
Is the 2.5GbE LAN/WAN port a security risk?


OzarkEdge

Is the 2.5GbE LAN/WAN port a security risk when used for WAN and the firmware is reset, connecting the WAN/Internet to the LAN?

OE
 
> Is the 2.5GbE LAN/WAN port a security risk when used for WAN and the firmware is reset, connecting the WAN/Internet to the LAN?
>
> OE
Why would you think that? The firmware should shift the firewall settings over to the 2.5 GB port when it is set up.
 
> Why would you think that? The firmware should shift the firewall settings over to the 2.5 GB port when it is set up.

Read it again.

OE
 
> Read it again.
>
> OE
I did several times. The firmware should detect that port is on a WAN connection. Was also thinking you had put something in your tea this morning.
 
> I did several times. The firmware should detect that port is on a WAN connection. Was also thinking you had put something in your tea this morning.

Given the configurable LAN/WAN port is configured for WAN and wired to the Internet... if the firmware is reset and that port defaults to LAN port5, is the Internet now wired directly to the LAN and is this a security risk until disconnected?

OE
 
If it doesn't result in a 192 IP I'm thinking there's a mechanism in the FW that should take care of that. Then again these aren't the smartest devices either.
 
> If it doesn't result in a 192 IP I'm thinking there's a mechanism in the FW that should take care of that. Then again these aren't the smartest devices either.

Yeah, that's the uncertainty I'm wondering about. I can think of various scenarios where the condition could go unnoticed for an extended period of time.

OE
 
I did a quick look through of the English AX86U PDF manual. Not surprised that there was nothing about using the 2.5 GB port for WAN. Thought it should be in the QIS area but it wasn't.
OE, have you tried it?
 
> Given the configurable LAN/WAN port is configured for WAN and wired to the Internet... if the firmware is reset and that port defaults to LAN port5, is the Internet now wired directly to the LAN and is this a security risk until disconnected?
>
> OE
I think the thing that would stop it becoming a problem is that in the scenario where you do a factory reset you're forced to go through the initial setup procedure before anything works.

EDIT: And of course it depends on what kind of device your router is connected to, e.g. a cable modem, etc.
 
> Yeah, that's the uncertainty I'm wondering about. I can think of various scenarios where the condition could go unnoticed for an extended period of time.
>
> OE
I would think the default setting is LAN which would be offering DHCP to the ISP which wouldn't work.
 
> I think the thing that would stop it becoming a problem is that in the scenario where you do a factory reset you're forced to go through the initial setup procedure before anything works.

Yes, but... previously my concern was for the novice commissioning multiple routers for AiMesh and inadvertently reconnecting the WAN cable to a LAN port. Now a configurable LAN/WAN port and firmware reset makes this much more likely to happen. So, just wondering how the firmware might handle it to protect the user's LAN.

Where's Tech9 when I really need an answer! :)

OE
 
> Yes, but... previously my concern was for the novice commissioning multiple routers for AiMesh and inadvertently reconnecting the WAN cable to a LAN port. Now a configurable LAN/WAN port and firmware reset makes this much more likely to happen. So, just wondering how the firmware might handle it to protect the user's LAN.
>
> Where's Tech9 when I really need an answer! :)
>
> OE
I think you're inventing edge case scenarios just for the sake of it. :) If some idiot wires things up incorrectly and doesn't check/notice that it's not working properly that's a human problem not a router problem.
 
> I think you're inventing edge case scenarios just for the sake of it. :) If some idiot wires things up incorrectly and doesn't check/notice that it's not working properly that's a human problem not a router problem.

We all appreciate calling people idiots in situations that come easy to ourselves, but... accidents happen. In this situation, if simply resetting the router creates a network security risk that could easily go unnoticed, it is worth knowing about. Safety... safe computing... is regular practice, not an edge case, imo.

OE
 
> We all appreciate calling people idiots in situations that come easy to ourselves, but... accidents happen. In this situation, if simply resetting the router creates a network security risk that could easily go unnoticed, it is worth knowing about. Safety... safe computing... is regular practice, not an edge case, imo.
>
> OE
I understand that accidents happen but you have to draw the line somewhere. In the scenario you're describing I think it's highly unlikely (although not impossible) that the misconfigured network wouldn't be very quickly apparent. I don't think it could easily go unnoticed.

In the same scenario I think the much bigger security risk is that a) someone has reset the router, so b) the first person that tries to use the internet is presented with the initial setup screen allowing them to do whatever they want.
 
You can set the primary WAN to the 2.5 on the Dual WAN page.
That way it stays set as primary WAN even if you reboot.

 
The WAN connection would still have its IP address, which would not be on the private address range that all your LAN devices are on. The risk would come from router DHCP broadcasts going out to the internet. I suppose that might bring unwanted attention to your WAN IP. But since nothing on your LAN has an internet connection, I don't know what the harm would be.

The router NAT firewall doesn't come into play between LAN ports.
 
