Is the 2.5GbE LAN/WAN port a security risk?

OzarkEdge

Part of the Furniture
Is the 2.5GbE LAN/WAN port a security risk when used for WAN and the firmware is reset, connecting the WAN/Internet to the LAN?

OE
 

bbunge

Part of the Furniture
Is the 2.5GbE LAN/WAN port a security risk when used for WAN and the firmware is reset, connecting the WAN/Internet to the LAN?

OE
Why would you think that? The firmware should shift the firewall settings over to the 2.5 GB port when it is set up.
 

OzarkEdge

Part of the Furniture
Why would you think that? The firmware should shift the firewall settings over to the 2.5 GB port when it is set up.

Read it again.

OE
 

bbunge

Part of the Furniture
Read it again.

OE
I did several times. The firmware should detect that port is on a WAN connection. Was also thinking you had put something in your tea this morning.
 

OzarkEdge

Part of the Furniture
I did several times. The firmware should detect that port is on a WAN connection. Was also thinking you had put something in your tea this morning.

Given the configurable LAN/WAN port is configured for WAN and wired to the Internet... if the firmware is reset and that port defaults to LAN port5, is the Internet now wired directly to the LAN and is this a security risk until disconnected?

OE
 

Tech Junky

Very Senior Member
If it doesn't result in a 192 IP I'm thinking there's a mechanism in the FW that should take care of that. Then again these aren't the smartest devices either.
 

OzarkEdge

Part of the Furniture
If it doesn't result in a 192 IP I'm thinking there's a mechanism in the FW that should take care of that. Then again these aren't the smartest devices either.

Yeah, that's the uncertainty I'm wondering about. I can think of various scenarios where the condition could go unnoticed for an extended period of time.

OE
 

bbunge

Part of the Furniture
I did a quick look through of the English AX86U PDF manual. Not surprised that there was nothing about using the 2.5 GB port for WAN. Thought it should be in the QIS area but it wasn't.
OE, have you tried it?
 

ColinTaylor

Part of the Furniture
Given the configurable LAN/WAN port is configured for WAN and wired to the Internet... if the firmware is reset and that port defaults to LAN port5, is the Internet now wired directly to the LAN and is this a security risk until disconnected?

OE
I think the thing that would stop it becoming a problem is that in the scenario where you do a factory reset you're forced to go through the initial setup procedure before anything works.

EDIT: And of course it depends on what kind of device your router is connected to, e.g. a cable modem, etc.
 

Tech Junky

Very Senior Member
Yeah, that's the uncertainty I'm wondering about. I can think of various scenarios where the condition could go unnoticed for an extended period of time.

OE
I would think the default setting is LAN which would be offering DHCP to the ISP which wouldn't work.
 

OzarkEdge

Part of the Furniture
I think the thing that would stop it becoming a problem is that in the scenario where you do a factory reset you're forced to go through the initial setup procedure before anything works.

Yes, but... previously my concern was for the novice commissioning multiple routers for AiMesh and inadvertently reconnecting the WAN cable to a LAN port. Now a configurable LAN/WAN port and firmware reset makes this much more likely to happen. So, just wondering how the firmware might handle it to protect the user's LAN.

Where's Tech9 when I really need an answer! :)

OE
 

ColinTaylor

Part of the Furniture
Yes, but... previously my concern was for the novice commissioning multiple routers for AiMesh and inadvertently reconnecting the WAN cable to a LAN port. Now a configurable LAN/WAN port and firmware reset makes this much more likely to happen. So, just wondering how the firmware might handle it to protect the user's LAN.

Where's Tech9 when I really need an answer! :)

OE
I think you're inventing edge case scenarios just for the sake of it. :) If some idiot wires things up incorrectly and doesn't check/notice that it's not working properly that's a human problem not a router problem.
 

OzarkEdge

Part of the Furniture
I think you're inventing edge case scenarios just for the sake of it. :) If some idiot wires things up incorrectly and doesn't check/notice that it's not working properly that's a human problem not a router problem.

We all appreciate calling people idiots in situations that come easy to ourselves, but... accidents happen. In this situation, if simply resetting the router creates a network security risk that could easily go unnoticed, it is worth knowing about. Safety... safe computing... is regular practice, not an edge case, imo.

OE
 

ColinTaylor

Part of the Furniture
We all appreciate calling people idiots in situations that come easy to ourselves, but... accidents happen. In this situation, if simply resetting the router creates a network security risk that could easily go unnoticed, it is worth knowing about. Safety... safe computing... is regular practice, not an edge case, imo.

OE
I understand that accidents happen but you have to draw the line somewhere. In the scenario you're describing I think it's highly unlikely (although not impossible) that the misconfigured network wouldn't be very quickly apparent. I don't think it could easily go unnoticed.

In the same scenario I think the much bigger security risk is that a) someone has reset the router, so b) the first person that tries to use the internet is presented with the initial setup screen allowing them to do whatever they want.
 

KevTech

Very Senior Member
You can set the primary WAN to the 2.5 on the Dual WAN page.
That way it stays set as primary WAN even if you reboot.

Screenshot 2022-02-22 073936.jpg
 

thiggins

Mr. Easy
Staff member
The WAN connection would still have its IP address, which would not be on the private address range that all your LAN devices are on. The risk would come from router DHCP broadcasts going out to the internet. I suppose that might bring unwanted attention to your WAN IP. But since nothing on your LAN has an internet connection, I don't know what the harm would be.

The router NAT firewall doesn't come into play between LAN ports.
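
Added example, not part of the thread or of any poster's reply: one way a LAN client could notice the condition discussed above is to audit the DHCP offers it receives and flag any that do not come from the router or fall outside the LAN subnet. The subnet, router address and log lines are assumptions constructed for illustration; whether an upstream device answers at all depends on what the port is wired to.

```python
import ipaddress
import re

# Assumptions for this example (not from the thread): the LAN subnet and the
# router address that should be the only DHCP server on it.
LAN_NET = ipaddress.ip_network("192.168.50.0/24")
EXPECTED_SERVER = ipaddress.ip_address("192.168.50.1")

# Constructed sample lines in the style of a DHCP client log.
SAMPLE_LOG = """\
Feb 22 07:40:01 pc dhclient[811]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67
Feb 22 07:40:01 pc dhclient[811]: DHCPOFFER of 192.168.50.101 from 192.168.50.1
Feb 22 07:40:02 pc dhclient[811]: DHCPOFFER of 203.0.113.57 from 203.0.113.1
Feb 22 07:40:02 pc dhclient[811]: DHCPOFFER of 192.168.100.12 from 192.168.100.1
"""

OFFER_RE = re.compile(r"DHCPOFFER of (\S+) from (\S+)")


def audit_offers(log_text, lan_net=LAN_NET, expected_server=EXPECTED_SERVER):
    """Return (server, offered, reasons) for every offer that looks foreign."""
    findings = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if not m:
            continue
        try:
            offered = ipaddress.ip_address(m.group(1))
            server = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address in the log line, skip it
        reasons = []
        if server != expected_server:
            reasons.append("unexpected DHCP server")
        if offered not in lan_net:
            reasons.append("offered address outside LAN subnet")
        if reasons:
            findings.append((str(server), str(offered), reasons))
    return findings


if __name__ == "__main__":
    for server, offered, reasons in audit_offers(SAMPLE_LOG):
        print(f"ALERT server={server} offered={offered}: {', '.join(reasons)}")
```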
 

ColinTaylor

Part of the Furniture
You can set the primary WAN to the 2.5 on the Dual WAN page.
That way it stays set as primary WAN even if you reboot.
He's talking about a factory reset rather than a reboot.
 
