ASUS
rvoid, 2014-01-23 16:59:27

Access to the local network behind the router from the provider's local network?

Good evening. With all the news about backdoors in network equipment, the question of how safe it is to use a router has come up.

Router: ASUS RT-N10. The radio is disabled. The provider's cable is connected to the WAN port, and a computer is connected to the LAN port. The provider provides Internet access via PPPoE, which forces you to have an address like 10.*.*.* on the local network and to connect to 10.0.0.1 as the "service name". After connecting, a normal public ("white") IP is issued. At the same time, the provider's local network 10.*.*.* does not isolate clients from each other, and everyone who is connected to the equipment in the house "sees" each other on the network. The router, in turn, creates a network like 192.168.*.*, and the control panel is available at 192.168.1.1.

Questions:
1. Can anyone from the provider's network access the router panel 192.168.1.1?
2. Is my 192.168.1.2 visible to anyone on the provider's network, if we assume he changes his IP to 192.168.1.3? (I did not check, but it seems that the provider's equipment allows you to have any IP on the local network.)
3. If the answer to any of the questions is "yes", how do I deal with it?

Thanks in advance for your replies. I apologize for the noobness.


3 answer(s)
n1ghtingale, 2014-01-23
@n1ghtingale

1. Yes, if access is open to the outside, as well as access via SSH and Telnet.
To fix this, you need to close off access from outside in the settings and leave access only from the local network.
2. No, not visible.

TaroKun, 2014-01-24
@TaroKun

1. On Asus routers of this series, on the WAN or Security tab, there is a checkbox "Allow management via wan". Uncheck it and the web panel is not accessible from outside.
2. Over PPPoE, they cannot see it.
3. To be on the safe side, you can flash the router with something like OpenWRT and study the firewall settings in detail, change the SSH / Telnet ports and set secure passwords. And find a provider that delivers Internet access via VPN.

rvoid, 2014-01-24
@rvoid

Thanks for the answers.
The only setting that directly controls panel access is: Enable web access from WAN? - No (it was set this way by default). This restriction works: it was not possible to connect to the public IP through a proxy.
However, there is a very interesting section in the LAN settings.
LAN - Route
This feature allows you to add routing rules to the RT-N10. This feature is useful when connecting multiple routers other than RT-N10 to share a single Internet connection.
List of static routes
Use DHCP routes? - Yes
Enable multicast routing? - Yes
Enable static routes? - No

and an empty table at the bottom with fields:
Disabled
Use DHCP routes? - No
Enable multicast routing? - No

Are these settings okay?
LAN - LAN IP Address
Set the LAN IP address of the RT-N10. The DHCP server dynamically changes the IP address pool when the LAN IP address changes.
IP address: 192.168.1.1
Subnet mask: 255.255.255.0

Do you have any idea what other potentially dangerous settings are on the router? I think it's still worth forcibly assigning an IP bound to the MAC and turning off DHCP.
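
A self-check for question 1, added here as an example and not part of any post in the thread: the proxy test above only covers the public address, while the router also has a 10.*.*.* address on the provider network, so this probes the management services named in the answers on every WAN-side address you pass it. Run it against your own router from a machine outside its LAN; the port numbers are the usual defaults and are an assumption.

```python
import socket
import sys

# Management services named in the answers. Port numbers are the usual
# defaults (an assumption; check what your firmware actually listens on).
MGMT_PORTS = {80: "web panel (HTTP)", 443: "web panel (HTTPS)",
              22: "SSH", 23: "Telnet"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port: 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"          # the connection was actively refused
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the way


def audit(addresses, ports=MGMT_PORTS, timeout=2.0):
    """Return (address, port, service) for every management port that accepts
    a connection on any of the given WAN-side addresses."""
    exposed = []
    for addr in addresses:
        for port, service in ports.items():
            if probe(addr, port, timeout) == "open":
                exposed.append((addr, port, service))
    return exposed


if __name__ == "__main__":
    # Pass both WAN-side addresses of your own router: its 10.*.*.* address
    # on the provider network and the public address issued over PPPoE.
    found = audit(sys.argv[1:])
    for addr, port, service in found:
        print(f"EXPOSED {addr}:{port} {service}")
    sys.exit(1 if found else 0)
```

An empty result with exit status 0 means none of the listed ports accepted a connection from where the script was run.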
