My little side project: A Peplink Surf SOHO FAQiki for users new to enterprise routers and networking. (lots of images)


#1

I’ve noticed this topic come up here a few times (and recently wrote one myself) both here and on the 3G forums. I am partly doing this for myself as a way to structure my learning in a goal-oriented approach.

I think it would be really great if there was a router feature FAQ that links into the process of learning about networking in general, so I’m making one for myself as part of my Linux/networking diary.

I only just started, but I’m attaching a sample of my big questions about Peplink’s admin console to this post. The “guide” will be visual and have lots of caps like this with insights from professionals, hopefully.

I appreciate any and all input. I have way too many questions and images like this to flood the forums with, which is why I want to research them and concentrate what I can find into a single open wiki type guide. Here is a small sample of my confusions-- I have over a dozen.

This was meant to be about DNS configuration confusion – LAN DNS server vs WAN, why and how I should configure my LAN DNS proxy and how or why it works as a name resolving service. The DNS features of the router are very foggy territory for me and the manual doesn’t go into specifics.


#2

Hello @murgatroid,
This is a great place to both ask questions and share knowledge on the Peplink and Pepwave technologies.

Peplink encourages the posting of questions here and welcomes the sharing of what you learn from your own experience (links to the wiki you are making could be shared too).

There are many active members here as well as a good representation of the Peplink team, so welcome, we all contribute where we can.
Happy to Help,
Marcus :slight_smile:


#3

From your notes it looks like you may be worried about security; right now it looks like your default inbound firewall rule is set to allow, which will allow everything not specifically denied above.

You might want to change the default to deny and then explicitly allow the ports, etc, that you do want to have access to your network from the WAN connection.


#4

Thank you mldowling, I am trying to figure out as much as I possibly can without clogging these forums up. I am continuing reading “conventional” sources, but learning what OSPF broadcasting is and figuring out what I’m doing are two different things. It is surprisingly difficult to find practical answers to router security above the very simple clickbait but below the veteran or certified professional. At least for me. I will eventually finish reading the N+ cert book (3.3 inches thick), but I don’t think this should be necessary for people!

[quote]From your notes it looks like you may be worried about security; right now it looks like your default inbound firewall rule is set to allow, which will allow everything not specifically denied above.

You might want to change the default to deny and then explicitly allow the ports, etc, that you do want to have access to your network from the WAN connection.[/quote]

kgarvey : Yes, you are of course right. The indicated ports were included when I used Windows, but just this week went Linux full time. My problem is I don’t really know what ports I should be allowing other than 80 and 443. I don’t know enough about how firewalls work. If I allow FTP port 25 (I think), does this allow unfettered FTP protocol abuse? My assumption is that my OS is probably doing most of the work in protecting me, but I really don’t have a clue.

I may as well not have a firewall at all! If I could see a template of a “secure” home peplink, that would be great. And yes, I am interested in security since I was hacked by something like an aircrack-ng style suite of tools.

I have the hack suite on an infected Mint install USB and studied it for hours. DirtyCow was on there, there were scripts for LAN wakeup attacks, unix drop scripts, overflow attacks for decrypting, audio and camera hacks (I found a directory with audio clips that had been captured). Brute force dictionary attacks, trojans that destroyed firmware, embedding hidden torrent services on victim networks, you name it. In my case, SMTP packets were being sent from a mailserver they had created on my computer or router. Who knows where.

The more you learn, the less you know. Thank you very much for your reply.


#5

Glad to see this thread, as I am in the same boat @murgatroid. After being hacked I picked up a surf soho and am rebuilding my home network from the ground up. I know enough to be dangerous then I google the rest. Your comment below rings particularly true to me also
"It is surprisingly difficult to find practical answers to router security above the very simple clickbait but below the veteran or certified professional"

Anyway, some suggestions if you haven’t already come across them, or for any other beginners:

Take my suggestion(s) FWIW (I’m a newbie myself)

Disable “Reply to ICMP Ping” on the WAN settings
Take a look at routersecurity.org and read through the checklist there
Scan your IP using Shields Up (visit https://www.grc.com)

On the firewall side:
Enable intrusion detection
I have denied all incoming (using the default rule)
Created a new outgoing rule for http (80)
Created a new outgoing rule for https (443)
Denied all outgoing (using the default rule)

I expect to open up some more ports as I continue to bring things back online (sonos, insteon, ecobee etc)

Thanks for doing this, I will check back frequently!


#6

I tried your rules for outgoing traffic:

Created a new outgoing rule for http (80)
Created a new outgoing rule for https (443)
Denied all outgoing (using the default rule)

But I can’t access any page at all. Could you upload a screenshot maybe?
I got hacked too so I’m trying to make everything as secure as possible.


#7

I’m having a few issues myself, so maybe my rules are bad advice :grimacing: Make sure you have the correct order (deny at the bottom).

FWIW I’m accessing this site right now via these rules, so you should be able to get out.

See here


#8

Yeah, deny was at the bottom. I will try again in a few minutes and will provide some screenshots. Maybe you can tell me what I am doing wrong. I’m not an expert when it comes to routers so maybe I’m missing something very simple.


#9

Thanks for the reply.
Ok, I tried again and I still can’t access any website.
Here’s what the rules look like (two images):

Also whenever I try to enable HTTPS for router admin I can’t get to the log-in page, it says the certificate is invalid and “connection is not secure”. I have to manually add the router administration address to the exceptions list if I want to configure the router. If I don’t enable https and just use http, this doesn’t happen. Is this normal? Thanks.


#10

Odd, that same config is working for me. Might have to defer to someone with more knowledge.

The HTTPS admin thing is likely due to the router’s security certificate not being recognized by the browser. I get the same issue and I just ignore it.


#11

Rib, thank you for your post and your commiserations. I have not abandoned this project. I am scattered across a half dozen Help Me Dear God forums and I’ve had to maintain an organizer to keep up with it. I have a Router Diary, a Linux Diary, etc. Sounds OCD, but my general lack of this particular quality probably led me to be here in the first place.

I think turning off all ports and working from there is a good approach, YET I’ve also read that it’s not a good idea to simply turn a port open just because you use it even if it’s 80 and 443. I have so many questions about firewall hardening, I kind of have to take my 50 questions and just hit them one by one and hope to build up something that can be generally useful to myself and people in our boat.

There is really no one size fits all setup. My main interest is router security in a very dangerous (both in terms of street crime and networking) place, a highly tech literate, densely populated neighborhood. Someone else might be interested in creating lots of VLANs so that their roommates can’t get to their work account.

I am definitely not abandoning this, just taking it one solution at a time.
I’m not sure if the above setup will work for me if I’m using many different applications, a VPN, etc. If you are familiar with the must-have OSX utility Little Snitch, it would be like shutting all of OSX down except your browser.


#12

Addendum:
Below is a common list of ports many users would consider needed for the normal functioning of the internet. This was borrowed from “http://ubuntuforums.org/showthread.php?t=1876124” – Creating a firewall for your Ubuntu desktop, but it’s basic port stuff. It’s looking like I’m going to have to figure out exactly what I should keep open, and how. BTW, routersecurity.org has been down for me for a couple weeks. I bet it’s my ISP. :stuck_out_tongue:

FTP - 21 TCP
SSH - 22 TCP
TELNET - 23 TCP
SMTP - 25 TCP
DNS - 53 TCP/UDP
DHCP - 67, 68 DHCP
HTTP - 80 TCP
POP3 - 110 TCP
IMAP - 143 TCP
HTTPS - 443 TCP
VNC - 5900-6000
IRC - 6667-7000
Gmail SMTP TLS: 587
Gmail SMTP SSL: 465
Gmail POP SSL: 995
Gmail IMAP SSL: 993


#13

Can we get a list of ports that should always be closed?

Could you post a screenshot of your Outbound configuration or at least show me how you set it up to make it block everything except 443 and 80? If I follow the steps you suggested, I get no Internet.


#14

As a rule of thumb: If your network is not hosting services for a particular service then don’t open the corresponding ports for access. E.g.

You are not running a mail server (SMTP for incoming mail, IMAP, POP for user access) then don’t open:

  • SMTP - 25 TCP
  • POP3 - 110 TCP
  • IMAP - 143 TCP
  • Gmail SMTP TLS: 587
  • Gmail SMTP SSL: 465
  • Gmail POP SSL: 995
  • Gmail IMAP SSL: 993

If you are not running a webserver then don’t open

  • HTTP - 80 TCP
  • HTTPS - 443 TCP
  • Alternate HTTP - 8080 TCP
  • Alternate HTTPS - 8433 TCP
    and so on.

You are unlikely to need to serve DNS and certainly not DHCP on the WAN.

Never open

  • TELNET - 23 TCP

Think really hard before opening

  • VNC - 5900-6000 (which includes remote desktop access)
  • IRC - 6667-7000

Common brute force attack vectors are through VNC and SSH, so if those are open make sure your user account and password regime is solid.

Just my $0.02


#15

Hey guys, I think this is the correct thread to ask this:
I tried blocking all Outbound except ports 80 (tcp) and 443 (tcp) and I couldn’t access any website except for Google.
Then I made another rule for UDP 53 and now I can access everything.
Is this bad news? Should I always have access to any site with just 80 and 443? I used DDWRT in the past and I remember they recommended closing port 53, that’s why I’m asking.
Something probably related that I feel I should add: I have set up authoritative DNS.

Thanks.


#16

UDP port 53 access to an outside server is what your system uses to get DNS resolution of domain names not served locally. If your network cannot access UDP port 53 on outside servers then you can only resolve the domain names that you have defined on a server within the local network.
If your firewall blocks access to port 53 on outside servers then you can still access websites - you just have to remember their IP address in place of their URLs.
Gets tedious.


#17

Hello @PepitoLink
We normally block outbound requests from within the network to outside DNS systems.
With the Peplink Balance, this is very easy to set up, we just create a firewall rule (or use the new Content Filtering feature) to block all outbound DNS requests.
We let the Balance router manage the DNS requests, if we are using a separate DNS Server for the organisation (such as is issued in DHCP) then we just let that DNS server have an exemption in the firewall rules (create the rule and put it above the block all rule). In the case where you need to let a DNS Server through your Balance while blocking everything else, we have found for DNS it is better done with the outbound firewall rules than attempting to mix it with the Content Filtering.
Happy to Help,
Marcus :slight_smile:
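The rule sets discussed in posts #5 to #7 and #15 to #17 can be walked through with a small first-match simulation. This is example code written for this page, not Peplink firmware or its API; it models client-originated outbound flows only, and the resolver and web addresses are constructed TEST-NET values. It shows why "allow TCP 80/443, default deny" breaks page loads until DNS is handled, and how the "exempt one resolver above a block-all-DNS rule" ordering from post #17 behaves.

```python
"""First-match outbound firewall simulation for the rule sets in this thread.
Example code written for this page; not Peplink's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # "tcp", "udp", or None = any protocol
    dport: Optional[int] = None  # destination port, None = any port
    dst: Optional[str] = None    # destination IP, None = any host
    name: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int
    dst: str


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """Top-down first match, like the router's rule table; the default rule sits
    at the bottom and catches whatever nothing above it matched (post #7)."""
    for r in rules:
        if (r.proto in (None, flow.proto) and r.dport in (None, flow.dport)
                and r.dst in (None, flow.dst)):
            return r.action, r.name
    return default, "default"


# Constructed addresses (TEST-NET ranges), not real servers.
RESOLVER, OTHER_DNS, WEBSITE = "192.0.2.53", "198.51.100.53", "203.0.113.80"

# Post #5's set: only web ports allowed; everything else hits the default deny.
WEB_ONLY = [Rule("allow", "tcp", 80, name="http"),
            Rule("allow", "tcp", 443, name="https")]

# Post #15's fix: one more allow, UDP 53 to any host.
WEB_AND_DNS = WEB_ONLY + [Rule("allow", "udp", 53, name="dns")]

# Post #17's approach: the exemption for one resolver must sit ABOVE the block rule.
WEB_PINNED_DNS = [Rule("allow", "udp", 53, dst=RESOLVER, name="dns to resolver"),
                  Rule("deny", "udp", 53, name="block other dns")] + WEB_ONLY


def can_browse(rules: List[Rule], resolver: str = RESOLVER) -> bool:
    """A page load is a DNS query to the resolver followed by HTTPS to the
    resolved address; both flows must be allowed for the browser to succeed."""
    dns_ok = evaluate(rules, Flow("udp", 53, resolver))[0] == "allow"
    web_ok = evaluate(rules, Flow("tcp", 443, WEBSITE))[0] == "allow"
    return dns_ok and web_ok
```

Swapping the two DNS rules in WEB_PINNED_DNS makes the deny match first and browsing fails again, which is the ordering mistake post #7 warns about.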


#18

Taking a step back on the DNS issue, no doubt much depends on whether the Peplink router is forcing itself on clients. That is, the router can force all connected devices to use the DNS servers it’s configured with, or not. I think different people here have been making different assumptions as to this basic option.

As to whether you can get to all sites with only 80 and 443 open is an interesting question. Don’t know. Great experiment. You should be able to, but some things like streaming audio perhaps may not work.

As for the routersecurity.org site being down a couple weeks, that’s on your end. I’m the guy behind it and it has not had an extended outage. It did get moved to a new hosting company in April 2017 but it was mirrored during the transition, there should not have been any downtime. Email me to discuss, if you like:
routers at michaelhorowitz dot com


#19

Thank you all for contributing to this thread.
I’m definitely keeping these insights and piling it into a cherrytree doc named “The idiot’s guide to setting up a Peplink router,” mainly for my own use but if it’s ever sharable I will certainly post here. Other questions are being cobbled together from across the net and I put time toward this when I am able.

Hi Michael, thank you so much for your excellent and informative site, like many people here my decision to purchase a Surf SOHO was based on your writeup. I think what was happening with the “outage” was that HTTPS Everywhere was not allowing me on to the http://routersecurity.org site, leading to a blank page, and I didn’t know what was happening as I had set it to block all unencrypted sites. Just a dumb error on my part.

zegor_mjol, I had 443, 80 allowed both on incoming and outgoing UDP/TCP. I didn’t know and don’t understand that having a web server is the only reason one would keep these ports set to allow incoming/outgoing. I also allowed SSH port 22, based on a post somewhere else, and port 53 as I did not understand that since my router is my DNS resolver (something I still don’t quite fathom in terms of my router’s place in the greater scheme of layer 6) I wouldn’t need my WAN to access DNS port 53. I just deleted SSH outgoing and incoming per your suggestion, and I lost connectivity to the web. I’m going to leave it on for outbound because I don’t know what else to do to continue using the internet at this point.

I’ve also read that ICMP is far more useful to have open than it is to lock up, as pinging is necessary for a variety of basic activities despite being an attack vector. For instance, my paid VPN service pings me to gauge network health and perhaps other things. Is keeping ICMP open generally a stupid idea too? Also, there are a variety of ping types, for instance SSH ping. Asking about these might be beyond the scope of this thread.

I am now a bit confused again and completely unsure of what I should be doing other than denying all. I know allowing everything as the default layout has it is a big Bad Idea. I’m also a little confused about LAN-local port allowances, and whether or not setting up OSPF with MD5 is something that actually helps here. And if not, when or where it comes in handy.


#20

Hello, believe it or not, I haven’t abandoned this. In fact, I have a massive cherrytree doc that continues growing as I learn and unlearn things. I have broken my firewall so many times I don’t know whether I’m coming or going. There’s already many great how-to’s out there, but it’s never really what I need.

In the entirety of the CompTIA Network+ paperweight (joking, it’s great, just heavy), I learned a lot, but I didn’t learn a lot of essential things, like how to use Peplink’s router administration software in the best way for my needs, and what sort of security paradigm I should follow as a home user with business leanings, nosy neighbors, and a disagreement with a particularly egregious online collective known for coordinated animosity.

Every person’s security needs are different. As I’m also learning Linux at the same time, it’s been an uphill battle, and choosing focus has been a challenge.

If I were to write Peplink’s SOHO MK3 manual, I would start by explaining what ports actually are, list the common IANA ports (and explain what IANA, ICANN, IEEE, actually are in short order), describe basic ifconfig/netstat outputs to common consumers, then create a few scenarios and firewall configurations that might apply to different kinds of typical users: the gamer who needs to understand p2p and port forwarding, the home businesswoman who wants to separate family equipment from her PC activities, the (rightfully) paranoid activist or businessperson transmitting sensitive content through their Peplink, the kitten clicker who knows absolutely nothing about bad things in the universe, the computer network-literate tinkerer with very specific server needs, the college kids trying to network their 5-student living grounds with a webcam, a torrent client and no idea how vulnerable they are, and so on.

I would also explain, and this is astoundingly difficult for people with no networking knowledge to understand, the difference between “incoming” and “outgoing,” because the reality defies the intuitive interpretation of these words as they pertain to different protocols. To complicate matters, The Internet of Experts On Things do not agree on what you should be allowing and denying. I spent a really long time tweaking my Deny All Outgoing setup, until I read a security professional’s blog that said it was crazy; then I kind of gave up.

I hope one day soon to share my journey here, to save other idiots the time I spent learning how to walk. One thing is clear, there’s often no right answer. I don’t want to promise a due date, because I’m still terribly insecure about my system decisions, but I’ve kept the torch lit.