[DARARepeater] LAN Routing
Derek Gooley
dgooley at gmail.com
Tue Oct 13 15:50:57 EDT 2020
>There is an incredible amount of internal v6 running on many network today.
That should concern you.
On Tue, Oct 13, 2020 at 3:47 PM Jack Gerbs <jgerbs at quanexus.com> wrote:
> Totally agree with Jim on this. IPv6 is not going to leave your network.
> Your ISP, today, is only running IPv4 and you would need to translate v6 to
> v4 at your gateway. The threat from IPv6 is an internal threat, where the
> malicious actor, once on your network, would look to exploit v6
> vulnerabilities. it. There is an incredible amount of internal v6 running
> on many network today.
>
> 73, Jack, WB8SCT
>
>
>
> *From:* dararepeater-bounces at mailman.qth.net <
> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Jim Bacher, WB8VSU
> *Sent:* Tuesday, October 13, 2020 3:38 PM
> *To:* Derek Gooley <dgooley at gmail.com>
> *Cc:* DARA Repeater List <dararepeater at mailman.qth.net>
> *Subject:* Re: [DARARepeater] LAN Routing
>
>
>
> Derek, in general router advertising never leaves the network it was
> broadcast on. As it would be an unsolicited packet on the incoming router,
> the router would automatically block the packet. For a home user I don't
> see it as a threat. For a corporation that is a threat.
>
> My windows box just informed me it needs to reboot, so they must have
> pushed out the patch.
>
> Jim Bacher, WB8VSU
>
> wb8vsu at arrl.net
>
> https://trc.guru
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,KnRqymRIVRLWhfeBfW3OdAoBiKzGSYbsssk3Fzfm1s4bfNfvCIJf2AiWAA-oJJmvErX2_vy67tFVwig3oh8awpnodHhx_6kefCH7i1NkkVI_8FKlPy0t3FqS&typo=1>
>
> On Oct 13, 2020, at 2:45 PM, Derek Gooley <dgooley at gmail.com> wrote:
>
> I'm not moving to IPv6 any time soon.
>
>
>
>
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
>
>
>
> On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU < wb8vsu at arrl.net> wrote:
>
> Mark, most IoT devices now days are going to be IPv6 and IPv4. If you have
> IPv6 turned off on your 2nd router then Jack's suggestion is a good easy
> choice. If you have IPv6 turned on, then it won't work if the devices have
> IPv6 enabled.
>
> Everything is automatic under IPv6 which makes it more difficult to block
> an outgoing packet. Incoming are blocked by default. My two routers are
> capable of blocking networks or devices, whether they are IPv4 or IPv6.
> That can be complex to accomplish depending on the router and whether IPv6
> is turned on.
>
>
>
> Most of the risk with IoT, is allowing remote access to it and not
> changing the default password. So if you don't allow remote access, the
> device didn't have contamination on it when you bought it and you don't let
> it update there shouldn't be a problem.
>
> Most of the issues I am aware of are due to pin holes created for a IoT
> device on the firewall / router to allow remote access or having a
> contaminated OS to start with. Jack may know of others as he is more
> up-to-date than I am on IT.
>
> I am running IPv6 on my home networks. From what I can tell, more than 90%
> of the traffic is now IPv6 as a result. Most noticeable when running an
> update on a Raspberry Pi, as it will show where it's pulling the updates
> from. The bulk are from IPv6 addresses. Smart phones are also mostly IPv6
> and you can't disable IPv6 on the cell phone.
>
> Jim Bacher, WB8VSU
>
> wb8vsu at arrl.net
>
> https://trc.guru
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,m8tD1_20ndS5wLp-5E32tqliSHgmj8kO5tJB78TOo3a1g7LjPRTUaU_Pqqoqpp4DFCo5VOMUSnf1xFNW9pG2jaPJJ8VtE1hHqmW71UETYKMgaewIJ3_0SAuiuQ,,&typo=1>
>
> On Oct 12, 2020, at 12:18 PM, Jack Gerbs < jgerbs at quanexus.com> wrote:
>
> Mark,
>
> An easy way to not allow devices to access the internet is to not put
> in a default gateway on the device, or put an unused address in for the
> default gateway. A more common way to do it is to create a rule that blocks
> the device from accessing the WAN port. Not sure your level of experience
> with firewalls, so don’t take this the wrong way, firewalls execute rules
> (ACLs) from top down, your more restrictive rules need to be applied first.
>
> Jack
>
>
>
> *From:* dararepeater-bounces at mailman.qth.net <
> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Mark Erbaugh
> *Sent:* Monday, October 12, 2020 12:11 PM
> *To:* Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
> *Subject:* Re: [DARARepeater] LAN Routing
>
>
>
> Derek,
>
>
>
> Thanks. I’ll have to take some time to digest all that and learn to craft
> firewall rules.
>
>
>
> Another approach I was considering was connecting those devices to the
> secure network as long as I can configure the firewall to not allow them to
> access or be accessed from the Internet. Unlike my smart TV’s and Amazon
> Echo’s they don’t need access to the Internet to function. Would that
> approach be preferable to allowing connections across the subnets?
>
>
>
> 73,
>
> Mark
>
>
>
>
>
>
>
> *From: *Derek Gooley <dgooley at gmail.com>
> *Sent: *Monday, October 12, 2020 11:40 AM
> *To: *Mark Erbaugh <mark.election at gmail.com>
> *Cc: *dararepeater at mailman.qth.net
> *Subject: *Re: [DARARepeater] LAN Routing
>
>
>
> Having the devices on separate subnets or VLANs won't secure anything if
> they're still routable to eachother. You need to create firewall rules to
> block traffic between them.
>
>
>
> You could create a rule allowing traffic from your secure network to your
> IOT network, a rule allowing established connections from your dirty
> network to a secure network (so devices can communicate with hosts on your
> secure network once a connection is established), and a rule disallowing
> all other outbound and inbound traffic from your dirty network to achieve
> what you're asking.
>
>
>
> Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
>
>
>
>
> https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>
>
> https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>
>
> https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>
> On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com> wrote:
>
> I’ve started adding IOT devices to my home. Following some security advice
> https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
> , I’ve configured two sub-nets, one for my computers which are secure (at
> least I’m running security software on them) and one for the IOT devices
> which I don’t trust as much. Hopefully, this will prevent an attacker from
> exploiting a weakness in one of my IOT devices to attack my secure
> computers.
>
>
>
> But I have found a need for an exception to my configuration. I have a
> couple of devices that I don’t fully trust to be on my secure network that
> I need to communicate with from my computer on the secure network:
>
> - FlexRadio 6700 (internal Linux software with unknown security)
> - Raspberry Pi running OctoPi server to control my 3d printer
>
>
>
> Right now, I’ve left the Flex on the secure network, so I’m trusting the
> Flex developers and I’m not using the OctoPi.
>
>
>
> Is it possible to put these devices on the secure network but configure
> the router (I’m currently using a Ubiquity EdgeRouter X) so that they can
> be accessed from inside the network, but that they can’t access the
> internet? I’m assuming that if the device can’t access the Internet, the
> Internet can’t access the device – is that a valid assumption?
>
>
>
> If so, how?
>
>
>
> One suggestion I saw was to implement parental controls on those devices,
> but I see no mention of parental controls in the EdgeRouter configuration.
>
>
>
> 73,
>
> Mark
>
>
>
>
>
>
>
>
>
> ______________________________________________________________
> DARARepeater mailing list
> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
> Help: http://mailman.qth.net/mmfaq.htm
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
> Post: mailto:DARARepeater at mailman.qth.net
>
> This list hosted by: http://www.qsl.net
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
> Please help support this email list: http://www.qsl.net/donate.html
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>
>
>
> Our *Q-Stack Advantage* protects your systems and the information on your
> systems with a layered and proven approach. Quanexus provides managed
> Information Technology services for IT organizations, businesses,
> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
> Telephone Systems, Surveillance and Access Control are all part of our
> value added services. Visit us at www.Quanexus.com
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fquanexus.com&c=E,1,6czxhaCxN0Q-ydvLV5kfrIpxet8EYuJn60a4iMjxQ5GPqiR5R9atLPac-LQVEVi9sCxdyv4fB2eD8CTlbOAdL22AczjvT-Kb1TDyc8J7DVsCVto,&typo=1>
> to learn more.
>
>
>
> ------------------------------
>
>
> DARARepeater mailing list
> Home: http://mailman.qth.net/mailman/listinfo/dararepeater <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,UNLrpe8vboBKS8gzg55g1gs_YtBNAV4Jjby8TemabRN1Gv5pFzTZXtyjX64x_K6rVno-cgdoM7cz-pB5vWH4WFzjXX6WeN04WzSaZf4WsGmqEt4_6EoCQl8OWY4,&typo=1>
> Help: http://mailman.qth.net/mmfaq.htm <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,yzuxz_uMPl0Z3lh25-wB8NGyn_YWoMQAvttUlq7dOhtkjvPQh-tdhWSb4TGxEolyaPc9Oz90wZD7a7ycYh7RLJVTfQq6R0Wb3qE2s7gMgKFR-A0,&typo=1>
> Post: mailto:DARARepeater at mailman.qth.net
>
> This list hosted by: http://www.qsl.net <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,BsiRmYcc_RlpfAXBXGDTXb1NVq25Zo5D63ksJo6UI_1y28fDuqmeu6R4gDcGYm3WeYGbvWVx-dbBui3UJ7PgM0QMstCcUMGCXRg1MEMB6F7uW3M,&typo=1>
> Please help support this email list: http://www.qsl.net/donate.html <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,XsC3rrPSbQB-sDHUigu1hwlGiUoNT1eB0_NoPa8YBjhN2PC9MJ4CyR4C9_fmsRbSvVEk1fcNrH9MbiYRSETSY_dVtfljBhf3wBpPs6B0&typo=1>
>
> ______________________________________________________________
> DARARepeater mailing list
> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,qVrp1lR00oHPaHv9Lk0EuW74IesuPmELzTToNFKs6XOqSS5QwjY7kQJpXouzuFxoQ7vVIZy9JEQLPi9SnAc2wfIOCpl-XVB8fcVPHOWXeiEEDCRZOB7D&typo=1>
> Help: http://mailman.qth.net/mmfaq.htm
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,RDsNDrsTcBzDFywGZ9RdgL46RxKWImzIaBEBDZaJYzUsd5DQVuYRc5IzYqtMGpXkwVV9GFl1q5Bm_hJDN8j-qg797R3yJedlHz134ifgDA0Qs94,&typo=1>
> Post: mailto: DARARepeater at mailman.qth.net
>
> This list hosted by: http://www.qsl.net
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,APpCDBWncRMtfd6w6aTLmfsL_mj8BPFA7SQ_XJZK-nuWpnYiKjOtqNWr54k-CAsrANR6S-pz-vqLPMJk6rxPG5PEQFeGOFGskk4DzcQZM2EZERC0S9Gnecik&typo=1>
> Please help support this email list: http://www.qsl.net/donate.html
> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,-AJ5vOLxPAkOuWHLVNI-5kWCjWV4QvOUJOs88j_7DhI7TmMAOixzbwOl6i9phKzYitnXjTuvsX0vSdKQVy8NASeQwAZTbdH4hrr2HajOx0E,&typo=1>
>
> Our *Q-Stack Advantage* protects your systems and the information on your
> systems with a layered and proven approach. Quanexus provides managed
> Information Technology services for IT organizations, businesses,
> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
> Telephone Systems, Surveillance and Access Control are all part of our
> value added services. Visit us at www.Quanexus.com <https://quanexus.com>
> to learn more.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/cb455792/attachment-0001.html>
More information about the DARARepeater
mailing list