[DARARepeater] LAN Routing

Jack Gerbs jgerbs at quanexus.com
Mon Oct 12 12:18:01 EDT 2020


Mark,
     An easy way to not allow devices to access the internet is to not put in a default gateway on the device, or put an unused address in for the default gateway. A more common way to do it is to create a rule that blocks the device from accessing the WAN port. Not sure your level of experience with firewalls, so don’t take this the wrong way, firewalls execute rules (ACLs) from top down, your more restrictive rules need to be applied first.
           Jack

From: dararepeater-bounces at mailman.qth.net <dararepeater-bounces at mailman.qth.net> On Behalf Of Mark Erbaugh
Sent: Monday, October 12, 2020 12:11 PM
To: Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
Subject: Re: [DARARepeater] LAN Routing

Derek,

Thanks. I’ll have to take some time to digest all that and learn to craft firewall rules.

Another approach I was considering was connecting those devices to the secure network as long as I can configure the firewall to not allow them to access or be accessed from the Internet. Unlike my smart TV’s and Amazon Echo’s they don’t need access to the Internet to function. Would that approach be preferable to allowing connections across the subnets?

73,
Mark



From: Derek Gooley<mailto:dgooley at gmail.com>
Sent: Monday, October 12, 2020 11:40 AM
To: Mark Erbaugh<mailto:mark.election at gmail.com>
Cc: dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
Subject: Re: [DARARepeater] LAN Routing

Having the devices on separate subnets or VLANs won't secure anything if they're still routable to eachother. You need to create firewall rules to block traffic between them.

You could create a rule allowing traffic from your secure network to your IOT network, a rule allowing established connections from your dirty network to a secure network (so devices can communicate with hosts on your secure network once a connection is established), and a rule disallowing all other outbound and inbound traffic from your dirty network to achieve what you're asking.

Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:

https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com<mailto:mark.election at gmail.com>> wrote:
I’ve started adding IOT devices to my home. Following some security advice https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>) , I’ve configured two sub-nets, one for my computers which are secure (at least I’m running security software on them) and one for the IOT devices which I don’t trust as much. Hopefully, this will prevent an attacker from exploiting a weakness in one of my IOT devices to attack my secure computers.

But I have found a need for an exception to my configuration. I have a couple of devices that I don’t fully trust to be on my secure network that I need to communicate with from my computer on the secure network:

  *   FlexRadio 6700 (internal Linux software with unknown security)
  *   Raspberry Pi running OctoPi server to control my 3d printer

Right now, I’ve left the Flex on the secure network, so I’m trusting the Flex developers and I’m not using the OctoPi.

Is it possible to put these devices on the secure network but configure the router (I’m currently using a Ubiquity EdgeRouter X) so that they can be accessed from inside the network, but that they can’t access the internet? I’m assuming that if the device can’t access the Internet, the Internet can’t access the device – is that a valid assumption?

If so, how?

One suggestion I saw was to implement parental controls on those devices, but I see no mention of parental controls in the EdgeRouter configuration.

73,
Mark




______________________________________________________________
DARARepeater mailing list
Home: http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
Help: http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
Post: mailto:DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>

This list hosted by: http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
Please help support this email list: http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>

<font size="3" color="A5292B">Our <B>Q-Stack Advantage</B> protects your systems and the information on your systems with a layered and proven approach.  Quanexus provides managed Information Technology services for IT organizations, businesses, non-profits and more. Risk Assessments, Vulnerability Scans, Cabling, Telephone Systems, Surveillance and Access Control are all part of our value added services. Visit us at <a href="https://quanexus.com">www.Quanexus.com</a> to learn more.</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201012/4d985304/attachment-0001.html>


More information about the DARARepeater mailing list