Kitz Forum

Computer Software => Security => Topic started by: Ronski on February 14, 2019, 10:53:52 AM

Title: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 14, 2019, 10:53:52 AM
I tried to RDP in to my work computer from home the other night and had issues; yesterday, whilst using the PC, things seemed a little slow at times.

Today I looked in Event Viewer (Windows 10) and found someone has been trying to log in via RDP. The records only go back to around 02:30am (I presume there is a maximum number of events stored), but there are around 31,000 failed attempts. So for now I have closed the port in the router. This is clearly an automated bot attack: every IP address seems to be different, and from all over the world going by the ones I've looked at.

I found this (https://www.ryadel.com/en/rdp-stop-block-prevent-massive-login-attempts-remote-desktop-windows-server-2012-2016/) which seems the perfect solution, but we use AVG and trying to configure the same rule in that doesn't work for whatever reason.

So I thought I'd do it from the router (Zyxel VMG8924-B10A). At first it looked like I could enter my home IP address directly into the port forward rule, but that seems not to be the case, as it says "WAN IP is optional. If user wants to present Multi-to-Multi NAT, user can assign the desired device WAN IP." so it seems it isn't for what I thought it was.

So I think I need to set it up under Firewall\Access Control (as per attached blank picture - see post 3); presumably I just need to enter my home IP address, destination address as my internal IP here at work, fill in the source port and destination port etc. Also, I'm not sure if this replaces the port forwarding rule?

Any thoughts, as I do need to be able to RDP in?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 14, 2019, 11:37:37 AM
Hi ronski

Sorry, I cannot see a picture unless it's connected to Tapatalk, which is not showing it. Sorry.

I would imagine you're correct (says me blindly), but another thought:

If the router allows VPN user dial-in accounts, why not set up a VPN user and then RDP?

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 14, 2019, 12:00:52 PM
Sorry John, due to brain overload I forgot to attach the picture  :-[  I've attached it to this post.

I need to keep it simple as there is another user that uses RDP on a different port. Fortunately they hadn't been trying to gain access to that PC, probably because it's a higher port number and thus they discovered mine first.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 14, 2019, 06:44:27 PM
I've done this but with a DrayTek. I was restricting traffic on port 25 to just certain IPs and went around in circles. I got an article sent and I suspect you can make the Zyxel do similar.

You still need the port forward; this is a block / allow rule. It all refers to port 25, but just change the port number to 3389 and, say, call the rule RDP. As John mentions, VPN would be better as 3389 is an unencrypted port.

I hope you can adapt it for your router.

An alternative is to use an odd port number, 3391 say; the port number needs a registry change on the receiving server.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 14, 2019, 07:05:42 PM
Hi

@g3uiss - we always use DrayTek, and VPN is the easiest method and more secure. You can keep the RDP port fully closed and encrypted.

@ronski - I normally create 2 rules, in and out, the same rule but with source/destination swapped.

Also, if RDP is not shown as a service, I usually create the service port first. Some have bugs which, let's say, get confused over custom port direct input, but I have never seen that on DrayTek.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 14, 2019, 07:18:22 PM
@d2d4j

That's effectively what the note I attached says, 2 rules.

In @ronski's case, block in and allow out to a single IP (or range if appropriate).

I won't use open RDP, only via VPN, but understand the reasons that it may be easier. With the block-in rule there isn't going to be an open port except from the IP allowed.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: burakkucat on February 14, 2019, 07:57:55 PM
Tony -- Your wan_firewall_rule.doc file has a size of 0 kBytes.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 14, 2019, 08:05:29 PM
How odd. Try from this link https://www.dropbox.com/s/umx8e33k02ric8h/WAN_Firewal_Rule_new.docx?dl=0

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: burakkucat on February 14, 2019, 08:11:43 PM
Yes, thank you, that provides the file.  :)
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 14, 2019, 08:34:42 PM
I might have to go the VPN route as the other user doesn't have a static home IP address, which means I may have to constantly update their address.

The Zyxel VMG8924-B10A does have VPN support but not sure if it's suitable - I'll start another topic.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 15, 2019, 04:34:00 PM
I've tried setting up a rule to just allow my IP address and drop any others, but as soon as I open the port the hacking attempts start again - see attached for what I've set up.

Interestingly they are trying foreign names now as the user account.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 15, 2019, 05:27:57 PM
Hi ronski

Sorry, the picture is too small on mobile, but I would reverse the rules to block all, then the allow ronski rule.

Did you restart after applying the rules?

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 15, 2019, 05:43:16 PM
Hi John, no I didn't restart as other users and phones were in use.

Why reverse the order of the rules, and with the drop rule first would it not just drop everything (if it actually worked that is)??
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 15, 2019, 06:06:25 PM
Hi ronski

Many thanks

Sorry, as I said, I do not know your router, but on many occasions the block-all needs to be first and then the allow rule, as most will continue to match unless it matches and then stops matching.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 15, 2019, 07:33:19 PM
On DrayTek there is an option to select what happens next. So drop first until match (2nd rule).

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: ejs on February 15, 2019, 07:41:57 PM
People do realise that the traffic you want to allow would match both the drop rule, and the allow rule. Therefore the usual order would be to have the allow rules first, and the drop everything (else) catch all last. If the drop all rule was first, the traffic you wanted to allow would be dropped by the drop all rule and not reach the subsequent allow rule. Most routers tend to be based on Linux with its iptables, and that's how it is usually done.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 15, 2019, 08:11:08 PM
Hi ejs

I have seen this before, so unless the router firewall defaults to block all and you just create an open rule, the firewall is open and allows the port forward to be open in the firewall.

Some are and some are not

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 17, 2019, 10:06:29 AM
You can also reconfigure the RDP port to something else. I know it's security via obscurity, but more than likely it's only bots and it's enough to stop bots.

Your initial approach is the best tho, whitelisting only authorised IPs.

Looking at my Zyxel, the UI is horrific, but I think this is what you need to do.

Go to Security.
Then Firewall
Then Access Control
Add new ACL rule
Filter name - pick a name
Keep source device set to specific IP address
Add your IP in the box below it as source IP
Protocol TCP
Destination port 3389
Policy accept
Direction WAN to LAN

Do some testing from another IP to see if it's blocked; if it isn't, do another rule to deny to the port.

The problem you probably have (since I feel the Zyxel isn't suitable for commercial use, it's a very basic router, and I feel the UI is one of the worst I have seen on a router) is that I expect the NAT rule forwarding the traffic has likely already added an allow rule with source IP set to *. So your custom rule probably won't override it, I expect.

You may well have to do the lockout on the Windows firewall, which I know you were trying to avoid.

Or get a better device. Since you've done pfSense at home, is it possible to set one up for your work as well? On pfSense you can adjust the auto-created rules as you see fit and of course set other rules to override them on the firewall, no problem.
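As an added example (not the Zyxel's firmware, nor anything posted in the thread), the model below replays the rule orderings argued over in this thread for TCP/3389: ejs's allow-then-drop with first-match semantics, the drop-then-allow ordering suggested earlier, the same ordering when the drop rule is told to keep matching (the DrayTek "what happens next" option Tony mentions), and Chrysalis's suspected auto-inserted "allow from *" NAT rule sitting ahead of the custom ACL. HOME_IP and OTHER_IP are constructed placeholders from documentation address ranges.

```python
"""First-match firewall chain model (added example; not the router's own code).

Assumption: each rule either ends evaluation on a match (iptables style) or,
when `last=False`, records its action and lets later rules override it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # source network; the default matches any source
    dport: Optional[int] = None  # destination TCP port; None matches any port
    last: bool = True            # True: a match ends evaluation (iptables style)
                                 # False: remember the action, keep evaluating


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both its destination port and source network match."""
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return port_ok and ip_address(pkt.src) in ip_network(rule.src, strict=False)


def evaluate(rules: Iterable[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """Walk the chain top to bottom; return (action, name of the deciding rule)."""
    verdict = (default, "default-policy")
    for rule in rules:
        if not matches(rule, pkt):
            continue
        verdict = (rule.action, rule.name)
        if rule.last:            # terminal match: nothing below is consulted
            break
    return verdict


def decisions(rules: List[Rule], sources: Iterable[str], dport: int = 3389) -> Dict[str, str]:
    """Action taken for a TCP/dport connection from each source address."""
    return {src: evaluate(rules, Packet(src, dport))[0] for src in sources}


RDP = 3389
HOME_IP = "203.0.113.10"   # constructed: the one address that should reach RDP
OTHER_IP = "198.51.100.7"  # constructed: any other scanner on the internet

ALLOW_HOME = Rule("allow-home-rdp", "accept", src=HOME_IP + "/32", dport=RDP)
DROP_RDP = Rule("drop-all-rdp", "drop", dport=RDP)

# Ordering ejs recommends: the specific allow first, the catch-all drop last.
ALLOW_THEN_DROP = [ALLOW_HOME, DROP_RDP]
# The reversed ordering under plain first-match semantics: home is dropped too.
DROP_THEN_ALLOW = [DROP_RDP, ALLOW_HOME]
# Reversed ordering where the drop rule continues to the next rule after matching.
DROP_CONTINUE_THEN_ALLOW = [Rule("drop-all-rdp", "drop", dport=RDP, last=False), ALLOW_HOME]
# Suspected Zyxel behaviour: the port forward inserts "allow from *" ahead of the ACL.
NAT_AUTO_ALLOW_FIRST = [Rule("nat-auto-allow", "accept", dport=RDP), ALLOW_HOME, DROP_RDP]


if __name__ == "__main__":
    probes = [HOME_IP, OTHER_IP]
    for label, chain in [("allow-then-drop", ALLOW_THEN_DROP),
                         ("drop-then-allow", DROP_THEN_ALLOW),
                         ("drop(continue)-then-allow", DROP_CONTINUE_THEN_ALLOW),
                         ("nat-auto-allow-first", NAT_AUTO_ALLOW_FIRST)]:
        print(f"{label:28s} {decisions(chain, probes)}")
```

The last chain is the one to check for on a router whose port forward auto-creates an allow rule: the custom ACL never decides anything, which matches the symptom of attempts resuming the moment the port is opened.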
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 17, 2019, 10:13:39 AM
Hi

Sorry, I had a little read of the manual for that router.

I believe the router firewall should default to block all unless rules are applied. However, when port forward is used, it opens all on that port.

So if that's true, you should:

Open port
Disable port forward rule
Enable/create firewall rules to RDP

This should then stop the attacks, I think.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 17, 2019, 10:15:45 AM
The problem is he would then have no routing for the NAT.

The Zyxel doesn't allow you to edit firewall rules specific to NAT, so the only way he can remove that allow * rule is to disable the NAT forwarding on the port. The device simply looks like it is too limited.

--edit--

The iptables binary works in the terminal, so it's probably fixable via CLI, but expect to lose the configuration on every reboot, and possibly also whenever you make a change in the UI for NAT/firewall.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 17, 2019, 10:25:15 AM
Hi chrysalis

Many thanks

You may be correct as I do not know the router.

I think it is the port forward which reads as though it just opens in the firewall to all.

I don't suppose in port forward there are any options to include source IP, is there?

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 17, 2019, 10:33:54 AM
I apologise, I am not sure if I am correct on the limitation. I can see where the rules section is, but of course since I am in bridge mode I have no NAT configured, so maybe ronski can confirm if NAT rules are visible in the UI; if yes then he may be able to edit them.

They should be visible in the section I mentioned.

Not keen on adding a NAT rule to test as it may break my configuration.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 17, 2019, 03:34:39 PM
Yes, there are NAT rules visible. I have one set up from before which opens port 3390 and forwards to port 3389 on my work PC. I was wondering whether I should delete this rule. I'm at home at the moment so I'll take another look tomorrow.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 17, 2019, 04:04:05 PM
I mean the firewall allow rules associated with NAT.

The rules that allow traffic are separate to rules that forward traffic.  I am talking about the former.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 18, 2019, 04:28:16 PM
@Chrysalis

As far as I'm aware, as with most basic routers, creating a port forward automatically opens the port in the firewall. On the Zyxel there is nowhere, as far as I can tell via the GUI, to view firewall rules, apart from any set up in Access Control. I've tried setting up an ACL rule in Access Control, but it doesn't seem to work.

I found this https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=014045&lang=EN which refers to a different router, but implies the above.

I'm going to remove what I've added, along with the port forward, and add a new ACL rule using just port 3389 and see how that goes; if that fails I'll email Zyxel support.

Edit.

Just found this, which implies there are bugs in Zyxel's firmware, hence it does not work: https://superuser.com/questions/1167598/zyxel-vmg1312-acl-for-nat-port-forwarding
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 18, 2019, 07:20:15 PM
Yeah, in that case the only fix is iptables rules hacking in the CLI.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: j0hn on February 18, 2019, 08:23:20 PM
If you can get the correct command to set this on the CLI, it would lose the setting every reboot.

I'm sure Johnson would be happy enough to throw together a quick firmware that sends the command automatically on boot.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 18, 2019, 08:59:09 PM
I'm going (or rather the company is going) to purchase a DrayTek router. I need to keep things simple, both for my own ease of administration and others'. I just need to work out which one will serve our needs; it needs to support dial-in VPN (https://www.draytek.com/support/knowledge-base/5390) and support a proper firewall so I could implement what I have been trying to do should I need to.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 18, 2019, 09:24:53 PM
Hi ronski

If you want to test dial-in VPN, I can set you up a test account for dial-in on one of our DrayTeks.

The 2830 or 2860 are relatively cheap on eBay and will do the job.

You could then leave RDP closed and just use dial-in VPN. This would then put you on the same network as work, meaning you could access everything on the network from where you are, just as you would at work, unless access has been restricted.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 19, 2019, 04:53:49 PM
Hi John, that won't be necessary but thanks for the offer.

Looking at the current crop of Draytek routers, it looks like we have two choices:

Draytek Vigor 2762ac (https://www.draytek.co.uk/products/soho/vigor-2762-series-adsl-vdsl-router#overview) at £121+VAT
DrayTek Vigor 2862ac (https://www.draytek.co.uk/products/business/vigor-2862#overview) at £213+VAT

Are there any major benefits to going with the 2862 over the 2762?

Presume with either I can use the Zyxel or HG612 as a modem in bridge mode for stats collection?

I could, if I wanted, save a little cash by going with the n version as we don't really need 5GHz; it only ends up being phones and tablets on wireless, but it's only a small saving so probably best to stick with the AC versions.

On a side note I see that the 2862 supports Wireless Management (https://www.draytek.co.uk/information/our-technology/wireless), would that mean that a guest network would also be able to be run from a compatible Vigor AP? Currently we can only have the guest wireless network at one end of the building.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 19, 2019, 06:20:33 PM
Hi ronski

To be honest, 27 series are old and not supported.

I would opt for a 2860n second-user unit, and flash the latest firmware. They're about 100, give or take 10 or so.

I think from memory another Kitz user has a 2862, and posted over issues with rebooting or freezing, but we have never had issues with the 2860 or 29 series.

It depends which series you go for, so you may have to set to WAN2 and, if WAN1 (DSL) is not used, we usually disable it. You would also have USB 3/4G if you have the correct stick.

Wi-Fi: there are no guest accounts, but you do have 4 SSIDs you could create, and isolate from LAN, VPN, VLAN etc., so you could have 3 guest Wi-Fi or however you decide.

Also, if you do not have IPv6, go to Hurricane and get a /64 block. Very easy to set up in DrayTek, but it just works on 1 LAN, not on all LANs, but you choose which LAN.

There's more I'm sure, and g3uiss would hopefully post his thoughts.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 19, 2019, 06:36:34 PM
I've used a 2820 and currently use a 2925.

I've never had any issues with either. The 2925 has no modem and I have 2 HG612s plugged in. It allows me to load balance over 2 circuits by LAN IP.

The VPN functionality is excellent. I use L2TP and there is no device I can't connect with, including Apple devices.

I've done a bit with Cisco routers over time; they cost the earth, and can't do half what the DrayTeks can.

The only comment I would make is documentation isn't that good, but you have John and I to provide any configuration assistance, I'm sure.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 19, 2019, 07:31:25 PM
Hi g3uiss

Snap, we have a lot of 2925s running load balance/failover on VDSL and los. For VDSL we prefer the HG612.

Do you have IPv6 set up on your 2925? If not and you would like to, we use Hurricane IPv6 on a /64 block. It's also free.

We do not route IPv6 but install/use it so clients do not have any issues with IPv6 sites.

@ronski, if you opt for a 2925, on port open/redirect/trigger you could define the exact source IP to use from the IP object list (or group, I think).

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 19, 2019, 08:10:29 PM
Just an FYI, the 2925 is now superseded by the 2926; I can't see any significant difference.

@d2d4j no, not enabled any IPv6 yet. We have the 2 VDSL + 3G for final redundancy.

I've put them in many clients, never an issue!

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Weaver on February 20, 2019, 07:14:10 AM
About the kit mentioned earlier - 802.11n definitely does not imply no 5GHz. You do not have to have 802.11ac to get 5GHz, that is. I am proof of this.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: atkinsong on February 20, 2019, 08:28:18 AM
Hi ronski

To be honest, 27 series are old and not supported

Just for info, the 2760 and 2762 are both fully supported by Draytek. The 2762 was released around the same time as the 2862. The 27xx series are targeted at the SOHO market whilst the 28xx series is targeted at the Enterprise market.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 20, 2019, 09:29:09 AM
Hi

@atkinsong many thanks, and sorry, I thought they were old and unsupported.

We use 28/29 series and only came across an old 27 series about 10 years ago, unless I'm thinking of the 26 series.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 09:44:52 AM
@Weaver Looking at current DrayTek devices, they only have 5GHz if they have AC.
@atkinsong Being a current device I would think they are.

I'm leaning towards the 2926ac; it's probably overkill for what we will use, but better to have too much than to find another limitation down the road.

Also found this demo page http://eu.draytek.com:12926/

Also need to find our HG612, I think someone has tidied it away; hopefully we still have it.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 09:56:46 AM
One thing: if our users connect via VPN, will all that PC's internet traffic flow via the VPN, or is it easily possible to lock it down so that only RDP goes via the VPN and other traffic flows as normal?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 20, 2019, 10:08:11 AM
Hi ronski

I believe unless you create rules to divert WAN traffic to use the VPN (LAN or dial-in), then all traffic uses the WAN.

The dial-in VPN users would only have traffic flow when they use the VPN and when logged into their work PC; normal WAN traffic for browser/email etc. would still use the WAN connection, but traffic flow for the VPN user would be RDP.

I hope that makes sense, but sorry if I am wrong.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 10:41:39 AM
I think from memory another kitz user has a 2862, and posted over issues with rebooting or freezing but we have never had issues with 2860 or 29 series

There was indeed https://forum.kitz.co.uk/index.php?topic=21828.0
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 20, 2019, 11:18:57 AM
Hi ronski

Sorry, you got me thinking, so I did a quick test as it's been a while since VPN setup etc.

The PC used to connect to the VPN would use the VPN for traffic flow.

The PC you RDP into should use its normal WAN for traffic flow.

I was testing using a Win7 PC, so it may have changed in Win10.

To be honest, at work you would not use VPN but at home you would. Even if you used VPN at work, it would be fast enough for you not to notice.

I hope that helps a little, and sorry if I'm wrong.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 20, 2019, 12:17:52 PM
Ronski do you mind if I ask why you decided specifically to not mirror your home setup of pfsense?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 12:40:13 PM
@John, thanks, that's what I thought, so if there is anything dodgy on the home user's PC it could potentially have access to the work PC when they VPN in.

@Chrysalis I'm not paid to maintain our network equipment or anything computer related; it's just taken for granted as I'm the tech-savvy one, and I feel not really appreciated, so it's something I'm trying to do less of. I don't have enough time to do what I am paid for, so spending time setting up what is to me something quite complicated takes away valuable time from my real job. I also would not want to install equipment that others are not familiar with; DrayTek is our VoIP & ISP provider's go-to brand, so they are familiar with it, and also I feel more help is readily available on this forum for DrayTek.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 20, 2019, 01:20:25 PM
Hi Ronski

Actually, if you use the DrayTek VPN client (https://www.draytek.com/products/smart-vpn-client/), it makes things really easy and the connecting PC used for dial-in does not use the VPN for internet (shows as no internet access), which tracert confirms.

In terms of transfer of unwanted things from your PC to work by VPN tunnel, I think it is no more an issue than when you connect to RDP and have drive access enabled, or an infected PC on your work network, so common sense needs to prevail and good practices for security.

Sorry, was also going to say you could use your current modem in bridge if wanted; we just use the HG612 because we like them, and it is easy to gain stats from.

I hope that helps a little.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 02:40:17 PM
Hi John, had seen the client so will use that - thanks for testing.

Only wanted to use the HG612 so that I can just switch the units over quickly. That would leave the Zyxel configured (although could just create a config backup) in case of any issues and a quick swap back.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 20, 2019, 03:03:02 PM
Ok thanks for explaining appreciated.  Hopefully you have better luck with the draytek.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 03:10:34 PM
Well I've ordered a 2926AC, just need to wait for it to arrive.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 20, 2019, 05:36:00 PM
@ronski You will need to ensure the work subnet is different to home, as the VPN will issue a work IP to the remote PC; if on the same subnet, clashes are very problematic.

The DrayTek setup allows you to allocate IPs to be given to the remote users. I would issue 2 away from the normal range.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 20, 2019, 07:27:22 PM
We use a different subnet at work to the usual residential ones. If I set the DrayTek to issue IPs away from the normal range, wouldn't that stop remote desktop from being accessible?

PS. I've found a spare HG612 at home, so if I can't find the one at work I'll simply use that.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 20, 2019, 07:36:12 PM
Hi ronski

@g3uiss is correct, but as your work is on a different range to home users I would just let the DrayTek DHCP assign.

You could of course tell the DrayTek to assign from any of the 4 LANs (if you set them different, but the DrayTek default is say 192.168.1.1 LAN 1, 192.168.2.1 LAN 2 etc.), but to access LAN 1 if assigned from LAN 2 for VPN, you would need to tell the DrayTek to allow access between LANs.

So set LAN1 to match your current LAN at work, let VPN assign DHCP from LAN1, and to access RDP from VPN you would use the internal IP address of the computer you're connecting to, because you're connected internally to the work LAN.

There are, though, many ways to set up, but the above is basic and easy.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 20, 2019, 07:38:00 PM
@ronski sorry I wasn't very clear. Let's say the IP range in the work location is 192.168.2.x.

Then I would perhaps set the IPs to be 192.168.2.253/4.

You then log on to RDP using its normal machine address / IP.

The DrayTek just gives your home machine an address on the work LAN so you have direct access. No port forward etc.

When the VPN is running your home PC will have another "virtual" adapter whose IP is 192.168.2.253, just like it was plugged in at work.

I hope I’ve not been too simplistic and offended   :(
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 21, 2019, 09:06:30 AM
The DrayTek setup allows you to allocate IPs to be given to the remote users. I would issue 2 away from the normal range.

I interpreted this to mean if we use the range 192.168.2.x to instead allocate 2 addresses from a different range such as 192.168.3.x, thus being away from range 192.168.2.x. I would have allocated addresses which were in the same range but not in the DHCP pool or in use elsewhere. We allocate static IPs on devices, and just restrict the DHCP range to, say, 192.168.2.2 to 192.168.2.100.

@ronski sorry I wasn't very clear. Let's say the IP range in the work location is 192.168.2.x.

Then I would perhaps set the IPs to be 192.168.2.253/4.

Up until just now I was thinking the above was CIDR notation, which I've never really got my head around, although I have just found a really useful CIDR calculator (https://www.ipaddressguide.com/cidr), but have now realised you literally mean 192.168.2.253 and 192.168.2.254  :-[

I hope I've not been too simplistic and offended   :(

Not at all, thanks for the help.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 21, 2019, 09:44:45 AM
Sounds fine, and glad you're happy with the potential setup.

Hope to hear how it goes.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 22, 2019, 06:06:50 PM
I will of course keep you updated.

The new router arrived yesterday, the day after ordering, which was good as I opted for the 7 days free carriage rather than next day.

Started setting it up today, doing the simple things and reading DrayTek's online 'Getting Started (https://www.draytek.com/support/getting-started/)' guide. Have updated the firmware to the latest version. I'm pleased with the feel of the device, and the amount of options is rather overwhelming, but taken one step at a time it's a lot easier.

One minor snag I hit when setting up port forwarding for our CCTV, which uses port 80, is that the router complains that this port is used in the management interface. But when checking there I don't have it enabled, and have no intention of enabling access to the router management interface from the WAN, so should the router really be complaining about me setting up a port forward for port 80?

I realise I can change the management interface to say port 8080, which is fine for me, but someone else may not realise should I not be around.

PS. Also got my eye on an AP900 access point, with the aim of having the guest wireless network available at our end of the building as well.

@Weaver - the AP900 doesn't have AC wireless but does support both 2.4GHz & 5GHz, so some of DrayTek's older kit is dual band without AC.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 22, 2019, 06:44:11 PM
Hi ronski

Excellent news.

We normally stop port 80 and use port 443 (which we change to a different port as some servers behind need 443), so say 8443.

You may be best advised to have at least your home network allocated to external router login, as it does help when diagnosing issues, e.g. if you need to confirm if your work PC is responding to the internal network if you could not RDP/VPN etc.

Also, DrayTeks have used a, b, g, n and some ac. The way to tell is from the model code, e.g. 2860n or 2860ac etc.; also v for VoIP.

Look forward to how you find DrayTeks, and last point, we use 2 cables for monitoring to the HG612 for easy setup.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on February 22, 2019, 07:18:26 PM
Do you really want to be using port 80 for your CCTV or management interface tho, ronski? A common port.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on February 22, 2019, 08:32:06 PM
Glad you found it comprehensive. There are so many options, many of no use in normal configurations, but there isn't much you can't do with it. Like John, we change the management port to avoid conflict and to a less common port for security.

Tony
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on February 22, 2019, 09:02:39 PM
Quote
Do you really want to be using port 80 for your CCTV or management interface though, Ronski? It's a common port.

Probably not, and something I have been wondering about. There are three ports open for CCTV, I'll email the guy that installed it and see what he says when back at work on Monday. I may just shut the ports down one by one and see what happens, I'm pretty sure we all access it via an app anyway and that app does not even know our ip address. If I try and log in via our ip address I can't even enter my login details as it says I need to install some add on I've never been able to install. It's possible the port redirects were left from an older system.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on February 22, 2019, 09:56:24 PM
Hi ronski

CCTV normally require 3 ports open

You should be able to lock the cctv to user logins only

The software the browser wants to load is normally uploaded directly from your cctv server

So closing the ports may break app viewer and be careful as it’s cctv, there are I believe insurance implications if not working and fitted.

One point I was going to mention, you can set dns domains to internal/external so say for your cctv, you could duplicate the external dns for cctv (lets call it cctv.mydomain.com) to 192.168.1.234 (lets say this is your cctv internal IP address), and when anyone connected to work network uses the app, then it is an internal connection but when off the work network, the dns would then resolve to its external IP address (lets say 222.333.444.555)

It speeds things up

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 02, 2019, 01:29:29 PM
Well it's all switched over this morning, can now RDP in from my home IP only, also access the router via HTTPS also only from my home IP.

Phones and CCTV all working, still need to find out if I can close port 80 for the CCTV as the guy that deals with that has not answered my email, may even put the CCTV on a separate VLAN, but I need the admin password for that which I did have but have forgotten/can't find.

Still need to setup the VPN, also HTTPS certificates, possibly some other things.

I have the guest network set up on its own VLAN with isolate member, and isolate VPN ticked, which states:

Quote
The isolate VPN configuration will isolate the wireless traffic from VPN connections and thus, wireless clients will not be able to access the VPN network under this setting.

Does that mean that if you are on the guest network I've setup you can't access the routers VPN's?
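Added example, not from anyone in the thread: the "RDP from my home IP only" rule above is a source-address allow-list in front of a forwarded port. Windows records each failed logon as Security event 4625, and an RDP attempt is Logon Type 10 (RemoteInteractive). The Python below parses a handful of constructed, flattened 4625 events (made up for this example, not real log data), counts the RDP failures per source address, skips the "-" Windows writes when no source address was recorded, and shows which of those sources the allow-list rule would have let through. The home address 192.0.2.44 is a placeholder.

```python
"""Count failed RDP logons per source and check them against a source-IP allowlist.

Added example, not from the original thread. Windows logs a failed logon as
Security event 4625; Logon Type 10 (RemoteInteractive) is the RDP case. The
event text below is a constructed, condensed rendering of those fields, and
the allowlist value is a placeholder.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a few 4625 events flattened to one line each.
SAMPLE_EVENTS = """\
4625 2019-02-14T02:31:07 Account=administrator LogonType=10 SourceNetworkAddress=203.0.113.17
4625 2019-02-14T02:31:08 Account=admin LogonType=10 SourceNetworkAddress=203.0.113.17
4625 2019-02-14T02:31:09 Account=user LogonType=10 SourceNetworkAddress=198.51.100.204
4625 2019-02-14T02:31:10 Account=ronski LogonType=10 SourceNetworkAddress=192.0.2.44
4625 2019-02-14T02:31:12 Account=svc LogonType=3 SourceNetworkAddress=198.51.100.9
4625 2019-02-14T02:31:13 Account=administrator LogonType=10 SourceNetworkAddress=-
"""

EVENT_RE = re.compile(
    r"^4625 (?P<ts>\S+) Account=(?P<acct>\S+) LogonType=(?P<ltype>\d+) "
    r"SourceNetworkAddress=(?P<src>\S+)$"
)


def parse_rdp_failures(text):
    """Return (timestamp, account, source_ip) for each failed RDP logon.

    Other logon types (e.g. type 3, network) and events without a usable
    source address (Windows writes '-' when none was recorded) are skipped.
    """
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["ltype"] != "10":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        out.append((m["ts"], m["acct"], src))
    return out


def failures_by_source(text):
    """Failed RDP logons per source address, most active first via most_common()."""
    return Counter(str(src) for _, _, src in parse_rdp_failures(text))


def allowed_sources(allowlist):
    """Build a predicate for 'is this source inside one of the permitted CIDR ranges'."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]

    def is_allowed(ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in n for n in nets)

    return is_allowed


def triage(text, allowlist):
    """Map each attacking source to whether the allow-list rule would let it reach RDP."""
    is_allowed = allowed_sources(allowlist)
    return {src: is_allowed(src) for src in failures_by_source(text)}


if __name__ == "__main__":
    HOME = ["192.0.2.44/32"]  # placeholder: the home address the router rule permits
    for src, n in failures_by_source(SAMPLE_EVENTS).most_common():
        verdict = "ALLOWED" if allowed_sources(HOME)(src) else "blocked"
        print(f"{src:>16} {n:>3} failed RDP logons -> {verdict} by source rule")
```

Every source except the one allow-listed address ends up blocked, which is the point of the rule: the scanner's attempts never reach the RDP service to be counted at all. The same predicate takes several ranges, so a second fixed address for another user is just another entry in the list.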
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 02, 2019, 01:40:02 PM
Hi ronski

Excellent news

Sorry I may be a little (or a lot dim), but even if on guest Wi-Fi you could reach the router vpn (you could set the vpn to only act from wan I think), you would only end up back where you started from.

However, I would need to test but I believe guest would not be able to reach router vpn

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 02, 2019, 02:09:36 PM
Hi John, it's not that I want to access the VPN from the guest wi-fi, it's more a case of I'm just curious to know what it means - see the circled bits in the attached picture. I've ticked it as it sounds more secure.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on March 02, 2019, 11:42:47 PM
Quote
Well it's all switched over this morning, can now RDP in from my home IP only, also access the router via HTTPS also only from my home IP

Great. Is this with rules avoiding the need for the VPN? So you have effectively sorted the problem, although I recall the other user doesn't have a fixed IP. Is dyndns an option?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 03, 2019, 08:08:46 AM
I still need to set up the VPN for the other user. I've setup rules for my own IP which is sticky static on VM, it's never changed since I signed up last April.

I'm pleased with the router and it's fairly easy to setup, in fact my brother's probably going to buy a pair of them. I'm also impressed with Draytek's knowledge base, plenty of helpful articles which are easy to find.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 03, 2019, 08:19:18 AM
Hi ronski

Sorry was a little busy yesterday

The simplest way to look at isolate VPN is like isolate users. It stops access to any vpn connections already in use/newly created, so say from a vpn lan to lan or dial in vpn user.

Your thought of guest creating a dial in vpn made me think, as if guest could create a dial in vpn, then they would no longer be guest.

However, for that to happen they would need to know the dial in credentials/settings, so would not be able to create a vpn dial in account

I am sorry if that kinda doesn’t make sense and maybe tony could explain better

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on March 03, 2019, 01:37:44 PM
glad you got it working ronski, indeed that interface looks a big step up from zyxel
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 03, 2019, 04:45:19 PM
It's a huge step up, you can even create block/allow rules for whole countries like in PfSense and I find the online help and guides easier to understand.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: g3uiss on March 03, 2019, 07:07:12 PM
A Draytec convert  ;D
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 12, 2019, 04:46:57 PM
Just trying to setup a self signed certificate so I don't get warnings when using HTTPS to login to the router remotely and also for the VPN.

On the attached page it states to enable SSLv3.0, but on doing so I get a security warning that it may not be secure, and general googling seems to recommend not enabling it. Is it really required???

Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 12, 2019, 05:09:47 PM
Hi ronski

To be honest, I rarely create self signed as they will still give warnings

It probably just needs SSLv3 enabled so it can create the self signed cert and you can disable SSLv3 afterwards.

You do not need a valid/self signed cert to use encryption and of course, you know exactly where your connecting to, so ssl certs not really required

Others though may disagree and prefer to have a ssl cert

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 12, 2019, 05:47:57 PM
Thanks John, if it won't cause issues with the VPN then I'll probably just create an exception on the PC at home then.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 12, 2019, 06:05:48 PM
Hi ronski

Many thanks

It has never caused any issues to all our setups and we access using external IP address (so we know where we are going)

Vpn do not give issues and are fully TLS Encrypted

Login to router is restricted to a few of our cidr ranges only

The only warning happens when you access https://router-ip, which is a correct warning but we know the ipv4 address and you cannot have a SSL cert on IP address anymore

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on March 13, 2019, 12:29:40 AM
You can do self signed certs on IPs, but self signed will still by default generate a warning because it's not trusted by the browser.

I don't know if you can import certificates on the device you have; if you can then I suggest this, Ronski.

On your local pfsense, goto the certificate manager and create a CA cert.
Then, still in pfsense, make a certificate for the device; for the common name just put something like PFSENSE in, it doesn't matter, then at the bottom you can add an IP address for the certificate and use your work IP. Make sure it's sha256 (default) and I suggest 3072 bits for the RSA strength.
Export the cert you just made, the key for it and the CA cert.

Import all 3 to the zyxel device (if it lets you).

Add your CA cert to the trusted certs for your browser (chrome uses the windows CA store like IE, firefox has its own). The advantage of this is whenever you make a new cert using the same CA then you will no longer get prompts as the CA is now trusted in your local browser, and pfsense also will store the certificates for you as well in case you need to install them again.

If you cannot import, or simply cannot be bothered, then just do as he said, add the cert and add exception for it in browser, keep sslv3 disabled for operational use as its now obsolete.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 13, 2019, 09:40:18 AM
Hi chrysalis

Ronski is using draytek

Drayteks can do all you suggest, including self gen cert or create a CSR etc...

The draytek will already have a self signed draytek cert as default installed

My point is it is a known device and known IP connecting to.

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 13, 2019, 08:42:15 PM
Thanks Chrysalis & John, I opted for the add an exception route.

I followed this guide https://www.draytek.com/support/knowledge-base/5330 to setup the VPN and now have that working, is there anything I need to add that's not in the guide?

I only enabled "SSL VPN Service", none of the others, and have used the DrayTek Smart VPN client (https://www.draytek.com/products/smart-vpn-client/).
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 14, 2019, 08:35:46 AM
I have an AP-900 which I'm setting up at the other end of the building to the router, but I can't see or find out how to simply copy the router's Wi-fi settings to it. Considering the auto provisioning and management options you'd think this option would be there.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 14, 2019, 08:47:53 AM
Hi ronski

I have not used one of those but I would have thought you do not copy any settings.

Once you join the AP to router, I would have thought it uses the router Wi-Fi settings

I will have to have a look later though, as I am not available until late today

Many thanks and sorry if I’m wrong, perhaps tony knows

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 14, 2019, 09:16:18 AM
Hi Ronski

Sorry just did it quickly, and it was as I thought - see picture.  So once you have joined the AP900 to router, on AP900, you select to be central managed and all should work, as derived from router wifi settings

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 14, 2019, 09:48:15 AM
Thanks for your time John, but that just takes the profile that's stored on the router under "Central Management >> AP >> WLAN Profile" which you have to manually enter. There seems no way to take the wireless settings that are in use on the router and use them as the auto provision profiles.

I'll manually set up the profiles, perhaps this is just an oversight by Draytek, I may even email them.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: atkinsong on March 14, 2019, 11:00:18 AM
I would imagine a lot of businesses use the non-wifi Draytek versions, in which case having a centralised source of wifi settings for APs perhaps makes more sense.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 14, 2019, 01:16:08 PM
That's what I was thinking too.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 15, 2019, 11:47:41 AM
On the Draytek router I have two wireless networks on both 2.4GHz & 5GHz, they are the office network and the guest network, both of these work as expected.

The guest network is separated and on a VLAN, all network ports on the router are members of this VLAN, as are the guest SSID's.

I have the same wireless networks set up on the AP-900, and the appropriate VLAN ID for the guest network.

On the AP-900 the office network functions as expected, however the guest network is not getting issued with IP addresses and DNS does not work. If I configure a laptop with a suitable static IP then I can reach sites via IP address, so do have internet access.

Any thoughts on the issue, could the VLAN ID be getting lost somewhere, thus causing the above?

We have a Procurve 1800-24G which I believe should pass the VLAN ID tags as it's currently setup (default settings). It's possible there is a dumb switch somewhere, but I don't think there is - the cabling is a mess and not easy to follow.

Edited to add:

This is what the Procurve manual says for VLAN's, it says all ports have a VID of 1, so does that mean it won't pass a VID of say 5? But it then says "All ports can send and receive both VLAN-tagged and untagged packets (that is, they are hybrid ports)", so I'm a bit confused.

Quote
VLAN Setup

This page allows you to create up to 64 VLANs based on the 802.1Q standard.
You can also delete or modify VLANs.

Introduction to VLANs

VLANs are logical partitions of the physical LAN. You can use VLANs to
increase network performance, improve internal network security, or create
separate broadcast domains.

If the network has adequate performance and security for your current needs,
it is recommended that you leave the VLAN settings in the default
configuration. The default configuration is as follows:

• All ports are members of VLAN 1
• The switch management interface is on VLAN 1 (this cannot be
changed)
• All ports have a Port VLAN ID (PVID) of 1
• All ports can send and receive both VLAN-tagged and untagged
packets (that is, they are hybrid ports)

In the default configuration, any port is able to send traffic to any other port,
and a PC connected to any port will be able to access the management
interface. Broadcast traffic, for example, will be flooded to all ports on the
switch.

The four VLAN parameters you can configure for each port on the switch
include VLAN Aware Enabled, Ingress Filtering Enabled, Packet Type, and
PVID. Note that the ports within a trunk cannot be configured individually;
configure the trunk instead (trunks are labelled T1 to T12 for the 24 port
switch, and T1 to T4 for the 8 port switch).
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 15, 2019, 07:56:38 PM
Hi ronski

Sorry been a hard day today

If I understand correctly, your main lan is vlan 1 and guests use vlan 2 (Wi-Fi vlan 2 that is)

Main lan works as expected

Guest network works as expected on main router but not on ap900

Procurve is still set to default vlan 1 on all ports

So to correct, you would need to make sure ap900 is set to vlan2

Main router, make sure dns is set to use same as vlan 1 for all vlans (or set dns for vlan2 separately)

Locate the lan number used on procurve for AP900 and log into procurve, set the port number to be vlan aware and set to vlan 2

You do not need to tag any vlan, so keep it simple as you just need 2 lans

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 15, 2019, 09:27:59 PM
Hi ronski

Sorry if you do not trace hardware to trace lan, take a note of what ports are lit up on procurve, then unplug network cable from ap900, then check which light is not lit

Plug network cable back in ap900 and check the unlit light is now lit

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 15, 2019, 10:39:42 PM
Hi John, thank you for your reply, you understand correctly, not sure that I do though and not sure if it will work.

Setup is like this

Draytek wireless Router
Procurve Switch
Cable to other end of building to my office. This cable is not direct and may have other equipment on route.
AP900
5 Port dumb switch for computers, voip and printer in my office.

VID 0 (untagged if I understand correctly) is for the internal network, VID 5 is used for the guest WiFi.

So as I understand I need the one port on the procurve to pass both VID 0 (untagged internal lan + WiFi ) and VID 5 (guest WiFi)

Are you saying I don't need to use tagging, but how can a vlan be separate if not tagged??

Hope that makes sense, rather tired.

Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Weaver on March 16, 2019, 12:59:06 AM
It gets rather confusing but switches sometimes just split all the ports into a number of subsets where the ports in each subset can talk to one another but not to other ports in other subsets, and might refer to the subsets as VLANs perhaps?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 16, 2019, 08:04:34 AM
In its default state the switch treats all ports the same.

But I am a bit confused as John says to use Vlan 1 and Vlan 2, but then says I do not need to tag any vlan, if it's not tagged surely it's not a vlan.

I think on the AP900 the only way to differentiate between different lans is to tag them, unless you set it up to use Lan B and then I presume that traffic will only be sent to the Lan B port.

https://www.draytek.com/en/faq/faq-wlan/wlan.vigorap/how-to-use-multi-ssid-vigorap-to-separate-the-network/

Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 16, 2019, 08:24:04 AM
It gets a bit more confusing because the Procurve documentation seems to imply everything that is untagged will be tagged VID 1, any other tagged packets will be dropped.

Quote
802.1Q VLAN Setup
This page allows you to create up to 64 VLANs. You can also delete the VLANs or make changes to the VLAN membership and behavior of individual ports. VLANs are powerful but can be difficult to set up properly. If you are unfamiliar with VLANs please see the Introduction to VLANs. To create a VLAN, enter a VLAN ID into the VLAN ID field. After clicking the ADD button, you will be directed to the 802.1Q VLAN Group page to add port members to the VLAN. Each row of the table corresponds to one VLAN.

There are four main buttons associated with this page:
HELP - Displays this window.
ADD - Creates a VLAN with the specified VLAN ID.
MODIFY - Choose a VLAN to modify.
DELETE - Delete a VLAN from the VLAN table.
Introduction to VLANs
VLANs (or Virtual LANs) are logical partitions of the physical LAN. You can use VLANs to:

Increase network performance
Increase internal network security
Create separate broadcast domains
If the network has adequate performance and security for your current needs, it is recommended that you leave the VLAN settings in the default configuration. The default configuration is as follows:

All ports are members of VLAN 1
The switch management interface is on VLAN 1
All ports have a Port VLAN ID (PVID) of 1
All ports can send and receive both VLAN-tagged and untagged packets (i.e. they are "hybrid" ports)
In the default configuration, any port is able to send traffic to any other port and a PC connected to any port will be able to reach the management interface. Broadcast traffic, for example, will be flooded to all ports on the switch.

There are three different parameters that can be configured for each port on the switch; VLAN IDs (VLAN membership), PVID and Packet Type. Note that the ports within a Trunk cannot be configured individually; configure the Trunk instead (Trunks are labeled T1 to T12).

VLAN IDs
The Management VLAN is a special VLAN; it cannot be deleted and, if there is a possibility that a port could become isolated, the Web User-interface will add the port to the management VLAN.
You can add up to 64 VLANs to the configuration of the switch. Each VLAN must be given a VLAN ID in the range 1-4094.
A port can be a member of up to 64 VLANs.
All packets travelling through the switch are associated with one and only one VLAN.
If a port is not a member of a VLAN, it cannot send or receive packets associated with that VLAN.
A tagged packet carries its VLAN ID in the payload of the packet.
An untagged packet, received on a port with Packet Type set to All, is associated with the VLAN identified by the PVID.

PVID
The PVID (Port VLAN ID) is the VLAN ID that is associated with untagged, ingress packets.
It is not possible to remove a port from VLAN 1 unless its PVID has been changed to something other than 1.
Outgoing packets are tagged unless the packet's VLAN ID is the same as the PVID. When the PVID is set to "None," all outgoing packets are tagged.

Packet Type
PCs should be connected to ports with Packet Type set to All. PCs cannot, in general, send or receive tagged packets.
Switches should be connected to each other with Packet Type set to Tagged and PVID set to "None."
If the Packet Type is set to All, the port can accept incoming tagged and untagged packets. Untagged packets will be associated with the VLAN identified by the PVID. Tagged packets will be dropped unless the port is a member of the VLAN identified by the VLAN tag in the packet.
If the Packet Type is set to Tagged, the port will drop untagged packets and will only receive tagged packets. Tagged packets will be dropped unless the port is a member of the VLAN identified by the VLAN tag in the packet.

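Added example, not from the thread or from HP: the ProCurve help text quoted above gives four rules (untagged ingress takes the PVID, tagged ingress is dropped unless the port is a member of that VLAN, a frame is only forwarded to member ports, egress is tagged unless the VLAN equals the PVID). The Python below models just those rules, with no MAC learning, and replays the situation described in the thread: the router sends untagged office traffic plus guest traffic tagged VID 5 into a switch left at defaults, and then into the same switch after VLAN 5 is created with the uplink and AP ports as members. The port numbers (router on port 1, AP-900 on port 3) are an assumption for the example.

```python
"""Model of the 802.1Q port behaviour described in the ProCurve 1800 help text
(VLAN membership, PVID, Packet Type, egress tagging).

Added example, not from the thread or from HP. It replays the guest-VLAN
problem (untagged office LAN plus tagged VID 5) through a switch at defaults
and then through the same switch with VLAN 5 added. Port numbers are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    members: set = field(default_factory=lambda: {1})  # VLAN IDs the port belongs to
    pvid: Optional[int] = 1          # VLAN given to untagged ingress; None = "None"
    packet_type: str = "All"         # "All" (hybrid) or "Tagged" (switch-to-switch)


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]   # None = untagged on the wire
    payload: str


class Switch:
    def __init__(self, n_ports):
        self.ports = {p: Port() for p in range(1, n_ports + 1)}  # factory defaults

    def create_vlan(self, vid, member_ports):
        for p in member_ports:
            self.ports[p].members.add(vid)

    def classify_ingress(self, port_no, frame):
        """Ingress rules: return the VLAN the frame belongs to, or None if dropped."""
        port = self.ports[port_no]
        if frame.vid is None:                       # untagged frame
            if port.packet_type == "Tagged" or port.pvid is None:
                return None                         # Tagged-only ports drop untagged
            return port.pvid                        # untagged frames take the PVID
        # tagged frame: dropped unless this port is a member of that VLAN
        return frame.vid if frame.vid in port.members else None

    def egress(self, port_no, vlan, frame):
        """Egress rule: strip the tag only when the VLAN equals the port's PVID."""
        port = self.ports[port_no]
        wire_vid = None if vlan == port.pvid else vlan   # PVID None => always tagged
        return Frame(wire_vid, frame.payload)

    def forward(self, in_port, frame):
        """Flood to every other member port of the frame's VLAN (no MAC learning).
        Returns {out_port: frame_as_sent_on_the_wire}; an empty dict means dropped."""
        vlan = self.classify_ingress(in_port, frame)
        if vlan is None:
            return {}
        return {
            p: self.egress(p, vlan, frame)
            for p, port in self.ports.items()
            if p != in_port and vlan in port.members
        }


UPLINK, AP_PORT = 1, 3   # assumed: router on port 1, AP-900 on port 3


def default_switch():
    """Four ports exactly as shipped: all in VLAN 1, PVID 1, Packet Type All."""
    return Switch(4)


def fixed_switch():
    """Same switch with VLAN 5 (guest) created on the router and AP ports only."""
    sw = Switch(4)
    sw.create_vlan(5, [UPLINK, AP_PORT])
    return sw


if __name__ == "__main__":
    office = Frame(None, "office DHCP discover")   # untagged, lands in VLAN 1
    guest = Frame(5, "guest DHCP discover")        # tagged VID 5 by the router
    for name, sw in (("default config", default_switch()), ("VLAN 5 added", fixed_switch())):
        print(f"--- {name}")
        for f in (office, guest):
            out = sw.forward(UPLINK, f)
            sent = {p: (fr.vid if fr.vid is not None else "untagged") for p, fr in out.items()}
            print(f"{f.payload!r:28} -> {sent or 'DROPPED at ingress'}")
```

With the defaults the guest frame never leaves the uplink port: it arrives tagged 5 and port 1 is only a member of VLAN 1, so the switch drops it at ingress, which is why the AP's guest SSID saw no DHCP. Once VLAN 5 exists with ports 1 and 3 as members the same frame reaches the AP port, still tagged 5 because that port's PVID is 1, while office traffic keeps going out untagged on every port. Plugging the AP straight into the router, as done later in the thread, simply takes the switch's membership check out of the path.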
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 16, 2019, 08:26:50 AM
Hi Ronski

Sorry, reading your posts I now have a better understanding of your network. Sorry long hard day yesterday and long hard day tomorrow - 700 mile round trip

In your case, yes you would need to tag vlan (both on router, and ap)

You need to set procurve to be vlan aware

Test

If fails, then bypass the hub in your office, so ap connects directly to procurve (subject to no other mid connection hardware)

Test

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 16, 2019, 08:31:09 AM
Hi ronski

You need to create 2 vlan groups, and make both ports members of both groups (or make all ports members of both vlan groups)

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 16, 2019, 09:17:36 AM
Hi Ronski

If it makes easier, please see 2 pics for vlan/tagging on a procurve.

You create your 2 vlan, and then tell procurve which port members belong to which vlan.

I hope that helps a little

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 16, 2019, 10:05:54 AM
John, I started writing this post prior to your last two posts, but got interrupted, please don't reply today you've got a very long day ahead of you. This really can wait, I'm not back into work until Monday, even then there is no urgency so long as I don't break anything.

Thanks John, 700 mile round trip, not nice and very tiring, hope it goes well  :fingers:

The hub in my office is plugged into the AP900, which in turn is plugged into the Procurve. It is possible there is something else in the middle, I know its a single continuous cable to the accounts office where it becomes a bit of a mess as the switch and a server was here when the network was first installed, then it was all moved to another office, and the cabling altered/joined to suit using the existing cables that fed that office. There is some network gear below the account's office which may be in my cable so to speak, I could very easily check but it would need to be out of hours.

Prior to your post I did have a look into the settings on the Procurve and can now see I can make ports members of multiple VLAN's, our interface is different to the one you posted and it was not obvious. I need to select the Vlan and then click modify, I can then assign that Vlan to whichever ports I want. So my plan on Monday is to create a Vlan with VID 5 and assign that to the port I'm (and the AP) connected to, so that port will be members of the existing default Vlan and the new one.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 18, 2019, 10:46:33 AM
I'll manually set up the profiles, perhaps this is just an oversight by Draytek, I may even email them.

After emailing Draytek support last Monday I finally get a reply today, they have clearly not read what I wrote and have just sent a link to https://www.draytek.co.uk/support/guides/ap-900-auto-provision which doesn't explain how to use the routers own wireless settings for auto provision.  :(
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 18, 2019, 12:51:48 PM
The guest wi-fi is now working down my end, I cheated and plugged the cable directly into the router bypassing the switch.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 19, 2019, 08:33:38 AM
Only odd thing now is I seemed to have lost access to the AP900 as it's not showing in the Draytek's management interface as it was before. I've altered no settings on the AP900 or the router, most odd  ??? ???
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 19, 2019, 08:57:53 AM
Hi ronski

That’s another way to connect directly. I should have asked if that was possible sorry

That sounds to me as though the AP is in repeater mode

Can you access the AP on its IP address or if not, if you rescan, does it show the AP

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 19, 2019, 09:51:57 AM
Hi Ronski

I think I know where your going wrong sorry, or I am not understanding sorry

I believe you have your AP as a repeater at the moment, due to no autoprovision, so it is just repeating your router wifi

If you need the AP as separate, but controlled by router, you need to create a provisioning profile (not the same as using the router wifi but could be if you match all details in new provisioning profile).

Once profile created, you push the profile to the AP and it is setup.  Now if you buy more AP900 and plug these in, they will then use provisioning profile if you told the AP to use autoprovisioning

You will need to first check the AP900 IP address by looking it up from router’s Diagnostic\ARP Cache Table and locate the MAC address of the AP900 from the list

If you cannot login to the AP900, you may want to factory default the AP900, and create the autoprovisioning profile before plugging the AP900 into the network, so it will use the newly created profile

This then should give you control from router under AP management

I hope that helps a little and sorry, I do not use AP900

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 19, 2019, 10:57:11 AM
Hi John,

Thanks for the reply, there is an online demo here http://eu.draytek.com:10900/

I can't access it on its last known IP address, refreshing does not show it, rebooting both the router and AP900 doesn't make it appear either.

It's almost as if it's on a different VLAN or subnet, but the management VLAN was not enabled, and it was set to obtain its address via DHCP.


The AP-900 was set to AP mode.
It was set to obtain an IP address via DHCP
It was also set to use AP management and auto profile - https://www.draytek.co.uk/support/guides/ap-900-auto-provision

I manually entered the auto profile settings in the router.

The router auto detected the AP-900 and set up the wi-fi.
I could see and access the AP from the management interface in the router.

It was all working last week except the issues with the guest network.

After swapping the network cable yesterday morning that supplies the AP-900 from the procurve to the router the AP-900 disappeared and the guest network started working, otherwise the wireless and network works as expected - so it is functioning, just not reachable for some reason.

The AP900 MAC does not show in the ARP Cache table.

One test would be to swap the network cable back to the procurve just to see if it re-appears.

It's weird, I'm going to figure it out another day as I have work to do.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 19, 2019, 10:52:06 PM
Quote
The AP900 MAC does not show in the ARP Cache table.

I was just fiddling and tried changing the IP address of the procurve as that was set to what the AP900 was prior to changing that to DHCP. Anyway I noticed that after I changed the IP address of the switch it no longer showed up in the ARP Cache. So a bit of googling found this

Quote
This goes back to the way switches (or bridges) work. They have to see a frame from an end device to know its MAC address and once they see it they add an entry in their CAM (or MAC) table. The entry basically tells the switch that a specific MAC is reachable via a particular port and this is meant to prevent subsequent flooding of unicast frames. In short an end device needs to send at least one frame for the switch to 'see' it. Another point to remember is that each entry in the CAM table has an age associated with it and if a switch does not see subsequent frames from that host it will age out the entry and start flooding all frames destined to this MAC address until it is learnt again (and learning is done only when the owner of the MAC starts to communicate again).

So I pinged the router from the switch and the switch's IP and MAC appeared in the ARP Cache. Doesn't help me find the AP900 though - may just have to resort to resetting it at some point.
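The check being done by hand in the posts above (populate the ARP cache, then look for a particular MAC in it) is easy to script. The following is an added example, not code from the thread or from Zyxel/HP/Colasoft: it parses ARP cache output in the Windows `arp -a` and Linux `arp -n`/`arp -a` formats, normalises the dash and colon MAC spellings so they compare equal, drops broadcast/multicast rows, and lets you search by full MAC or by vendor prefix (OUI). The sample ARP output embedded in it is constructed for the example; the `ping_sweep` and `live_arp_table` helpers assume the standard `ping` and `arp` commands are present on the machine you run it from.

```python
import platform
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample ARP cache output (not captured from the thread's network):
# Windows "arp -a" uses dash-separated MACs, Linux "arp -n" uses colons.
WINDOWS_ARP_SAMPLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a0-e4-cb-11-22-33     dynamic
  192.168.1.2           00-1b-3f-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_ARP_SAMPLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   a0:e4:cb:11:22:33   C                     eth0
192.168.1.30             ether   b8:ec:a3:77:88:99   C                     eth0
"""

MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'A0-E4-CB-..' and 'a0:e4:cb:..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map normalised MAC -> IPv4 from Windows 'arp -a' or Linux 'arp -n'/'arp -a' output.

    Broadcast and multicast rows (I/G bit set in the first octet) are dropped
    because they never identify a host.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        mac_match = MAC_RE.search(line)
        ip_match = IPV4_RE.search(line)
        if not mac_match or not ip_match:
            continue  # header, interface and blank lines carry no MAC
        mac = normalise_mac(mac_match.group(0))
        if int(mac[:2], 16) & 1:
            continue
        table[mac] = ip_match.group(0)
    return table


def find_mac(table: Dict[str, str], mac: str) -> Optional[str]:
    """IPv4 address cached for `mac`, or None if the device never sent us a frame."""
    return table.get(normalise_mac(mac))


def find_by_oui(table: Dict[str, str], oui: str) -> List[Tuple[str, str]]:
    """All (mac, ip) rows whose first three octets match the vendor prefix `oui`."""
    prefix = re.sub(r"[^0-9a-f]", "", oui.lower())[:6]
    return sorted((mac, ip) for mac, ip in table.items()
                  if mac.replace(":", "").startswith(prefix))


def ping_sweep(network_prefix: str, first: int = 1, last: int = 254) -> None:
    """Ping every host in a /24 once so the local ARP cache learns whoever answers.

    Same idea as pinging the router from the switch: a device only appears in
    ARP/CAM tables after it has been made to send a frame.
    """
    win = platform.system() == "Windows"
    for host in range(first, last + 1):
        ip = f"{network_prefix}.{host}"
        cmd = (["ping", "-n", "1", "-w", "200", ip] if win
               else ["ping", "-c", "1", "-W", "1", ip])
        subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def live_arp_table() -> Dict[str, str]:
    """Read the ARP cache of this machine ('arp -a' exists on Windows and on Linux with net-tools)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a real search run
    # ping_sweep("192.168.1") first and then search live_arp_table().
    table = parse_arp_table(WINDOWS_ARP_SAMPLE + LINUX_ARP_SAMPLE)
    print(find_mac(table, "A0-E4-CB-11-22-33"))   # 192.168.1.1
    print(find_mac(table, "00:11:22:33:44:55"))   # None: not in the cache
    print(find_by_oui(table, "b8:ec:a3"))
```

The OUI search is the useful part when you do not trust the exact MAC you wrote down: look up the vendor prefix printed on the AP's label and ask for every cached entry with that prefix. If the sweep plus search still turns up nothing, the device is not answering ARP on that segment at all, which is consistent with what the posts report.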
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 20, 2019, 03:41:04 PM
Hi ronski

Hmm, sounds like you may be better advised to clear the ARP cache on the router/switch/AP.

You could grab Colasoft MAC Scanner, I think it's called, and see if you could see the AP, but a quicker way would be to connect a PC to the AP directly and login.

Just to clarify though, are you saying your switch and AP were using the same IP address?

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 20, 2019, 04:47:07 PM
Thanks for your reply.

Quote
Hi ronski

Hmm, sounds like you may be better advised to clear the ARP cache on the router/switch/AP.

Whilst I've rebooted the router and the AP point I haven't rebooted the switch, I'll try that tonight.

Quote
You could grab colasoft max scanner I think it’s called and see if you could see the ap but a quicker way, would be to connect a pc to ap directly and login

My computer is directly connected to the AP via a 5 port unmanaged switch (so computer - unmanaged switch - AP - router). However if you think it would make a difference I could connect a laptop directly via a wired connection (after turning off the wifi).

Quote
Just to clarify though, are you saying your switch and ap were using same IP address

Many thanks

John

Not at the same time, no; the switch was originally on a completely different subnet. When I first set up the AP I set it to a static IP; to get auto provision to work I had to set it to obtain its address via DHCP. Only after this point did I gain access to the switch and change its IP address to the next unused one (outside the DHCP pool), which just happened to be the one I'd previously used for the AP, but was no longer in use due to the AP obtaining its IP by DHCP.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: d2d4j on March 20, 2019, 09:34:19 PM
Hi ronski

Many thanks

Sorry, rebooting will not flush the ARP cache normally. You have to flush it manually, and on the procurve, I think from memory, it is CLI only.

Just a thought, but have you tried accessing all the DHCP IPs in a browser to see if it is any of them? Some you would recognise as not being the AP, but some you may not recognise, and it may be one of them.

Just a thought

Many thanks

John
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Chrysalis on March 21, 2019, 05:57:27 AM
ronski, is the AP900 on its own subnet?
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 21, 2019, 06:13:50 AM
No, it was set to obtain its IP address via DHCP, which it had been doing. Up until I swapped its network cable from the procurve switch and connected it directly to the router, it was accessible via the AP management interface built into the router. After swapping the cable it just disappeared.

PS Hadn't realised that rebooting wouldn't clear the ARP cache. None of the IPs listed in the ARP cache show the MAC address of the AP.
Title: Re: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add
Post by: Ronski on March 21, 2019, 08:46:01 AM
I tried Colasoft MAC Scanner, and no sign of the AP900's MAC, not on any of the IP ranges I've used here.

I also just tried an experiment: I set up a totally separate hardwired network using the Zyxel router connected to the AP900 and a laptop (wireless turned off), and whilst the laptop obtained an IP address and showed in the Zyxel interface, the AP900 never did.

It's certainly done a very good disappearing act. I will have to reset the AP900 at some point; in theory it should just auto provision from the Draytek :fingers: