top | item 28698682

dormando | 4 years ago

Hope that works :) I have this set up to an AT&T fiber gateway trashcan in pass-thru mode, so technically the RPI's vlan port has a public IP address. Otherwise I couldn't get upnp/etc to work when I wanted to.

I also want to be able to set up a DMZ'ed VLAN to hook up an old NUC to host something like a valheim/minecraft/whatever server if I wanted. So having the VLAN be safe was a goal for me.

louwrentius | 4 years ago

Frankly, the more I think about it, the more I fail to see an actual way to attack the management interface.

Because the interface listens on a private IP address on your home network. And if you want to be able to talk to that IP address, you need some device that you control (as an attacker) connected to the switch, and be able to add an IP address in the same range as your home network and then attack the management interface?

The most likely scenario would indeed be the DMZ machine as a stepping-stone.

dormando | 4 years ago

It's not really realistic, you're right. For my own goals it's "defense in depth" - just because I can't think of a scenario now doesn't mean it's impossible to do. Access also makes it easier to accidentally configure it in a way that is in fact easy to blow up.

From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.

So if, i.e., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPI doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.
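The isolation dormando describes (nothing but one admin host ever forwarded into the management VLAN, spoofed private sources dropped on WAN, the DMZ host limited to the Internet and its game port) written out as an added nftables ruleset; this is example code, not from the thread or the author's setup. It assumes the RPi routes between VLAN interfaces named wan0, lan0, mgmt0 and dmz0 with the subnets given in the comments, and omits the NAT table that would DNAT the game port to the DMZ host.

```nft
#!/usr/sbin/nft -f
# Assumed layout (not the thread's real config):
#   wan0  = VLAN facing the AT&T gateway in pass-thru mode (public IP)
#   lan0  = trusted home VLAN, 192.168.1.0/24
#   mgmt0 = switch management VLAN, 10.99.0.0/24
#   dmz0  = DMZ VLAN for the game server host 10.50.0.2
flush ruleset

define MGMT_NET   = 10.99.0.0/24
define ADMIN_HOST = 192.168.1.10     # the single box allowed to reach the switch
define DMZ_HOST   = 10.50.0.2
define GAME_PORT  = 25565            # Minecraft Java default; change for Valheim etc.

table inet filter {
    chain rpfilter {
        # Strict reverse-path check: a packet whose source would not be routed
        # back out the interface it arrived on is a spoof, drop it before anything else.
        type filter hook prerouting priority -300; policy accept;
        fib saddr . iif oif missing drop
    }

    chain input {
        # Traffic addressed to the RPi itself; the switch's own UI is NOT here,
        # it lives behind mgmt0 and is governed by the forward chain.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iifname "lan0" accept
        iifname "dmz0" udp dport 53 accept          # DNS for the DMZ host only
        iifname "wan0" icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Belt and braces on top of rpfilter: private sources never arrive from WAN.
        iifname "wan0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # Management VLAN: only the admin host, from the LAN, ever gets in,
        # and the switch initiates nothing outward.
        iifname "lan0" oifname "mgmt0" ip saddr $ADMIN_HOST ip daddr $MGMT_NET accept
        oifname "mgmt0" drop
        iifname "mgmt0" drop
        # Normal paths: LAN to Internet and DMZ; DMZ to Internet only.
        iifname "lan0" oifname { "wan0", "dmz0" } accept
        iifname "dmz0" oifname "wan0" accept
        # Inbound game traffic (already DNATed in the omitted nat table) to the DMZ host.
        iifname "wan0" oifname "dmz0" ip daddr $DMZ_HOST tcp dport $GAME_PORT accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; because the mgmt0 rules sit before the general LAN accept, a mistake in the later rules cannot silently reopen the management VLAN.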

mrmattyboy | 4 years ago

The only way I could see is if there is a malicious device on the WAN side (as in, actually on the same network as the WAN interface) that is configured on the same subnet as the internal network and it communicates with the management interface over the WAN VLAN - but very unlikely (and probably have to be an untrustworthy ISP, which sounds like a problem in itself :) ).