PROTOCOL FILTERING issue?

Hi all,

I have an AP and many SMs with one PC behind each SM. I see all computers can access others through Network Neighborhood in Windows, with SMB checked in all SMs in PROTOCOL FILTERING!

I tried with P9 and P10 with all combinations of firmware 8.1.5.1 and 8.2.2. Can anybody help me with that, please?

Sebastian

Do you have the SM isolation on the AP turned on?

Microsoft has added some ports that SMB uses that Moto hasn’t updated the firmware to block. You can manually add the other ports.

Here’s a link to another thread that talks about which ports you need to block:
http://motorola.canopywireless.com/supp … php?t=4980

Unfortunately, IP telephony runs between them, so I cannot enable “Isolation” on the AP.
I have tried blocking combinations of SMB and all the extra ports:

Windows Vista
3702
5357
5358

Network devices
1900
2869

and even so the PCs can still see each other. Could it be a firmware bug? Has anyone been able to solve this problem without adding extra hardware?

Regards

Sorry! Now in English

Unfortunately I can’t activate Isolation because they have IP phones to talk between them.

I have tested all combinations (SMB and other ports) with no results.

Windows Vista
3702
5357
5358

Network devices
1900
2869

Has somebody resolved this issue without adding new hardware?

Regards

Can you use NAT and port forwarding with these SMs? That would effectively eliminate the problem.

Actually I can’t do that. I have too many clients with public IPs and services running on servers. I can’t set up port forwarding every time they want to add a new service.

Z

You could DMZ to a router on the inside and let them deal with the port forwarding from that point.

Here is how we handle business customers.

SM in bridge mode
Enable Filters:
- PPPoE
- SMB (Network Neighborhood)
- SNMP
- Bootp Client
- Bootp Server
- IPv4 Multicast

Customer supplies a router (required) and is responsible for managing it. We set it up for remote management and respond to Ping. If we can ping and access the router, we have met our responsibility.

If they don’t have an in-house IT person we refer them to one. We don’t touch anything in the customer’s network as we don’t get paid for that type of work, and we don’t want to be responsible for it. Interestingly, customers appreciate being told “This is where our responsibility ends but here is the number of a company that can help you”.

This is how every other business ISP does it, as it provides a clear demarcation point. My philosophy is that WISPs should focus on being WISPs and do that better than the Big Telco if they want to survive.

Of course if you have a division that does IT support that’s a different story, but the setup should be the same. This way if the ISP division can ping the router, they can turn it over to the IT division who will CHARGE for working on a customer network, server, desktop, etc.

Jerry Richardson wrote:
Customer supplies a router (required) and is responsible for managing it. We set it up for remote management and respond to Ping. If we can ping and access the router, we have met our responsibility.


Jerry
I'm a little reluctant to adopt your philosophy because I see it as a potential risk. For example, the customer could change his public IP causing big issues to the network.
How can you control that? Do you apply any control on his router MAC address?

Ciao
Massimo

It has never happened in 6 years.

If it became an issue I would warn them once and terminate the second time.

Ok,

After rereading the user guide and talking with Canopy support, I finally understand… The filter works in the Ethernet-to-wireless direction and does not take care of wireless-to-Ethernet at all. So, I need to block all SMs to keep PCs safe from other computers.
Moto guys told me this works to protect the network from issues on the customer side (behind the SM).

So, to protect customers from the Internet, I have to update border firewalls, and of course, every customer has to take care of their own safety.

Regards,

Zeta
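
A border-firewall rule set for the ports named in this thread, as an added example that is not part of any post above and is not Motorola's configuration. It assumes a Linux border router running nftables, a hypothetical Internet-facing interface named eth0, and the standard NetBIOS/SMB ports 137-139 and 445 alongside the Windows Vista and network-device ports listed earlier.

```nftables
#!/usr/sbin/nft -f
# Added example (assumption: Linux border router running nftables).
# "eth0" is a hypothetical name for the Internet-facing interface.
define wan_if = "eth0"

table inet border_filter {
    # TCP side: NetBIOS session (139) and SMB over TCP (445),
    # plus 2869, 5357 and 5358 from the lists in this thread.
    set disc_tcp {
        type inet_service
        elements = { 139, 445, 2869, 5357, 5358 }
    }

    # UDP side: NetBIOS name (137) and datagram (138) services,
    # plus 1900 and 3702 from the lists in this thread.
    set disc_udp {
        type inet_service
        elements = { 137, 138, 1900, 3702 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Drop file-sharing and discovery traffic arriving from the
        # Internet toward customer addresses. The counters make hits
        # visible in "nft list ruleset".
        iifname $wan_if tcp dport @disc_tcp counter drop
        iifname $wan_if udp dport @disc_udp counter drop
    }
}
```

Traffic between two SMs on the same AP never crosses this router, so the rule set covers only the Internet-facing exposure described in the post above.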

How do you block more than THREE other ports on the SM?

There is only room for three additional ports.

There is no way to block more than 3 ports at the same time.

Regards,

Z