Firewalla Gold and Fing: How do I monitor an outage?

Firewalla and Fing. In the picture, 1 is ISP > 2 FWG > 2.1 Bitdefender Box 2 (AP) > 2.2 switch > 2.2.1 camera > 2.2.2 Fing

Fing sends me hella notifications about bitdefender box (wifi radio signal) going on and off. Signal is constant. If I turn off notifications on Fing, that stops the alerts, but limits the monitoring function. I'd like to differentiate between ISP outage, wifi disruption, and so on. 

Any ideas where I should plug this thing in or what I should do?

Answers

  • Robin (Administrator, Fing Team)
    Hi,
    The way the Fingbox works is through ARP poisoning and DNS spoofing. So what is happening is that when you block a single device, the computer's DHCP address and DNS entries get changed and pointed to the Fingbox. So this device is not blocked from getting to the internet or internal resources.

    The Firewalla also uses ARP spoofing to become the gateway for the network in a way that triggers Fingbox's alarms. Firewalla may use MAC randomization, which means that the MAC address of the computer can change; it will simply change MAC address and get a new IP address, thus producing an alert from Fingbox.

    Both Firewalla and Fingbox can work side by side. Some of the features like Internet pause/block might not work if Firewalla is installed. You can try to put Firewalla in passive mode and then connect Fingbox to the router actively. This network setup should be able to maintain the network. Please follow these steps:

    1. You can turn monitoring off on Fingbox in the Firewalla app, so that Firewalla won't ARP spoof Fingbox, and Fingbox won't report a gateway change alert.

    2. If you don't use the blocking feature in Fingbox, it won't trigger ARP spoofing against devices. But if you want to use the blocking feature, the ARP spoof messages from Fingbox may interfere with how Firewalla works. Our recommendation would be to use the Firewalla app to block devices.

    Robin (Admin at Fing)
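An added example, not code from Fing, Firewalla or anyone in this thread, showing what the "gateway change alert" Robin describes looks like at the ARP level. It diffs two `arp -a` snapshots (constructed here, as are all MACs and IPs), reports when the gateway IP's MAC changes and which other IP now answers with that same MAC, and lets a known Firewalla MAC be allow-listed so its by-design spoofing is classified as expected rather than as a rogue gateway.

```python
import re
from typing import Dict, Optional, Set

# Constructed `arp -a` snapshots in macOS/BSD format (not captured from a real network).
# Between them, 192.168.1.1 stops resolving to the router's MAC and starts resolving to
# the MAC of 192.168.1.200, i.e. some host has inserted itself as the gateway.
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at aa:bb:cc:00:00:01 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:00:00:20 on en0 ifscope [ethernet]
? (192.168.1.200) at aa:bb:cc:00:00:f1 on en0 ifscope [ethernet]
"""
SNAPSHOT_AFTER = """\
? (192.168.1.1) at aa:bb:cc:00:00:f1 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:00:00:20 on en0 ifscope [ethernet]
? (192.168.1.200) at aa:bb:cc:00:00:f1 on en0 ifscope [ethernet]
"""

# Matches the "(ip) at mac" part of each line; entries with "(incomplete)" have no MAC and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> lower-cased MAC from `arp -a` output."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_LINE.finditer(text)}


def gateway_change(before: Dict[str, str], after: Dict[str, str], gateway_ip: str,
                   expected_macs: Optional[Set[str]] = None) -> Optional[dict]:
    """Return None if the gateway's MAC is unchanged, else a report of the change.

    'also_claimed_by' lists other IPs whose MAC equals the gateway's new MAC: one MAC answering
    for two IPs is the signature of a host taking over the gateway role (a Firewalla or Fingbox
    does this on purpose). 'status' is 'expected' when that MAC is on the allow-list.
    """
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old is None or new is None or old == new:
        return None
    sharers = sorted(ip for ip, mac in after.items() if mac == new and ip != gateway_ip)
    status = "expected" if new in (expected_macs or set()) else "gateway_change_alert"
    return {"status": status, "old_mac": old, "new_mac": new, "also_claimed_by": sharers}


if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER)
    print(gateway_change(before, after, "192.168.1.1"))
    # Allow-listing the Firewalla's MAC (constructed value) turns the same event into "expected".
    print(gateway_change(before, after, "192.168.1.1", {"aa:bb:cc:00:00:f1"}))
```

Running this against periodic real snapshots is the manual equivalent of leaving Fingbox's alert on but teaching it which gateway takeover is your own Firewalla.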
  • FingyFangz (Member)
    Cool. OK, so I've turned off FWG monitoring for the Fingbox device only.

    Haven't moved it over to the ISP router, because I want to know how Fingbox is able to read information on other FWG devices. 

    And maybe this is a Firewalla question, but if I have a rule set to port 3 (where the switch that Fing is on is connected) that blocks all traffic to/from all local networks (the other FWG ports) how exactly is Fingbox able to go in and retrieve any data? 

    Thanks.
  • SRP (Member, LA), edited April 27

    The FWG can only block traffic between networks/devices when it is directly involved in the route traffic takes.

    If your topology is FWG Port 3 -> switch -> Fingbox & other devices are connected to that switch then connections can be made between the FB and those other devices directly via the switch without FWG involvement. If one of those other devices connected to the switch is an AP then connections can be made between devices on the AP directly, and to all those wired into the switch - the AP acts like a second switch to all intents and purposes.

    In other words, the FWG, or any firewall for that matter, can only block traffic that passes through it and switches provide bypass routes.

    Finally, are you running the FWG in router, DHCP or simple mode? It's only in the latter that you run into conflicts with ARP spoofing I believe. I run my FWG in router mode with a Fingbox with no issues.

    If you've got the other ports on the FWG running different LAN/VLAN networks, with DHCP serving discrete local IP ranges and subnets, the Fingbox won't be able to see these networks or the devices on them. If you don't have these set up, I believe the FWG bridges the spare ports and the Fingbox will.

    I hope that helps.

    Cheers,

    S.

  • FingyFangz (Member)

    So yeah, basically, someone has the power to get past my network defense and physically enter my apartment undetected by cameras and alarms etc.

    Check out the photo, and tell me where you'd plug in the Fing box. Any other suggestions?

    I've got the Bitdefender Box 2 as my AP. Worked for a couple of weeks. Eventually someone found a path through and it gets shut down sometimes (security features disabled with full connectivity or worse) and had to reset every other day or so. Better, with the FWG but not great. One device at a time, I'm attempting to secure my network. A Gryphon AC1200 arrives tomorrow, so maybe I'll have more luck with that. Should I use both APs to make things more complicated? Any other devices that do different things? I've got a VPN client service on the FWG in addition to the macbook/iphone. Using a password service and secure email as well.

    Just did a factory reset of the Fingbox (on the switch) and it says a few things:
    • I'm connected to Bitdefender Box
    • Firewalla device is blocked (monitoring off)
    • BD Box and Alarm occasionally connecting/disconnecting a lot (with full connectivity)
    All devices visible (even with the Firewalla rules blocking traffic from/to all local networks).
    Also have a RATtrap on the way. Maybe redundant. In front of the cameras or something?

    Wish I had the skills to just use FWG to find the IP addresses that are causing the problems, or to see what the heck is happening and why my cameras flash at me or record when disabled, why my computer has ghost windows and acts like someone is in there, or why I get logged out of apps due to logging in elsewhere. The list goes on. 

    Thanks so much for the recommendations! 


  • SRP (Member, LA), edited April 27
    Hi @FingyFangz,
    Thanks for the photo. That helps a lot.
    Since you’ve got your FWG set up in router mode with segmented networks you’re in a good spot. The FWG rule blocking traffic from and to all other local networks will stop each of these segmented networks seeing each other. You may want to look into variations of this that block only traffic from other local networks so that one of your devices can access all the others in your different subnets for management purposes.

    As I said in my previous post whilst the rules on the FWG stop devices from network 2 connecting with network 3 and 4 and vice versa, they won’t stop devices connected on your APs connecting with others on the same AP, nor devices connected to the switch communicating with each other. This has only ever proved frustrating to me when I believed quarantining a newly discovered device totally locked it down using the rule you mention. Additionally I block internet traffic to and from quarantined devices. For some reason the default FWG quarantine rule doesn’t do this!

    OK, now where to put the Fingbox? As you already know, the Fingbox does some nice stuff that the FWG doesn’t. They overlap in some areas like device blocking and parental controls, but where the Fingbox really differentiates itself is in device recognition, Wi-Fi SSID security monitoring, user identification, speed testing and Wi-Fi fencing. I’m not familiar with the Bitdefender box but it seems this does some very similar stuff too. With your setup, however, because you’ve split your network into three subnets you’d need three Fingboxes in theory to monitor the entire thing. A FB is only aware of the devices on the network segment it is connected to.

    Given you’ve got a single FB I’d put it on segment 3, the one connected to your AP marked Gryphon. If this AP doesn’t have Ethernet ports to plug the FB into then you’d need a small gang switch between each AP and the FWG to achieve this. Your unused 8 port switch would serve this purpose on network branch 3 but perhaps be a bit of an overkill. :)

    I probably wouldn’t bother with a FB on FWG port 4 since there’s no Wi-Fi on this and instead rely upon the FWG monitoring solely for this branch of your network. If you wanted to supplement the Bitdefender functionality then you’d need to purchase a second Fingbox and put it on segmented network branch 2.

    I’m not personally familiar with the RATtrap but it appears this crosses over with the FWG firewall functionality a lot. I’ve found the FWG to be great as a Firewall personally so I’d probably stick with just that and not have multiple firewalls running.

    I hope this is useful and good luck keeping out the bad actors!

    Cheers,

    S.