[FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
This could be useful for dnsmasq config.
https://github.com/notracking/hosts-blocklists
DNS over HTTPS will prevent clients in your network from using the default local DNS services. Mozilla Firefox has a feature to disable DOH network wide for all clients as described here. Add the following line to your dnsmasq.conf to disable DOH on all local clients
address=/use-application-dns.net/

For a Pi-hole setup
Because Pi-hole does not fully support loading of dnsmasq domain filters (details here), you should add your own .conf file in /etc/dnsmasq.d/. This way you can still use our blocklists with Pi-hole, but updating has to be done by an external daily cronjob. It's also recommended to remove all default Pi-hole lists, since these are already included in our list in a more efficient manner.
OpenWrt SNAPSHOT, r10391-3d8d528939

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
https://github.com/Grommish/Itus_Shield_v2/commit/77213cf5ceb6969a666a945043e8582c77a30350

New Commit.  I've not yet had time to look at your updated snort script, Gnomad.  But I did get this figured out - for the most part.  The requests for the bad URLs and Hostnames are now being redirected successfully.

Something about the snort rules I'm running is blocking SSH.. Real pain in the ass..

But, I've got no reduction in bandwidth this way.

Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
Much neater!  and speeds back to normal.
However, same situation if the source ever gets corrupted - I'll take a look at piping it through sed again to make sure all point to 0.0.0.0 (or ::)

I'm experiencing a new variation of the network interfaces not coming up properly on boot lately..  ifconfig shows everything as expected via a console connection, but I can't ping, navigate or SCP directly to 10.10.10.10 from the local network.  Despite that, regular internet browsing and other traffic still seems to route through the Shield fine.  A reboot or two solves the issue.  Seen this at all?
OpenWrt SNAPSHOT, r10391-3d8d528939

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
I think it's a snort rule blocking ssh.  I had to turn snort off in order to push that last commit. I've not had time to track it down.  I did get Hans's Shield in the mail today, though.

Question for the crowd.  I've got access to the email addresses now. Any thoughts about sending a "This is something Shield owners should look at" email out to the user base?

Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
Hmm..  It'd have to be blocking more than just ssh to prevent pings & browsing to the UI, but I suppose a snort rule could be the culprit (as to why it's inconsistent though..)

Re: emails, you mean (current/former) users of this forum?
I suppose couldn't hurt to put a call out to "technical users that ran their Shields in router configuration, interested in beta testing an update", in case there are any left that aren't monitoring this thread.  Could also get a list of any that have moved on & would be willing to pass on their Shields in case someone else is up for handling postage.. 

OpenWrt SNAPSHOT, r10391-3d8d528939

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
When you run into the issue with the no response from the Shield, check your local machine's IP and make sure it's in the 10.10.10.x range.  
Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican
In reply to this post by Grommish
Grommish wrote

Question for the crowd.  I've got access to the email addresses now. Any
thoughts about sending a "This is something Shield owners should look at"
email out to the user base?
Definitely! Sure there’s lots of members who don’t check this forum these days who would love to know of you guys’ great progress.

Also, a guide on how to install your fw (when it’s ready for prime time) would be really helpful for those of us who are not so technically skilled!

Thanks again
Running v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
I can tell you it is very, very easy to install.  I'm still trying to see about the update feature and how to get it to work properly.  My time has been real short here, recently, but the new domain blacklist doesn't seem to be breaking anything. Once we finish the updates that need to be working, I'm ready to call it done. Opkg support from OpenWrt means people can add whatever they want. Between that and Python support, there just isn't much left to do.

We've been focused on router mode. Is there an immediate need for bridge and gateway?

Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican
Thanks for the update, sounds like you’re really close.  Personally I used to use it in bridge mode but router mode would work better for me now, can’t speak for anyone else though. Gateway was never really working anyway if I recall. So this will be an auto updating unit? From an openwrt and snort perspective?
Running v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Snort and dnsmasq rules will auto-update. Snort 3 support is still up in the air as they keep screwing with the dependencies.  Suricata support was tabled/dropped because of programming language limitations.  As for the firmware itself, we should be able to use the update function in LuCI, assuming I can get it to work right.  This is important because it's live code and will continue to be updated by OpenWrt upstream, if nothing else. And even if I don't keep it updated for some reason, someone else can.

What I need is someone who can explain what they expect bridge mode to do. What are the key differences between router and bridge modes?


Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican
For me, bridge mode meant that I could keep my AVM Fritzbox as my primary router and have the Shield between my cable modem and router to filter the traffic. My router was feature rich so I used it for parental control of device on/off times, VoIP etc.  I think bridge would still be a good option to have. Not sure technically what the differences were aside from using the 192.168.111.x range.
Running v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
So, bridge mode wouldn't have the firewall on the Shield, but would have Snort and dnsmasq.  It would need DHCP on eth0, and have to relay DHCP to the LAN, but no DHCP server on eth2?

While I'm thinking about it, on the router, do we want a dmz zone on eth1?
Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican

Eth2 would go to the wan port of the router, see quick start guide

http://itus.accessinnov.com/file/n24/SP1-Quick-Start-Guide-12-6-1.pdf
Running v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Ok, so they are just misnamed.  Bridges are used to connect different types of networks.  Ethernet to Ethernet shouldn't be called bridge, but I think I can work with it.

I'm working on the update system, seeing if I can fix it.  If/Once we get the ability to update the firmware/system itself without losing EVERYTHING, it'll be a huge boon.
Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Shielder
In reply to this post by Turrican
Same story applies for me. I am not technically inclined, but I often follow this thread.
I am awaiting the day to get the "new" firmware installed. :))

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Shielder wrote
Same story applies for me. I am not technically inclined, but I often follow this thread.
I am awaiting the day to get the "new" firmware installed. :))
Next time I can validate a build, I will let you know. The image currently works in "router" format, as far as IP addressing and whatnot.  If you normally use the R selector on the Shield, it is exactly what you'd expect.  Even better, it won't remove or alter your current R-selected image.

As another small update: I added some default dnsmasq blacklist rules.  Otherwise, it fails to start and it breaks the network.  I'm also still working on the update system.  I'm elbow-deep in the kernel because something didn't get defined right or something.. meh.
Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Gnomad
Grommish wrote
As another small update: I added some default dnsmasq blacklist rules.  Otherwise, it fails to start and it breaks the network.
Yeah, I'm still having some network grief, haven't had the time to get far with it since I had to start reading up about dnsmasq from scratch..  My router doesn't still seem to be forwarding DNS queries properly to the Shield either, might be related?  So let me know when you can post your latest build & I'll happily give it a whirl!
OpenWrt SNAPSHOT, r10391-3d8d528939

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Gnomad wrote
Yeah, I'm still having some network grief, haven't had the time to get far with it since I had to start reading up about dnsmasq from scratch..  My router doesn't still seem to be forwarding DNS queries properly to the Shield either, might be related?  So let me know when you can post your latest build & I'll happily give it a whirl!
Well, if the blacklist files get deleted somehow and the service restarts for dnsmasq, it'll silently die.  This makes the dns on the Shield inop, including to itself.  You can ping IP addresses all day, but no dns.  And, you can't run the updater to get the files, because... no dns :D  

As long as you're running from eth1/2 to your router's WAN port, I don't know why it wouldn't process requests.  The router's dns will be set to the Shield (by the Shield's DHCP response).  It should just daisy-chain up the line.

My personal network, which is a mess at the moment, goes:

Build Laptop -> Dlink router -> Shield -> Dlink router -> Netgear 48-port switch -> Edge Router -> Cable OPE.  And, just for giggles, my first domain's DNS/DHCP is handled by my server rather than the initial Dlink for the stub.  I suspect the issue you're seeing is just dnsmasq not running and not telling anyone it wasn't running.  Check your `ps` from the console and make sure it's there.  If not, grab the files and toss them onto your Shield..  Or..

At the bottom of your /etc/dnsmasq.conf, comment out the following lines and reboot (or service dnsmasq restart)
# Import bad URL and Domains for blocking
addn-hosts=/etc/snort/rules/bad-domains.txt
conf-file=/etc/snort/rules/bad-hostnames.txt

Then you should be able to get dnsmasq running, run the update script manually, and then uncomment them again.
Running Itus Shield v2 Firmware
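
The two failure modes raised in this thread (a corrupted list source, and dnsmasq dying when a list file is missing) can both be guarded against before the service is restarted. The script below is an added example, not part of the original posts or the firmware repository: the function names are hypothetical, the list formats (hosts lines for the addn-hosts file, address= lines for the conf-file include) and the OpenWrt init script path are assumptions, and the file paths are the ones quoted in the post above.

```shell
#!/bin/sh
# Added example: not from the thread or the Itus_Shield_v2 repository.
# Paths are the ones quoted in the post above; function names are hypothetical.
HOSTS_LIST=/etc/snort/rules/bad-domains.txt    # addn-hosts= (assumed hosts format)
CONF_LIST=/etc/snort/rules/bad-hostnames.txt   # conf-file=  (assumed address= lines)

# Hosts format: keep only "<address> <hostname>" lines and force the address
# to a null sink ("::" if the source address was IPv6, else "0.0.0.0").
sanitize_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $2 ~ /^[A-Za-z0-9._-]+$/ {
            sink = ($1 ~ /:/) ? "::" : "0.0.0.0"
            print sink, $2
        }' "$1"
}

# dnsmasq format: conf-file= accepts any directive, so keep only
# address=/<domain>/<target> lines and force the target to a null sink.
sanitize_conf() {
    awk -F/ '
        NF == 3 && $1 == "address=" && $2 ~ /^[A-Za-z0-9._-]+$/ {
            sink = ($3 ~ /:/) ? "::" : "0.0.0.0"
            print "address=/" $2 "/" sink
        }' "$1"
}

# Replace a live list only when the sanitized download is non-empty, so a
# corrupted or truncated source never removes the file dnsmasq includes.
install_list() {    # usage: install_list <sanitizer> <downloaded> <live>
    tmp="$3.new"
    "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -s "$tmp" ]; then mv "$tmp" "$3"; else rm -f "$tmp"; return 1; fi
}

# Succeed only if every named list exists and is non-empty.
lists_present() {
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
}

# Restart only when the includes are present and the config parses.
# Assumes the OpenWrt init script path; dnsmasq --test is a syntax check only.
safe_restart() {
    lists_present "$HOSTS_LIST" "$CONF_LIST" && dnsmasq --test &&
        /etc/init.d/dnsmasq restart
}
```

Because the conf-file include is parsed as ordinary dnsmasq configuration, dropping every line that is not an address= entry also keeps a damaged list from changing how other queries are resolved.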

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Grommish
Administrator
Just a small "I'm still here!" post.  Between being super busy with things and being sidelined by an illness for nearly two weeks, I've not had time to do much to the test image. Hopefully, I'll be able to pick it back up this week, although I see some updates are in order for security stuff.

Are there any specific requests for a feature before I close it out and start the finalization process?  I still need to put the mode hooks in places that need settings specific to Router, Gateway, etc.

One thing I was thinking was ditching one of the Itus modes since it really was misnamed.

A bridge device connects two networks running the same protocol (TCP/IP, for example) while a gateway device converts from one protocol to another (Ethernet to ATM)

Since the Shield only has Ethernet adapters, Gateway mode is just filler.

So, thoughts on something like:

Router - 10.10.10.10, eth0 WAN, eth1/2 LAN
Bridge - 192.168.0.111, eth0 WAN, eth1 Administration, eth2 LAN

These are standard for the Shield, but I was thinking of seeing if I could do a Router hybrid mode to DMZ a segment.

Router Hybrid - eth0 WAN, eth1 DMZ on its own collision domain, eth2 LAN

So maybe the Shield can be 10.10.10.10 on eth2, but 10.11.11.11 on eth1 with all unsolicited inbound traffic going there. Webservers, mail servers, IoT devices can be hooked to a router and kept separate from the internal LAN that way.

Thoughts or suggestions?
Running Itus Shield v2 Firmware

Re: [FIRMWARE] Itus Networks Shield Firmware Upgrade *WIP*

Turrican
Hi Grommish

Hope you’re feeling better! Thanks for the update.  I really like the idea of a dedicated and isolated iot network, this would be a really valuable addition!

Edit: the more I think about it, this added feature (iot isolation) really makes this little box relevant again and stays true to the reason it was born, i.e. to provide enterprise (ish) protection to home users. Network segregation is not generally attainable for the home user.  Wondering if this would have been the path itus would have gone should they still have been around?

Thanks!
Running v2 Firmware