Danger / Security concerns in allowing access to DSL modem on WAN from LAN??



  • Hi:D

    I'm running pfSense 2.0.2 with 3 nics. The WAN is connected to a DSL modem in transparent bridging mode via PPPoE, so traffic going to the WAN will go right through pfSense to the DSL gateway. Normally I wouldn't be able to access the webGUI of the modem from inside the LAN but I needed to be able to restart the modem with a script so I followed this guide and opened it up. http://tinyurl.com/84eu5cd

    Basically, I created a new interface on the WAN port then added an outbound NAT rule that linked a virtual IP on the WAN to the LAN.

    I am wondering what kind of security threats this configuration might pose. Would this be somehow exploitable from the outside? The new modem interface does not seem to obey firewall rules and I can ping to any address from there. Despite being able to ping to any address on any interface, I can only connect on the one subnet that is defined in the Outbound NAT rule. Since the modem is simply acting as a bridge and isn't visible to either the WAN or LAN networks before this trick, is it even visible outside the LAN now? If this config offers a significant security threat then Id like to remove it or find an alternative.

    I'd appreciate any feedback. Thank you


  • Rebel Alliance Developer Netgate

    You can restrict access using LAN firewall rules if you're concerned. It wouldn't be "exploitable" from the outside, just from your local network(s).

    How secure that is really depends on how secure the GUI on the modem is. If it doesn't use any auth or pretty weak auth or has a default password, then it would be a concern.

    But if you block anyone from reaching it but a couple of designated "management" PCs, that can be mitigated.



  • Ah, Thank you.

    I have added a good password to the modem GUI and have restricted access to it with some firewall rules.

    Good to know that it isn't accessible from the outside. That's what I was mostly worried about.


Locked