ER7206: No "stealth" possible, implementation of DMZ erroneous?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-08-05 13:02:02 - last edited 2022-01-19 11:12:00
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.1.1

Good day all,

I was trying to "harden" the security of my ER7206 router (in combination with the OC200 controller) a bit. I did a port scan via grc.com and saw the following results:

The above scan wasn't a big surprise: my ports 80 and 443 are indeed open. The shown "stealth" ports might be a default implementation, and the closed ports make sense, as this is the default response if a port is not reachable.

 

However, my goal is to have as many "stealthed" ports as possible, so in my case only ports 80 and 443 should be open and the rest should be "stealth". As the firewall doesn't seem to have an option not to respond on ports without services, I tried a "trick": set a DMZ pointing to an IP address which is not in use:

 

The result was as follows after doing a portscan:

 

 

Although the results are slightly better, why are some ports still reported as "closed"? I have three NAT rules: one for port 80, one for port 443 and the DMZ rule shown above.

 

Things got weirder after starting a second port scan with the DMZ set to purgatory (so still the same IP address which was not in use):

 

 

The results are different: some ports which were reported stealth previously are now reported closed and vice versa. A third scan showed -again- different results. How is that possible? It seems that there is a flaw in the DMZ implementation of this router.

 

Is anyone having the same issue? I have tried different firmware versions, but this problem exists in all versions.

 

My wish would be that there would be an option in the firewall to drop unsolicited traffic (and not report it as "closed"). Secondly, this might also be possible with the DMZ trick, but then the above findings should be fixed in my opinion, so that all non-NAT-ed ports are reported as stealth instead of closed.

#1
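What GRC calls "closed" versus "stealth" comes down to how the gateway answers an unsolicited SYN: a TCP RST (connection refused) is reported as "closed", while no reply at all (the scanner's connect times out) is reported as "stealth". The script below is an added example, not code from the original post or from TP-Link, that classifies ports the same way. It is constructed to run offline: the "open" and "closed" cases use a throwaway listener and a released port on 127.0.0.1, and the "stealth" case injects a connect function that never gets a reply (192.0.2.1 is a documentation address used only as a placeholder target). The `scan` helper can be pointed at your own WAN address from outside to reproduce the ShieldsUp result locally.

```python
import errno
import socket

# Added example. State names follow the GRC ShieldsUp convention:
#   "open"    -> SYN answered with SYN/ACK (connect succeeds)
#   "closed"  -> SYN answered with RST     (connection refused)
#   "stealth" -> nothing comes back        (connect times out)
# A gateway that answers unsolicited SYNs with RST shows "closed";
# one that silently drops them shows "stealth".

def classify_port(host, port, timeout=2.0, connect=socket.create_connection):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port.

    `connect` is injectable so the timeout path can be exercised without
    a real network (see demo_stealth below)."""
    try:
        s = connect((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # ICMP host/network unreachable: a reply, but from an intermediate
        # router rather than the target, so neither "closed" nor "stealth".
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    else:
        s.close()
        return "open"


def scan(host, ports, timeout=2.0):
    """Classify each port in `ports` and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def _start_listener():
    """Bind a throwaway TCP listener on loopback; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel completes the handshake even without accept()
    return srv, srv.getsockname()[1]


def _free_port():
    """Reserve an ephemeral port and release it, so a connect gets an RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_open():
    srv, port = _start_listener()
    try:
        return classify_port("127.0.0.1", port)
    finally:
        srv.close()


def demo_closed():
    return classify_port("127.0.0.1", _free_port())


def demo_stealth():
    """Simulate a silently dropped SYN: the injected connect never gets a reply."""
    def never_answers(addr, timeout=None):
        raise socket.timeout("no response from %s:%d" % addr)
    # 192.0.2.1 (TEST-NET-1) is a placeholder; never_answers ignores it anyway.
    return classify_port("192.0.2.1", 12345, timeout=0.5, connect=never_answers)


if __name__ == "__main__":
    print("open   :", demo_open())
    print("closed :", demo_closed())
    print("stealth:", demo_stealth())
```

Run it from a host outside your network as `scan("<your WAN IP>", range(1, 1024))` to see the same open/closed/stealth split the ShieldsUp page reports; the "unreachable" state is kept separate because an ICMP unreachable is still a reply, just not one from the gateway itself.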
1 Accepted Solution
Re:ER7206: No "stealth" possible, implementation of DMZ erroneous? -Solution
2022-01-19 11:11:51 - last edited 2022-01-19 11:12:00

Dear @Tha_host,

 

Tha_host wrote

However, my goal is to have as much "stealthed" ports as possible, so in my case, only port 80 and 443 should be open, the rest should be "stealth". 

 

The R&D team has made a Beta firmware to optimize the issue above. 

 

You are welcome to install the Beta firmware and comment with your feedback in the solution post below:

 

Solution: Omada Gateway Cannot Get Full Stealth On The GRC ShieldsUp Test.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
#2
Re:ER7206: No "stealth" possible, implementation of DMZ erroneous?
2022-01-19 12:52:44

@Fae Thank you for your support. I've tested it and it works like a charm! I hope this function will make it into the final firmware version.

 

Thanks again!

#3
Re:ER7206: No "stealth" possible, implementation of DMZ erroneous?
2022-01-20 00:59:30

Dear @Tha_host,

 

Tha_host wrote

@Fae Thank you for your support. I've tested it and it works like a charm! I hope this function will make it into the final firmware version.

 

Thank you for your valued feedback!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#4