Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

63 posts

Master Geek

#230648 6-Mar-2018 16:53
Send private message

Hi guys. 


Has anyone found a brand of CPE Modem for vDSL/Fibre etc that has the feature to ALLOW specific IP addresses at the WAN, and IP subnets and by default block all others?


Ideally I'd be able to enable some addreses/ subnets and all others would be blocked e.g. Romania Russia and so forth. 


Cant find this on Asus which look to have best UI and capabilities, open to any others. 











Create new topic
4542 posts

Uber Geek


  #1970030 6-Mar-2018 17:09
Send private message

The majority (if not all) of the consumer grade routers (Asus, TP-Link, Netcomm etc) operate with a default "DROP ALL" rule. And then generally have a a GUI for making specific "ACCEPT" rules. They pretty much all can do this when creating port forwards too.


But what are you actually trying to achieve? Remote access to the router? Or remote access through to an internal server via a port forward?


If you want more granular control you need to look to the more business-y/pro level routers like Mikrotik or Ubiquiti Edgerouter. These will ship with no default config and assumes the user knows what they are doing so the learning curve can be steep depending on your current understanding of networks and firewalls.


Personally Mikrotik wins all around for me - for me winbox must be one of the most functional GUI's around. I use Mikrotik for business clients as I know I can configure literally anything that gets asked or is required for the site/sites. Ubiquiti is maybe a little more towards the "pro-sumer" side with an OK GUI, but also things like wizards that guide through initial config etc - to do anything decent though you have to get on the command line which is just inconvenient. 

3121 posts

Uber Geek

Lifetime subscriber

  #1970035 6-Mar-2018 17:37
Send private message

I think the feature you are looking for is to permit some IP addresses, but the "some" is hard to determine.


BGP and dynamic routing protocols could help, as could full featured routers / IDS like the Sophos UTM Firewall. Haven't played with it before but it looked promising:





63 posts

Master Geek

  #1970063 6-Mar-2018 17:43
Send private message

hi thanks for your help.

Ideally i'd still stay consumer although I really want the capability.

I have a coupl of ports port forwarded to lan devices and I want to restrict the WAN IP source address.

That way I can significantly reduce the risk opening just select addresses and subnets.

At least then i'll remove romania, russia , china from the addresses.

Just to make it one more step harder than an open port.

I might move to a VPN server on the CPe as notice the next step up on cpe from the default IsP supports it.

Just a bit of a pain vpn in from phone, AND then run TinyCamPro to view the remote survaillence.

The IP address filtering on the cameras were hopeless as it only supported an exact host address not a subnet.

So thats what im acheive.

Any further ideas? Where do i source the cpe you mentioned although still hoping for a consumer cpe solution?

Any further ideas?

63 posts

Master Geek

  #1970066 6-Mar-2018 17:48
Send private message

Thanks for your thoughts really appreciate your time.

Spent quite a few years in telco and networking & so getting something working even slightly complex is fine for me.

But the older I get I just want this stuff to work, not waste time I could be drinking my cocktail haha, nice GUIs are okay too!

4542 posts

Uber Geek


  #1970120 6-Mar-2018 19:24
Send private message

Maybe look at loading a third-party firmware on to a router like one of the many OpenWRT variants (DD-WRT, Tomato, Gargoyle etc). Generally just gives better GUI access to the firewall and will allow you to do things like specify subnets.


The only thing that will hold you up there is doing that on modem/router combos as generally there is no support for the modem portion in the third party firmwares.


Personally, I think VPN is actually simpler long term - not to mention a butt load safer. Maintaining an address list of all the NZ IP ranges is annoying unless you can automate it.


If you are keen for a play, grab yourself a little baby Mikrotik, use that as a VPN server (unless you already have hardware that can handle it), and then there is just one port forward to be done on the router to the VPN server.


Oh and standard disclaimer re port forwarding to CCTV devices these days.


Edit: Also as you mention, generally the basic stuff only supports using single hosts rather than subnets in your rules.

29021 posts

Uber Geek

Biddle Corp
Lifetime subscriber

  #1970344 7-Mar-2018 08:24
Send private message

I won't add anything to the thread except to say that a port forward to a camera is one of the dumbest thing you can ever do on the Internet. A blacklist/whitelist of IP ranges does nothing for security unless you're locking this to a single IP that you fully control.







63 posts

Master Geek

  #1970556 7-Mar-2018 12:49
Send private message

starting to believe maybe Draytek support this?

need to try confirm if its in their pro-sumer devices.


63 posts

Master Geek

  #1970559 7-Mar-2018 12:54
Send private message

And that would indeed be why I am trying to do something about it and the cause for the thread in the first place.

Its been fine for 5 years, and only a recent problem because of a discovered backdoor issue.

Security is a balence of risk and convenience.

My view is the risk is likely mitigated stricting the access IP to subnets I use on my services.

Additional notifications for illegal login attempts etc, and lock out timers further.

I might still implement VPN bar for obvious inconvenience, two step access.

63 posts

Master Geek

  #1973391 12-Mar-2018 16:24
Send private message

Hey guys.  An update to share for  others following/ learnings and some questions. 


Anyone know an "OpenVPN" capable windows 10 software?


What's a good android based port scanner which does UDP as well - OpenVPN uses UDP 1194. I want to validate ports are indeed closed and I'm all secure. I had FING but it seems to be only for TCP?




-I ended up purchasing a ASUS DSL AC68U -


-really quite impressive CPE for reasonable cost. DOESNT do WAN IP Address filtering but does do VPN Server. 


-works on SPARK vDSL no probs ~65Mb download. 


-Good beam forming on 802.11ac and seems better WiFi coverage for sure 


-So I've tested it with VPN Server, configured for OpenVPN, generated the auth certificate generated from the Router and installed on my android on OpenVPN VPN app, will do same for windows 10 laptop.  




Works well, been testing it this week.  Enable DDNS and the generated OpenVPN Cert takes that configuration into account (DDNS Domain instead of WAN IP) , and the Client CERT just knows to resolve the DDNS Domain- like magic.


Bit of a two step process to access the internal LAN Camera network, start VPN which can be made one click, and then click on camera TinyCam etc  - but not so inconvenient that I probably wont do it. 




Seems not too many pro-sumer CPE do WAN Filter IP address amazingly - I see it in SPARKS Huawei 659B (business) but I didn't test it to see if it worked, locking down WAN IP Address subnets might be okay for some balance risk vs convenience.  SPARKs Mobile and Broadband subnets are easy to collect. 























559 posts

Ultimate Geek

  #1973525 12-Mar-2018 20:21
Send private message



Anyone know an "OpenVPN" capable windows 10 software?



On my Win 10 laptop I use OpenVPN's own free version, plus its GUI program:


These days the GUI program is supposed to be bundled with the client software, but it is a long time since I last updated mine, and back then it was a separate program.

Create new topic

Twitter and LinkedIn »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

Menulog change colours as parent company merges with Dutch food delivery service
Posted 2-Jul-2020 07:53

Techweek2020 goes digital to make it easier for Kiwis to connect and learn
Posted 2-Jul-2020 07:48

Catalyst Cloud launches new Solutions Hub to support their kiwi Partners and Customers
Posted 2-Jul-2020 07:44

Microsoft to help New Zealand job seekers acquire new digital skills needed for the COVID-19 economy
Posted 2-Jul-2020 07:41

Hewlett Packard Enterprise introduces new HPE GreenLake cloud services
Posted 24-Jun-2020 08:07

New cloud data protection services from Hewlett Packard Enterprise
Posted 24-Jun-2020 07:58

Hewlett Packard Enterprise unveils HPE Ezmeral, new software portfolio and brand
Posted 24-Jun-2020 07:10

Apple reveals new developer technologies to foster the next generation of apps
Posted 23-Jun-2020 15:30

Poly introduces solutions for Microsoft Teams Rooms
Posted 23-Jun-2020 15:14

Lenovo launches new ThinkPad P Series mobile workstations
Posted 23-Jun-2020 09:17

Lenovo brings Linux certification to ThinkPad and ThinkStation Workstation portfolio
Posted 23-Jun-2020 08:56

Apple introduces new features for iPhone iOS14 and iPadOS 14
Posted 23-Jun-2020 08:28

Apple announces Mac transition to Apple silicon
Posted 23-Jun-2020 08:18

OPPO A72 a top mid-tier smartphone
Posted 19-Jun-2020 18:02

D-Link A/NZ launches new smart AX1500 Wi-Fi 6 Router
Posted 19-Jun-2020 15:03

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.