Author Topic: stop apps on android to scan network  (Read 3113 times)

neil

  • Reg Member
  • ***
  • Posts: 502
stop apps on android to scan network
« on: July 10, 2022, 09:11:57 PM »

There are so many apps on android which can scan the Wi-Fi network you are connected with and can show the number of devices connected and model and other network devices on the network. Is there any way to stop it?
Logged
VDSL FTTC 35/18

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #1 on: July 10, 2022, 10:48:09 PM »

Don't install those apps?

Thing is, those apps aren't always as clever as they look, as while they may be using zeroconf to scan for devices, they could also be using a database to compare to the ARP table. Unless you are using some sort of client isolation, every device on the LAN can see the list of every other device that has been talking on the LAN recently; this is by design.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1626
Re: stop apps on android to scan network
« Reply #2 on: July 11, 2022, 09:25:48 AM »

Quote from: neil on July 10, 2022, 09:11:57 PM
> There are so many apps on android which can scan the Wi-Fi network you are connected with and can show the number of devices connected and model and other network devices on the network. Is there any way to stop it?

Yes,

Code:
# iptables chain names are case-sensitive, so the chain must be PREROUTING. The rule adds 1 to the
# TTL of packets entering from the LAN interface (eth0.1), cancelling the decrement the router makes
# when forwarding, so the router does not show up as a hop.
iptables -t mangle -A PREROUTING -i eth0.1 -j TTL --ttl-inc 1
from r/openwrt

https://www.reddit.com/r/openwrt/comments/c57hwe/share_your_wifi_hide_your_core/

Above is a simple iptables rule to hide the gateway; the second thing to use is client isolation, which will prevent the apps seeing anything but themselves.
Logged
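A small model of why the TTL-increment rule above hides the router from traceroute-style hop discovery. This is an added example, not code from the thread or the linked Reddit post; the hop names and topology are constructed, and each hop is modelled the way a Linux forwarding path behaves (mangle PREROUTING runs first, then a packet whose TTL is 1 expires with ICMP Time Exceeded, otherwise the TTL is decremented and the packet is forwarded).

```python
"""Constructed model of 'iptables -t mangle -A PREROUTING -i <lan-if> -j TTL --ttl-inc N'
and its effect on hop discovery. Added example; hop names are made up."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    name: str
    # Extra TTL added to a packet arriving at this hop from the LAN side,
    # i.e. the effect of the mangle rule (0 = no rule on this hop).
    ttl_inc_on_ingress: int = 0


def forward(hop: Hop, ttl: int) -> Optional[int]:
    """Apply the mangle rule, then do what a forwarding router does:
    TTL <= 1 expires here (hop answers with Time Exceeded), otherwise
    decrement and pass on. Returns the outgoing TTL, or None if expired."""
    ttl += hop.ttl_inc_on_ingress
    if ttl <= 1:
        return None
    return ttl - 1


def trace(path: List[Hop], max_ttl: int = 8) -> List[str]:
    """Names of the hops that answer probes sent with initial TTL 1, 2, ...
    until a probe gets past the last router to the destination."""
    answers = []
    for initial_ttl in range(1, max_ttl + 1):
        ttl: Optional[int] = initial_ttl
        responder = "destination"
        for hop in path:
            ttl = forward(hop, ttl)
            if ttl is None:
                responder = hop.name
                break
        answers.append(responder)
        if responder == "destination":
            break
    return answers


def hidden_hops(path: List[Hop]) -> List[str]:
    """Routers on the path that never appear in the trace."""
    seen = set(trace(path))
    return [hop.name for hop in path if hop.name not in seen]


# Constructed path: home router, two ISP routers, then the destination host.
PLAIN = [Hop("home-router"), Hop("isp-gateway"), Hop("isp-core")]
MANGLED = [Hop("home-router", ttl_inc_on_ingress=1), Hop("isp-gateway"), Hop("isp-core")]

if __name__ == "__main__":
    print("without rule:", trace(PLAIN))
    print("with rule:   ", trace(MANGLED))
    print("hidden:      ", hidden_hops(MANGLED))
```

With the rule in place the first responder a LAN client sees is the ISP gateway rather than the home router. Note what the rule does not do: the router still answers traffic addressed to its own LAN address, and it is still listed in every client's ARP or neighbour table, which is why the post pairs it with client isolation.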

neil

  • Reg Member
  • ***
  • Posts: 502
Re: stop apps on android to scan network
« Reply #3 on: July 11, 2022, 02:29:10 PM »

Thank you for the replies.
Logged
VDSL FTTC 35/18

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #4 on: July 11, 2022, 06:34:29 PM »

I use L2 isolation on my wireless LAN for guests but it isn’t practical to use it for normal machines because you want machines to be able to communicate with one another in some applications. I have two ZyXEL WAPs that offer this. Also this doesn’t apply to wired ethernet machines - L2 isolation is a wireless-only thing and you have to have a WAP that offers the feature, not all do.

A LAN scanner app could just scan all the IPv4 addresses in the LAN range. This is a solution for finding all the machines that speak IPv4. There are other partially successful LAN-scanning techniques. In the case of IPv6-speaking machines, it is completely impractical to scan 2^64 possible IPv6 addresses or 2^48 ethernet MAC addresses on the LAN. So using IPv6 only on your LAN is helpful if you’re paranoid about LAN scanning. For this to be at all a practical idea you would have to have no IPv4-using apps, and in order to be able to access the IPv4 internet you would need an ISP that offers NAT64 trickery and DNS tricks in order to support IPv6-only machines in their desire to access IPv4 internet servers. A very drastic solution to a questionable ‘problem’.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7407
  • VM Gig1 - AAISP CF
Re: stop apps on android to scan network
« Reply #5 on: July 11, 2022, 06:44:27 PM »

Quote from: neil on July 10, 2022, 09:11:57 PM
> There are so many apps on android which can scan the Wi-Fi network you are connected with and can show the number of devices connected and model and other network devices on the network. Is there any way to stop it?

Sadly Android is just a data harvesting OS at this point; the OS is designed to let apps detect when you go online, and to do all sorts of weird things. Since the design is embedded into the OS itself, it's difficult to prevent it. Many years ago with a rooted phone there was a great app where you could customise the triggers which wake up apps, and tame it nicely, but Google were changing everything around every Android update and of course unpaid open source developers couldn't keep up, so those tools have died off.

I've seen Weaver's reply, and I will add that my phones only go on my guest VLAN (with the isolation), so if the concern is them scanning your LAN, it would mitigate that.
« Last Edit: July 11, 2022, 06:56:09 PM by Chrysalis »
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #6 on: July 11, 2022, 06:51:00 PM »

Quote from: Weaver on July 11, 2022, 06:34:29 PM
> I use L2 isolation on my wireless LAN for guests but it isn’t practical to use it for normal machines because you want machines to be able to communicate with one another in some applications. I have two ZyXEL WAPs that offer this. Also this doesn’t apply to wired ethernet machines - L2 isolation is a wireless-only thing and you have to have a WAP that offers the feature, not all do.

That's what I thought, the WiFi to LAN part is a plain bridge. It's probably a lot easier to do WiFi isolation as you're already putting a lot of CPU time into processing those clients anyway, so packet filtering on the LAN side too would mean even more CPU overhead.

Surely with IPv6 it's redundant, as everything is done over broadcasts anyway so is easily snoopable?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #7 on: July 11, 2022, 07:20:47 PM »

@Alex, I don’t know how many situations/applications there are in IPv6 apps and protocols where multicast is used, not broadcast. Having well known multicast groups is great for efficiency, being a good citizen on very large LANs, especially where L2 bridges are used site-site.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #8 on: July 11, 2022, 10:06:45 PM »

As I've admitted before, my understanding of IP in general is limited, and IPv6 seems all the more complicated. I was just thinking though that the way it picks up a lot of details from Router Advertisements could possibly give away the network layout even more easily than IPv4?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #9 on: July 12, 2022, 12:30:37 AM »

@Alex It’s more than 15 years since I studied all the IPv6-related core protocols - I have a big fat book somewhere by Microsoft Press. I’d have to re-read some of that stuff to refresh my memory about what is done by unicast vs multicast or broadcast. My vague and shaky memory tells me that IPv6 was designed with pervasive avoidance of broadcast because broadcast doesn’t scale well into very large LANs. Such a refresher would be needed before I could answer your question.

There is also the matter of whether or not one is using DHCPv6 at all. I just use RA from my Firebrick with the minimum amount of reliance on obtaining networking parameters such as prefix, addresses of DNS servers etc. by IPv6 zeroconf protocols. I have all such critical parameters hard-coded: the IPv6 prefix and DNS servers are published to the LAN from values written in the Firebrick’s XML config.

I could get the IPv6 prefix value etc from the ISP using PPP, but I have no desire for such a thing that only adds another failure mechanism and a critical initial delay. Of course since I use IP-bonded internet access links, which PPP connection would I consult? Various weird bug condition possibilities from that. I read about some other Kitizens who use DHCPvx from their ISP for zeroconfig where they don’t have a PPP ISP connection.

I can’t understand the reasoning behind the acquisition of critical LAN config info from an internet connection, unless it’s a physically mobile setup, as my modems take about 70s to bring the DSL link up, and, worse still, getting from cold boot to showtime takes an eternity. That delay would mess up systems trying to use the LAN too soon in situations where they need critical IP-related LAN config and internet access parameter values right now and can’t wait for modems to come up. Indeed, some algorithms might fail if they’re trying to survive without completed zeroconf because an internet link from an ISP hasn’t come up yet.

IPv6 is more robust in awkward situations during system initialisation because a lot is routinely done with link-local IPv6 addresses, while the equivalent in IPv4 is less used, and when it is it is done without consistency; operating systems’ behaviour with IPv4 link-local addressing seemed in the past to be all over the place, but maybe things have improved.

When Windows Vista came out, Microsoft took from their IPv6 design experience many superior, more robust and more general IPv6 algorithms (including for example things such as getting rid of bogus assumptions about interfaces only ever having max one associated IP address of a particular type) and applied these algorithms to IPv4 too. So as well as being the first WinNT family o/s that had fully-integrated IPv6 as a first-class citizen not an add-on, Vista had better IPv4 behaviour too, thanks to IPv6 algorithm design work.
Logged
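Alex asked whether Router Advertisements give away the network layout, and Weaver describes publishing the prefix and DNS servers to the LAN by RA rather than DHCPv6. The following added example (not code from the thread, the Firebrick, or any vendor) builds and decodes an ICMPv6 Router Advertisement (RFC 4861) carrying a Source Link-Layer Address option, a Prefix Information option and an RDNSS option (RFC 8106), so you can see exactly which fields every host on the link receives; RAs go to the all-nodes multicast group ff02::1, so any host listening on the link gets them. All addresses are constructed (2001:db8::/32 documentation space, a locally administered MAC).

```python
"""Build and parse an ICMPv6 Router Advertisement. Added example; sample values constructed."""
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1   # router's link-layer (MAC) address
OPT_PREFIX_INFO = 3     # on-link / SLAAC prefix
OPT_RDNSS = 25          # recursive DNS server addresses


def build_ra(prefix, dns_servers, router_mac, managed=False, other_config=False):
    """ICMPv6 RA payload as a router would send it to ff02::1. The checksum is
    left as 0 here; the kernel fills it in over the IPv6 pseudo-header."""
    net = IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other_config else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    slla = struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1,
                       bytes.fromhex(router_mac.replace(":", "")))
    # prefix length, L|A flags, valid lifetime, preferred lifetime, reserved, prefix
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2_592_000, 604_800, 0, net.network_address.packed)
    addrs = b"".join(IPv6Address(a).packed for a in dns_servers)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800) + addrs
    return hdr + slla + pio + rdnss


def parse_ra(pkt: bytes) -> dict:
    """Decode an RA the way a receiving host does. Options are TLVs whose length
    is in 8-octet units; unknown options are skipped, a zero length is fatal."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[:16])
    info = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),       # M: get addresses from DHCPv6
        "other_config": bool(flags & 0x40),  # O: get other parameters from DHCPv6
        "router_lifetime": router_lifetime,
        "router_mac": None, "prefixes": [], "dns": [],
    }
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option (RFC 4861: discard packet)")
        body = pkt[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            info["router_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _, raw = struct.unpack("!BBIII16s", body[2:32])
            info["prefixes"].append({
                "prefix": str(IPv6Network((raw, plen), strict=False)),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A: hosts may SLAAC from it
                "valid": valid, "preferred": preferred,
            })
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range((olen - 1) // 2):
                info["dns"].append(str(IPv6Address(body[8 + 16 * i:24 + 16 * i])))
        off += olen * 8
    return info


# Constructed sample: what a home router might announce on its LAN.
SAMPLE_RA = build_ra("2001:db8:1234:1::/64", ["2001:db8:1234::53"],
                     "02:00:00:aa:bb:cc", other_config=True)

if __name__ == "__main__":
    for key, value in parse_ra(SAMPLE_RA).items():
        print(f"{key}: {value}")
```

The decoded result answers the question directly: the prefix, the DNS resolver addresses, the router's MAC and the M/O flags are all readable by any node on the link, but the RA says nothing about which other hosts exist; that information still comes from ARP, neighbour discovery and multicast traffic.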

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #10 on: July 12, 2022, 07:08:14 AM »

On Zen you get a /48 via DHCP6 over PPPoE, but you're free to break that down into /64 subnets on the LAN so you aren't relying on the Internet side to enable LAN connectivity.  As I can set this static, I can also use NPt to do a form of NAT to my AAISP address range, so I only need to use the Zen subnet on the LAN.

I can't say anything good about Windows networking; it still to this day behaves oddly. The feature it has to use a fallback static IP if DHCP fails has never worked for me; it always ends up with the default fallback IP rather than the one I specified. The new IP address page in Windows 11 won't even let you set an IP address without a gateway, which is utterly moronic.

As I've said before though, my biggest issue with IPv6 is accountability. They designed the Xbox to reset its UUID every boot, so you can't set its IP statically on the router, nor is there any option to do so on the console.

The thing is, on my main intranet page I have a list of all recently active clients in the ARP table and what traffic they are sending over the pfSense LAN interface. That way, I know exactly which client is doing what. If I can't set the Xbox as static, I can't do that, and I don't even have a method for getting that information for IPv6. That's really the only reason I leave IPv6 disabled on the LAN, as I don't like not being able to see which client is causing the traffic on the WAN.

pfSense are working on using iftop, I believe, to monitor IPv6 traffic, but it's still experimental. But even if I force the Xbox into its own VLAN, that's still going to be a PITA to monitor. Sure, the console rarely gets rebooted, but that just makes it easier to forget it's changed.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors
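The accounting problem Alex describes (a client whose IPv6 addresses change, so per-address traffic lists do not add up to one device) can be handled by keying on the link-layer address from the router's neighbour table instead of the IP address. The following is an added example, not code from the thread or from pfSense: it parses neighbour-table lines in the format printed by `ip neigh` / `ip -6 neigh` on Linux (which covers the IPv4 ARP table and the IPv6 neighbour cache in one go) and sums constructed flow records per MAC, so a host with several temporary addresses rolls up to one line. The table entries and flows are constructed sample data.

```python
"""Per-client traffic accounting keyed on MAC, joining flows with the neighbour table.
Added example; the neighbour lines and flow records are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address

# '<addr> dev <if> lladdr <mac> [router] <state>'. Entries with no lladdr
# (FAILED, INCOMPLETE) do not match the pattern and are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})(?: router)? (\S+)$")

# Constructed neighbour table: one host with an IPv4 address, two IPv6 temporary
# addresses and a link-local address, a second host, and a failed entry.
NEIGH_TABLE = """\
192.168.1.20 dev lan lladdr 7c:ed:8d:00:00:01 REACHABLE
2001:db8:1234:1:8d2c:3a1f:9b0e:1111 dev lan lladdr 7c:ed:8d:00:00:01 STALE
2001:db8:1234:1:2f7a:c09d:41e6:2222 dev lan lladdr 7c:ed:8d:00:00:01 REACHABLE
fe80::7eed:8dff:fe00:1 dev lan lladdr 7c:ed:8d:00:00:01 REACHABLE
2001:db8:1234:1::10 dev lan lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1234:1::99 dev lan FAILED
""".splitlines()

# Constructed (source address, bytes) pairs as a flow exporter might report them.
FLOWS = [
    ("2001:db8:1234:1:8d2c:3a1f:9b0e:1111", 5_000),
    ("2001:db8:1234:1:2f7a:c09d:41e6:2222", 7_000),
    ("192.168.1.20", 1_000),
    ("2001:db8:1234:1::10", 300),
    ("2001:db8:1234:1::99", 42),   # no usable neighbour entry for this source
]


def parse_neigh(lines):
    """Map normalised IP address -> MAC for entries that carry a link-layer address."""
    table = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr, _dev, mac, _state = m.groups()
        table[ip_address(addr).compressed] = mac
    return table


def bytes_per_client(neigh, flows):
    """Sum bytes per MAC; sources with no neighbour entry are kept under 'unknown'
    so they are visible rather than silently dropped."""
    totals = defaultdict(int)
    for src, nbytes in flows:
        key = neigh.get(ip_address(src).compressed, "unknown")
        totals[key] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for mac, total in sorted(bytes_per_client(parse_neigh(NEIGH_TABLE), FLOWS).items()):
        print(f"{mac:18} {total:>8} bytes")
```

Because the join is by MAC, the device's IPv4 traffic and both of its IPv6 temporary addresses land on the same row even though none of its addresses is static; the only thing the router needs is a neighbour cache that has seen the host recently.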

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #11 on: July 12, 2022, 07:56:16 AM »

You’re exactly right. The later IPv6 designers 20 years ago seemed to be far more concerned with (some) users’ privacy demands than sysadmin friendliness and manageability. I can’t control my iPads’ address assignment practices at all.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #12 on: July 12, 2022, 02:37:56 PM »

I mean I totally get privacy, but when you want some clients to have an open firewall and others a closed one, how on earth are you supposed to handle that?

Forcing every client to rely on its own firewall causes way bigger privacy issues when you have devices that assume they're on a private LAN and so have little to no security themselves. This has gotten a whole lot worse now with IoT, and it's not always possible to just put them on a restrictive VLAN as many devices rely on broadcasts to see other devices. I see regular posts from people trying to do inter-VLAN NAT to get around this, which kinda defeats the purpose of having them in their own VLAN IMO.
« Last Edit: July 12, 2022, 02:40:14 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #13 on: July 12, 2022, 02:54:37 PM »

Relying on software firewalls in operating systems of individual machines implies that alien traffic could potentially be entering your LAN, causing DoS attacks, or hosing machines, or gobbling up bandwidth on your internet link. That is not good at all. Even in the best case, having alien traffic enter your LAN just to get dropped at a machine’s individual software firewall is stupid, and all the while the unwanted traffic is consuming CPU cycles on the target machine. In the worst cases, such traffic could crash a crappy ancient o/s, or get reflected onto another machine in the LAN because it had a spoofed source address, and the receiving machine replies to the bogus source address, as in a typical amplification attack. Such reflected traffic then looks very safe and plausible to the reflection target machine because the source address is an acceptable and trustworthy LAN-internal one, yet the packet’s content may be evil.

So I treat o/s firewalls merely as an optional equivalent of ACLs for limiting networking. And I sometimes simply turn them off.
Logged
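The reflection Weaver describes depends on a packet with a LAN-internal source address getting in from the WAN side at all. The standard defence is a source-address sanity check at the router's ingress, in both directions: drop anything from the WAN that claims a source inside your own LAN prefixes or a private/link-local range, and drop anything from the LAN whose source is not one of your own prefixes (BCP 38 egress filtering). The following added example (not from the thread or any firewall product) expresses that check as a verdict function over constructed prefixes and addresses; the verdict strings are assumptions for illustration.

```python
"""Ingress/egress source-address filter for a home router. Added example;
prefixes and sample packets are constructed."""
from ipaddress import ip_address, ip_network

# Constructed: the prefixes in use on the LAN side of the router.
LAN_PREFIXES = [ip_network("192.168.1.0/24"), ip_network("2001:db8:1234:1::/64")]
# Ranges that have no business arriving from the Internet side as a source.
NEVER_FROM_WAN = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]
LINK_LOCAL_V6 = ip_network("fe80::/10")   # legitimate on the LAN for neighbour discovery


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_verdict(iface, src):
    """Decide what to do with a packet by the interface it arrived on and its source."""
    s = ip_address(src)
    if iface == "wan":
        if in_any(s, LAN_PREFIXES):
            # A WAN packet claiming to come from inside: exactly the case that
            # would be reflected off a LAN host as trusted-looking traffic.
            return "drop-spoofed-lan-source"
        if in_any(s, NEVER_FROM_WAN):
            return "drop-bogon"
        return "accept"
    if iface == "lan":
        if in_any(s, LAN_PREFIXES) or s in LINK_LOCAL_V6:
            return "accept"
        # Our own hosts must not emit packets with foreign sources either.
        return "drop-egress-spoof"
    raise ValueError(f"unknown interface {iface!r}")


def apply_filter(packets):
    """Run the check over (iface, src) pairs and return the per-verdict counts."""
    counts = {}
    for iface, src in packets:
        v = ingress_verdict(iface, src)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample: a mix of legitimate and spoofed sources on both sides.
SAMPLE_PACKETS = [
    ("wan", "203.0.113.5"), ("wan", "192.168.1.50"), ("wan", "10.1.2.3"),
    ("wan", "2001:db8:1234:1::7"), ("lan", "192.168.1.50"), ("lan", "fe80::1"),
    ("lan", "203.0.113.5"),
]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface:4} {src:24} -> {ingress_verdict(iface, src)}")
    print(apply_filter(SAMPLE_PACKETS))
```

Doing this at the router, rather than on each host, means the spoofed packet is discarded before it can reach a host whose reply would become the reflected traffic, and before it costs any LAN host CPU time.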

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #14 on: July 12, 2022, 03:49:54 PM »

Agreed, so many people don't seem to get the point of a firewall at the router: to block traffic at the nearest point of ingress. An aggressive attack would probably easily saturate many routers' NAT tables and/or RAM, long before you run out of bandwidth.

I have geoblocking on my port forwards to my server, and I've seen some people arguing that's pointless as it won't stop the attempts. Except it's not about stopping them (though arguably it should help: if they're being blackholed it's a less appealing target), it's about efficiency and ease of maintenance. Much easier to deal with it all in one place.

I was helping someone recently who was annoyed that with his new router he can't remotely configure port forwards from within Windows (I never knew that existed), and it requires him to use DHCP static allocation. He was strongly against that, despite it being the logical way to do it.

It honestly creeped me out at the idea of simply being able to right-click the router in Windows and edit port forwards. If it's that easy for the user, what's to say it's not that easy for malware?
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors