Security problem that I am not sure what I can do about



  • Hey, so basically I have wireless clients connected to my network; they are all via antenna (WISP) and they all get a default gateway of 10.0.0.1 (all my APs also have this set in them).

    Yesterday, a client purchased themselves a new wireless router for their home, which also happened to have the IP address 10.0.0.1. For over an hour I was troubleshooting a problem because no one was getting internet. Long story short, I worked out that it was this client's router. So my question: how on earth can I stop this from happening again?

    Anyone in this case could install a router in their home and bring my network down... again.

    My clients are all connected to my LAN.



  • Luke, get a network engineer with WISP experience to audit and probably offer design recommendations for your configuration.


  • Netgate Administrator

    Was this client trying to use their new router to connect to your network? It sounds like they had it misconfigured however you look at it.
    You could change your gateway to something much more obscure, but that might involve a lot of reconfiguring! ;)
    You could segregate your network so that if it happened again only one segment would be affected.

    I realise that your pfSense setup is quite complex and changing anything is going to be a headache.

    Steve



  • A workaround could be a static MAC address entry for your gateway, at least on your wifi devices.

    I think segmentation will improve your security.
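    An added example, not code from anyone in this thread: a small Python check in the spirit of the static gateway-MAC suggestion above, which parses tcpdump-style ARP reply lines and flags any MAC other than the known gateway MAC answering for 10.0.0.1, which is what the client's misconfigured router in the original post was doing. The gateway MAC, the rogue MAC and the capture lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of ARP traffic in the format "tcpdump -n arp" prints it.
# Both MAC addresses below are placeholders, not real devices from the thread.
GATEWAY_IP = "10.0.0.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"  # assumed: the MAC pinned statically on the APs

SAMPLE_ARP_LINES = """\
12:00:01.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 46
12:00:02.000002 ARP, Request who-has 10.0.0.1 tell 10.0.0.57, length 46
12:00:02.000500 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 46
12:00:03.000003 ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:ff, length 46
12:00:04.000004 ARP, Reply 10.0.0.57 is-at de:ad:be:ef:00:57, length 46
"""

# Only ARP replies matter: a reply is a device asserting "this IP is mine".
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def claims_by_ip(lines):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in lines.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return claims


def rogue_gateway_macs(lines, gateway_ip=GATEWAY_IP, known_mac=KNOWN_GATEWAY_MAC):
    """Return, sorted, every MAC answering for the gateway IP that is not the known gateway."""
    claimed = claims_by_ip(lines).get(gateway_ip, set())
    return sorted(claimed - {known_mac.lower()})


if __name__ == "__main__":
    for mac in rogue_gateway_macs(SAMPLE_ARP_LINES):
        print(f"ALERT: {mac} is answering ARP for gateway {GATEWAY_IP}")
```

    On a live network the same functions can be fed the output of tcpdump on the AP-facing interface, so a second device claiming the gateway address is noticed as soon as it announces itself rather than after an hour of troubleshooting.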



  • @dhatz:

    Luke, get a network engineer with WISP experience to audit and probably offer design recommendations for your configuration.

    Yes, I have thought about that before, but haven't been able to find anyone as yet.



  • @stephenw10:

    Was this client trying to use their new router to connect to your network? It sounds like they had it misconfigured however you look at it.
    You could change your gateway to something much more obscure, but that might involve a lot of reconfiguring! ;)
    You could segregate your network so that if it happened again only one segment would be affected.

    I realise that your pfSense setup is quite complex and changing anything is going to be a headache.

    Steve

    Hey Steve, yes, they were trying to use it to connect to me. They had their antenna plugged into the WAN port of their router. It was configured incorrectly, yes, but this could easily happen again.

    I also thought of changing my gateway to something strange… but yes, that will be a lot of reconfiguring, as all my APs and PTPs on the network (around 100 devices) have their IP and gateway set statically.

    Segregating my network so that if it happened again it would only affect part of it sounds like a better idea. How would I go about that?



  • @marcelloc:

    A workaround could be a static MAC address entry for your gateway, at least on your wifi devices.

    I think segmentation will improve your security.

    Hey marcelloc, yeah, I do already have the gateway set statically on all devices on my network, apart from client CPEs.

    I'll have to read up on segmentation, as I am not sure what you and Steve mean by that, but if it could help then I am definitely willing to give it a try.



  • Change your wifi devices to run in route mode instead of bridge.

    This way clients will have a different network IP range and the wifi device will be the gateway instead of pfSense.

    Clients 192.168.2.x --> wifi device in route mode <--10.10.0.x--> wifi device in bridge mode ---> pfSense



  • @marcelloc:

    Change your wifi devices to run in route mode instead of bridge.

    This way clients will have a different network IP range and the wifi device will be the gateway instead of pfSense.

    Clients 192.168.2.x --> wifi device in route mode <--10.10.0.x--> wifi device in bridge mode ---> pfSense

    This was the first fix I thought of also, but this unfortunately goes against everything else I do to make sure clients don't distribute my connection to neighbours. With their CPE in bridge mode, my RADIUS server can handle their IPs and logins. If I put them in route mode, I will just be able to see their one device (the router) as being online, but what they are doing with their connection after that I cannot manage anymore…



  • Are you sure about this? ???

    If the client installs a wifi router on your bridge network and NATs to other devices, how can you get this traffic in bridge mode but not in route mode?

    If you configure each client with its own network range, won't your RADIUS be able to reach all devices?

    Clients --> wifi device in router mode with DHCP relay <-----> wifi bridge mode ----> RADIUS/DHCP server/pfSense ----> internet.



  • @marcelloc:

    Are you sure about this? ???

    If the client installs a wifi router on your bridge network and NATs to other devices, how can you get this traffic in bridge mode but not in route mode?

    If you configure each client with its own network range, won't your RADIUS be able to reach all devices?

    Clients --> wifi device in router mode with DHCP relay <-----> wifi bridge mode ----> RADIUS/DHCP server/pfSense ----> internet.

    Well, I don't like to say that I am sure because I am probably wrong, but that is my understanding.

    Currently my RADIUS server allows 1 IP per client and 1 MAC address. If that CPE is in router mode, then the 1 IP and 1 MAC I see are the CPE's. If my CPEs are L2 bridges like they currently are, then that 1 IP and 1 MAC that I give the client are their PC's. So to me that makes it not possible for them to distribute (OK, they still can by sharing the LAN connection, but that is less likely than distributing from a WAP).

    To be honest, I am sure my setup could be improved and my ears are open to anything. Here in Brasil, as you know, people love to distribute connections, so I am just trying to do as much as I possibly can to lock my clients down so they are not able to distribute my signal. I need to, as the bandwidth prices here are so high.



  • Luke,

    Configure your access point in route mode without NAT; this way you will have all client IPs on your DHCP/RADIUS/firewall.

    But on any setup (bridge/route/route+NAT), your clients can set up an access point with a MAC address cloned from a configured machine and share their connections.

