Stealth Ports on TL-R600VPN - Bridge mode

Stealth Ports on TL-R600VPN - Bridge mode
Stealth Ports on TL-R600VPN - Bridge mode
2020-10-01 00:35:29 - last edited 2021-04-16 10:21:33
Model: TL-R600VPN
Hardware Version: V4
Firmware Version: 4.0.4 Build 20200313 Rel.41831

I use GRC.com to test ports externally for stealth. When using TL-R600VPN in bridge mode (PPPoE), the test for stealth shows 2 out of 3 for response, the router still responds to "solicited" packets.

 

Is there a way to get this router full stealth?

0
0
#1
Options
1 Accepted Solution
Re:Stealth Ports on TL-R600VPN - Bridge mode-Solution
2021-03-29 09:52:35 - last edited 2021-04-16 10:21:33

@coleslaugh
thanks a lot for your help.
I've been using another router for external WAN, but as I now have a new high speed connection, decided to use the TL-R600VPN.
Following your guide, I managed to do it a little more simply, without the need of a real "blackhole server", but used a virtual one. Also, it is not reliant on your WAN IP.
Here is what I did...

 

1. Add the IP address for the Stealth Server NO_EXIST - the IP address is local, but non-existent.

 

 

2. Add the IP Group for that server, as IP_BLACKHOLE.

 

 

 

3. Add the Virtual Server STEALTH_XTRA to cover the services that still require stealth (22,23,80).

 

 

 

4. Add the Firewall Access Control rule.

 

 

 

Here are my full STEALTH Results:

 

 

 

That is fine!

Recommended Solution
1
1
#8
Options
8 Replies
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-10-07 10:52:50 - last edited 2021-04-16 10:21:33

@G777,

 

My R600VPN V4 couldn't pass PCI DSS before, but it has been resolved after upgrading the latest firmware from the TP-Link website. Try upgrading the firmware again, perhaps it can refresh the router. By the way, GRC.com might be affected by the network environment, factory reset the router and try using the NMAP software to test again for a more precise result. 

https://www.wikihow.com/Run-a-Simple-Nmap-Scan

0
0
#2
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-10-07 23:55:59 - last edited 2021-04-16 10:21:33

@Yannie 

 

Thanks for your suggestions. I have the latest firmware, and have all the boxes ticked at: Firewall > Attack Defense - including Block Ping from WAN.

I don't think trying to "upgrade the firmware again" will do anything, and its always a risk, so will leave this option til last. I will try a reset at least.

The results of GRC.com ShieldsUp test were:

 

Solicited TCP Packets: RECEIVED (FAILED)

Unsolicited Packets: PASSED

Ping Echo: PASSED

 

I will do some more testing, as I tried only one session and reverted back from bridged mode.

If you are getting full stealth results, it means its possible, so I will keep trying.

I was hoping for some special setting in the router, which I have yet to discover.

Further suggestions welcome...

0
0
#3
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-10-09 07:28:56 - last edited 2021-04-16 10:21:33

@Yannie 

 

I doubt this router can achieve full stealth on GRC.com ShieldsUp test. Yannie, did you actually try that test?

 

I tried security settings, reinstall firmware and reboots, NO change.

I did notice however, there is one port that achieves full stealth:

PORT 179  Border Gateway Protocol

 

This leads me to believe, that the developers of the firmware, purposely treated this port differently. And if that can be done to one port, the rest should be programatically possible, for the developers.

 

So unless someone can say they have passed ShieldsUp test, I doubt it can be done, on current firmware.

0
0
#4
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-10-10 07:24:25 - last edited 2021-04-16 10:21:33

@G777 

 

I doubt this router can achieve full stealth on GRC.com ShieldsUp test. Yannie, did you actually try that test?
 

 

I didn't try GRC.com but now I do. I get the same results with and without reset the router. Maybe GRC test would be affected by the network environment. My WAN connection type is Dynamic IP. The ISP provide direct internet access, no modem provided.

 

0
0
#5
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-10-10 07:52:37 - last edited 2021-04-16 10:21:33

@Yannie 

thanks for your efforts.

 

The Shieldsup test you did is for UPNP, not the broader check for all stealth ports.

 

Here are the tests you want to try, I predict a FAIL:

 

 

 

 

 

 

When I connect through the modem using Dynamic/Static IP (NOT bridged), these are my successful results, testing ALL service ports for stealth:

 

 

 

 

This is because my modem's ports are full stealth.

This cannot be achieved on TL-R600VPN using Bridge mode.

This has been a standard security for me for 20 years, and I don't like operating without it...

 

PS: For now I won't use bridge mode, unless this is solved.

 

 

 

 

 

0
0
#6
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
2020-12-06 15:54:28 - last edited 2021-04-16 10:21:33

@G777 Not sure if you have found a solution for this issue, but I was having a similar issue and I did manage to get the TL-R600VPN router (Which I'm using as my edge router) to get full stealth and pass the GRC Shields up test but it did require some firewall gymnastics. I thought I'd put something here in case you still need it or if someone else comes over this thread.

 

1. First thing you have to do is create a firewall rule that blocks all incoming traffic. To do this you will need to create an IP address and an IP group for your WAN IP. In the admin interface, create an IP address (Preferences | IP Group | IP Address) for the subnet that your WAN IP sits on. You want to do it for the entire subnet for you WAN IP so that if you ISP changes your dynanic IP then you still will be covered. If your ISP changes your IP outside your subnet then you wil lhave to reconfigure the IP in the admin tool. You will need to know a little about subnetting: For example if your IP from you ISP is 110.145.107.65 with a subnet mask of 255.255.255.0, then the IP Address/Mask you will enter will be 110.145.107.0/24. Name this IP address IP_WAN (or whatever you want)

2. Create an IP Group called IPGROUP_WAN (or whatever you want) that includes the IP_WAN address.

3. Create a Service Type (Preferences | Service Type) called ALL_PORTS that includes TCP/UDP as the protocol and 0-65535 and the source and destination port range.

4. Create a Access Control rule (Firewall | Access Control) with the following attributes: Policy: Block, Service Type: ALL_PORTS (Step 3), Interface: WAN1, Source: IPGROUP_ANY (System default group), Destination: (IPGROUP_WAN), Effective Time: Any.

 

At this point most of your ports will be stealthed, with the exception of 22, 23, 80, 443. I'm not sure why this doesn't stealth all ports. But this is how it work for me. In order to stealth these ports, you will need to create a virtual server (Transmission | NAT | Virtual Servers) to forward these ports to a IP that wont repond. I initially tried to forward these ports to a non-existent host but for some reason it didn't work (I didn't spend a lot of time trying to get this to work, so it may be possible). In my home network I have a secondary router with firewall sitting behind the TL-R600VPN that acts as a secondary control in case the TL_R600VPN is compromised and it creates space for a physical DMZ if I chose to use it. So I just forwarded those ports to the inner router that has the firewall enabled and will stealth those ports. If you don't have this setup, perhaps you can find an old router with a firewall that you can connect simply so that you can forward these ports to it.

 

5. To Sealth port 443 you can go to System Tools | Admin Setup | System Settings and uncheck HTTPS Server Status. I believe that this allows you to have HTTPS access into the admin console from the internal network. I didn't need that so I turned it off. I doesn't seem to effect HTTPS traffic to external websites. If you don't want to do this then you can just add port 443 to the list of forwarded ports in the next step. 

6. Create a Virtual Server (Transmission | NAT | Virtual Server) for each service that you want to close for Port 22 (SSH) I created an entry: Name BLACKHOLE_SSH, Interface: WAN1, External Port:22, Internal Port: 22, Internal Server IP: {IP address for my internal router/firewall], Protocol: All.

7. Repeat Step 6 for each port that is still responding.

 

Once I finished these steps I was able to get a full stealth scam from GRC, not only for the common ports but all service ports. I'll post the screen shot below.

 

I know that this is a little bit involved and I agree, a simple checkbox in the admin interface would have been nice. But I did get it to work if you or someone else is willing to go through the steps. I hope this helps. Good luck.

 

 

2
2
#7
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode-Solution
2021-03-29 09:52:35 - last edited 2021-04-16 10:21:33

@coleslaugh
thanks a lot for your help.
I've been using another router for external WAN, but as I now have a new high speed connection, decided to use the TL-R600VPN.
Following your guide, I managed to do it a little more simply, without the need of a real "blackhole server", but used a virtual one. Also, it is not reliant on your WAN IP.
Here is what I did...

 

1. Add the IP address for the Stealth Server NO_EXIST - the IP address is local, but non-existent.

 

 

2. Add the IP Group for that server, as IP_BLACKHOLE.

 

 

 

3. Add the Virtual Server STEALTH_XTRA to cover the services that still require stealth (22,23,80).

 

 

 

4. Add the Firewall Access Control rule.

 

 

 

Here are my full STEALTH Results:

 

 

 

That is fine!

Recommended Solution
1
1
#8
Options
Re:Stealth Ports on TL-R600VPN - Bridge mode
a week ago

@G777 

 

I hadn't thought of using a Virtual Server ... Great Idea ... Updating my config now.

0
0
#9
Options
Related Articles