[ale] 10.1.10.1 Comcast access from local LAN? (Slightly OT BUT there is Ubuntu AND PI involved!)

Derek Atkins derek at ihtfp.com
Mon Feb 8 07:58:39 EST 2021


HI,

On Sun, February 7, 2021 9:03 pm, Neal Rhodes via Ale wrote:
> I appreciate all the responses to date, and need a bit of time to absorb
> them.
>
> I have implemented the port forwarding and UFW firewall as outlined, as
> the initial tests seem to imply that it works.  It's annoying that
> Comcast cannot port forward port 643122 to port 22; it can only forward
> port 22 to port 22.   So I have some bozo attempting ssh showing up in
> the UFW logs every 2 minutes.

There is no port 643122.  Max port number is 65535.

Having said that, you SHOULD be able to forward arbitrary ports, but it's
certainly possible that comcast would limit the forwarding.  I cannot
answer for them.

> I needed the solution to look totally pristine, and retain the current
> very clear perimeter between LAN and the outside world.   Anything that
> looks like it is piercing that perimeter is just not going to fly with
> the folks I have to live with.

You technically have two borders:
* outside comcast
* between comcast and cisco
* inside cisco

Personally, I would consider comcast to be your perimeter between outside
world -- although I can also see how you could consider "between comcast
and cisco" to be a DMZ.

In most security infrastructures I've seen, getting from LAN to DMZ is
allowed, but getting from DMZ to LAN is not.  Just adding a 10.1 address
to the cisco would generally do that.

> The Jacktrip clients are singers living in homes with random IP
> addresses every time something reboots.  So, thus far I'm reasonably
> happy with this solution.   Just finished getting the low-latency kernel
> rebooted, and we're focusing on coordination and audio leveling for use
> next Sunday.
>
> Once I get some time I will try to digest all the responses, but I'm not
> sure I'll get to the point of understanding enough Cisco to create a
> parallel 10.1.10.X and make that work.

Unfortunately I don't own or manage any cisco equipment (except for an IP
Phone) so I can't tell you the commands to use to do this.  I am fairly
confident that you CAN do this.  If you had a Unifi device I could tell
you how to do it :)  It might be as easy as just literally adding another
IP address to the device.  For example, see
https://community.cisco.com/t5/networking-documents/how-to-configure-multiple-ip-addresses-on-an-interface/ta-p/3132716
 or possibly
https://community.cisco.com/t5/routing/how-to-assign-multiple-ip-addresses-to-a-cisco-router-interface/td-p/3217747

Good Luck!

> regards to all,
>
> Neal

-derek

>
> On 2021-02-07 13:56, Boris Borisov via Ale wrote:
>> Assuming :
>>
>> 1. You don't want to touch Comcast device.
>> 2. Cisco has VPN.
>>
>> You can create VPN from Ubuntu server to the Cisco with static IP
>> address in same network as office LAN is aka 192.168.1.250.
>>
>> Then add static route in Cisco to access 10.1.10.1 using that static
>> 192.168.1.250 for gateway.
>>
>> And eventually NAT in Ubuntu server to get the traffic from
>> 192.168.1.250 to the default gw.
>>
>> On Sun, Feb 7, 2021, 14:11 Alex Carver via Ale <ale at ale.org> wrote:
>>
>>> If you know the IPs of the Jacktrip boxes outside and inside then
>>> just whitelist them (after putting everything on the Cisco with
>>> multiple IP's on its WAN as suggested).  You don't need to allow
>>> someone on the other side of the planet to access it.
>>>
>>> Another thing to investigate would be either SSH tunnels or private
>>> VPN to tunnel the Jacktrip data.  Any remote Jacktrip device would
>>> need to establish the tunnel into your network (through a single
>>> port using keys and passwords) and then the Jacktrips can see each
>>> other as they all become members of the inside network.
>>>
>>> On 2021-02-06 08:35, Neal Rhodes via Ale wrote:
>>>> Thanks for all the responses.   As suggested,
>>>>
>>>> https://www.dropbox.com/s/hdeizsvptc4gmpe/WAN-LAN-Comcast-Cisco.pdf?dl=0
>>>>
>>>> is a link to a pdf of a hand-drawn diagram.   I suspect the list
>>>> server will flag a .pdf file.   Sorry that Ascii diagram didn't show.
>>>>
>>>> While JackTrip and Jack audio have been around for a long time at
>>>> Stanford, the security aspect is unclear.  The Ubuntu Jacktrip
>>>> server needs to be accessible at port 4464 to any and all Jacktrip
>>>> Virtual Studio Pi boxes in the area.   I have some concern over a
>>>> security breach in JackTrip spilling over into the LAN.  And some
>>>> trepidation over actually getting inbound port forwarding to happen
>>>> over two layers, eg Comcast and Cisco.   All that made me lean
>>>> towards placing the server on one of the Comcast LAN ports.
>>>>
>>>> I'm a bit hazy on what would happen IF I setup a DMZ address on
>>>> the Cisco side, inside the perimeter.   I guess I could make the
>>>> Ubuntu server have an address NOT on the 192.168.1.x network.   But,
>>>> seems like with it sitting on the switch with all the other LAN
>>>> resources, that's a paper-thin wall from it getting to the LAN if
>>>> it's compromised.  I don't want to be "THAT Guy".
>>>>
>>>> From a Desktop, whatismyipaddress reports 50.248.230.105.   Thus
>>>> I'm expecting that the Cisco router is doing its NAT job, and any
>>>> outbound traffic requested to 10.1.10.1, or 10.1.10.100 may be
>>>> going out to Comcast, but coming from 50.248.230.105, and it's
>>>> saying "oh hell no" at routing it to 10.1.10.X.   I don't see any
>>>> setup which would improve that on either side.
>>>>
>>>> Staring at this I'm concluding there is no way of accessing the
>>>> Comcast router admin login from the LAN.
>>>>
>>>> The simplest configuration for the Ubuntu server appears to
>>>> involve:
>>>> - Put it on the Comcast Lan port at 10.1.10.something;
>>>> - Port Forward 4464 and the UDP ports;
>>>> - Port Forward some high port to 22 (ssh);
>>>> - Setup an Iptables firewall on the Ubuntu side to limit ssh to my
>>>>   external IP address at home.  (oh, joy of joys)
>>>> - IF I have to get into the Ubuntu server onsite I've just gotta
>>>>   go down to the furnace room.
>>>>
>>>> At the moment simplest appears best.   Any other thoughts are
>>>> welcome.
>>>>
>>>>
>>>> On 2021-02-05 15:03, Derek Atkins wrote:
>>>>> HI,
>>>>>
>>>>> On Fri, February 5, 2021 2:02 pm, Neal Rhodes via Ale wrote:
>>>>>> Thanks.  I forgot about NAT.  So the RV180 is doing NAT on..
>>>>>> everything that goes out the WAN port?   Which essentially means
>>>>>> it changes the packet to say it's coming from its 50.248 address,
>>>>>> but somehow remembers the local address to send the response.
>>>>>
>>>>> Yes, that is how it works.  It gets a packet from 192.168.x.y
>>>>> port z destined for 1.2.3.4 port a -- so it rewrites the packet
>>>>> (the AT -- Address Translation) so it's coming from
>>>>> 50.248.230.10{6?} port B, and sends it to 1.2.3.4:a.  Then, when
>>>>> it gets a REPLY from 1.2.3.4:a destined to port B, it knows to
>>>>> translate that back to 192.168.x.y port z..  And this is how NAT
>>>>> works.
>>>>>
>>>>>> Would the RV180 be deciding NOT to do the NAT on something bound
>>>>>> for 10.1 address?  Obviously the NAT is working for everything
>>>>>> else.
>>>>>
>>>>> Unlikely.  MORE likely the comcast box is not allowing
>>>>> 50.248.230.x to talk to the 10.1 network, and the Ubuntu box does
>>>>> not know how to talk to the 50.248 router..  I.e., ComCast's box
>>>>> is separating the two networks.
>>>>>
>>>>>> Maybe there is some packet capture on the Comcast router that
>>>>>> will shed some light on that.   (ultimately, it always comes back
>>>>>> to printf's in the kernel...)
>>>>>
>>>>> Maybe. Or you could put a dumb hub (not a switch) between the
>>>>> routers and plug in a device to run wireshark?
>>>>>
>>>>> Have you tried putting a 10.1 address on your router?
>>>>>
>>>>> If the default route is still via 50.248, it would only use the
>>>>> 10.1 address when talking to other 10.1 addresses.
>>>>>
>>>>> Another question:  Is there a reason the Ubuntu box is sitting on
>>>>> the 10.1 network?  Couldn't you plug it in to the 192.168 network?
>>>>>
>>>>> -derek
>>>>>
>>>>>>
>>>>>> On 2021-02-05 11:20, Derek Atkins wrote:
>>>>>>> HI,
>>>>>>>
>>>>>>> Your ascii art is hard to read, so I can't tell what's where.
>>>>>>> But basically, no, what SHOULD be happening is that your RV180
>>>>>>> would NAT your 192.168 network to its 50.248 address.  Then it
>>>>>>> will send a request to 10.1 -- the DPC3939 might not allow that.
>>>>>>>
>>>>>>> I think it very unlikely that the Comcast device is seeing the
>>>>>>> packet coming from 192.168.
>>>>>>>
>>>>>>> More likely it's blocking access from the 50.248 to the 10.1
>>>>>>> address.
>>>>>>>
>>>>>>> Here's something to try:  Can you ADD a 10.1. address to the
>>>>>>> Comcast side of the RV180?  In other words, let it have the
>>>>>>> 50.248 address as the default address, but also add a static
>>>>>>> address of 10.1.10.X?  And ensure it properly NAT's from
>>>>>>> 192.168 to 10.1.
>>>>>>
>>>>>> I only partially understand that.  You are saying can I compel
>>>>>> the Comcast router to add an additional 10.1 address it listens
>>>>>> on?  Unsure.   And in fact would that address allow http login?
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> -derek
>>>>>>>
>>>>>>>
>>>>>>> On Fri, February 5, 2021 11:45 am, Neal Rhodes via Ale wrote:
>>>>>>>> Our church has a Business Comcast DPC3939 connected to Our
>>>>>>>> little Cisco RV 180 VPN.
>>>>>>>>
>>>>>>>> The Comcast has a local IP of 10.1.10.1, and the WAN Static
>>>>>>>> Address of 50.248.230.105.
>>>>>>>>
>>>>>>>> Our Cisco router has a WAN address of 50.248.230.106, and it
>>>>>>>> supports a 192.168.1.X network behind that, which is where
>>>>>>>> everything on the LAN lives.
>>>>>>>>
>>>>>>>> INTERNET ==> Comcast DPC3939 <===> Our Cisco RV180VPN <==== Our 192.168.1.X LAN <== JackTrip Raspberry Pi Virtual Studio
>>>>>>>>              50.248.230.105        50.248.230.106             <== Everything else on the LAN
>>>>>>>>              10.1.10.1
>>>>>>>>              |== Ubuntu JackTrip Audio Server 10.1.10.91
>>>>>>>>                  Port Forwarding 4464, UDP 61002-62000
>>>>>>>>
>>>>>>>> We really need to do a couple of things:
>>>>>>>> - our office administrators need to occasionally be able to
>>>>>>>>   http access the Comcast router from our 192.168.1.X LAN.  They
>>>>>>>>   cannot.  Any attempt times out.  (Fun fact: you CAN http to
>>>>>>>>   50.248.230.105, and get a login response, BUT the correct
>>>>>>>>   userid/password will result in a Password failure.  It only
>>>>>>>>   allows login from the 10.1.10.1 address.)
>>>>>>>> - we need for ME to be able to occasionally get an ssh session
>>>>>>>>   from an office PC TO the Ubuntu server.   Similar challenge I
>>>>>>>>   think.
>>>>>>>> - The Raspberry Pi Virtual Studio box in the sanctuary needs to
>>>>>>>>   connect to the Ubuntu server on port 4464.   I think it can
>>>>>>>>   hit the external address of the Comcast router for that.   I've
>>>>>>>>   got that port forwarding all working now at home with a UVerse
>>>>>>>>   router.
>>>>>>>>
>>>>>>>> We can access the Comcast Router as http://10.1.10.1 IF we go
>>>>>>>> downstairs to the furnace room and plug into the LAN ports on
>>>>>>>> the DPC3939.  The PC will then get a 10.1.10.X address.
>>>>>>>>
>>>>>>>> Now, when I look at the DPC3939, I see no evidence that it has a
>>>>>>>> static route for our LAN.  So, when someone on, say
>>>>>>>> 192.168.1.145 puts 10.1.10.1 in their browser, the PC hands it
>>>>>>>> to our Cisco router, it knows it's not on our LAN, so it hands
>>>>>>>> it to its gateway: the DPC3939.
>>>>>>>>
>>>>>>>> And then I THINK the DPC3939 then says, "I don't know where to
>>>>>>>> send 192.168.1.145" and so it times out.
>>>>>>>>
>>>>>>>> I THINK the Comcast router needs a static route that says
>>>>>>>> 192.168.1.X is behind our Cisco router: 50.248.230.106.
>>>>>>>>
>>>>>>>> Am I thinking right?  I don't mind stuffing in the route myself,
>>>>>>>> but I asked Comcast first, since it's their equipment.   Tier 1
>>>>>>>> said, "no that's not possible".  Tier 3 response was:
>>>>>>>>
>>>>>>>> 1- you need to know, in order for two local networks to
>>>>>>>> communicate they have to be in the same lan scheme, either both
>>>>>>>> 192.168.x.x or 10.1.x.x
>>>>>>>>
>>>>>>>> 2- My suggestion is to change the local IP scheme for Comcast
>>>>>>>> modem/router to match the other router 192.168.1.X
>>>>>>>>
>>>>>>>> 3- Make sure the IP scope of the modem is not conflicting with
>>>>>>>> the other router.
>>>>>>>>
>>>>>>>> For example if the other router IP scope is from 192.168.1.1 to
>>>>>>>> 192.168.1.100 then make the modem DHCP 192.168.1.101 to
>>>>>>>> 192.168.1.200.  Same lan scheme different IP scope to avoid
>>>>>>>> future issues.
>>>>>>>>
>>>>>>>> The Tier 3 response sounds insane to me; if I'm on
>>>>>>>> 192.168.1.145, and I want to send data to 192.168.1.4, my IP
>>>>>>>> stack will just put it out on the LAN wire.   The Comcast router
>>>>>>>> is never going to see that, 'cause it's connected to the WAN
>>>>>>>> port on our router.    The only way my gateway would get
>>>>>>>> involved is when a workstation knows that the destination is
>>>>>>>> NOT on the local network, and hence the packet needs to get
>>>>>>>> passed to the gateway.  The Tier 3 response also seems to open
>>>>>>>> up all kinds of security issues if it in fact worked; then a
>>>>>>>> compromise to anything on the Comcast side could easily bleed
>>>>>>>> into our LAN.
>>>>>>>>
>>>>>>>> What is kinda weird to me is that at home this "just works".
>>>>>>>> I have an AT&T Uverse router which provides 192.168.1.X.  I have
>>>>>>>> a Sonicwall VPN router plugged into that, which provides a LAN
>>>>>>>> of 192.168.100.X. The linux and PC devices are on the 100.X
>>>>>>>> network.   There are a few expendable devices and IOT on the 1.1
>>>>>>>> network.    I can ssh and http from the 100.1 network to hosts
>>>>>>>> on the 1.1 network; but of course they cannot go the other way.
>>>>>>>> I didn't do anything for this to happen.  Did the routers
>>>>>>>> exchange BGP and just figure that out?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Neal Rhodes
>>>>>>>> _______________________________________________
>>>>>>>> Ale mailing list
>>>>>>>> Ale at ale.org
>>>>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>>>> http://mail.ale.org/mailman/listinfo
>>>>>>>>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
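Neal's plan up-thread (limit ssh with UFW and watch the logs for the "bozo" attempts every 2 minutes) can be checked against the logs themselves. The following is an added example, not code from anyone in this thread: a small Python script that counts [UFW BLOCK] entries for TCP port 22 per source address and flags repeat sources. The log lines it runs over are constructed samples in UFW's usual kernel-log field format (abbreviated), and the source addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Constructed sample lines in UFW's "[UFW BLOCK] ... SRC= ... PROTO= ... DPT="
# kernel-log format (other fields omitted). Three SYNs to port 22 from one
# source, plus one unrelated UDP drop on the JackTrip port 4464.
SAMPLE_LOG = """\
Feb  8 07:50:01 jacktrip kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.10.91 PROTO=TCP SPT=51234 DPT=22 SYN
Feb  8 07:52:03 jacktrip kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.10.91 PROTO=TCP SPT=51240 DPT=22 SYN
Feb  8 07:53:11 jacktrip kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.1.10.91 PROTO=UDP SPT=4000 DPT=4464
Feb  8 07:54:02 jacktrip kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.10.91 PROTO=TCP SPT=51250 DPT=22 SYN
"""

# UFW writes these key=value fields in this order, so a lazy match suffices.
LINE_RE = re.compile(
    r"\[UFW (?P<action>[A-Z]+)\].*?SRC=(?P<src>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

def parse_ufw_line(line):
    """Return (action, src, proto, dpt) for a UFW log line, or None if not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["action"], m["src"], m["proto"], int(m["dpt"])

def blocked_ssh_sources(log_text, port=22):
    """Count [UFW BLOCK] entries per source address for TCP traffic to `port`."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_ufw_line(line)
        if parsed is None:
            continue
        action, src, proto, dpt = parsed
        if action == "BLOCK" and proto == "TCP" and dpt == port:
            counts[src] += 1
    return counts

def repeat_offenders(counts, threshold=3):
    """Sources with at least `threshold` blocked attempts, most active first."""
    return [src for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    counts = blocked_ssh_sources(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} blocked ssh attempt(s)")
    print("repeat offenders:", repeat_offenders(counts))
```

On an Ubuntu host the same functions can be fed the contents of /var/log/ufw.log to see whether the UFW rule restricting ssh to the home address is in fact catching the unwanted attempts.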


