Posted: Sun Dec 06, 2009 15:57 Post subject: Disable ethernet LAN ports
Hi, I have a Buffalo router with DD-WRT v24-sp2 (06/19/09) std installed.
It works great but is horribly insecure at the moment since I can't work out how to disable the ethernet ports.
It is connected to an ADSL modem via the RJ45 WAN port, so I need to keep that up. The other 4 ports need to be disabled, as anyone with an ethernet cable can currently get onto my network (it is accessible to the public).
This is a most basic requirement and I simply cannot believe that it cannot be done given some of the other advanced features that this has.
I have searched and searched, poked around the file system and web interface. Can't work out how to do it.
Here is my ifconfig. There are no devices attached at the moment so they don't show up; all I have to do is plug one in and it will come up though, so ifdown etc... won't work since I can't make it persistent.
LAN ports can easily be disabled on the Setup/VLANs page, if your router supports them. _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
Thanks dude, but I don't have a VLAN tab (my router does support VLANs since I have a repeater connecting to it, and you can see the VLAN interface in the ifconfig I pasted).
Nope. That's the right place, but if your router does not support VLANs, you won't have the VLAN page, where it is simple to uncheck the LAN port "enable". This is different from creating a virtual SSID with a bridged router. If your router supports VLANs, there will be an additional VLAN page under the Setup tab.
I don't know of another way to do it with the web GUI, and certainly can't help with iptables. _________________ SIG:
Can't see my eth interfaces on this page anyway (perhaps because they are down at the moment) and there is no disable option, just enable or default.
I have a VLAN set up and working, so it does support VLANs.
Does anyone know where the network config files are in the file system? I use Linux on a day-to-day basis so I'm happy to edit some file (comment the damn eths out).
Thanks, but I know what a VLAN is (I'm a Cisco certified engineer).
That's good, I thought you had mixed them up when you said you had a repeater on a VLAN.
As far as I remember, even routers without configurable VLANs have a vlan alias for ethN for software compatibility reasons.
A virtual VLAN, so to speak..
There are quite a few Buffalo models of routers, so whether your router supports configurable VLANs or not is hard to say without knowing which one you have.
(I'm sure that you as a CCE understand that.)
You still have the possibility to telnet into the router and remove the LAN ports from the bridge. _________________ Kernel panic: Aiee, killing interrupt handler!
Last edited by LOM on Sun Dec 06, 2009 17:15; edited 1 time in total
Define shutdown? You can add a script that takes a LAN port out of the VLANs altogether, rendering that particular port unusable until it is re-added to a VLAN again.
This of course affects only the physical ports of the DD-WRT router; you can't control computers that are connected to (another) switch or hub.
He didn't post the script though. It sounds like the olmari chap knows a workaround that will help me; hope he sees this.
The VLAN tab is not the only place where you can disconnect a port by removing it from a VLAN.
Telnet into the router and issue the command
nvram show | grep vlan
to see which ports are assigned to which VLAN.
vlan1ports=1 2 3 4 8* and vlan2ports=0 8 is a possible outcome.
You will also be able to see the physical interface name of vlan1 and vlan2.
DD-WRT doesn't route on the physical interface name, only on the virtual one.
Routers without VLAN support will therefore still need to have vlan names for their interfaces/ports. _________________ Kernel panic: Aiee, killing interrupt handler!
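As an added worked example (not posted by anyone in this thread and not part of DD-WRT itself) of the approach the two replies above describe, the script below takes the kind of output `nvram show | grep vlan` produces, works out which switch ports are still members of the LAN vlan, and computes the new vlan1ports value with the four LAN ports dropped while the CPU port (the one marked `8*`) is kept. The nvram lines are constructed to match the example values quoted in the thread; the `nvram set` / `nvram commit` step at the end is the real DD-WRT nvram CLI, but whether the switch driver on a given Buffalo model applies vlan*ports at boot is an assumption to check on the router itself.

```shell
#!/bin/sh
# Added example: compute the nvram vlan port assignment needed to take the
# four LAN ports out of the LAN vlan (vlan1), leaving only the WAN vlan and
# the CPU port attached. The sample output below is constructed to match
# the thread's example; it is not captured from a real router.
set -f   # no globbing: "8*" in a port list must stay a literal token

SAMPLE_NVRAM='vlan1ports=1 2 3 4 8*
vlan2ports=0 8
vlan1hwname=et0
vlan2hwname=et0'

# Value of one nvram variable from the sample. On the router this would be
# `nvram get vlan1ports` instead of grepping a saved copy.
vlan_ports() {
    printf '%s\n' "$SAMPLE_NVRAM" | sed -n "s/^$1=//p"
}

# Remove the named switch ports from a space-separated port list and
# return the remaining list. The CPU port ("8*") is never passed in, so
# the vlan stays attached to the router's own interface.
drop_ports() {
    list=$1; shift
    out=""
    for p in $list; do
        keep=1
        for d in "$@"; do
            [ "$p" = "$d" ] && keep=0
        done
        [ "$keep" = 1 ] && out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# Audit helper: which numeric switch ports are still members of the LAN
# vlan. An empty result means no physical LAN port is on the LAN side.
lan_ports_still_active() {
    vlan_ports vlan1ports | tr ' ' '\n' | grep -v '\*' | tr '\n' ' ' | sed 's/ $//'
}

# The vlan1ports value to write once switch ports 1-4 are dropped.
new_lan_ports() {
    drop_ports "$(vlan_ports vlan1ports)" 1 2 3 4
}

# Applying it on the router (assumption: the model's switch driver honours
# vlan*ports at boot, as the posters above describe). Left commented so the
# script is safe to run anywhere:
#   nvram set vlan1ports="$(new_lan_ports)"
#   nvram commit
#   reboot
echo "LAN ports currently active: $(lan_ports_still_active)"
echo "vlan1ports after hardening:  $(new_lan_ports)"
```

`drop_ports` is written generally, so the same function can remove a single port (for example only the one that faces the public area) rather than all four; re-running `lan_ports_still_active` after the change is the check that the ports really left the LAN vlan.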
If someone can come along with a laptop and plug a Cat5 cable into your router, you have a very serious security problem.
Quote:
foamcup
PostPosted: Sun Dec 06, 2009 9:11 am
Put it behind a locked door.
QFT before your issue becomes WTF... really, restricting physical access is key. A router wants to route: if someone has physical access to it, they can override whatever software lock you put on it.
30/30/30, new password, sweet.
Edit: reset takes 3 seconds using a paperclip.....
NX
PS: highly recommend Schneier. He is like Chuck Norris for computer security.
Bruce Schneier knows Alice and Bob's shared secret.
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.
Though a superhero, Bruce Schneier disdains the use of a mask or secret identity as 'security through obscurity'. _________________ WRT54G v1.1 DD-WRT v24-sp2 (07/22/09) std - build 12548 VINT Eko
SP1: it's a problem.
Last edited by NXIL on Sun Dec 06, 2009 20:18; edited 1 time in total