed that my ISP router hasn’t got a WAN port. The only ports I have are 4 x LAN and 1 x DSL. So it looks like I will need to upgrade my ISP router first in order to connect to my own device.
Am I correct?

DSL is the WAN port, unless your ISP router is also a DSL modem in which case it’s a different type of plug.

If it is a phone jack instead of an ethernet jack, you will plug one of the LAN ports from the ISP provided router into the WAN port on your own router. Configure your own router’s WAN port to get its IP via DHCP.

It is always wise to keep the ISP’s router as a gateway and an internal one to keep local devices’ MAC-based security + local DHCP settings.

The ISP support staff that visits your home when there is a problem is trained to configure their preferred routers.
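
An added example, not part of any post in this thread: a small Python check of the cascaded layout discussed above (ISP router as gateway, own router's WAN port on the ISP router's LAN, own devices on a separate private range). The addresses, device names and the `check_cascade` function are constructed for illustration; only the 10.100.10.x range comes from the thread.

```python
import ipaddress

def check_cascade(outer_lan, inner_lan, inner_wan_ip, devices):
    """Check a two-router plan. Returns (findings, placement)."""
    outer = ipaddress.ip_network(outer_lan)   # LAN of the ISP router
    inner = ipaddress.ip_network(inner_lan)   # LAN of the personally owned router
    wan = ipaddress.ip_address(inner_wan_ip)  # address the own router gets via DHCP
    findings = []
    for label, net in (("outer", outer), ("inner", inner)):
        if not net.is_private:
            findings.append(f"{label} LAN {net} is not a private range")
    # Overlapping ranges leave the inner router unable to tell LAN side from WAN side.
    if outer.overlaps(inner):
        findings.append(f"inner LAN {inner} overlaps outer LAN {outer}")
    # The inner router's WAN port must sit on the ISP router's LAN.
    if wan not in outer:
        findings.append(f"inner router WAN address {wan} is not in outer LAN {outer}")
    placement = {}
    for name, ip in devices.items():
        addr = ipaddress.ip_address(ip)
        if addr in inner:
            placement[name] = "inner"    # behind the own router's NAT and firewall
        elif addr in outer:
            placement[name] = "outer"    # only the ISP router in front of it
        else:
            placement[name] = "unknown"
            findings.append(f"{name} ({addr}) is in neither LAN")
    return findings, placement

# Constructed sample plan (not taken from the thread, except the 10.100.10.x range).
OUTER_LAN = "192.168.1.0/24"
INNER_LAN = "10.100.10.0/24"
INNER_WAN = "192.168.1.2"
DEVICES = {"openhab": "10.100.10.5", "phone": "10.100.10.21", "isp-tv-box": "192.168.1.30"}

if __name__ == "__main__":
    findings, placement = check_cascade(OUTER_LAN, INNER_LAN, INNER_WAN, DEVICES)
    for name, side in placement.items():
        print(f"{name}: {side}")
    for f in findings:
        print("WARNING:", f)
```

Devices reported as `outer` are the ones left on the ISP router's LAN; anything on the internet side that must reach an `inner` device needs forwarding on both routers, which is the double NAT mentioned earlier in the thread.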