Microsoft Homegroup

We’re seeing an issue on our network where customers that plug their Windows Vista/7 computer directly into the CPE broadcast their homegroup on the network, allowing other customers to join it. This presents a small security risk, and we’re looking to disable the feature.

From what I’ve been able to determine so far, Homegroup uses the following ports:
To find other Vista/7 computers:
UDP 3702
UDP 5355
TCP 5357
TCP 5358
To find network devices:
UDP 1900
TCP 2869
UDP 3702
UDP 5355
TCP 5357
TCP 5358

Unfortunately, we can only block 3 additional ports in the Canopy radios, and at a minimum would need to block 6. We already have SMB (Network Neighborhood) blocked in the upstream direction which blocks the following ports.
UDP 137
UDP 138
TCP 137
TCP 139
TCP 445

Are there any plans to enable a one button check that would block all 6 ports necessary to block this, or has anyone figured out a way to block it on their network?
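As an added example (not code from the thread), a small Python check that applies the port table above to constructed flow records and counts which subscriber hosts are sending HomeGroup discovery traffic that can reach other subscribers on a flat segment; the 10.20.0.0/16 subscriber range and the 10.20.0.1 gateway are assumed values.

```python
import ipaddress
from collections import Counter
# Port table from the post: how HomeGroup finds other Vista/7 hosts and devices.
HOMEGROUP_PORTS = {("udp", 3702): "WS-Discovery", ("udp", 5355): "LLMNR",
                   ("tcp", 5357): "WSDAPI", ("tcp", 5358): "WSDAPI",
                   ("udp", 1900): "SSDP", ("tcp", 2869): "UPnP"}
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)}
# Assumed subscriber segment and gateway (constructed, not from the thread).
SUBSCRIBER_NET = ipaddress.ip_network("10.20.0.0/16")
GATEWAY = ipaddress.ip_address("10.20.0.1")
def parse_flow(line):
    """Parse a 'proto src:sport dst:dport' record; return None if malformed."""
    try:
        proto, src, dst = line.split()
        dip, dport = dst.rsplit(":", 1)
        return {"proto": proto.lower(), "dport": int(dport),
                "src": ipaddress.ip_address(src.rsplit(":", 1)[0]),
                "dst": ipaddress.ip_address(dip)}
    except ValueError:
        return None
def classify(flow):
    """Service name if the flow can reach another subscriber, 'smb-blocked' if
    the post says it is already filtered upstream, else None."""
    if flow["src"] not in SUBSCRIBER_NET:
        return None
    key = (flow["proto"], flow["dport"])
    if key in SMB_PORTS:
        return "smb-blocked"
    dst = flow["dst"]
    # A leak is multicast or unicast to another subscriber; gateway-only flows are not.
    if key in HOMEGROUP_PORTS and (dst.is_multicast or
                                   (dst in SUBSCRIBER_NET and dst != GATEWAY)):
        return HOMEGROUP_PORTS[key]
    return None
def leaking_sources(lines):
    """Count HomeGroup flows leaking between subscribers, per (src, service)."""
    hits = Counter()
    for flow in filter(None, map(parse_flow, lines)):
        label = classify(flow)
        if label and label != "smb-blocked":
            hits[(str(flow["src"]), label)] += 1
    return hits
SAMPLE_FLOWS = [  # constructed records, not a real capture
    "udp 10.20.3.15:49152 239.255.255.250:3702",  # WS-Discovery probe
    "udp 10.20.3.15:5355 224.0.0.252:5355",       # LLMNR query
    "tcp 10.20.3.15:50001 10.20.7.9:5357",        # WSDAPI to another customer
    "tcp 10.20.7.9:50002 10.20.3.15:445",         # SMB, blocked upstream already
    "tcp 10.20.3.15:50003 10.20.0.1:5357",        # reaches only the gateway
]
```

Running `leaking_sources(SAMPLE_FLOWS)` reports the three discovery flows from 10.20.3.15 and ignores the SMB flow and the gateway-only flow.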

What you need to do is enable subscriber isolation. What is your network topology? I’m guessing this is a single flat VLAN with bridged CPEs? On the APs set “Option 1 - do not forward SM destined packets” and on all of your CMMs set up port-based VLANs so that APs cannot talk to each other. Then you’ll need to look into your core infrastructure, with either separate VLANs per tower, or using Private VLANs or Protected Ports to isolate things further.

You can also look into a routed infrastructure, where SMs are in NAT mode, or bridged with isolation to a router at the tower base.

Until IPv6 support comes out in these radios you can only do the custom IPv4 port blocking like you say, SMB, and IPv4 multicast. However computers will still be able to communicate via IPv6 multicast.

salad wrote:
What you need to do is enable subscriber isolation. What is your network topology? I'm guessing this is a single flat VLAN with bridged CPEs? On the APs set "Option 1 - do not forward SM destined packets" and on all of your CMMs set up port-based VLANs so that APs cannot talk to each other. Then you'll need to look into your core infrastructure, with either separate VLANs per tower, or using Private VLANs or Protected Ports to isolate things further.

You can also look into a routed infrastructure, where SMs are in NAT mode, or bridged with isolation to a router at the tower base.

Until IPv6 support comes out in these radios you can only do the custom IPv4 port blocking like you say, SMB, and IPv4 multicast. However computers will still be able to communicate via IPv6 multicast.

We do run different VLANs on each tower (and a couple of towers have multiple VLANs), but not all of our towers have CMMs (and the ones that do are the older CMMs). I know we can block the ports in the router if we had to, but that can cause other issues.

What model of CMM? CMMv3 (CMM Micro) supports port isolation just fine. Unless you switch to a routed topology this is really the only way to fix this problem.

Turning NAT on on the CPEs is the simplest fix.

The subscriber isolation and CMM port isolation work just as well; the downside is that if you need 2 CPEs to talk to each other, i.e. hauling video from one end of town to the other, you will have to haul it to a router upstream and then back again, which wastes BH bandwidth.

A router at the towers would solve that as well.

Flat networks bring up an entire host of security challenges like this.