What CPE Modems Allow WAN IP Addresses and Subnets BUT block all others

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › What CPE Modems Allow WAN IP Addresses and Subnets BUT block all others

tradertim

70 posts

Master Geek

#230648 6-Mar-2018 16:53

Hi guys.

Has anyone found a brand of CPE Modem for vDSL/Fibre etc that has the feature to ALLOW specific IP addresses at the WAN, and IP subnets and by default block all others?

Ideally I'd be able to enable some addreses/ subnets and all others would be blocked e.g. Romania Russia and so forth.

Cant find this on Asus which look to have best UI and capabilities, open to any others.

cheers

chevrolux

4962 posts

Uber Geek
Inactive user

#1970030 6-Mar-2018 17:09

The majority (if not all) of the consumer grade routers (Asus, TP-Link, Netcomm etc) operate with a default "DROP ALL" rule. And then generally have a a GUI for making specific "ACCEPT" rules. They pretty much all can do this when creating port forwards too.

But what are you actually trying to achieve? Remote access to the router? Or remote access through to an internal server via a port forward?

If you want more granular control you need to look to the more business-y/pro level routers like Mikrotik or Ubiquiti Edgerouter. These will ship with no default config and assumes the user knows what they are doing so the learning curve can be steep depending on your current understanding of networks and firewalls.

Personally Mikrotik wins all around for me - for me winbox must be one of the most functional GUI's around. I use Mikrotik for business clients as I know I can configure literally anything that gets asked or is required for the site/sites. Ubiquiti is maybe a little more towards the "pro-sumer" side with an OK GUI, but also things like wizards that guide through initial config etc - to do anything decent though you have to get on the command line which is just inconvenient.

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1970035 6-Mar-2018 17:37

I think the feature you are looking for is to permit some IP addresses, but the "some" is hard to determine.

BGP and dynamic routing protocols could help, as could full featured routers / IDS like the Sophos UTM Firewall. Haven't played with it before but it looked promising: https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx

tradertim

70 posts

Master Geek

#1970063 6-Mar-2018 17:43

hi thanks for your help.

Ideally i'd still stay consumer although I really want the capability.

I have a coupl of ports port forwarded to lan devices and I want to restrict the WAN IP source address.

That way I can significantly reduce the risk opening just select addresses and subnets.

At least then i'll remove romania, russia , china from the addresses.

Just to make it one more step harder than an open port.

I might move to a VPN server on the CPe as notice the next step up on cpe from the default IsP supports it.

Just a bit of a pain having.to vpn in from phone, AND then run TinyCamPro to view the remote survaillence.

The IP address filtering on the cameras were hopeless as it only supported an exact host address not a subnet.

So thats what im trying.to acheive.

Any further ideas? Where do i source the cpe you mentioned although still hoping for a consumer cpe solution?

Any further ideas?

tradertim

70 posts

Master Geek

#1970066 6-Mar-2018 17:48

Thanks for your thoughts really appreciate your time.

Spent quite a few years in telco and networking & so getting something working even slightly complex is fine for me.

But the older I get I just want this stuff to work, not waste time I could be drinking my cocktail haha, nice GUIs are okay too!

chevrolux

4962 posts

Uber Geek
Inactive user

#1970120 6-Mar-2018 19:24

Maybe look at loading a third-party firmware on to a router like one of the many OpenWRT variants (DD-WRT, Tomato, Gargoyle etc). Generally just gives better GUI access to the firewall and will allow you to do things like specify subnets.

The only thing that will hold you up there is doing that on modem/router combos as generally there is no support for the modem portion in the third party firmwares.

Personally, I think VPN is actually simpler long term - not to mention a butt load safer. Maintaining an address list of all the NZ IP ranges is annoying unless you can automate it.

If you are keen for a play, grab yourself a little baby Mikrotik, use that as a VPN server (unless you already have hardware that can handle it), and then there is just one port forward to be done on the router to the VPN server.

Oh and standard disclaimer re port forwarding to CCTV devices these days.

Edit: Also as you mention, generally the basic stuff only supports using single hosts rather than subnets in your rules.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1970344 7-Mar-2018 08:24

I won't add anything to the thread except to say that a port forward to a camera is one of the dumbest thing you can ever do on the Internet. A blacklist/whitelist of IP ranges does nothing for security unless you're locking this to a single IP that you fully control.

tradertim

70 posts

Master Geek

#1970556 7-Mar-2018 12:49

http://www.draytekusa.com/restricting-open-ports-access-specific-source-ip-addresses

starting to believe maybe Draytek support this?

need to try confirm if its in their pro-sumer devices.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

tradertim

70 posts

Master Geek

#1970559 7-Mar-2018 12:54

And that would indeed be why I am trying to do something about it and the cause for the thread in the first place.

Its been fine for 5 years, and only a recent problem because of a discovered backdoor issue.

Security is a balence of risk and convenience.

My view is the risk is likely mitigated stricting the access IP to subnets I use on my services.

Additional notifications for illegal login attempts etc, and lock out timers further.

I might still implement VPN bar for obvious inconvenience, two step access.

tradertim

70 posts

Master Geek

#1973391 12-Mar-2018 16:24

Hey guys. An update to share for others following/ learnings and some questions.

Anyone know an "OpenVPN" capable windows 10 software?

What's a good android based port scanner which does UDP as well - OpenVPN uses UDP 1194. I want to validate ports are indeed closed and I'm all secure. I had FING but it seems to be only for TCP?

-I ended up purchasing a ASUS DSL AC68U -

-really quite impressive CPE for reasonable cost. DOESNT do WAN IP Address filtering but does do VPN Server.

-works on SPARK vDSL no probs ~65Mb download.

-Good beam forming on 802.11ac and seems better WiFi coverage for sure

-So I've tested it with VPN Server, configured for OpenVPN, generated the auth certificate generated from the Router and installed on my android on OpenVPN VPN app, will do same for windows 10 laptop.

Works well, been testing it this week. Enable DDNS and the generated OpenVPN Cert takes that configuration into account (DDNS Domain instead of WAN IP) , and the Client CERT just knows to resolve the DDNS Domain- like magic.

Bit of a two step process to access the internal LAN Camera network, start VPN which can be made one click, and then click on camera TinyCam etc - but not so inconvenient that I probably wont do it.

Seems not too many pro-sumer CPE do WAN Filter IP address amazingly - I see it in SPARKS Huawei 659B (business) but I didn't test it to see if it worked, locking down WAN IP Address subnets might be okay for some balance risk vs convenience. SPARKs Mobile and Broadband subnets are easy to collect.

fe31nz

1233 posts

Uber Geek

#1973525 12-Mar-2018 20:21

tradertim:

Anyone know an "OpenVPN" capable windows 10 software?

On my Win 10 laptop I use OpenVPN's own free version, plus its GUI program:

https://openvpn.net/index.php/open-source/downloads.html

These days the GUI program is supposed to be bundled with the client software, but it is a long time since I last updated mine, and back then it was a separate program.