JPedroT

join:2005-02-18
kudos:1
reply to Gork

Re: 2013 USG SHOULD ADD FUNCTIONALITY

said by Gork:

It would just be nice if ZyXEL would offer the capability to multicast from WAN to LAN as an option to users since, whether it's "correct" or not, much cheaper routers will do this.

I do not understand how Multicast will fix your problem here? Could you please explain?
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.


JPedroT

join:2005-02-18
kudos:1

said by Gork:

It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.

Ahhh okay, now I understand, but that is not correct. The .255 address, if your subnet is a /24 (255.255.255.0), is the broadcast address.
That is basically how a smurf attack works, which might be the reason they do not allow it.

»en.wikipedia.org/wiki/Smurf_attack
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
Reviews:
·magicjack.com

If you look at a subnet calculator (»www.subnet-calculator.com/ for instance) it shows that class C addresses 192.168.0.1/24 (subnet mask 255.255.255.0) use an IP address of 192.168.0.255 as their broadcast address.


JPedroT

join:2005-02-18
kudos:1

Yes, but x.x.x.255 = 192.168.0.255 or 172.16.16.255 or 10.0.0.255 if you use a /24.

The multicast addresses are in the range
224.0.0.0 through 239.255.255.255.

»www.iana.org/assignments/multica···sses.xml

That is for v4 and L3, now if we are talking L2 multicasting then look at this to see mapping from L2 to L3.

»technet.microsoft.com/en-us/libr···928.aspx

So I still do not understand what WoL needs Multicast for? Especially since the protocol is designed to be sent as broadcast, if I remember correctly.
--
"Perl is executable line noise, Python is executable pseudo-code."



Gork
Ou812ic

join:2001-10-06
Bountiful, UT
Reviews:
·magicjack.com

1 edit

I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer connected to the 192.168.1.1/24 interface addressed by the MAC address in the magic packet. That will not work on the USG, but it used to work with ZyNOS.


JPedroT

join:2005-02-18
kudos:1

said by Gork:

I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer addressed by the MAC address in the magic packet. That will not work on the USG, but it used to work with ZyNOS.

That is the broadcast address again.

So the question then comes down to, how to reverse what is in #2 in this link: »en.wikipedia.org/wiki/Smurf_attack

That is the question you need to pose to ZyXEL. You can do it with a Cisco; the command is "ip directed-broadcast", and it allows sending packets to broadcast addresses, like you did with ZyNOS.

Now ZyNOS is an old OS, i.e. older than 1999 (well, technically ZyNOS was released after/around 1999, but its roots are older), so it allowed it. USG uses ZLD, which is a more updated OS; by default it does not allow it.

So ping off to ZyXEL and ask how to enable directed broadcast on ZLD devices. That should allow you to forward to the broadcast address of your subnet again.

You probably should also configure hosts that should not be awakened by WoL to not respond to directed broadcast packets.

You are walking in limbo space here; you want to do something that is basically seen as allowing an exploit on the IP stack. So the "smart" guys decided to not allow it by default.

But everybody should have the choice to shoot themselves in the foot if you ask me ;P As long as you are aware of the implications of what you are doing, it should be OK.
--
"Perl is executable line noise, Python is executable pseudo-code."
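Added example (not code from any poster in this thread): it puts JPedroT's two points above into runnable form, first the distinction between a /24's broadcast address, the IPv4 multicast range and the IANA/Microsoft L3-to-L2 multicast MAC mapping he linked, and second the forwarding decision a router makes when a packet arriving on the WAN interface is addressed to the LAN subnet's broadcast address (the "ip directed-broadcast" behaviour, off by default because of smurf amplification). The interface names and addresses are constructed for illustration.

```python
# Added example, not from the thread. Classifies IPv4 destinations and models
# a router's directed-broadcast decision. Interface table is constructed.
import ipaddress

# IPv4 multicast: 224.0.0.0 through 239.255.255.255
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_address(subnet: str) -> str:
    """Broadcast address of the subnet containing this host/prefix, e.g. 192.168.0.1/24 -> 192.168.0.255."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def classify(dst: str, subnet: str) -> str:
    """Return 'multicast', 'limited-broadcast', 'subnet-broadcast' or 'unicast' for dst relative to subnet."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(subnet, strict=False)
    if addr in MULTICAST_RANGE:
        return "multicast"
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr == net.broadcast_address:
        return "subnet-broadcast"
    return "unicast"


def multicast_mac(dst: str) -> str:
    """L3 -> L2 mapping for IPv4 multicast: 01:00:5e + low 23 bits of the group address."""
    addr = ipaddress.ip_address(dst)
    if addr not in MULTICAST_RANGE:
        raise ValueError(f"{dst} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % ((low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF)


def amplification_hosts(subnet: str) -> int:
    """Hosts that could answer one directed broadcast (the smurf amplification factor for this subnet)."""
    return ipaddress.ip_network(subnet, strict=False).num_addresses - 2


def forward_decision(dst: str, ingress: str, interfaces: dict, directed_broadcast: bool) -> str:
    """Model of the router's choice for a packet to dst that arrived on interface `ingress`.

    interfaces maps interface name -> that interface's address/prefix.
    Returns 'deliver-local' (broadcast on its own segment), 'drop' (directed
    broadcast from another interface while the feature is off) or 'forward'.
    """
    addr = ipaddress.ip_address(dst)
    for name, subnet in interfaces.items():
        net = ipaddress.ip_network(subnet, strict=False)
        if addr == net.broadcast_address:
            if name == ingress:
                return "deliver-local"
            # Broadcast for a different interface = directed broadcast.
            return "forward" if directed_broadcast else "drop"
        if addr in net:
            return "forward"  # ordinary unicast to a connected subnet
    return "forward"  # everything else follows the default route


if __name__ == "__main__":
    ifaces = {"wan": "203.0.113.5/30", "lan1": "192.168.1.1/24"}  # constructed
    print(broadcast_address("192.168.1.1/24"), classify("224.0.0.1", "192.168.1.1/24"))
    print(multicast_mac("239.255.255.250"), amplification_hosts("192.168.1.1/24"))
    for enabled in (False, True):
        print("directed-broadcast", enabled, "->", forward_decision("192.168.1.255", "wan", ifaces, enabled))
```

The point the thread circles around is visible in `forward_decision`: a WAN-side packet to 192.168.1.255 is a directed broadcast for lan1 and is dropped unless the feature is deliberately enabled, while the same address reached from lan1 itself is just a normal local broadcast.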


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
Reviews:
·magicjack.com

4 edits

Yup, now you know what I'm trying to say. That is what I'd like enabled in the router: subnet directed broadcasts. It would be an easy thing for the end user to either (as you say) disable devices from waking to the call of a magic packet if you didn't want them to, or move devices you wanted to wake to a magic packet to a different subnet or the like. If Cisco allows it (even if not by default) then I don't see why ZyXEL shouldn't be allowing it.

Here's another page which talks about unicast vs subnet directed broadcasts, and it even mentions the DDoS "smurf attack" you referred to: »technet.microsoft.com/en-us/libr···911.aspx. It may be a silly thing to implement at this juncture due to its incompatibility with looming IPv6 though. But as I have mentioned, I am unable to get magic packets via unicast directed broadcasts to work with my setup any longer.

I don't see the harm in allowing this traffic to users who should understand the associated hazards. Were I running a business I'd be more concerned with this approach. But I run a personal network with a small personal web server and other web applications. If someone wants to spend the time infiltrating my setup, well, that's just silly. And I can easily block them anyway.

Thanks for sticking with me through my improper use of terms. I wish people could understand what I MEAN instead of only what I SAY/type.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

How about the hard way (to quote the mariachi)?

Attach one port of a minimalist computer with two Ethernet ports to the DMZ, which is blocked from everything except your work address. When some appropriately crafted message gets to this computer, it generates a WOL on its second port. This port is connected to and is part of LAN1 (or whatever LAN the sleepy computer is on).

I doubt I'm knowledgeable enough to set this up without a lot of study, but I don't see why it wouldn't work.

kirby
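Added example (not code from Kirby or anyone else in this thread): the dual-homed relay sketched above, written so the router never has to forward a directed broadcast. The DMZ-facing side accepts a trigger datagram; the LAN-facing side emits the Wake-on-LAN magic packet as an ordinary local broadcast. The trigger wire format (an HMAC-SHA256 tag over the MAC and a timestamp, so a captured trigger cannot be replayed later) is this example's own assumption, as are the addresses, port and shared key; the router ACL that limits who can reach the DMZ port is the first line of defence and is not replaced by this.

```python
# Added example, not from the thread. Assumed trigger format, constructed
# addresses and key. Run as a service on the two-NIC host Kirby describes.
import hashlib
import hmac
import socket
import time
from typing import Optional

LAN_BROADCAST = "192.168.1.255"   # constructed: broadcast of the LAN the second NIC is on
WOL_PORT = 9                      # UDP discard port, the usual WoL target
TRIGGER_PORT = 4009               # constructed: DMZ-side port the relay listens on
TRIGGER_WINDOW_S = 60             # triggers older/newer than this are rejected (replay defence)
SHARED_KEY = b"constructed-demo-key-change-me"   # shared with the work-side sender


def parse_mac(mac: str) -> bytes:
    """'00:11:22:33:44:55' or '00-11-22-33-44-55' -> 6 raw bytes; raises ValueError otherwise."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str) -> bytes:
    """WoL magic packet: six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def sign_trigger(mac: str, ts: int, key: bytes = SHARED_KEY) -> bytes:
    """Wire format (assumed): b'WOL <mac> <unix-ts> <hex hmac-sha256>'."""
    body = f"WOL {mac.lower()} {ts}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b" " + tag


def verify_trigger(msg: bytes, now: int, key: bytes = SHARED_KEY) -> Optional[str]:
    """Return the MAC to wake if msg is well-formed, authentic and fresh; otherwise None."""
    try:
        word, mac, ts_str, tag = msg.decode("ascii").split(" ")
        ts = int(ts_str)
    except ValueError:
        return None
    if word != "WOL":
        return None
    expected = hmac.new(key, f"WOL {mac} {ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if abs(now - ts) > TRIGGER_WINDOW_S:         # stale or clock-skewed trigger
        return None
    try:
        parse_mac(mac)
    except ValueError:
        return None
    return mac


def send_magic_packet(mac: str, bcast: str = LAN_BROADCAST, port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the LAN-facing interface; returns bytes sent."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (bcast, port))


def serve(listen_addr: str = "0.0.0.0", port: int = TRIGGER_PORT) -> None:
    """DMZ-facing loop: wake a host only for triggers that pass verify_trigger."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((listen_addr, port))
        while True:
            msg, peer = s.recvfrom(512)
            mac = verify_trigger(msg, int(time.time()))
            if mac is None:
                print(f"rejected trigger from {peer}")
                continue
            sent = send_magic_packet(mac)
            print(f"woke {mac} for {peer}: {sent} bytes broadcast to {LAN_BROADCAST}")


if __name__ == "__main__":
    serve()
```

Because the magic packet is broadcast from a host that is already on the LAN segment, the USG's refusal to forward WAN-to-LAN broadcasts is simply not in the path; the only thing that has to cross the firewall is a small unicast datagram to the relay, which the DMZ rule set can confine to the work address as Kirby suggests.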



Gork
Ou812ic

join:2001-10-06
Bountiful, UT
Reviews:
·magicjack.com

I currently VPN to my network with my laptop, RDP to a server I try to keep running 24x7, then send a WoL packet from there. It works, but it's a pain in the rear. If I understood routing better, I might be able to send the packet directly from the laptop after the VPN is established. Anyway, the biggest problem is that I'm hosed if that server computer goes down. It'd be much easier to work it as I did before... Log on to BBR and send a magic packet. DONE.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8
Reviews:
·TekSavvy DSL
·Bell Fibe

1 recommendation

A suggestion (workaround) ... Raspberry Pi. I've recently put an RPi on my network as a "utility server" ... costs about $50, power consumption none. I'm running my ssh server on it, WoL utilities, FTP ... you name it. It runs off an SD card; all other stuff is mounted via network as needed. Put it on a UPS and it's always there. I really love it. You can back up the SD card (image to file); should anything go wrong, just replace it with a new SD card that you can have pre-imaged.



janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL

1 recommendation

Finish IPv6 DHCP web interface.
There doesn’t appear to be a way to display IPv6 DHCP addresses in use, reserve IPv6 addresses or set lease times (unless the IPv4 time is also the IPv6 time).

Add NTP server. Since the router is on 24/7 it might as well be my local NTP server.

If you are looking for an inexpensive Linux server that uses very little power, Adorama has Pogoplug v2s for $25 shipped.

»www.adorama.com/COCPOGOE02G.html···odQUcASA

It is very easy to install Arch Linux on them.

»archlinuxarm.org/platforms/armv5···pinkgray

»obihoernchen.net/wordpress/

Yes I know Pogoplugs with Arch Linux can also be NTP servers.
--
Jim Anderson



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8
Reviews:
·TekSavvy DSL
·Bell Fibe

I'm aware of Pogoplug and similar devices; they work, but really (at least for me) I'm done with hacking and trying to keep up with updates on these devices.
RPi has its own full-blown, fully supported, maintained and open distro with a huge repo, so for me the $25 savings is not really worth it ... been there, done that.



Gork
Ou812ic

join:2001-10-06
Bountiful, UT
Reviews:
·magicjack.com
reply to Brano

said by Brano:

Raspberry Pi.

This is the coolest thing I've heard of in a long time! Granted, I'd have to quit my job, never see my family again and completely lose what semblance of a personal life I have left in order to figure it out... But, well, I just might! (Best I've done is dabble in Ubuntu with the GUI, heh.)


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to Brano

said by Brano:

RPi has its own full-blown, fully supported, maintained and open distro with a huge repo

Where do I buy support?

Like your enthusiasm but RPi is targeted at education and hobbyists. The Raspberry Pi foundation is a charity and while Linux has gotten to the point where little hacking is needed for many tasks, I can't say RPi is fully supported with a straight face.


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

bbarrera... Be nice! You know what he meant!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8
reply to bbarrera

... I've almost started to worry that you've given up on us!



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

Too busy selling free software. Lots of interesting things happening with GNU, Linux and Android around here -- the company I'm at is now the number one commercial provider of automotive Linux infotainment systems.



Gork
Ou812ic

join:2001-10-06
Bountiful, UT

I wish I could do and had your job.


JPedroT

join:2005-02-18
kudos:1

said by Gork:

I wish I could do and had your job.

It's not hard: just go outside, pick up a blade of grass or anything else that is free for you to acquire, and just sell it.

Now you are competing with bbarrera
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

heh -- Perhaps...


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to Anav

At the other extreme from free grass, but close to "free" Linux, is the object of this paper, which probably could perform AV and IDP at FTTH bandwidth rates. (Well written, but in case you don't have time to read it due to urgent grass sales, it is about using an nVidia GPU and other COTS parts to build a 40 GbE router. Power drain is a bit higher than a USG 50, however.)

»www.ndsl.kaist.edu/~kyoungsoo/pa···ader.pdf

kirby



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to JPedroT

said by JPedroT:

said by Gork:

I wish I could do and had your job.

It's not hard: just go outside, pick up a blade of grass or anything else that is free for you to acquire, and just sell it.

Now you are competing with bbarrera

I think you're getting mixed up with a different type of plant. Smoke the Android pipe!
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON
reply to mozerd

said by mozerd:

»www.cisco.com/en/US/prod/collate···997.html
I'm impressed with the ISA570

Got the ISA570 .... installed in a 20-user office and I can state that this unit PERFORMS with all UTM services online .... no one is complaining of any speed issues in this very busy office from a computing perspective.

A superb value proposition at $734.75 [ISA570-BUN3-K9] from PROVANTAGE that includes 3 years subscription to ALL 8 UTM services.

Take Note:
Q. Do I need to buy a separate license to use security subscription services?

A. Cisco ISA500 comes standard with both hardware and UTM security services. Customers do not need to purchase a separate license for the security services.

The ISA570-BUN3-K9 bundle makes the USG 300 look like a very sick puppy.

Am I impressed ---- You better believe it.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

lorennerol
Premium
join:2003-10-29
Seattle, WA

What's the annual maintenance/support contract cost? That has to be considered from a TCO standpoint.



mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

1 edit

1 recommendation

$70 for 3 year contract under the CISCO package called
CON-SBS-SVC2

This includes Phone or Online support and Firmware updates.
[edit] Also includes next day box replacement if the box fails.

Very CHEAP.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business


lorennerol
Premium
join:2003-10-29
Seattle, WA

1 recommendation

said by mozerd:

$70 for 3 year contract under the CISCO package called
CON-SBS-SVC2

This includes Phone or Online support and Firmware updates.

Very CHEAP.

Not as inexpensive as free, though.

I have a philosophical issue with the policy of requiring a service contract to obtain fixes for security and stability defects.


mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

1 recommendation

$23 per year is not free, agreed, but still CHEAP for a CISCO box. Plus the ISA570 has features and capabilities that FAR exceed the USG stuff -- LOOK it up for yourself and DROOL. AND the CISCO documentation is written in understandable ENGLISH.


Kirby Smith

join:2001-01-26
Derry, NH

Agreed, service contract cost is in the noise for a business.

Q. But how CHEAP is the renewal after three years?

Q. Is the CLI fairly standard by CISCO standards (sorry), or different, or not accessible?

kirby


lorennerol
Premium
join:2003-10-29
Seattle, WA

1 recommendation

reply to mozerd

The specs look impressive:

Stateful Packet Inspection Throughput: 500 Mbps
Maximum Connections: 40,000
Sessions Per Second (cps): 3,000
IPS Throughput: 90 Mbps
AV Throughput: 80 Mbps
UTM Throughput: 75 Mbps
IPsec VPN Throughput (Data Encryption Standard [DES] / Triple DES [3DES] / Advanced Encryption Standard [AES]): 130 Mbps
IPsec VPN Site-to-Site Tunnels: 100
IPsec VPN Remote Access Tunnels: 75

Especially after being told by ZyXEL support that the USG100 maxes out at 5 Mbit throughput over an IPsec VPN.

Still would like to see real-world tests. As we've seen with ZyXEL the published speeds are often best-case scenarios that don't reflect what happens on typical networks.