Messages - 3kj2w

#1
Because in my case the TL-MR3420 with 4G/LTE is used only for WAN backup, and I can't have open ports on 4G/LTE or a true public IP with my operator, I have no problem with double NAT. The primary WAN (fiber optic) does not go through the TL-MR3420.
#2
Hi,
I made some experiments some time ago with this modem, and because of the problems you mention I now use a TL-MR3420 with this modem, and no more problems...

When I used only the E3372 I made my script; I also added a cron job that runs it every 5 min.

On my setup I first set ue0: static 192.168.10.10/24, gateway 192.168.10.1, add gateway... gateway group...
and pkg install usb_modeswitch

It is possible that you will need to make changes to this script for your setup, but the main work is done:

#!/bin/sh
# Prepare the Huawei E3372 USB modem: eject its virtual CD-ROM (cd0),
# switch it to network mode and give ue0 a static IPv4 address.
# LLC script v0.1

# Abort if the dongle is not plugged in.
usbdata=$(usbconfig | grep HUAWEIMOBILE)
if [ -z "$usbdata" ]; then
    echo "INSERT USB E3372 !"
    exit 1
fi

# If the modem still presents itself as a CD-ROM (cd0), eject it and ask
# usb_modeswitch to switch the device into modem/network mode.
cdata1=$(/sbin/camcontrol devlist | grep cd0)
if [ -n "$cdata1" ]; then
    echo "EJECT cd0"
    /sbin/camcontrol eject cd0
    /usr/local/sbin/usb_modeswitch --default-vendor 0x12d1 --default-product 0x1f01 -J
fi

# Bring ue0 up and keep setting the static address until it sticks.
# Match "inet " (with the trailing space): a plain "inet" also matches the
# inet6 link-local line, which would end the loop before the IPv4 address
# is configured. Give up after 30 tries so cron runs do not pile up if the
# interface never appears.
tries=0
ue0inet=$(/sbin/ifconfig ue0 2>/dev/null | grep 'inet ')
while [ -z "$ue0inet" ]; do
    tries=$((tries + 1))
    if [ "$tries" -gt 30 ]; then
        echo "ue0 did not come up, giving up"
        exit 1
    fi
    echo "working to ue0 IP..."
    /sbin/ifconfig ue0 up
    /bin/sleep 1
    /sbin/ifconfig ue0 inet 192.168.10.10 netmask 255.255.255.0
    ue0inet=$(/sbin/ifconfig ue0 2>/dev/null | grep 'inet ')
done

echo "EXIT USB-E3372"
exit 0
#3
19.1 Legacy Series / Re: How to disable IPv6
April 11, 2019, 10:11:38 AM
you have to change the generated ntp config to listen only on IPv4
here is how to do it:

edit:
/usr/local/etc/inc/plugins.inc.d/ntpd.inc
change these lines:

$ntpcfg .= 'restrict default';            ->   $ntpcfg .= 'restrict -4 default';
...
$ntpcfg .= "interface ignore all\n";      ->   $ntpcfg .= "interface ignore wildcard\n";


disable / comment out the lines with IPv6 references by adding # in front of them:
# $ntpcfg .= "\nrestrict -6 default";
# if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
# $ntpcfg .= ' kod limited';
# }
# if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
# $ntpcfg .= ' nomodify';
# }
# if (!empty($config['ntpd']['noquery'])) {
# $ntpcfg .= ' noquery';
# }
# if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
# $ntpcfg .= ' nopeer';
# }
# if (!empty($config['ntpd']['noserve'])) {
# $ntpcfg .= ' noserve';
# }
# if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
# $ntpcfg .= ' notrap';
# }


save and restart; NTP will no longer open a port on IPv6.

to disable IPv6 in the system
edit in:
/usr/local/etc/inc/

system.inc
and the other .inc files

there you will find a lot of references to :: / IP6 / IPv6 default settings that you can toggle off/disable (1 -> 0)

disable / comment out the lines that refer to IPv6 with #
so your system will not generate IPv6 addresses for interfaces or route IPv6

good luck and have fun...  ;)
#4
19.1 Legacy Series / Re: How to disable IPv6
April 11, 2019, 08:46:54 AM
The first step is to have a look at Sockets and see which service opens an IPv6 port to listen on;
then find that service's config and disable IPv6.
For this you need:
1) to tamper with the sources and disable / comment out running services that open IPv6 ports.
2) a script that deletes the IPv6 addresses from the interfaces at filter/interface reload/restart.

A very basic script for your interfaces will look like this:

first find your interfaces' IPv6 addresses with:
/sbin/ifconfig | grep inet6
then delete the IPv6 address from an interface with
ifconfig lo0 inet6 ::1 delete

#!/bin/sh
# delete IPV6 from interfaces
ifconfig lo0 inet6 ::1 delete
ifconfig lo0 inet6 fe80::1 delete
# here you add your IPv6 interfaces address...
ifconfig em0 inet6 fe80::64a3:27ff:fe0a:f59 delete
ifconfig em1 inet6 fe80::230:18ff:fec4:45c6 delete
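The two steps above (first see which daemons still listen on IPv6, as in the ntpd post, then strip the IPv6 addresses off the interfaces) can be done without typing addresses by hand. The following is an added example, not the poster's script: it parses the text output of FreeBSD's stock sockstat(8) and ifconfig(8), so it needs only sh and awk. The sockstat and ifconfig samples embedded below are constructed for the example; the addresses and PIDs in them are made up.

```shell
#!/bin/sh
# Two helpers for the "find IPv6 listeners, then strip IPv6 addresses"
# routine on a FreeBSD/OPNsense box. Both parse stock base-tool output.

# Constructed sample of `sockstat -l` output (not captured from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp6   *:123                 *:*
root     ntpd       1234  21 udp4   *:123                 *:*
root     ntpd       1234  22 udp6   fe80::1%lo0:123       *:*
root     sshd       800   3  tcp6   *:22                  *:*
root     sshd       800   4  tcp4   *:22                  *:*
unbound  unbound    900   5  udp4   127.0.0.1:53          *:*'

# Constructed sample of `ifconfig` output (addresses are made up).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:0a:0f:59
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe0a:f59%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'

# ipv6_listeners: sockstat output on stdin -> "command proto local-address"
# for every socket bound over IPv6 (PROTO column ending in 6: tcp6/udp6).
ipv6_listeners() {
    awk 'NR > 1 && $5 ~ /6$/ { printf "%s %s %s\n", $2, $5, $6 }' | LC_ALL=C sort -u
}

# ifconfig6_delete_cmds: ifconfig output on stdin -> one
# "ifconfig <if> inet6 <addr> delete" line per IPv6 address found.
# The current interface is taken from header lines like "em0: flags=...".
ifconfig6_delete_cmds() {
    awk '
        /^[A-Za-z][A-Za-z0-9_.]*: flags=/ { ifn = $1; sub(/:$/, "", ifn); next }
        $1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)    # drop the %scope suffix of link-locals
            printf "ifconfig %s inet6 %s delete\n", ifn, addr
        }'
}

# Stand-alone use on the firewall itself:
#   sh ipv6-strip.sh --show   list IPv6 listeners and the commands that would run
#   sh ipv6-strip.sh --run    actually delete every IPv6 address
case "${1-}" in
    --show)
        echo "# IPv6 listeners:"; sockstat -l | ipv6_listeners
        echo "# would run:";      ifconfig | ifconfig6_delete_cmds ;;
    --run)
        ifconfig | ifconfig6_delete_cmds | sh ;;
esac
```

Run it with --show first and check that the listener list is empty before trusting the address deletion: a daemon bound to `*:123` over udp6 stays bound even after the addresses are gone. Link-local addresses come back whenever the interface is re-initialized, which is why the post hooks the script into filter/interface reload; FreeBSD also offers `ifconfig <if> inet6 ifdisabled` and `sysctl net.inet6.ip6.auto_linklocal=0` as more durable ways to keep an interface without IPv6 addresses.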
#5
No problems with option 5 on my Linux with Firefox Quantum 66.0.2.

I also disabled IPv6 on my firewalls, and more than this I also tampered with the source and deleted any IPv6 port opening, listening, reference...

here are other sources for DoH:
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
https://en.wikipedia.org/wiki/Public_recursive_name_server


here is the first list I use, feel free to change, correct, add:
# Public resolvers list with DoH 10-04-2019 v0.0.1 LLC
dns-gcp.aaflalo.me
35.231.69.77

dns.aaflalo.me
176.56.236.175

176.103.130.132
176.103.130.130

dns-family.adguard.com
176.103.130.132

dns.adguard.com
176.103.130.130

139.59.16.130

178.128.255.28

dns.dnscrypt-tupi.org
191.252.100.35

139.59.48.222

51.15.106.176

208.67.220.220
208.67.220.123

185.228.168.10
185.228.168.168
185.228.168.9

dns.cloudflare.com
1.1.1.1
1.0.0.1

commons.host

8.20.247.2

77.51.181.209

81.17.31.34

128.127.104.108

213.163.64.208

185.107.80.84

185.117.118.20

5.133.8.187

185.212.169.139
185.94.193.234

212.129.46.32

195.154.40.48

109.71.42.228

103.16.27.53

5.254.96.195

178.175.139.211

109.248.149.133

82.163.72.123

84.16.240.43

89.163.214.174

162.221.207.228

167.114.84.132

173.234.159.235
173.234.56.115

104.238.195.139

64.120.5.251

198.7.58.227

209.58.147.36

64.42.181.227

155.254.29.113

23.19.67.116

104.255.175.2

93.95.226.165

41.79.69.13

209.250.235.170

199.167.130.118
199.167.128.112

77.66.84.233

176.56.237.171

167.86.90.103

45.76.35.212

doh.dnscrypt.nl
108.61.199.170

139.59.200.116

108.61.201.119

159.69.198.101

doh2.dnswarden.com
159.69.16.58

doh1.dnswarden.com
94.130.183.18

doh-de.blahdns.com
159.69.198.101

doh-jp.blahdns.com
108.61.201.119

doh.cleanbrowsing.org

doh.crypto.sx
104.28.0.106

ibksturm.synology.me
178.82.103.5

23.111.74.216
23.111.69.126

205.185.116.116

edns.233py.com
47.101.136.37

wdns.233py.com
118.24.208.197

sdns.233py.com
119.29.107.85

ndns.233py.com
114.115.240.175

dns.google.com
216.58.215.110

jp.gridns.xyz
172.105.241.93

sg.gridns.xyz
139.162.3.123

178.82.103.5

149.28.152.81

doh.tiar.app
45.32.105.4

194.132.32.32

180.131.144.144

195.10.195.195

142.4.204.111
142.4.205.47

doh.powerdns.org
136.144.215.158

doh.seby.io
45.76.113.31

106.51.128.78

dns.quad9.net
149.112.112.112

dns9.quad9.net
9.9.9.9
9.9.9.10
149.112.112.9
149.112.112.10

173.82.232.232

dns.rubyfish.cn
118.89.110.78

ea-dns.rubyfish.cn

uw-dns.rubyfish.cn

212.47.228.136

146.185.167.43

doh.securedns.eu
146.185.167.43

163.172.180.125

178.216.201.222

51.158.106.42

37.221.195.181

107.170.57.34

77.88.8.78

5.189.170.196

151.80.222.79

78.47.64.161

mozilla.cloudflare-dns.com
104.16.249.249

cloudflare-dns.com
104.16.111.25

doh.dns.sb
185.222.222.222
185.184.222.222

dns.dnsoverhttps.net
104.236.178.232

dns.dns-over-https.com
45.77.124.64

doh.appliedprivacy.net
37.252.185.229
#6
I think you have to change the value to 5 to completely disable DoH in the Mozilla browser
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

I saved the list and used the good old and slow method with gedit to search and replace strings, and the end result with IPv4 addresses and DNS names I imported into an alias.
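What the gedit search-and-replace above does by hand, and what the resolver list in the earlier post feeds into, can be scripted. The following is an added example, not the poster's code: a pure sh/awk/sort normalizer that takes the list as posted (hostnames and IPv4 addresses one per line, blank lines between providers, optional `#` comments) and emits a deduplicated IPv4 list in address order plus a hostname list, each ready to paste into an alias, and a third list of tokens it refused so typos are reviewed rather than silently dropped. It refuses RFC 1918 and loopback addresses so an internal resolver cannot end up in a block rule. The list embedded below is a constructed excerpt of the posted one with two deliberate duplicates and three bad lines; IPv6 is not handled because the posted list has none.

```shell
#!/bin/sh
# Normalize a free-form DoH resolver list into firewall alias material.
# Pure sh + awk + sort, so it runs on the firewall itself.

# Constructed excerpt of the posted list for the example; the real one is longer.
SAMPLE_LIST='# Public resolvers list with DoH (constructed excerpt)
dns.adguard.com
176.103.130.130

dns-family.adguard.com
176.103.130.132
176.103.130.132

dns.cloudflare.com
1.1.1.1
1.0.0.1

doh-de.blahdns.com
159.69.198.101

159.69.198.101

192.168.1.53   # lab resolver: must never land in a block alias
300.1.2.3
not a hostname'

# classify_resolvers: stdin -> "ip4 <addr>", "host <name>" or "skip <token>".
# Public IPv4 only: octets are range-checked and RFC 1918/loopback ranges
# are refused so a stray internal address cannot end up in a block rule.
classify_resolvers() {
    awk '
    function internal(a, b) {
        return a == 10 || a == 127 || (a == 192 && b == 168) || (a == 172 && b >= 16 && b <= 31)
    }
    {
        sub(/#.*/, "")                  # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "")     # trim whitespace
        if ($0 == "") next
        tok = $0
        if (tok ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            n = split(tok, o, ".")
            bad = 0
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) bad = 1
            if (bad || internal(o[1] + 0, o[2] + 0)) print "skip " tok
            else print "ip4 " tok
            next
        }
        # RFC 1123 hostname: two or more labels of letters, digits and
        # hyphens, no label starting or ending with a hyphen.
        if (tok ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/) {
            print "host " tolower(tok); next
        }
        print "skip " tok
    }'
}

# ip4_alias: deduplicated IPv4 addresses in numeric order, one per line.
ip4_alias() {
    classify_resolvers | awk '$1 == "ip4" { print $2 }' \
        | LC_ALL=C sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# host_alias: deduplicated hostnames for a host-type alias.
host_alias() {
    classify_resolvers | awk '$1 == "host" { print $2 }' | LC_ALL=C sort -u
}

# rejected_tokens: everything that was neither, for manual review.
rejected_tokens() {
    classify_resolvers | awk '$1 == "skip" { print substr($0, 6) }' | LC_ALL=C sort -u
}

# Stand-alone use:  sh doh-alias.sh --demo    or    ip4_alias < resolvers.txt
if [ "${1-}" = "--demo" ]; then
    echo "# IPv4 alias"; printf '%s\n' "$SAMPLE_LIST" | ip4_alias
    echo "# host alias"; printf '%s\n' "$SAMPLE_LIST" | host_alias
    echo "# rejected";   printf '%s\n' "$SAMPLE_LIST" | rejected_tokens
fi
```

Keep the two outputs in separate aliases: a host alias is re-resolved by the firewall and follows address changes, while the IPv4 alias catches clients that never ask your resolver for the name at all (the smart TV case in this thread). Expect collateral damage from the IPv4 side: endpoints such as cloudflare-dns.com and dns.google.com sit on front-end addresses shared with unrelated services, so an IP block there blocks more than DoH and, because those addresses change, still does not catch all of it.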

#7
I had to take some countermeasures after Mozilla added DoH by default in their browsers, so I used that public resolvers list to block any traffic from the LANs to those IPs... and one of the offenders caught is an LG smart TV with the latest firmware, on which I had already blocked one of the LG DNS names used for adverts: lgsmartad.com
this time the TV is using: dns.google.com  port: 443

https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json

@chemlud
do you have any other resolver lists or ideas?
#8
Super interesting topic; at this moment I am using:
- IP and DNS blocking from public lists for malware and ads.
- my own DNS server, blocking requests from the LAN to other DNS servers.
- Suricata.

Unfortunately all this will not block DNS over HTTPS...
#9
I remember some time ago I modified all my firewall installs to allow web access only from 127.0.0.1, and I forward the secure web interface port over an SSH tunnel... extra security steps I have in my config: I can access SSH only from the VPN, on one interface not shared with the V/LANs, and from one defined IP on the V/LANs.
#10
General Discussion / Re: How pathetic!!
May 18, 2018, 09:30:11 PM
Darkness is expanding? Does anybody know the story behind this?


It is not easy to hide the past:
https://github.com/doktornotor/pfsense-still-closedsource
https://github.com/rapi3/pfsense-is-closed-source
#11
If it helps to speed up development, here you can find a few packages for another fork that just need to be adapted for OPNsense:
https://github.com/marcelloc/Unofficial-pfSense-packages
#12
General Discussion / Re: Firewall Block schedule
March 01, 2018, 05:13:39 PM
try to do this using 2 rules:
first: an allow rule for that alias IP during the defined schedule.
second: a block rule for that alias IP all the time.

when the first rule is not active, traffic for that IP will be dropped regardless of connection state.

p.s. in my case I allow traffic to the private LANs all the time.
#13
Are you using this policy in a corporate or home environment?
Because basically you are blocking all UDP traffic (except DNS, NTP); did you block UDP traffic in the firewall rules also?
#14
18.1 Legacy Series / Re: What's generating this traffic?
February 20, 2018, 01:23:26 PM
Try logging on the WAN interface to see whether you get traffic from other IPs in the same class as your WAN IP.
If you see such traffic, then your provider has other customers with unsecured/badly configured networks on the same improperly configured switch (or it is just a dumb switch).
The good thing for you is that maybe you can hide your traffic using other customers' IPs on that switch; the bad thing is that others can do the same using your IP.
#15
More tests:

I have in firewall General Setup as DNS servers:
208.67.222.222
208.67.220.220

If testing against these DNS servers, traffic on any port will not be blocked as they are part of HomeNet -> the alert is triggered with a few variations of the DNS rules.

Using Unbound Resolver with Enable DNSSEC Support -> Suricata will not see the traffic from Unbound... DNS traffic encrypted!?

with Unbound Resolver active, testing against another DNS server (dig .... @91.239.100.100 -p 5353) with a few variations of the DNS rules gives NO triggered alert, so I have to admit the rules are not working properly for me either, and I discarded them.