HUGE security issue! Guests on C9 v1 were able to delete files from my server, even with set to not allow LAN access!
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
HUGE security issue! Guests on C9 v1 were able to delete files from my server, even with set to not allow LAN access!
Model : Archer C9
Hardware Version : v1.0
Firmware Version : 4.0.0 Build 20150916 Rel. 37772
ISP : Not important to this issue.
-------------
I originally wanted to set it up as an access point only (network cable from my existing router/network ran to the LAN ports on the C9) with guest mode enabled, but it didn't work of course because the guests couldn't get DHCP requests and I sure as heck wasn't going to enable guest access to my local network. You guys really should put a DHCP "guest" server in the router to handle guest DHCP requests from ONLY guests when in access point mode!
So, I plugged a network cable into the WAN port instead so that I could enable guest mode. My local network going into the WAN port with my servers and stuff is 192.168.0.x and the C9 was set up for 192.168.1.x. I enabled guest SSID's but not "Allow guests to access my local network". With my laptop connected to guests and an ip of 192.168.1.x I was able to type in \\192.168.0.2 and then delete files from my server behind the router :( All guests would have to do is a simple nmap scan to discover all my network devices :(
So, with guests enabled, what can be done to protect the network behind the router?
Is there really no way to allow guest DHCP requests through the switch instead of WAN when in AP mode, but block the rest of the networking?? My linux friend said it's SUPER easy with a few firewall rules, he says if I flash it with DD-WRT he can do it in 30 seconds :(
And of course most important of all, is have an option in the firewall settings to block networking from in front to behind the router.
-Jamie M.
Hardware Version : v1.0
Firmware Version : 4.0.0 Build 20150916 Rel. 37772
ISP : Not important to this issue.
-------------
I originally wanted to set it up as an access point only (network cable from my existing router/network ran to the LAN ports on the C9) with guest mode enabled, but it didn't work of course because the guests couldn't get DHCP requests and I sure as heck wasn't going to enable guest access to my local network. You guys really should put a DHCP "guest" server in the router to handle guest DHCP requests from ONLY guests when in access point mode!
So, I plugged a network cable into the WAN port instead so that I could enable guest mode. My local network going into the WAN port with my servers and stuff is 192.168.0.x and the C9 was set up for 192.168.1.x. I enabled guest SSID's but not "Allow guests to access my local network". With my laptop connected to guests and an ip of 192.168.1.x I was able to type in \\192.168.0.2 and then delete files from my server behind the router :( All guests would have to do is a simple nmap scan to discover all my network devices :(
So, with guests enabled, what can be done to protect the network behind the router?
Is there really no way to allow guest DHCP requests through the switch instead of WAN when in AP mode, but block the rest of the networking?? My linux friend said it's SUPER easy with a few firewall rules, he says if I flash it with DD-WRT he can do it in 30 seconds :(
And of course most important of all, is have an option in the firewall settings to block networking from in front to behind the router.
-Jamie M.
1 Accepted Solution