Customer plugs their router LAN port into bridged CPE affects network.

On Sat, Nov 29, 2014 at 4:14 PM, Mike Hammett <[email protected]> wrote:
> It wouldn't affect your network at all. Your customers do something dumb,
> it's their own fault.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
>
> ------------------------------
> *From: *"RickG" <[email protected]>
> *To: *"Ubiquiti Users Group" <[email protected]>
> *Sent: *Saturday, November 29, 2014 3:13:19 PM
> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ
> Management Ports, what are they?
>
> Unfortunately, the network doesn't care whose fault it is ;)
>
> On Sat, Nov 29, 2014 at 2:44 PM, Mike Hammett <[email protected]>
> wrote:
>
>> That's their fault for putting an incorrectly configured device behind
>> the CPE. ;-)
>>
>> ------------------------------
>> *From: *"Adair Winter" <[email protected]>
>> *To: *"Ubiquiti Users Group" <[email protected]>
>> *Sent: *Saturday, November 29, 2014 12:31:54 PM
>> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ
>> Management Ports, what are they?
>>
>> Upnp is worthless if there is another Nat router behind your cpe.
>> On Nov 29, 2014 12:30 PM, "RickG" <[email protected]> wrote:
>>
>>> Adair, That's really interesting, I'll have to try that. So you don't
>>> use UPNP?
>>>
>>> On Fri, Nov 28, 2014 at 4:13 PM, Adair Winter <[email protected]> wrote:
>>>
>>>> This is how we set our route mode CPE's and IF anyone has trouble we
>>>> tell them to manually set their router to the DMZ IP (and give them
>>>> gateway, netmask and dns info).
>>>> If they don't know how to do that, we log
>>>> in to the radio and set the DMZ IP to whatever their router pulled from our
>>>> radio.
>>>> This setup works perfectly and we never have any problems with any
>>>> services and generally only need to have people set their router in the DMZ
>>>> IF they need port forwarding.
>>>> With this setup the WAN port of the radio (WAN.1201 in the image) is
>>>> not pingable and can not be managed from the internet.
>>>> The only way we can manage CPE's is from the internal network. IF you
>>>> want to access from the internet you'd have to uncheck the "Block
>>>> Management Access"; alternatively you may also need to uncheck the DMZ
>>>> management ports. I can't remember. I do NOT want my CPE's to be accessed
>>>> from the outside world in any way, shape or form. With our setup IF they need
>>>> access to something inside this allows that to happen without having to
>>>> bridge the radio. SIP, VPN, Games all work fine.
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> [image: Inline image 2]
>>>>
>>>> On Fri, Nov 28, 2014 at 2:58 PM, RickG <[email protected]> wrote:
>>>>
>>>>> Well, I occasionally get complaints that the XBox network test shows
>>>>> ports closed and security cameras aren't viewable remotely. I'll try UPNP.
>>>>> Thanks!
>>>>>
>>>>> On Fri, Nov 28, 2014 at 3:20 PM, Mike Hammett <[email protected]> wrote:
>>>>>
>>>>>> If there hasn't been an issue yet, then there's probably not a
>>>>>> problem.
>>>>>>
>>>>>> Turn on uPNP, call it a day.
>>>>>> ------------------------------
>>>>>> *From: *"RickG" <[email protected]>
>>>>>> *To: *"Ubiquiti Users Group" <[email protected]>
>>>>>> *Sent: *Friday, November 28, 2014 2:10:39 PM
>>>>>> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ
>>>>>> Management Ports, what are they?
>>>>>>
>>>>>> Mainly be sure I'm not causing issues for customers. Such as XBox or
>>>>>> security cameras not being able to function properly.
>>>>>>
>>>>>> On Fri, Nov 28, 2014 at 8:12 AM, Mike Hammett <[email protected]> wrote:
>>>>>>
>>>>>>> What problem are you having that you're trying to solve?
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> *From: *"RickG" <[email protected]>
>>>>>>> *To: *"Ubiquiti Users Group" <[email protected]>
>>>>>>> *Sent: *Friday, November 28, 2014 2:19:56 AM
>>>>>>> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ
>>>>>>> Management Ports, what are they?
>>>>>>>
>>>>>>> True. Perhaps what I need to do on the CPE is set the DHCP range for
>>>>>>> 1 IP addy and put that addy in the DMZ? Then the radio wouldn't
>>>>>>> inadvertently block anything.
>>>>>>> On Thu, Nov 27, 2014 at 10:57 PM, Mike Hammett <[email protected]> wrote:
>>>>>>>
>>>>>>>> There's nothing to open or close.
>>>>>>>>
>>>>>>>> You couldn't set port forwards ahead of time without knowing what
>>>>>>>> they want and where they want it. That's what uPNP is for.
>>>>>>>>
>>>>>>>> ------------------------------
>>>>>>>> *From: *"RickG" <[email protected]>
>>>>>>>> *To: *"Ubiquiti Users Group" <[email protected]>
>>>>>>>> *Sent: *Wednesday, November 26, 2014 10:19:45 PM
>>>>>>>> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS] DMZ
>>>>>>>> Management Ports, what are they?
>>>>>>>>
>>>>>>>> That helps a lot! I have my customers in router mode with NAT
>>>>>>>> enabled without opening any ports. I really don't get any complaints
>>>>>>>> but I'm trying to be sure I am not causing any undue issues for my
>>>>>>>> customers, so, should I open any ports or is default sufficient?
>>>>>>>>
>>>>>>>> On Wed, Nov 26, 2014 at 2:48 PM, Sam Tetherow <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I think there is some confusion.
>>>>>>>>>
>>>>>>>>> In router mode with NAT enabled and DMZ disabled the only thing it
>>>>>>>>> will pass to the customer is stuff that is set in the port forwarding
>>>>>>>>> section. (iptables -t nat -L)
>>>>>>>>>
>>>>>>>>> In router mode with NAT enabled and DMZ enabled it will pass
>>>>>>>>> everything to the DMZ IP except management ports (unless DMZ
>>>>>>>>> management ports is checked) (iptables -t nat -L will show all ports
>>>>>>>>> not passed to the router).
>>>>>>>>> If DMZ management ports is checked then everything is sent to
>>>>>>>>> the DMZ IP.
>>>>>>>>>
>>>>>>>>> In router mode without NAT enabled it will route all traffic to
>>>>>>>>> the LAN address space, this means you need to have a subnet on the
>>>>>>>>> LAN side that is routed externally to the radio IP address.
>>>>>>>>>
>>>>>>>>> In bridge mode all traffic coming in WLAN will be passed to LAN.
>>>>>>>>>
>>>>>>>>> On 11/26/2014 11:04 AM, RickG wrote:
>>>>>>>>>
>>>>>>>>> Thanks Sam! With that, should I assume only those ports are being
>>>>>>>>> passed through the UBNT radio to the customer?
>>>>>>>>>
>>>>>>>>> On Wed, Nov 26, 2014 at 10:13 AM, Sam Tetherow <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Default should have ports 80, 443, 22 TCP for HTTP, HTTPS and
>>>>>>>>>> SSH as well as 10001 UDP for the discovery protocol. By open that
>>>>>>>>>> means those are the only ports on the radio that have something
>>>>>>>>>> listening on them. If you turn those services off on the services tab
>>>>>>>>>> then they will no longer be listening on those ports. You can also
>>>>>>>>>> turn on SNMP (UDP 161) and telnet (TCP 23)
>>>>>>>>>>
>>>>>>>>>> To see what ports are being listened on use 'netstat -nl' from
>>>>>>>>>> the command line, to see what ports are being forwarded you can use
>>>>>>>>>> 'iptables -t nat -L'
>>>>>>>>>>
>>>>>>>>>> On 11/25/2014 08:27 PM, RickG wrote:
>>>>>>>>>>
>>>>>>>>>> I agree Mike, however my question is more basic than that. I
>>>>>>>>>> realize that a UBNT radio comes with the firewall turned off and in
>>>>>>>>>> fact I've never turned it on. So, my question is: Default from the
>>>>>>>>>> factory, which ports are open and/or closed? Obviously most common
>>>>>>>>>> ports are open. Do I need to open any to prevent any issues?
>>>>>>>>>> On Tue, Nov 25, 2014 at 10:02 AM, Mike Hammett <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I think people go a bit excessive with firewalling. If there's
>>>>>>>>>>> no service there to answer, there's no need to firewall it.
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------
>>>>>>>>>>> *From: *"RickG" <[email protected]>
>>>>>>>>>>> *To: *"Ubiquiti Users Group" <[email protected]>
>>>>>>>>>>> *Sent: *Tuesday, November 25, 2014 9:00:45 AM
>>>>>>>>>>> *Subject: *Re: [Ubnt_users] Default open/closed ports - [WAS]
>>>>>>>>>>> DMZ Management Ports, what are they?
>>>>>>>>>>>
>>>>>>>>>>> Ya, thank goodness for upnp. I'm just trying to understand and
>>>>>>>>>>> be sure I'm not causing any issues for my customers as far as open
>>>>>>>>>>> & closed ports. Obviously certain ports are open but are they all?
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Nov 25, 2014 at 7:32 AM, Josh Luthman <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> If you're behind Nat your Xbox will say closed because they
>>>>>>>>>>>> need to be dstnated. There's upnp on the later versions.
>>>>>>>>>>>>
>>>>>>>>>>>> Josh Luthman
>>>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>>>> 1100 Wayne St
>>>>>>>>>>>> Suite 1337
>>>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>>> On Nov 25, 2014 12:28 AM, "RickG" <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> So I should expect all ports to be open?
>>>>>>>>>>>>> On Mon, Nov 24, 2014 at 5:55 PM, Josh Luthman <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> There are no firewall rules by default. Nothing is DMZ'ed
>>>>>>>>>>>>>> nor PAT'ed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Nov 24, 2014 at 5:25 PM, RickG <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This reminded me of a question: What ports are open or
>>>>>>>>>>>>>>> closed by default of a UBNT radio in router mode?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Nov 19, 2014 at 5:56 PM, Sam Tetherow <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Definitive list:
>>>>>>>>>>>>>>>> TCP telnet (23)
>>>>>>>>>>>>>>>> TCP http (80)
>>>>>>>>>>>>>>>> TCP https (443)
>>>>>>>>>>>>>>>> ICMP Echo-Request
>>>>>>>>>>>>>>>> TCP ssh (22)
>>>>>>>>>>>>>>>> TCP snmp (161)
>>>>>>>>>>>>>>>> TCP 18888
>>>>>>>>>>>>>>>> UDP discard (9)
>>>>>>>>>>>>>>>> UDP 10001 - ubiquiti discovery protocol although it never
>>>>>>>>>>>>>>>> seems to reply when in DMZ mode
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If any of the services are disabled on the radio then the
>>>>>>>>>>>>>>>> ports are forwarded on to the DMZ radio, if the ports are changed
>>>>>>>>>>>>>>>> on the services tab then they will be changed in the DMZ section.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If in doubt, ssh into the radio and run iptables -t nat -L
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 11/14/2014 06:36 PM, Matt Jenkins wrote:
>>>>>>>>>>>>>>>> > I assume 80, 22, 443. What others are there? I can't find
>>>>>>>>>>>>>>>> > it in any of the manuals.
>>>> --
>>>> Adair Winter
>>>> VP, Network Operations / Owner
>>>> Amarillo Wireless | 806.316.5071
>>>> C: 806.231.7180
>>>> http://www.amarillowireless.net

--
-RickG KyWiFi
_______________________________________________
Ubnt_users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/ubnt_users
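
The `netstat -nl` check Sam Tetherow describes in the quoted thread, as an added example that is not part of the original messages: a POSIX shell sketch that compares a radio's listening sockets with the default set he names (TCP 22, 80, 443 and UDP 10001). The function names and the sample `netstat` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a radio's `netstat -nl` listeners with the default
# set named in the thread (TCP 22/80/443, UDP 10001). Function names and the
# sample output are constructed for illustration, not taken from a device.

EXPECTED="tcp/22 tcp/80 tcp/443 udp/10001"

# Constructed `netstat -nl` output with telnet and SNMP also switched on.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:10001           0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1234   /var/run/example.sock
EOF
}

# stdin: netstat -nl text. stdout: one proto/port per listening inet socket.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)   # fold tcp6/udp6 into tcp/udp
        n = split($4, a, ":")      # port is the last ":"-separated field
        print proto "/" a[n]
    }' | LC_ALL=C sort -u
}

# Listeners that are not in the default set (extra services enabled).
unexpected_listeners() {
    listeners | while read -r l; do
        case " $EXPECTED " in
            *" $l "*) ;;
            *) echo "$l" ;;
        esac
    done
}

# Default services with no listener (turned off on the services tab).
missing_listeners() {
    found=$(listeners | tr '\n' ' ')
    for e in $EXPECTED; do
        case " $found " in
            *" $e "*) ;;
            *) echo "$e" ;;
        esac
    done
}

echo "unexpected: $(sample_netstat | unexpected_listeners | tr '\n' ' ')"
echo "missing:    $(sample_netstat | missing_listeners | tr '\n' ' ')"
```

On a real radio the functions read the live command instead of the sample, for example `netstat -nl | unexpected_listeners`; a listener on a management port only tells you the service is on, and whether it is reachable from the WAN still depends on the mode and DMZ settings discussed in the thread.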
