Need help with Design

bPsdTZpW

@stephenw10 said in Need help with Design:

Yup that's true. But the risk of the local router being compromised and seeing your traffic is no different to anywhere else in the route really.

ISP routers tend to be on the crappier side, so I'd expect more vulnerabilities than in, e.g., pfSense.

And in both situations running all your traffic over a VPN removes that risk.

It doesn't remove the DNS risk unless you use a secure DNS solution (or potentially the VPN provider's DNS); unencrypted DNS queries will merely exit the VPN tunnel somewhere on the 'net, then potentially get read and/or the responses doctored on their way back into the tunnel.

stephenw10

Exactly it only moves it somewhere else.

deanfourie

Ok, sure but I don't understand why I am seeing traffic with External IPS on my WAN interface,

This is NATed, I should only see 192.168.1.1 and 192.168.1.2?

Its showing as a HOST on the WAN interface.

Thanks

stephenw10

Mmm, that's fun!

That's a Huawei MAC address. I would expect that to be the 4G routers WAN interface?

I would not expect to see that on the LAN side. Something buggy/poorly configured there.

pfSense doesn't care though it will just block it.

Steve

deanfourie

@stephenw10 that's on pfSense WAN interface.

I think something suspicious is going on tbh

stephenw10

Right it's on the internal side of the 4G router, where I would not expect to see the public IP.

deanfourie

@stephenw10 exactly. Should I be worried?

stephenw10

Not excessively because pfSense will just block it anyway. It implies that the 4G router is doing something it shouldn't. Hanlon's razor dictates it's probably just buggy firmware.

Steve

deanfourie

@stephenw10 but it's possible if the huwawei is compromised, then everything is going through it is vaulnarable to being intercepted?

Thus, why I don't like it being an upstream gateway rather then being in bridged mode, it's another node sitting on my WAN interface which I cannot intensively monitor.

bPsdTZpW

@deanfourie said in Need help with Design:

@stephenw10 but it's possible if the huwawei is compromised, then everything is going through it is vaulnarable to being intercepted?

Sure. And modified if it's plaintext (e.g., DNS responses). This is why I suggest using some form of secure DNS (e.g., DNS over TLS) and a VPN.

Thus, why I don't like it being an upstream gateway rather then being in bridged mode, it's another node sitting on my WAN interface which I cannot intensively monitor.

Agree. Alas many ISPs won't let you use bridged mode and/or require you to use their equipment.

deanfourie

This was pulled from my logs today.

Mar 3 09:17:33 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 09:17:34 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 09:17:35 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9

They are everywhere

Mar 3 14:17:34 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 14:17:35 arpwatch 94050 bogon 0.0.0.0 b4:ae:2b:2d:f0:a9
Mar 3 14:18:00 sshguard 69810 Exiting on signal.

Mar 3 15:11:05 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
Mar 3 15:11:06 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
Mar 3 15:11:07 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08
Mar 3 15:11:08 arpwatch 94050 bogon 0.0.0.0 78:24:af:36:1a:08

and the list goes on

Also, I cannot change the LAN subnet mask? What is up with this router? I've never seen that before.

deanfourie

This post is deleted!

deanfourie

Ok, so this is starting to look a little bit strange. In ntopng I have devices that are appearing as ghost hosts, and this moves around between devices. This is not a simple network misconfiguration on a basic /24 network.

Now I'm seeing every time a host connects to the network, there is a ARP entry for that hosts MAC address to ip 0.0.0.0. These constantly change between hosts.

This looks very suspect to me.

stephenw10

Those are known MAC addresses though? Looks like hosts connecting and broadcasting for DHCP servers to me. Which would be totally normal.

deanfourie

@stephenw10 really, do they create arp entries when broadcasting?

stephenw10

Not in the arp table but arpwatch does. There's an option to disable it if you don't want to see that:

Disables reporting 0.0.0.0 changes, helpful in busy DHCP networks.

Steve

deanfourie

I'm still getting this and I honestly don't like it.

Why am I getting any other hosts on my WAN interface. This interface consists of just pfsense @ 192.168.1.1 and my upstream gateway @ 192.168.1.2. Why am I seeing external IPs here? Also IPv6 addresses.

This seems off to me. Also, it keeps appearing and disappearing.

Any ideas?

stephenw10

That's a v6 link-local address. I assume that is not your WAN MAC?