If your CPE are routed, you don't have the issue of them plugging it in 
backwards. If your CPE are bridged, you don't have to worry about blocking 
anything. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



----- Original Message -----

From: "RickG" <rgunder...@gmail.com> 
To: "Ubiquiti Users Group" <ubnt_users@wispa.org> 
Sent: Saturday, November 29, 2014 6:02:49 PM 
Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


Customer plugs their router LAN port into bridged CPE affects network. 


On Sat, Nov 29, 2014 at 4:14 PM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 




It wouldn't affect your network at all. Your customers do something dumb, it's 
their own fault. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "RickG" < rgunder...@gmail.com > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Saturday, November 29, 2014 3:13:19 PM 


Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


Unfortunately, the network doesn't care whose fault it is ;) 


On Sat, Nov 29, 2014 at 2:44 PM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 

<blockquote>


That's their fault for putting an incorrectly configured device behind the CPE. 
;-) 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "Adair Winter" < ada...@amarillowireless.net > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Saturday, November 29, 2014 12:31:54 PM 


Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


Upnp is worthless if there is another Nat router behind your cpe. 
On Nov 29, 2014 12:30 PM, "RickG" < rgunder...@gmail.com > wrote: 

<blockquote>

Adair, That's really interesting, I'll have to try that. So you don't use UPNP? 


On Fri, Nov 28, 2014 at 4:13 PM, Adair Winter < ada...@amarillowireless.net > 
wrote: 

<blockquote>

This is how we set our route mode CPE's and IF anyone has trouble we tell them 
to manually set their router to the DMZ IP (and give them gateway, netmask and 
dns info). If they don't know how to do that, we log in to the radio and set 
the DMZ IP to whatever their router pulled from our radio. 
This setup works perfectly and we never have any problems with any services and 
generally only need to have people set their router in the DMZ IF they need 
port forwarding. 
With this setup the WAN port of the radio (WAN.1201 in the image) is not 
pingable and can not be managed from the internet. 
The only way we can manage CPE's is from the internal network. IF you want to 
access from the internet you'd have to uncheck the "Block Management Access"; 
alternatively you may also need to uncheck the DMZ management ports. I can't 
remember. I do NOT want my CPE's to be accessed from the outside world in 
any way, shape or form. With our setup IF they need access to something inside 
this allows that to happen without having to bridge the radio. SIP, VPN, Games 
all work fine. 


Inline image 1



Inline image 2





On Fri, Nov 28, 2014 at 2:58 PM, RickG < rgunder...@gmail.com > wrote: 

<blockquote>

Well, I occasionally get complaints that the XBox network test shows ports 
closed and security cameras aren't viewable remotely. I'll try UPNP. Thanks! 


On Fri, Nov 28, 2014 at 3:20 PM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 

<blockquote>


If there hasn't been an issue yet, then there's probably not a problem. 

Turn on uPNP, call it a day. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "RickG" < rgunder...@gmail.com > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Friday, November 28, 2014 2:10:39 PM 


Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


Mainly be sure I'm not causing issues for customers. Such as XBox or security 
cameras not being able to function properly. 


On Fri, Nov 28, 2014 at 8:12 AM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 

<blockquote>


What problem are you having that you're trying to solve? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "RickG" < rgunder...@gmail.com > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Friday, November 28, 2014 2:19:56 AM 


Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


True. Perhaps what I need to do on the CPE is set the DHCP range for 1 IP addy 
and put that addy in the DMZ? Then the radio wouldn't inadvertently block 
anything. 


On Thu, Nov 27, 2014 at 10:57 PM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 

<blockquote>


There's nothing to open or close. 

You couldn't set port forwards ahead of time without knowing what they want and 
where they want it. That's what uPNP is for. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "RickG" < rgunder...@gmail.com > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Wednesday, November 26, 2014 10:19:45 PM 


Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


That helps a lot! I have my customers in router mode with NAT enabled without 
opening any ports. I really don't get any complaints but I'm trying to be sure I 
am not causing any undue issues for my customers, so, should I open any ports or 
is default sufficient? 


On Wed, Nov 26, 2014 at 2:48 PM, Sam Tetherow < tethe...@shwisp.net > wrote: 

<blockquote>

I think there is some confusion. 

In router mode with NAT enabled and DMZ disabled the only thing it will pass to 
the customer is stuff that is set in the port forwarding section. (iptables -t 
nat -L) 

In router mode with NAT enabled and DMZ enabled it will pass everything to the 
DMZ IP except management ports (unless DMZ management ports is checked) 
(iptables -t nat -L will show all ports not passed to the router). If DMZ 
management ports is checked then everything is sent to the DMZ IP. 

In router mode without NAT enabled it will route all traffic to the LAN address 
space, this means you need to have a subnet on the LAN side that is routed 
externally to the radio IP address. 

In bridge mode all traffic coming in WLAN will be passed to LAN. 





On 11/26/2014 11:04 AM, RickG wrote: 

<blockquote>

Thanks Sam! With that, should I assume only those ports are being passed 
through the UBNT radio to the customer? 


On Wed, Nov 26, 2014 at 10:13 AM, Sam Tetherow < tethe...@shwisp.net > wrote: 

<blockquote>

Default should have ports 80, 443, 22 TCP for HTTP, HTTPS and SSH as well as 
10001 UDP for the discovery protocol. By open that means those are the only 
ports on the radio that have something listening on them. If you turn those 
services off on the services tab then they will no longer be listening on those 
ports. You can also turn on SNMP (UDP 161) and telnet (TCP 23) 

To see what ports are being listened on use 'netstat -nl' from the command 
line, to see what ports are being forwarded you can use 'iptables -t nat -L' 


On 11/25/2014 08:27 PM, RickG wrote: 

<blockquote>

I agree Mike, however my question is more basic than that. I realize that a 
UBNT radio comes with the firewall turned off and in fact I've never turned it 
on. So, my question is: Default from the factory, which ports are open and/or 
closed? Obviously most common ports are open. Do I need to open any to prevent 
any issues? 


On Tue, Nov 25, 2014 at 10:02 AM, Mike Hammett < wispaubntus...@ics-il.net > 
wrote: 

<blockquote>


I think people go a bit excessive with firewalling. If there's no service there 
to answer, there's no need to firewall it. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 





From: "RickG" < rgunder...@gmail.com > 
To: "Ubiquiti Users Group" < ubnt_users@wispa.org > 
Sent: Tuesday, November 25, 2014 9:00:45 AM 
Subject: Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ Management 
Ports, what are they? 


Ya, thank goodness for upnp. I'm just trying to understand and be sure I'm not 
causing any issues for my customers as far as open & closed ports. Obviously 
certain ports are open but are they all? 


On Tue, Nov 25, 2014 at 7:32 AM, Josh Luthman < j...@imaginenetworksllc.com > 
wrote: 

<blockquote>

If you're behind Nat your Xbox will say closed because they need to be 
dstnated. There's upnp on the later versions. 
Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 
On Nov 25, 2014 12:28 AM, "RickG" < rgunder...@gmail.com > wrote: 

<blockquote>

So I should expect all ports to be open? 


On Mon, Nov 24, 2014 at 5:55 PM, Josh Luthman < j...@imaginenetworksllc.com > 
wrote: 

<blockquote>

There are no firewall rules by default. Nothing is DMZ'ed nor PAT'ed. 






Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 



On Mon, Nov 24, 2014 at 5:25 PM, RickG < rgunder...@gmail.com > wrote: 

<blockquote>

This reminded me of a question: What ports are open or closed by default of a 
UBNT radio in router mode? 



On Wed, Nov 19, 2014 at 5:56 PM, Sam Tetherow < tethe...@shwisp.net > wrote: 

<blockquote>
Definitive list: 
TCP telnet (23) 
TCP http (80) 
TCP https (443) 
ICMP Echo-Request 
TCP ssh (22) 
TCP snmp (161) 
TCP 18888 
UDP discard (9) 
UDP 10001 - ubiquiti discovery protocol although it never seems to reply 
when in DMZ mode 

If any of the services are disabled on the radio then the ports are 
forwarded on to the DMZ radio, if the ports are changed on the services 
tab then they will be changed in the DMZ section. 

If in doubt, ssh into the radio and run iptables -t nat -L 





On 11/14/2014 06:36 PM, Matt Jenkins wrote: 
> I assume 80, 22, 443. What others are there? I can't find it in any of 
> the manuals. 
> _______________________________________________ 
> Ubnt_users mailing list 
> Ubnt_users@wispa.org 
> http://lists.wispa.org/mailman/listinfo/ubnt_users 







-- 

-RickG KyWiFi 


</blockquote>




</blockquote>




-- 

-RickG KyWiFi 


</blockquote>



</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 

-RickG KyWiFi 

</blockquote>




</blockquote>




-- 

-RickG KyWiFi 

</blockquote>




</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 



Adair Winter 
VP, Network Operations / Owner 
Amarillo Wireless | 806.316.5071 
C: 806.231.7180 
http://www.amarillowireless.net 




</blockquote>




-- 

-RickG KyWiFi 


</blockquote>



</blockquote>




-- 

-RickG KyWiFi 


</blockquote>




-- 

-RickG KyWiFi 
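
Sam Tetherow's suggestion in the thread to check listeners with 'netstat -nl', worked as an added example that is not part of any poster's message. The function names, the sample output and the extra listener on port 8080 are constructed, and it assumes an awk is available wherever the output is processed.

```shell
#!/bin/sh
# Added example (not from the thread): sort `netstat -nl` listeners into the
# defaults the thread names, the optional services it names, and the rest.

# stdin: `netstat -nl` output. stdout: "<status> <proto>/<port> <local address>"
classify_listeners() {
    awk '
    BEGIN {
        # Defaults per the thread: HTTP, HTTPS, SSH, UDP discovery.
        known["tcp/80"] = "default";  known["tcp/443"] = "default"
        known["tcp/22"] = "default";  known["udp/10001"] = "default"
        # Services the thread says can be turned on: telnet and SNMP.
        known["tcp/23"] = "optional"; known["udp/161"] = "optional"
    }
    $1 ~ /^(tcp|udp)6?$/ {                  # skips headers and unix sockets
        proto = $1; sub(/6$/, "", proto)    # fold tcp6/udp6 into tcp/udp
        if (proto == "tcp" && $NF != "LISTEN") next
        port = $4; sub(/^.*:/, "", port)    # text after the last colon
        key = proto "/" port
        status = (key in known) ? known[key] : "unexpected"
        print status, key, $4
    }'
}

# Constructed sample output; port 8080 is an invented extra listener.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:10001           0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING       1042 /var/run/example.sock
EOF
}

# On a device: netstat -nl | classify_listeners
sample_netstat | classify_listeners
```

Anything reported as unexpected is a listener the thread's default list does not account for and is worth checking against the services tab.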