This is very alarming. Why on earth is the default firewall configured to allow device discovery and network path to devices and information behind the WAN side of the Peplink Surf SOHO routers? I dropped this in behind a NAT router on a transparent ethernet bridge (powerline) and my jaw dropped to discover that I could access the EdgeRouter sitting at the perimeter of the network and my devices behind the SOHO were visible on the front side of the WAN (ahead of the SOHO) as well! This is a pretty glaring oversight in my opinion. I understand that some drop these in behind other network infrastructure locally on-site and want to have full visibility and communication between them but the default configuration is a little alarming to say the least!
My use case here specifically: I share a cable link with a neighbor over powerline. I want my side of the network to be completely isolated and secure from that side. No traffic should pass either way beyond the internet connection - no local traffic etc. and I do NOT desire for any devices or services to be visible or “seen” on either “side” by the other router. That is, I don’t want to see their ChromeCast, and I don’t want them to see mine (or anything else). Total and complete isolation. This seems like a pretty basic thing? I could not believe the WAN side was exposed in such a manner!
Now I am trying to nail down the firewall configuration to completely isolate the network segments. Would appreciate any help in this regard.
Also, unless I’m missing something, or my routers had been defective - the default outbound and inbound and internal ALL have “Allow any and all” as the single rule by default. This doesn’t seem particularly wise or well thought out and I’d like to have some idea of the proper rule set diagrams to populate in these sections. Again, keep in mind, I am looking for total and complete isolation between the router and network segment AHEAD of the Peplink device on my side. No inter-subnet or inter-local traffic whatsoever should be passing through to/from either side of this transparent bridge.
Thank you.
I could not follow your specific installation. However, my experience with multiple Peplink routers is that the default inbound firewall rule is what you would want and what you would expect - all unsolicited inbound traffic is blocked by default.
And, an nmap scan of the WAN port should find no open ports, other than one you might have opened for remote admin.
1 Like
Hi Chad,
Let me summarize the things you mention above to make sure I’m understanding it right.
So you have something like this:
- [EdgeRouter as perimeter (NAT)] → [Ethernet Bridge] → [SOHO]. Is that right?
- And you could access the EdgeRouter (and other devices on the WAN of the SOHO) from devices on the LAN of your SOHO right?
- What about the visibility you saw from the WAN of the SOHO to its LAN devices? What could you see where did you see that?
- And is your SOHO WAN in NAT or IP forwarding mode? (default is NAT, you would have to manually set IP forwarding so if you haven’t done that you’re likely in NAT mode).
Once I’ve understood that I can help explain what and how, and then show you how to achieve the isolation you’re after.
1 Like
That’s basically it, it’s a very simple network basically.
EdgeRouter at the border to a simple powerline ethernet transparent bridge which I then connect devices on my side to a “dumb” ethernet switch. The “WAN” side of the Pepwave is getting the feed directly from the powerline adapter on my side. There are no other switches, routers, or network infrastructure in between us. A pretty basic home/SOHO setup I would say.
So what I am looking to do here is 2 simple things: I want total isolation of the devices and the network map behind both devices from EITHER side. Obviously a VLAN would be best but I can’t administer that here at the moment because tenants do not have switches capable of VLAN tagging and so I am going to need to achieve this with firewall rules and physical port isolation at this time.
What I noticed the other day was that I could cast to a ChromeCast device that I should not have even been able to “see” from that network position. This concerned me greatly and got the ball rolling on the whole isolation idea, although I had the general concept and concern from the get-go.
Appreciate your help.
Thanks.
EDIT: The SOHO is in default NAT mode, no IP-forwards or any special network configuration or setup. Pretty basic out-of-the-box if you will, save for my firewall rules and what not here.
Thanks - that helps. And I assume that ChromeCast was connected WAN side of the SOHO and you were casting from the LAN yes?
1 Like
That’s correct. I was alarmed to see it visible and it hit me that it shouldn’t be showing up at all… but it was. I just want to make sure that there is total device isolation for both sides of the bridge so that each unit has a completely private network. Again, I realize that VLANs would be the best and most secure way to accomplish this, but this scenario just isn’t possible at the moment. I’m working on talking to them about investing in a small managed switch and then we can do VLANs.
OK, so, realising that this is unexpected behaviour to many, it is in fact by design.
The default out of the box configuration for a Peplink router is to have the WAN active as a DHCP client and to allow inbound routing from private IP addresses (hence the any to any allowed rule in the firewall). This freaks users out when they see it for the first time and I understand why as it looks like the Peplink router is wide open to inbound traffic from the WAN - it’s not.
Peplink devices have inbuilt stateful firewalls, inbound traffic then is only allowed on the WAN under two scenarios, 1. When an internal LAN IP has initiated communications with an IP on the WAN and that WAN IP needs to return traffic, 2. When a NAT rule (or internal router service) has been configured for a specific port - after which traffic sent to that port will be passed as required by the NAT rule (or service requirement).
What you’ve seen then, is a device on your LAN initiating communications with the chromecast on the WAN and that device being able to communicate back (with that inbound traffic passed and allowed by the stateful firewall). So this is “normal” in the Peplink world.
What I expect has caused the alarm is that most 3rd party vendors do not allow inbound traffic from private IP ranges (typically they have BOGON filters) and only allow traffic from the specified IP of the upstream router on the WAN interface. Importantly - Peplink routers do have Intrusion detection and DoS prevention enabled by default which includes protection against IP spoofing which is the primary reason BOGON filters are used (in relation to protecting the LAN from inbound traffic spoofed from private IP addresses on the WAN).
There are a number of reasons why Peplink do allow private addresses inbound and most of them are around making it really easy for non technical people to deploy Multi WAN load balancing devices and quickly connect all types of WAN based internet connectivity in lots of different topologies easily. As a network engineer and particularly as a hyper security conscious end user this can be disconcerting but the benefits outweigh the risks in my opinion operationally and you can easily add inbound filtering of non essential traffic.
To do that you will want to add rules to your firewall that explicitly block inbound traffic from the reserved private address ranges on the WAN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16) and then add an inbound allow rule above those for the IP of the internet access router (the EdgeRouter in your case).
3 Likes
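To make the behaviour Martin describes concrete, here is an added Python model (not Peplink firmware code and not from this thread) of a first-match inbound rule list built the way he recommends: allow the upstream router, deny the four reserved ranges, then the catch-all. It also models the stateful part, so replies to a flow the LAN opened are admitted regardless of the rules. The EdgeRouter address 192.168.1.1 and the sample host addresses are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# The reserved ranges the post says to deny on the WAN, in the order given.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    source: ipaddress.IPv4Network    # matched against the packet's source IP


def recommended_inbound_rules(upstream_ip, default_action="deny"):
    """Ordered first-match list: allow the upstream (internet access) router,
    deny the private ranges, then the catch-all. The shipped default catch-all
    is 'allow'; the original poster changed his to 'deny'."""
    rules = [Rule("allow", ipaddress.ip_network(f"{upstream_ip}/32"))]
    rules += [Rule("deny", ipaddress.ip_network(r)) for r in PRIVATE_RANGES]
    rules.append(Rule(default_action, ipaddress.ip_network("0.0.0.0/0")))
    return rules


@dataclass
class StatefulFirewall:
    inbound_rules: list
    # (lan_ip, wan_ip) pairs for flows a LAN host opened towards the WAN.
    established: set = field(default_factory=set)

    def lan_initiates(self, lan_ip, wan_ip):
        """A LAN host talks to a WAN address; the firewall records the flow."""
        self.established.add((lan_ip, wan_ip))

    def inbound(self, src_ip, dst_ip):
        """Decide a packet arriving on the WAN: 'established', 'allow' or 'deny'."""
        if (dst_ip, src_ip) in self.established:
            return "established"     # reply to a LAN-initiated flow passes
        src = ipaddress.ip_address(src_ip)
        for rule in self.inbound_rules:
            if src in rule.source:   # first match wins, like the rule table
                return rule.action
        return "deny"                # unreachable with a 0.0.0.0/0 catch-all


if __name__ == "__main__":
    fw = StatefulFirewall(recommended_inbound_rules("192.168.1.1"))
    print(fw.inbound("192.168.1.1", "192.168.50.10"))    # EdgeRouter: allow
    print(fw.inbound("192.168.1.77", "192.168.50.10"))   # unsolicited neighbour: deny
    fw.lan_initiates("192.168.50.10", "192.168.1.77")    # LAN host casts first
    print(fw.inbound("192.168.1.77", "192.168.50.10"))   # now: established
```

The last three lines reproduce the ChromeCast case: the inbound rules never see the reply because the LAN side opened the flow, which is why the thread's inbound deny list alone does not stop LAN-initiated discovery of WAN-side devices.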
Martin,
Thank you for the very detailed reply and explanation. I understand completely why this is default behavior - maybe it would help if Pep’s documentation had a warning to this effect for users who are not deploying load-balancing or multi-wan scenarios where such functionality would be necessary and expected.
My inbound firewall rule is the default except I changed “Allow Any” to “Deny Any” - this is listed under “Inbound Firewall Rules”. Do I need rules on the outbound or the internal network as well? I have those too but they are to prevent devices on the internal network from communicating between themselves and different segments as well as preventing a LAN device from trying to open a connection to either a VLAN or other LAN-side device. Total and complete device isolation (on VLAN segments) is my ultimate goal. I’m also very security conscious which is kind of a requirement today I do believe. It’s horrifying to see the traffic and what these various devices are trying to do so I like to lock things down as tightly as possible without completely breaking anything.
2 Likes