2017-07-31 - RE: [GRASE-Hotspot] inside network users getting onto outside network

Header Data

From: Daniel Crusoe <di***n@gmail.com>
Message Hash: 92db65aa968358a04ea4557b14e6783e8448f73a1587e2d2b5e78c0d2562138f
Message ID: <00e701d309cb$aaa334b0$ffe99e10$@gmail.com>
Reply To: <CAESLx0+pLHd3pSwKYKT4h-CeysM7oxQCjmevRB9uaj+shtEs0A@mail.gmail.com>
UTC Datetime: 2017-07-31 00:07:23 UTC
Raw Date: Mon, 31 Jul 2017 09:07:23 +0200

Raw message

Hi Timothy,

 

I have sent a picture of my network layout.

 

System (labelled 1) is the Grase server

System (2) is a streaming server with access to both networks but does not have forwarding set up (no network traffic passes through)

System (3) is my Streaming Source (storage/NAS) that is connected to the streaming server

System (4) is my downloading computer (torrents)

System (5) is my Gaming system

 

All my other computers (including my work system) are located within the Grase network

 

The internet router does not supply DHCP (I have specified addresses for everything in the “outside” network and MAC filtering for my phone and tablet that sometimes connect there). I was just playing around with “Angry IP Scanner” on my download system when I noticed other devices connected to my “outside” network far outside the range I had determined for my devices (everything has an IP address ending below 40, and these “other” devices were using addresses 100-105).

 

I do not know how they connected (as you can see, there is no other link between the “outside” and the “inside” network other than Grase or my streaming server, and I checked with the streaming server disconnected and the intruders were still connected).

 

I will be glad to try and supply any further information you may require.

 

Thanks

Daniel

 

From: Timothy White [mailto:ti***8@gmail.com] 
Sent: 30 July 2017 09:29
To: Grase Hotspot
Subject: Re: [GRASE-Hotspot] inside network users getting onto outside network

 

Hi Daniel

 

This sounds like you might have an isolation issue. The WiFi on the Grase Hotspot side should have to go through the Grase server to be able to access the "outside" network. By default, "inside" IP addresses can access "outside" IP addresses, but in no way should be able to assign themselves an outside IP address. If they do try, no traffic should flow, because the Grase server will be trying to access them on the outside network, and any access via the internet will also not be trying to reach them behind the Grase server.

 

Can you possibly draw a diagram as to how your hardware is wired, what IP ranges are in use, and how you are seeing this "bypass" being done.

 

(If you are instead asking how to stop "inside" users from accessing resources in the "outside" network without preventing internet access, then it's a case of modifying the iptables rules to masquerade to all addresses, except the outside addresses. But based on your email, it doesn't sound like that's your request).

 

Regards

 

Tim

 

On Sun, Jul 30, 2017 at 12:59 AM, Daniel Crusoe <di***n@gmail.com> wrote:

I am sure there is probably a thread where you explain how to close down traffic through the server to the outside (internet) network from the inside (Grase) network, but dumb me cannot find it.

THE PROBLEM:
I basically have some users that are assigning their devices on the inside of the network an IP address from the outside network, and this is allowing them unfettered access to the internet (not through Grase). How would I stop this through traffic from running on my network? (I cannot go to each user and check their systems. I need to implement this from my server.)


Thanking you in advance for your help.

-- 
This mailing list is for the Grase Hotspot Project http://grasehotspot.org
--- 
You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gr***e@grasehotspot.org.
To post to this group, send email to gr***t@grasehotspot.org.
Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-4096-899f-008811048d71%40grasehotspot.org <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/1eca536d-18c7-4096-899f-008811048d71%40grasehotspot.org?utm_medium=email&utm_source=footer> .

 


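Added example, not part of the original emails or the Grase project: one way to repeat the check Daniel describes (finding devices on the "outside" network that are not among the statically assigned addresses) from neighbour-table output rather than a manual scan. The subnet, the inventory, the "below 40" cut-off as coded and the sample `ip neigh show` lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip neigh show` output taken on an "outside" host;
# the subnet, addresses and MACs are invented for illustration.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.12 dev eth0 lladdr 00:11:22:33:44:12 STALE
192.168.1.20 dev eth0 lladdr de:ad:be:ef:00:20 REACHABLE
192.168.1.101 dev eth0 lladdr 00:11:22:33:44:aa REACHABLE
192.168.1.104 dev eth0 lladdr 00:11:22:33:44:bb DELAY
192.168.1.30 dev eth0 FAILED
"""

# Assumed inventory of statically assigned outside hosts (IP -> MAC).
INVENTORY = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.12": "00:11:22:33:44:12",
    "192.168.1.20": "00:11:22:33:44:20",
}
OUTSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
MAX_HOST = 40  # assumption: every assigned address ends below this value

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def audit_neighbours(text, inventory=INVENTORY):
    """Return (ip, mac, reason) for each neighbour that does not match the inventory."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        ip, _dev, mac, _state = m.groups()
        addr = ipaddress.ip_address(ip)
        if addr not in OUTSIDE_NET:
            continue  # only the outside subnet is audited
        mac = mac.lower()
        host = int(addr) - int(OUTSIDE_NET.network_address)
        if ip not in inventory:
            reason = "outside assigned range" if host >= MAX_HOST else "unlisted address"
            findings.append((ip, mac, reason))
        elif inventory[ip].lower() != mac:
            # A known address answered from an unexpected MAC.
            findings.append((ip, mac, "MAC differs from inventory"))
    return findings


if __name__ == "__main__":
    for finding in audit_neighbours(SAMPLE_NEIGH):
        print(*finding)
```

The MAC recorded for each unexpected address can then be looked up in the switch or access point's client table to see which physical port or SSID the device is actually attached to.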