[DARARepeater] LAN Routing

Jim Bacher, WB8VSU wb8vsu at arrl.net
Tue Oct 13 15:37:53 EDT 2020


Derek, in general router advertising never leaves the network it was broadcast on. As it would be an unsolicited packet on the incoming router, the router would automatically block the packet. For a home user I don't see it as a threat. For a corporation that is a threat. 

My windows box just informed me it needs to reboot, so they must have pushed out the patch. 

⁣Jim Bacher, WB8VSU 
wb8vsu at arrl.net 
https://trc.guru​

On Oct 13, 2020, 2:45 PM, at 2:45 PM, Derek Gooley <dgooley at gmail.com> wrote:
>I'm not moving to IPv6 any time soon.
>
>https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
>
>On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU <wb8vsu at arrl.net> wrote:
>
>> Mark, most IoT devices now days are going to be IPv6 and IPv4. If you
>have
>> IPv6 turned off on your 2nd  router then Jack's suggestion is a good
>easy
>> choice. If you have IPv6 turned on, then it won't work if the devices
>have
>> IPv6 enabled.
>>
>> Everything is automatic under IPv6 which makes it more difficult to
>block
>> an outgoing packet. Incoming are blocked by default. My two routers
>are
>> capable of blocking networks or devices, whether they are IPv4 or
>IPv6.
>> That can be complex to accomplish depending on the router and whether
>IPv6
>> is turned on.
>>
>> Most of the risk with IoT, is allowing remote access to it and not
>> changing the default password. So if you don't allow remote access,
>the
>> device didn't have contamination on it when you bought it and you
>don't let
>> it update there shouldn't be a problem.
>>
>> Most of the issues I am aware of are due to pin holes created for a
>IoT
>> device on the firewall / router to allow remote access or having a
>> contaminated OS to start with. Jack may know of others as he is more
>> up-to-date than I am on IT.
>>
>> I am running IPv6 on my home networks. From what I can tell, more
>than 90%
>> of the traffic is now IPv6 as a result. Most noticeable when running
>an
>> update on a Raspberry Pi, as it will show where it's pulling the
>updates
>> from. The bulk are from IPv6 addresses. Smart phones are also mostly
>IPv6
>> and you can't disable IPv6 on the cell phone.
>>
>> Jim Bacher, WB8VSU
>> wb8vsu at arrl.net
>> https://trc.guru
>> On Oct 12, 2020, at 12:18 PM, Jack Gerbs <jgerbs at quanexus.com> wrote:
>>>
>>> Mark,
>>>
>>>      An easy way to not allow devices to access the internet is to
>not
>>> put in a default gateway on the device, or put an unused address in
>for the
>>> default gateway. A more common way to do it is to create a rule that
>blocks
>>> the device from accessing the WAN port. Not sure your level of
>experience
>>> with firewalls, so don’t take this the wrong way, firewalls execute
>rules
>>> (ACLs) from top down, your more restrictive rules need to be applied
>first.
>>>
>>>            Jack
>>>
>>>
>>>
>>> *From:* dararepeater-bounces at mailman.qth.net <
>>> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Mark Erbaugh
>>> *Sent:* Monday, October 12, 2020 12:11 PM
>>> *To:* Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
>>> *Subject:* Re: [DARARepeater] LAN Routing
>>>
>>>
>>>
>>> Derek,
>>>
>>>
>>>
>>> Thanks. I’ll have to take some time to digest all that and learn to
>craft
>>> firewall rules.
>>>
>>>
>>>
>>> Another approach I was considering was connecting those devices to
>the
>>> secure network as long as I can configure the firewall to not allow
>them to
>>> access or be accessed from the Internet. Unlike my smart TV’s and
>Amazon
>>> Echo’s they don’t need access to the Internet to function. Would
>that
>>> approach be preferable to allowing connections across the subnets?
>>>
>>>
>>>
>>> 73,
>>>
>>> Mark
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From: *Derek Gooley <dgooley at gmail.com>
>>> *Sent: *Monday, October 12, 2020 11:40 AM
>>> *To: *Mark Erbaugh <mark.election at gmail.com>
>>> *Cc: *dararepeater at mailman.qth.net
>>> *Subject: *Re: [DARARepeater] LAN Routing
>>>
>>>
>>>
>>> Having the devices on separate subnets or VLANs won't secure
>anything if
>>> they're still routable to eachother. You need to create firewall
>rules to
>>> block traffic between them.
>>>
>>>
>>>
>>> You could create a rule allowing traffic from your secure network to
>your
>>> IOT network, a rule allowing established connections from your dirty
>>> network to a secure network (so devices can communicate with hosts
>on your
>>> secure network once a connection is established), and a rule
>disallowing
>>> all other outbound and inbound traffic from your dirty network to
>achieve
>>> what you're asking.
>>>
>>>
>>>
>>> Here's some guides on how to add firewall rules to Ubiquiti
>EdgeRouter:
>>>
>>>
>>>
>>>
>>>
>https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule
>>>
><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>>>
>>>
>>>
>https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
>>>
><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>>>
>>>
>>>
>https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall
>>>
><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>>>
>>> On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com>
>wrote:
>>>
>>> I’ve started adding IOT devices to my home. Following some security
>>> advice
>>>
>https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/
>>>
><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
>>> , I’ve configured two sub-nets, one for my computers which are
>secure (at
>>> least I’m running security software on them) and one for the IOT
>devices
>>> which I don’t trust as much. Hopefully, this will prevent an
>attacker from
>>> exploiting a weakness in one of my IOT devices to attack my secure
>>> computers.
>>>
>>>
>>>
>>> But I have found a need for an exception to my configuration. I have
>a
>>> couple of devices that I don’t fully trust to be on my secure
>network that
>>> I need to communicate with from my computer on the secure network:
>>>
>>>
>>>    - FlexRadio 6700 (internal Linux software with unknown security)
>>>
>>>    - Raspberry Pi running OctoPi server to control my 3d printer
>>>
>>>
>>>
>>>
>>> Right now, I’ve left the Flex on the secure network, so I’m trusting
>the
>>> Flex developers and I’m not using the OctoPi.
>>>
>>>
>>>
>>> Is it possible to put these devices on the secure network but
>configure
>>> the router (I’m currently using a Ubiquity EdgeRouter X) so that
>they can
>>> be accessed from inside the network, but that they can’t access the
>>> internet? I’m assuming that if the device can’t access the Internet,
>the
>>> Internet can’t access the device – is that a valid assumption?
>>>
>>>
>>>
>>> If so, how?
>>>
>>>
>>>
>>> One suggestion I saw was to implement parental controls on those
>devices,
>>> but I see no mention of parental controls in the EdgeRouter
>configuration.
>>>
>>>
>>>
>>> 73,
>>>
>>> Mark
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ______________________________________________________________
>>> DARARepeater mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>>>
><https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
>>> Help: http://mailman.qth.net/mmfaq.htm
>>>
><https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
>>> Post: mailto:DARARepeater at mailman.qth.net
>>>
>>> This list hosted by: http://www.qsl.net
>>>
><https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
>>> Please help support this email list: http://www.qsl.net/donate.html
>>>
><https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>>>
>>>
>>>
>>> Our *Q-Stack Advantage* protects your systems and the information on
>>> your systems with a layered and proven approach. Quanexus provides
>managed
>>> Information Technology services for IT organizations, businesses,
>>> non-profits and more. Risk Assessments, Vulnerability Scans,
>Cabling,
>>> Telephone Systems, Surveillance and Access Control are all part of
>our
>>> value added services. Visit us at www.Quanexus.com
><https://quanexus.com>
>>> to learn more.
>>>
>>> ------------------------------
>>>
>>> DARARepeater mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:DARARepeater at mailman.qth.net
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>>
>>> ______________________________________________________________
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/d36ac83e/attachment-0001.html>


More information about the DARARepeater mailing list