| 1 |
Am Fri, 31 Oct 2014 12:16:04 +0100 |
| 2 |
schrieb "J. Roeleveld" <joost@××××××××.org>: |
| 3 |
|
| 4 |
> On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote: |
| 5 |
> > Am Fri, 31 Oct 2014 07:52:54 +0100 |
| 6 |
> > |
| 7 |
> > schrieb "J. Roeleveld" <joost@××××××××.org>: |
| 8 |
> > > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote: |
| 9 |
> > [...] |
| 10 |
> > |
| 11 |
> > > > Oh, and there are two powerline/dLAN adapters in between (the modem is |
| 12 |
> > > > in |
| 13 |
> > > > |
| 14 |
> > > > the room next door), but direct connections between my computer and my |
| 15 |
> > > > brother's always worked, and they've been reliable in general, so I |
| 16 |
> > > > assume |
| 17 |
> > > > that they're irrelevant here. |
| 18 |
> > > |
| 19 |
> > > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you |
| 20 |
> > > might keep getting a different result each time it tries to refresh. |
| 21 |
> > |
| 22 |
> > How so? You mean if the modem is directly connected to the powerline |
| 23 |
> > adapter? I would be surprised if this were a problem in general, since |
| 24 |
> > AFAIU they're ultimately just bridges as far as the network is concerned, |
| 25 |
> > not to mention that they explicitly target home networks with multiple |
| 26 |
> > devices. |
| 27 |
> |
| 28 |
> Actually, a HUB is a better comparison. |
| 29 |
> All the powerline adapters all connect to the same network. Some you can set |
| 30 |
> to a network-ID (think vlan) to limit this. |
| 31 |
|
| 32 |
Also, AFAICS, all newer ones support encryption (AES128 in my case), where you |
| 33 |
pair the devices, for which you need physical access to press the necessary |
| 34 |
buttons. This can be used to similar effect IIUC. No clue on cross-vendor |
| 35 |
compatibility, though. However, encryption was mainly targeted at solving the |
| 36 |
next problem: |
| 37 |
|
| 38 |
> The one time I played with one, I ended up seeing my neighbours NAS. |
| 39 |
|
| 40 |
Yeah, that problem gets mentioned a lot. You can access every other |
| 41 |
(compatible) powerline adapter on the same electric network. Adapters on |
| 42 |
different phases could have trouble communicating, I believe, and cross-talk |
| 43 |
between cables can lead to data leaking into another network (but my knowledge |
| 44 |
on things electric is reaching its end). In my case, our apartment has an |
| 45 |
electric meter that isolates our apartment from the others, so we're fine |
| 46 |
(plus, the adapters use encryption as mentioned above) |
| 47 |
|
| 48 |
> > But in the end, it doesn't matter, since it's just for my desktop (which |
| 49 |
> > doesn't have WLAN built-in); all other clients connect via WLAN. |
| 50 |
> > |
| 51 |
> > FWIW, I chose poewrline because it seemed like a better (and driverless!) |
| 52 |
> > alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm |
| 53 |
> > quite happy with it. |
| 54 |
> |
| 55 |
> If you can ensure that only 2 devices communicate, it's a valid replacement |
| 56 |
> for a dedicated network cable. |
| 57 |
|
| 58 |
I didn't explicitly mention this, but the problem is that the router and modem |
| 59 |
are in my brothers room (four room shared students apartment, plus bathroom and |
| 60 |
kitchen). Now, I'm not about to drag a cable out of my room, across the hall, |
| 61 |
and into my brother's room, never mind that neither of us could close our doors |
| 62 |
anymore without unplugging the cable and dragging it back. |
| 63 |
|
| 64 |
So the alternative would have been to teach my desktop WLAN, which would've been |
| 65 |
slower unless I could find something for PCI(e) or USB3 that works with Linux, |
| 66 |
*without* me having to check out some git repository and manually compile |
| 67 |
things in the hope that it works. The first USB3 WLAN adapter I found would've |
| 68 |
lead to that, so I made a snap decision in favour of powerline. It also didn't |
| 69 |
hurt that I was curious about it and wanted to try it out :) . |
| 70 |
|
| 71 |
(I actually had to (unexpectedly) to do that with my wireless keyboard. Now |
| 72 |
there's app-misc/solaar, thankfully, although why Logitech couldn't just stick |
| 73 |
with infrared...) |
| 74 |
|
| 75 |
> (If you accept the reduction in line-speed) |
| 76 |
|
| 77 |
How long ago was this? I read that all modern devices incorporate various |
| 78 |
filters to mitigate disturbances coming from other devices and, thus, that they |
| 79 |
perform much better (or at least more robustly) than previous generations |
| 80 |
(they also *cause* less disturbances). Either way, I can saturate our 16 MiB/s |
| 81 |
internet connection with enough parallel downloads (or with a fast enough |
| 82 |
server, such as with speedtest.net), and LAN performance is satisfactory. I |
| 83 |
suspect one limiting factor is that the powerline adapters only have Fast |
| 84 |
Ethernet connections (of course, so does the router, so it doesn't matter). |
| 85 |
|
| 86 |
[...] |
| 87 |
> > > I once connected a fresh install directly to the modem. Only took 20 |
| 88 |
> > > seconds to get owned. (This was about 9 years ago and Bind was running) |
| 89 |
> > |
| 90 |
> > Ouch. |
| 91 |
> |
| 92 |
> I was, to be honest, expecting it to be owned. (Just not this quick). |
| 93 |
> It was done on purpose to see how long it would take. I pulled the network |
| 94 |
> cable when the root-kit was being installed. Was interesting to see. |
| 95 |
|
| 96 |
I bet :) ! |
| 97 |
|
| 98 |
> > I just hope the Fritz!Box firewall is configured correctly, especially since |
| 99 |
> > there doesn't appear to be a UI for it. Well, OK, there is, but it's not |
| 100 |
> > very informative in that it doesn't tell me what rules (other than manually |
| 101 |
> > entered ones) are currently in effect; all it explicitly says is that it |
| 102 |
> > blocks NetBIOS packets. The only other thing that's bothered me about the |
| 103 |
> > router is the factory default (directly after flashing the firmware) of |
| 104 |
> > activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed. |
| 105 |
> |
| 106 |
> It will have NAT enabled, which blocks most incoming packets. As long as the |
| 107 |
> router isn't owned, you should be ok. |
| 108 |
|
| 109 |
Right, I *expected* that, but it's nice to be able to verify it. |
| 110 |
|
| 111 |
> > Out of curiosity, I looked through the exported configuration file (looks |
| 112 |
> > like JSON), and found entries that look like firewall rules, but don't |
| 113 |
> > really know how they apply. It's less the rules themselves, though, than |
| 114 |
> > the context, i.e., the rules are under "pppoefw" and "dslifaces", even |
| 115 |
> > though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's |
| 116 |
> > software grows just as organically as everybody else's ;-) ). The one thing |
| 117 |
> > I'm most curious about is what "lowinput", "highoutput", etc. mean, as |
| 118 |
> > Google only found me other people asking the same question. |
| 119 |
> |
| 120 |
> Not familiar with those routers. Maybe someone with more knowledge can have a |
| 121 |
> look at the config and shed some light. I would do a find/replace on the |
| 122 |
> username and password you use to ensure that is masked before sending it to |
| 123 |
> someone to investigate. |
| 124 |
|
| 125 |
It's not really important, again, I just like to be able to verify it, although |
| 126 |
right now I'm probably just being unnecessarily paranoid. AVM's routers have a |
| 127 |
good reputation (which is why we got one), and I'm inclined to trust them unless |
| 128 |
given reason to. |
| 129 |
|
| 130 |
> > Anyway, it *looks* like it blocks everything from the internet by default |
| 131 |
> > (except for "output-related" and "input-related", which I interpret to mean |
| 132 |
> > responses to outgoing packets and... whatever "input-related" means), and |
| 133 |
> > the manual seems to agree by implying that the firewall is for explicitly |
| 134 |
> > opening ports. Also, I used the Heise "Netzwerk Check" and it reports no |
| 135 |
> > problems, so I'm mostly relieved. |
| 136 |
> |
| 137 |
> Yes, that's a common setting. |
| 138 |
|
| 139 |
Again, me being overly focused on this, with a dose of paranoia. I would be |
| 140 |
surprised if the firewall were set up differently. |
| 141 |
|
| 142 |
[...] |
| 143 |
> > Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) |
| 144 |
> > directly and ask for his opinion. |
| 145 |
> |
| 146 |
> Oki, keep us updated. |
| 147 |
|
| 148 |
Will do. |
| 149 |
|
| 150 |
-- |
| 151 |
Marc Joliet |
| 152 |
-- |
| 153 |
"People who think they know everything really annoy those of us who know we |
| 154 |
don't" - Bjarne Stroustrup |
Archives