Disable access to 169.254.1.1 in epmp

How do I disable access to 169.254.1.1 in ePMP F300?
I tried this but never succeeded.

software version is 4.6.2

It can not be 0.0.0.0
That is a reserved address that means any ip

Why are you trying to disable the recovery IP?

Security, means with the recovery ip, anyone can access it

Not quite, the 169.254.1.1 address can only be accessed from the ethernet port. The same web access page can be accessed from the ethernet port ip address regardless of the mode. So security wise it makes no real security difference.

If you are trying to prevent clients from accessing the page, place a very complex and long password for the admin user and use radius for technician access.
If you need to prevent access from the internet at large then I highly suggest you look at using a management vlan that does not use publicly routable addresses and enforce this segmentation via net filters/ACLs.

2 Likes

@Douglas_Generous beat me to it… but yeah, from a security standpoint, blocking or removing the 169.254.1.1 IP is not an effective way to harden security for your overall network and radios. There are much more important attack vectors to consider.

1 Like

O, ok. I understand that now.

My other query is: how do I access the antennas when management vlan is enabled?

When I add management vlan for NOC management. I cease to locally access them unless I connect to them individually using the ethernet IP 169.254.1.1. Can’t even ping their LAN ips

To use the management vlan you need to set up the SM, AP, switch port and router to support this. So your router should not allow access from any address except from the NOC so you place your management vlan on this same subnet or you build a private routable subnet and set per tower management subnets. This can be accomplished in several ways but the bulk of what needs to be done is on the tower router and switch after you enable and assign the management vlan on each SM then AP.

This is definitely not a simple or easy task, especially since we have no real knowledge (and don't give it on the open forum) of your network design and layout.

1 Like

Thanks @Douglas_Generous

This is exactly what we do across our network in order to shut off the default IP after install. Here is the cnMaestro template for ePMP:

{
	"template_props": {
		"templateName": "",
		"version": "4.6.2"
	},
	"device_props": {
		"networkLanDefaultIP": "0.0.0.0"
	}
}
2 Likes

Hello,

I’m not too familiar with the ePMP range of products, but on the PMP 450 series there is a secret root password; if they are similar I would look at changing the root and admin (these are different on the 450) password and keep it same in a password manager. @Eric_Ozrelic are you able to confirm if this is the same for ePMP?

I would also ENSURE that AAA Authentication, Radius is enabled!!

Having access to 169.254.1.1 isn’t a large security risk, by removing this IP is Security by Obscurity and as you know, Security by Obscurity is NO Security at all!

The 169.254.1.1 is non-routable through their home router and cannot be seen using ICMP; However if they were to bypass your home’s router they’ll be able to access the ePMP through the MGNT IP address you’ve assigned (static or dynamic private IPv4, CGNAT, public IPv6, etc, etc) in the ePMP SM, along with 169.254.1.1

These are the only accounts you need to make sure are disabled or the passwords changed from defaults on ePMP:

1 Like

Thanks @Eric_Ozrelic

I knew I could count on you, I really do need to get my hands on some demo ePMP equipment and get my hands dirty with it.

1 Like

you have a couple things wrong:

  1. on the 450/any of the radios that have Canopy heritage, the root user is not secret nor hidden. It is up to you to select it in the users list and change its password or use wireless manager to do it for you as it is the user used by WM and cnut to provide control and firmware upgrades.

  2. the APIPA addresses (169.254.0.0/16) are routable and can be used to get internet access as per how Microsoft (who owns this subnet) has determined its applicable semi-public use. What a good ISP does is block these addresses from entering or leaving their network as part of good network design and best practices.

  3. on epmp radios, the 169.254.1.1 address is always available for radio recovery and is able to respond to any ICMP ping from the same subnet. This is a different behavior from the PMP line of radios that use a default plug in the accessory connector (6p6c jack) to make the recovery IP available.

I do agree that disabling it is pointless since it will cause issues with recovery efforts should the IP on the radio be forgotten or accidentally misconfigured. And if for security reasoning, this does nothing since the webpage is available on the gateway IP address provided to the customer's router with the exception of a simple bridged radio which no IP is being provided by the radio.
Use of radius for user access control is so easy that I do not understand why the admin password isn't set to something complicated and just use radius users, but also for the few times where you need admin level access while not connected to the network it is still needed. These radios do need something like DenyHosts that tracks login attempts and bans the requesting IP for a time on repeated login failures and provides a way to report these login attempts.
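
The DenyHosts-style tracking asked for in the post above, sketched as something an operator could run on a central syslog collector. This is an added example, not code from the thread or from Cambium; the log line format, radio names, addresses and thresholds are constructed assumptions and real radio syslog output will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not actual ePMP syslog output).
SAMPLE_LOG = """\
2024-05-01T10:00:00 sm-17 webui: login failed user=admin src=10.20.0.55
2024-05-01T10:00:20 sm-17 webui: login failed user=admin src=10.20.0.55
2024-05-01T10:00:41 sm-18 webui: login failed user=root src=10.20.0.55
2024-05-01T10:01:00 sm-18 webui: login failed user=root src=10.20.0.55
2024-05-01T10:02:00 ap-02 webui: login failed user=tech1 src=10.10.0.9
2024-05-01T10:09:30 ap-02 webui: login failed user=tech1 src=10.10.0.9
2024-05-01T10:09:50 ap-02 webui: login ok user=tech1 src=10.10.0.9
2024-05-01T10:40:00 ap-02 webui: login failed user=tech1 src=10.10.0.9
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<radio>\S+) webui: login failed user=\S+ src=(?P<src>\S+)$"
)

def find_bans(log_text, max_failures=3,
              window=timedelta(minutes=5), ban_time=timedelta(minutes=30)):
    """Return {src_ip: {"until": datetime, "radios": [...]}} for every source
    that reaches max_failures failed logins inside a sliding window.
    Failures are counted per source across all radios, so a sweep that tries
    one or two passwords on each radio is still caught."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, radio)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue              # successful logins and unrelated lines
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if src in bans and ts < bans[src]["until"]:
            continue              # source is already inside its ban period
        q = recent[src]
        q.append((ts, m["radio"]))
        while ts - q[0][0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            bans[src] = {"until": ts + ban_time,
                         "radios": sorted({radio for _, radio in q})}
            q.clear()
    return bans

if __name__ == "__main__":
    for src, info in find_bans(SAMPLE_LOG).items():
        print(f"ban {src} until {info['until'].isoformat()} "
              f"(failed logins on: {', '.join(info['radios'])})")
```

The returned sources would then be fed to whatever enforces the management ACL, for example the tower router, and the same dictionary serves as the report of login attempts.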

Apply the Vlan only on the wireless side…