Turning off IPv4/IPv6 in Synology DiskStation (DSM 6.1.3-15152 Update 8)

I would like to share a short but useful experience that I had a few days ago when I was running a project for a customer. The project consisted of installing and configuring a Synology NAS. The given NAS has some interesting capabilities such a virtualization through a QEMU engine, among others. So, I dedicated a NIC for the NAS's I/O, and the others for the I/O of the VMs. The challenge started when I was configuring the physical NICs for the VMs due to I wanted to configure those just as an ethernet-passthrough, without the presence of IP by the host (NAS). Synology DSM has a straightforward option for disabling IPv6 through the GUI. It is very intuitive, just follow the path "Control Panel -> Network -> Network Interface -> LAN X -> Edit -> IPv6 -> IPv6 setup = Off.", that is it. But, the behavior changes for IPv4. That is to say, when speaking of IPv4 on Synology DSM, it offers only two options through the GUI (getting an IPv4 by DHCP and static assignment). But, I didn’t want to set a static IPv4 address for the dedicated physical NICs for the VMs, nor getting an IP by DHCP. In addition, as expected if a NIC is placed in a VLAN without a DHCP server (DMZ, for instance), the given NIC sets an APIPA address (even when the interface is disconnected).

Refer to the following screen-shoots to get a better idea of it.

Therefore, after some researching without any positive results, I fixed this inconvenient through the following steps (DISCLAIMER: the procedure is NOT described by Synology)

My first attempt was setting up a script to flush any IPv4 address from the VM's dedicated NICs. The script was run during the NAS boot-up process. It worked, but only for a few seconds due to SDM sends a DHCP Discover every 60 secs.

ip addr flush dev ovs_eth1
ip addr flush dev ovs_eth2
ip addr flush dev ovs_eth3


Eventually, I was forced to disabling the DHCLIENT in a abrupt manner. I did it by removing the DHCLIENT “executable”.

cp /usr/sbin/dhclient /usr/sbin/dhclient-COPY && rm /usr/sbin/dhclient

In conclusion, it is working, but if somebody has a suggestion please share to improve it.

Performing a Transparent Proxy by running PFSense Firewall + Cisco Route-Maps.

Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communications at the network layer without requiring any special client configuration. (Wiki)

There are several options to perform a transparent proxy, being Squid one of the most popular software to implement it. The easiest way to implement a transparent proxy is setting it up as a default gateway. Nevertheless, it is not possible to implement it in a whole scenario. So, The Web Cache Communication Protocol (WCCP) was developed by Cisco Systems and adopted by other vendors. WCCP is one of the best choice to do a transparent proxy, however, it increases the complexity setup at the server side. Therefore, to simplify its implementation, I decided to do it in a different manner by running Route-Maps.

Let’s check the following configuration in order to accomplish this job.

Lab resources:
GNS3 (2.0.3) and VMWare WorkStation (12.5.7) as the framework.
Router image. (vios-adventerprisek9-m)
MLS Switch image. (vios_l2-adventerprisek9-m)
PFSense (community 2.3.4)
PC client. (Linux box 3.16.6-tinycore)

The focus of this configuration is the interactivity between PFSense and the MLS Switch.

PFSense was started from a fresh installation. Only one NIC was add, therefore the VLAN sub-interfaces had to be configured. VLAN10 has a subnet 172.16.0.0/27, while VLAN20 has a subnet 172.16.1.0/31. The default route was placed at the VLAN 20, so packets coming from VLAN10 are forwarded through VLAN20. In addition, NAT was completely disabled. Then, Squid and iftop packages were installed. Once Squid was installed and started, some basic changes were necessary to enable the transparent proxy feature.

The next step was configuring the MLS Switch (or router). IP Policy was enabled on the SVI 10, so that the packets that meet the IP policy be forwarded to PFSense, otherwise packets have to continue the established path by the routing table. Below, the router and MLS's configurations to get a better standpoint of the exposed so far

Building configuration... Current configuration : 4568 bytes ! ! Last configuration change at 20:05:50 UTC Tue Aug 8 2017 ! version 15.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config ! hostname mls ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! ! !          vtp mode transparent ! ip dhcp excluded-address 172.16.0.29 172.16.0.30 ! ip dhcp pool DHCP-POOL-VLAN10  network 172.16.0.0 255.255.255.224  default-router 172.16.0.1   dns-server 10.10.10.1  ! ! ip cef no ipv6 cef ! ! ! spanning-tree mode rapid-pvst spanning-tree portfast edge default spanning-tree portfast edge bpdufilter default spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 10,20  ! track 1 ip sla 1 reachability ! !  ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/1  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto !          interface GigabitEthernet0/2  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto ! interface GigabitEthernet0/3  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto ! interface GigabitEthernet0/0  no switchport  ip address 10.10.10.0 255.255.255.254  negotiation auto ! interface GigabitEthernet1/0  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto ! interface GigabitEthernet1/1  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto ! interface GigabitEthernet1/2  switchport access vlan 10  switchport mode access  switchport nonegotiate  media-type rj45  negotiation auto ! interface GigabitEthernet1/3  switchport trunk encapsulation dot1q  switchport mode trunk  switchport nonegotiate  media-type rj45  negotiation auto ! interface Vlan10  ip address 172.16.0.1 255.255.255.224  ip policy route-map RM-PROXY ! interface Vlan20  ip address 172.16.1.0 255.255.255.254 ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 10.10.10.1 254 ! ip access-list extended ACL-ROUTE-MAP  permit tcp 172.16.0.0 0.0.0.31 any eq www 443 ! ip sla 1  icmp-echo 172.16.0.29 source-ip 172.16.0.1  threshold 500  timeout 1000  frequency 1 ip sla schedule 1 start-time now ip sla logging traps ! route-map RM-PROXY permit 10  match ip address ACL-ROUTE-MAP  set ip next-hop verify-availability 172.16.0.29 20 track 1 ! route-map RM-PROXY permit 20  match ip address ACL-ROUTE-MAP  set ip next-hop 172.16.0.29 ! ! ! control-plane ! banner exec ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C banner incoming ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C banner login ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C ! line con 0  exec-timeout 0 0  privilege level 15  logging synchronous line aux 0 line vty 0 4  login ! ! end

sh runn Building configuration... Current configuration : 3402 bytes ! version 15.6 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname router ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ethernet lmi ce ! ! ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ! ! ! ! ! ! ! ! ! ! ! ip name-server 172.16.118.2 ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! redundancy !          ! !  ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0  ip address 10.10.10.1 255.255.255.254  ip nat inside  ip virtual-reassembly in  duplex auto  speed auto  media-type rj45 ! interface GigabitEthernet0/1  ip address 172.16.118.254 255.255.255.0  ip nat outside  ip virtual-reassembly in  duplex auto  speed auto  media-type rj45 ! interface GigabitEthernet0/2  no ip address  shutdown  duplex auto  speed auto  media-type rj45 ! interface GigabitEthernet0/3  no ip address  shutdown  duplex auto  speed auto  media-type rj45 ! ip forward-protocol nd !          ! no ip http server no ip http secure-server ip dns server ip nat inside source list ACL-PAT-VLAN10 interface GigabitEthernet0/1 overload ip route 0.0.0.0 0.0.0.0 172.16.118.2 254 ip route 172.16.0.0 255.255.255.224 10.10.10.0 ip route 172.16.1.0 255.255.255.254 10.10.10.0 ! ip access-list extended ACL-PAT-VLAN10  permit ip 172.16.0.0 0.0.0.31 any ! ! ! ! control-plane ! banner exec ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C banner incoming ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C banner login ^C ************************************************************************** * IOSv is strictly limited to use for evaluation, demonstration and IOS  * * education. IOSv is provided as-is and is not supported by Cisco's      * * Technical Advisory Center. Any use or disclosure, in whole or in part, * * of the IOSv Software or Documentation to any third party for any       * * purposes is expressly prohibited except as otherwise authorized by     * * Cisco in writing.                                                      * **************************************************************************^C !          line con 0  exec-timeout 0 0  privilege level 15  logging synchronous line aux 0 line vty 0 4  login  transport input none ! no scheduler allocate ! end

Results:
As the screenshots show, once the IP Policy is up, every packet addressed to a L4 port defined on the extended ACL, will be forwarded to the PFSense box in order to be allowed or denied, according the Squid policy already defined. For example, the first screenshot shows that the browser got access to Google. Take a look the certificate is not the Google valid certificate, instead it is a self-signed certicate, but the access was permitted. Then, the next screenshot shows that even when Facebook is carried over SSL, the access was denied.

Then, the boxes show current status of the IP Policy and each one of its elements.

sh ip sla statistics details  IPSLAs Latest Operation Statistics IPSLA operation id: 1 Latest RTT: 1 milliseconds Latest operation start time: 21:05:48 UTC Tue Aug 8 2017 Latest operation return code: OK Over thresholds occurred: FALSE Number of successes: 3542 Number of failures: 29 Operation time to live: 0 Operational state of entry: Inactive Last time this entry was reset: Never

sh track                      Track 1   IP SLA 1 reachability   Reachability is Up     2 changes, last change 01:44:47   Latest operation return code: OK   Latest RTT (millisecs) 1   Tracked by:     Route Map 0

sh route-map                  route-map RM-PROXY, permit, sequence 10   Match clauses:     ip address (access-lists): ACL-ROUTE-MAP    Set clauses:     ip next-hop verify-availability 172.16.0.29 20 track 1  [up]   Policy routing matches: 6105 packets, 458966 bytes route-map RM-PROXY, permit, sequence 20   Match clauses:     ip address (access-lists): ACL-ROUTE-MAP    Set clauses:     ip next-hop 172.16.0.29   Policy routing matches: 0 packets, 0 bytes

sh ip policy                  Interface      Route map Vlan10         RM-PROXY

Troubleshooting:
Adding a new statement that include ICMP protocol on the top of the Route-Map ACL, and launching a traceroute from the client host, can gives a step by step of how the packets are been carried. Also, iftop be launched in the PFSense box to displays the packets incoming and outgoing on each VLAN subinterface.

Conclusion:
As we can see, it is an option when a transparent-proxy needs to be run. It does not need any configuration at the client side. Also if the transparent-proxy stops, the clients still reach their destination, and the most important is, HTTP/HTTPS policies can be applied.

Graylog GNS3 VMWare Cisco Systems Ubuntu Linux

Implementing VLAN ACLs in a Cisco Systems Switch

How many times have we needed to protect a given host from its neighbors of the same Broadcast Domain (VLAN)? As is widely known this kind of practice is often performed by implementing local Firewalls on Workstation and Servers. For example, Linux has IPTables, Windows since the release XP includes Windows Firewall and Apple OS-X has a Firewall service as well. Also, the requirement can be performed by third party vendors such as Symantec, F-Secure and so on.

The coming example wants to demonstrate how a Cisco Systems Switch is able to perform this goal by implementing VLAN ACLs (VACL). Please keep in mind there is not any routing process involved, even more, the switch has not IP routing enabled.

The given topology has not anything specialized, only three computers connected to a switch. One of those computers runs Linux, other runs Windows and the other one runs OS-X. The Switch is a Cisco Systems Catalyst 3560, which runs IOS c3560-ipservicesk9-mz.122-55.SE11.bin. In addition, the Switch has almost its default configuration, I only added VLAN11 and some more commands, nothing special. The initial configuration is shared below.

version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname switch01 ! boot-start-marker boot-end-marker ! ! ! ! no aaa new-model system mtu routing 1500 vtp mode transparent ! ! ! ! ! ! ! ! spanning-tree mode pvst spanning-tree portfast default spanning-tree portfast bpdufilter default spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 11 name Lab ! ! ! ! interface FastEthernet0/1 switchport access vlan 11 switchport mode access ! interface FastEthernet0/2 switchport access vlan 11 switchport mode access ! interface FastEthernet0/3 switchport access vlan 11 switchport mode access ! interface FastEthernet0/4 switchport access vlan 11 switchport mode access ! interface FastEthernet0/5 switchport access vlan 11 switchport mode access ! interface FastEthernet0/6 switchport access vlan 11 switchport mode access ! interface FastEthernet0/7 switchport access vlan 11 switchport mode access ! interface FastEthernet0/8 switchport access vlan 11 switchport mode access ! interface FastEthernet0/9 switchport access vlan 11 switchport mode access ! interface FastEthernet0/10 switchport access vlan 11 switchport mode access ! interface FastEthernet0/11 switchport access vlan 11 switchport mode access ! interface FastEthernet0/12 switchport access vlan 11 switchport mode access ! interface FastEthernet0/13 switchport access vlan 11 switchport mode access ! interface FastEthernet0/14 switchport access vlan 11 switchport mode access ! interface FastEthernet0/15 switchport access vlan 11 switchport mode access ! interface FastEthernet0/16 switchport access vlan 11 switchport mode access ! interface FastEthernet0/17 switchport access vlan 11 switchport mode access ! interface FastEthernet0/18 switchport access vlan 11 switchport mode access ! interface FastEthernet0/19 switchport access vlan 11 switchport mode access ! interface FastEthernet0/20 switchport access vlan 11 switchport mode access ! interface FastEthernet0/21 switchport access vlan 11 switchport mode access ! interface FastEthernet0/22 switchport access vlan 11 switchport mode access ! interface FastEthernet0/23 switchport access vlan 11 switchport mode access ! interface FastEthernet0/24 switchport access vlan 11 switchport mode access ! interface FastEthernet0/25 switchport access vlan 11 switchport mode access ! interface FastEthernet0/26 switchport access vlan 11 switchport mode access ! interface FastEthernet0/27 switchport access vlan 11 switchport mode access ! interface FastEthernet0/28 switchport access vlan 11 switchport mode access ! interface FastEthernet0/29 switchport access vlan 11 switchport mode access ! interface FastEthernet0/30 switchport access vlan 11 switchport mode access ! interface FastEthernet0/31 switchport access vlan 11 switchport mode access ! interface FastEthernet0/32 switchport access vlan 11 switchport mode access ! interface FastEthernet0/33 switchport access vlan 11 switchport mode access ! interface FastEthernet0/34 switchport access vlan 11 switchport mode access ! interface FastEthernet0/35 switchport access vlan 11 switchport mode access ! interface FastEthernet0/36 switchport access vlan 11 switchport mode access ! interface FastEthernet0/37 switchport access vlan 11 switchport mode access ! interface FastEthernet0/38 switchport access vlan 11 switchport mode access ! interface FastEthernet0/39 switchport access vlan 11 switchport mode access ! interface FastEthernet0/40 switchport access vlan 11 switchport mode access ! interface FastEthernet0/41 switchport access vlan 11 switchport mode access ! interface FastEthernet0/42 switchport access vlan 11 switchport mode access ! interface FastEthernet0/43 switchport access vlan 11 switchport mode access ! interface FastEthernet0/44 switchport access vlan 11 switchport mode access ! interface FastEthernet0/45 switchport access vlan 11 switchport mode access ! interface FastEthernet0/46 switchport access vlan 11 switchport mode access ! interface FastEthernet0/47 switchport access vlan 11 switchport mode access ! interface FastEthernet0/48 switchport access vlan 11 switchport mode access ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 ! interface GigabitEthernet0/4 ! interface Vlan1 no ip address shutdown ! ip classless no ip http server no ip http secure-server ! ! ! ! ! line con 0 line vty 5 15 ! end

Each computer has a static IP address assigned:
192.168.11.1/24 - - > Windows computers
192.168.11.11/24 - - > Linux box
192.168.11.111/24 - - > Apple computer

By the way, the switch has not a IP address assigned, because it is not required.

The Windows computer has Windows Firewall disabled, and the service of File and Printer Sharing (SMB) enabled.

The Linux box is publishing three folders by running python -m SimpleHTTPServer TCP-PORT. The web publishing service is assigning an unique TCP port to each folder, from 10001 to 10003.

The OS-X computer manages the switch through a serial port, sends some pings to Windows (192.168.11.1) and the Linux box (192.168.11.11), displays the content of each web folder (Text01, Text02...) and connects to the Windows computer through SMB. Everything happens as expected, everything is normal, nothing fancy.

The interesting thing starts once the VACL commands are introduced to the switch. As you can noticed in the video below, the Windows computer continues working normally. That is to say, Windows continues answering PING and sharing folders.

The lab has been focused on the Linux box. So, after introducing the VACLs commands in the switch, the Linux box stopped answering PING, also the administrator has decided to disable the TCP port 10003 to be reachable by the hosts in the same VLAN.

Let's watch a video to get a visual idea, step by step of the described topology.

The commands used by the VLAN ACL are shared below:

vlan access-map VACCESS-MAP-11 10 action forward match ip address VACL11-webfolder01 vlan access-map VACCESS-MAP-11 20 action forward match ip address VACL11-webfolder02 vlan access-map VACCESS-MAP-11 30 action drop match ip address VACL11-Ubuntu vlan access-map VACCESS-MAP-11 40 action forward ip access-list extended VACL11-webfolder01 permit tcp any any eq 10001 permit tcp host 192.168.11.11 any established ip access-list extended VACL11-webfolder02 permit tcp any any eq 10002 permit tcp host 192.168.11.11 any established ip access-list extended VACL11-Ubuntu permit ip any host 192.168.11.11 vlan filter VACCESS-MAP-11 vlan-list 11

In addition to the first example, I would like to share one more example.

The next example consists of only two computers connected to a Cisco Systems switch. The switch has its configuration almost by default, only the switch ports have been modified as access ports. So, everything is running in VLAN1.

Each computer has two IP address statically assigned:
192.168.100.11/24 and 192.168.200.11/24 - - > Apple computer
192.168.100.12/24 and 192.168.200.12/24 - - > Linux box
As the coming video shows, each computer can PING request and reply without any problem. But, as soon the VACL commands are deployed in the Switch, the normal development changes, and the addresses corresponding to the network 192.168.200.0/24 are sudenly stopped.

The commands used by the VLAN ACL are shared below:

ip access-list standard VACL-VLAN1 permit 192.168.100.0 0.0.0.255 vlan access-map VACCESS-MAP-1 10 action forward match ip address VACL-VLAN1 vlan filter VACCESS-MAP-1 vlan-list 1

Conclusion:

Deploying VACLs could be considered an important security feature for our networks. Also, in this manner, an administrator can avoid applying features locally in servers and workstations, instead running this features in specialized equipment for saving performance to the host and getting a more granular control.