2017-07-31 - Re: [GRASE-Hotspot] inside network users getting onto outside network

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 3c399546a1b6d887f925f9cc9bf9630764d1461e13b8cea26053743efed6ba4d
Message ID: <CAESLx0+wq04d39bWzd=oiORBSDeobmeD=ZvRedCx=MEtCVviWA@mail.gmail.com>
Reply To: <00e701d309cb$aaa334b0$ffe99e10$@gmail.com>
UTC Datetime: 2017-07-31 03:25:39 UTC
Raw Date: Mon, 31 Jul 2017 20:25:39 +1000

Raw message

Hi Daniel

I think you're going to need to do some more investigation on your side.
Check that you can ping them. Check what the MAC addresses that have those
IPs are. With a standard Grase setup, everything behind Grase is NATted,
so will not have an IP address on the "outside" network.
You can always run tcpdump on the Grase server to try and see if anything
is passing through, you'd want to run it filtering based on IP address if
you already have lots of traffic.

Unfortunately, without being on the network, it's a little hard to find out
where those odd IPs are coming from, but if you haven't modified Grase,
then it shouldn't be via Grase.

Regards

Tim

On Mon, Jul 31, 2017 at 5:07 PM, Daniel Crusoe <di***n@gmail.com>
wrote:

> Hi Timothy,
>
>
>
> I have sent a picture of my network layout.
>
>
>
> System (labelled 1) is the Grase server
>
> System (2) is a streaming server with access to both networks but does not
> have forwarding setup (no network traffic passes through)
>
> System (3) is my Streaming Source (storage/NAS) that is connected to the
> streaming server
>
> System (4) is my downloading computer (torrents)
>
> System (5) is my Gaming system
>
>
>
> All my other computers (including my work system) are located within the
> Grase network
>
>
>
> The internet router does not supply DHCP (I have specified addresses for
> everything in the “outside” network and MAC filtering for my phone and
> tablet that sometimes connect there). I was just playing around with “Angry
> IP Scanner” on my download system when I noticed other devices connected to
> my “outside” network far outside the range I had determined for my devices
> (everything has an IP address ending below 40, and these “other” devices
> were using addresses 100-105).
>
>
>
> I do not know how they connected (as you can see there is no other link
> between the “outside” and the “inside” network other than Grase or my
> streaming server, and I checked with the streaming server disconnected and
> the intruders were still connected).
>
>
>
> I will be glad to try and supply any further information you may require.
>
>
>
> Thanks
>
> Daniel
>
>
>
> *From:* Timothy White [mailto:ti***8@gmail.com]
> *Sent:* 30 July 2017 09:29
> *To:* Grase Hotspot
> *Subject:* Re: [GRASE-Hotspot] inside network users getting onto outside
> network
>
>
>
> Hi Daniel
>
>
>
> This sounds like you might have an isolation issue. The WiFi on the Grase
> Hotspot side, should have to go through the Grase server to be able to
> access the "outside" network. By default, "inside" ip addresses can access
> "outside" ip addresses, but in no way should be able to assign themselves
> an outside IP address. If they do try, no traffic should flow, because the
> Grase server will be trying to access them on the outside network, and any
> access via the internet, will also not be trying to reach them behind the
> Grase server.
>
>
>
> Can you possibly draw a diagram as to how your hardware is wired, what IP
> ranges are in use, and how you are seeing this "bypass" being done.
>
>
>
> (If you are instead asking how to stop "inside" users from accessing
> resources in the "outside" network without preventing internet access, then
> it's a case of modifying the iptables rules to masquerade to all
> addresses, except the outside addresses. But based on your email, it
> doesn't sound like that's your request).
>
>
>
> Regards
>
>
>
> Tim
>
>
>
> On Sun, Jul 30, 2017 at 12:59 AM, Daniel Crusoe <di***n@gmail.com>
> wrote:
>
> I am sure there is probably a thread where you explain how to close down
> traffic through the server to the outside (internet) network from the inside
> (Grase) network, but dumb me cannot find it.
>
> THE PROBLEM:
> I basically have some users that are assigning their devices on the inside
> of the network an IP address from the outside network and this is
> allowing them unfettered access to the internet (not through Grase). How
> would I stop this through traffic from running on my network? (I cannot go
> to each user and check their systems. I need to implement this from my
> server.)
>
>
> Thanking you in advance for your help
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at https://groups.google.com/a/
> grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit https://groups.google.com/a/
> grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-
> 4096-899f-008811048d71%40grasehotspot.org
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-4096-899f-008811048d71%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>
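The checks suggested in the reply at the top of this message (find which MAC addresses hold the unexpected IPs, then run tcpdump filtered to those IPs), sketched as an added example that is not part of the original thread. The subnet 192.0.2.0/24, the interface name eth0 and the neighbour-table sample are constructed placeholders; only the "known devices end below 40" rule comes from the thread.

```shell
#!/bin/sh
# Added example: triage hosts seen outside the range you assigned yourself.
# Assumptions: 192.0.2.0/24 stands in for the "outside" subnet and eth0 for
# the interface facing it; substitute your own values.

MIN_UNASSIGNED=40   # from the thread: every known device ends below 40

# Constructed sample of `ip neigh show` output (not real capture data).
sample_neigh() {
cat <<'EOF'
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.12 dev eth0 lladdr 00:00:5e:00:53:0c STALE
192.0.2.100 dev eth0 lladdr 00:00:5e:00:53:64 REACHABLE
192.0.2.103 dev eth0 lladdr 00:00:5e:00:53:67 STALE
192.0.2.105 dev eth0  FAILED
EOF
}

# Read neighbour-table lines on stdin and print "IP MAC" for every IPv4
# neighbour whose last octet is at or above the limit given as $1.
# Entries with no link-layer address (ARP never answered) are reported as
# "unresolved" so they are not silently dropped.
unexpected_hosts() {
    awk -v min="$1" '
        {
            n = split($1, o, ".")
            if (n != 4 || o[4] + 0 < min) next
            mac = "unresolved"
            for (i = 2; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
            print $1, mac
        }'
}

# Turn the "IP MAC" list on stdin into a tcpdump filter expression.
capture_filter() {
    awk '{ printf "%s%s", (NR > 1 ? " or " : ""), "host " $1 }
         END { if (NR) print "" }'
}

# On a live system, replace sample_neigh with: ip neigh show dev eth0
hosts=$(sample_neigh | unexpected_hosts "$MIN_UNASSIGNED")
printf '%s\n' "$hosts"

# -n: no name lookups, -e: print MAC addresses, -i: capture interface.
printf "tcpdump -n -e -i eth0 '%s'\n" \
    "$(printf '%s\n' "$hosts" | capture_filter)"
```

The MAC addresses printed here can be compared against the router's MAC filter list and against the devices you know, and the printed tcpdump command is the one to run on the Grase server to see whether any of that traffic crosses it.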
