[plug] Safely using an untrusted router
justanothergreenguy at gmail.com
Thu Oct 22 07:57:38 UTC 2015
Oops, I'll try again...
Thanks for that Dean.
It looks a bit complicated for me, and it looks like you're having
to trust all 3 devices, whereas I'd prefer not to put any trust
in consumer-grade network devices at all, if any part of the network is
directly exposed to the Internet (preferring a VPN in such a case).
Actually, Steve Gibson (Security Now podcast) suggests chaining routers to
achieve segregation and protection of a LAN due to the NAT firewall of the
inner router, but I think the port 32764 fiasco might render this
But thanks anyhow. I didn't know you could run OpenWRT on an RPi.
Interesting project :)
On Thursday, 22 October 2015, Dean Bergin <dean.bergin at gmail.com> wrote:
> Hello Dirk,
> This is probably not going to help solve your particular issue, but one
> thing I recently did, was install OpenWRT on a Rpi2 and set up PPPoE over
> one of two subinterfaces (VLAN) to a cheap netgear modem (with the help of
> a Cisco Catalyst switch). I also put the Rpi2 OpenWRT effectively into its
> own routed subnet/DMZ (part of the design) so that even if there were to
> be some kind of funny business, things like UPnP theoretically should not
> work since my experience has taught me that most consumer-grade
> modems/routers do not route/NAT anything other than their resident subnet,
> therefore I believe that not only are UPnP implementations (and many other
> services on consumer-grade routers) usually bound to the subnet to which
> they are running on, but should be disabled in cases where the device is in
> pass-through mode.
> > Does anyone know whether 4G modems (and smart phones, for that matter)
> are assigned a publicly-routable IP address or are they
> typically NAT'd behind a small number of IP addresses of the mobile service
> provider's servers? I can't imagine billions(?) of mobile phones
> all having unique publicly-routable IP addresses (on top of all the servers
> and so on, around the world).
> I had the opportunity to test this, as I was able to tether my phone to a
> Rpi2 running OpenWRT as part of the labs I did for my now current network
> design, but I did not think to test this specific scenario.
> Shouldn't be too difficult to create a lab to test this, if someone has a
> spare raspberry pi (mine is currently in 'prod' now)?
> On Wed, Oct 21, 2015 at 6:27 PM Dirk <justanothergreenguy at gmail.com
>> Thanks Andrew. Will follow up on those ideas too, thanks.
>> However, I have another idea, a bit left field, but it may just do the
>> Does anyone know whether 4G modems (and smart phones, for that matter)
>> are assigned a publicly-routable IP address or are they
>> typically NAT'd behind a small number of IP addresses of the mobile service
>> provider's servers? I can't imagine billions(?) of mobile phones
>> all having unique publicly-routable IP addresses (on top of all the servers
>> and so on, around the world).
>> If they're NAT'd, then maybe a pre-paid 4G USB modem dongle would be the
>> way to go for low MB critical online work, eg. fetching package lists,
>> logging in to ASIC, ATO, webmail, our utilities, etc. Should block
>> all scanners on the net that are looking for routers to exploit, by virtue
>> of sitting behind the Svc provider's routers. (...and then use an unsecured
>> computer and ADSL router pair for general web browsing, content streaming,
>> Does anyone know if this would work?
>> (Of course, if a 4G dongle is not NAT'd then I don't really gain
>> On Wednesday, 21 October 2015, Andrew Cooks <acooks at gmail.com
>>> On Wed, Oct 21, 2015 at 9:43 AM, Dirk <justanothergreenguy at gmail.com>
>>>> Cheers for that Pavel. And thanks again Brad for your input. You've
>>>> both given me some ideas, although I was hoping for an easy OpenVPN option
>>>> If anyone else has any thoughts or suggestions, please let me know!
>>>> My internet access is slow enough, so I'm not really excited about
>>>> pushing everything through a VPN.
>>> I trust my router. I have a TP-Link TD-8817 modem in bridge mode,
>>> connected to a fit-pc (http://www.fit-pc.com/web/solutions/multilan/)
>>> running IPFire (http://www.ipfire.org/). IPFire tells me I can trust my
>>> DNS. IPFire packages are kept up to date. The modem could conceivably
>>> modify the PPPoE frames in transit, except that it's a dirt cheap consumer
>>> product with little functionality that could be exploitable and it's
>>> unlikely to have enough processing power to do that kind of thing.
>>> There is nowhere safe, only acceptable risks.
>> PLUG discussion list: plug at plug.org.au
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
> Kind Regards,
> *Dean Bergin*.
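Dirk's question about whether a 4G dongle sits behind carrier NAT can be settled per link rather than guessed, and the check is cheap: read the address the carrier handed the modem itself (its status page) and compare it with the address an external host sees for the link. The following is an added example written for this thread, not code posted by any of its participants; the modem status text, the addresses and the `wan_address_from_status` format are constructed for illustration. The important point it encodes is that the LAN-side address of a tethered Pi is private whether or not CGNAT is in the path, so only the modem's own WAN address (public, RFC 1918 private, or RFC 6598 shared space 100.64.0.0/10) answers the question.

```python
"""Classify a modem's carrier-assigned address to distinguish a directly
routable link from one behind carrier-grade NAT (CGNAT).
Added example for the thread above; sample data below is constructed."""
import ipaddress
import re

# RFC 6598 shared address space, allocated specifically for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return one of: cgnat, loopback, link-local, private, public, other."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat"          # checked first: Python reports 100.64/10 as neither private nor global
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"        # RFC 1918, IPv6 ULA, documentation ranges, etc.
    if ip.is_global:
        return "public"
    return "other"


def nat_verdict(wan_addr, observed_addr):
    """wan_addr: the address the carrier/ISP assigned to the modem, as shown on
    its status page.  observed_addr: the source address an external host sees
    for traffic from this link (any 'what is my address' reflector; obtaining
    it is left to the operator, this code stays offline).
    Returns: cgnat, public, translated-upstream, or unknown."""
    wan = classify(wan_addr)
    if wan in ("cgnat", "private"):
        # The carrier translates again upstream: unsolicited inbound
        # connections from the Internet never reach the modem.
        return "cgnat"
    if wan != "public":
        return "unknown"
    if ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_addr):
        # Modem holds a public address and that is what the world sees:
        # whatever it listens on is reachable by Internet scanners.
        return "public"
    # Public on the modem, yet rewritten on the way out (e.g. a 1:1 mapping).
    return "translated-upstream"


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def wan_address_from_status(text):
    """Pull the first IPv4 address from a line mentioning 'WAN' in a modem
    status dump.  The line layout is a constructed, hypothetical format."""
    for line in text.splitlines():
        if "wan" in line.lower():
            m = IPV4_RE.search(line)
            if m:
                return m.group(0)
    return None


# Constructed status page of a hypothetical 4G dongle.
SAMPLE_STATUS = """\
Device: generic 4G dongle (constructed sample)
LAN IP: 192.168.8.1
WAN IP: 100.72.3.4
DNS: 10.11.12.13
"""

if __name__ == "__main__":
    wan = wan_address_from_status(SAMPLE_STATUS)
    # A reflector address is only needed when the WAN address is public;
    # the constructed sample is shared space, so the verdict is "cgnat".
    print(wan, classify(wan), nat_verdict(wan, "8.8.8.8"))
```

A "cgnat" verdict supports the approach Dirk describes: Internet-wide router scanners cannot initiate connections to the dongle. A "public" verdict means the dongle is exactly as exposed as a public-facing ADSL router, so its management interface and any listening services deserve the same scrutiny.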