    Netgate Discussion Forum
    How to prevent users from LAN to know the external local WAN IP ?

    Off-Topic & Non-Support Discussion
    multi wan cloudflare external ip security
    • Sergei_Shablovsky
      Sergei_Shablovsky last edited by Sergei_Shablovsky

      The local pfSense appliance has a multi-WAN config (active-active mode), with 2 different IPs from the local ISP, for example A.A.A.A and B.B.B.B.

      In addition, the CloudFlare DNSSEC, DNS over TLS and load balancing features are used for both the A.A.A.A and B.B.B.B IPs.

      How to make it impossible for LAN users to learn the local WAN IPs? (for example by using checkmyip.com, yourip.com, etc.)

      —
      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
      Help Ukraine to resist, save people’s lives !
      (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

      • JKnott
        JKnott @Sergei_Shablovsky last edited by

        @Sergei_Shablovsky

        You can't. There are too many ways to find out. In addition to what you mentioned, there are sites such as www.grc.com, testipv6.com, speedtest.net and more that identify the source IP address.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Sergei_Shablovsky
          Sergei_Shablovsky @JKnott last edited by Sergei_Shablovsky

          @JKnott said in How to prevent users from LAN to know the external local WAN IP ?:

          @Sergei_Shablovsky

          You can't. There are too many ways to find out. In addition to what you mentioned, there are sites such as www.grc.com, testipv6.com, speedtest.net and more that identify the source IP address.

          Thank You for the answer!

          Do I understand correctly that this is because all ISPs broadcast their structure (I mean OSPF, BGP, etc. protocols) to keep connectivity better?

          • V
            viragomann @Sergei_Shablovsky last edited by

            @Sergei_Shablovsky
            That's by design of TCP. Each packet a client sends to a server carries the source and the destination address in its header. When your router sends the packet out to the internet, it replaces the source address with its own WAN IP.
            Otherwise a response packet won't come back to the router.
            So a destination server always knows where a packet comes from.

            • Sergei_Shablovsky
              Sergei_Shablovsky @viragomann last edited by Sergei_Shablovsky

              @viragomann said in How to prevent users from LAN to know the external local WAN IP ?:

              @Sergei_Shablovsky
              That's by design of TCP. Each packet a client sends to a server carries the source and the destination address in its header. When your router sends the packet out to the internet, it replaces the source address with its own WAN IP.
              Otherwise a response packet won't come back to the router.
              So a destination server always knows where a packet comes from.

              Thank You for the answer!

              I know this, but I am trying to find a way to limit the ability to determine the local WAN IPs from inside the LAN. For example, even if a LAN user were able to determine the upstream ISP's router IP instead of our WAN IP - that would be great.

              • JKnott
                JKnott @Sergei_Shablovsky last edited by

                @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                For example, even if a LAN user were able to determine the upstream ISP's router IP instead of our WAN IP - that would be great.

                You'd have to block traceroute to do that. But why do you consider the ISP's router to be an issue?

                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  Send all your traffic over a tunnel to some IP you don't mind them finding. That's pretty much the only thing you can do.

                  Steve

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky last edited by johnpoz

                    @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                    Do I understand correctly that this is because all ISPs broadcast their structure (I mean OSPF, BGP, etc. protocols) to keep connectivity better?

                    Huh?? No, that has nothing to do with finding out the IP you're talking to a site from... Just google "what's my IP"; there are hundreds if not thousands of sites that will tell you what IP you talked to them from...

                    If you're allowing access to the internet there is NO way to hide the IP you're talking to the internet from... Just not possible!!! You could block traceroute, UDP ports and ICMP to stop someone from finding the intermediate hops along the way, i.e. the ISP gateway right after your router for example... But they would still be able to find the IP they are talking from by going to any of thousands of different websites.. No possible way to block them all - also a user could just hit any website/IP at all that they have access to the logs of to see the IP.

                    How exactly do you hide this, for example - just a simple google search; are you going to block access to Google?

                    (attached image: whatip.jpg)

                    Stephenw10 had really the only way you could attempt to hide it - by tunneling all traffic to some site you're OK with them knowing the IP of, say a VPN - this way if they went to some site like whatsmyip, it would show that VPN endpoint IP and not your actual public IP.

                    What is the point of trying to hide your public IP from users of your network?? I am not understanding the use case here to be honest.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 23.01 | Lab VMs CE 2.6, 2.7

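viragomann's point above (the router rewrites the source address to its own WAN IP, so the far end always sees it) and the tunnel suggestion from stephenw10 and johnpoz (only an encapsulating tunnel changes what the far end sees) can be shown in one small model. This is an added example, not code from the thread or from pfSense: the addresses are constructed from the RFC 5737 documentation ranges, the NAT table and the tunnel encapsulation are simplified models of what a router does, and port 51820 is just an assumed tunnel port.

```python
"""Toy model of stateful source NAT and of an encapsulating tunnel, to show
what a remote 'what is my IP' site can learn about the gateway.

Added example, not code from this thread or from pfSense.  Addresses are
constructed from the RFC 5737 documentation ranges; the NAT/encapsulation
logic is a simplified model, not pf's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SourceNat:
    """Stateful source NAT as a router does it: every outbound packet leaves
    with the router's own public address, and a state entry lets the reply
    be mapped back to the LAN host that sent the request."""
    public_ip: str
    next_port: int = 40000
    state: Dict[Tuple[str, int], int] = field(default_factory=dict)
    reverse: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.state:
            self.state[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.state[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the LAN host.  A packet with no matching
        state (unsolicited inbound traffic) has nowhere to go and is dropped."""
        key = self.reverse.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None
        lan_host, lan_port = key
        return Packet(pkt.src, pkt.sport, lan_host, lan_port)


def whats_my_ip(pkt: Packet) -> str:
    """A 'what is my IP' site can only report the source address it received."""
    return pkt.src


# Constructed addresses: LAN host, the gateway's WAN IP, a VPN endpoint, a website.
LAN_HOST = "192.168.1.50"
WAN_IP = "198.51.100.7"
VPN_ENDPOINT = "203.0.113.200"
WEBSITE = "203.0.113.10"


def direct_egress() -> Tuple[str, Optional[Packet]]:
    """LAN host talks to the website straight through the gateway's NAT.
    Returns what the website sees and the reply as delivered back to the host."""
    nat = SourceNat(WAN_IP)
    out = nat.outbound(Packet(LAN_HOST, 51515, WEBSITE, 443))
    reply = nat.inbound(Packet(WEBSITE, 443, out.src, out.sport))
    return whats_my_ip(out), reply


def tunnelled_egress() -> Tuple[str, str]:
    """Gateway encapsulates the LAN packet towards the VPN endpoint; the
    endpoint decapsulates and source-NATs it with its own address.
    Returns (what the website sees, the only party that sees the WAN IP)."""
    inner = Packet(LAN_HOST, 51515, WEBSITE, 443)
    outer = Packet(WAN_IP, 51820, VPN_ENDPOINT, 51820)   # outer header: only the tunnel peer sees WAN_IP
    endpoint_nat = SourceNat(VPN_ENDPOINT)
    egress = endpoint_nat.outbound(inner)               # inner packet re-sourced at the endpoint
    return whats_my_ip(egress), outer.dst


def unsolicited_inbound_is_dropped() -> bool:
    """'Block all incoming on WAN' in stateful terms: no state, no translation."""
    nat = SourceNat(WAN_IP)
    return nat.inbound(Packet("203.0.113.66", 12345, WAN_IP, 22)) is None


if __name__ == "__main__":
    seen, reply = direct_egress()
    print("direct: website sees", seen, "; reply delivered to", reply.dst if reply else None)
    seen, peer = tunnelled_egress()
    print("tunnel: website sees", seen, "; WAN IP visible only to", peer)
    print("unsolicited inbound dropped:", unsolicited_inbound_is_dropped())
```

The model makes the trade-off in the thread concrete: with direct egress the website necessarily learns `WAN_IP`, because that is the only address a reply can be sent to; with the tunnel the website learns the VPN endpoint's address instead, and the WAN IP is disclosed only to the tunnel peer, which is the party stephenw10 describes as the "IP you don't mind them finding".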
                    • chpalmer
                      chpalmer @johnpoz last edited by chpalmer

                      @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                      What is the point of trying to hide your public IP from users of your network?? I am not understanding the use case here to be honest.

                      +1

                      Add me to that query.. :) sometimes you have to choose your battles..

                      Triggering snowflakes one by one..

                      • Sergei_Shablovsky
                        Sergei_Shablovsky @JKnott last edited by

                        @JKnott said in How to prevent users from LAN to know the external local WAN IP ?:

                        @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                        For example, even if a LAN user were able to determine the upstream ISP's router IP instead of our WAN IP - that would be great.

                        You'd have to block traceroute to do that. But why do you consider the ISP's router to be an issue?

                        I am trying to eliminate a security hole:

                        • minimize the ability of outside attackers to determine the main gate entry IPs;
                        • minimize the ability to determine the main gate entry IPs from inside the office LAN (office secured WiFi, office open WiFi);

                        Of course outside attackers may try to obtain access to the ISP's infrastructure (client database leaks, phishing emails, etc.) or (the most used way nowadays) by social engineering (phishing emails, SMS, Twitter/Messenger/Telegram for staff with exploit links, etc.).

                        And sooner or later, the attacker gets the main gate IPs.

                        But anyway, time is money, and any wall between the attacker and the goal is good.

                        Regarding Your question: if an attacker is DDoS-ing the ISP's upstream appliance - this is the ISP's security job, and the attack may be eliminated at the ISP level more effectively than on our main gate appliance, agree?

                        • Sergei_Shablovsky
                          Sergei_Shablovsky @stephenw10 last edited by

                          @stephenw10 said in How to prevent users from LAN to know the external local WAN IP ?:

                          Send all your traffic over a tunnel to some IP you don't mind them finding. That's pretty much the only thing you can do.

                          Steve
                          Thank You, Steve!

                          I know about this ability, but because keeping a tunnel means extra load for the hardware and lowers the overall bandwidth - I wrote to the forum trying to find another way :)

                          • JKnott
                            JKnott @Sergei_Shablovsky last edited by

                            @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                            I am trying to eliminate a security hole:

                            minimize the ability of outside attackers to determine the main gate entry IPs;
                            minimize the ability to determine the main gate entry IPs from inside the office LAN (office secured WiFi, office open WiFi);

                            Of course outside attackers may try to obtain access to the ISP's infrastructure (client database leaks, phishing emails, etc.) or (the most used way nowadays) by social engineering (phishing emails, SMS, Twitter/Messenger/Telegram for staff with exploit links, etc.).

                            Better put your tin foil hat on. You have nothing to worry about in that respect. It's the ISP's responsibility to protect their network. Hiding it from your users will accomplish nothing.

                            • Sergei_Shablovsky
                              Sergei_Shablovsky @johnpoz last edited by Sergei_Shablovsky

                              @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                              What is the point of trying to hide your public IP from users of your network?? I am not understanding the use case here to be honest.

                              Thank You, John, for the kind reply and the effort to understand my needs!

                              Primarily, the topic means hiding (or making it very sophisticated to determine) the external IPs of the main gate from an attacker, on both the external and the internal side, to prevent the most used types of attacks like DDoS, DNS amplification, etc.

                              For example, detecting incoming RST packets to prevent DNS amplification / Malicious Activity Abuse attacks.
                              How do You work with this type of attack?

                              When You keep all Your business/services in a cloud, this is not an issue, because the cloud SaaS provider (Amazon, DigitalOcean, Google, Akamai, etc...) does all the protection job for You. Just pay the price. Thousands of USD.
                              But anyway, you need extra alarm work during an attack to reconfigure the infrastructure.

                              But here we all have pfSense as software installed on real hardware, more or less powerful. And we are all obligated to keep all services working well 24/7/365.

                              So because of this we need to make every possible effort to prevent attacks and secure our clients as much as possible.

                              For example, the cost of DDoS-ing nowadays is from $20 / hour to $2-5k / hour depending on the type of attack. And how much does Your client lose for 1 hour of all its services (public web, warehouse databases, emails, survival equipment, climate control, power control, ...) being down?
                              Now there is no solution against DDoS attacks other than switching to a failover uplink. If You have one already, of course.

                              Think in this manner about hospitals, medical clinics with a lot of blood pumps, heart support devices....

                              Most users here on the forum are quite far from these so-called “enterprise” questions. But only until the moment it really happens to them!

                              If 70% of ordinary users on this forum are not thinking about things like DNS amplification, that does not mean this attack does not exist at all.

                              P.S. Example: an easy way to create an attack vector: create a gmail address -> register on this forum -> look at this thread https://forum.netgate.com/topic/51312/show-your-pfsenses-thread-bandwidth-warning -> determine the real users with the most detailed hardware/software setup -> find on LinkedIn / FB the company where this person works -> try to get inside and dump some sensitive databases -> obtain the real entry IPs -> prepare a DDoS attack -> send an email with a proposal to pay in crypto -> launch the DDoS if the payment is not made.
                              $2,000-10,000 USD is not a big amount for a business, compared to 3-7 days of all its online-oriented services being down and the profit lost because of this.
                              I think this criminal way is easy to understand even for a student in a tech college. It's reality. And no ISP protects You against this; they just switch you off for the duration of the attack.

                              Another example: a forum user not only shows his WAN IPs, but the pfSense Device ID and much more https://forum.netgate.com/topic/139433/resolved-pfsense-hangs-when-wan-is-unstable-or-lost

                              This is only one example of how people do not care about security. And I really do not understand why they do this.

                              • Sergei_Shablovsky
                                Sergei_Shablovsky @JKnott last edited by Sergei_Shablovsky

                                @JKnott said in How to prevent users from LAN to know the external local WAN IP ?:

                                @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                                I try to eliminate security hole:

                                minimize ability to determine main gate entry IPs from outside attackers;
                                minimize ability to determine main gate entry IPs from inside office lan (office secured WiFi, office open WiFi);

                                Of course outside attackers may try to obtain access to ISPs infrastructure (client database leaks, phishing emails, etc.) or (most used way nowadays) by social engineering (phishing emails, SMS, Twitter/Messanger/Telegram for stuff with exploit links, etc).

                                Better put your tin foil hat on.

                                Nice suggestion. :) But better to be serious in this case.

                                You have nothing to worry about in that respect. It's the ISPs responsibility to protect their network. Hiding it from your users will accomplish nothing.

                                Maybe You have never been under attack: the only thing that 99% of local ISPs in any country do is just send You an abuse email, and after 30min-2h of the channel to the upstream appliance being overloaded -> blackhole all requests to Your IPs.

                                You may only sit and wait....

                                And afterwards You never receive monetary compensation for “losing profit because the service was not provided to You by the ISP” and you pay a lot for lawyers to prove the issue.

                                Live in reality :) Only a huge business is able to win legal battles. Other businesses have to resolve security / attack issues themselves.

                                So better to focus on the topic, ok, transform it to “How to make it impossible or sophisticated to know the real main gate IPs from inside the office LAN”
                                That's ok, is the foil hat still needed? ;)

                                • G
                                  gcu_greyarea last edited by

                                  On WAN block all incoming traffic.
                                  On LAN block all outgoing traffic.

                                  Set up a proxy server and install certificates on all your clients.

                                  Choose an ISP that offers a proxy server.

                                  Point your proxy server to the ISP's upstream proxy.

                                  Alternative:
                                  Purchase a VPS somewhere. Build a tunnel to that VPS and send all the internet traffic through the tunnel.

                                  If your security needs are really that strict, spending a few $$$ on a VPS shouldn't break the bank...

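The first five steps of the post above describe one egress policy: default deny in both directions, clients allowed only to an internal proxy, and the proxy allowed only to the ISP's upstream proxy. The following is an added example (not the poster's or pfSense's code) that evaluates that policy with pfSense-style first-match semantics over constructed sample traffic; the rule model is a simplified pf-like one, the proxy port 3128 and every address are assumptions, and the sample flows are constructed.

```python
"""First-match evaluation of the 'default deny both ways, egress only via a
proxy' policy.  Added example, not the poster's or pfSense's code: the rule
model is a simplified pf-like one and all addresses are constructed from the
RFC 1918 / RFC 5737 ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    iface: str       # interface the packet arrives on: "wan" or "lan"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    iface: str
    proto: Optional[str] = None   # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        return (self.iface == f.iface
                and (self.proto is None or self.proto == f.proto)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """pfSense-style semantics for interface rules: the first matching rule
    decides; a flow matching nothing falls through to the implicit deny."""
    for r in rules:
        if r.matches(f):
            return r.action, r.note
    return "block", "implicit default deny"


# Constructed addresses.
LAN_NET = "192.168.1.0/24"
PROXY = "192.168.1.2"             # internal proxy the clients are configured to use
UPSTREAM_PROXY = "198.51.100.30"  # the ISP-provided upstream proxy (assumed port 3128)
WAN_IP = "198.51.100.7"

POLICY: List[Rule] = [
    # Step 1: nothing unsolicited reaches the firewall from the WAN side.
    Rule("block", "wan", note="WAN: block all incoming"),
    # Steps 3-5: the only permitted egress paths; they must precede the LAN catch-all.
    Rule("pass", "lan", "tcp", LAN_NET, PROXY, 3128, note="clients -> internal proxy"),
    Rule("pass", "lan", "tcp", PROXY, UPSTREAM_PROXY, 3128, note="proxy -> ISP upstream proxy"),
    # Step 2: everything else leaving the LAN is dropped.
    Rule("block", "lan", note="LAN: block all outgoing"),
]

# Constructed sample traffic, keyed by what each flow represents.
SAMPLES: Dict[str, Flow] = {
    "direct https to a what-is-my-ip site": Flow("lan", "tcp", "192.168.1.50", "203.0.113.10", 443),
    "traceroute udp probe":                 Flow("lan", "udp", "192.168.1.50", "203.0.113.10", 33434),
    "client to internal proxy":             Flow("lan", "tcp", "192.168.1.50", PROXY, 3128),
    "client to proxy host on ssh port":     Flow("lan", "tcp", "192.168.1.50", PROXY, 22),
    "proxy to upstream proxy":              Flow("lan", "tcp", PROXY, UPSTREAM_PROXY, 3128),
    "unsolicited ssh from the internet":    Flow("wan", "tcp", "203.0.113.66", WAN_IP, 22),
}


def evaluate_samples(rules: List[Rule] = POLICY) -> Dict[str, str]:
    """Return the action taken for each sample flow under the given rule set."""
    return {name: evaluate(rules, flow)[0] for name, flow in SAMPLES.items()}


def misordered_policy() -> List[Rule]:
    """The common mistake: the LAN catch-all placed before the pass rules.
    With first-match semantics the pass rules are then never reached."""
    return [POLICY[0], POLICY[3], POLICY[1], POLICY[2]]


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{action:5s}  {name}")
    print("misordered policy blocks the proxy path:",
          evaluate_samples(misordered_policy())["client to internal proxy"])
```

Two things the evaluation makes visible: rule order matters (the catch-all block placed first silently defeats the proxy path), and the policy distinguishes the proxy from the clients only by its address because in this model it sits on the same LAN segment, so in a real deployment the proxy belongs on its own interface or VLAN where the firewall sees it on a separate interface.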
                                  • johnpoz
                                    johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                    Sorry dude, you can not HIDE your public IP from your users... without tunneling them to some other endpoint.

                                    It is not possible.. As stated already, if you let them talk from it to the internet - then there are a bajillion ways.

                                    But it sounds like you're wanting to hide your IP from where you go to... If this is the case then use a proxy/VPN... If you don't want pfsense.org knowing your IP, then that is a VPN or proxy. But I can promise you users will have issues with being blocked... Many sites block such access - especially forums.. Because people hiding their IPs are normally spammers!

                                    If you're concerned with DDoS mitigation, then use a service that provides it.. Every major ISP provides this service - at a COST!! Or get your own IPs, and use a service that can route your traffic through them... At work we use these guys

                                    https://www.netscout.com/arbor-ddos

                                    If an attack is detected against any of our public IP space, we can reroute that network through their network before it gets to us; they mitigate the attack traffic. It ain't cheap ;)

                                    Your only possible solution is VPN.. Be it you use a service or roll your own. This hides your IP from your own users, it also hides your IP from the destination.. But it comes with its own issues. This is the only ma and pa type shop sort of solution.

                                    • Sergei_Shablovsky
                                      Sergei_Shablovsky @gcu_greyarea last edited by

                                      @gcu_greyarea said in How to prevent users from LAN to know the external local WAN IP ?:

                                      On WAN block all incoming traffic.
                                      On LAN block all outgoing traffic.

                                      Set up a proxy server and install certificates on all your clients.

                                      Choose an ISP that offers a proxy server.

                                      Point your proxy server to the ISP's upstream proxy.

                                      Alternative:
                                      Purchase a VPS somewhere. Build a tunnel to that VPS and send all the internet traffic through the tunnel.

                                      If your security needs are really that strict, spending a few $$$ on a VPS shouldn't break the bank...

                                      Ok. I am just trying to find another way, let's say, I am open to learn ;)

                                      ISPs here are not stable for a couple of reasons, so a VPS or even colocation is a great way.

                                      Thank You for the effort! ;)

                                      • JKnott
                                        JKnott @johnpoz last edited by

                                        @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                                        then there are a bajillion ways

                                        I thought it was closer to a gazillion. 😉

                                        • stephenw10
                                          stephenw10 Netgate Administrator last edited by

                                          Yeah, if you allow users behind the firewall to connect out then they can trivially find the IP they are connecting from.

                                          The only thing you can do is change that IP to something else using a tunnel or proxy.

                                          Steve

                                          • Sergei_Shablovsky
                                            Sergei_Shablovsky @johnpoz last edited by

                                            @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                                            Sorry dude, you can not HIDE your public IP from your users... without tunneling them to some other endpoint.

                                            It is not possible.. As stated already, if you let them talk from it to the internet - then there are a bajillion ways.

                                            I understand that, but I am asking here because I hope that someone suggests another way to me than VDS/VPS. :)
                                            I am open to learn.

                                            But it sounds like you're wanting to hide your IP from where you go to... If this is the case then use a proxy/VPN... If you don't want pfsense.org knowing your IP, then that is a VPN or proxy. But I can promise you users will have issues with being blocked... Many sites block such access - especially forums.. Because people hiding their IPs are normally spammers!

                                            I know that. In the last 2-3 years a lot of people have started to care about privacy much more and have started blocking cookies, pop-ups, JS, using anonymizers, VPN services, etc. But this impacts website coding, frontend coding of services, ... forums...
                                            For example, a lot of journalists (even in the US, not only in small countries in the 3rd world) need to hide their IPs, security and forensic pros, etc...
                                            A new world comes with new types of attacks and new types of defense.

                                            If you're concerned with DDoS mitigation, then use a service that provides it.. Every major ISP provides this service - at a COST!! Or get your own IPs, and use a service that can route your traffic through them... At work we use these guys

                                            https://www.netscout.com/arbor-ddos

                                            Thank You for the kind suggestion!

                                            I repeat one more time: technically it is not possible to stand against a DDoS attack on Your IPs, only to pull the Eth jack out ;)
                                            No ordinary local ISP is able to stand against 10G - 20G of traffic coming to Your Eth port.

                                            Because of this, CloudFlare exists. But CloudFlare (or any other company, Amazon, DigitalOcean, ...) is only able to protect You if the DDoS points at Your FQDN.
                                            But if the attack is pointed at Your real main gate IPs - You would have only one way: sit and smoke great cigars from Cuba. ;)

                                            If an attack is detected against any of our public IP space, we can reroute that network through their network before it gets to us; they mitigate the attack traffic. It ain't cheap ;)

                                            This works only if the attack points at an FQDN, but if the attack is pointed at Your real main gate IPs - nothing to do with this :)

                                            Your only possible solution is VPN.. Be it you use a service or roll your own. This hides your IP from your own users, it also hides your IP from the destination.. But it comes with its own issues. This is the only ma and pa type shop sort of solution.

                                            Thank You for the time and effort to understand my point.

                                            As we see, a VPS/VDS in a very fast fiber-connected DC is able to mask/hide the real IPs of the main gate...

                                            Thank You all !!!

                                            • johnpoz
                                              johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                              @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

                                              This work only attack point on FQDN, but if attack pointed on Your real main gate IPs - nothing to do with this :)

                                              Huh? It has zero to do with what FQDN might point to an IP.. We advertise what networks are used; the actual route is changed for network 6.15.0.0/16, as an example.

                                              We have multiple networks routed to our connections in our DCs - multiple customers using different networks, /24s for example.. These routes are advertised via BGP to the internet...

                                              So no, a DNS record pointing to an IP has zero to do with the mitigation of such a volumetric DDoS attack.

                                              I suggest you take a look at how a service such as the one I linked to works.

                                              But no, such services don't work for small ma and pop setups where the ISP gives you IP address X to work with..

                                              You trying to hide your IP is not security of any kind - security through obscurity doesn't fix the actual problem.. It's trying to hide your head in the sand hoping the bad guy doesn't find you.

                                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                                              If you get confused: Listen to the Music Play
                                              Please don't Chat/PM me for help, unless mod related
                                              SG-4860 23.01 | Lab VMs CE 2.6, 2.7
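On the thread's original question, here is an added example that is not code from this thread, from pfSense or from any poster: a LAN client does not need an IP-echo website to learn the WAN address. Any STUN Binding Request (which is what a browser sends during WebRTC setup, and what many VoIP clients send on startup) gets back the post-NAT address in an XOR-MAPPED-ADDRESS attribute of the reply. The decoder below follows the RFC 5389 wire format; the server reply is constructed inline (203.0.113.7:51820 is a documentation address, not a real result), and `query_stun_server` only shows what the live call looks like and is not run offline.

```python
"""Decode a STUN Binding response to recover the public (post-NAT) address.

Added example: shows how a client behind NAT learns its WAN address from a
STUN server. The sample reply is constructed here; no network access needed.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy (RFC 3489) form, plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 form, XORed with the cookie


def build_binding_request(txid=None):
    """Return (packet, txid) for a Binding Request with no attributes."""
    txid = txid or os.urandom(12)
    header = struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)
    return header, txid


def parse_mapped_address(response, txid):
    """Return (ip, port) from a Binding Success Response, or raise ValueError.

    XOR-MAPPED-ADDRESS wins if present; MAPPED-ADDRESS is accepted as a
    fallback for old servers. The transaction ID must match the request, so a
    reply injected by something else on the path is rejected.
    """
    if len(response) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie, rx_txid = struct.unpack("!HHI12s", response[:20])
    if cookie != MAGIC_COOKIE or rx_txid != txid:
        raise ValueError("not a response to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    body = response[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")

    fallback = None
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        offset += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if len(value) < 4:
            raise ValueError("short address attribute")
        family, port = struct.unpack("!xBH", value[:4])
        raw = value[4:]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            # IPv4 is XORed with the cookie only; IPv6 with cookie + transaction ID.
            key = struct.pack("!I", MAGIC_COOKIE) + txid
            raw = bytes(a ^ b for a, b in zip(raw, key))
        if family == 0x01 and len(raw) == 4:
            ip = socket.inet_ntop(socket.AF_INET, raw)
        elif family == 0x02 and len(raw) == 16:
            ip = socket.inet_ntop(socket.AF_INET6, raw)
        else:
            raise ValueError("bad address family or length")
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return ip, port
        fallback = (ip, port)
    if fallback:
        return fallback
    raise ValueError("no mapped address in response")


def make_sample_response(txid, ip="203.0.113.7", port=51820):
    """Constructed Binding Success Response standing in for a real server reply."""
    raw = socket.inet_pton(socket.AF_INET, ip)
    xaddr = bytes(a ^ b for a, b in zip(raw, struct.pack("!I", MAGIC_COOKIE)))
    value = struct.pack("!xBH", 0x01, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def query_stun_server(host, port=3478, timeout=2.0):
    """Live query against a public STUN server (assumed reachable; not run here)."""
    request, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        data, _ = s.recvfrom(2048)
    return parse_mapped_address(data, txid)


if __name__ == "__main__":
    request, txid = build_binding_request()
    print(parse_mapped_address(make_sample_response(txid), txid))
```

Checking the transaction ID before trusting the reply matters because STUN runs over plain UDP, so anything on the path could otherwise inject a bogus address. Blocking outbound UDP/3478 on the firewall only moves the problem: the same address is available from any IP-echo site, from the Received headers of an outbound mail, or from any server the client connects to that is willing to tell it.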

                                              • stephenw10
                                                stephenw10 Netgate Administrator last edited by stephenw10

                                                Yeah, that^. Works great in that sort of situation... if you are willing to pay for it.

                                                Not really possible for 5 static IPs at your office though. Only the ISP can do anything there.

                                                See my earlier 'use a tunnel' comment. 😉

                                                Steve

                                                • johnpoz
                                                  johnpoz LAYER 8 Global Moderator last edited by

^ exactly... The only solution to "hide" for a mom-and-pop setup is a VPN service or proxy... But that doesn't actually fix the problem... It's just trying to hide. If they get your IP, they can still DDoS you...

This is why you need to work with your ISP when you're such a small fish.

                                                  • stephenw10
                                                    stephenw10 Netgate Administrator last edited by stephenw10

                                                    There are advantages to dynamic IPs. Not many but this is one.

                                                    • johnpoz
                                                      johnpoz LAYER 8 Global Moderator last edited by johnpoz

Maybe if you're a home user and you don't want some script kiddie DoSing you to keep you from playing a game you beat him in or something.

Just playing whack-a-mole at this point. A VPN is probably well suited for something like that, hiding your IP from the game server so Billy can't knock you off the game when you start kicking his ass. As long as the game server doesn't block VPNs, which they probably do ;)

If you're trying to run a business, and you're worried about DDoS, then really the correct solution is to get with your ISP about DDoS protection. Any major ISP you get your connection from will offer DDoS mitigation services, be it as a pay-as-you-go option or as an insurance sort of option you buy, etc. They will provide you with a specific threat number to call if you're under attack, etc. etc.

These are all things you have to take into account as your company grows and your connection becomes vital to the business, and not just your workers shopping on Amazon in their free time ;) on your $100-a-month "business line" ;)

Here is the thing: none of it is free! Thinking you're going to find some solution with a $20-a-month VPN service is just plain nonsense.

If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

                                                      • G
                                                        gcu_greyarea last edited by gcu_greyarea

                                                        So we went all the way - from "hiding WAN IP from internal users" to "protecting an enterprise from DDOS".

                                                        And we want all of that for free :)

If you cannot afford to host your application/website with one of the large providers, you could still try this.

                                                        Rent a small VPS. Buy sufficient bandwidth and CPU to run a reverse proxy...

Connect to your VPS via VPN. Run all your public-facing websites or application front-ends off the VPS...

                                                        Do the processing and Databases etc at home.

If your VPS gets attacked, switch over to another one...

                                                        And yes, there will be latency and costs of some sort.

                                                        • johnpoz
                                                          johnpoz LAYER 8 Global Moderator last edited by johnpoz

And yup, going to say it again.

If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

                                                          Hey I plugged in the switch and it worked.. I'm a network engineer ;)

If I could just keep everyone from knowing my IP they couldn't DDoS me <rolleyes>

                                                          • Sergei_Shablovsky
                                                            Sergei_Shablovsky last edited by

                                                            @JKnott said in How to prevent users from LAN to know the external local WAN IP ?:

                                                            @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

then there are a bajillion ways

                                                            I thought it was closer to a gazillion. 😉

You surrender! :)

                                                            • Sergei_Shablovsky
                                                              Sergei_Shablovsky last edited by Sergei_Shablovsky

Another reason to care very much about DDoS is that the source code of the Mirai botnet-building system has been publicly available since 2016, and since then the number of attacks of this kind has grown rapidly.

Cryptocurrency gives criminals the ability to receive payments while sitting anywhere in the world, and to attack anyone.

This means you are able to protect yourself in only 2 ways (or a combination):

1. Using a failover uplink (that means doubling the fiber cable connection, plus an additional agreement with the ISP and a huge extra payment for reserving traffic capacity for you);

2. Using a cloud-based CDN with load balancing (in case of an attack your downtime is only the time needed to propagate the renewed WAN IPs, but here you also need to be able to change your static WAN IPs quickly; this means an additional agreement and monthly payment to the uplink ISP, and most local ISPs are not able to do this in an appropriate time slot; only Enterprise-level clients have this opportunity);

So, in real life, if you are an ordinary business and someone wants to charge you several thousand $$$, that's pretty easy.

Because you think all that is written here in the topic is just for "lovers of foil hats" and you will never be under DDoS.

Or maybe you never knew about how GitLab tried to hide a list of more than 5,000 online shops that have malicious code in their CMS to collect customers' credit card data?
More interesting, the author of this research tried to contact these shops but received "it's not our deal", "we are protected by HTTPS", "we are protected by PayPal", or "this is a coding mistake and does not impact our clients", and so on... And many of the shops on this list are still working today.
Madness? A story for "foil hat lovers"? REALITY!
Just google this story...

                                                              • Sergei_Shablovsky
                                                                Sergei_Shablovsky @johnpoz last edited by

                                                                @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

^ exactly... The only solution to "hide" for a mom-and-pop setup is a VPN service or proxy... But that doesn't actually fix the problem... It's just trying to hide. If they get your IP, they can still DDoS you...

This is why you need to work with your ISP when you're such a small fish.

                                                                Totally agree.

                                                                • Sergei_Shablovsky
                                                                  Sergei_Shablovsky @stephenw10 last edited by

                                                                  @stephenw10 said in How to prevent users from LAN to know the external local WAN IP ?:

                                                                  Yeah, that^. Works great in that sort of situation... if you are willing to pay for it.

                                                                  Not really possible for 5 static IPs at your office though. Only the ISP can do anything there.

                                                                  See my earlier 'use a tunnel' comment. 😉

                                                                  Steve

In my current office in Kyiv we have more than 5 already :)

                                                                  • Sergei_Shablovsky
                                                                    Sergei_Shablovsky @johnpoz last edited by

                                                                    @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                                                                    @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

This works only when the attack points at the FQDN, but if the attack is pointed at your real main gateway IPs, there is nothing to do about it :)

Huh? It has zero to do with what FQDN might point to an IP. We advertise which networks are used; the actual route is changed for network 6.15.0.0/16, as an example.

We have multiple networks routed to our connections in our DCs, multiple customers using different networks, /24s for example. These routes are advertised via BGP to the internet...

So no, a DNS record pointing to an IP has zero to do with the mitigation of such a volumetric DDoS attack.

I suggest you take a look at how such a service I linked to works.

But no, such services don't work for small mom-and-pop setups where the ISP gives you IP address X to work with.

Thank you, I will pay more attention to this.

You trying to hide your IP is not security in any sense; security through obscurity doesn't fix the actual problem. It's trying to hide your head in the sand, hoping the bad guy doesn't find you.

This is a never-ending game :)

                                                                    • Sergei_Shablovsky
                                                                      Sergei_Shablovsky @johnpoz last edited by

                                                                      @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

                                                                      @Sergei_Shablovsky said in How to prevent users from LAN to know the external local WAN IP ?:

This works only when the attack points at the FQDN, but if the attack is pointed at your real main gateway IPs, there is nothing to do about it :)

Huh? It has zero to do with what FQDN might point to an IP. We advertise which networks are used; the actual route is changed for network 6.15.0.0/16, as an example.

We have multiple networks routed to our connections in our DCs, multiple customers using different networks, /24s for example. These routes are advertised via BGP to the internet...

So no, a DNS record pointing to an IP has zero to do with the mitigation of such a volumetric DDoS attack.

But no, such services don't work for small mom-and-pop setups where the ISP gives you IP address X to work with.

You trying to hide your IP is not security in any sense; security through obscurity doesn't fix the actual problem.

Sorry for my English. But I wrote the same: no matter how the DDoS is pointed at you,

1. You receive all the traffic on your main gateway's static WAN IPs (or the upstream ISP's router, if the attacker knows its IPs);

2. Your ISP(s) receive all the traffic pointed at you (because DNS records point at them);

In both cases (even if you try to change the main gateway's static WAN IPs once an hour :) the traffic overloads the link capacity and your services will be switched off (by yourself in the first case and by the uplink ISP(s) in the second case).

                                                                      • Sergei_Shablovsky
                                                                        Sergei_Shablovsky @johnpoz last edited by

                                                                        @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

If you're trying to run a business, and you're worried about DDoS, then really the correct solution is to get with your ISP about DDoS protection. Any major ISP you get your connection from will offer DDoS mitigation services, be it as a pay-as-you-go option or as an insurance sort of option you buy, etc. They will provide you with a specific threat number to call if you're under attack, etc. etc.

As I wrote previously, the cost of a DDoS nowadays is much lower for the attacker, and the profit loss for the business is comparatively higher than what the attacker charges you, but at the same time this profit loss for the business is much less than the yearly TCO of an ISP service against DDoS attacks like this.

These are all things you have to take into account as your company grows and your connection becomes vital to the business, and not just your workers shopping on Amazon in their free time ;) on your $100-a-month "business line" ;)

Here is the thing: none of it is free! Thinking you're going to find some solution with a $20-a-month VPN service is just plain nonsense.

In my replies I try each time to point out that our topic is not for "gamers that need a solution for $20-100" ;)

If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

Agreed, but here we return to the point that I wrote before: most of the users here on pfSense are small/mid-range businesses (in the best case) and not able to pay $500-2k for an ISP service of this kind.

                                                                        • Sergei_Shablovsky
                                                                          Sergei_Shablovsky @gcu_greyarea last edited by

                                                                          @gcu_greyarea said in How to prevent users from LAN to know the external local WAN IP ?:

                                                                          So we went all the way - from "hiding WAN IP from internal users" to "protecting an enterprise from DDOS".

                                                                          And we want all of that for free :)

If you cannot afford to host your application/website with one of the large providers, you could still try this.

                                                                          Rent a small VPS. Buy sufficient bandwidth and CPU to run a reverse proxy...

Connect to your VPS via VPN. Run all your public-facing websites or application front-ends off the VPS...

                                                                          Do the processing and Databases etc at home.

If your VPS gets attacked, switch over to another one...

                                                                          And yes, there will be latency and costs of some sort.

                                                                          Totally agree.

I am more than sure the topic would be helpful for many more people in this forum. And this is also good for the pfSense company ;)

                                                                          • Sergei_Shablovsky
                                                                            Sergei_Shablovsky @johnpoz last edited by

                                                                            @johnpoz said in How to prevent users from LAN to know the external local WAN IP ?:

And yup, going to say it again.

If you're wanting to run with the big dogs, you're going to have to learn how to piss in the tall grass ;)

Hey I plugged in the switch and it worked.. I'm a network engineer ;)

If I could just keep everyone from knowing my IP they couldn't DDoS me <rolleyes>

C'mon, my friend, I love you! ;)
One of my jobs is network engineering also.

But hardware has nothing to do with the solution.

We need to think widely about what we may propose to our employee and how this solution helps our employee run the business and solve his potential problems in the future.

                                                                            • johnpoz
                                                                              johnpoz LAYER 8 Global Moderator last edited by johnpoz

Dude, if you think hiding your IP is some sort of solution to anything, you're mistaken...

If you suggest hiding your IP as a solution, you shouldn't have a job in the field. Plain and simple!

                                                                              • stephenw10
                                                                                stephenw10 Netgate Administrator last edited by

If you're big enough to have static IPs but not big enough to have a routed subnet that you advertise, then there is no easy (cheap?) solution here. Only the ISP can do anything about a DoS attack in that instance, so they can charge whatever they want for doing that.

                                                                                Steve

                                                                                • kiokoman
                                                                                  kiokoman LAYER 8 last edited by

In the 90s I remember there was this conspiracy theory that antivirus companies create viruses in order to sell antivirus software... say no more... now that your ISP knows your fear it will DDoS you to take your money... big fish eat small fish!

                                                                                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                                                                  Please do not use chat/PM to ask for help
                                                                                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                                                                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                                                                  • stephenw10
                                                                                    stephenw10 Netgate Administrator last edited by

                                                                                    This is not pfSense specific. Moving it to off-topic to continue.
