[ale] 10.1.10.1 Comcast access from local LAN? (Slightly OT BUT there is Ubuntu AND PI involved!)
Derek Atkins
derek at ihtfp.com
Sat Feb 6 14:45:06 EST 2021
Hi,
On Sat, February 6, 2021 11:35 am, Neal Rhodes via Ale wrote:
> Thanks for all the responses. As suggested,
> https://www.dropbox.com/s/hdeizsvptc4gmpe/WAN-LAN-Comcast-Cisco.pdf?dl=0
> is a link to a pdf of a hand-drawn diagram. I suspect the list server
> will flag a .pdf file. Sorry that Ascii diagram didn't show.
So just to make sure I understand, you have ports 4464 and 61002-621000
forwarded from your COMCAST to the JacTrip on 10.1.10.100, right? Or are
they forwarded in some other way? It is unclear *from* where the ports
are being forwarded (I am assuming they are forwarded *to* the 10.1.10.100
jacktrip server).
> While JackTrip and Jack audio have been around for a long time at
> Stanford, the security aspect is unclear. The Ubuntu Jacktrip server
> needs to be accessible at port 4464 to any and all Jacktrip Virtual
> Studio Pi boxes in the area. I have some concern over a security
> breach in JackTrip spilling over into the LAN. And some trepidation
> over actually getting inbound port forwarding to happen over two layers,
> eg Comcast and Cisco. All that made me lean towards placing the server
> on one the Comcast LAN ports.
I see nothing wrong with that. Then you just need to ensure the Cisco
knows how to talk to the jacktrip, and that the jacktrip can reply back to
the cisco.
> I'm a bit hazy on what would happen IF I setup a DMZ address on the
> Cisco side, inside the perimeter. I guess I could make the Ubuntu
> server have an address NOT on the 192.168.1.x network. But, seems like
> with it sitting on the switch with all the other LAN resources, that's a
> paper-thin wall from it getting to the LAN if it's compromised. I
> don't want to be "THAT Guy".
If you set up the Cisco so it has both 50.248.230.105 *AND* 10.1.10.99, I
think it would completely solve your problem. You can certainly set up
the cisco so as NOT to allow new connections from 10.1 into 192.168, while
allowing connections from 192.168 to 10.1. This would protect you from a
potential source-route attack if someone is able to break into the Ubuntu
Jacktrip server.
> From a Desktop, whatismyipaddress reports 50.248.230.105. Thus I'm
> expecting that the Cisco router is doing it's NAT job, and any outbound
> traffic requested to 10.1.10.1, or 10.1.10.100 may be going out to
> Comcast, but coming from 50.248.230.105, and it's saying "oh hell no" at
> routing it to 10.1.10.X.
Yes, that is what is currently happening.
> I don't see any setup which would improve
> that on either side.
I have given you a suggestion, the same suggestion, multiple times now,
but you have never said why it wont work for you. Indeed, others have
suggested the same thing: Give the Cisco a SECOND IP address, 10.1.10.99
(or some other address). That should make everything *just work*.
> Staring at this I'm concluding there is no way of accessing the Comcast
> router admin login from the LAN.
Not as-configured; you need a configuration change on the cisco to enable it.
> The simplest configuration for the Ubuntu server appears to involve:
> - Put it on the Comcast Lan port at 10.1.10.something;
> - Port Forward 4464 and the UDP ports;
(where are you forwarding it from)?
> - Port Forward some high port to 22 (ssh);
(again, forwarded from where?)
> - Setup an Iptables firewall on the Ubuntu side to limit ssh to my
> external IP address at home. (oh, joy of joys)
> - IF I have to get into the Ubuntu server onsite I've just gotta go down
> to the furnace room.
>
> At the moment simplest appears best. Any other thoughts are welcome.
Again, have you tried giving the cisco a 10.1 address?
-derek
>
> On 2021-02-05 15:03, Derek Atkins wrote:
>> HI,
>>
>> On Fri, February 5, 2021 2:02 pm, Neal Rhodes via Ale wrote:
>>> Thanks. I forgot about NAT. So the RV180 is doing NAT on..
>>> everything
>>> that goes out the WAN port? Which essentially means it changes the
>>> packet to say it's coming from its 50.248 address, but somehow
>>> remembers
>>> the local address to send the response.
>>
>> Yes, that is how it works. It gets a packet from 192.168.x.y port z
>> destined for 1.2.3.4 port a -- so it rewrites the packet (the AT --
>> Address Translation) so it's coming from 50.248.230.10{6?} port B, and
>> sends it to 1.2.3.4:a. Then, when it gets a REPLY from 1.2.3.4:a
>> destined
>> to port B, it knows to translate that back to 192.168.x.y port z.. And
>> this is how NAT works.
>>
>>> Would the RV180 be deciding NOT to do the NAT on something bound for
>>> 10.1 address? Obviously the NAT is working for everything else.
>>
>> Unlikely. MORE likely the comcast box is not allowing 50.248.230.x to
>> talk to the 10.1 network, and the Ubuntu box does not know how to talk
>> to
>> the 50.248 router.. I.e., ComCast's box is separarating the two
>> networks.
>>
>>> Maybe there is some packet capture on the Comcast router that will
>>> shed
>>> some light on that. (ultimately, it always comes back to printf's in
>>> the kernel...)
>>
>> Maybe. Or you could put a dumb hub (not a switch) between the routers
>> and
>> plug in a device to run wireshark?
>>
>> Have you tried putting a 10.1 address on your router?
>>
>> If the default route is still via 50.248, it would only use the 10.1
>> address when talking to other 10.1 addresses.
>>
>> Another question: Is there a reason the Ubuntu box is sitting on the
>> 10.1
>> network? Couldn't you plug it in to the 192.168 network?
>>
>> -derek
>>
>>>
>>> On 2021-02-05 11:20, Derek Atkins wrote:
>>>> HI,
>>>>
>>>> Youre ascii art is hard to read, so I can't tell what's where.
>>>> But basically, no, what SHOULD be happening is that your RV180 would
>>>> NAT
>>>> your 192.168 network to its 50.248 address. then it will send a
>>>> request
>>>> to 10.1 -- the DPC3939 might not allow that.
>>>>
>>>> I think it very unlikely that the Comcast device is seeing the packet
>>>> coming from 192.168.
>>>>
>>>> More likely it's blocking access from the 50.248 to the 10.1 address.
>>>>
>>>> Here's something to try: Can you ADD a 10.1. address to the Comcast
>>>> side
>>>> of the RV180? In other words, let it have the 50.248 address as the
>>>> default address, but also add a static address of 10.1.10.X? And
>>>> ensure
>>>> it properly NAT's from 192.168 to 10.1.
>>>
>>> I only partially understand that. You are saying can I compel the
>>> Comcast router to add an additional 10.1 address it listens on?
>>> Unsure. And in fact would that address allow http login?
>>>
>>>
>>>>
>>>> -derek
>>>>
>>>>
>>>> On Fri, February 5, 2021 11:45 am, Neal Rhodes via Ale wrote:
>>>>> Our church has a Business Comcast DPC3939 connected to Our little
>>>>> Cisco
>>>>> RV 180 VPN.
>>>>>
>>>>> The Comcast has a local IP of 10.1.10.1, and the WAN Static Address
>>>>> of
>>>>> 50.248.230.105.
>>>>>
>>>>> Our Cisco router has a WAN address of 50.248.230.106, and it
>>>>> supports
>>>>> a
>>>>> 192.168.1.X network behind that, which is where everything on the
>>>>> LAN
>>>>> lives.
>>>>>
>>>>> INTERNET==>Comcast DPC3939 <===>Our Cisco RV180VPN<====Our
>>>>> 192.168.1.X
>>>>> LAN <==JackTrip Raspberry Pi Virtual Studio
>>>>> 50.248.230.105
>>>>> 50.248.230.106
>>>>> <==
>>>>> Everything
>>>>> else on the LAN
>>>>> 10.1.10.1
>>>>> |== Ubuntu JackTrip Audio Server
>>>>> 10.1.10.91
>>>>> Port Forwarding 4464, UDP
>>>>> 61002-62000
>>>>>
>>>>> We really need to do a couple of things:
>>>>> - our office administrators need to occasionally be able to http
>>>>> access
>>>>> the Comcast router from our 192.168.1.X LAN. They cannot. Any
>>>>> attempt
>>>>> times out. (Fun fact: you CAN http to 50.248.230.105, and get a
>>>>> login
>>>>> response, BUT the correct userid/password will result in a Password
>>>>> failure. It only allows login from the 10.1.10.1 address.)
>>>>> - we need for ME to be able to occassionally get an ssh session from
>>>>> an
>>>>> office PC TO the Ubuntu server. Similar challenge I think.
>>>>> - The Raspberry Pi Virtual Studio box in the sanctuary needs to
>>>>> connect
>>>>> to the Ubuntu server on port 4464. I think it can hit the external
>>>>> address of the Comcast router for that. I've got that port
>>>>> forwarding
>>>>> all working now at home with a UVerse router.
>>>>>
>>>>> We can access the Comcast Router as http://10.1.10.1 IF we go
>>>>> downstairs
>>>>> to the furnace room and plug into the LAN ports on the DPC3939. The
>>>>> PC
>>>>> will then get a 10.1.10.X address.
>>>>>
>>>>> Now, when I look at the DPC3939, I see no evidence that it has a
>>>>> static
>>>>> route for our LAN. So, when someone on, say 192.168.1.145 puts
>>>>> 10.1.10.1 in their browser, the PC hands it to our Cisco router, it
>>>>> knows it's not on our LAN, so it hands it to its gateway: the
>>>>> DPC3939.
>>>>>
>>>>> And then I THINK the DPC3939 then says, "I don't know where to send
>>>>> 192.168.1.145" and so it times out.
>>>>>
>>>>> I THINK the Comcast router needs a static route that says
>>>>> 192.168.1.X
>>>>> is
>>>>> behind our Cisco router: 50.248.230.106.
>>>>>
>>>>> Am I thinking right? I don't mind stuffing in the route myself, but
>>>>> I
>>>>> asked Comcast first, since it's their equipment. Tier 1 said, "no
>>>>> that's not possible". Tier 3 response was:
>>>>>
>>>>> _1- you need to know, in order for two local networks to communicate
>>>>> they have to be in the same lan scheme, either both 192.168.x.x or
>>>>> 10.1.x.x_
>>>>>
>>>>> _2- My suggestion is to change the local IP scheme for Comcast
>>>>> modem/router to match the other router _
>>>>> _192.168.1.X_
>>>>> _ _
>>>>> _3- Make sure the IP scope of the modem is not conflicting with the
>>>>> other router._
>>>>> _ _
>>>>> _For example if the other router IP scope is from 192.168.1.1 to
>>>>> 192.168.1.100 then make the modem DHCP 192.168.1.101 to
>>>>> 192.168.1.200.
>>>>> Same lan scheme different IP scope to avoid future issues._
>>>>>
>>>>> The Tier 3 response sounds insane to me; if I'm on 192.168.1.145,
>>>>> and
>>>>> I
>>>>> want to send data to 192.168.1.4, my IP stack will just put it out
>>>>> on
>>>>> the LAN wire. The Comcast router is never going to see that,
>>>>> 'cause
>>>>> it's connected to the WAN port on our router. The only way my
>>>>> gateway
>>>>> would get involved is when a workstation knows that the destination
>>>>> is
>>>>> NOT on the local network, and hence the packet needs to get passed
>>>>> to
>>>>> the gateway. The Tier 3 response also seems to open up all kinds of
>>>>> security issues if it in fact worked; then a compromise to anything
>>>>> on
>>>>> the Comcast side could easily bleed into our LAN.
>>>>>
>>>>> What is kinda weird to me is that at home this "just works". I have
>>>>> an
>>>>> AT&T Uverse router which provides 192.168.1.X. I have a Sonicwall
>>>>> VPN
>>>>> router plugged into that, which provides a LAN of 192.168.100.X.
>>>>> The
>>>>> linux and PC devices are on the 100.X network. There are a few
>>>>> expendable devices and IOT on the 1.1 network. I can ssh and http
>>>>> from the 100.1 network to hosts on the 1.1 network; but of course
>>>>> they
>>>>> cannot go the other way. I didn't do anything for this to happen.
>>>>> Did the routers exchange BGP and just figure that out?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Neal Rhodes_______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>> http://mail.ale.org/mailman/listinfo
>>>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the Ale
mailing list