I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Cheers

Dave R

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.

--
Adrian C

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Try here
free.virginmedia.discussion.general

On Sat, 15 Feb 2014 12:01:06 +0000, Adrian C wrote:

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.

Thanks for the reminder about brute forcing SSH - have closed that port on
the firewall.

I haven't found a 'stealth' option in the firewall on the SuperHub2 though.

Now looking at alternative hardware and will start a new thread.

Cheers

Dave R

On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general

Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT that uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

Cheers

Dave R

"David.WE.Roberts" wrote in message
...
On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general

Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT that uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

The broadband group has been quiet for ages.
There are some learned people on the general group.

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if its
VPN's over cable systems they can be done without any fuss at all.

Or is he after something else?..

--
Tony Sayer

On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are
both opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but
I am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are
there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if its
VPN's over cable systems they can be done without any fuss at all.

Or is he after something else?..

I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.

HTH

Dave R

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?

--
Adrian C

On Sun, 16 Feb 2014 18:46:17 +0000, Adrian C wrote:

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home
LAN then out again, so that the call looks to be coming from my home
network.

Useful when you are abroad and sites refuse to talk to non-UK IP
addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the
VPN Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?

AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have to
worry about which ports to open. Don't need static IP address unless the
assigned one changes too often.

I haven't asked about one or more static addresses - it sounds expensive :-
)

Cheers

Dave R

I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?

No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have to
worry about which ports to open. Don't need static IP address unless the
assigned one changes too often.

This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive :-
)

If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...


Cheers

Dave R

--
Tony Sayer

On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?

No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.

This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)

If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...

One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]

Another interesting thing is the DNS name of my link, which seems to
include a customer ID and geographical location. It may be that this
remains constant even if the IP address changes.

I will need to monitor the whole thing to establish what (if any) the
rules are.

Cheers

Dave R

On 18/02/14 11:12, David.WE.Roberts wrote:
On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?

No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.

This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)

If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...

One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]

Just open an account with one of the various providers that will host
your domain and forward traffic to whatever IP address you are using
today. No-IP is one. You install an application on your system that
periodically sends a message to your provider which will then
dynamically update their DNS servers if your IP changes.



--
Bernard Peek

"David.WE.Roberts" wrote in message
...
On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?

No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.

This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)

If its Virgin Media they don't have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...

One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]

Another interesting thing is the DNS name of my link, which seems to
include a customer ID and geographical location. It may be that this
remains constant even if the IP address changes.

I will need to monitor the whole thing to establish what (if any) the
rules are.


Stop wasting time and visit this site. It is all free as long as you log
into account every so often.
http://freedns.afraid.org/