Two Networks isolated from each other and the Provider

DD-WRT Forum Index -> Atheros WiSOC based Hardware (page 2 of 2)
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 10:38
the-joker wrote:
In order for anyone to help you, you need to help them help you in a simple manner and that is screenshots, logs from all related devices.


Hi the-Joker.
Since you're still asking for "Screenshots", when I know for an absolute fact that for "setup 1" they would be literally irrelevant - GIVEN MY QUESTION, I realize that you will NOT be able to help me with the security issues for my FULLY WORKING "setup 1".

But perhaps you can help me with the strictly hypothetical "setup 2". It does not EXIST - so screenshots are not even POSSIBLE! I'll repost my diagram from earlier and describe the problem in a bit more detail - in the next post.
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 10:41
TechieTroglodyte wrote:
in the next post.


For "Setup 2" I was asking "Would it be possible to put a dd-wrt Router IN BETWEEN the ONT and the Provider's Router and still get Internet Connectivity and the all important Telephone via VoIP?"

It's an important "thought experiment", because the Forums here in Spain are literally FLOODED with the request "How can I Replace that Blxxxy Awful Provider's Router?"

The issues are that the Provider REFUSES to give the ONT setup information, or even HOW to connect to it.
Further they don't have anything in their "Livebox 6+" Management Pages that relates to connection with the ONT.
In other words there seems to be no static WAN IP setup for the Livebox 6+.
I think it connects on 192.168.1.1 (plus on the Virtual Networks described below)

I EXPECT that the ONT is set up to REQUIRE a connection with a device on 192.168.1.1
I EXPECT that any Router with that IP would connect - but that without extra setup I'd lose the Telephone over VoIP!

It is known that various Providers use a "Triple Virtual Network" setup to give Internet, VoIP and IPTV. It is known that the Router MUST support Protocol IEEE 802.1Q.

Router makers don't seem to put info about support for this protocol "on the box" OR in the Manual, but I've discovered that this is simply the capability for Virtual Networks. In other words ANY Router running dd-wrt is capable! However it seems that no Router is capable of connecting to those three Virtual Networks of the Provider without manual setup. Some of that requires the setup parameters of the Providers (which they refuse to give!)

On a Spanish site, reiniciapc.com, I gained some information. He gives some of the Vlan setup parameters for all the most frequent Cable Providers here. Movistar, Vodafone, Pepephone, Orange, Virgin Telco, Adamo and Nebe FTTH.
It's lacking the special VoIP codes - I'm hoping that someone will "hack" these and share them!

That for Orange is:- (translated)
- - -
Connection Type: Dynamic IP.
Internet VLAN ID: 832 PRIORITY: 0
IP-Phone VLAN ID: 832 PRIORITY: 0
IPTV VLAN ID: 838 PRIORITY: 4

Orange can make "direct" installations (Router with integrated ONT) or "indirect" (with separate ONT).
If yours is a "direct" installation, you must put their Router into "ONT mode" and connect LAN port 4 to the WAN port of your own Router.
- - -

Mine is an indirect setup, so, with enough setup information I SHOULD be able to replace the router.

I show the relevant Network page of my tp-link Archer C7 v5 running dd-wrt (this page is exactly as default from a "reset")

I note that under "Interface" there are a number of devices listed:-
br0, eth0, vlan1, vlan2, wlan0 and wlan1.

I'm not clear whether I should be putting those parameters for some of those existing interfaces, or more probably whether I need to create new ones. What should they be called?

Could you please run me through setting up those three VLANs on my tp-link, to connect to those of the ONT of the Cable Provider.

Are there changes that would be required on any other dd-wrt page? Extra iptables rules for the Firewall? Extra "Routes" or "Bridges"?

Obviously my tp-link, even running dd-wrt does not have built in VoIP. I would need a separate Ethernet connecting VoIP unit to connect to that VLAN. I've investigated and seen such units.
These come from an older age when Providers provided the connection parameters. But now they don't! Then I would just need to hack the Providers setup parameters for that, or keep searching the internet for someone else who has...

Regards the Troglodyte
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Jun 11, 2022 11:43
The provider's router/equipment is the weak point in the security, since it is well known they do not use up-to-date kernels/libraries and components, and when known exploits are patched they will take forever and a day, and that is if the router is actively supported; many are not and never get updated. For instance even today brand new equipment is kernel 2.6 which is EOL, and I have yet to see any of them use a current OpenSSL version; the latest I've seen is 0.9.8, also EOL and filled to the brim with known exploits. That's just two aspects, there are many many more libraries that are equally critical and are ignored. The corporations responsible don't care and it's all done on purpose under what is known as planned obsolescence, a real fact of modern life and consumer equipment no matter if it's ISP provided or not.

DD-WRT on the other hand uses only currently maintained kernels/libraries and other components and these are updated regularly and any known exploits plugged. END OF, there are no ifs buts or any doubts about it.

Obviously nothing is exploit free, nothing of the kind exists, but I know I'd rather run patched code ASAP rather than whenever or never where Retail Stock/ISP firmware is concerned. So a reduced attack surface is desired. However it's up to the users to upgrade their DD-WRT regularly; minimum IMO is a 30 day interval, or less if you are really paranoid and follow/understand the patches being made into https://svn.dd-wrt.com/timeline

If the ISP forces you to use their equipment, or locks the service to a specific device MAC address, DD-WRT can spoof that address, and you would only plug that equipment in in case of any support call outs; otherwise keep it in a cupboard or in an already secured segment of your topology.

There are many other steps to secure a network like plugging any DNS leaks, using SSH tunnels, VPN/WireGuard for the WAN facing router, as well as restricting WAN access to devices that don't have any security updates or alternative firmware and blocking/filtering a ton of other things.

e.g. Filtering telemetry and other undesirables, blocking remote management, and on Firewall.asp (Security tab) check everything in there you don't use; DoS hardening (Impede WAN DoS / Bruteforce) is a must, so is filtering Java applets and ActiveX (obsolete Internet Explorer tech), ARP spoofing protection and the SPI firewall.

And if you don't use VPN, on the VPN Passthrough tab everything in there can be disabled.

Further there are firewall rules you can add and create proper ACLs filtered by traffic/ports and devices and block anything else a device doesn't need. e.g. if a device only uses a specific port for its regular operation drop all other ports and traffic types.

Also avoid using bridges instead of proper routing setups. Most people use bridges to solve networking issues and while it may work, Routing tables and routing policies are safer more manageable and there is no substitute.

Firewalls are not perfect and can be easily bypassed anyway, no exploits necessary; there are ways to harden them but it requires a lot of reconfiguration on all devices.

In the end, this won't stop anyone determined to get in, and the most common weak link is the users behind that network and the dumb things they click and sites they visit looking for pron or warez, or worse, clicking links in emails. You can't fix people. The source code is available but it's sneered at and illegal in most countries.

Also, there are other things, but that will cost you research time.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 12:15
the-joker wrote:
There are many other steps to secure a network


Hi the-Joker.
thanks for your general intro to good security tweaks. Many I already knew, but I will implement a few, that I wasn't sure about before. Thanks.

You didn't go into detail about iptables, so a very brief question.

In my working "setup #1" - I'll repost my diagram - I'd LIKE an iptables rule to prevent ANY unsolicited connection from the Orange Livebox 6+ Router. I've read that in a standard Network Topology, the Routes always direct traffic UPWARDS. This SHOULD stop Orange "snooping". I'd just like a more positive block!

Something I could understand was safe, i.e.
"Allow everything except 192.168.1.1" would not fit the bill. Depending on its order in the Firewall, that might actually override and ALLOW things blocked by other important rules!!

Instead something which implemented "Block anything unsolicited from 192.168.1.1". Or would I need to use the MAC address in that rule?

There's also the hidden Network on the Livebox 6+ at 192.168.144.1. This would also need blocking!!!
I haven't yet completed my pings of all the available addresses on 192.168.X.Y. There may well be more hidden networks or VLANs on that Router.

Regards the TechieTroglodyte
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Jun 11, 2022 12:48
In any normal system the configuration files are evaluated from top to bottom, including firewall rules.

You want to block any WAN traffic or do you want to prevent the main router from sending specific port/traffic type to a given device within the LAN?

I apologize in advance for not replacing the ebtables/iptables manual, but you need to target the device specifically in the rule; but mind the details about unmanaged vs managed switches: most routers have unmanaged switches (none you have will have a managed switch) and for LAN traffic filtering you should use managed switches.

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 13:03
the-joker wrote:
You want to block any WAN traffic or do you want to prevent the main router from sending specific port/traffic type to a given device within the LAN?


Hi again. No I don't want to block "Internet" traffic in this rule, that's covered by other security. I KNOW that this Provider Router has hidden stuff on it. 192.168.144.1 responds to pings, but doesn't give a "Management Interface". There may be more secret stuff there...

I simply don't want either Orange (or China as the Manufacturer) to be able to launch any spy activity on me...

So rules JUST to block all UNSOLICITED traffic from 192.168.1.1 and 192.168.144.1
To block absolutely everything would block the Internet, which is obviously not what I want!

Regards TechieTroglodyte

I gave this info elsewhere, but to keep it easily available, my Routers are both identical:-

Router Model - TP-Link ARCHER-C7 v5
Firmware Version - DD-WRT v3.0-r49081 std (06/04/22)
Kernel Version - Linux 3.18.140-d6 #144760 Sat Jun 4 12:00:28 +07 2022 mips
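The explicit rule the poster is asking for, as an added example that is not from the thread or from the DD-WRT project: a POSIX sh script for the Administration -> Commands -> "Save Firewall" slot that drops only unsolicited (state NEW) connections arriving on the dd-wrt WAN port from the two Livebox addresses named above, and logs them first so the block is visible in the router's syslog/dmesg. Replies to connections the LAN opened are ESTABLISHED/RELATED, not NEW, so Internet traffic and visits to the Livebox management page keep working. Assumptions not on the page: the dd-wrt WAN port is what plugs into the Livebox, and its interface name is read from nvram (`wan_ifname`), falling back to `eth0` when nvram is absent (e.g. when the script is run off-router to preview the rules). The rules use `-m state`, which the 3.18 kernel in this build supports; `-m conntrack --ctstate` is the modern equivalent.

```shell
#!/bin/sh
# Added example (not the thread's or DD-WRT's code): generate, and optionally
# apply, iptables rules that drop unsolicited connections arriving on the
# dd-wrt WAN interface from the ISP router's addresses.
#
# Assumption: the WAN interface facing the Livebox is nvram's wan_ifname;
# eth0 is only a fallback for previewing the rules on a machine without nvram.
WAN_IF="${WAN_IF:-$(nvram get wan_ifname 2>/dev/null || echo eth0)}"

# Source addresses to block: the Livebox LAN address and the hidden network
# address found in the thread.  Space-separated so POSIX sh can iterate it.
ISP_HOSTS="192.168.1.1 192.168.144.1"

# Emit the two rules for one chain.  Chains are matched top to bottom and the
# first match wins, so -I (insert at position 1) keeps these above any
# permissive rule that is added later.  DROP is inserted first and LOG second,
# so that after both inserts the chain reads LOG then DROP.
emit_chain() {
    chain="$1"; wan="$2"; ip="$3"
    echo "iptables -I $chain -i $wan -s $ip -m state --state NEW -j DROP"
    echo "iptables -I $chain -i $wan -s $ip -m state --state NEW -j LOG --log-prefix \"ISP-UNSOLICITED: \" --log-level 4"
}

# INPUT covers connections aimed at the dd-wrt box itself; FORWARD covers
# connections aimed at hosts behind it.  Only --state NEW is matched, so
# replies to LAN-initiated connections (ESTABLISHED/RELATED) are untouched.
build_rules() {
    wan="$1"; shift
    for ip in "$@"; do
        emit_chain INPUT "$wan" "$ip"
        emit_chain FORWARD "$wan" "$ip"
    done
}

# Sanity counters for the generated set (2 chains x 1 DROP/LOG per address).
count_drops() { build_rules "$@" | grep -c -- '-j DROP'; }
count_logs()  { build_rules "$@" | grep -c -- '-j LOG'; }

# Apply for real only when asked, and only where iptables exists.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    build_rules "$WAN_IF" $ISP_HOSTS | while read -r cmd; do eval "$cmd"; done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules "$WAN_IF" $ISP_HOSTS   # dry run: print the rules that would be applied
fi
```

Run it without arguments to preview the eight rules, and with `apply` on the router to install them; the `ISP-UNSOLICITED:` prefix makes hits easy to spot in the log. Two caveats worth keeping in mind: DD-WRT's SPI firewall already drops unsolicited WAN traffic by default, so what these rules add is a positive, address-specific block plus logging; and, as the-joker says later in the thread, the Livebox's own management sessions (TR-069 and the like) run between the Livebox and the ISP on the ONT side and never transit the dd-wrt box, so no rule here can see or stop them.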
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Jun 11, 2022 13:20
You can't prevent any such activity from any router which likely has management protocols hidden, like e.g. TR-069 or other unknown crap; the only way to stop it is not to have such a router WAN facing, otherwise you need to know what specifically is going on traffic wise in the long run in order to know what needs to be blocked or how.

Without knowing there is no way to mitigate specifics.

Again such a setup with such a router WAN facing is not secure. End of.

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 13:30
the-joker wrote:
otherwise you need to know what specifically is going on traffic wise in a long run in order to know what needs to be blocked or how.


I know that a lot of Firewall Rules have the format I was wanting - to block unsolicited incoming traffic. I'm disappointed that this cannot be done for a specific IP in dd-wrt.

It looks like I might have to sacrifice my Telephone "Land Line" in order to be as secure as I want.

Regards TechieTroglodyte
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Jun 11, 2022 14:13
I didn't say it can't be done; you need to use a packet sniffer in order to determine what is desired/undesired traffic, which ports, with packet type, source/target IPs and so on.

But where it comes to hidden management protocols you can't block those on the ISP router; you need to disassemble the firmware to find out what can be disabled, and this is against ToS. Most ISP routers have TR-069, which pretty much gives access to everything router side for remote management and configuration, and who knows what else is hidden in there.

Land line wise, likely there are alternatives, but that's something you need to research and buy and apply the same configuration to match the ISP so that you still have a land line, or get a dedicated land line; neither is secure anyway.

There are also standalone firewall boxes, or even better build one yourself and install pfSense or some other open source offering, that you can whack between the ONT and this ISP router and block anything undesired and still keep the landline.

But again you need to sniff the traffic to know what is desired or undesired; there is no magic firewall rule that will magically do the unknown and it's silly to just start adding rules hoping for the best.

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

Posted: Sat Jun 11, 2022 16:23
the-joker wrote:
most ISP routers have TR-069 which pretty much gives access to everything Router side for remote management and configuration and who knows what else is hidden in there.


I just read the Wikipedia article on TR-069, and was frankly horrified!

So even though I have Remote Management disabled in the Livebox 6+, it's actually Remote Access by the User that I've disabled, not Remote Management by "THEM"!

I quote the setting is (in Spanish)
"Permitir el acceso remoto del usuario"
"Permit the USER to have Remote Access" (to the Management Page).
Huh!!! What a clever choice of words, to hide from the user what's going on!!

Well - I DO have Remote Management disabled in my two dd-wrt boxes AND in Windows (in Windows I even go into "Services" and disable various services from even starting. Windows default has been to start the service even if you've selected "no" to Remote Management...)

The situation is even worse than I had thought. I'm gonna make totally replacing the Livebox 6+ a huge priority!

Regards the Troglodyte
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat Jun 11, 2022 17:26
Wise move, no way of telling what hidden crap these things have, or even if that protocol I mentioned is included, but usually ISPs have to have a way to push configurations to their equipment and this TR-069 is one of those ways; if it's still used or not, IDK. I don't have any regular ISP provided equipment per se; they have direct access to that equipment, but have no idea what I'm running inside it. Good luck to them to break the 2048-bit encryption SSH tunnel I run for incoming/outgoing traffic on non standard ports, so it's disguised.

I'm surprised you are so concerned about security and seem to know very little about what's going on behind the scenes; I don't mean this in a disparaging way, but if you never heard of TR-069 then, well... You should get yourself better informed is what I'm saying.
But having said this, security is a myth, you will be forever chasing that unicorn and getting nowhere fast.

Rule of Thumb, Stock firmware and ISP provided equipment and firmware are not trustworthy IMO.

Think about this for a second, certain 3 letter agencies in a 3 letter country somewhere to the west, have cof secure networks, professional equipment and well paid researchers and every so often they get compromised.

OK you can't compare a GOV vs a private citizen, but for the, let's call them, bad actors out there, growing their botnets and mining crypto has become amplified in the last 5 years, because some 3 letter agencies and other corporations have helped disrupt their old botnets, and these bad actors will go after ISP equipment and certain routers running stock fw with known unpatched vulnerabilities to achieve all of those interests.

But that said, no matter how tight you make your security, it's like I said, the weak link is the people behind those networks.

Just go read security news, you will soon realize what everyone already knows: want tech security? HAVE none of it, get rid of all of it, and go live under a rock. I'm considering which rock to pick at this stage...
