
AC1000 R6080 VLAN Security issue/flaw

Centercircle
Aspirant


AC R6080 VLAN security flaw? Or Apartment complex security flaw or both?
 
I have an AC1000 R6080 router, FW V1.0.0.40, connected to the ISP/INTERNET.
It provides IP addresses to my five wifi-devices as 192.168.1.x, and
the R6080 appears to my laptop/PC's as 192.168.1.1. 
My browser's attached devices will not change from hereon.
  tracert google.com
  1     1 ms    <1 ms    <1 ms  www.routerlogin.com [192.168.1.1]
  2     1 ms    <1 ms     1 ms  10.1.44.1
  3     *        *        *     Request timed out.
  4     3 ms     2 ms     2 ms  "xe....mynearesetbigcity.xxx.net [4.xx.xx.xx]"
 
VB Kali Linux on same laptop
I also have recently done a VirtualBox Virtual Linux on my laptop and I temporarily many days ago connected it to the Internet via the network port (i.e. the laptop's wifi)
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe4c:f76a
        As stated above, it does not appear on the R6080 browser attached device
 
  root@kali:~# traceroute www.google.com
  traceroute to www.google.com (172.217.12.4), 30 hops max, 60 byte packets
  1  _gateway (10.0.2.2)  1.747 ms  1.641 ms  1.554 ms
  2  * * *  all *** for next 28 lines
 
2) NETGEAR WNR2000v5  FW V1.0.0.38 (old which I want for education)
   (security came open, and I left it for education for now.)
- From VB-Kali connected to browser, disabled network adapter
- Use a new USB wifi adapter to connect kali to NETGEAR WNR2000v5
Kali gets IP 172.16..something, no cable connections.
 
2b) TOWARDS ISSUE
Selected R6080 (Router's) LAN1 to be a VLAN
 (on its browser just clicked on radio button for LAN1)
Change WNR2000v5 to be access point
 (on its browser just clicked on check box)
 
Connected WNR2000v5AP's WAN/Internet to R6080 LAN1.
Kali now gets IP 10.2.44.17
WNR2000v5AP appears at 10.1.44.13, from kali
WNR2000v5AP browser at 10.1.44.13, shows devices attached
  wired device (must be from WNR2000v5AP WAN port)
   unknown   192.168.1.1   SomeMACAddrIDon'tKnow
   unknown   10.1.44.1     SameSomeMACAdd  weird???
  wireless
   unknown        10.1.44.17    MY KALI
   MACINTOSH 10.1.44.18    I DON'T OWN ANY APPLEs!!! 
                           SECURITY ISSUE ???
   Again, I do not own anything APPLE.
 
QUESTION 1:
   Why does my Kali get a 10..., should it not get a 192. ?
   It seems to be getting an address from the ISP via the R6080
   VLAN (not from the R6080 but rather passthrough the R6080)
 
Question 2:
    How does the Macintosh attach immediately?
    (It must be unknowingly thinking it is com with the ISP)
 
IT GETS MORE WEIRD ** *** ***
On kali, since I expected a 192.
  nmap 192.168.1.0/24  
   and about 7 devices showed up, I don't own them,
   (again they do not appear attached to router nor AP.)
  One in particular is the printer in the Apartment Office
  several buildings away.
  I can log into the printer via the default password at
  192.168.1.112  (many ports open)
 
QUESTION 3: WHY does my kali get 10.2.44.17, and see 192.168.1.devs
I don't own?
  (remember on my Kali's browser to WNR2000v5AP shows 192.169.1.1
   with attached to wired devices to 192.)
 
QUESTION 3b:
  It is as if the R6080 WAN to ISP Internet is on some
  apartment complex shared LAN -- you think? 
 
  I expect my WNR2000V5 to get 192. IP not 10.
  and maybe that is the issue.
 
Thanks.
 
Model: R6800|Nighthawk AC1900 Smart WiFi Router
Message 1 of 10
schumaku
Guru

Re: AC1000 R6080 VLAN Security issue/flaw


@Centercircle wrote:
AC R6080 VLAN security flaw?
....
Selected R6080 (Router's) LAN1 to be a VLAN
 (on its browser just clicked on radio button for LAN1)

What do you have intended to be configured here, and why?

 

Wild guess you have enabled a bridge of the LAN port #1 (LAN1) to some VLAN on the Internet side. That's why some systems get transparent addresses assigned from the building network, instead of the NATed LAN.

Message 2 of 10
Centercircle
Aspirant

Re: AC1000 R6080 VLAN Security issue/flaw

So I am not sure why it matters, as much as this is a good educational situation anyway.  However, my intention is to have my kali sometimes access the network via an isolated path where no other devices see my kali, particularly nothing from the R6080 router.  So I isolated LAN1 by setting it as VLAN.  Also, I am playing with Pen testing on the WNR2000v5 access point (when I have it as a router, at which point I want it off the network most of the time).

 

As far as the guess, that is what I alluded to.  How can I avoid that?  It seems that I should not be able to do that by accident in the scenario/step I described.

 

Do you have any insight on the questions, e.g.

QUESTION 1:
   Why does my Kali get a 10..., should it not get a 192. ?

   Shouldn't the R6080 provide a 192...?

Message 3 of 10

Re: AC1000 R6080 VLAN Security issue/flaw


@Centercircle wrote:

 

QUESTION 1:
   Why does my Kali get a 10..., should it not get a 192. ?

   Shouldn't the R6080 provide a 192...?


That sort of thing is sometimes a sign that there are two routers on a network and one router sees the second router on the network and sets its IP address accordingly.

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 4 of 10
schumaku
Guru

Re: AC1000 R6080 VLAN Security issue/flaw


@Centercircle wrote:

However, my intention is to have my kali sometimes access the network via an isolated path where no other devices see my kali, particularly nothing from the R6080 router.  So I isolated LAN1 by setting it as VLAN.


This is not a VLAN configuration - rather, you bind the selected LAN port directly to the WAN/Internet port on a certain VLAN ID. This is typically used to run some IPTV boxes which are fed by the ISP on dedicated VLANs.

 

The R6080 (not any other Netgear consumer are VLAN routers) are allowing to configure multiple VLAN with NAT, DHCP, ... 

 


@Centercircle wrote:

Do you have any insight on the questions, e.g.

QUESTION 1:
   Why does my Kali get a 10..., should it not get a 192. ?

   Shouldn't the R6080 provide a 192...?


With this configuration, the LAN1 port is put directly on the Internet/WAN - you isolate it from the other NATed devices on the router (which get 192....) but expose it to all other systems on that in-house network (like e.g. the Apple system you mentioned) where a DHCP server assigns 10.... addresses.

 

The issue you describe is caused by your inappropriate configuration.

Message 5 of 10
Centercircle
Aspirant

Re: AC1000 R6080 VLAN Security issue/flaw

I am not following the response and what you mean by inappropriate.  I followed the directions on the WNR2000v5 in which it even has a picture on the page where it has the set as access point (for curiosity I looked at the R6080 and it has equivalent instructions, I also looked online).  Not a single 192. device that I see from my wifi to the WNR2000v5-AP is mine.

By the way, consider that the WNR2000v5 is no longer there, and instead it is a video camera, a tv, a security system control panel, a group of devices (no more access point involved) so the router should be giving all devices 192.... off of its LAN1 port (which just happens to be configured as a VLAN).

 

Message 6 of 10
Centercircle
Aspirant

Re: AC1000 R6080 VLAN Security issue/flaw

So it is not a misconfiguration, e.g. I am keeping it for a while off and on.  

The reason:

 the configuration of LAN1 to VLAN causes packets between LAN1 and that WAN/Internet port to not be processed by the router.   Thus, the device on LAN1 gets its IP address from the first router off the Internet port.

 

I still think that the ISP or techs that setup the Apartment complex have made a mistake in allowing me to see other devices, it seems as though I have crossed a VLAN or something.   Their laptops/users/devices can see my devices/laptop! 

 

I don't understand the need for VLAN capability on the router, I thought it was a great way to isolate the LAN ports on the router from each other (similar to subnets).

 

I can see a much better use that makes sense is having a switch implement the VLAN's and the switch connected to the router, thus the router is the router that is seen by all devices from any VLAN on the switch.

 

Message 7 of 10
schumaku
Guru

Re: AC1000 R6080 VLAN Security issue/flaw


@Centercircle wrote:

I still think that the ISP or techs that setup the Apartment complex have made a mistake in allowing me to see other devices, it seems as though I have crossed a VLAN or something.   Their laptops/users/devices can see my devices/laptop! 


Scratch the VLAN term - both your router Internet port and the mapped LAN1 port talk to the very same network. If users are connecting systems directly to the apartment network (without a NAT router, security appliance) they will be discoverable, and they will be able to discover and see your system(s) connected to the LAN port 1 while it's directly bridged to that network (the 10.x.x.x network). There is nothing your router must do, because the aim of the configuration option is to allow fully transparent access for dedicated devices (typically IPTV, sometimes VoIP) to the ISP's network.

 

The devices not exposed directly (not on the bridged LAN1) are on your private LAN and IP subnet (the 192.x.x.x one) and won't be visible thanks to NAT and firewall on the router.

 

In my opinion, your bridging the LAN1 to the ISP network is a misconfiguration. Just like digging a hole in the wall to the neighbour's apartment and then complaining you can see them and they can see you.

Message 8 of 10
Centercircle
Aspirant

Re: AC1000 R6080 VLAN Security issue/flaw

Keep in mind that, e.g., that Macintosh that I do not own attached to my WNR2000v5 Access Point.

 

What is the point of the R6080 providing the ability to set any access as VLAN, e.g. in this case LAN1?

The very common physical solution would be to have a switch cabled into a router's LAN port, and on the switch configure the VLAN's.   So if the router does not emulate this physical picture, then again, what is the point of the VLAN enable option on the R6080 router?

Message 9 of 10
schumaku
Guru

Re: AC1000 R6080 VLAN Security issue/flaw

This config is unrelated to any 802.1q VLAN configuration on the LAN, with a VLAN capable switch installation on the LAN.

 

How do I set up a bridge for a VLAN tag group on my Nighthawk router?

 

Its only purpose is to bridge one LAN port (or for the sake of it a Wi-Fi interface) to the WAN port, bypassing any NAT, firewall, typically to a tagged VLAN on the Internet/WAN side where e.g. an IPTV service is available. Because it's a bridge, the router does nothing with it - no NAT, no DHCP, no routing, ... it's a direct connection, IP addresses are all handled by the ISP/building network.

 

With your configuration, LAN port #1 is directly connected to the building network, where other people can also directly connect their systems, computers, IoT, ... without having a NAT router in place, behaving like no router in place.

 

So for the last time: No "VLAN security issue/flaw" in sight here.

 

Can't get rid of the impression that we're looping...

Message 10 of 10
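
A way to check a host for the situation discussed in this thread, as an added example (not part of any post above and not Netgear code): it compares a host's DHCP lease and first traceroute hop against the NAT subnets the thread mentions, to tell a NATed host from one sitting on the bridged port. The 192.168.1.5 lease and the trace from the bridged port are constructed sample values; the function and variable names are illustrative.

```python
import ipaddress
import re

# Networks that the thread shows sitting behind a NAT the poster controls:
# name -> (subnet, gateway expected to answer as hop 1).
TRUSTED_NAT = {
    "R6080 LAN": ("192.168.1.0/24", "192.168.1.1"),
    "VirtualBox NAT": ("10.0.2.0/24", "10.0.2.2"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def first_hop(trace_text):
    """Return the address that answered hop 1 of tracert/traceroute output, or None."""
    for line in trace_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "1":
            match = IPV4.search(line)
            return ipaddress.ip_address(match.group()) if match else None
    return None

def classify(lease_ip, trace_text):
    """Return (verdict, reason) for a host's DHCP lease and its first hop."""
    ip = ipaddress.ip_address(lease_ip)
    hop1 = first_hop(trace_text)
    for name, (subnet, gateway) in TRUSTED_NAT.items():
        if ip in ipaddress.ip_network(subnet):
            if hop1 == ipaddress.ip_address(gateway):
                return "behind-nat", f"{name}: lease and first hop agree"
            return "check", f"{name} lease, but hop 1 is {hop1}"
    return "exposed", f"{ip} is outside every NAT subnet (hop 1: {hop1})"

# Hop lines as posted in the thread (laptop on the R6080 Wi-Fi, Kali in VirtualBox).
LAPTOP_TRACE = """\
  1     1 ms    <1 ms    <1 ms  www.routerlogin.com [192.168.1.1]
  2     1 ms    <1 ms     1 ms  10.1.44.1
"""
VBOX_TRACE = "  1  _gateway (10.0.2.2)  1.747 ms  1.641 ms  1.554 ms\n  2  * * *\n"
# Constructed: the thread shows no trace taken from the bridged LAN1 port.
BRIDGED_TRACE = "  1  10.1.44.1  1.9 ms  1.8 ms  1.7 ms\n"

if __name__ == "__main__":
    samples = [
        ("192.168.1.5", LAPTOP_TRACE),   # constructed 192.168.1.x lease
        ("10.0.2.15", VBOX_TRACE),       # lease from the posted ifconfig
        ("10.2.44.17", BRIDGED_TRACE),   # lease Kali got behind LAN1
    ]
    for lease, trace in samples:
        print(lease, *classify(lease, trace))
```

A verdict of "exposed" means the host took its address from the building network rather than from a NAT the owner controls, so it needs its own host firewall or should be moved to a non-bridged port.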