Monday, October 15, 2018

Linksys EA-6350 Home Router

So, I needed a new router for my home network. I have about 45 IP addresses in the house/home office: IOT devices, APs, home entertainment, laptops, file servers, etc. etc., and my current router was showing some performance issues dealing with it all.

Also, being the cheap bastard that I am, I naturally was looking for an inexpensive option. The search led me to the Linksys EA6350 on Amazon. $79.97 at the time of purchase.

The router arrived, was set up and running inside of 30 minutes. So far, not bad. Quad-core CPU seems to be able to handle the traffic nicely.

The next day, for whatever reason, I decided to do a port scan on my WAN IP address.

WTF? Port 80 is open to the world.

I browsed through the router's web-based firmware interface, and guess what? There is no way that this router will allow you to block specific ports. Like port 80, for example.

It just hangs out there, open to the world, apparently expecting you to trust that whatever firewall that came packaged with the EA6350 will keep all the bad actors at bay.

I was curious what the Linksys support people had to say about this, so I initiated what turned out to be a level-2 escalation in order to get a technical assessment on why port 80 was non-blockable for this router.

The answer came back in the form of a phone call from a Linksys support engineer. Yes, an actual call! Admittedly, the guy sounded like he *really* really didn't want to be having that conversation with me in which he tried to explain why a Linksys router could not block individual ports, much less port 80.

But we had the conversation.

He sounded embarrassed. I imagine I sounded a bit irritated. I told him that I had already purchased a Netgear R7800 router because you can install dd-wrt on it. He said, "Good!"

I said, "Right!"

Stupid, unnecessary waste of time and money, but the whole episode was educational. I guess.

A router that can't block individual ports. What were they thinking?


2 comments:

  1. Nice article, Doug! Oh man that can be frustrating not having software control over your router ports.

    Have you tried a hardware hack to block a specific port when manufacturers do not provide a software API?

    Assuming your Linksys EA6350 is 8.9" wide, simply lasercut a thin strip of Firewall tape 3.45 micrometers (8.9" / 2^16 ports) wide and *lightly* place 246 micrometers (80 * 3.45) from the left side of the back panel. Pretty sure Linksys is a big-endian router. On testing if you see that port 65456 is accidentally blocked, remove the tape and place it on the right side. Once you're confident you got the endian issue right, firmly press down on the tape and seal it up tight.

    While you mentioned being cheap in the article and why you got the 6350 in the first place, don't skimp on the tape. Make sure to get the Reflect-A-Gold. The Aluminum Firewall tape will eventually deteriorate and might allow aggressive packet traffic through. I recommend HM&FC brand:
    http://bit.ly/LinksysPortBlockingTape

    Happy to help,

    -S

  2. :-}

    I tried to reply, but I had too much packet loss at 2.4 GiggleHurtz.
