[DARARepeater] LAN Routing
Derek Gooley
dgooley at gmail.com
Tue Oct 13 14:43:41 EDT 2020
I'm not moving to IPv6 any time soon.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU <wb8vsu at arrl.net> wrote:
> Mark, most IoT devices now days are going to be IPv6 and IPv4. If you have
> IPv6 turned off on your 2nd router then Jack's suggestion is a good easy
> choice. If you have IPv6 turned on, then it won't work if the devices have
> IPv6 enabled.
>
> Everything is automatic under IPv6 which makes it more difficult to block
> an outgoing packet. Incoming are blocked by default. My two routers are
> capable of blocking networks or devices, whether they are IPv4 or IPv6.
> That can be complex to accomplish depending on the router and whether IPv6
> is turned on.
>
> Most of the risk with IoT, is allowing remote access to it and not
> changing the default password. So if you don't allow remote access, the
> device didn't have contamination on it when you bought it and you don't let
> it update there shouldn't be a problem.
>
> Most of the issues I am aware of are due to pin holes created for a IoT
> device on the firewall / router to allow remote access or having a
> contaminated OS to start with. Jack may know of others as he is more
> up-to-date than I am on IT.
>
> I am running IPv6 on my home networks. From what I can tell, more than 90%
> of the traffic is now IPv6 as a result. Most noticeable when running an
> update on a Raspberry Pi, as it will show where it's pulling the updates
> from. The bulk are from IPv6 addresses. Smart phones are also mostly IPv6
> and you can't disable IPv6 on the cell phone.
>
> Jim Bacher, WB8VSU
> wb8vsu at arrl.net
> https://trc.guru
> On Oct 12, 2020, at 12:18 PM, Jack Gerbs <jgerbs at quanexus.com> wrote:
>>
>> Mark,
>>
>> An easy way to not allow devices to access the internet is to not
>> put in a default gateway on the device, or put an unused address in for the
>> default gateway. A more common way to do it is to create a rule that blocks
>> the device from accessing the WAN port. Not sure your level of experience
>> with firewalls, so don’t take this the wrong way, firewalls execute rules
>> (ACLs) from top down, your more restrictive rules need to be applied first.
>>
>> Jack
>>
>>
>>
>> *From:* dararepeater-bounces at mailman.qth.net <
>> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Mark Erbaugh
>> *Sent:* Monday, October 12, 2020 12:11 PM
>> *To:* Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
>> *Subject:* Re: [DARARepeater] LAN Routing
>>
>>
>>
>> Derek,
>>
>>
>>
>> Thanks. I’ll have to take some time to digest all that and learn to craft
>> firewall rules.
>>
>>
>>
>> Another approach I was considering was connecting those devices to the
>> secure network as long as I can configure the firewall to not allow them to
>> access or be accessed from the Internet. Unlike my smart TV’s and Amazon
>> Echo’s they don’t need access to the Internet to function. Would that
>> approach be preferable to allowing connections across the subnets?
>>
>>
>>
>> 73,
>>
>> Mark
>>
>>
>>
>>
>>
>>
>>
>> *From: *Derek Gooley <dgooley at gmail.com>
>> *Sent: *Monday, October 12, 2020 11:40 AM
>> *To: *Mark Erbaugh <mark.election at gmail.com>
>> *Cc: *dararepeater at mailman.qth.net
>> *Subject: *Re: [DARARepeater] LAN Routing
>>
>>
>>
>> Having the devices on separate subnets or VLANs won't secure anything if
>> they're still routable to eachother. You need to create firewall rules to
>> block traffic between them.
>>
>>
>>
>> You could create a rule allowing traffic from your secure network to your
>> IOT network, a rule allowing established connections from your dirty
>> network to a secure network (so devices can communicate with hosts on your
>> secure network once a connection is established), and a rule disallowing
>> all other outbound and inbound traffic from your dirty network to achieve
>> what you're asking.
>>
>>
>>
>> Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
>>
>>
>>
>>
>> https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>>
>>
>> https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>>
>>
>> https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>>
>> On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com> wrote:
>>
>> I’ve started adding IOT devices to my home. Following some security
>> advice
>> https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
>> , I’ve configured two sub-nets, one for my computers which are secure (at
>> least I’m running security software on them) and one for the IOT devices
>> which I don’t trust as much. Hopefully, this will prevent an attacker from
>> exploiting a weakness in one of my IOT devices to attack my secure
>> computers.
>>
>>
>>
>> But I have found a need for an exception to my configuration. I have a
>> couple of devices that I don’t fully trust to be on my secure network that
>> I need to communicate with from my computer on the secure network:
>>
>>
>> - FlexRadio 6700 (internal Linux software with unknown security)
>>
>> - Raspberry Pi running OctoPi server to control my 3d printer
>>
>>
>>
>>
>> Right now, I’ve left the Flex on the secure network, so I’m trusting the
>> Flex developers and I’m not using the OctoPi.
>>
>>
>>
>> Is it possible to put these devices on the secure network but configure
>> the router (I’m currently using a Ubiquity EdgeRouter X) so that they can
>> be accessed from inside the network, but that they can’t access the
>> internet? I’m assuming that if the device can’t access the Internet, the
>> Internet can’t access the device – is that a valid assumption?
>>
>>
>>
>> If so, how?
>>
>>
>>
>> One suggestion I saw was to implement parental controls on those devices,
>> but I see no mention of parental controls in the EdgeRouter configuration.
>>
>>
>>
>> 73,
>>
>> Mark
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ______________________________________________________________
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
>> Help: http://mailman.qth.net/mmfaq.htm
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
>> Post: mailto:DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
>> Please help support this email list: http://www.qsl.net/donate.html
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>>
>>
>>
>> Our *Q-Stack Advantage* protects your systems and the information on
>> your systems with a layered and proven approach. Quanexus provides managed
>> Information Technology services for IT organizations, businesses,
>> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
>> Telephone Systems, Surveillance and Access Control are all part of our
>> value added services. Visit us at www.Quanexus.com <https://quanexus.com>
>> to learn more.
>>
>> ------------------------------
>>
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>>
>> ______________________________________________________________
> DARARepeater mailing list
> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:DARARepeater at mailman.qth.net
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/c930585a/attachment-0001.html>
More information about the DARARepeater
mailing list