Kitz ADSL Broadband Information
Author Topic: Zxyel VMG8324-B10A - Access control  (Read 4972 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Zxyel VMG8324-B10A - Access control
« on: August 05, 2015, 08:21:18 PM »

Well, it seems I'm not doing very well here again.

I have a TBB ping monitor set up; now I only want to allow pings from this to reach my router and thus be responded to.

So I set up two rules, the first to allow ICMP from the TBB IP 80.249.99.164/28.

The next rule then blocks all ICMP requests; trouble is, I can still ping my IP address from work, so it's clearly not working as expected.

Any suggestions please?

 
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Zxyel VMG8324-B10A - Access control
« Reply #1 on: August 05, 2015, 08:33:22 PM »

When you leave an address field blank, presumably meaning “don't care” or “n/a”, then do you have to choose "specific ip" for the previous field value? What are the choices for that enumerated field?

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Re: Zxyel VMG8324-B10A - Access control
« Reply #2 on: August 05, 2015, 08:40:36 PM »

The manual states that a blank source address is equivalent to "any", and this is what's shown when I view the list of rules, as attached.

The drop-downs for "Specific IP Address" contain the IP addresses of devices on my internal LAN, and 0.0.0.0 (not sure what is meant by the 0.0.0.0 address though).


Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

PhilipD

  • Reg Member
  • ***
  • Posts: 591
Re: Zxyel VMG8324-B10A - Access control
« Reply #3 on: August 05, 2015, 09:27:23 PM »

Hi

I'm afraid it's another thing that is broken.

Under Maintenance and Remote Management the setting to allow pings from the WAN happens before the firewall rules, so no ICMP firewall rules are acted on.

The only option you have I think is to take the tick out of allow pings from the WAN under remote management, then Telnet into the box and then copy this rule in:

iptables -I INPUT 1 -s 80.249.99.0/24 -p icmp --icmp-type echo-request -j ACCEPT

...and hit enter. This is the Thinkbroadband IP address range and will just allow their pings in.

The only downside is if the router is rebooted the rule is lost and needs adding back again.

Regards

Phil


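The behaviour PhilipD describes above is an evaluation-order problem: a "allow pings from WAN" switch that is honoured before the firewall chain runs makes any ICMP rule in that chain unreachable, and the workaround of inserting a rule with `-I INPUT 1` only works because it lands in front of whatever the router already has. The following is an added illustration, not code from the thread or from ZyXEL: a small first-match packet-filter model in Python. The TBB range is the one quoted in the first post; the "work" address (203.0.113.7) and the assumption that the router's own chain ends in a DROP for echo-request are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses: the TBB monitor range from the first post,
# and a documentation-range address standing in for "my IP at work".
TBB_RANGE = "80.249.99.164/28"
TBB_HOST = "80.249.99.164"
WORK_HOST = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: str = ""   # e.g. "echo-request"; empty for non-ICMP


@dataclass
class Rule:
    action: str              # "ACCEPT" or "DROP"
    proto: str = "any"
    src: str = "any"         # CIDR, or "any" (the router's blank source field)
    icmp_type: str = "any"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any":
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.icmp_type != "any" and self.icmp_type != pkt.icmp_type:
            return False
        return True


class Chain:
    """First-match rule list with a default policy, like an iptables chain."""

    def __init__(self, rules=(), policy="ACCEPT"):
        self.rules = list(rules)
        self.policy = policy

    def insert(self, pos: int, rule: Rule) -> None:
        """Equivalent of `iptables -I INPUT <pos>` (1-based position)."""
        self.rules.insert(pos - 1, rule)

    def append(self, rule: Rule) -> None:
        """Equivalent of `iptables -A INPUT`: goes to the end of the chain."""
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.policy


def router_verdict(pkt: Packet, chain: Chain, wan_ping_allowed: bool) -> str:
    """Assumed ordering from the thread: the remote-management 'allow pings
    from WAN' tick is honoured before the firewall chain is consulted."""
    if wan_ping_allowed and pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
        return "ACCEPT"
    return chain.verdict(pkt)


def ronski_rules() -> Chain:
    """The two access-control rules from the first post, in that order."""
    return Chain([
        Rule("ACCEPT", proto="icmp", src=TBB_RANGE),
        Rule("DROP", proto="icmp"),
    ])


def phil_workaround(use_insert: bool) -> Chain:
    """WAN ping unticked, then the trusted-range accept is added. The router's
    existing chain is assumed (constructed) to hold a DROP for echo-request;
    `-I INPUT 1` puts the accept in front of it, `-A` would land behind it."""
    chain = Chain([Rule("DROP", proto="icmp", icmp_type="echo-request")])
    allow_tbb = Rule("ACCEPT", proto="icmp", src=TBB_RANGE, icmp_type="echo-request")
    if use_insert:
        chain.insert(1, allow_tbb)
    else:
        chain.append(allow_tbb)
    return chain


def verdicts(chain: Chain, wan_ping_allowed: bool) -> dict:
    """Verdict for an echo-request from the monitor and from the work host."""
    def ping(src):
        return Packet(src, "icmp", "echo-request")
    return {
        "tbb": router_verdict(ping(TBB_HOST), chain, wan_ping_allowed),
        "work": router_verdict(ping(WORK_HOST), chain, wan_ping_allowed),
    }


if __name__ == "__main__":
    print("tick on :", verdicts(ronski_rules(), wan_ping_allowed=True))
    print("tick off:", verdicts(ronski_rules(), wan_ping_allowed=False))
    print("-I 1    :", verdicts(phil_workaround(True), wan_ping_allowed=False))
    print("-A      :", verdicts(phil_workaround(False), wan_ping_allowed=False))
```

With the tick on, both hosts get ACCEPT regardless of the rules, which is exactly the symptom in the first post; with it off, the same two rules behave as written. The last two lines show why the rule in Phil's post uses `-I INPUT 1` rather than `-A`: appended, the accept sits behind the drop and never matches.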
Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Zxyel VMG8324-B10A - Access control
« Reply #4 on: August 05, 2015, 09:48:18 PM »

> another thing that is broken

This isn't good enough at all. There are a lot of ropey domestic routers out there and we definitely do not need any holes donated by the manufacturers to the vermin's beer fund.

Is there a way of reporting that bug?

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Re: Zxyel VMG8324-B10A - Access control
« Reply #5 on: August 05, 2015, 10:16:56 PM »

Thanks Phil.

It's not good enough; guess I need to raise another support ticket.

Makes one wonder just how many other holes and serious bugs there are!
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

PhilipD

  • Reg Member
  • ***
  • Posts: 591
Re: Zxyel VMG8324-B10A - Access control
« Reply #6 on: August 06, 2015, 07:36:26 AM »

Hi

I don't think any consumer router is without bugs and potential security issues; they are constantly finding new issues and vulnerabilities with all makes and models, from both new code and years-old open source code still being used. Plus this market has changed in recent years from fairly stable models that don't change for years to a move to relatively cheap routers that are only current for about a year (seemingly much less in Netgear's case) before they bring out a new model with even bigger go-faster antennas and bigger numbers on the box to get us to spend again! No consumer router is supported long enough to get these bugs all squashed, perhaps with the exception of Billion, who then lose out to sales and complaints of product launches that never happen.

In the case of ZyXEL, I'm not sure if the ping issue has only broken on this beta version. The firmware is definitely a special debug firmware, which can be seen by the logs, so it could be the released version of 11 doesn't have this issue.

Regards

Phil

« Last Edit: August 06, 2015, 07:39:06 AM by PhilipD »

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Re: Zxyel VMG8324-B10A - Access control
« Reply #7 on: August 06, 2015, 10:26:18 AM »

That's the problem with so much tech these days: the upgrade cycle is just too quick for the bugs to be ironed out, or with software they just add new features instead of fixing the bugs.

V11 is certainly a lot more stable, I've spent a lot of time in there and it hasn't crashed once. Connection is still stable as well, so overall an improvement on v6.
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Re: Zxyel VMG8324-B10A - Access control
« Reply #8 on: August 08, 2015, 02:06:11 PM »

I've fired another email off to ZyXel support, wonder what they will make of this one.
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4316
Re: Zxyel VMG8324-B10A - Access control
« Reply #9 on: August 11, 2015, 10:27:38 AM »

I had a response from ZyXel yesterday asking me to update the firmware; this seems a standard response.

After telling them I was on V11 (which I did forget to put in my original email) I received this reply.

Quote
I was informed that this is how the router is designed to work.

Your settings are correct

So clearly they don't intend to fix it, I'm not impressed.
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7508
  • AAISP CF
Re: Zxyel VMG8324-B10A - Access control
« Reply #10 on: August 11, 2015, 10:56:00 AM »

Ronski, I've got 3 comments.

1 - The pings may be UDP based, so try UDP.
2 - Blocking "all" ICMP in my view is not a good idea, as it's used for more than just pings, including MTU discovery, which on PPPoE has importance given it doesn't use a standard 1500-byte MTU. Also, blocking pings doesn't really do much for security but hurts diagnostics.
3 - For the block rule, type 0.0.0.0 as the IP to see if that works.

You may be better served by rate limiting icmp echo replies instead rather than blocking completely.
« Last Edit: August 11, 2015, 10:58:13 AM by Chrysalis »

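Chrysalis's second and fourth points amount to a concrete ICMP policy: never drop the ICMP error messages that path-MTU discovery needs, let the monitor's range through unthrottled, and rate-limit other echo-requests from the WAN instead of dropping them. The following is an added example written for this thread, not code from any poster or from the router: a token-bucket limiter of the kind behind iptables' `-m limit` applied to a constructed stream of ICMP events. The untrusted source (198.51.100.9), the rate (2 per second, burst 5) and the event timings are all constructed; the trusted range is the one quoted in the first post.

```python
import ipaddress
from dataclasses import dataclass

TRUSTED_RANGE = "80.249.99.164/28"   # the monitor range from the first post

# ICMP (type, code) pairs the data path depends on; dropping these breaks
# path-MTU discovery, which matters on PPPoE links with an MTU below 1500.
ALWAYS_ACCEPT = {(3, 4), (11, 0), (11, 1)}   # frag-needed, TTL/reassembly exceeded
ECHO_REQUEST = (8, 0)


class TokenBucket:
    """Token-bucket limiter: `burst` tokens to start, refilled at `per_second`."""

    def __init__(self, per_second: float, burst: int):
        self.rate = per_second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last packet, capped at the burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass(frozen=True)
class IcmpEvent:
    t: float        # seconds since start of the capture (constructed)
    src: str
    icmp_type: int
    code: int


class IcmpPolicy:
    """Accept error messages, accept the monitor, throttle everyone else's pings."""

    def __init__(self, per_second: float = 2.0, burst: int = 5):
        self.trusted = ipaddress.ip_network(TRUSTED_RANGE, strict=False)
        self.bucket = TokenBucket(per_second, burst)

    def verdict(self, ev: IcmpEvent) -> str:
        kind = (ev.icmp_type, ev.code)
        if kind in ALWAYS_ACCEPT:
            return "ACCEPT"              # PMTUD and traceroute keep working
        if kind != ECHO_REQUEST:
            return "ACCEPT"              # no blanket ICMP block (echo-reply etc.)
        if ipaddress.ip_address(ev.src) in self.trusted:
            return "ACCEPT"              # the monitor is never throttled
        return "ACCEPT" if self.bucket.allow(ev.t) else "DROP"


def run(events, per_second: float = 2.0, burst: int = 5) -> list:
    """Return one verdict per event, evaluated in order."""
    policy = IcmpPolicy(per_second, burst)
    return [policy.verdict(e) for e in events]


def sample_events() -> list:
    """Constructed capture: ten pings at t=0 from an untrusted host, a
    frag-needed and a monitor ping during that burst, then three more
    untrusted pings one second later."""
    untrusted = "198.51.100.9"
    evs = [IcmpEvent(0.0, untrusted, 8, 0) for _ in range(10)]
    evs.append(IcmpEvent(0.0, untrusted, 3, 4))
    evs.append(IcmpEvent(0.0, "80.249.99.170", 8, 0))
    evs += [IcmpEvent(1.0, untrusted, 8, 0) for _ in range(3)]
    return evs


if __name__ == "__main__":
    for ev, v in zip(sample_events(), run(sample_events())):
        print(f"t={ev.t:<4} {ev.src:<15} type={ev.icmp_type}/{ev.code}  {v}")
```

Of the ten-ping burst only the first five pass, the frag-needed message and the monitor's ping pass regardless, and after a one-second gap two more tokens have accrued so two of the three later pings pass. That is the shape Chrysalis is suggesting: diagnostics and PMTUD keep working, and a flood from one host is capped rather than the router going dark to every ping.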
Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7508
  • AAISP CF
Re: Zxyel VMG8324-B10A - Access control
« Reply #11 on: August 11, 2015, 11:02:42 AM »

Quote
Hi

I don't think any consumer router is without bugs and potential security issues; they are constantly finding new issues and vulnerabilities with all makes and models, from both new code and years-old open source code still being used. Plus this market has changed in recent years from fairly stable models that don't change for years to a move to relatively cheap routers that are only current for about a year (seemingly much less in Netgear's case) before they bring out a new model with even bigger go-faster antennas and bigger numbers on the box to get us to spend again! No consumer router is supported long enough to get these bugs all squashed, perhaps with the exception of Billion, who then lose out to sales and complaints of product launches that never happen.

In the case of ZyXEL, I'm not sure if the ping issue has only broken on this beta version. The firmware is definitely a special debug firmware, which can be seen by the logs, so it could be the released version of 11 doesn't have this issue.

Regards

Phil

Sadly I agree with your statement, but the ZyXEL does seem much buggier than average. It reminds me of how buggy the Superhub was when VM first released it, but they still managed to fix that within a year or so of release.

This is one reason why I like Linux-based routers: then, if there is a bug, you can often override it yourself with your own scripts.

In terms of security we will find out over the next couple of years, as routers are now being targeted much more frequently for exploits.

Asus do support older routers, like their RT-N16, but the problem is they have a rapid development cycle, so there are constant feature and underlying code changes creating new bugs; that's one reason I now use John's fork of asuswrt-merlin, as he has forked an old stable version with only bugfixes.
« Last Edit: August 11, 2015, 11:05:11 AM by Chrysalis »