Blocking traffic

DD-WRT Forum Forum Index -> Advanced Networking
FlaParrotHead (DD-WRT Novice, Joined: 04 Nov 2020, Posts: 44)
Posted: Fri Jun 04, 2021 15:19    Post subject: Blocking traffic
Is there a way I can block all INBOUND WAN traffic to one local LAN IP address (all protocols) with the exception of a single TCP port (used for Plex)? I do not want to impact local LAN traffic to that device.

The reason is that the device (a NAS server) is seeing, and blocking, a significant amount of what appear to be UDP hits and I’d like to shut them down.

_________________
Linksys WRT3200ACM
Kernel: 4.9.231 #1979 SMP Sun Aug 2 03:35:09 +03 2020 armv7l
DD-WRT v3.0-r44048 std (08/02/20)
OpenVPN: ExpressVPN
Devices: Sonos, Apple, QNAP, other
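The rule set the question asks for, as an added example that is not from this thread or from DD-WRT itself. It assumes the router's WAN interface is eth0, the NAS is 192.168.42.10 and the allowed port is 32400 (Plex Media Server's default); none of those values are stated in the post, so adjust them. The rules sit in the FORWARD chain because the NAS is behind the router's NAT, and every rule matches only packets entering on the WAN interface, so LAN-to-NAS traffic is untouched:

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): limit WAN-originated
# traffic to one LAN host to a single TCP port, leaving LAN-to-host traffic alone.
# Assumed values, none of them stated in the post; override via the environment.
WAN_IF="${WAN_IF:-eth0}"             # router WAN interface
NAS_IP="${NAS_IP:-192.168.42.10}"    # the NAS on the DD-WRT LAN
PLEX_PORT="${PLEX_PORT:-32400}"      # Plex Media Server's default port

# The three rules, in the order they must sit at the top of FORWARD.
# Each matches only packets entering on $WAN_IF, so traffic between LAN hosts
# (which never crosses the WAN interface) is not affected.
#  1: replies to connections the NAS opened itself; once conntrack has undone
#     the SNAT they enter on $WAN_IF with DST=$NAS_IP, so without this rule the
#     final DROP would cut the NAS off from everything outbound.
#  2: the one forwarded service (the NAT/QoS port forward's DNAT has already
#     rewritten DST to $NAS_IP in PREROUTING, before FORWARD sees the packet).
#  3: everything else from the WAN side to the NAS, any protocol.
nas_rules() {
    printf '%s\n' \
      "iptables -I FORWARD 1 -i $WAN_IF -d $NAS_IP -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -I FORWARD 2 -i $WAN_IF -d $NAS_IP -p tcp --dport $PLEX_PORT -j ACCEPT" \
      "iptables -I FORWARD 3 -i $WAN_IF -d $NAS_IP -j DROP"
}

# Optional: drop SSDP discovery packets that reach the router's own WAN address
# from an upstream LAN before DD-WRT's logging rule sees them. They are dropped
# anyway; this only stops them from filling the log.
ssdp_quiet_rule() {
    printf '%s\n' "iptables -I INPUT 1 -i $WAN_IF -p udp --dport 1900 -j DROP"
}

# Self-check: the catch-all DROP must be last, and every rule must be WAN-scoped.
check_rules() {
    rules=$(nas_rules)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in *"-j DROP") ;; *) return 1 ;; esac
    if printf '%s\n' "$rules" | grep -qv -- "-i $WAN_IF"; then return 1; fi
    return 0
}

# "sh nas-fw.sh apply" runs the rules on the router; with no argument it only
# prints them, which is what you paste into DD-WRT's firewall script.
case "${1:-print}" in
    apply) { nas_rules; ssdp_quiet_rule; } | sh -e ;;
    *)     nas_rules; ssdp_quiet_rule ;;
esac
```

Paste the printed iptables lines into Administration -> Commands and use Save Firewall, so DD-WRT re-applies them whenever it rebuilds its rules; keep the existing NAT/QoS port forward for Plex, since the DNAT happens before FORWARD sees the packet. The ESTABLISHED,RELATED rule is not optional: the final DROP would otherwise block the replies to every connection the NAS opens itself. DD-WRT's default NAT already drops unsolicited WAN traffic to a LAN host that has no port forward, so the explicit DROP mainly matters when a DMZ host or broader forwards exist.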

egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 7924, Location: Netherlands)
Posted: Fri Jun 04, 2021 15:48
Transferring this to the right forum.

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

If you have not already read the forum guidelines, please do !!

_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
FlaParrotHead (DD-WRT Novice, Joined: 04 Nov 2020, Posts: 44)
Posted: Sat Jun 05, 2021 3:35
I finally was able to catch what I think are the hits on my NAS, could someone suggest what blocks I need to keep these from coming into the interface at all?

Jun 4 23:30:25 ABCDD_WRT kern.warn kernel: [132367.147169] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:4b:b8:a5:cc:08:00 SRC=192.168.1.11 DST=192.168.1.255 LEN=400 TOS=0x00 PREC=0x00 TTL=64 ID=15601 DF PROTO=UDP SPT=34616 DPT=1900 LEN=380

So, a little more information. The device with 192.168.1.11, which is on the subnet of the ISP router in front of my DD-WRT router, is an Nvidia Shield streaming box, not on the subnet of the DD-WRT device.

Any clue what the shield may be trying?

kernel-panic69 (DD-WRT Guru, Joined: 08 May 2018, Posts: 9522, Location: Texas, USA)
Posted: Sat Jun 05, 2021 4:49
I'm pretty sure sniffing on the 192.168.1.0/24 network with Wireshark will tell you exactly what those packets are, *but* that is UPnP/SSDP broadcast, if I am not mistaken. I do not enable either on anything.

https://www.google.com/search?q=udp+1900+purpose

_________________
Official Forum Rules, Guidelines & Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW • TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
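Triage for DROP lines like the one posted above, as an added example that is not from the thread or from DD-WRT. The posted line is the router's own drop of an SSDP packet (UDP 1900 to the 192.168.1.255 broadcast address) arriving on the WAN interface from the upstream ISP LAN; the script separates that kind of discovery chatter from unicast that actually came from the Internet. The two extra sample lines are constructed (203.0.113.0/24 is documentation address space) and the label names are my own:

```shell
#!/bin/sh
# Added example (not from the thread): triage DD-WRT/netfilter DROP log lines.
# POSTED_LINE is the line from the thread; the other two samples are constructed.
POSTED_LINE='Jun 4 23:30:25 ABCDD_WRT kern.warn kernel: [132367.147169] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:4b:b8:a5:cc:08:00 SRC=192.168.1.11 DST=192.168.1.255 LEN=400 TOS=0x00 PREC=0x00 TTL=64 ID=15601 DF PROTO=UDP SPT=34616 DPT=1900 LEN=380'
# Constructed: unicast from an Internet address (203.0.113.0/24 is documentation space).
INTERNET_LINE='Jun 4 23:31:02 ABCDD_WRT kern.warn kernel: [132404.001122] DROP IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.168.1.50 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP SPT=41234 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0'
# Constructed: unicast from the upstream ISP router's own LAN.
UPSTREAM_LINE='Jun 4 23:31:10 ABCDD_WRT kern.warn kernel: [132412.556677] DROP IN=eth0 OUT= MAC=... SRC=192.168.1.1 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0'

# field NAME LINE: value of the "NAME=value" token in LINE, empty if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# RFC 1918 source: a host on the upstream LAN, not the Internet.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# /24 directed broadcast, limited broadcast, or multicast destination.
is_bcast_or_mcast() {
    case "$1" in
        *.255|255.255.255.255|22[4-9].*|23[0-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Label one DROP line (label names are this example's own, not DD-WRT's).
classify_drop_line() {
    src=$(field SRC "$1"); dst=$(field DST "$1")
    proto=$(field PROTO "$1"); dpt=$(field DPT "$1")
    if [ "$proto" = UDP ] && [ "$dpt" = 1900 ] && is_bcast_or_mcast "$dst"; then
        echo ssdp-discovery                # UPnP/SSDP search or announce: LAN noise
    elif is_bcast_or_mcast "$dst"; then
        echo local-broadcast               # other discovery chatter on the same segment
    elif is_private "$src"; then
        echo upstream-private-unicast      # a host on the ISP router's LAN talking to us
    else
        echo internet-unicast              # real WAN-origin probe: worth a closer look
    fi
}

# Summarise each line on stdin as "label src -> dst proto/dpt".
triage() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-26s %s -> %s %s/%s\n' "$(classify_drop_line "$line")" \
            "$(field SRC "$line")" "$(field DST "$line")" \
            "$(field PROTO "$line")" "$(field DPT "$line")"
    done
}

printf '%s\n' "$POSTED_LINE" "$INTERNET_LINE" "$UPSTREAM_LINE" | triage
```

To run it against the router's own syslog, replace the last line with something like grep ' DROP ' /var/log/messages | triage. A private (RFC 1918) source address on the WAN interface is itself a useful signal: it means the router's WAN side is another LAN (double NAT), and such packets never traversed the Internet.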
FlaParrotHead (DD-WRT Novice, Joined: 04 Nov 2020, Posts: 44)
Posted: Sat Jun 05, 2021 14:31
kernel-panic69 wrote:
I'm pretty sure sniffing on the 192.168.1.0/24 network with Wireshark will tell you exactly what those packets are, *but* that is UPnP/SSDP broadcast, if I am not mistaken. I do not enable either on anything.

https://www.google.com/search?q=udp+1900+purpose


Thanks … I have both networks shut down for a clean start and will figure out how to disable UPnP and SSDP on my 192.168.42.0/24 DD-WRT subnet once I bring everything back online, unfortunately I am unable to disable it on the ISP 192.168.1.0/24 subnet (not having access to that router interface).

Since I’m down for now, can you point me to the right settings? Thanks again!

kernel-panic69 (DD-WRT Guru, Joined: 08 May 2018, Posts: 9522, Location: Texas, USA)
Posted: Sat Jun 05, 2021 16:09
It's your Nvidia Shield device that is sending out UPnP broadcasts, is what it looks like. I don't know how you don't have access to your ISP router's interface, you should. On DD-WRT, click on NAT/QoS, then UPnP. It is usually disabled by default, so that should not be the issue. I would contact whoever you need to for getting the login credentials on your ISP gear and check it. Are you running Plex on the Nvidia Shield device? If so, it's a matter of turning off local network discovery:

https://www.reddit.com/r/PleX/comments/aaeqaq/disable_upnp/

I really wish M$ and all these IoT devices wouldn't have this crap turned on by default.

FlaParrotHead (DD-WRT Novice, Joined: 04 Nov 2020, Posts: 44)
Posted: Sat Jun 05, 2021 16:59
kernel-panic69 wrote:
It's your Nvidia Shield device that is sending out UPnP broadcasts, is what it looks like. I don't know how you don't have access to your ISP router's interface, you should. On DD-WRT, click on NAT/QoS, then UPnP. It is usually disabled by default, so that should not be the issue. I would contact whoever you need to for getting the login credentials on your ISP gear and check it; Are you running Plex on the Nvidia Shield device? If so, it's a matter of turning off local network discovery:

https://www.reddit.com/r/PleX/comments/aaeqaq/disable_upnp/

I really wish M$ and all these IoT devices wouldn't have this crap turned on by default.


Thanks…. I am running Plex CLIENT on the Nvidia. Plex SERVER is on a NAS off the 192.168.42.0/24 subnet.

SADLY, the local island ISP where I am now does not permit end-user access to their routers. I may just move the shield to the other subnet, but that may need occasionally using VPN passthru tunnels….

kernel-panic69 (DD-WRT Guru, Joined: 08 May 2018, Posts: 9522, Location: Texas, USA)
Posted: Sat Jun 05, 2021 17:17
Then that explains the entries. Well, hopefully your ISP doesn't allow UPnP through their router.

tedm (DD-WRT User, Joined: 13 Mar 2009, Posts: 451)
Posted: Sun Jun 06, 2021 5:55
UPnP is built on multicasting and an ISP cannot forward this on to "the Internet" because all backbone providers filter this out - even if the ISP is stupid enough to actually rebroadcast multicast traffic from end users to their internal network (and still have a functioning network which for an ISP of any size would be impossible) their backbones would ignore it.

I also wish the IoT people would have this crap shut off by default.

However, I wish 1000 times more than that, that people would stop with the chicken-little scare tactics that this traffic "is dangerous" or a security hole. Why are we seeing people freaking out about seeing this traffic on their network in the first place? Oh yeah, it's because they followed some half-azzed guide on the Internet to fire up wireshark and don't know anything about networking.

If your gateway router to the Internet is configured to ignore UPnP traffic, then there is no security hole. Unless of course you deliberately drop malware on to your internal network but if you do that, you have a lot worse problems than UPnP. The security hole aspect is some SOHO routers on the market by default will respond and follow directives from UPnP devices to open port forwards, and the answer is simple - don't use crappy routers to connect to the Internet.
Alozaros (DD-WRT Guru, Joined: 16 Nov 2015, Posts: 4442, Location: UK, London, just across the river..)
Posted: Sun Jun 06, 2021 8:25
tedm, then you are free to turn UPnP on and enjoy life...even if you get a 100000$ router....its not a cool idea to have it ON...and nope, not all ISPs are decent and filter traffic like they should, or the general users either...and we here are all using DDWRT just because its not crap, like the stock firmware is...and cannot afford 5-number-price routers...that could be crap too...as well, people very often have bad internet hygiene and get some malware at some point...so UPnP is not a clever idea to be used, unless there is a need for it and people understand the pros'n cons of it......

Same as ICMP...been blocked or not the eternal debate...

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 46974 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46885 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 47074 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 47090 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT,Vanilla
Broadcom
Netgear R7000 -----DD-WRT 47090 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913


kernel-panic69 (DD-WRT Guru, Joined: 08 May 2018, Posts: 9522, Location: Texas, USA)
Posted: Sun Jun 06, 2021 11:19
I'd really like to see proof of this. Do you want to know why? Internet printing. IoT. You name it. Please show me how UPnP and multicast and a lot of other things are *not* forwarded out to the internet, oh wise one.