Ethernet Security tips ?

    #31
    To the point of Network Address Translation (NAT), allow me to take away some confusion and unneeded complexity here.

    There are two types of NAT. The first one is known as Destination NAT (DNAT) and what it does is forward whatever is received to a specific other address. The second one is known as Source NAT (SNAT) and this changes the address where the reply should go to. There are a lot of crazy things you can do with SNAT and most will not work but the most common usage of SNAT is where a router replaces the reply address with its own address, a method that is generally referred to as Masquerading and every firewall application accepts this as shorthand for SNAT <my internal|external|whatever IP> which also prevents misconfiguration. So my tip is that you forget about (S)NAT and just remember MASQ which offers a visual interpretation of what it does - pretty cool that it happens to be carnival as I write this.

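A toy model of the two NAT types described in post #31, added here as an illustration; it is not code from the forum post or from any router's firmware. It shows masquerading (SNAT to the router's own WAN address, with a connection-tracking table so replies can be un-translated) beside an explicit DNAT port forward, and what happens to an inbound packet that matches neither. The `HomeRouter` and `Packet` names, the starting port 40000 and all addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
# Toy model of the NAT behaviour described above: SNAT/masquerade for LAN->WAN
# traffic with a connection-tracking table, and DNAT (port forward) for WAN->LAN.
# Added illustration, not code from the forum post or from any router firmware.
# All addresses, ports and packets below are constructed (RFC 5737 documentation
# ranges); the class and method names are assumptions made for this example.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HomeRouter:
    """One WAN address shared by a whole LAN, as a home router does."""

    def __init__(self, wan_ip: str,
                 port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        # DNAT table: WAN port -> (LAN host, port); empty unless explicitly configured
        self.port_forwards = dict(port_forwards or {})
        # conntrack: (LAN host, port) -> WAN port, plus the reverse direction
        self._out: Dict[Tuple[str, int], int] = {}
        self._in: Dict[int, Tuple[str, int]] = {}
        self._next_port = 40000  # assumed starting point for translated ports

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN. Masquerade: rewrite the source to the router's own WAN
        address and remember the mapping so the reply can be un-translated."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            wan_port = self._next_port
            self._next_port += 1
            self._out[key] = wan_port
            self._in[wan_port] = key
        return replace(pkt, src_ip=self.wan_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Returns the rewritten packet, or None when it is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None  # not addressed to this router
        if pkt.dst_port in self._in:
            # reply to a connection a LAN host opened: reverse the SNAT
            lan_ip, lan_port = self._in[pkt.dst_port]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        if pkt.dst_port in self.port_forwards:
            # explicit DNAT: an inbound port the owner chose to forward
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        # unsolicited traffic with no mapping: there is nowhere to send it
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the four cases and return them so they can be inspected."""
    router = HomeRouter("203.0.113.5", port_forwards={9000: ("192.168.1.20", 9000)})
    # constructed: a LAN host opens an HTTPS connection to a server on the internet
    out = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    # the server's reply comes back to the router's WAN address and mapped port
    reply = router.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    # an unsolicited packet to port 22 on the WAN address: no mapping, dropped
    probe = router.inbound(Packet("198.51.100.9", 12345, "203.0.113.5", 22))
    # the one port the owner forwarded on purpose reaches the chosen LAN host
    forwarded = router.inbound(Packet("198.51.100.9", 12345, "203.0.113.5", 9000))
    return {"out": out, "reply": reply, "probe": probe, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} {pkt if pkt else 'dropped'}")
```

The `probe` case is the part worth noticing: with masquerading and no port forward configured, an inbound packet that is not a reply to something a LAN host started has no entry to match and is simply not delivered, which is the behaviour later posts in the thread rely on when they say the router's LAN side is already protected. On a Linux-based router the equivalent rules are the iptables `MASQUERADE` and `DNAT` targets (or `masquerade` and `dnat` in nftables).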


      #32
      Originally posted by gordonb3 View Post
      Nothing weird, it simply won't work ...
      I didn't really mean weird from a how IP networks function perspective, but weird from what the user experiences. Like "hmmm, that's weird, it worked at the last campsite but now when I connect the WAN port the web UI stops responding."
      Or, "hmmm, that's weird, the web UI times out and when I ping the router I'm getting like 90% packet loss, until I disconnect the WAN port and then everything starts working again."
      Or, "hmmm, that's weird, when I connect the WAN port, the router reboots."
      Or, "hmmm, that's weird, the WAN port has a steady amber light on, I've never seen that before."
      Or, as P Nelson mentioned, maybe some or most routers detect this situation and automatically reconfigure the built in DHCP server to use a non-conflicting network internally, in which case it might be:
      "hmmm, that's weird, my neighbor's Ubiquiti router is working fine and my Trendnet router keeps rebooting."
      Or... whatever. Not only have I never actually experienced this specific scenario in real life, I haven't tested it with every make and model of router in circulation either, so I can't say that the symptoms would always be the same. I would say with some confidence that if I did run into the issue I would figure it out fairly quickly, however, I might initially respond to my wife's complaints of the internet not working with "give me a minute, there's something weird going on..."

      To the point of Network Address Translation (NAT), allow me to take away some confusion...
      I'm not confused on the way the vast majority (all?) of home routers translate multiple internal private IPs to a single publicly routable IP or the way they keep track of which inbound packet goes to which host internally. I am, however, under the (perhaps mistaken) impression that most casual home network users have heard the abbreviation NAT to refer to the technique, regardless of whether a term like Masquerading may be more precise or descriptive. I feel like "NAT" was in the feature list on the back or side panel of every home router box from the last couple decades but I admit to doing a quick google image search and I didn't immediately find a good example, so maybe I'm making it up.
      Last edited by sodface; 2022-03-01, 04:15.



        #33
        I like how Linux folks used to refer to NAT as "mangling" the packets, which seems right.

        DNAT vs SNAT: and sometimes you do both at the same time. Fun.
        owner of the stuff at https://tuxreborn.netlify.app/
        (which used to reside at www. tux.org/~peterw/)
        Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
        Free plugins: AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial
        FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher
        SettingsManager SleepFade StatusFirst SyncOptions VolumeLock



          #34
          Originally posted by sodface View Post
          I'm not confused on the way the vast majority (all?) of home routers translate multiple internal private IPs to a single publicly routable IP or the way they keep track of which inbound packet goes to which host internally. I am, however, under the (perhaps mistaken) impression that most casual home network users have heard the abbreviation NAT to refer to the technique, regardless of whether a term like Masquerading may be more precise or descriptive. I feel like "NAT" was in the feature list on the back or side panel of every home router box from the last couple decades but I admit to doing a quick google image search and I didn't immediately find a good example, so maybe I'm making it up.
          I didn't state you were confused. In my experience however NAT means absolutely nothing to someone who is not a computer nerd, which I believe is the case with OP and as such I would have preferred it had not been mentioned at all because this type of jargon doesn't help in understanding that an untouched ISP router already provides more than sufficient security to everything you connect to the side that is marked `LAN`. In other words there is no point in enabling security to any specific machine inside your LAN, unless you have a trust issue with people that you do trust to be on your LAN.



            #35
            Originally posted by gordonb3 View Post
            I didn't state you were confused. In my experience however NAT means absolutely nothing to someone who is not a computer nerd, which I believe is the case with OP and as such I would have preferred it had not been mentioned at all because this type of jargon doesn't help in understanding that an untouched ISP router already provides more than sufficient security to everything you connect to the side that is marked `LAN`. In other words there is no point in enabling security to any specific machine inside your LAN, unless you have a trust issue with people that you do trust to be on your LAN.
            A couple of comments

            I mentioned NAT because if you Google it you’ll get lots of useful info whereas if you Google masquerading you get lots of info about pretence.

            To say that an “untouched ISP router already provides more than sufficient security” is, I’d suggest, a little bit of a dangerous statement. I agree that they should but I’m sure you know that there are quite a few examples of ISP issued routers that have been found to have security flaws in them and have remained unpatched by the ISP for years - largely because they have no means of applying firmware updates and replacement (at a cost to them) is the only solution.

            I’m in the UK. Sometimes people ask us to recommend an ISP and before we give a recommendation we always preface it by stating that you get what you pay for both in the choice of ISP and the cost of the router.

            For the record it’s Zen and a Draytek Vigor.
            Jim
            https://jukeradio.double6.net


            VB2.4 storage QNAP TS419p (NFS)
            Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
            Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
            Dining Room SB Radio
            Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
            Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
            Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes



              #36
              Thank you all for the advice.

              However, this is quickly becoming a specialist discussion!

              In fact, what should I do?

              I connect my Raspberry to my switch and that's it?



                #37
                Originally posted by PaulH View Post
                Thank you all for the advice.

                However, this is quickly becoming a specialist discussion!

                In fact, what should I do?

                I connect my Raspberry to my switch and that's it?
                Yes. That’s what I do. I’m assuming your router has a typical firewall. I’ve personally never seen one that doesn’t.
                Home: Pi4B-8GB/pCP8.2.x/4TB>LMS 8.3.x>Transporter, Touch, Boom, Radio (all ethernet)
                Cottage: rPi4B-4GB/pCP8.2.x/4TB>LMS 8.3.x>Touch>Benchmark DAC I, Boom, Radio w/Battery (Radio WIFI)
                Office: Win11(64)>foobar2000
                The Wild: rPi3B+/pCP7.x/4TB>LMS 8.1.x>hifiberry Dac+Pro (LMS & Squeezelite)
                Controllers: iPhone14Pro & iPadAir5 (iPeng), CONTROLLER, Material Skin, or SqueezePlay 7.8 on Win10(64)
                Files: Ripping: dBpoweramp > FLAC; Post-rip: mp3tag, PerfectTunes, TuneFusion; Streaming: Spotify



                  #38
                  Originally posted by PaulH View Post
                  Thank you all for the advice.

                  However, this is quickly becoming a specialist discussion!

                  In fact, what should I do?

                  I connect my Raspberry to my switch and that's it?
                  You can change the password for your Pi from the default.

                  Sent from my Pixel 3a using Tapatalk
                  Living Room: Touch or Squeezelite (Pi3B) > Topping E30 > Audiolab 8000A > Monitor Audio S5 + BK200-XLS DF
                  Bedroom: Radio
                  Bathroom: Radio



                    #39
                    Originally posted by PaulH View Post
                    Thank you all for the advice.

                    However, this is quickly becoming a specialist discussion!

                    In fact, what should I do?

                    I connect my Raspberry to my switch and that's it?
                    Yes, that is one of the morals of the (30+ year old) tectonic plate barrier joke: don't overdo security as it only harms yourself. Trust that the connections on the internet router are purposely marked internet and internal network respectively and that this implies that it provides the security you need to prevent people on the outside accessing your machine(s) on the inside. Also, worrying too much only makes you sick.



                      #40
                      Originally posted by d6jg View Post
                      To say that an “untouched ISP router already provides more than sufficient security” is, I’d suggest, a little bit of a dangerous statement. I agree that they should but I’m sure you know that there are quite a few examples of ISP issued routers that have been found to have security flaws in them and have remained unpatched by the ISP for years - largely because they have no means of applying firmware updates and replacement (at a cost to them) is the only solution.
                      That is a clear case of YOMV. In fact I replaced my ISP provided router with my own precisely for the reason that it contained a backdoor to allow the ISP such updates and the first time they used it to update something in the router it destroyed my work VPN and I was disconnected from the office for quite some time before thinking of checking that ISP router - because that couldn't be it, right? I was seriously pissed off to find literally hundreds of silly internet game firewall profiles having been reinstated and my VPN profile removed.



                        #41
                        Originally posted by gordonb3 View Post
                        That is a clear case of YOMV. In fact I replaced my ISP provided router with my own precisely for the reason that it contained a backdoor to allow the ISP such updates and the first time they used it to update something in the router it destroyed my work VPN and I was disconnected from the office for quite some time before thinking of checking that ISP router - because that couldn't be it, right? I was seriously pissed off to find literally hundreds of silly internet game firewall profiles having been reinstated and my VPN profile removed.
                        YOMV? Google didn’t help. I understand the VPN issue. I use a VPN but I’m the only one of my family and friends that even know what a VPN is.
                        Home: Pi4B-8GB/pCP8.2.x/4TB>LMS 8.3.x>Transporter, Touch, Boom, Radio (all ethernet)
                        Cottage: rPi4B-4GB/pCP8.2.x/4TB>LMS 8.3.x>Touch>Benchmark DAC I, Boom, Radio w/Battery (Radio WIFI)
                        Office: Win11(64)>foobar2000
                        The Wild: rPi3B+/pCP7.x/4TB>LMS 8.1.x>hifiberry Dac+Pro (LMS & Squeezelite)
                        Controllers: iPhone14Pro & iPadAir5 (iPeng), CONTROLLER, Material Skin, or SqueezePlay 7.8 on Win10(64)
                        Files: Ripping: dBpoweramp > FLAC; Post-rip: mp3tag, PerfectTunes, TuneFusion; Streaming: Spotify



                          #42
                          Originally posted by garym View Post
                          YOMV? Google didn’t help.
                          YMMV? Your Mileage May Vary?
                          Server - LMS 8.4.0 RPi4B 4GB/NanoSound ONE case/pCP 8.1.0 - 75K library, playlists & LMS cache on Sata SSD (ntfs)

                          Lounge - DAC32 - AudioEngine B2
                          Office - RPi 3B+/HiFiBerry DAC HAT/RPi screen - Edifier D12
                          Bedroom - Echo Show 8

                          Spares - 1xSB Touch, 1xSB3, 4xRPi, AVI DM5 speakers



                            #43
                            Originally posted by kidstypike View Post
                            YMMV? Your Mileage May Vary?
                            Aha. That makes sense.
                            Home: Pi4B-8GB/pCP8.2.x/4TB>LMS 8.3.x>Transporter, Touch, Boom, Radio (all ethernet)
                            Cottage: rPi4B-4GB/pCP8.2.x/4TB>LMS 8.3.x>Touch>Benchmark DAC I, Boom, Radio w/Battery (Radio WIFI)
                            Office: Win11(64)>foobar2000
                            The Wild: rPi3B+/pCP7.x/4TB>LMS 8.1.x>hifiberry Dac+Pro (LMS & Squeezelite)
                            Controllers: iPhone14Pro & iPadAir5 (iPeng), CONTROLLER, Material Skin, or SqueezePlay 7.8 on Win10(64)
                            Files: Ripping: dBpoweramp > FLAC; Post-rip: mp3tag, PerfectTunes, TuneFusion; Streaming: Spotify



                              #44
                              Originally posted by kidstypike View Post
                              YMMV? Your Mileage May Vary?
                              But it would be an unlikely typo, M is a fair distance from O [emoji2]

                              Sent from my Pixel 3a using Tapatalk
                              Living Room: Touch or Squeezelite (Pi3B) > Topping E30 > Audiolab 8000A > Monitor Audio S5 + BK200-XLS DF
                              Bedroom: Radio
                              Bathroom: Radio



                                #45
                                Originally posted by slartibartfast View Post
                                But it would be an unlikely typo, M is a fair distance from O [emoji2]

                                Sent from my Pixel 3a using Tapatalk
                                It's next to "Y" in Your?
                                Server - LMS 8.4.0 RPi4B 4GB/NanoSound ONE case/pCP 8.1.0 - 75K library, playlists & LMS cache on Sata SSD (ntfs)

                                Lounge - DAC32 - AudioEngine B2
                                Office - RPi 3B+/HiFiBerry DAC HAT/RPi screen - Edifier D12
                                Bedroom - Echo Show 8

                                Spares - 1xSB Touch, 1xSB3, 4xRPi, AVI DM5 speakers
