OBiTALK Community

General Support => Feature Requests => Topic started by: restamp on May 02, 2015, 07:16:30 PM

Title: Addition of WAN Stealth option to OBi202 router
Post by: restamp on May 02, 2015, 07:16:30 PM
The OBi202 comes with a fairly straightforward router capability built into it.  Although basic, it seems to possess all the functionality required of today's home-use router, and I can see myself employing it as the firewall device for my LAN in a pinch should my high-end router decide to bite the dust.

One feature I would love to see added (and one that I think could be added quite easily) is a WAN stealth feature:  The stealth feature would turn off all OBi responses to unsolicited external WAN packet probes.  This would include WAN-side pings, connects to port 80, etc.  Only packets crossing the LAN/WAN barrier (NATted packets, DMZ packets, etc.) and those generated by the OBi itself (e.g., its DHCP WAN client) would go out on the WAN side.  To the outside world, unless you had a connection established from an internal source, the WAN IP would look vacant.

Any chances something like this could be tucked into a future release?
Title: Re: Addition of WAN Stealth option to OBi202 router
Post by: jenkinsfam on June 09, 2016, 09:01:57 PM
I am a noob to obi (literally received my Obi202 today), but I think I figured out something important, and it relates to your request...

Caveat Emptor: I made any change I'm describing directly in/through the local Obi202 Device web interface, not the Obitalk website expert config webpage.  So, what I describe may not work if that is how you make important, technical changes to your device.  And, what I recommend could be construed as dangerous, if only in an administrative inconvenience/annoyance way.

Now then, I turned on the firewall option with NAT, and then I ran an online port-scanner, and it showed all ports in STEALTH mode, except for port 80 (HTTP/web server), which was still responsive, even with the Allow WAN Access option unchecked/disabled.  (NOTE: I believe this is because the web server software on the OBI sees the option disabled, and refuses to process web requests originating from the WAN -- an APPLICATION-layer filter, as opposed to a NETWORK-layer filter).

Since I am an experienced Information Security type, I did not like this, so I tried a variety of other manipulations, all of which failed.

So, I changed the port to 65080, which did have the intended effect...I had to connect to 192.168.10.1:65080 (default LAN interface address of the Obi202).

This would definitely REDUCE the amount of WAN Internet attacks, but would not eliminate them...so then I thought, "Why not just delete the web server port number and see what happens?!"  To my great satisfaction, if you uncheck the default option, and delete the port number altogether and SUBMIT the changes, it stops presenting the admin web page...
At this point, I have achieved EXACTLY what you requested!  All ports are in STEALTH mode...but...
The downside is that I have no access to the local web administration page...so if I need to change something, I'll need to pick up a phone handset and dial *** and then 0 and then pick an option to reset something...
I haven't tried the reset, so I don't know if I can just get away with option "30" (enabling/disabling the web interface), or if I have to choose option "82" to reset all the "router" settings, or even reset the entire device?
In the FAQ section, OBi Device Configuration Guide (in pdf form) provides different values that may be of use.

However, if you're like me, and you configured everything else to your liking before taking the drastic action of disabling the web interface, in totality, then future web admin page "recovery" may not matter :)