Want to confine one device (à la VLAN) but can’t use usual methods. Tips?

JimbobJay

Regular Contributor
I have my parents set up with an AC87U running Merlin’s excellent fw. I manage their LAN remotely by logging in to an OpenVPN server running on the router.

What with all the recent VPNFilter stuff, I’ve been on a bit of a security purge.

One of my parents’ devices is a monitor for a solar panel they have on the roof, installed by their electrician/engineer. This device is connected to the internet so that you can see stats online etc.

Ideally I would like this device cordoned off from the rest of the LAN. It seems to be running a full Linux system, and from what I can tell by the information I can get from it without logging in, it has not been updated in almost 2 years (despite it having a constant internet connection).

Unfortunately, there doesn’t seem to be an easy way of doing this remotely. This isn’t helped by the fact the monitor’s settings can only be changed by the engineer, who has an authorized app.

If I were there, I would probably get the engineer round and get him to connect the monitor to a Guest WiFi network, and not enable LAN access on that WLAN. Unfortunately this isn’t an option.

So is there any way I can go about getting a similar result, by only using the software on the router’s web UI / ssh?

I have thought about adding the device’s IP to the Network Services Filter blacklist, and adding the LAN subnet as the destination. But the NSF seems to be LAN to WAN. Would it work LAN to LAN? Apart from anything, by blocking the LAN subnet, I assume I would also be blocking it from accessing the router itself, and seeing as that’s the gateway, I’m guessing it would by extension also block it from the internet too?

Any tips would be appreciated :)
 
The first thing to check is whether there is any port forwarding happening to the device. Like for remote access when outside the home. That would be the main concern.

As you surmised the network services filter can't block LAN to LAN connections. You could probably use netstat-nat on the router to work out what internet destinations it's going to and then allow access only to those places.

You talk about getting the engineer to connect it to the guest Wi-Fi. Is it Wi-Fi connected at the moment or through an Ethernet cable?
 
I don’t believe there is any port forwarding enabled on the device. I have disabled UPnP on the router, and only have port forwarding enabled for one (different) device on the LAN.

As far as I can tell, you don’t monitor the solar panel stats by logging into a server on the device itself. Rather, the device connects to the servers of the company that produces them, and to monitor the stats you log in to your user account on their website and see the information via that. I’m guessing that’s safer than exposing a server on the LAN to the WAN, but I would still feel safer if it was demarcated from the rest of the network, especially as it appears to not be receiving regular updates.

I looked through NetStat and couldn’t see any info regarding the IP for that device. Does that mean it has no active connections at that precise moment?

Yes, currently the device is connected to the router (and internet) via WiFi, using the standard WLAN that all “normal” wireless devices are using. If I had been around when the engineer set it up, I would have made sure that they connected it instead to one of the Guest WiFi Networks I have set up specifically for IoT devices. It was beyond my parents’ knowledge to get the engineer to do this.
 
If there is no port forwarding setup and UPnP is disabled then it should be pretty secure.

I looked through NetStat and couldn’t see any info regarding the IP for that device. Does that mean it has no active connections at that precise moment?
Yes, but make sure you're looking at netstat-nat and not netstat, and select "By source IP". Unfortunately the connections are transitory and disappear quite quickly, so unless you can somehow force the device to contact the external site you probably won't be able to catch it. Alternatively you could just email the company directly and ask them what URLs/IPs you need to whitelist in your firewall. Quite often this information is freely available.

Yes, currently the device is connected to the router (and internet) via WiFi, using the standard WLAN that all “normal” wireless devices are using. If I had been around when the engineer set it up, I would have made sure that they connected it instead to one of the Guest WiFi Networks I have set up specifically for IoT devices. It was beyond my parents’ knowledge to get the engineer to do this.
If the issue is arranging an engineer visit, how about instead, the next time you visit, you change the current SSID to be that of a new guest network and then set up a different primary Wi-Fi SSID. That does mean that you'd have to reconfigure all of your parents' normal Wi-Fi devices for the new primary SSID, but at least the solar panel will be on a guest Wi-Fi by itself. Saves you an engineer visit.
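Both replies above suggest the same workaround for the NSF's LAN-to-WAN limitation: find out which internet destinations the monitor actually talks to (netstat-nat on the router) and let it reach only those. The following is an added example to illustrate that workflow; it is not code from the thread, from Asus or from the Merlin project. It is a Python script you run on your own machine with the router's `netstat-nat -n` output piped in (for example `ssh router netstat-nat -n | python3 solar_egress.py 192.168.1.50`), and it emits the iptables rules for a per-device egress whitelist. The monitor's address 192.168.1.50, the chain name SOLAR_EGRESS, the LAN range 192.168.1.0/24 and the sample netstat-nat lines are all assumptions constructed for the example.

```python
"""Build a per-device egress whitelist from netstat-nat output.

Added example: turns the "see where it goes, then allow only that" advice
into iptables rules for the FORWARD chain. All addresses and names below are
constructed for illustration, not taken from a real router.
"""
import sys
from collections import OrderedDict

# Constructed sample of `netstat-nat -n` output (not real router data).
# The solar monitor is assumed to be 192.168.1.50; 192.168.1.77 is another
# LAN host whose connections must NOT end up in the monitor's whitelist.
SAMPLE_NETSTAT_NAT = """\
Proto NATed Address                  Destination Address                 State
tcp   192.168.1.50:49152             203.0.113.10:443                    ESTABLISHED
tcp   192.168.1.50:49153             203.0.113.10:443                    TIME_WAIT
udp   192.168.1.50:5353              203.0.113.20:123                    ASSURED
tcp   192.168.1.77:51000             198.51.100.5:443                    ESTABLISHED
"""


def parse_netstat_nat(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each IPv4 connection line.

    Assumes the four-column layout netstat-nat prints (Proto, NATed Address,
    Destination Address, State); the header and any malformed lines are
    skipped. Run netstat-nat with -n so ports are numeric.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue
        proto, src, dst = parts[0], parts[1], parts[2]
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield proto, src_ip, dst_ip, dst_port


def destinations_for(text, device_ip):
    """Unique (proto, dst_ip, dst_port) tuples seen for one LAN source."""
    seen = OrderedDict()
    for proto, src_ip, dst_ip, dst_port in parse_netstat_nat(text):
        if src_ip == device_ip:
            seen[(proto, dst_ip, dst_port)] = None
    return list(seen)


def iptables_rules(device_ip, dests, chain="SOLAR_EGRESS"):
    """Emit iptables commands: a chain that allows only `dests`, logs and
    drops everything else, hooked into FORWARD for traffic from device_ip.

    FORWARD only sees routed (LAN->WAN) traffic; same-subnet traffic on the
    router's bridge never reaches it, so this whitelist limits internet
    egress and does not isolate the device from other LAN hosts.
    """
    rules = [
        f"iptables -N {chain} 2>/dev/null",
        f"iptables -F {chain}",
        # replies to flows already allowed keep working
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, ip, port in dests:
        rules.append(f"iptables -A {chain} -p {proto} -d {ip} --dport {port} -j ACCEPT")
    # log the remainder before dropping: netstat-nat entries are transient,
    # so the kernel log is how you learn about destinations you missed
    rules.append(f"iptables -A {chain} -m limit --limit 6/min -j LOG --log-prefix \"{chain}-DROP: \"")
    rules.append(f"iptables -A {chain} -j DROP")
    # re-hook idempotently so the script can be re-run (e.g. from firewall-start)
    rules.append(f"iptables -D FORWARD -s {device_ip} -j {chain} 2>/dev/null")
    rules.append(f"iptables -I FORWARD -s {device_ip} -j {chain}")
    return rules


if __name__ == "__main__":
    device = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT_NAT
    for rule in iptables_rules(device, destinations_for(text, device)):
        print(rule)
```

Two caveats apply when using the output. First, these rules live in the FORWARD chain, so they only govern traffic the router routes to the WAN; traffic between the monitor and other hosts on the same LAN segment is switched at layer 2 and never passes through them, which is the same limitation the reply above notes for the Network Services Filter. Second, the device's DNS queries go to the router itself (INPUT chain, not FORWARD), so they are unaffected; if it uses an external resolver, that destination will show up in the LOG lines and can be added. On Merlin, the printed rules belong in the `/jffs/scripts/firewall-start` user script so they survive a reboot, and the LOG line is what lets you refine the list over the following days rather than trying to catch a transient connection in netstat-nat.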
 
