Routers and firewalls

I have Verizon FIOS. The router went bad, so I had them send me a new one. In the meantime, I connected my Orbi mesh network directly to the box that converts light into the internet.

It works fine. However, I recently realized that the Orbi doesn’t have a built-in firewall, unlike the supplied Verizon router. Is that an issue?

My normal use case:
Verizon router to Orbi, with Verizon wi-fi turned off
Orbi for all intranet connections (PCs, Chromebooks, smart devices, phones)

When the router went bad, I just took it out and all is fine. I have a new router from them. The only reason I hesitate to put it back in is that I just got my VPN server up and running, and I’m worried that I’ll screw up the port forwarding on the Verizon router.

So, how important is it that the router has a built-in firewall?

TL;DR: Probably not very important, but possibly vitally important. Somewhere in that range! The probably correct simple answer is: nothing is getting through that you haven’t set up port forwarding for. The long answer is not as simple.

Just to make sure we’re all talking about the same thing, you have a box (possibly called an ONT) that connects to the incoming fiber optic connection, and it has various outgoing ports on it. The one concerning us is the ethernet port. Previously you had your Verizon router connected to that ethernet port. You then had your Orbi base unit connected to the router.

The router died, so you connected the Orbi base unit directly to the ONT, and everything kept working.

Where have you set up the port forwarding for your VPN? Or, have you not set up port forwarding for the VPN because your server is getting a routed IPV4 address and is directly on the internet?

If you set up the port forwarding in the Orbi, then it is acting as a router. If it is doing NAT (real IPV4 address on the outside, private IPV4 addresses at home), then having a firewall is not terribly useful.

Your routable IPV4 address (what you see when you go to https://ipv4.icanhazip.com/) is being bombarded with connections on port 22. If you have port forwarding set up for 22, then those connections are passed along, and it’s up to your computer to deal with it. If you don’t have port forwarding set up on 22, then nothing happens to those packets (assuming the Orbi itself isn’t responding). So whether firewall or not, nothing is getting through that you haven’t configured to be forwarded.

The worst case is that instead of any kind of routing, Verizon is just handing off multiple routable IP addresses to you. I can’t imagine this is the case, but dumber things have happened.

An in-the-middle case is that instead of forwarding just your VPN port, you’re forwarding everything. Then any incoming connections are handed to your computer to deal with. Of course, your computer needs to have something listening on (as per the example) port 22, or it will just drop the packets.

Either of the two previous examples could be really bad if you have, for example, internal-only services, like file sharing, set up that are now accessible to the whole internet. That is probably not the case, and is almost definitely not the case if you are behind NAT.

This can be complicated if you also have IPV6 (do you see anything at https://ipv6.icanhazip.com/ ?). If so, and you have no firewall on the router, then it is possible that someone could connect directly to your computers over IPV6. The IPV6 address space is too large for brute force scanning, but any IPV6 host you connect to will know your current address, so could potentially scan your computer to see what services are running.

Defense in depth says that you should be running firewalls on all of your computers, anyway. Don’t run any services you don’t want. If some of those services are for LAN use only, then you should have a firewall on that computer which restricts connections to just your LAN. As long as your router is configured properly, that firewall may never be triggered, but if your router is not correct…
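To make the cases in the answer above concrete, here is an added Python model (not code from the thread, from Netgear, or from Verizon) of how an edge router decides what to do with an unsolicited packet from the internet: NAT with a single static forward (the VPN port), NAT with a "forward everything" DMZ host, and the no-NAT case where Verizon hands out routable addresses, plus the host firewall that defense in depth asks for. The 10.0.0.0/8 range and UDP port 33333 come from the thread; every other address, host name and the LAN-only port list are constructed for the example, and the NAT is simplified to keep source ports unchanged on the outside.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Addresses are constructed for this example. 10.0.0.0/8 is the private range
# the Orbi hands out (from the thread); the public addresses are documentation
# ranges and stand in for "some Verizon address" and an internet scanner.
LAN = ip_network("10.0.0.0/8")
WAN_IP = ip_address("198.51.100.7")     # hypothetical routable address on the Orbi
VPN_HOST = ip_address("10.0.0.50")      # hypothetical WireGuard server on the LAN
TV = ip_address("10.0.0.77")            # hypothetical smart TV with LAN-only services
SCANNER = ip_address("203.0.113.9")     # hypothetical host scanning the internet
WEB = ip_address("192.0.2.80")          # hypothetical web server a LAN host visits
LAN_ONLY_PORTS = {445, 5353}            # hypothetical host-firewall policy (SMB, mDNS)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass
class Router:
    """Toy edge router: NAT with optional static forwards and a DMZ host,
    or plain routing when nat=False. Source ports are kept unchanged on the
    outside (a simplification; real NAT may rewrite them)."""
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> (host, port)
    dmz_host: Optional[IPv4Address] = None         # "forward everything" target
    nat: bool = True
    flows: set = field(default_factory=set)        # (proto, remote, rport, host, hport)

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection: record the flow, rewrite the source."""
        assert pkt.src in LAN
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if not self.nat:
            return pkt
        return Packet(pkt.proto, WAN_IP, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """A packet arrives from the internet. Returns (verdict, delivered_to)."""
        if not self.nat:
            # Routed addresses: every LAN host is reachable and nothing filters.
            return "routed", pkt.dst
        # 1. Reply to a connection a LAN host started: the flow table knows the host.
        for proto, remote, rport, host, hport in self.flows:
            if (proto, remote, rport, hport) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return "reply", host
        # 2. Explicit port forward (the OP's UDP 33333 for the VPN).
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            return "forward", target[0]
        # 3. DMZ / forward everything: the unsolicited packet goes to that host.
        if self.dmz_host is not None:
            return "dmz", self.dmz_host
        # 4. Unsolicited and unmapped: NAT has no inside address for it, so it dies here.
        return "drop", None


def host_accepts(src: IPv4Address, dport: int) -> bool:
    """Host firewall (defense in depth): LAN-only services accept LAN sources only."""
    if dport in LAN_ONLY_PORTS:
        return src in LAN
    return True


def scenario() -> dict:
    """Replay the cases from the thread; returns each verdict by name."""
    out = {}
    orbi = Router(forwards={("udp", 33333): (VPN_HOST, 33333)})
    orbi.outbound(Packet("tcp", TV, 40000, WEB, 443))           # TV fetches a web page
    out["reply"] = orbi.inbound(Packet("tcp", WEB, 443, WAN_IP, 40000))
    out["vpn"] = orbi.inbound(Packet("udp", SCANNER, 5555, WAN_IP, 33333))
    out["ssh_scan"] = orbi.inbound(Packet("tcp", SCANNER, 5555, WAN_IP, 22))
    dmz = Router(dmz_host=TV)                                    # forwarding everything
    out["dmz_router"] = dmz.inbound(Packet("tcp", SCANNER, 5555, WAN_IP, 445))
    out["dmz_host"] = host_accepts(SCANNER, 445)                 # host firewall catches it
    routed = Router(nat=False)                                   # Verizon hands out real IPs
    out["routed_router"] = routed.inbound(Packet("tcp", SCANNER, 5555, TV, 445))
    out["routed_host"] = host_accepts(SCANNER, 445)
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:14} -> {verdict}")
```

The `ssh_scan` case is the point of the answer: with NAT and no forward for port 22, the router has nowhere to deliver the packet, so it is dropped whether or not a firewall is configured. The `dmz_*` and `routed_*` cases show why the answer still recommends a host firewall: the router hands the scanner's packet to the TV, and only the host's own LAN-only rule stops it.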

This is exactly what I’m looking for! Thanks for the comprehensive answer.

The Orbi is directly connected to the ONT, like you guessed. The Orbi is only forwarding port 33333, which is what the how-to for WireGuard told me to use.

I know that my (and all of our) Windows computers have a built-in firewall, but I don’t know about our phones, smart TVs, tablets and Chromebooks.

The Orbi set up private IPV4 addresses (10.x.x.x) at home, and the outside sees us as some Verizon address. I don’t have an IPV6 address from what I can tell (from your link or other places I’ve checked).

My external IPV4 rarely changes, if ever. If it does change, I’ll have to send out new VPN files to my family members who have them.

I think those are the various things you mentioned? Sounds like I’m OK, since the Orbi will only forward 33333 and only my VPN server will be listening for that.

The Orbi may not have a stateful firewall (I am not familiar with it) but by using Network Address Translation (NAT), your LAN is inaccessible other than explicitly forwarded ports.

If everything is on the 10.0.0.0/8 network, then it is not directly addressable from outside of your network. Nothing will be able to get to your TV to try and break in.

An aside for some nuance. If your router (the Orbi) is running something like upnp where a device in your network can request port forwarding from the router, or you have some misconfiguration on the router where it forwards some or all traffic to the TV, then your TV (or whatever) could potentially be open to the outside world. I expect any router from the last 5-10 years has upnp turned off, if it supports it at all.

Great answers, @echoreply!

Really? When and why did this change? I thought this was commonly used for PC gaming and such (so that players could host peer to peer games without a central server). I’ve seen it on by default in some routers, but I haven’t checked recently.


OP, you should also make sure to keep your router’s own firmware updated. They are tiny little computers in their own right, with their own vulnerabilities, that could also be exploited by hackers.

The Orbi has had many of its own vulnerabilities, including some that enabled remote code execution from an HTTP packet (that means an attacker can send your IP address a special message and take over your entire router and home network): PoC exploits released for Netgear Orbi router vulnerabilities

Sometimes that’s how botnets are made, not by attacking your computers but by attacking the routers themselves.

When you had one router behind another, you were probably unintentionally behind two layers of NAT unless you put one in bridge mode on purpose. That afforded you another layer of protection, with the Verizon router (which they probably auto update on your behalf) protecting the Orbi router. With that gone, it’s a good idea to make sure you keep the Orbi itself up to date since it’s now the first computer reached by any outside attackers.

Routers and consumer network equipment are unfortunately some of the weakest links in an average home system. They are still computers, but with software and firmware written by small overseas teams and not scrutinized by the big teams of Microsoft and Google etc. They are often overlooked when it comes to cybersec and can be a vulnerable entry point into your home network.

It’s not something you have to lose sleep over*, but if you’re thinking through all this, might as well take the extra few minutes to make sure to keep it updated too (or turn on auto update if that’s an option in your router).

*The theoretical risk is there, but in practice there are too many different routers and versions and such that it’s probably not worth an attacker’s time to try every possible exploit on every possible random home IP range. I’ve never known someone to have been affected by such an attack. Or maybe we all are and we just don’t know it, lol, secretly crypto mining for a subtle attacker.

I do make sure the firmware is updated. ETA: Just checked again and I’m good on that front.

UPNP is on actually (advertisement period=30 minutes, advertisement time in hops=4, whatever those mean). Is there any reason to have it on?

Unless you play PC games where you host your own server, usually not. It’s mainly useful for when you need to start impromptu, short-lived servers like that.

But these days most software doesn’t do it that way anymore. Turn it off for a month and see if anything breaks. Probably nothing will. And if you need to manually configure a port, like you did for the VPN, you already know how to do that anyway.

That said, I’ve left mine on for decades and never noticed an issue. I do use it for gaming though.

UPNP trades security for convenience. If you care more about security, just turn it off and you can always configure manual port forwards as you need to.

I never host LAN parties (or, WAN parties, I guess), so I’ll turn it off. Thanks to everyone for all the comprehensive answers. This has been really helpful.

Yeah, this is the main thing. Many people argue that it goes too far in the convenience direction. It has a history of poor implementations, bugs, and being used in the spread of botnets, but hopefully that’s behind us.

The end result of port forwarding manually or using upnp is the same, you’ve created a hole in the firewall. The difference is that any device on your network, without authorization or your knowledge, can create the upnp port forwarding.

Like many security things, it won’t be a problem until it is. If you don’t need it, turn it off, because leaving it on increases your attack surface. If you do use it, it’s important to be aware you’re using it.

My biggest complaint about upnp is it brings back memories of pnp, the 90s system of automatically setting up ISA irqs on a PC.