by louwrentius 1718 days ago
Regarding the management interface being exposed on every interface: I think this might be true for the TP-LINK device I linked in my article.

However, in this particular setup/context, I think the risk of this is minimal, as the actual interface should be using a private-IP address on your home network.


Hope that works :) I have this set up to an AT&T fiber gateway trashcan in pass-thru mode, so technically the RPi's VLAN port has a public IP address. Otherwise I couldn't get UPnP/etc. to work when I wanted to.

I also want to be able to set up a DMZ'ed VLAN to hook up an old NUC to host something like a valheim/minecraft/whatever server if I wanted. So having the VLAN be safe was a goal for me.

Frankly, the more I think about it, the more I fail to see an actual way to attack the management interface.

Because the interface listens on a private IP address on your home network. And if you want to be able to talk to that IP address, you need some device that you control (as an attacker) connected to the switch, and be able to add an IP address in the same range as your home network, and then attack the management interface?

The most likely scenario would indeed be the DMZ machine as a stepping-stone.

It's not really realistic, you're right. For my own goals it's "defense in depth" - just because I can't think of a scenario now doesn't mean it's impossible to do. Access also makes it easier to accidentally configure it in a way that is in fact easy to blow up.

From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.

So if, i.e., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPi doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.

The only way I could see is if there is a malicious device on the WAN side (as in, actually on the same network as the WAN interface) that is configured on the same subnet as the internal network and it communicates with the management interface over the WAN VLAN - but very unlikely (and probably have to be an untrustworthy ISP, which sounds like a problem in itself :) ).
AFAIK the TP-Link in your article only runs a DHCP client on VLAN 1 to get an IP address. It is not addressable on other VLANs.
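The two concerns raised in this thread (a spoofed private source address arriving on the WAN side, and the DMZ host being used as a stepping-stone into the management VLAN) are both things the router's own packet filter can close off regardless of what the switch's management interface does. The nftables ruleset below is an added example written for this thread; it is not from the linked article or from either commenter's setup. Interface names, subnets and the admin host address are assumptions for illustration: WAN on eth0.100 (the pass-thru public side), LAN on eth0.10 (192.168.10.0/24), DMZ on eth0.20 (192.168.20.0/24), and the switch's management interface on untagged VLAN 1 (eth0, 192.168.1.0/24), with 192.168.10.50 as the one machine allowed to reach it.

```nft
#!/usr/sbin/nft -f
# Added example for the thread above, not the article's or commenters' config.
# All interface names and addresses below are assumptions for illustration.

define WAN        = "eth0.100"   # pass-thru side of the ISP gateway, public IP
define LAN        = "eth0.10"    # trusted home network
define DMZ        = "eth0.20"    # game server / untrusted host VLAN
define MGMT       = "eth0"       # untagged VLAN 1, where the switch's UI lives
define MGMT_NET   = 192.168.1.0/24
define ADMIN_HOST = 192.168.10.50
define RFC1918    = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

flush ruleset

table inet filter {
    # Runs before routing, so it protects both the router itself (input)
    # and anything it would forward.
    chain antispoof {
        type filter hook prerouting priority raw; policy accept;

        # A packet on the WAN side claiming a private source address is the
        # "spoofed return address" case from the thread: drop it before any
        # later rule (or the switch) gets a chance to answer it.
        iifname $WAN ip saddr $RFC1918 drop

        # Strict reverse-path check: drop anything whose source address would
        # not be routed back out the interface it arrived on.
        fib saddr . iif oif missing drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Only the trusted LAN may manage the router itself.
        iifname $LAN tcp dport 22 accept
        iifname { $LAN, $DMZ } udp dport { 53, 67 } accept
        iifname { $LAN, $DMZ } icmp type echo-request accept
        iifname { $LAN, $DMZ } icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Management VLAN: one admin host in, nobody else, and nothing
        # from the DMZ or WAN even if a later rule is added by mistake.
        iifname $LAN ip saddr $ADMIN_HOST oifname $MGMT ip daddr $MGMT_NET accept
        oifname $MGMT drop

        # Normal egress; the DMZ cannot initiate anything toward the LAN.
        iifname $LAN oifname $WAN accept
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $LAN drop
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. The `oifname $MGMT drop` line is the defense-in-depth piece: even if the switch accepted management traffic on every VLAN, nothing routed through the Pi reaches the VLAN 1 subnet except the single admin host. One caveat to check before applying the RFC1918 drop on the WAN interface: if the ISP gateway's own web UI is reachable from the pass-thru side on a private address, that rule will block it, and you would need to carve out an exception for that one source.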