DumbAP Security Advice

Greetings,
I am new to OpenWrt, but not new to networking and firewalls.
I have my device working as desired, but need some guidance on the security aspect.

Device: Netgear WAC104
It is currently running:
OpenWrt SNAPSHOT r15563-3bd8f660a4 / LuCI Master git-21.020.56896-af422b1

I set it up as a DumbAP as per the guides here on the forum.
It is working exactly as I wanted, no problems on that front.

My questions are about security.
Historically, I have never allowed admin interfaces to be available via WiFi, only via wired LAN. As it is currently configured, I do not see a way to do that. So my questions are:

  1. Am I worrying about something that I do not need to? If I give it a strong password and/or use custom ports and users, is that sufficient?

  2. If I should prevent LuCI/SSH access via WiFi, the only way I see to accomplish that is to re-enable the firewall and routing, thus making it a smart AP again. I do not have enough experience with this hardware or OpenWrt to know whether that will add enough overhead to affect traffic speeds?

  3. I like to disable remote access for the default admin accounts (root in this case), and use custom users with tiered privileges. Since this is Linux based, I know I can do that via the CLI, but will LuCI still function correctly (and allow logins from a user that is not root)?
    (To be fully transparent, I have not researched this question in the forums yet, it may already be answered)

I am open to any and all input or advice, and I thank you for your time in advance.
Configs to follow.
-jk3wl

1 Like

Config Files:

#   uci show network
------------------------------------
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fd5b:fb09:fe86::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ifname='lan1 lan2 lan3 lan4'
network.lan.ipaddr='10.X.X.4'
network.lan.gateway='10.X.X.1'
network.lan.dns='10.X.X.1'


   #   uci show wireless
-------------------------------------
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11g'
wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio0.htmode='HT20'
wireless.radio0.country='US'
wireless.radio0.channel='auto'
wireless.radio0.cell_density='0'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='SSID1'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='XXX'
wireless.default_radio0.wpa_disable_eapol_key_retries='1'
wireless.default_radio0.network='lan'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11a'
wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio1.htmode='VHT80'
wireless.radio1.country='US'
wireless.radio1.channel='auto'
wireless.radio1.cell_density='0'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='SSID2'
wireless.default_radio1.encryption='psk2'
wireless.default_radio1.key='XXX'
wireless.default_radio1.network='lan'
wireless.default_radio1.wpa_disable_eapol_key_retries='1'


  #     cat /etc/config/network
------------------------------------------
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd5b:fb09:fe86::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'lan1 lan2 lan3 lan4'
        option ipaddr '10.X.X.4'
        option gateway '10.X.X.1'
        list dns '10.X.X.1'


  #     cat /etc/config/wireless
-------------------------------------------
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'US'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'SSID1'
        option encryption 'psk2'
        option key 'XXX'
        option wpa_disable_eapol_key_retries '1'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSID2'
        option encryption 'psk2'
        option key 'XXX'
        option network 'lan'
        option wpa_disable_eapol_key_retries '1'


Yep, use strong Wi-Fi and root passwords and enable encryption and it should be fine in most cases.
If you feel paranoid, there are more options, such as tunneling over SSH or VPN.
Enabling and setting up the firewall is also possible, and it shouldn't negatively affect performance since there's no NAT involved.
Although privilege separation for SSH is feasible, it might be difficult for LuCI.

2 Likes

You could put your WLAN on a different subnet, and have uhttpd only listen on the wired subnet. It's a rather easy solution. Not ideal if you want/need your WiFi devices to be able to talk to your wired clients though.

Hi vgaetera,
Yes, already using strong passwords, and have already set up SSL for LuCI.
Configuring SSH with cert-only auth was on my short to-do list.
I was contemplating disabling non-SSL, but I do like the idea of just disabling the uhttpd service altogether, and only turning it on via SSH as needed. Once configured, I will not have a need to get into this thing very often anyway.
Given all of that, I see no need to go further and complicate it more than necessary.
Thank you for the insight and "extra set of eyes".

1 Like

Hi Borromini,
I appreciate the info, however as you indicate, I do not want it on separate subnet.
Thank you for your input.
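For anyone landing on this thread later, here is an added example (my own script, not code posted by jk3wl, vgaetera or Borromini, and not part of OpenWrt) that turns the advice above into concrete UCI changes: SSH key-only with root password login off, uhttpd listening for HTTPS only on the management address (the same binding Borromini's suggestion relies on), and the firewall re-enabled with no NAT and the lan zone's INPUT limited to SSH, HTTPS and ICMP. The management IP is passed as an argument; the script assumes the `lan` zone is the first zone section in `/etc/config/firewall` and that public keys are already in `/etc/dropbear/authorized_keys`, and it checks both before applying so you cannot lock yourself out. Without `--apply` it only prints the `uci` commands for review.

```shell
#!/bin/sh
# harden-dumbap.sh: added example, not code from the thread above or from
# OpenWrt. Prints (or, with --apply, applies) the UCI changes behind the
# replies' advice: SSH key-only on the LAN interface, LuCI on HTTPS only at
# the management address, firewall on with no NAT and INPUT limited to the
# admin ports.
#
# Assumptions (mine, not the thread's): management IP is $1; the 'lan' zone
# is zone[0] in /etc/config/firewall (stock layout, checked before applying);
# SSH public keys already sit in /etc/dropbear/authorized_keys (also checked).
#
# Caveat: wired and wireless clients of a dumb AP share one bridge and one
# subnet, so this limits which *ports* answer, not which medium the client
# arrived on.

usage() {
    echo "usage: $0 <management-ip> [--apply]" >&2
}

# One uci command per line. Arguments are single-quoted so the '@zone[0]'
# selectors survive eval without pathname expansion.
gen_uci_cmds() {
    ip="$1"
    cat <<EOF
set 'dropbear.@dropbear[0].PasswordAuth=off'
set 'dropbear.@dropbear[0].RootPasswordAuth=off'
set 'dropbear.@dropbear[0].Interface=lan'
delete 'uhttpd.main.listen_http'
delete 'uhttpd.main.listen_https'
add_list 'uhttpd.main.listen_https=${ip}:443'
set 'firewall.@defaults[0].input=REJECT'
set 'firewall.@defaults[0].forward=REJECT'
set 'firewall.@zone[0].input=REJECT'
set 'firewall.@zone[0].forward=REJECT'
set 'firewall.@zone[0].masq=0'
set 'firewall.mgmt_ssh=rule'
set 'firewall.mgmt_ssh.name=Allow-SSH-LAN'
set 'firewall.mgmt_ssh.src=lan'
set 'firewall.mgmt_ssh.proto=tcp'
set 'firewall.mgmt_ssh.dest_port=22'
set 'firewall.mgmt_ssh.target=ACCEPT'
set 'firewall.mgmt_https=rule'
set 'firewall.mgmt_https.name=Allow-HTTPS-LAN'
set 'firewall.mgmt_https.src=lan'
set 'firewall.mgmt_https.proto=tcp'
set 'firewall.mgmt_https.dest_port=443'
set 'firewall.mgmt_https.target=ACCEPT'
set 'firewall.mgmt_icmp4=rule'
set 'firewall.mgmt_icmp4.name=Allow-ICMP-LAN'
set 'firewall.mgmt_icmp4.src=lan'
set 'firewall.mgmt_icmp4.proto=icmp'
set 'firewall.mgmt_icmp4.family=ipv4'
set 'firewall.mgmt_icmp4.target=ACCEPT'
set 'firewall.mgmt_icmp6=rule'
set 'firewall.mgmt_icmp6.name=Allow-ICMPv6-LAN'
set 'firewall.mgmt_icmp6.src=lan'
set 'firewall.mgmt_icmp6.proto=icmp'
set 'firewall.mgmt_icmp6.family=ipv6'
set 'firewall.mgmt_icmp6.target=ACCEPT'
EOF
}

# Refuse to apply when the assumptions above do not hold on this device.
preflight() {
    [ "$(uci -q get 'firewall.@zone[0].name')" = "lan" ] ||
        { echo "zone[0] is not 'lan'; fix the zone index first" >&2; return 1; }
    [ -s /etc/dropbear/authorized_keys ] ||
        { echo "no keys in /etc/dropbear/authorized_keys; add one and test key login first" >&2; return 1; }
}

apply_cmds() {
    preflight || return 1
    gen_uci_cmds "$1" | while IFS= read -r cmd; do
        # -q keeps 'delete' of an absent option quiet; eval restores the quoting.
        eval "uci -q $cmd" || echo "warn: uci $cmd failed" >&2
    done
    uci commit dropbear && uci commit uhttpd && uci commit firewall || return 1
    /etc/init.d/firewall enable && /etc/init.d/firewall restart
    /etc/init.d/dropbear restart
    /etc/init.d/uhttpd restart
}

main() {
    [ $# -ge 1 ] || { usage; return 0; }
    if [ "${2:-}" = "--apply" ]; then
        apply_cmds "$1"
    else
        gen_uci_cmds "$1"   # dry run: review the commands before applying
    fi
}

main "$@"
```

Keep your current SSH session open while applying and confirm a second, key-based login works before closing it. The lan zone gets `forward=REJECT` and `masq=0` because a dumb AP routes nothing; bridged client traffic never enters the IP forward chain, so as vgaetera says there is no NAT cost. For jk3wl's plan of running LuCI only on demand, `/etc/init.d/uhttpd disable && /etc/init.d/uhttpd stop` keeps it off across reboots and `/etc/init.d/uhttpd start` brings it up from the SSH session when needed. Binding uhttpd to the management IPv4 address also drops the IPv6 and loopback listeners; on a split-subnet AP as Borromini describes, that binding is what keeps the WLAN side out.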
