
Gateway 0.0.0.0 question....

Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 12:52am 20 Dec 2017

Hello.

There are some very clever people here, so I thought I would ask this here among other forums. But you normally get a response here faster than any other forum in the world.

If you set up a static IP address on a machine (any machine), and state the LAN IP as something 192.168.1.x, and set the subnet mask to 255.255.255.0, but then set the GATEWAY to 0.0.0.0, this certainly stops that machine getting access to the Internet via the router - fine.

However, does setting 0.0.0.0 have any real-world effect on preventing anyone from the WAN seeing that machine and being able to access it?

I have a Puppy Linux server set up like this, and was shocked to discover a whole heap of TCP connections to it. Probing the IPs gave me locations from Canada to Taiwan, ALL of which were listed as ESTABLISHED - NOT GOOD, if that means they are actually able to access the box at all.

I figured that 0.0.0.0 for the Gateway, essentially blocks that machine from ever seeing the Internet, but it can still see the LAN.

Can someone in the know with IP addresses help me understand what is going on here?
Smoke makes things work. When the smoke gets out, it stops!
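The triage Grogster describes (looking at ESTABLISHED TCP sessions and asking which peers are outside the LAN) can be done from a netstat listing instead of probing each IP by hand. This is an added example, not code from the thread; the netstat lines are constructed, and the RFC 1918 ranges are used to decide what counts as "local".

```python
# Added example (not from the forum post): flag ESTABLISHED TCP sessions in a
# netstat-style listing whose remote peer is not a private (RFC 1918) address.
import ipaddress

# Constructed sample in the shape of `netstat -tn` output; not real data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED
tcp        0      0 192.168.1.10:445        192.168.1.77:49152      ESTABLISHED
tcp        0      0 192.168.1.10:80         203.0.113.45:33012      ESTABLISHED
tcp        0      0 192.168.1.10:80         198.51.100.9:40100      TIME_WAIT
tcp        0      0 192.168.1.10:80         192.0.2.200:55001       ESTABLISHED
"""

# Private ranges listed explicitly; Python's is_private also covers the
# documentation nets used in the sample, which is not what we want here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in PRIVATE_NETS)

def split_endpoint(endpoint: str):
    """'192.168.1.10:22' -> ('192.168.1.10', 22)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def foreign_established(netstat_text: str):
    """Return (local_port, remote_ip, remote_port) for ESTABLISHED TCP sessions
    whose peer is outside the private ranges: an outside host has actually
    reached a service on this box, which is what the thread is worried about."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue                      # header line or non-TCP entry
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue                      # TIME_WAIT etc. are not live sessions
        lport = split_endpoint(local)[1]
        rhost, rport = split_endpoint(remote)
        rip = ipaddress.ip_address(rhost)
        if not is_lan(rip):
            hits.append((lport, str(rip), rport))
    return hits

def by_local_port(hits):
    """Group foreign peers by the local port they reached, to see which
    service is exposed (e.g. port 80 below)."""
    per_port = {}
    for lport, rip, _ in hits:
        per_port.setdefault(lport, set()).add(rip)
    return {port: sorted(ips) for port, ips in per_port.items()}

if __name__ == "__main__":
    hits = foreign_established(SAMPLE_NETSTAT)
    for lport, rip, rport in hits:
        print(f"local port {lport} reached from {rip}:{rport}")
    print(by_local_port(hits))
```

Run it against real `netstat -tn` output on the server; every local port that appears in the result is one that the router is forwarding (or exposing via UPnP) and that needs a rule or a closed port.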
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 01:15am 20 Dec 2017

It is YOUR gateway TO the internet, not other people's FROM the internet. They have THEIR own gateway to the internet on their router. Your router still has a WAN IP address, so that is accessible from the outside unless you activate a firewall in your router or place a firewall before it and close access to all ports.

Your connection between the WAN and LAN is done by your router and it does not depend on a gateway setting. Incoming connections will be mapped to an internal computer (IP address), but only if you set it up. Some 'plug&play' features can set up those ports automatically, so you might want to switch those off.



Microblocks. Build with logic.
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 02:10am 20 Dec 2017

Okey dokey. So with that in mind, what is the 0.0.0.0 doing for me?
Nothing?

I have checked the router, and it has NAT firewall blocking, but I have also read somewhere just today that Puppy Linux keeps several ports open all the time, so I guess.....

I am looking at changing my NAS to something like Open Media Vault - I hear good things about it, and it has users and passwords which would be another level of security. I don't want something so complex you need to be a NASA scientist to make it work. I had bad experiences with OpenNAS, so that one is definitely out.
Smoke makes things work. When the smoke gets out, it stops!
 
TassyJim

Guru

Joined: 07/08/2011
Location: Australia
Posts: 6283
Posted: 02:38am 20 Dec 2017

When you initiate a connection from inside your network, your system needs to know the gateway address so it can find the path to the external address. You may have numerous gateways to other internal subnets etc and without the routes listed somewhere, you can't get the connection.

When someone external makes a connection via your gateway, the server is told which gateway address to use (return address on the back of the envelope), so not having the default gateway set makes little difference.

Why your router is letting external connections in is the worry.

If the router has UPnP turned on, internal devices can set the port forwarding without your assistance.

You should be able to set up your Puppy Linux to only talk to local IPs.
You should also turn off UPnP and whatever the current equivalents are.

Jim

VK7JH
MMedit
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 02:43am 20 Dec 2017

UPnP is ON. This would be the default setting, as I never really play with the router settings.
Smoke makes things work. When the smoke gets out, it stops!
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 03:10am 20 Dec 2017

There you go: 'UPnP' = 'Universal Plug And Play'. It is a security problem.
Switch it off.

You can use 'Route PRINT' to see how your traffic is routed.
Edited by MicroBlocks 2017-12-21
Microblocks. Build with logic.
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 03:11am 20 Dec 2017

Do you think that would allow incoming connections? I thought that was only supposed to make life easier for the LAN?

I will switch it off though.

EDIT: Done.
Edited by Grogster 2017-12-21
Smoke makes things work. When the smoke gets out, it stops!
 
Azure

Guru

Joined: 09/11/2017
Location: Australia
Posts: 446
Posted: 03:23am 20 Dec 2017

@Grogster
0.0.0.0 is definitely a "special" address. I would not normally expect to see any node on the network assigned this address. It is used in certain packets and network address masking, but not as a physical node address.

These days so many terms are used incorrectly when referring to network functions (Router, Firewall, Bridge, Modem, Hub, Repeater, DNS, etc). This has become common, with most public network connections made at home using devices that integrate a lot if not all of the functions needed into one box (because that is what us customers want).

Your Firewall will block or allow access to certain address ranges and ports; your router will try and find the best way to get packets to the destination address; your gateway is used to connect to devices on a different network. A lot of these functions appear to overlap, but they are more correct to think of in terms of layers that support each other.

Then there are the people that try and gain access maliciously for undesirable reasons.

Two common reasons for unknown connections to your network come from malicious attacks and service provider bots (and there are a lot of them) that sniff out networks trying to figure out where everything is and what it does.

I agree with the others: you need to close down your unused ports.

I don't think I answered your question. Hopefully added some clarity, probably just more confusion :)
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 05:35am 20 Dec 2017

What is the best way to close down unused ports? Do you mean on the Puppy box, or within the router when you talk about that? .....or both?
Smoke makes things work. When the smoke gets out, it stops!
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 08:26am 20 Dec 2017

Close them all, everywhere you can.
Then open the ones you need.
If you know what the IP address is for the process that needs an open port, you can also include that to only accept traffic on that port from that specific IP address.


Microblocks. Build with logic.
 
Azure

Guru

Joined: 09/11/2017
Location: Australia
Posts: 446
Posted: 08:57am 20 Dec 2017

If you care about your internet exposure or being hacked/hijacked, then lock down as much as you can. Close all ports and only open what you need. Firewalls on the internet connection (what people call your router these days) and on any PC.
 
CaptainBoing

Guru

Joined: 07/09/2016
Location: United Kingdom
Posts: 2170
Posted: 09:13am 20 Dec 2017

Grogster said: Okey dokey. So with that in mind, what is the 0.0.0.0 doing for me?

With classic CIDR (classless inter-domain routing), anything on the LAN needs to see everything else, and it works out what "your LAN" is by ANDing the mask to the IP address. If the leftmost bits (covered by the 1's of the mask) don't change, then the destination is in the same LAN as me:

192.168.000.xxx
AND
255.255.255.000
=
192.168.000.000

The same number of 1 bits as in the mask (24) have not changed; therefore the destination is in "my LAN" - so I can route to it directly.

If any of the leftmost bits change, then the destination is foreign, so the unit throws the traffic at the gateway instead with a sort of "I can't get to it, you try" approach. It follows that the gateway address must have one "foot" in the same LAN and another on (the route to) the destination.

So if you set the gateway to 0.0.0.0 (it is nice and tidy) it will only route if the same MASKing as above works (which it won't). So you determine a destination is foreign and you can't get to it directly, so you throw it at another address - which you can't get to directly (because you have no route off your LAN) and the traffic just disappears because no device accepted the packet off the LAN. There will be a small overhead for timeouts etc, but it effectively stops anything getting off your LAN if the devices have ANY address not directly in their own address range... you could just as effectively set the gateway to 192.168.1.1; anything in 192.168.0.x would not be able to get to it (assuming a 24 bit mask). So the address isn't important; so long as it is not in your LAN it will stop you getting out of it.

Needless to say you don't actually have to deal with any of this - it is all handled by the "stack" - software that progressively unpacks the traffic, works out protocols, addressing matters etc. to get it where it's going.

There are various tweaks to the above, but they are pretty specialized and I doubt you'd ever bump into them for normal LAN stylee ops.
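The mask-and-compare decision CaptainBoing walks through, carried through in code as an added example (not from the post): it reproduces the 192.168.0.x / 255.255.255.0 AND table, then decides for each destination whether the host delivers directly, hands off to the gateway, or has nowhere to send the packet because the gateway itself is not on the LAN (the 0.0.0.0 case and the 192.168.1.1-from-192.168.0.x case). The addresses used are constructed, and the "dropped" outcome models the behaviour the post describes rather than any one OS's exact routing code.

```python
# Added example (not from the forum post): the on-link test described above.
import ipaddress

def masked(ip: str, mask: str) -> str:
    """AND an address with the mask, e.g. 192.168.0.23 & 255.255.255.0 -> 192.168.0.0."""
    result = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(result))

def same_lan(a: str, b: str, mask: str) -> bool:
    """Two addresses are on the same LAN when the bits under the mask match."""
    return masked(a, mask) == masked(b, mask)

def next_hop(my_ip: str, mask: str, gateway: str, dest: str) -> str:
    """Where a packet to `dest` goes from a host configured with my_ip/mask/gateway.

    'direct'      - dest is on the LAN, deliver straight to it
    <gateway ip>  - dest is foreign and the gateway is on the LAN, hand it over
    'dropped'     - dest is foreign but the gateway is not on the LAN either
                    (0.0.0.0, or a gateway in some other subnet), so nothing
                    on the wire will accept the packet: the post's "just
                    disappears" outcome (modelled here, not OS-specific code)
    """
    if same_lan(my_ip, dest, mask):
        return "direct"
    if same_lan(my_ip, gateway, mask):
        return gateway
    return "dropped"

if __name__ == "__main__":
    # The AND table from the post.
    print(masked("192.168.0.23", "255.255.255.0"))          # 192.168.0.0
    # A 0.0.0.0 gateway: LAN peers still reachable, the Internet is not.
    for dest in ("192.168.1.20", "8.8.8.8"):
        print(dest, "->", next_hop("192.168.1.50", "255.255.255.0", "0.0.0.0", dest))
    # A real gateway on the LAN forwards foreign traffic.
    print(next_hop("192.168.1.50", "255.255.255.0", "192.168.1.1", "8.8.8.8"))
    # A gateway in a different /24 is just as unreachable as 0.0.0.0.
    print(next_hop("192.168.0.50", "255.255.255.0", "192.168.1.1", "8.8.8.8"))
```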

 
CaptainBoing

Guru

Joined: 07/09/2016
Location: United Kingdom
Posts: 2170
Posted: 09:19am 20 Dec 2017

MicroBlocks said: Close them all, everywhere you can.
Then open the ones you need.

100%

This is called "pinholing": create holes just for the traffic you need. Try to do specific IP addresses (or ranges if you must) and only the ports you want.

"A point in every direction is the same as no point at all" - Harry Nilsson
 
n8mdl
Newbie

Joined: 11/08/2011
Location: United States
Posts: 11
Posted: 02:29pm 20 Dec 2017

Well. Using 0.0.0.0 as your gateway address would not be considered best practice and will not achieve your goal. There are a few addresses and address ranges that are special. 0.0.0.0 is typically used as the default static route in routers. Think of it as a sort of wildcard address - if there is no other route listed, use this one. It is possible - depending on the OS - that your route table has 0.0.0.0 static routing to your gateway IP address on your LAN, so access out from that machine would be technically doable. Best practice is to leave the gateway address blank. But this in itself would not keep an IP from the outside away from your internal address. The device (router/firewall) that connects you to the outside has an address on your LAN and everything on your LAN subnet is visible to it. So....

Without going in too deep, there is also something else that needs to be kept in mind, and that is the use of NAT: Network Address Translation. This is what allows the Internets to work as it does. 192.168.x.x addresses are considered non-routable - routers will not try to do anything with them in the public IP space. This is how most everyone has 192.168.x.x addresses on their LANs without conflict. NAT translates the LAN address to the WAN address and back again. Hence why we can have many LAN IPs use a single WAN IP. NAT also can translate WAN (public) IP addresses to LAN (private) IP addresses. Think web servers, email servers, etc. This is the only way things from the outside can see inside. Just having ports open internally is not enough; there has to be IP as well. This goes back to the stack that was mentioned earlier.

I realize there is much, much more to this topic, but am stopping here as there really is a vast amount of info out there about this already. Just thought I would throw my 2 cents in there as I do not get much of a chance to comment on the boards.

Gary
Edited by n8mdl 2017-12-22
 
lizby
Guru

Joined: 17/05/2016
Location: United States
Posts: 3378
Posted: 04:38pm 20 Dec 2017

You've already determined that you have unexpected connections from the outside, so perhaps you are using this or something similar, but Steve Gibson's "shieldsup" at https://www.grc.com/shieldsup can help determine what ports are open and what they are typically used for.

"Instant UPnP Exposure Test" is part of this.

The hoped-for response is:
THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!

"Shieldsup" is dated--there may be more current probes to use.
Edited by lizby 2017-12-22
PicoMite, Armmite F4, SensorKits, MMBasic Hardware, Games, etc. on fruitoftheshed
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 12:07am 21 Dec 2017

Thanks for the replies.
Special thanks to CaptainBoing, as that post really made a lot of sense to me.

But everything is useful, and networking........Gawd, there is so much detail to learn if you want to get into it.....

ANOTHER problem I have with closing down ports and restricting IP addresses is that if I do ANYTHING to take the PCs that I want to have Internet access off of DHCP, they refuse to work then. No doubt this is something else I need to configure somewhere, but.....

QUESTION: For the purposes of experimentation, if I were to configure static IPs even on the PCs I want Internet access on, would I do something like:

1) Disable the DHCP server in the router.
2) Enter in the static IP address of PC #1 to the routing table in the router (and save)
3) Enter that IP into PC #1 (such as 192.168.1.111 with Subnet mask 255.255.255.0)
4) State the GATEWAY IP as the IP address of the router

Save all that and reboot. Should that kind of procedure ensure that PCs always get the same IP address, but can still have a gateway to the WAN and Internet?

IF I can get that far, then by extension of that, I can start closing down all the ports, and just open the ones I want as mentioned here.

How do you specify a port to use with an IP address in Windoze? All I ever see is how to set the IP, Subnet and gateway IP's, but never any ports.

Thanks for any more replies. I think this thread is going to teach me a lot more about networking, which is probably a good thing.
Smoke makes things work. When the smoke gets out, it stops!
 
TassyJim

Guru

Joined: 07/08/2011
Location: Australia
Posts: 6283
Posted: 12:30am 21 Dec 2017

Having a DHCP server is by far the easiest way to go, but if you want to confuse Santa:

When your PC connects to the router with DHCP, the PC is given:
an address
subnet mask
the gateway address
The DNS servers (usually 2)

It is probably also given IPv6 addresses, but you can probably ignore them.

To see what you get, open a command prompt and enter "ipconfig /all" without the quotes.
The section headed "Ethernet adapter Ethernet:" or similar is probably what you will be interested in.

If you set the PC to static, you have to provide the above IPv4 values.
Without the DNS servers, you are like the Christmas turkey - stuffed.

Be prepared to reboot the PC between changes.

You can leave the DHCP server running and choose to set some devices to static and some on DHCP

Ignore ports for now; that's next year's lesson.

Jim
Edited by TassyJim 2017-12-22
VK7JH
MMedit
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9610
Posted: 12:49am 21 Dec 2017

Heh, heh - you have a point.
Perhaps best not to play with the settings for JUST now, till we are past Christmas day at least. No, I don't want to confuse Santa!!!!

I hear what you are saying though, and ipconfig/all gives me quite a lot of info to read over. The Gateway AND the DHCP Server have the same IP address - I expect that is normal to see?

The router itself gives me two IP addresses for two DNS servers, both starting with 202.x.x.x

So, assuming I wanted to try it on: take the IP address and make it static, enter in the 255.255.255.0 subnet mask, enter in the Gateway, and finally enter in the two DNS IP addresses and reboot - in THEORY that should put me on a static IP, but still with Internet access, yes?
Smoke makes things work. When the smoke gets out, it stops!
 
TassyJim

Guru

Joined: 07/08/2011
Location: Australia
Posts: 6283
Posted: 01:03am 21 Dec 2017

Grogster said: Heh, heh - you have a point.
So, assuming I wanted to try it on: take the IP address and make it static, enter in the 255.255.255.0 subnet mask, enter in the Gateway, and finally enter in the two DNS IP addresses and reboot - in THEORY that should put me on a static IP, but still with Internet access, yes?

Yes.
The DNS address will be what your ISP dished out to your modem when you connected. Some people like to use Google's DNS instead, but I think Google knows too much about me already.

Your router might get upset if you use an address that it wants to use. It's worth a try.

Jim
VK7JH
MMedit
 
MicroBlocks

Guru

Joined: 12/05/2012
Location: Thailand
Posts: 2209
Posted: 01:39am 21 Dec 2017

If you want to have a heart attack, open up the firewall (Windows key, then type firewall) and within that program click on Inbound Rules (top left). Here you will see all the rules for incoming traffic.
Easiest thing to do is select them all and click on 'disable rule' (on the right).

There will be things that do not work anymore, but that is the moment to start opening/closing ports one by one until what you need is working.
If you need to know what each port does, google and time are your friends.
Have fun. :)




Microblocks. Build with logic.
 