EnthusiastXYZ (Limp Gawd) - Joined Jun 26, 2020 - Messages: 221
How useful is IPS/IDS behind Double NAT for the router that is connected to local clients and not WAN?
Yes, and one of my routers leaks sensitive data to WAN. There is no fix for that yet. I have to get behind the ISP's router to mitigate that.

Is this a home setup or work? Why is there a double NAT situation?
> Ah, the fun of trying to deal with the monkeyfest of the company's self-serving implementations. I would be curious as to whether your WAN connection even routes those LLDP frames further down the line, depending on what the ISP's network looks like--that may be why you're only finding yours advertising like that. Otherwise, yep, now I see why people dumped Ubiquiti stuff in droves and why they had a massive security breach in the first place.

I am not sure what is worse - having my personal router leak LLDP to WAN every 30 seconds or taking chances with the ISP router. LLDP is supposed to help security, but it gives out way too much info, and on WAN it makes my router stick out like a sore thumb when I type "tcpdump -ni eth4 not proto 6 and not proto 17 and not arp" (which filters out non-UDP, non-TCP, and non-ARP on WAN). My router is the only one to show LLDP packets. All other WAN Layer 2 requests (for all IPs that are not mine) are ARP-only. LLDP also makes my router advertise itself as "UniFi" instead of IP-only.

The ISP router may be worse, but it is unknown. There is no way to log in to the ISP router via SSH and perform TCPDump, but the "Disable UPnP" function in the ISP router settings does not work, at least for LAN, because in the double NAT configuration, running TCPDump on my personal router shows that the ISP router keeps sending inbound IP 239.255.255.250 UDP port 1900 packets to my personal router. My personal router filters out all such packets, but it is unknown what the ISP router does on WAN...
Ah, the fun of trying to deal with the monkeyfest of the company's self-serving implementations. I would be curious as to whether your WAN connection even routes those LLDP frames further down the line, depending on what the ISP's network looks like--that may be why you're only finding yours advertising like that. Otherwise, yep, now I see why people dumped Ubiquiti stuff in droves and why they had a massive security breach in the first place.
> When the ISP router is in Bridged Mode, I can run TCPDump on WAN and I can see the LLDP leak. I assume that if I can see everyone's ARP requests on WAN along with my LLDP leak, then everyone else on WAN can see the same, including that LLDP leak.

I presume your ISP router does not offer a Bridge mode to pass through directly to your own router?
Crazy why the UDM would do that. Is it not a feature that can be shut off?

I know LLDP has its own MAC address; it's Layer 2, does not get an IP, and cannot be blocked by any NAT firewall rules and/or custom IPTables because they don't apply to Layer 2. UDM EBTables, which function on Layer 2, don't recognize LLDP EtherType 0x88cc, and custom EBTables don't block it.
The UDM allows spoofing the WAN MAC address, and as such my LLDP packets don't identify my WAN MAC address, but they identify what LLDP is supposed to identify - device specifics. Nobody else on WAN advertises anything other than ARP, making my router stand out.
> I can't even see all my ARP requests on my own LAN, lol. I think you'd be fine, because if the ISP is allowing ARP between customers, that's going to be a security issue on their end for sure.

When the ISP router is in Bridged Mode, I can run TCPDump on WAN and I can see the LLDP leak. I assume that if I can see everyone's ARP requests on WAN along with my LLDP leak, then everyone else on WAN can see the same, including that LLDP leak.
When the ISP router is in Router Mode, LLDP packets from my UDM cannot be routed past the ISP router because LLDP is non-routable. Since I didn't see anyone else on WAN leaking LLDP, I assume the ISP router does not send out its own LLDP frames to WAN, but I can't know that because the ISP router is locked for users and won't allow SSH access.
When the ISP router is in Router Mode, it has a UPnP function toggle, and it does not appear to be working, at least not for LAN, because running TCPDump on my personal router shows that the ISP router keeps sending inbound packets to the IGMP IP 224.0.0.22 and the UPnP IP 239.255.255.250. I don't know if my ISP is dumb enough to not only allow UPnP on LAN, but also on WAN. My personal router filters all those packets.
Therefore I am not sure what is worse - the UDM being the only router and leaking LLDP, OR taking chances with the ISP router allowing UPnP on WAN... UPnP is a significantly heavier threat to security than LLDP. LLDP helps with security at the cost of reducing device privacy, which in turn decreases security. Just like most ISPs, my ISP uses Cisco switches, which use their own LLDP protocol.
Ubiquiti is aware of the issue, and disabling LLDP is as easy on their Edge routers as logging into the device via SSH and editing a config file, but the UDM uses its own OS and doesn't give the option to do that yet.
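The checks the OP describes above with tcpdump (LLDP frames on the WAN interface, SSDP discovery to 239.255.255.250 on UDP port 1900, and IGMP reports to 224.0.0.22) can be reproduced offline against raw Ethernet frames, which is handy when you can only get a capture off a device rather than a shell on it. The script below is an added example, not code from this thread, from Ubiquiti or from any ISP firmware: it parses Ethernet II, IPv4 and LLDP TLV headers with the standard field layouts, classifies each frame, and pulls the System Name TLV out of any LLDP frame so you can see exactly what the device is advertising. The frames in CAPTURE are constructed by hand for the example; the MACs use the locally administered 02:... range, the IPs come from the 192.0.2.0/24 documentation block, and "UniFi" as the advertised name is taken from what the OP reported seeing.

```python
"""Classify raw Ethernet frames from a WAN-side capture and report link-layer
chatter: LLDP (EtherType 0x88cc), ARP, SSDP/UPnP (UDP/1900 to 239.255.255.250)
and IGMP membership reports (224.0.0.22). Sample frames are constructed below."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LLDP = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")      # nearest-bridge LLDP address
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGMP_REPORT_GROUP = "224.0.0.22"


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_ipv4(pkt):
    """Return (protocol, src_ip, dst_ip, l4_payload); IHL gives the header length."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def lldp_tlvs(lldpdu):
    """Yield (type, value) from an LLDPDU: 7-bit type, 9-bit length, then value."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack("!H", lldpdu[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == 0:                      # End of LLDPDU
            break
        yield ttype, lldpdu[off:off + tlen]
        off += tlen


def classify(frame):
    """Label a frame 'lldp', 'arp', 'ssdp', 'igmp-report' or 'other'."""
    dst, _src, etype, payload = parse_ethernet(frame)
    if etype == ETHERTYPE_LLDP or dst == LLDP_MCAST:
        return "lldp"
    if etype == ETHERTYPE_ARP:
        return "arp"
    if etype == ETHERTYPE_IPV4:
        proto, _sip, dip, l4 = parse_ipv4(payload)
        # UDP header: sport(2) dport(2) len(2) csum(2); SSDP goes to dport 1900
        if proto == 17 and dip == SSDP_GROUP and struct.unpack("!H", l4[2:4])[0] == SSDP_PORT:
            return "ssdp"
        if proto == 2 and dip == IGMP_REPORT_GROUP:
            return "igmp-report"
    return "other"


def audit(frames):
    """Count frame classes and collect System Name (TLV type 5) from LLDP frames."""
    counts, names = {}, []
    for frame in frames:
        kind = classify(frame)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "lldp":
            for ttype, value in lldp_tlvs(parse_ethernet(frame)[3]):
                if ttype == 5:
                    names.append(value.decode("ascii", "replace"))
    return counts, names


# --- constructed sample capture (not real traffic) -------------------------
def ether(dst, src, etype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload


def tlv(ttype, value):
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def ipv4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def arp_request(sender_mac, sender_ip, target_ip):
    return ether("ffffffffffff", sender_mac, ETHERTYPE_ARP,
                 struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                             bytes.fromhex(sender_mac), socket.inet_aton(sender_ip),
                             bytes(6), socket.inet_aton(target_ip)))


SSDP_BODY = b"NOTIFY * HTTP/1.1\r\n"
CAPTURE = [
    ether("0180c200000e", "020000000001", ETHERTYPE_LLDP,         # LLDP from the UDM
          tlv(1, b"\x04" + bytes.fromhex("020000000001"))         # Chassis ID (MAC)
          + tlv(2, b"\x03" + bytes.fromhex("020000000001"))       # Port ID (MAC)
          + tlv(3, b"\x00\x78") + tlv(5, b"UniFi") + tlv(0, b"")), # TTL, System Name, End
    arp_request("020000000002", "192.0.2.2", "192.0.2.9"),        # neighbours' ARP
    arp_request("020000000004", "192.0.2.4", "192.0.2.1"),
    ether("01005e7ffffa", "020000000003", ETHERTYPE_IPV4,         # SSDP NOTIFY
          ipv4(17, "192.0.2.3", SSDP_GROUP,
               struct.pack("!HHHH", 1900, SSDP_PORT, 8 + len(SSDP_BODY), 0) + SSDP_BODY)),
    ether("01005e000016", "020000000003", ETHERTYPE_IPV4,         # IGMPv3 report
          ipv4(2, "192.0.2.3", IGMP_REPORT_GROUP, bytes([0x22, 0, 0, 0, 0, 0, 0, 1]))),
]

if __name__ == "__main__":
    counts, names = audit(CAPTURE)
    print("frame classes:", counts)
    print("LLDP system names seen on the wire:", names)
```

Run as-is it reports one LLDP frame advertising "UniFi", two ARP requests, one SSDP and one IGMP report. To use it on a real WAN capture, read frames with a pcap library and feed them to audit(); any "lldp" hit on the WAN side is the leak the OP is describing, and any "ssdp" hit arriving from the ISP side is the UPnP traffic he sees despite the toggle.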
I can't even see all my ARP requests on my own LAN, lol. I think you'd be fine, because if the ISP is allowing ARP between customers, that's going to be a security issue on their end for sure.
I don't think your LLDP requests are going to get far, but it is still unnerving to have them out there and I would definitely stick to your double-nat to get rid of them.
And going back to your original question--you're definitely smart enough to know if data is leaking in/out of your network and having the additional IPS/IDS will only help you.
Can you turn LLDP off on UDM?
LMAO ... sarcasm ?
Maybe the OP should consider why they are not seeing any other lldp on the sniffed wire. A compliant bridge will not forward packets with lldp dest mac.
The bridge, read cable modem, should not be forwarding the LAN-side LLDP to the WAN side at all. This means not even the ISP should see it. You see the ARP because that's how IP works. No idea why you're conflating LLDP and ARP.

So nobody else on the wire can see my LLDP packets, except the ISP? If such is the case, then why do I see a ton of ARP requests for other public IPs on WAN?
No, you cannot disable LLDP on the UDM. You can only disable LLDP-MED, but not LLDP itself...

Seeing ARP requests from other addresses in the same subnet is normal.
What is leading you to believe that LLDP is being passed on by the ISP? Why can't you just completely disable LLDP protocol on the Ubiquiti device? With enterprise devices, you can do this on a per-port basis.