[ale] 10.1.10.1 Comcast access from local LAN? (Slightly OT BUT there is Ubuntu AND PI involved!)
Phil Turmel
philip at turmel.org
Sun Feb 7 09:43:05 EST 2021
+1000 for 2nd IP address on Cisco WAN side.
On 2/6/21 2:45 PM, Derek Atkins via Ale wrote:
> Hi,
>
> On Sat, February 6, 2021 11:35 am, Neal Rhodes via Ale wrote:
>> Thanks for all the responses. As suggested,
>> https://www.dropbox.com/s/hdeizsvptc4gmpe/WAN-LAN-Comcast-Cisco.pdf?dl=0
>> is a link to a pdf of a hand-drawn diagram. I suspect the list server
>> will flag a .pdf file. Sorry that ASCII diagram didn't show.
>
> So just to make sure I understand, you have ports 4464 and 61002-621000
> forwarded from your COMCAST to the JackTrip on 10.1.10.100, right? Or are
> they forwarded in some other way? It is unclear *from* where the ports
> are being forwarded (I am assuming they are forwarded *to* the 10.1.10.100
> jacktrip server).
>
>> While JackTrip and Jack audio have been around for a long time at
>> Stanford, the security aspect is unclear. The Ubuntu Jacktrip server
>> needs to be accessible at port 4464 to any and all Jacktrip Virtual
>> Studio Pi boxes in the area. I have some concern over a security
>> breach in JackTrip spilling over into the LAN. And some trepidation
>> over actually getting inbound port forwarding to happen over two layers,
>> e.g. Comcast and Cisco. All that made me lean towards placing the server
>> on one of the Comcast LAN ports.
>
> I see nothing wrong with that. Then you just need to ensure the Cisco
> knows how to talk to the jacktrip, and that the jacktrip can reply back to
> the cisco.
>
>> I'm a bit hazy on what would happen IF I set up a DMZ address on the
>> Cisco side, inside the perimeter. I guess I could make the Ubuntu
>> server have an address NOT on the 192.168.1.x network. But, seems like
>> with it sitting on the switch with all the other LAN resources, that's a
>> paper-thin wall from it getting to the LAN if it's compromised. I
>> don't want to be "THAT Guy".
>
> If you set up the Cisco so it has both 50.248.230.105 *AND* 10.1.10.99, I
> think it would completely solve your problem. You can certainly set up
> the cisco so as NOT to allow new connections from 10.1 into 192.168, while
> allowing connections from 192.168 to 10.1. This would protect you from a
> potential source-route attack if someone is able to break into the Ubuntu
> Jacktrip server.
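
The one-way policy described in the quoted reply above (connections from 192.168 to 10.1 allowed, new connections from 10.1 into 192.168 refused), written out as an added nftables ruleset for a Linux router standing in for the Cisco. It is not from the thread or from any participant; the interface names "wan0" and "lan0" and the /24 masks are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: a Linux router in the Cisco's place.
# Assumed names: "wan0" faces the Comcast LAN (10.1.10.0/24, mask assumed),
#                "lan0" faces the internal LAN (192.168.1.0/24, mask assumed).

table inet oneway {
    chain forward {
        # Default-deny for everything routed between the two networks.
        type filter hook forward priority 0; policy drop;

        # Packets that conntrack cannot match to a valid flow are dropped.
        ct state invalid drop

        # Replies to flows that were opened from the internal LAN are
        # let back in; this is what makes the policy one-way rather
        # than a total block.
        ct state established,related accept

        # The internal LAN may open new connections toward the Comcast
        # side, including the JackTrip server at 10.1.10.100.
        iifname "lan0" oifname "wan0" ip saddr 192.168.1.0/24 ct state new accept

        # Anything new from the 10.1.10.x side toward the LAN is logged
        # and dropped, so a compromised JackTrip host cannot start a
        # session with an internal machine.
        iifname "wan0" oifname "lan0" ip saddr 10.1.10.0/24 ct state new log prefix "10.1->192.168 new: " drop
    }
}
```

The logged drops are worth watching: a JackTrip box that only ever answers inbound sessions should never produce them, so any hit on that rule is a signal to look at the server.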