Episode: 3587 Title: HPR3587: 20220406_UDM Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3587/hpr3587.mp3 Transcribed: 2025-10-25 01:47:54 --- This is Hacker Public Radio Episode 3587 for Tuesday the 3rd of May 2022. Today's show is entitled 20220406_UDM. It is hosted by operator and is about 13 minutes long. It carries an explicit flag. The summary is: I talk about my home router, the UDM from Ubiquiti.

Hello everyone and welcome to another episode of Hacker Public Radio with your host, operator. Today I'm going to be talking about home networking and my trials and tribulations. I've already recorded this once and I rambled a lot, so I'm going to get to the point and not ramble for 13 minutes before I realize what I'm talking about. So the UDM has been my choice. I wish I had 16 ports on my UDM; it's a little spherical guy. They have a UDM Pro, which is like a 1U that's just a router, and I don't think it does the wireless stuff. But anyway, if you want to look for something home-networking-wise that's good, it's pretty much Ubiquiti and maybe one other company I can't remember. Google has their own thing that's kind of similar, and Open-Mesh used to have something. I used to be on Open-Mesh, but now they're not Open-Mesh anymore. Anyway, what started this was the security features. I saw a friend with one and thought, yeah, this thing looks cool. It's got a really cool-looking UI, and, you know, it's kind of smoke and mirrors. But I looked at all the security settings in there and I said, ooh, this has basic blocking, bad lists. This has VLANs in it. This has deep packet inspection, so I can see what protocols are going across the network, what websites people are going to. It's pretty much almost packet-level visibility, as good as you can get for a router. So I said, ooh, I'll try one. We get it. My wife brings it in and, boom, the box is all smushed. I'm like, what's going on?
Like, what happened? She just said, yeah, well, I didn't know what this was, I ran over it. I'm like, well, that's our new router that you ran over. And, you know, it was an accident; the UPS guy, the FedEx guy, or whoever left it there. This would have been Amazon, excuse me. So the Amazon guy, I guess, leaves it there, no fault of the poor people that have to do last-mile deliveries. They are treated the worst, almost as bad as truckers, apparently.

But anyway, I started out leaving everything on and realized it gave me all these warnings that it was going to be slower. And Charter kind of owned up there: they were double charging me, and they said they couldn't give me my money back. So I said, okay, well, what can you do? And they're like, well, we can get you the service you paid for. And I'm like, okay, well, that's kind of bullshit. You've been ripping me off for six months. I had alerting in Mint (Mint Mobile, or Mint from Intuit) to alert me when Charter went over a certain amount. And they changed their line item name to Spectrum, and I didn't get the alert. So they were charging me an extra $5 a month. So that's why you don't do auto-pay. If you really want to control how much you're giving to your mobile providers and your internet providers and all the people that rip you off, you do monthly payments. You pay monthly. And that way, if they decide they don't want to, whatever, you can switch over to AT&T or do whatever you have to do to get your $3 a month back. So anyway, they give me this back and I get some bandwidth back. But because the router was slow trying to inspect all the packets, I eventually turned that off. I left the block list on. I used the VLAN tagging because I have another router, because I don't have enough ports on the network. That's all good.
I let that run for like a year, and then I had kind of a scare with another friend, the guy that had the UDM Pro originally: his whole home network got popped. And he had to pull all his devices out. He had like iPhone stuff and TVs, and he was super paranoid. I was trying to figure out exactly why and how he got compromised. And I gave him the device and I said, look, this is clean. This is a clean device. Anything you plug into it needs to be wiped and clean and happy. And somehow he ended up getting reinfected by some kind of, you know, server protocol or something, like somebody got on his Wi-Fi and tricked him into connecting to a fake Wi-Fi or something.

Anyway, I had been using that UDM for a while, and I said, ooh, something else happened. It wasn't with me, it was somebody else. I said, you know what, I haven't looked at my firewall. I want to start an internal lateral-movement lockdown, which means if a device gets compromised on your local network, it can't really move around very easily and just arbitrarily scan stuff, or arbitrarily find somewhere to pivot to with all the ports open. So what I did was, I started building out access lists for everything. And I'm not a firewall guy, so this took me a long time, and what I landed on was: you set your rules up, and then the last rule is an allow, but you log that allow to the daemon or whatever you log it to. Then you can tail that log out and see what would have been blocked if you had turned on block-all. So I'm doing internal, not external, but internal port blocking. So I'm identifying every single service that runs across the network. That's why I got rid of my Chromecast, because it wanted to do broadcast protocol stuff. I had VLAN isolation or client isolation on the wireless, which means every wireless device is independent; it can't talk to any of the other wireless devices on the network.
A lot of your embedded devices don't work: thermostats, wall-mount things. They all want to talk to you or whatever. And some of those don't work, about half of them, if not more. Anyway, I got client isolation down, set the firewall rules, got everything locked down. I have like 16 service ports on the server that I have to allow for stuff to work. We're talking Plex, Kodi on the internal, all internal services that get used to automate all the TV stuff, automate all the CCTV stuff, darknet and YOLO object recognition, doing the weather crap (I've got a weather device). And so there are 16 services, which just baffles me, that have to run to make the server work. So I got those figured out, locked down, and then you get things like printers: what is this thing trying to talk to this other thing? Oh, it's a printer, and it's trying to talk to the printer. Well, people need to print. So eventually it took about six months, adding a couple of firewall rules here and there when something wouldn't work, and getting rid of the Chromecast. I got off of the Chromecast and ended up with a cheap $20 Fire Stick for regular HD, not 4K. So after about six months, everything's locked down. I will say I like it.

The only problem is, and this is just how networking works, that I have a switch daisy-chained into it, and I can't see any traffic on the daisy-chained switch. So if something's going on, or arriving at the network internally, on that daisy-chained switch down the line, if it's A to B talking, then I'm not going to be able to see that traffic. But chances are, if it's internal traffic, internal to internal, I don't need to see the traffic anyway, because it's not necessarily going to provide a whole lot of value. Now when it passes and traverses through my router and goes to the internet, that's where I'm going to have, like, bandwidth issues. So certain devices on the LAN, plugged into the LAN: I had the LAN pretty much isolated to itself.
I kind of let the receiver go do whatever it wants to do, but nothing could talk to anything internally. Everything could go to the internet, go out, but nothing could talk to each other internally. Because that's what I see a lot of times: that lateral movement piece. Once they get in, they pivot from, say, my server to a workstation or Kathy's laptop or whatever. Or if Kathy were to download some malware and it starts moving laterally, it's not going to be able to, without some actor being on the console and being like, you know, "bro, dude, it's got like Plex version O2AB, and I'm going to find 0days for it." Like, it's pretty locked down at a port level. You can't talk to anything; SMB is all locked down. You can only talk to SMB via whatever. There are no credentials for SMB, it's just flat. There's nothing sensitive in there that's not already double encrypted. Like, it's all protected in theory. And I do my own scans, pentest myself, kind of every once in a while. And sometimes I'll leave a door open and forget to close it, like every company does.

But overall, the interface is still good. They update the interface a lot. It can be frustrating, but at the end of the day, they're making that product better. And to make the product better, it has to change. The interface is going to have to change for the product to be better. I've had it for four years now. It's meeting my needs. If we ever get fiber, obviously, I'll have to step up my game. I don't know how that's going to work. But we don't need it. I mean, we can pull down a movie in eight seconds or something. I don't need that type of bandwidth unless I want to extend my Plex server out to friends and family and they want to download, you know, I want to stream more than two at a time. But I like it. It's good stuff. I've done the Ubiquiti from house to house with their omnidirectional stuff.
If you're not a wireless guy, you're going to have a hard time. Essentially somebody gave me the analogy, my dad actually, said it's like two freight trains. So I had two of these omnidirectional antennas, and they were across the street from each other, essentially. But they were in the roof, so I had some concerns about tin interference and stuff. So I got two beefy omnidirectionals, $200 a piece or something. And the Ubiquiti stuff isn't commercial; it's not commercial grade. It's high-end retail grade. So I had them both aimed at each other, and it was like screaming freight trains. The idea is that I had to turn both of them down to like 20% for the traffic to be able to traverse the two things. And of course, three flights of stairs, and I had to go up and down and that kind of mess. But I like it. I like the Ubiquiti stuff. I used to have, like I said, Open-Mesh, and they got bought out, and I was like, well, I don't know what to do. And Google had just kind of started getting popular, the Google access points. And I was like, man, Google's already running my phone. They're already all up in my stuff. Let's just give somebody else my data: Ubiquiti. And of course, Ubiquiti gets popped, and everybody's all up and down about it.

And that's pretty much it. I would say, if you need any firewall help, or help building out firewall rules, or want to protect yourself from lateral movement, I can help you out. I can give you my firewall rules. I'll actually even post them if I remember; let me write a quick note. Now I'll say, if you're wanting to do client isolation, you're going to have a bad time. For example, the Chromecast will give you a hard time because it wants to do broadcast protocol stuff, which is not going to work. I landed on Fire Sticks. And even the Fire Stick I had to mess with, because when it saw that it could talk to Plex...
And when it saw the server on the LAN, it thought it could directly connect to it. And I hadn't set up the firewalls properly for it to do that. So it was doing some weird shenanigans where it was, like, going... I wanted it to actually go out to the internet and come back in, but do that locally. And the way routing works, it didn't really work out that way. It ended up being a pain in the butt. It was really my own fault, because I didn't allow that traffic to go directly to the server, back and forth. But I'll say client isolation is kind of a bitch, to be honest. Once I figured out the firewall stuff, once I figured out client isolation, I was pretty good. Other than that, I don't have a whole lot to say. I'd just say if you need help, just let me know. I'm not a firewall guy, but I spent a decent amount of time learning it and had fun. So if anybody needs any help with that stuff, setting up and locking down your local network, we can help you out.

You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
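The log-then-block workflow the episode describes (a final allow rule that logs every hit, tail the log, write allow rules for what it catches, then flip the last rule to drop) is a small parsing job. Below is an added example of that step, not code from the episode, from the host, or from Ubiquiti. The log lines are constructed in the Linux iptables LOG key=value layout; the rule prefix "[LAN_IN-LOG]" and the addresses are assumptions for illustration, not the UDM's actual output format or identifiers. The script counts distinct source/destination/protocol/port flows, emits them as candidate allow rules with hit counts, and separates multicast and broadcast destinations (mDNS, SSDP), which is exactly the discovery traffic the episode says breaks under client isolation and that no per-host rule can fix.

```python
import ipaddress
import re
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed sample log (not real router output). Lines follow the Linux
# iptables LOG key=value layout; "[LAN_IN-LOG]" is an assumed prefix for the
# catch-all allow+log rule and is not a UniFi identifier. The last line uses
# a different prefix so that the parser's filtering is exercised.
SAMPLE_LOG = """\
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=32400
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51240 DPT=32400
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.51 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=445
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.60 DST=192.168.1.20 PROTO=TCP SPT=40002 DPT=9100
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.52 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.52 DST=239.255.255.250 PROTO=UDP SPT=49152 DPT=1900
kernel: [LAN_IN-LOG] IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.51 PROTO=TCP SPT=40003 DPT=22
kernel: [WAN_LOCAL-D] IN=eth8 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=44444 DPT=22
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text, prefix="[LAN_IN-LOG]"):
    """Count distinct (src, dst, proto, dport) flows logged under `prefix`."""
    hits = Counter()
    for line in text.splitlines():
        if prefix not in line:
            continue
        kv = dict(KV_RE.findall(line))
        if not all(k in kv for k in ("SRC", "DST", "PROTO")):
            continue  # truncated or unrelated line: skip rather than guess
        dport = int(kv["DPT"]) if kv.get("DPT") else None  # ICMP has no DPT
        hits[Flow(kv["SRC"], kv["DST"], kv["PROTO"], dport)] += 1
    return hits


def is_discovery(dst):
    """True for multicast/broadcast destinations (mDNS, SSDP, DHCP).

    This is the traffic that client isolation breaks: a per-host allow
    rule cannot fix it, so it is reported separately from unicast flows.
    """
    return ipaddress.ip_address(dst).is_multicast or dst == "255.255.255.255"


def candidate_rules(hits):
    """Turn observed flows into allow-rule text, busiest flows first."""
    unicast, discovery = [], []
    order = sorted(
        hits.items(),
        key=lambda kv: (-kv[1], kv[0].src, kv[0].dst, kv[0].proto,
                        kv[0].dport if kv[0].dport is not None else -1),
    )
    for flow, n in order:
        rule = (f"allow {flow.proto} {flow.src} -> {flow.dst} "
                f"dport {flow.dport} (seen {n}x)")
        (discovery if is_discovery(flow.dst) else unicast).append(rule)
    return unicast, discovery


if __name__ == "__main__":
    unicast, discovery = candidate_rules(parse_log(SAMPLE_LOG))
    print("Host-to-host flows to allow before the last rule becomes drop:")
    print("\n".join(unicast))
    print("\nDiscovery traffic (needs L2/multicast handling, not a host rule):")
    print("\n".join(discovery))
```

Run it against a real capture by feeding the router's syslog output into parse_log with whatever prefix the logging rule actually uses. Review the unicast list line by line before turning it into rules: the 192.168.1.50 -> 192.168.1.51 port 22 flow in the sample is the kind of workstation-to-workstation SSH that a lateral-movement lockdown exists to deny, and a hit count of one is not evidence that it belongs in the allow list.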