Re: [pfSense Support] Re: multi-wan, multi-lan security
On 07/08/10 06:06, Tortise wrote:
>> My ISP advised us not to use common private LAN addresses for this
>
> Woops - sorry for being misleading. I meant (and use) random numbers taken from within the private address ranges. (10.x.x.x etc)

rfc1918, IIRC, actually says to choose a random range.

At $JOB my predecessor stuck with the default 10.0.0/8 address in the draytek router (before I deployed pfsense), which caused problems with some members of staff who also used the default 10.0.0/8 range. sigh.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Re: multi-wan, multi-lan security
- Original Message -
From: Dave Warren dave-use...@djwcomputers.com
To: support@pfsense.com
Sent: Saturday, August 07, 2010 5:58 PM
Subject: [pfSense Support] Re: multi-wan, multi-lan security

> In message b8ab6ffcb532416f938e8d117b87e...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
>> - Original Message -
>> From: Dave Warren dave-use...@djwcomputers.com
>> To: support@pfsense.com
>> Sent: Saturday, August 07, 2010 4:51 PM
>> Subject: [pfSense Support] Re: multi-wan, multi-lan security
>>
>>> In message 24b7224eff7c4e19b1a43fd4df416...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
>>>> My ISP advised us not to use common private LAN addresses for this (common problem) reason. (I now use randomly generated addresses)
>>>
>>> I do hope you never need to contact the legitimate owner of whatever IPs you're using...
>>>
>>> Personally, if my provider gave me such advice (not just a single rep, but the provider's official policy) I'd find a competent provider.
>>
>> Woops - sorry for being misleading. I meant (and use) random numbers taken from within the private address ranges. (10.x.x.x etc)
>
> In that case, excellent advice and one I would absolutely agree with. I'm possibly overly sensitive on this particular issue just because I'm tired of dealing with it professionally; one of $DAYJOB's partners used to give out advice like this and we spent untold hours cleaning up.
>
> I hope no offense was taken, certainly none was intended on my part, and if I came across too harshly, I do apologize.

Hey no worries, I accept I could have been a little less ambiguous; dangerous to assume anything when communicating...!

An interesting discussion. I was using random numbers to minimise the risk of ARP poisoning; a dead connection is best avoided! The comments about minimal increased security from using random nos (within private network ranges!) were not on my mind, however it's food for thought.
[pfSense Support] Re: multi-wan, multi-lan security
In message 24b7224eff7c4e19b1a43fd4df416...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
> My ISP advised us not to use common private LAN addresses for this (common problem) reason. (I now use randomly generated addresses)

I do hope you never need to contact the legitimate owner of whatever IPs you're using...

Personally, if my provider gave me such advice (not just a single rep, but the provider's official policy) I'd find a competent provider.
[pfSense Support] Re: multi-wan, multi-lan security
In message 8c8f0f7add704cf491998cbe298fb...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
> Yes I was referring to ARP poisoning and my cable connection experience which is the reason for the random (obscure) LAN subnet range selection...

It's worth noting that even if you use an uncommon LAN subnet range selection internally, anyone in your broadcast domain could easily observe your ARP packets and find your IP range, so you're not gaining much security by obscurity here, although you are decreasing the odds that two random 192.168.0.0/24 networks will cross-talk if you both made the same configuration error at once. This assumes the case of a large ancient cable modem network that still broadcasts ARPs between client side networks on different modems, and assumes a configuration error directly connects a LAN to the WAN bypassing the firewall.

In reality it's been a while since this was that big a deal on cable modem networks (or at least any that I've touched); around here it's probably been 5+ years since you could see floods of ARP requests. I think that the cable modems only transmit ARP requests from WAN to LAN for MAC addresses already known to exist on the LAN side, so strictly speaking your cable modem won't pass valid traffic after the modem is rebooted until the LAN side machine sends at least one packet up to the modem. This is a handy side effect of cable modems already needing to track valid MAC addresses to limit the number of machines connected for billing purposes.

10/8 is huge; 172.16/12 is a little less widely used and also significantly large enough that I've never ever personally seen any remote network overlapping with the /21 that I picked out for myself, and I VPN into remote client sides regularly, and travel somewhat frequently.
Re: [pfSense Support] Re: multi-wan, multi-lan security
- Original Message -
From: Dave Warren dave-use...@djwcomputers.com
To: support@pfsense.com
Sent: Saturday, August 07, 2010 4:51 PM
Subject: [pfSense Support] Re: multi-wan, multi-lan security

> In message 24b7224eff7c4e19b1a43fd4df416...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
>> My ISP advised us not to use common private LAN addresses for this (common problem) reason. (I now use randomly generated addresses)
>
> I do hope you never need to contact the legitimate owner of whatever IPs you're using...
>
> Personally, if my provider gave me such advice (not just a single rep, but the provider's official policy) I'd find a competent provider.

Woops - sorry for being misleading. I meant (and use) random numbers taken from within the private address ranges. (10.x.x.x etc)
Re: [pfSense Support] Re: multi-wan, multi-lan security
On Fri, Aug 06, 2010 at 09:51:35PM -0700, Dave Warren wrote:
> In message 24b7224eff7c4e19b1a43fd4df416...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
>> My ISP advised us not to use common private LAN addresses for this (common problem) reason. (I now use randomly generated addresses)
>
> I do hope you never need to contact the legitimate owner of whatever IPs you're using...
>
> Personally, if my provider gave me such advice (not just a single rep, but the provider's official policy) I'd find a competent provider.

He said random. He didn't say non-1918 space.

192.168.$RND(10,255).0/24
10.$RND(10,255).$RND(10,255).0/24
172.$RND(16,31).$RND(10,255).0/24

I work for a local ISP. The above is what I mean when I recommend businesses pick a random network. He may have meant what you thought he meant, but he didn't actually specify.

--
Scott Lambert KC5MLE Unix SysAdmin lamb...@lambertfam.org
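The three `$RND(...)` recipes above, and Dave's point earlier in the thread that the real payoff of a random range is not clashing with the networks you VPN into, written out as a small script. This is an added example, not code from any of the list participants; the `REMOTE_NETS` list is a constructed sample of VPN peer networks, and the `pick_lan_range` / `overlaps_any` names are my own.

```python
import ipaddress
import random

# The three RFC 1918 blocks a "random" LAN range must stay inside.
RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def random_private_24(rng):
    """One draw from the recipe in Scott's mail:
    192.168.RND(10,255).0/24, 10.RND(10,255).RND(10,255).0/24,
    172.RND(16,31).RND(10,255).0/24.
    The lower bound of 10 skips the low octets that default configs use."""
    block = rng.choice(("10", "172", "192"))
    if block == "10":
        return f"10.{rng.randint(10, 255)}.{rng.randint(10, 255)}.0/24"
    if block == "172":
        return f"172.{rng.randint(16, 31)}.{rng.randint(10, 255)}.0/24"
    return f"192.168.{rng.randint(10, 255)}.0/24"


def is_rfc1918(cidr):
    """True only if the whole prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def overlaps_any(cidr, others):
    """Return the first prefix in `others` that overlaps `cidr`, else None."""
    net = ipaddress.ip_network(cidr, strict=False)
    for other in others:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            return other
    return None


def pick_lan_range(known_remote_nets, seed=None, attempts=200):
    """Draw candidates until one is RFC 1918 and clashes with none of the
    remote networks this site must reach (VPN peers, partner LANs).
    A fixed seed makes the choice reproducible for testing only."""
    rng = random.Random(seed)
    for _ in range(attempts):
        cand = random_private_24(rng)
        if is_rfc1918(cand) and overlaps_any(cand, known_remote_nets) is None:
            return cand
    raise RuntimeError("no clash-free /24 found; widen the candidate pool")


# Constructed sample (hypothetical): networks this office reaches over VPN.
REMOTE_NETS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/16", "172.16.0.0/21"]

if __name__ == "__main__":
    print("suggested LAN range:", pick_lan_range(REMOTE_NETS))
```

Run it each time a new site or VPN peer is added so the clash check covers the current list, and record the chosen range alongside the peer list.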
[pfSense Support] Re: multi-wan, multi-lan security
In message b8ab6ffcb532416f938e8d117b87e...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
> - Original Message -
> From: Dave Warren dave-use...@djwcomputers.com
> To: support@pfsense.com
> Sent: Saturday, August 07, 2010 4:51 PM
> Subject: [pfSense Support] Re: multi-wan, multi-lan security
>
>> In message 24b7224eff7c4e19b1a43fd4df416...@dp2000xp Tortise tort...@paradise.net.nz was claimed to have wrote:
>>> My ISP advised us not to use common private LAN addresses for this (common problem) reason. (I now use randomly generated addresses)
>>
>> I do hope you never need to contact the legitimate owner of whatever IPs you're using...
>>
>> Personally, if my provider gave me such advice (not just a single rep, but the provider's official policy) I'd find a competent provider.
>
> Woops - sorry for being misleading. I meant (and use) random numbers taken from within the private address ranges. (10.x.x.x etc)

In that case, excellent advice and one I would absolutely agree with. I'm possibly overly sensitive on this particular issue just because I'm tired of dealing with it professionally; one of $DAYJOB's partners used to give out advice like this and we spent untold hours cleaning up.

I hope no offense was taken, certainly none was intended on my part, and if I came across too harshly, I do apologize.