[ale] 10.1.10.1 Comcast access from local LAN? (Slightly OT BUT there is Ubuntu AND PI involved!)
Alex Carver
agcarver+ale at acarver.net
Sun Feb 7 14:11:37 EST 2021
If you know the IPs of the Jacktrip boxes outside and inside then just
whitelist them (after putting everything on the Cisco with multiple IP's
on its WAN as suggested). You don't need to allow someone on the other
side of the planet to access it.
Another thing to investigate would be either SSH tunnels or private VPN
to tunnel the Jacktrip data. Any remote Jacktrip device would need to
establish the tunnel into your network (through a single port using keys
and passwords) and then the Jacktrips can see each other as they all
become members of the inside network.
On 2021-02-06 08:35, Neal Rhodes via Ale wrote:
> Thanks for all the responses. As suggested,
> https://www.dropbox.com/s/hdeizsvptc4gmpe/WAN-LAN-Comcast-Cisco.pdf?dl=0
> is a link to a pdf of a hand-drawn diagram. I suspect the list server
> will flag a .pdf file. Sorry that Ascii diagram didn't show.
>
> While JackTrip and Jack audio have been around for a long time at
> Stanford, the security aspect is unclear. The Ubuntu Jacktrip server
> needs to be accessible at port 4464 to any and all Jacktrip Virtual
> Studio Pi boxes in the area. I have some concern over a security
> breach in JackTrip spilling over into the LAN. And some trepidation
> over actually getting inbound port forwarding to happen over two layers,
> eg Comcast and Cisco. All that made me lean towards placing the server
> on one the Comcast LAN ports.
>
> I'm a bit hazy on what would happen IF I setup a DMZ address on the
> Cisco side, inside the perimeter. I guess I could make the Ubuntu
> server have an address NOT on the 192.168.1.x network. But, seems like
> with it sitting on the switch with all the other LAN resources, that's a
> paper-thin wall from it getting to the LAN if it's compromised. I
> don't want to be "THAT Guy".
>
> From a Desktop, whatismyipaddress reports 50.248.230.105. Thus I'm
> expecting that the Cisco router is doing it's NAT job, and any outbound
> traffic requested to 10.1.10.1, or 10.1.10.100 may be going out to
> Comcast, but coming from 50.248.230.105, and it's saying "oh hell no" at
> routing it to 10.1.10.X. I don't see any setup which would improve
> that on either side.
>
> Staring at this I'm concluding there is no way of accessing the Comcast
> router admin login from the LAN.
>
> The simplest configuration for the Ubuntu server appears to involve:
> - Put it on the Comcast Lan port at 10.1.10.something;
> - Port Forward 4464 and the UDP ports;
> - Port Forward some high port to 22 (ssh);
> - Setup an Iptables firewall on the Ubuntu side to limit ssh to my
> external IP address at home. (oh, joy of joys)
> - IF I have to get into the Ubuntu server onsite I've just gotta go down
> to the furnace room.
>
> At the moment simplest appears best. Any other thoughts are welcome.
>
>
> On 2021-02-05 15:03, Derek Atkins wrote:
>> HI,
>>
>> On Fri, February 5, 2021 2:02 pm, Neal Rhodes via Ale wrote:
>>> Thanks. I forgot about NAT. So the RV180 is doing NAT on.. everything
>>> that goes out the WAN port? Which essentially means it changes the
>>> packet to say it's coming from its 50.248 address, but somehow remembers
>>> the local address to send the response.
>>
>> Yes, that is how it works. It gets a packet from 192.168.x.y port z
>> destined for 1.2.3.4 port a -- so it rewrites the packet (the AT --
>> Address Translation) so it's coming from 50.248.230.10{6?} port B, and
>> sends it to 1.2.3.4:a. Then, when it gets a REPLY from 1.2.3.4:a
>> destined
>> to port B, it knows to translate that back to 192.168.x.y port z.. And
>> this is how NAT works.
>>
>>> Would the RV180 be deciding NOT to do the NAT on something bound for
>>> 10.1 address? Obviously the NAT is working for everything else.
>>
>> Unlikely. MORE likely the comcast box is not allowing 50.248.230.x to
>> talk to the 10.1 network, and the Ubuntu box does not know how to talk to
>> the 50.248 router.. I.e., ComCast's box is separarating the two
>> networks.
>>
>>> Maybe there is some packet capture on the Comcast router that will shed
>>> some light on that. (ultimately, it always comes back to printf's in
>>> the kernel...)
>>
>> Maybe. Or you could put a dumb hub (not a switch) between the routers and
>> plug in a device to run wireshark?
>>
>> Have you tried putting a 10.1 address on your router?
>>
>> If the default route is still via 50.248, it would only use the 10.1
>> address when talking to other 10.1 addresses.
>>
>> Another question: Is there a reason the Ubuntu box is sitting on the
>> 10.1
>> network? Couldn't you plug it in to the 192.168 network?
>>
>> -derek
>>
>>>
>>> On 2021-02-05 11:20, Derek Atkins wrote:
>>>> HI,
>>>>
>>>> Youre ascii art is hard to read, so I can't tell what's where.
>>>> But basically, no, what SHOULD be happening is that your RV180 would
>>>> NAT
>>>> your 192.168 network to its 50.248 address. then it will send a
>>>> request
>>>> to 10.1 -- the DPC3939 might not allow that.
>>>>
>>>> I think it very unlikely that the Comcast device is seeing the packet
>>>> coming from 192.168.
>>>>
>>>> More likely it's blocking access from the 50.248 to the 10.1 address.
>>>>
>>>> Here's something to try: Can you ADD a 10.1. address to the Comcast
>>>> side
>>>> of the RV180? In other words, let it have the 50.248 address as the
>>>> default address, but also add a static address of 10.1.10.X? And
>>>> ensure
>>>> it properly NAT's from 192.168 to 10.1.
>>>
>>> I only partially understand that. You are saying can I compel the
>>> Comcast router to add an additional 10.1 address it listens on?
>>> Unsure. And in fact would that address allow http login?
>>>
>>>
>>>>
>>>> -derek
>>>>
>>>>
>>>> On Fri, February 5, 2021 11:45 am, Neal Rhodes via Ale wrote:
>>>>> Our church has a Business Comcast DPC3939 connected to Our little
>>>>> Cisco
>>>>> RV 180 VPN.
>>>>>
>>>>> The Comcast has a local IP of 10.1.10.1, and the WAN Static Address of
>>>>> 50.248.230.105.
>>>>>
>>>>> Our Cisco router has a WAN address of 50.248.230.106, and it supports
>>>>> a
>>>>> 192.168.1.X network behind that, which is where everything on the LAN
>>>>> lives.
>>>>>
>>>>> INTERNET==>Comcast DPC3939 <===>Our Cisco RV180VPN<====Our 192.168.1.X
>>>>> LAN <==JackTrip Raspberry Pi Virtual Studio
>>>>> 50.248.230.105
>>>>> 50.248.230.106
>>>>> <==
>>>>> Everything
>>>>> else on the LAN
>>>>> 10.1.10.1
>>>>> |== Ubuntu JackTrip Audio Server
>>>>> 10.1.10.91
>>>>> Port Forwarding 4464, UDP
>>>>> 61002-62000
>>>>>
>>>>> We really need to do a couple of things:
>>>>> - our office administrators need to occasionally be able to http
>>>>> access
>>>>> the Comcast router from our 192.168.1.X LAN. They cannot. Any
>>>>> attempt
>>>>> times out. (Fun fact: you CAN http to 50.248.230.105, and get a login
>>>>> response, BUT the correct userid/password will result in a Password
>>>>> failure. It only allows login from the 10.1.10.1 address.)
>>>>> - we need for ME to be able to occassionally get an ssh session from
>>>>> an
>>>>> office PC TO the Ubuntu server. Similar challenge I think.
>>>>> - The Raspberry Pi Virtual Studio box in the sanctuary needs to
>>>>> connect
>>>>> to the Ubuntu server on port 4464. I think it can hit the external
>>>>> address of the Comcast router for that. I've got that port
>>>>> forwarding
>>>>> all working now at home with a UVerse router.
>>>>>
>>>>> We can access the Comcast Router as http://10.1.10.1 IF we go
>>>>> downstairs
>>>>> to the furnace room and plug into the LAN ports on the DPC3939. The
>>>>> PC
>>>>> will then get a 10.1.10.X address.
>>>>>
>>>>> Now, when I look at the DPC3939, I see no evidence that it has a
>>>>> static
>>>>> route for our LAN. So, when someone on, say 192.168.1.145 puts
>>>>> 10.1.10.1 in their browser, the PC hands it to our Cisco router, it
>>>>> knows it's not on our LAN, so it hands it to its gateway: the DPC3939.
>>>>>
>>>>> And then I THINK the DPC3939 then says, "I don't know where to send
>>>>> 192.168.1.145" and so it times out.
>>>>>
>>>>> I THINK the Comcast router needs a static route that says 192.168.1.X
>>>>> is
>>>>> behind our Cisco router: 50.248.230.106.
>>>>>
>>>>> Am I thinking right? I don't mind stuffing in the route myself, but I
>>>>> asked Comcast first, since it's their equipment. Tier 1 said, "no
>>>>> that's not possible". Tier 3 response was:
>>>>>
>>>>> _1- you need to know, in order for two local networks to communicate
>>>>> they have to be in the same lan scheme, either both 192.168.x.x or
>>>>> 10.1.x.x_
>>>>>
>>>>> _2- My suggestion is to change the local IP scheme for Comcast
>>>>> modem/router to match the other router _
>>>>> _192.168.1.X_
>>>>> _ _
>>>>> _3- Make sure the IP scope of the modem is not conflicting with the
>>>>> other router._
>>>>> _ _
>>>>> _For example if the other router IP scope is from 192.168.1.1 to
>>>>> 192.168.1.100 then make the modem DHCP 192.168.1.101 to
>>>>> 192.168.1.200.
>>>>> Same lan scheme different IP scope to avoid future issues._
>>>>>
>>>>> The Tier 3 response sounds insane to me; if I'm on 192.168.1.145, and
>>>>> I
>>>>> want to send data to 192.168.1.4, my IP stack will just put it out on
>>>>> the LAN wire. The Comcast router is never going to see that, 'cause
>>>>> it's connected to the WAN port on our router. The only way my
>>>>> gateway
>>>>> would get involved is when a workstation knows that the destination is
>>>>> NOT on the local network, and hence the packet needs to get passed to
>>>>> the gateway. The Tier 3 response also seems to open up all kinds of
>>>>> security issues if it in fact worked; then a compromise to anything on
>>>>> the Comcast side could easily bleed into our LAN.
>>>>>
>>>>> What is kinda weird to me is that at home this "just works". I have
>>>>> an
>>>>> AT&T Uverse router which provides 192.168.1.X. I have a Sonicwall VPN
>>>>> router plugged into that, which provides a LAN of 192.168.100.X. The
>>>>> linux and PC devices are on the 100.X network. There are a few
>>>>> expendable devices and IOT on the 1.1 network. I can ssh and http
>>>>> from the 100.1 network to hosts on the 1.1 network; but of course they
>>>>> cannot go the other way. I didn't do anything for this to happen.
>>>>> Did the routers exchange BGP and just figure that out?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Neal Rhodes_______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>> http://mail.ale.org/mailman/listinfo
>>>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
More information about the Ale
mailing list