Tighter router security?

brossyg

Occasional Visitor
We have an ASUS RT-AC68U in a SOHO environment with 30+ devices on the LAN side of the router. We use port forwarding in order to access certain computers and three NASes remotely. The computers behind the router all have Norton Security installed, but the three NASes and also mobile devices have no machine-level security (other than passwords).

Our network was scanned by Security Metrics yesterday and they were able to detect all machine names on the computers and NASes behind the router, which surprised me. Then I realized that this is the problem with port forwarding ... these ports are open.

So, we would like the router to restrict incoming requests to only one or two laptops or mobile devices that use Microsoft Remote Desktop, or an iPad that uses the Qnap app to access files on the Qnap NAS.

The ASUS RT-AC68U does not seem to have this level of filtering, and restricting incoming traffic by MAC address seems to be problematic (based on a quick Google search).

What is the best way to stop incoming traffic, other than closing all ports?
 
The best way is to use VPN. That way you can close those ports but still get to it from all your devices through VPN. This is what I do to access resources on my home network remotely.
 
I second that. VPN is the way to go, especially in a business environment. The only port forwards should be for public services such as mail/web/ftp servers.
 
OK. Thx. So I need a little help with that.

Let's say I am in a hotel room 1000 miles away on my laptop trying to log in to my SOHO computer using Microsoft Remote Desktop. Currently, I log in using the WAN IP of my router plus the ":XXX" for the port forwarded to the specific computer I am trying to connect to.

How do I do this using a VPN?
Is the VPN created on my laptop, the SOHO router or the SOHO computer it is connecting to?

If the VPN is created by the router, when I enable a VPN on the router, is there a specific VPN IP address use when logging in from my remote laptop and does that VPN IP go straight through to my SOHO desktop?

Does that mean I need a separate VPN for each SOHO desktop I am trying to reach from the remote laptop?
 
On the router you will configure the OpenVPN server, and create the desired usernames and passwords.

On the laptop you will install the OpenVPN client, along with the pre-generated config file you download from the router.

First, you will connect the laptop to the router by running the OpenVPN client, which will connect to the router using the WAN IP. This will establish a tunnel between your hotel and your office's network. Then, you will run the RDesktop client, using the desktop's private IP at the office (i.e. 192.168.1.xxx).

This means that you can also access any LAN device through your tunnel, including NAS shares. You use whatever IP they have at the office, and the tunnel will route it between your hotel and the office.

You might need to check the security configuration on your PCs at the office, however, and ensure that their own firewalls allow connections from your remote laptop (as it will use an IP in the 10.8.0.xxx/24 subnet).
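One way to do that firewall check on a Windows office PC, as an added example (not from the thread or from ASUS): scope the built-in Remote Desktop rules so they accept connections only from the office LAN and the tunnel subnet, assuming the 192.168.1.0/24 and 10.8.0.0/24 ranges mentioned above.

```powershell
# Added example, not from the thread. Scope the built-in "Remote Desktop" rule group
# on an office PC so RDP is reachable only from the office LAN and from the OpenVPN
# client pool the router hands out. Assumed ranges (from the thread; adjust if yours
# differ): office LAN 192.168.1.0/24, OpenVPN clients 10.8.0.0/24.
# Run in an elevated PowerShell session.
$allowedFrom = @('192.168.1.0/24', '10.8.0.0/24')

# Restrict every rule in the group to those source ranges and make sure the group
# is enabled (it is often left disabled until Remote Desktop is first turned on).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $allowedFrom -Enabled True

# Verify: print each rule in the group together with the remote-address scope it now has.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0} [enabled={1}] remote={2}' -f $_.DisplayName, $_.Enabled, $scope
}
```

If Norton Security has taken over the host firewall on those PCs, the same source-address scoping has to be applied in its rules instead, since the Windows rules are then not the ones being enforced.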
 
Thx! But the office computers all have typical 192.168.1.xxx LAN addresses and the subnet is 255.255.255.0.

If the IPs of the local computers in the office are changed, then the office LAN won't work.

Does the VPN have to use 10.8.0.xxx with a different subnet?

...and actually, the IP of the laptop will change depending on the IP it is assigned by the hotel's DHCP.
 
If the IPs of the local computers in the office are changed, then the office LAN won't work.
That's not what he's saying. Everything on your LAN stays the same.

The VPN tunnel creates a new network (10.8.0.x) just for the remote connections. He's saying that you might have to change the office PCs to allow connections from 10.8.0.x.

Just try it and see. It'll make sense when you see it in action (or Google for OpenVPN).
 
Could one not do something like:

### Drop PPTP access to all except our own MAC Address ###
iptables -I INPUT -p tcp --dport 1723 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP
 
Could one not do something like:

### Drop PPTP access to all except our own MAC Address ###
iptables -I INPUT -p tcp --dport 1723 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -j DROP

MAC addresses are only valid within a LAN segment, they do not carry over the Internet.
 