TP-Link Easy Smart Switch security question
-
I had a few netgear switches over the years - and have never seen such a blunder like tplink where you could not remove vlan 1 from ports.
In a post they stated on their own forums they stated it was on purpose to allow access to the web gui from every port.. Clearly showing a complete and utter lack of basic grasp of what a vlan is.. Do you have such examples of netgear doing the same nonsense?
-
@johnpoz that statement is a lie anyway since you can access the management IP from any VLAN, not just VLAN 1 (once you remove ports from VLAN1 on v3.0+ firmware)
so i guess it gets DHCP from VLAN 1 always ? why is the default Port VID 1 instead of 0 anyway ? -
@rajkosto v1 has different chip than v2/v3.
Anyway v3 does allow to remove ports from VLAN1. And this firmware can be flashed in v2 directly (I did so).
-
@apocalypse what chip is the v1 ? i assume the v2/v3 are RTL8370M ? or is it the other way around (in your first post you said it was RTL8370N which cant be because those are unmanaged)
-
@rajkosto Yes, v1 has RTL8370N which is managed. Also Netgear GSS108E. You can get more information here: https://github-com.translate.goog/libc0607/Realtek_switch_hacking/blob/master/RTL8370N-SR8808M.md?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=
There is even a Chinese firmware, with a web interface similar to that of TP-Link but without customization.
v2/v3 have RTL8367C. Yes, I know it is 5 ports but it is what appears in the TP-Link firmware if you open it with a hex editor.
v4/v5 I do not know.
-
@apocalypse this whole TP-Link situation is a mess anyway, both the firmwares available on their site are labeled 1.0.0 for some reason (even though one is clearly newer than the other, via date and build no), and they have both Easy Smart Configuration Utility and Unmanaged Pro Configuration Utility available on the website which is the exact same application just renamed...
i guess theres nothing else to do for my V2.0 other than to run V3.0 2017 firmware on it
EDIT: heh trying out the DHCP client feature and its bugged, both my "smart switches" ended up getting the same IP from openwrt dhcp server (maybe because i chained one into the other), however the easy smart config program was able to distinguish them and change settings independently ??? -
@johnpoz
I've flashed my v2 to the v3 firmware but I'm unable to remove VLAN1 from all ports. I'm able to remove VLAN1 from all ports but port 1. If I try to remove VLAN1 from port 1 the switch goes offline (i'm unable to save the config with VLAN1 deleted from port 1) and I have to reboot to get connectivity back. My goal is to remove VLAN1 and change the default native vlan to something other than 1. Were you able to do this with the v3 firmware or do you know if this is possible?I now know I should have never bought one of these switches in the first place but if there's some way to get them to work, I'd like to try rather than tossing them in the trash. If I knew what I now know, I'd have never bought these "smart switches" and would have bought another Juniper EX2200-C.
Thanks!
-
@grocerylist Should not. The Switch is accessible from any VLAN. Access it through a different VLAN than 1 on another port and try again.
-
This post is deleted! -
Hi guys!
This topic was interesting for me when I was looking for any information about security of these cheap switches.
If I remember correctly it is mentioned here that similar Netgear switches have the ability to turn off their web-interface. I found an article which proposes a strange "hack" which might be left in the firmware intentionally. This "hack" allows to disable web-gui on my TL-SG105E V5 until next reboot. Actually not only web-gui but the ability to be reconfigured and to be discovered by the configuration utility.Here is the command:
curl -d "username=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&logon=Login" -X POST http://192.168.0.1/logon.cgiThe length of the username does matter. It's kind of buffer overflow, which doesn't looks like very reliable and enterprise-ready method but it's all we have :)
-
Your beautiful ant the most intelligent anti-spam filter does not allow me to post a link to the original article.
-
@risemann said in TP-Link Easy Smart Switch security question:
Your beautiful ant the most intelligent anti-spam filter
heheh - yeah I have no idea how it figures out what links should be allowed what should not.. But it then allows clear spam all the time with links, etc.
If you PM the link, be happy to post it for you.
The article sounds interesting.. Yeah my 2 cents on those switches - say a freak away..
-
Got a similar situation (I think) with another switch model - Netgear GS305EP.
VLAN1 is defaulted everywhere and cannot be removed from ports.
Reason I stumbled upon this is that I have this switch in front of PFSense - similar to a set up in which you only have 1 NIC on a PFSense box and basically whenever I connect this switch, PFSense is unable to acquire an IP from my ISP......which makes me think that somehow this switch is trying to pull an IP using DHCP from VLAN1.
-
@easycompany251 said in TP-Link Easy Smart Switch security question:
GS305EP
Hmmm - that is sad to hear, I do not have one to play with.. But not talking about deleting vlan 1 from the switch. Talking about removing it from a port when in 802.1q mode..
I looked for an emulator and can not find one to play with.. I have no use for a poe model, but I might be able to get non poe model the gs308e or gs305e to play with.. hmmm
-
Yeah I tried excluding it from all ports.....but the web-ui requires it for at least 1 port....
-
If it's only on one port that's OK. The problem situation is when all ports are forced to always be a member of the same VLAN.
Steve
-
@easycompany251 said in TP-Link Easy Smart Switch security question:
but the web-ui requires it for at least 1 port....
Yeah as @stephenw10 stated leaving it on 1 port so you can get to the gui to admin, is prob a safety feature to prevent users from shooting themselves in the foot. And would be preferred to allowing all ports to be able to get to the gui.
-
Right so after you mentioned VLAN1 being on a single port, I went back and was actually able to make it work.
Turns out I left the VLAN1 on all ports (as defaulted) and the switch does allow for it to be set to one. Never even thought about removing VLAN1 all together except for a single port.
Thanks!
-
@apocalypse Registered just to thank you about the great idea and tutorial.
It was just a mess what software to use for creation of the hex file but finally managed to do it with HxD.
Finally I have a web interface and latest security updates for this very old device (Netgear latest firmware 1.6.0.9 is updated 1 year ago where the TP-Link's is from the 2014). -
Several ways here might be able to go with gaining the entire security using dump switches and/or smart ones up to real small layer3 switches.
Plain Routing (using dump switches)
If you are using the pfSense as firewall you may be able to set up on any LAN port a small or greater dump switch.Network plugs in the wall --- patch panel --- some ports from patch panel to a dump switches --- dump switch to the pfSense firewall
So will be able to connect all WiFi APs to one Switch
Livingroom and house electric (smarthome) to another one
sons room to one switch
daughters room to one switchand each of the switches will be connected to one LAN port of the pfSense, you may be now routing it all
through the pfSense and you work with rules.Pro
- cheap
- easy to manage
Cons
- but only one routing point
- firewall must do the entire routing
Smart Switches (Using VLANs)
If you are using a smart switch you may be able to work with VLANs in your network and segment it in to many parts. You can now work with rules on the pfSense and
on top with ACLs on the Switch directly. The VLAN1 or VLAN0 is often so called default VLAM or management VLAN used only by the admin. After you were creating all your VLANs often you lay over another one (one over all the others) but not the VLAN1 (default) and with ACLs
you may now creating who has hands on what VLAN.Pros
- cheap
- small broadcast domain
- better overview over devices
- better structured or segmented network
- the admin owns now a management VLAN
Cons
- ARP spoofing is not solved
- Inter VLAN hopping is not solved
- VLANs must be created and ACLs must be set up
- the management VLAN can be miss used by others
Greater Smart or managed Switches VLANs, MacSec, multiple Radius auth. for each switch port
You will be setting up VLANs as before;
- one management VLAN1 (default)
- all other with a great one over all others
- Setting up ACLs
But now you will be able to turn on MacSec, and now one is able to sniff inside of that Switch(es), you will be able to stack them (ring) to better manage them. And you will be able to set up on your pfSense the FreeRadius package or
another FreeRadius server on an RaspBerry PI or PC Engines APU1/2/3/4/6 if needed. You will be able to gain your security over installing OpenLDAP (wired clients),
FreeRadius Server with certificates, (wired and wireless clients) and now you will be able to put any device into its own VLANs by using a radius certificate and I mean not only for the wireless clients.Pros
- Building stacks (ring)
- often MIBS for Nagios or PRTG
- each devices will be put in the right VLAN (certificates)
- MacSec is able to turn on (no sniffers)
- Switch Ports with multiple certificate authentication are
not any more allowing to finger at the VLAN1 (default) - no y-cable usage and/or foreign devices in your network
- much can be realized over pfSense itself or a small RaspBerry PI 2/3/4
Cons
- not so cheap as the other ways
- more management and admin power or work
- more complicated and also a much more hit on the
entire LAN network cable (MacSec and Radius with certificates and encryption will be using much horse power)
Managed switches (greater ones)
You can be often her and in the section before getting hands on layer3 license and/or they will be also in all
other segments being sold as real layer3 switches such
the Cisco SG300 or SG350 series. You will be getting all as above mentioned but on top layer3 that let route the entire VLANs it self and free the pfSense firewall from that
workload. Often stacking modules will be also available
for such managed switches. It is often also offered some
different routing methods like RIP-2, IGMP, VRRP, OSPFv2, PIM-SM, static IP Routing, PIM-DM and others so it is more interesting what your pfSense firewall is set up
and/or using to the WAN side and the LAN side too.Pros
- Stackable, Layer3 Licences available
- more routing protocols available
- faster and more powerful
- better connect and support to the WAN routing device
(pending on the used routing protocols there)
Cons
- high cost
- high electric power using
- much more complicate to manage
- not for all circumstances and users