Virgin SuperHub2 and DMZ setting

I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking at a more robust implementation of a DMZ?

Cheers

Dave R

Reply to
David.WE.Roberts

Don't put SSH in DMZ, use port forwarding with some other chosen number instead, disable password authentication in SSH (or they'll be brute forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want those users also trawling through your local network (hence closed).

Best the services on your LAN stay stealthed, and get a bit devious about the use of 'standard' port numbers.

Reply to
Adrian C
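As an added illustration of the advice above (not code from the thread or from the SuperHub): a POSIX shell audit that reads an sshd_config the way sshd does, first occurrence wins, and flags the two settings Adrian mentions. The sample configs are constructed; the external port is passed in separately, because the hub's port-forward rule, not sshd, decides which port the internet sees.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the points raised
# above. sshd uses the FIRST value it meets for a keyword, keywords and values are
# case-insensitive, '#' starts a comment, and PasswordAuthentication and
# PubkeyAuthentication both default to "yes" when left commented out.

# sshd_get <keyword> <file> <default>: the effective global value. Lines under a
# "Match" block are skipped: they apply conditionally and are not evaluated here.
sshd_get() {
  val=$(awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }
    tolower($1) == "match" { inmatch = 1; next }
    inmatch { next }
    tolower($1) == key { print tolower($2); exit }
  ' "$2")
  printf '%s\n' "${val:-$3}"
}

# audit_sshd <file> [external_port]: returns 0 only if password logins are off and
# key logins on. The external port is whatever the hub forwards (may differ from
# the Port sshd listens on); it defaults to that Port if not given.
audit_sshd() {
  rc=0
  pw=$(sshd_get PasswordAuthentication "$1" yes)
  pk=$(sshd_get PubkeyAuthentication "$1" yes)
  ext="${2:-$(sshd_get Port "$1" 22)}"
  [ "$pw" = "no" ]  || { echo "FAIL: PasswordAuthentication=$pw, open to brute forcing"; rc=1; }
  [ "$pk" = "yes" ] || { echo "FAIL: PubkeyAuthentication=$pk"; rc=1; }
  [ "$ext" != "22" ] || echo "WARN: reachable on the standard port 22"
  return $rc
}

# Constructed samples: a stock file with defaults left commented out (the
# brute-forceable state) and a hardened one that only re-enables passwords
# for the LAN via a Match block.
weak_config() { cat <<'EOF'
#PasswordAuthentication yes
#PubkeyAuthentication yes
Port 22
EOF
}
hardened_config() { cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.0.0/24
    PasswordAuthentication yes
EOF
}
```

Run `audit_sshd /etc/ssh/sshd_config 2222` on the Pi, with the port number taken from the hub's forwarding rule.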

Try here free.virginmedia.discussion.general

Reply to
Mr Pounder

Thanks for the reminder about brute forcing SSH - have closed that port on the firewall.

I haven't found a 'stealth' option in the firewall on the SuperHub2 though.

Now looking at alternative hardware and will start a new thread.

Cheers

Dave R

Reply to
David.WE.Roberts

Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT than uk.d-i-y by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt which are usually full of (quite) good advice :-)

Cheers

Dave R

Reply to
David.WE.Roberts

There are some learned people on the general group.

Reply to
Mr Pounder

Last time I looked you got a different response from the final router for a destination that wasn't there and for one that didn't respond. That is you can stealth your ports but someone can still tell you are there.

Reply to
dennis

Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if it's VPNs over cable systems they can be done without any fuss at all.

Or is he after something else?..

Reply to
tony sayer

I wish to run a VPN server at home, to allow connection into my home LAN then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards all incoming calls to a selected IP address, and a Raspberry Pi as the VPN Server.

My concerns now centre on the way the SH2 implements the DMZ feature.

HTH

Dave R

Reply to
David.WE.Roberts

I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ. If I were running www Web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?

Reply to
Adrian C

AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open. Don't need static IP address unless the assigned one changes too often.

I haven't asked about one or more static addresses - it sounds expensive :- )

Cheers

Dave R

Reply to
David.WE.Roberts

No..

This may well be a problem with VM, as if you have the server at that end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

If it's Virgin Media they don't have any, they use DHCP or their version of it all the time. My IP addy has changed over time but it's not that often. For added addresses you'll have to go to another non VM provider...

Reply to
tony sayer

One alternative, of course, is just to have a cron job on the Pi which checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides the new information.

So fine for a small proxy service, but not so much for a web site with a wider audience.

[Although it is possible that a redirect from a domain management site could be worked up.]

Another interesting thing is the DNS name of my link, which seems to include a customer ID and geographical location. It may be that this remains constant even if the IP address changes.

I will need to monitor the whole thing to establish what (if any) the rules are.

Cheers

Dave R

Reply to
David.WE.Roberts
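An added sketch of the cron-job idea above (not Dave's script): a POSIX shell state file that records the last-seen WAN address and reports only changes, so the mailshot goes out once per change rather than every run. The public-address lookup (curl to api.ipify.org) and the `mail` notification are assumptions to swap for whatever fits; the addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: keep the last-seen WAN address in a state
# file and report only when it changes, so a cron job can mailshot the VPN users.
STATE_FILE="${STATE_FILE:-$HOME/.wan_ip}"

# Accept only a plausible dotted-quad IPv4, so a lookup that returns an HTML
# error page or an empty string is never mailed out as the "new address".
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# check_wan_ip <ip> [state_file]: prints initial | unchanged | invalid |
# "changed from A to B", and returns 1 only on a change.
check_wan_ip() {
  ip="$1"; state="${2:-$STATE_FILE}"
  is_ipv4 "$ip" || { echo "invalid"; return 2; }
  if [ ! -f "$state" ]; then
    printf '%s\n' "$ip" > "$state"; echo "initial"; return 0
  fi
  old=$(cat "$state")
  [ "$old" = "$ip" ] && { echo "unchanged"; return 0; }
  printf '%s\n' "$ip" > "$state"
  echo "changed from $old to $ip"; return 1
}

# Assumptions: an external lookup for the public address, and `mail` for the mailshot.
wan_ip() { curl -fs --max-time 10 https://api.ipify.org; }
notify() { mail -s "VPN endpoint address changed" "${NOTIFY_TO:-vpn-users@example.invalid}"; }

# Cron entry, e.g. every 15 min:  */15 * * * * /home/pi/wan_ip_watch.sh --cron
notify_if_changed() {
  ip=$(wan_ip) || return 0     # lookup failed: say nothing, try again next run
  msg=$(check_wan_ip "$ip")
  case "$msg" in
    changed*) printf 'VPN server address %s\n' "$msg" | notify ;;
  esac
}
if [ "${1:-}" = "--cron" ]; then notify_if_changed; fi
```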

There's always the Virgin Media forums ...

Reply to
Jethro_uk

Just open an account with one of the various providers that will host your domain and forward traffic to whatever IP address you are using today. No-IP is one. You install an application on your system that periodically sends a message to your provider which will then dynamically update their DNS servers if your IP changes.

Reply to
Bernard Peek

Stop wasting time and visit this site. It is all free as long as you log into account every so often.


Reply to
Raj Kundra
