[DARARepeater] LAN Routing
Jack Gerbs
jgerbs at quanexus.com
Mon Oct 12 11:57:49 EDT 2020
Forgot to state the routes are:
* secure-lan to non-secure lan
* non-secure-lan to secure-lan
The ACL is critical. The ACL is what limits the specific traffic that can flows between the 2 segments/networks.
73,
From: dararepeater-bounces at mailman.qth.net <dararepeater-bounces at mailman.qth.net> On Behalf Of Jack Gerbs
Sent: Monday, October 12, 2020 11:43 AM
To: Mark Erbaugh <mark.election at gmail.com>; dararepeater at mailman.qth.net
Subject: Re: [DARARepeater] LAN Routing
Mark,
Your email is a little confusing. If the goal is to move the Flex to the non-secure segment and access it from the secure segment, this can be accomplished. The Ubiquity Edge allows granular access control lists (ACL). You would need to set 1 rule (because the Ubiquity is a stateful firewall) and 2 routes.
The rule (ACL) should allow secure-Lan to access the non-secure Lan:
• To increase security the ACL should include the source and destination IP addresses of the computer and the Flex (From to) and also include the port or ports the Flex is listening on.
Because the Ubiquity is a stateful firewall, the Flex will not be able to access the secure-network without be invited in by the computer on the secure-Lan (this is how all firewalls work today).
Let me know if you need any other help, it has been a long time since I had my hands on a Ubiquity EdgeRouter X.
73k
Jack, WB8SCT
From: dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net> <dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net>> On Behalf Of Mark Erbaugh
Sent: Monday, October 12, 2020 11:05 AM
To: dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
Subject: [DARARepeater] LAN Routing
I’ve started adding IOT devices to my home. Following some security advice https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,auaWpV3iAY5uCVBZezYtzLFp59k7_1gcbGYcKXFVzzMGk7Namye2g-1oUybRbji7-w71ygGdIw8zl1fgg63h9IKwKJEt1lukckwo6XzZY2TePzwb-L_Z&typo=1>) , I’ve configured two sub-nets, one for my computers which are secure (at least I’m running security software on them) and one for the IOT devices which I don’t trust as much. Hopefully, this will prevent an attacker from exploiting a weakness in one of my IOT devices to attack my secure computers.
But I have found a need for an exception to my configuration. I have a couple of devices that I don’t fully trust to be on my secure network that I need to communicate with from my computer on the secure network:
* FlexRadio 6700 (internal Linux software with unknown security)
* Raspberry Pi running OctoPi server to control my 3d printer
Right now, I’ve left the Flex on the secure network, so I’m trusting the Flex developers and I’m not using the OctoPi.
Is it possible to put these devices on the secure network but configure the router (I’m currently using a Ubiquity EdgeRouter X) so that they can be accessed from inside the network, but that they can’t access the internet? I’m assuming that if the device can’t access the Internet, the Internet can’t access the device – is that a valid assumption?
If so, how?
One suggestion I saw was to implement parental controls on those devices, but I see no mention of parental controls in the EdgeRouter configuration.
73,
Mark
Our Q-Stack Advantage protects your systems and the information on your systems with a layered and proven approach. Quanexus provides managed Information Technology services for IT organizations, businesses, non-profits and more. Risk Assessments, Vulnerability Scans, Cabling, Telephone Systems, Surveillance and Access Control are all part of our value added services. Visit us at www.Quanexus.com<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fquanexus.com&c=E,1,eKWF4h3Jvdh8RE3kBvsFphKtLI96nlh4AJFrrt9bmC3i7YB_q44JIKlDaQMKc4yH17i-Q9s4f6zL3P_OoWQel8OUOshNb1U2Rh7NuNPmAR9Pg8gMrGX71p1K&typo=1> to learn more.
<font size="3" color="A5292B">Our <B>Q-Stack Advantage</B> protects your systems and the information on your systems with a layered and proven approach. Quanexus provides managed Information Technology services for IT organizations, businesses, non-profits and more. Risk Assessments, Vulnerability Scans, Cabling, Telephone Systems, Surveillance and Access Control are all part of our value added services. Visit us at <a href="https://quanexus.com">www.Quanexus.com</a> to learn more.</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201012/8e51f34e/attachment-0001.html>
More information about the DARARepeater
mailing list