Disable ethernet LAN ports

DD-WRT Forum Index -> Ralink SoC based Hardware
bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 15:57    Subject: Disable ethernet LAN ports
Hi, I have a Buffalo router with DD-WRT v24-sp2 (06/19/09) std installed.

It works great but is horribly insecure at the moment, since I can't work out how to disable the ethernet ports.

It is connected to an ADSL modem via the RJ45 WAN port, so I need to keep that up. The other 4 ports need to be disabled, as anyone with an ethernet cable can currently get onto my network (it is accessible to the public).

This is a most basic requirement and I simply cannot believe that it cannot be done, given some of the other advanced features that this has.

I have searched and searched, poked around the file system and web interface. Can't work out how to do it.

Here is my ifconfig. There are no devices attached at the moment so they don't show up; all I have to do is plug one in and it will come up though, so ifdown etc. won't work since I can't make it persistent.

Code:
br0       Link encap:Ethernet  HWaddr 00:1D:73:11:11:12
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:953872 errors:0 dropped:0 overruns:0 frame:0
          TX packets:977864 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:94253676 (89.8 MiB)  TX bytes:1100594153 (1.0 GiB)

br0:0     Link encap:Ethernet  HWaddr 00:1D:73:11:11:12
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:1D:73:11:11:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:951875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:923968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1084584515 (1.0 GiB)  TX bytes:108137575 (103.1 MiB)
          Interrupt:3

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ra0       Link encap:Ethernet  HWaddr 00:1D:73:D9:1B:78
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:531706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:473545 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:66468225 (63.3 MiB)  TX bytes:517470018 (493.4 MiB)
          Interrupt:4

vlan1     Link encap:Ethernet  HWaddr 00:1D:73:11:11:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3535 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:437644 (427.3 KiB)

vlan2     Link encap:Ethernet  HWaddr 00:1D:73:11:11:13
          inet addr:192.168.1.252  Bcast:192.168.1.255  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:948599 errors:0 dropped:0 overruns:0 frame:0
          TX packets:920433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1070847781 (1021.2 MiB)  TX bytes:107266355 (102.2 MiB)
Murrkf (DD-WRT Guru, joined 22 Sep 2008, 12675 posts)
Posted: Sun Dec 06, 2009 16:11
LAN ports can easily be disabled on the Setup/VLANs page, if your router supports them.
_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 16:24
Thanks dude, but I don't have a VLAN tab (my router does support VLANs, since I have a repeater connecting to it and you can see the VLAN interface in the ifconfig I pasted).

Am I looking in the wrong place?

Murrkf (DD-WRT Guru, joined 22 Sep 2008, 12675 posts)
Posted: Sun Dec 06, 2009 16:27
Nope. That's the right place, but if your router does not support VLANs you won't have the VLAN page, where it is simple to uncheck the LAN port "enable". This is different than creating a virtual SSID with a bridged router. If your router supports VLANs, there will be an additional VLAN page under the Setup tab.

I don't know of another way to do it with the web GUI, and certainly can't help with iptables.

bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 16:32
What about this in Setup > Networking?

Can't see my eth interfaces on this page anyway (perhaps because they are down at the moment) and there is no disable option, just enable or default.

I have a VLAN set up and working, so it does support VLANs.

Does anyone know where the network config files are in the file system? I use Linux on a day-to-day basis, so I'm happy to edit some file (comment the damn eths out).
LOM (DD-WRT Guru, joined 28 Dec 2008, 7647 posts)
Posted: Sun Dec 06, 2009 16:37
bexley wrote:
I have a VLAN set up and working, so it does support VLANs.

WLAN = Wireless LAN

VLAN = Virtual LAN

_________________
Kernel panic: Aiee, killing interrupt handler!
bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 16:40
Thanks, but I know what a VLAN is (I'm a Cisco certified engineer).

Code:
root@DD-WRT:/# ifconfig vlan2
vlan2     Link encap:Ethernet  HWaddr 00:1D:73:11:11:13
          inet addr:192.168.1.252  Bcast:192.168.1.255  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1566991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1608101 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1700081262 (1.5 GiB)  TX bytes:167431919 (159.6 MiB)


See, a VLAN.
GeeTek (DD-WRT Guru, joined 06 Jun 2006, 3763 posts, Location: I'm the one on the plate.)
Posted: Sun Dec 06, 2009 16:59
bexley wrote:
Thanks, but I know what a VLAN is (I'm a Cisco certified engineer).

Is a VLAN the same thing as a LAN port? Murrkf's screenshot seems to imply that they are not the same exact animal.
LOM (DD-WRT Guru, joined 28 Dec 2008, 7647 posts)
Posted: Sun Dec 06, 2009 17:10
bexley wrote:
Thanks, but I know what a VLAN is (I'm a Cisco certified engineer).

That's good, I thought you had mixed them up when you said you had a repeater on a VLAN.

As far as I remember, even routers without configurable VLANs have VLAN aliases for ethN for software compatibility reasons.
A virtual VLAN, so to speak.

There are quite a few Buffalo models of routers, so whether your router supports configurable VLANs or not is hard to say without knowing which one you have.
(I'm sure that you as a CCE understand that.)

You still have the possibility to telnet into the router and remove LAN ports from the bridge.

foamcup (DD-WRT Novice, joined 02 Jun 2008, 24 posts)
Posted: Sun Dec 06, 2009 17:11
Put it behind a locked door.
bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 17:24
I see. Quick question: what does disabling a port have to do with VLANs anyway?

Is that the only place to get to it through the web GUI?

Oh, it's a Buffalo WHR-G300N by the way, should have mentioned that.

I'm just looking at /sys/devices/virtual/net/eth2 for clues, not much of use so far.
bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 17:31
GeeTek wrote:
bexley wrote:
Thanks, but I know what a VLAN is (I'm a Cisco certified engineer).

Is a VLAN the same thing as a LAN port? Murrkf's screenshot seems to imply that they are not the same exact animal.

No, a VLAN is not the same as a LAN port. I thought that the VLAN tab that I am missing just happened to be the only place where you can shut a port?

Edit: I found this: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=379100#379100

olmari wrote:
Define shutdown? You can add a script that takes a LAN port out of VLANs altogether, rendering that particular port unusable until re-added to a VLAN again.

This affects of course only the physical ports of the DD-WRT router; you can't control computers that are connected to (another) switch or hub.

He didn't post the script though. It sounds like this olmari chap knows a workaround that will help me, hope he sees this.
LOM (DD-WRT Guru, joined 28 Dec 2008, 7647 posts)
Posted: Sun Dec 06, 2009 17:48
The VLAN tab is not the only place where you can disconnect a port by removing it from a VLAN.

Telnet into the router and issue the command

Code:
nvram show | grep vlan

to see which ports are assigned to which VLAN.
vlan1ports=1 2 3 4 8* and vlan2ports=0 8 is a possible outcome.
You will also be able to see the physical interface name of vlan1 and vlan2.

dd-wrt doesn't route on physical interface name, only on virtual.
Routers without VLAN support will therefore still need to have VLAN names for their interfaces/ports.

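Worked example, added by the editor and not part of the thread or of DD-WRT itself: a POSIX sh script that reads a `nvram show` dump, lists which switch port sits in which VLAN, works out which bridged interfaces carry the wired LAN ports, and prints the `brctl delif` / `ifconfig down` lines a DD-WRT startup script would run to detach them from br0, which is the "remove LAN ports from the bridge" route LOM suggests above. It also carries a helper that rewrites a `vlanNports` value with chosen ports removed, for the VLAN-membership route. The sample dump is constructed from the output bexley posts later in this thread. Assumptions: the variable names `lan_ifnames`, `wan_ifname`, `vlanNports` and `portNvlans` carry the meaning they have on Broadcom DD-WRT builds (where the Setup/VLANs page edits them); whether the WHR-G300N's Ralink switch driver actually honours `vlanNports` is not established by the thread, so the bridge-detach output is the one that depends only on what `ifconfig` shows. Run `sh disable_lan.sh --run` on the router to preview the commands before pasting them under Administration -> Commands -> Save Startup.

```sh
#!/bin/sh
# Added example, not from the DD-WRT forum thread or the DD-WRT project.
# Disable globbing: vlanNports values contain tokens like "5*".
set -f

# Constructed sample: the nvram dump bexley posts in this thread, trimmed to
# the variables this script reads. On the router you would use:
#   NVRAM_DUMP=$(nvram show 2>/dev/null)
NVRAM_DUMP='lan_ifnames=vlan1 vlan2 ra0
wan_ifname=vlan2
vlan0ports=1 2 3 4 5*
vlan1ports=0 5
port0vlans=1
port1vlans=0
port2vlans=0
port3vlans=0
port4vlans=0
port5vlans=0 1 16'

# nv NAME -> value of NAME in the dump (empty if absent)
nv() {
    printf '%s\n' "$NVRAM_DUMP" | sed -n "s/^$1=//p"
}

# Wired LAN interfaces: members of lan_ifnames that are neither the WAN
# interface nor a wireless interface (ra*, wl*, ath* naming assumed).
wired_lan_ifaces() {
    wan=$(nv wan_ifname)
    for ifc in $(nv lan_ifnames); do
        case "$ifc" in
            "$wan"|ra*|wl*|ath*) ;;
            *) printf '%s\n' "$ifc" ;;
        esac
    done
}

# Startup-script lines: pull each wired LAN interface out of br0 and take it
# down, leaving the WAN interface and the wireless interface in place.
bridge_detach_script() {
    for ifc in $(wired_lan_ifaces); do
        printf 'brctl delif br0 %s\n' "$ifc"
        printf 'ifconfig %s down\n' "$ifc"
    done
}

# remove_ports "PORTS" "P1 P2 ..." -> PORTS without the listed switch ports.
# An entry with a suffix (5*, 8t) is compared by its number only, so the
# CPU-facing port survives unless you list it explicitly.
remove_ports() {
    result=''
    for entry in $1; do
        num=${entry%%[!0-9]*}
        keep=1
        for p in $2; do
            [ "$num" = "$p" ] && keep=0
        done
        [ "$keep" = 1 ] && result="$result${result:+ }$entry"
    done
    printf '%s\n' "$result"
}

# Per-port view of the dump: which VLAN id(s) each switch port belongs to.
port_vlan_table() {
    printf '%s\n' "$NVRAM_DUMP" |
        sed -n 's/^port\([0-9]*\)vlans=\(.*\)$/port \1: vlan(s) \2/p'
}

if [ "${1:-}" = "--run" ]; then
    port_vlan_table
    echo "# proposed startup script:"
    bridge_detach_script
    echo "# vlan0ports with ports 1-4 removed: $(remove_ports "$(nv vlan0ports)" "1 2 3 4")"
fi
```

On bexley's dump the wired ports all ride on vlan1, so detaching that one interface from br0 silences all four LAN jacks at once while vlan2 (WAN) and ra0 (wireless) stay bridged and routed as before; re-running `brctl addif br0 vlan1` restores them. The change lives in RAM until it is saved as a startup script, and it addresses only the network side: as the thread goes on to point out, whoever can reach the jacks can also reach the reset button.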
NXIL (DD-WRT Guru, joined 29 Dec 2008, 649 posts, Location: Southern California)
Posted: Sun Dec 06, 2009 18:18    Subject: Physical Access!
bexley wrote:
This is a most basic requirement and I simply cannot believe that it cannot be done, given some of the other advanced features that this has.

The most BASIC requirement is PHYSICALLY SECURING YOUR HARDWARE.

Citation: Schneier.

http://www.google.com/search?domains=www.schneier.com&sitesearch=www.schneier.com&q=physical+access&hq=inurl%3Awww.schneier.com%2Fblog

Physical access is root access.

If someone can come along with a laptop and plug a Cat5 cable into your router, you have a very serious security problem.

foamcup wrote (Sun Dec 06, 2009 9:11 am):
Put it behind a locked door.

QFT, before your issue becomes WTF... really, restricting physical access is key. A router wants to route; if someone has physical access to it, they can override whatever software lock you put on it.

30/30/30, new password, sweet.

Edit: reset takes 3 seconds using a paperclip...

NX

PS: highly recommend Schneier. He is like Chuck Norris for computer security.

Bruce Schneier knows Alice and Bob's shared secret.

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

Bruce Schneier once decrypted a box of AlphaBits.

Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.

Though a superhero, Bruce Schneier disdains the use of a mask or secret identity as 'security through obscurity'.

_________________
WRT54G v1.1 DD-WRT v24-sp2 (07/22/09) std - build 12548 VINT Eko


SP1: it's a problem.


bexley (DD-WRT Novice, joined 03 Dec 2008, 16 posts)
Posted: Sun Dec 06, 2009 18:25
OK, now we're cooking.

Code:
root@DD-WRT:~# nvram show | grep vlan
vlan0ports=1 2 3 4 5*
port5vlans=0 1 16
port3vlans=0
port1vlans=0
wl0_vlan_prio_mode=off
wan_ifname2=vlan2
pppoe_wan_ifname=vlan2
vlan1_bridged=1
size: 25135 bytes (40401 left)
lan_ifnames=vlan1 vlan2 ra0
pppoe_ifname=vlan2
wan_default=vlan2
vlan1_mtu=1500
wan_ifnames=vlan2
vlan1hwname=et0
vlan1ports=0 5
port4vlans=0
vlans=0
wan_iface=vlan2
vlan_tagcount=1
port2vlans=0
port0vlans=1
wan_ifname=vlan2
dtag_vlan8=0
vlan0hwname=et0
vlan1_multicast=0
vlan1_nat=1

OK, so if I've got this right, my ethernet ports are on VLAN1, my WAN port is VLAN2.

That is about all I can glean from this.

What is this telling me exactly?
Page 1 of 2