UBNT EdgeRouter LAN Config Issue
-
Good morning all!
I wanted to run this by the Mangolassi team first
. So over the weekend, I determined that our router was compromised. Scott, this answers a lot of questions that we have been wondering for months! So I determined that after my assistant set up the router he never changed the default password (I know what you wanna say trust me). Well our router got probed, and eventually, someone set up a shadow process.I worked with UBNT support and here is what I got told:
EdgeOS uses rsyslogd that runs as root, not syslogd that runs as an unprivileged user ('ubnt' here). This is likely a malicious executable that was installed after a compromise.So, to fix the issue, we have reset the router to defaults and reconfigured it by CLI. Which now that I feel a little more comfortable with it, I don't see a point in some cases for using the GUI. Upon review of the config my assistant used, we noticed a configuration that I'm not sure about.
ethernet eth1 { address 10.10.2.1/22 address 10.10.3.1/22 address 10.10.4.1/22 description Local duplex auto poe { output off } speed autoSo just to give a little backstory, we are 100% virtualized for our servers. Our Active Directory server also is the host for dns and dhcp scopes. We have a super scope of 10.10.0.1 through 10.10.4.254. I'm not sure if the EdgeMax should have all 3 ip's on one interface. That raised a few questions from people at UBNT forums. What exactly is that "doing" in a case like this? As I'm under the impression all the work should be done with the Windows Server handling the scope.
As I dig a little deeper, this issue seems to get worse and worse. When I open up the DHCP Manager, we have the superscope setup. However, for the router properties, he programmed 10.10.2.1, 10.10.3.1, 10.10.4.1, 8.8.8.8, 4.2.2.2. UMM excuse me for not paying attention to this sooner, but why would the DNS servers be in the router option on Windows Server?
To be honest, this is making me wanna throw up
Yes I know about the .loc (I walked out the room when this was set up to my disgust.) What's happening is, if anyone uses for instance the wireless and it goes over to the 10.10.4.x network, they can't get online. So no big deal I know it's just not talking to 10.10.4.1. I'm not sure how or rather WTF would cause that at this point other than this config.
-
That can't be right. 10.10.2.1/22 is inclusive of those other ranges. Those are overlapping address assignments.
-
The GUI is fine, just set it up for internal use and not available to the outside.
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
So, to fix the issue, we have reset the router to defaults and reconfigured it by CLI.
This will not clean your router. A reset does not nuke everything.
The only proper way to know you have a clean router is to use the EMRK process that totally wipes your flash drive.
-
@scottalanmiller said in UBNT EdgeRouter LAN Config Issue:
That can't be right. 10.10.2.1/22 is inclusive of those other ranges. Those are overlapping address assignments.
It is overlapping, and makes little sense. But there are valid cases for having more than one IP on a port. Just not in overlapping ranges.
I have one site with a LAN setup like this.
ethernet eth1 { address 10.1.1.1/24 address 10.204.1.1/24@krisleslie I find this CIDR calculator useful: http://www.subnet-calculator.com/cidr.php
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
As I dig a little deeper, this issue seems to get worse and worse. When I open up the DHCP Manager, we have the superscope setup. However, for the router properties, he programmed 10.10.2.1, 10.10.3.1, 10.10.4.1, 8.8.8.8, 4.2.2.2. UMM excuse me for not paying attention to this sooner, but why would the DNS servers be in the router option on Windows Server?
Yeah, that is pretty bad. If anything you set DHCP to be either the WIndwos DNS or the router and then you let the router's forwarder be the Windows DNS server.
-
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
It is overlapping, and makes little sense. But there are valid cases for having more than one IP on a port. Just not in overlapping ranges.
How do you post photos? I have a few I need to show.
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
It is overlapping, and makes little sense. But there are valid cases for having more than one IP on a port. Just not in overlapping ranges.
How do you post photos? I have a few I need to show.
I simply paste them in from clipboard. Or you use this button.
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
It is overlapping, and makes little sense. But there are valid cases for having more than one IP on a port. Just not in overlapping ranges.
How do you post photos? I have a few I need to show.
When posting use this and upload them.
-
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
So, to fix the issue, we have reset the router to defaults and reconfigured it by CLI.
This will not clean your router. A reset does not nuke everything.
The only proper way to know you have a clean router is to use the EMRK process that totally wipes your flash drive.
Brother thank you, I will go head and do this on downtime since the CLI wasn't as hard as I imagined. Thanks. I also posted some new photos in the original post.
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
So, to fix the issue, we have reset the router to defaults and reconfigured it by CLI.
This will not clean your router. A reset does not nuke everything.
The only proper way to know you have a clean router is to use the EMRK process that totally wipes your flash drive.
Brother thank you, I will go head and do this on downtime since the CLI wasn't as hard as I imagined. Thanks. I also posted some new photos in the original post.
Do that, then run the Basic Wizard in the GUI.
Then configure the rest as needed.
-
My thought process is to at the end of business day, disable those scopes, rebuild them, reboot equipment and then confirm things work as intended.
I assume I need to build a new super scope and properly put in 10.10.0.0/22 and define each scope. I'm getting 0 issues from my 10.10.2.x scope and 10.10.3.x scope. However the 10.10.4.x yea that is where all the problems are ( that I know of).
-
@krisleslie Just WTF is going on there.. After looking at your Windows DHCP I am just confused.
What is your network scope in reality because this just hurts.
I think you main netwokr is 10.10.0.0/22
And your wireless seems to be 10.10.4.0/24
Is this right?
What LAN IP should all of your systems have for their gateway?
-
@jaredbusch said in UBNT EdgeRouter LAN Config Issue:
@krisleslie Just WTF is going on there.. After looking at your Windows DHCP I am just confused.
What is your network scope in reality because this just hurts.
I think you main netwokr is 10.10.0.0/22
And your wireless seems to be 10.10.4.0/24
Is this right?
What LAN IP should all of your systems have for their gateway?
Yep, I see a total cluster there.
Does he even need SuperScopes there?
-
@jaredbusch this is just one of those times in life I wish I never let someone fiddle with the networking. All I can say is im thankful it βworkedβ somewhat but I do see that my concerns werenβt fake, they were real.
Now Iβve found after reviewing the port forwarding that RDP was open
guys im not a network guru, but i know RDP shouldnt be open on the internet. Now I have more fires to put out.@scottalanmiller is it too late for a flamming dr pepper?
-
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
@scottalanmiller is it too late for a flamming dr pepper?
Never too late!
-
Ok Jared just popped into the Ubiquiti Controller so here is what we have.
-
Scott I like this community forum app better than spiceworks
in some ways it's faster and easier especially with the photos! -
@krisleslie said in UBNT EdgeRouter LAN Config Issue:
Scott I like this community forum app better than spiceworks
in some ways it's faster and easier especially with the photos!Oh it is WAY better. A lot more modern, too. We have the advantage here of being like eight years younger, so we weren't saddled with as much cruft. And we learned from loads of mistakes that they made (but all things we warned them about years before - so they had had all kinds of opportunity to fix them.) We basically went with the community design that we had proposed to them aroudn 2011
They said we were crazy and that we didn't know forum needs like they did. Tee hee. -
What is your network scope in reality because this just hurts.
I think you main netwokr is 10.10.0.0/22 (I think that was his intention, but during the revamp, I think he intended one of our remote sites to be the .0 and .1 and to vpn link them together, of course, that only worked wonkily and it was scrapped).
And your wireless seems to be 10.10.4.0/24 (doesn't appear to be correct looks like we have to WLANs, the main lan should be using our 10.x.x.x and the guest lan not sure yet, investigating)
Is this right? (all this what I'm seeing is up for debate
)What LAN IP should all of your systems have for their gateway? 10.10.2.1 is the router, 10.10.2.251 is the ad/dns/dhcp
