Pepwave Soho MK3 -- Firewall Issue


#1

I just received the unit today. It came with 6.3.3 and I upgraded it to 7.0.0.

My network topology for testing is: I have 5 public IP address which I assigned an unused on the Pepwave’s WAN ethernet port (networked A). I have a wired network siting behind a pfSense setup (Network B). I ran my my network tests from Network B -> A.

First: I was disappointed to find the default ingress rules was allow everything.
Second: I found that the the WAN firewall rule only appears to configure for ‘Deny’ and there is no ‘Drop’ option. The different is Deny results in an ICMP respose of connection refused. Drop is basically a ‘stealth’ mode. Stealth mode is preferred. However, so far, ports >= are resulting in ‘Connection timed out’ which is desired.

Formally, I had a Netgear WNDR3700 running WW-DRT behind the pfSense fireware. However, I really wanted the wireless network on its own trunk and have my two laptops VPN to the other networks as needed. But the lack of stealth mode is deal breaker.

Please advise.

Thanks,
-henry


#2

What’s your question? The SOHO is a NAT router, so as long as you’re using private IPs on your LAN and you’re connected to public IPs on your WAN, you’re firewalled. There isn’t any way for a hacker to route their communication over the Internet to the private IPs you’re using internally. What small business router isn’t like that?
Absolutely you can have your wireless network(s) on it’s (their) own trunk(s) (VLAN). Go into ‘Network settings’ under LAN and look for a question mark icon, When you see these icons and click on them, these are the doorways to unlocking advanced settings. You can create multiple VLANs on your network, such as ‘Guest’ and ‘Office’, create different wireless SSIDs and assign them to the different VLANs you’ve created.
I’m confused about what WAN firewall rules you’re referring to in your sentence beginning with ‘Second’. What blocking are you configuring - inbound, outbound or internal? The only reason to be putting in blocks on the WAN port would be for limiting access to any port forwarding you put in place. Otherwise, the WAN port isn’t listening for inbound traffic from the public Internet, so there’s no reason to deny packets. If you’re quite positive I’m wrong about this, let me know so I can get some Wireshark packet captures to confirm the SOHO’s response to an external connection on a random port.

I’m not sure what you were asking in your post, but hopefully I’ve shared something with you to help you appreciate and explore the feature set that comes with these routers. If you’re looking to be wow’ed, check out what the InControl feature can do for you.


#3

First:
To help clarify: I have class 29 network with 5 of those address I can assignable as I see fit.
The is not NAT. The issue is when I use netcat or nmap against the PepWave, it is does not appear to operate in Stealth mode (in linux this is DROP in iptables) It appears the Pepwave SOHO does not mask it.


#4

I test my Surf SOHO with Shields Up at grc.com often. It has always reported that ports are STEALTH. Never once did a port show up as CLOSED on the Surf SOHO


#5

Thanks Michael234. I am not sure why it was in stealth mode. But subsequent fiddling and addition testing it is in stealth mode.