Anti-probing protection


Denna

Senior Member
Is there any way to prevent LAN and Wi-Fi connected devices (i.e., IoT) from probing the local network?
 
Firewalling every client is the only way to hinder probing. There is no way to stop a client from probing the local network, especially if other clients are broadcasting packets over the air.
 
You could put your IOT devices on a separate VLAN/LAN and isolate the network.
 
Is there any way to prevent LAN and Wi-Fi connected devices (i.e., IoT) from probing the local network?

Depends - AP Isolation and the Guest SSID is a good start - the clients will not be able to talk to each other, and the Guest WLAN segregates traffic there... so each client can talk to the internet/cloud they are part of...

But the big deal is the IOT clients themselves - and yes, that is a problem... as many of those clients are designed first for functionality, and second for security...

FWIW - I specifically do not have IOT clients/devices on my network - period... not that I don't trust the vendors, it's just an issue I do not need to have - I haven't found an IOT device from a commercial vendor that meets needs that I have...
 
Is there any way to prevent LAN and Wi-Fi connected devices (i.e., IoT) from probing the local network?

I guess it also depends on the functionality of the IoT device within the home LAN. For instance, I use the Wemo stuff and can control it from both the WWW and within my own LAN; if you isolate the LAN for the IoT device, this local control would be lost. You may also find that the IoT devices need to communicate with each other over the local LAN, like the Ring doorbell and the like.

So it does depend on what the IoT device is and what effect isolating it from the LAN would have.
 
1) Does Asuswrt-Merlin support dynamic VLANs?

2) How do you use VLANs to isolate devices from the network and allow them to access the WAN without allowing them to probe the local network?
 
What do you mean by probing?

Turn on ARP logging
Code:
ebtables -t broute -I BROUTING -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -I INPUT -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -I OUTPUT -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -I FORWARD -p ARP -j CONTINUE --log --log-arp --log-level 7

Watch the ARP broadcasts and replies
Code:
watch -n 1 dmesg

Turn off ARP logging
Code:
ebtables -t broute -D BROUTING -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -D INPUT -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -D OUTPUT -p ARP -j CONTINUE --log --log-arp --log-level 7
ebtables -D FORWARD -p ARP -j CONTINUE --log --log-arp --log-level 7
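As an added example (not part of Fitz Mutch's post and not Asuswrt-Merlin code), here is a small POSIX shell/awk filter that turns the logged ARP lines from dmesg into a per-client count of distinct addresses requested. A client that asks for many different IPs in a short window is what a LAN sweep looks like at the ARP layer, so this is the signal to watch for once the logging rules above are in place. The sample log lines are constructed to approximate the ebt_log kernel layout (fields `OPCODE=`, `ARP IP SRC=`, `ARP IP DST=`); check the field names against your own dmesg output before relying on the filter.

```shell
#!/bin/sh
# Added example, not from the thread: summarise ebtables ARP logging output so
# that a client asking for many distinct addresses stands out.
# Assumption: log lines follow the ebt_log kernel layout
#   "IN=... OUT=... MAC source = ... proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800,
#    OPCODE=1 ARP MAC SRC=... ARP IP SRC=... ARP MAC DST=... ARP IP DST=..."
# Verify the field names against real dmesg output on your router.

# Constructed sample of what dmesg might show with the logging rules enabled.
# 02:00:00:00:00:aa (192.168.1.50) asks for four different hosts, one of them twice;
# 02:00:00:00:00:bb (192.168.1.60) asks only for the router; the router's own
# reply (OPCODE=2) is present to show that replies are ignored.
sample_log() {
cat <<'EOF'
[  100.10] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:aa MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:aa ARP IP SRC=192.168.1.50 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.1
[  100.11] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:aa MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:aa ARP IP SRC=192.168.1.50 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.2
[  100.12] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:aa MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:aa ARP IP SRC=192.168.1.50 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.3
[  100.13] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:aa MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:aa ARP IP SRC=192.168.1.50 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.4
[  100.14] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:aa MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:aa ARP IP SRC=192.168.1.50 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.2
[  100.20] IN=wl0.1 OUT= MAC source = 02:00:00:00:00:bb MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:bb ARP IP SRC=192.168.1.60 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.1.1
[  100.21] IN= OUT=wl0.1 MAC source = 02:00:00:00:00:01 MAC dest = 02:00:00:00:00:aa proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=02:00:00:00:00:01 ARP IP SRC=192.168.1.1 ARP MAC DST=02:00:00:00:00:aa ARP IP DST=192.168.1.50
EOF
}

# Read log lines on stdin and print "<requester ip> <distinct targets>" for every
# ARP requester (OPCODE=1) that asked about more than $1 distinct IP addresses.
# Repeated requests for the same target are counted once, and replies (OPCODE=2)
# are ignored, so a chatty but well-behaved device does not trip the threshold.
arp_request_fanout() {
  awk -v threshold="$1" '
    /OPCODE=1/ {
      # "ARP IP SRC=" and "ARP IP DST=" are 11 characters long
      if (match($0, /ARP IP SRC=[0-9.]+/)) src = substr($0, RSTART + 11, RLENGTH - 11); else next
      if (match($0, /ARP IP DST=[0-9.]+/)) dst = substr($0, RSTART + 11, RLENGTH - 11); else next
      if (!((src, dst) in seen)) { seen[src, dst] = 1; fanout[src]++ }
    }
    END { for (s in fanout) if (fanout[s] > threshold) print s, fanout[s] }
  '
}

# Usage on the router: dmesg | arp_request_fanout 20
# Against the constructed sample, only 192.168.1.50 exceeds a threshold of 3.
sample_log | arp_request_fanout 3
```

The threshold is the tuning knob: on a small home LAN a device that legitimately talks to a handful of peers (a hub and its sensors) will sit in the single digits, whereas a sweep of a /24 produces dozens of distinct targets within seconds. Pipe `dmesg` through the function periodically, or feed it a saved copy, and investigate any requester that exceeds the threshold.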
 
@Fitz Mutch,

Network probing is defined as the actions taken by a device to scan a network looking for resources to access, sometimes in an unauthorized fashion.

If I configured a Chromecast device to access the Internet through the router, I'd like to ensure that it had the ability to access the Internet and nothing else.

On this router, there is no resource sharing between LAN devices. The router is strictly for the purpose of connecting multiple devices to the Internet.

I'm looking for a way to make it so that none of the devices connected to the router can discover and access another LAN device (excluding the router).
 
I'm looking for a way to make it so that none of the devices connected to the router can discover and access another LAN device (excluding the router).

Guest Network - which makes for a VLAN for the Wireless Clients associated to the Guest Network
AP Isolation - clients can only talk to the router, not with other WLAN clients

Assign the untrusted devices to the Guest WLAN, enable AP isolation.

Problem solved. Keep it simple...
 
1) Does Asuswrt-Merlin support dynamic VLANs?

No... and it's pretty much out of scope for a home Router/AP... one can explore OpenWRT, which does support it, and perhaps DD-WRT (I haven't checked), but dynamic VLANs are a policy thing that one normally associates with RADIUS, and there - RADIUS can do a lot of things beyond just Enterprise level auth - RADIUS can also define policies around the user and groups...

2) How do you use VLANs to isolate devices from the network and allow them to access the WAN without allowing them to probe the local network?

Because VLANs can break up broadcast domains - this is a bit beyond the normal user, and in some ways, outside of the scope of a home Router/AP.

If one is looking for this level of functionality - then one can find other options - note, I didn't say better, just other...

pfSense is a good place to start looking - and then finding APs that can map SSIDs to VLANs.... either explicitly or implied... Airports are interesting as they do map the GUEST WLAN to a specific VLAN ID... 1003

I'm sure that someone could do the same with AsusWRT under the hood, and put things in a similar space. If not, there's always OpenWRT/DD-WRT...
 
In this example, wireless access is disabled on the router and only Ethernet connected devices are involved.

The idea for isolating Ethernet connected devices on the router is to:

1) Create a new VLAN.

2) For each Ethernet connected device, assign its router port to the new VLAN.

Do you have to duplicate iptables rules to support the new VLAN interface?

Is blocking a device from discovering/accessing other devices on a router about stopping ARP information from passing between those devices?

So assigning each port to a unique VLAN would create its own broadcast domain, thereby walling off the ARP traffic between Ethernet devices on the same network?

For example, couldn't a device on vlan3 send an ARP request to the router to discover devices on vlan1?

Would "arptables" support help in this situation?
 
Do you have to duplicate iptables rules to support the new VLAN interface?
If it will help you, here's how I customized my Asus Guest Network.

/jffs/scripts/vlan-rules.sh
Code:
#!/bin/sh
WANIF="$1"
IPADDR=$(/usr/sbin/nvram get lan_ipaddr)
NETADDR=$(/usr/sbin/ip route|/bin/grep br0|/usr/bin/cut -d' ' -f1)
HWADDR="$(nvram get lan_hwaddr)"

#########################################################################################################
# LAN port 4 on the RT-AC68U is a trunk port for a 24-port managed gigabit Ethernet switch
# that has 12 guest Ethernet ports (vlan14), 11 full access Ethernet ports (vlan1),
# and 1 uplink Ethernet port (vlan1 + vlan14)

/usr/sbin/robocfg show | /bin/grep -qF "vlan14:"
if [ $? -ne 0 ]; then
  /usr/sbin/robocfg vlan 1 ports "1 2 3 4 5t" # port 4 is tagged vlan1 by the switch
  /usr/sbin/robocfg vlan 14 ports "4t 5t"      # port 4 is tagged vlan14 by the switch
#  /usr/sbin/robocfg vlan 1 ports "1 2 3 5t"    # Asus router leaves ports 1-3 untagged
#  /usr/sbin/robocfg vlan 14 ports "4t 5t"       # Asus router tags port 4 with vlan14
  /sbin/vconfig add eth0 14
  /sbin/ifconfig vlan14 up
  /usr/sbin/brctl addif br0 vlan14
fi

#########################################################################################################
# Re-implementation of device isolation for AsusWRT Guest Network

ebtables() {
  local cmdline="$@"
  local deleteline="$(/bin/echo $cmdline | /bin/sed -r 's/(\s*-)(I|A)(\s+[a-zA-Z]\w*)(\s+[0-9]*\s+|\s+)(.*)/\1D\3 \5/')"
  # if the rule is Insert or Add, then remove all duplicates
  if [ "$deleteline" != "$cmdline" ]; then
    /usr/sbin/ebtables $deleteline > /dev/null 2>&1
    while [ $? -eq 0 ]; do
      /usr/sbin/ebtables $deleteline > /dev/null 2>&1
    done
  fi
  # apply the rule
  /usr/sbin/ebtables $cmdline
}


for IF_GUEST in wl0.1 wl1.1 vlan14 ; do

  # Remove the AsusWRT guest network rules, if any
  ebtables -t broute -D BROUTING -p IPv4 -i $IF_GUEST --ip-dst $NETADDR --ip-proto tcp -j DROP

  # For each guest network physical interface, un-bridge all frames entering the
  # bridge interface (br0) that are destined for the local network,
  # for protocols IPv4 and ARP
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-dst $NETADDR -j DROP
  ebtables -t broute -I BROUTING -p ARP  -i $IF_GUEST --arp-ip-dst $NETADDR -j DROP
  #ebtables -t broute -I BROUTING -p IPv6 -i $IF_GUEST --ip6-dst $NETADDR -j DROP

  # Stay bridged (br0): ARP broadcasts
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST -d ff:ff:ff:ff:ff:ff -j ACCEPT

  # Stay bridged (br0): ARP reply from/to router
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST --arp-ip-src $IPADDR -j ACCEPT
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST --arp-ip-dst $IPADDR -j ACCEPT

  # Stay bridged (br0): DHCP client: Discover, Request
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT

  # Stay bridged (br0): DHCP client: Release
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT

  # Stay bridged (br0): DHCP server: Offer, ACK
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $IPADDR --ip-dst $NETADDR --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT

  # Stay bridged (br0): DNS
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-dport 53 -j ACCEPT

  # Stay bridged (br0): NTP
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-dport 123 -j ACCEPT

  # Stay bridged (br0): MiniDLNA
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-dst $IPADDR --ip-proto tcp --ip-dport 8200 -j ACCEPT

  # Stay bridged (br0): HP printer
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST -s xx:xx:xx:xx:xx:xx --ip-proto tcp --ip-sport 9100 -j ACCEPT

  # Drop all un-bridged frames for this physical interface (device isolation happens here)
  ebtables -I FORWARD -o $IF_GUEST -j DROP
  ebtables -I FORWARD -i $IF_GUEST -j DROP

  # Allow SSDP multicast to discover MiniDLNA
  ebtables -I FORWARD -i $IF_GUEST -p IPv4 --ip-proto udp -d 01:00:5e:7f:ff:fa --ip-dport 1900 -j ACCEPT

done
 