We have a client who says that he was seeing an unknown computer on his network as displayed on his Mac OS X finder window under the Shared Devices section of the sidebar. For those who may not be familiar with the Mac OS interface, this is an area where the Mac automatically shows any device on your network that is available to be connected to.
He claims that he has tracked this down and that this unknown shared computer belongs to a guy who was visiting our small town and claims that he was staying at the house of another client of ours (miles away from this client). So at one point they were both on our network at the same time, but at different sites, and behind 2 different routers.
My argument is that although technically EVERYONE on our network is on the same network (infrastructure), each site is behind a router with FIXED public IP addresses (we have a class C). So I do not see how in the world 2 computers located behind 2 separate routers could be seeing each other.
Is there something I am missing? Is there any way that this is possible unless this client's router's firewall is not working? This client is raising questions about the security of our network, so I have to find an answer for him.
Thanks.
Technically, if they are "behind" a router they should not be able to see each other, such as with SMB or other network sharing. That would indicate they are either "switched" (as in no router at all) or someone has their cable going into the switch ports on the router, which in turn would cause one of them to see whoever has their cable plugged in incorrectly, if that makes any sense.
nucoles wrote: Technically, if they are "behind" a router they should not be able to see each other, such as with SMB or other network sharing. That would indicate they are either "switched" (as in no router at all) or someone has their cable going into the switch ports on the router, which in turn would cause one of them to see whoever has their cable plugged in incorrectly, if that makes any sense.
Well, for that to happen they would BOTH need to be bypassing their routers. I have seen that issue before when I suddenly saw DHCP being broadcast through our network because someone had plugged the cable from the radio into one of their LAN ports, and when I was plugged into one of our radios I was getting an IP address. It confused the hell out of me for a little while.
I guess what I want to confirm is that there is nothing that we can be doing or not doing that would allow such a thing to happen. Bottom line is that the whole point of a router is to provide a firewall, so there is no way 2 people could be seeing each other unless both their routers have a hole in them! I will most probably need to go to this client's house to see what he is talking about. Of course the phantom device is no longer showing up, so the chances of us being able to get to the bottom of this are not very good. I just need to somehow convince them that there is nothing we as the WISP are doing that could cause this to happen.
Only other thing I can think of is UPnP, which would automatically forward a particular port for the network shares? Not too sure how the Mac's Finder works, but just a thought. Might have the customer turn it off on the router.
Sounds like a security hole on the client side. Problem is, getting a client to help troubleshoot something like this is next to impossible, as well as it not showing up anymore. I would tell the customer about how the internet works. If someone has taken their hand at trying to network something on their own, I would assume they would also open ports, maybe even DMZ something that shouldn't be open. I'm interested though; I've always wondered about security for the client side and what they can actually access.
SM isolation on APs and per-port VLANing on CMMs will stop this behavior dead in its tracks.
salad wrote: SM isolation on APs and per-port VLANing on CMMs will stop this behavior dead in its tracks.
Unfortunately most of our APs are older (pre-Advantage). I don't believe that SM isolation is available in those, is it?
We already do port isolation on all our switches.
The SM isolation is done at the AP, located at Configuration > General, under the Bridge Configuration heading. I'm pretty sure this is available on version 8 and up software; I'm on 10.5 network wide and it's been a while for me on the older software.
mgthump wrote: The SM isolation is done at the AP, located at Configuration > General, under the Bridge Configuration heading. I'm pretty sure this is available on version 8 and up software; I'm on 10.5 network wide and it's been a while for me on the older software.
Yeah, most of our APs are end of life at 7.3.6. I am pretty sure SM isolation is not available. I will take another look.
I am thinking that this is most probably caused by some sort of UPnP protocol enabled in the router or something.
Try this (based on 10.5 firmware, so it may be a bit different on other firmware):
SM --> CONFIGURATION --> PROTOCOL FILTERING --> Packet Filter Configuration
Under “Packet Filter Types”, put a check mark in the box next to:
PPPoE (unless that’s what you use; we use static IP)
SMB (Network Neighborhood)
Bootp Client
Bootp Server
IPv4 Multicast
User Defined Port 1
All others (NOT All other IPv4)
Then under “Filter Direction”, put a check mark in the box next to:
Upstream
Then, under “User Defined Port Filtering Configuration”,
Port #1: 440 (Decimal Value)
TCP: enabled
UDP: enabled
That’s how we resolved that issue (plus DoS attacks, reverse DHCP, etc.)
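The SM packet filter from the post above, modelled in Python as an added example (not code from the thread, nor Motorola/Canopy firmware), so you can check which customer-side frames the upstream filter would drop and which still pass. The protocol-to-filter mappings (PPPoE ethertypes, SMB ports, what "All others" matches) are my assumptions; port 440 is kept exactly as the post gives it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (mine): PPPoE = ethertypes 0x8863/0x8864, SMB = 137-139/445, "All others" = any non-IPv4/ARP ethertype.
IPV4, ARP, PPPOE = 0x0800, 0x0806, (0x8863, 0x8864)
MULTICAST = ip_network("224.0.0.0/4")
SMB_PORTS = {137, 138, 139, 445}
USER_PORT = 440                 # "User Defined Port 1", as given in the post
UPSTREAM_ONLY = True            # "Filter Direction: Upstream"

@dataclass
class Frame:
    direction: str              # "up" = customer -> AP, "down" = AP -> customer
    ethertype: int
    proto: str = ""             # "tcp" / "udp" for IPv4 frames
    dst_ip: str = ""
    sport: int = 0
    dport: int = 0

def filter_reason(f: Frame) -> str:
    """Name of the filter type that drops the frame, or "" if it passes."""
    if UPSTREAM_ONLY and f.direction != "up":
        return ""
    if f.ethertype in PPPOE:
        return "PPPoE"
    if f.ethertype != IPV4:     # ARP is left alone; everything else is "All others"
        return "" if f.ethertype == ARP else "All others"
    if ip_address(f.dst_ip) in MULTICAST:
        return "IPv4 Multicast"
    if SMB_PORTS & {f.sport, f.dport}:
        return "SMB (Network Neighborhood)"
    if f.proto == "udp" and (f.sport, f.dport) == (68, 67):
        return "Bootp Client"
    if f.proto == "udp" and (f.sport, f.dport) == (67, 68):
        return "Bootp Server"
    if USER_PORT in (f.sport, f.dport):
        return "User Defined Port 1"
    return ""

# Constructed sample frames leaving one customer site.
SAMPLE = [
    Frame("up", IPV4, "udp", "224.0.0.251", 5353, 5353),    # mDNS/Bonjour browse
    Frame("up", IPV4, "tcp", "10.0.0.9", 51000, 445),       # SMB to a neighbour
    Frame("up", IPV4, "udp", "255.255.255.255", 67, 68),    # rogue DHCP offer
    Frame("up", IPV4, "tcp", "93.184.216.34", 51001, 443),  # ordinary HTTPS
    Frame("down", IPV4, "tcp", "10.0.0.9", 445, 51000),     # downstream SMB
    Frame("up", 0x86DD),                                    # IPv6 frame
]
def dropped(frames=SAMPLE) -> dict:
    return {i: r for i, f in enumerate(frames) if (r := filter_reason(f))}
```

Note that the downstream SMB frame passes because the post filters upstream only; the customer's own router, not the SM, is what keeps inbound traffic out.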
Using NAT on the SM will fix this also.
Salad … Do you ever offer training or more insight into how to do something like that on Motorola networks? Seriously, I’d love to talk to you about how to do some of the things you’ve suggested. Let me know if you ever can make contact with me. --Mark
I’m flattered over the training comment but I’m afraid we’re not one of those organizations. I’d be happy to lend you a hand, however. Feel free to give me a shout over email
Cheers
Ross