Disable access to 169.254.1.1 in epmp

TimoWanume · October 7, 2022, 11:40am

How do i disable access to 169.254.1.1 in epmp f300
I tried this but never succeeded.

software version is 4.6.2

Douglas_Generous · October 7, 2022, 9:24pm

It can not be 0.0.0.0
That is a reserved address that means any ip

Why are you trying to disable the recovery IP?

TimoWanume · October 8, 2022, 2:23am

Security, means with the recovery ip, anyone can àccess it

Douglas_Generous · October 8, 2022, 2:39am

Not quite, the 169.254.1.1 address can only be accessed from the ethernet port. The same web access page can be accessed from the ethernet port ip address regardless of the mode. So security wise it makes no real security difference.

If you are trying to prevent clients from accessing the page, place a very complex and long password for the admin user and use radius for technician access.
If you need to prevent access from the internet at large then I highly suggest you look at using a management vlan that does not use publicly routable addresses and enforce this segmentation via net fliters/ACLs.

Eric_Ozrelic · October 8, 2022, 2:41am

@Douglas_Generous beat me to it… but yeah, from a security standpoint, blocking or removing the 169.254.1.1 IP is not an effective way to harden security for your overall network and radios. There are much more important attack vectors to consider.

TimoWanume · October 8, 2022, 2:58am

O, ok. I understand that now.

My other query is. How do I access the antennas when management vlan is enabled.

When I add management vlan for NOC management. I cease to locally access them unless I connect to them individually using the ethernet IP 169.254.1.1. Can’t even ping their LAN ips

Douglas_Generous · October 8, 2022, 3:11am

To use the management vlan you need to setup the SM, AP, switch port and router to support this. So your router should not allow access from any address except from the NOC so you place your management vlan on this same subnet or tou build a private routable subnet and set per tower management subnets. This can be accomplished in several ways but the bulk of what needs to be done is on the tower router and switch after you enable and assign the management vlan on each SM then AP.

This is definitely not a simple or easy task especially since we have no real knowledge (and dont give it on the open forum) of your network design and layout.

TimoWanume · October 8, 2022, 3:59am

Thanks @Douglas_Generous

Matt_Hopkins · October 12, 2022, 9:25pm

This is exactly what we do across our network in order to shut off the default IP after install. Here is the cnMaestro template for ePMP:

{
	"template_props": {
		"templateName": "",
		"version": "4.6.2"
	},
	"device_props": {
		"networkLanDefaultIP": "0.0.0.0"
	}
}

James_Mifsud · October 13, 2022, 11:04pm

Hello,

I’m not too familiar with the ePMP range of products, but on the PMP 450 series there is a secret root password; if they are similar I would look at changing the root and admin (these are different on the 450) password and keep it same in a password manager. @Eric_Ozrelic are you able to confirm if this the same for ePMP?

I would also ENSURE that AAA Authentication, Radius is enabled!!

Having access to 169.254.1.1 isn’t a large security risk, by removing this IP is Security by Obscurity and as you know, Security by Obscurity is NO Security at all!

The 169.254.1.1 is non-routable through their home router and cannot be seen using ICMP; However if they were to bypass your home’s router they’ll be able to access the ePMP through the MGNT IP address you’ve assigned (static or dynamic private IPv4, CGNAT, public IPv6, etc, etc) in the ePMP SM, along with 169.254.1.1

Eric_Ozrelic · October 14, 2022, 12:10am

These are the only accounts you need to make sure are disabled or the passwords changed from defaults on ePMP:

James_Mifsud · October 14, 2022, 12:22am

Thanks @Eric_Ozrelic

I knew I could count on you, I really do need to get my hands on some demo ePMP equipment and get my hands dirty with it.

Douglas_Generous · October 20, 2022, 7:41pm

you have a couple things wrong:

on the 450/any of the radios that have Canopy heritage, the root user is not secret nor hidden. It is up to you to select it in the users list and change its password or use wireless manager to do it for you as it is the user used by WM and cnut to provide control and firmware upgrades.
the AIPA addresses (169.254.0.0/16) are routable and can be used to get internet access as per how Microsoft (whom owns this subnet) has determined its applicable semi-public use. What a good ISP does is block these addresses from entering or leaving their network as part of good network design and best practices.
on epmp radios, the 169.254.1.1 address is always available for radio recovery and is able to respond to any ICMP ping from the same subnet. This is a different behavior from the PMP line of radios that use a default plug in the accessory connector (6p6c jack) to make the recovery IP available.

I do agree that disabling it is pointless since it will cause issues with recovery efforts should the IP on the radio be forgotten or accidentally miss-configured. And if for security reasoning, this does nothing since the webpage is available on the gateway IP address provided to the customers router with the exception of a simple bridged radio which no IP is being provided by the radio.
Use of radius for user access control is so easy that I do not understand why the admin password isnt set to something complicated and just use radius users, but also for the few times where you need admin level access while not connected to the network it is still needed. These radios do need something like DenyHosts that tracks login attempts and bans the requesting IP for a time on repeated login failures and provides a way to report these login attempts.

Tony_L · November 21, 2022, 8:26pm

Apply the Vlan only on the wireless side…

system · November 21, 2023, 8:26pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.