Time Capsule firewall allows broadcast traffic

It appears that Time Capsule will forward broadcast traffic from the LAN side to WAN and allow responses back. I would have thought that when the Router Mode was set to "DHCP and NAT" that this wouldn't happen. It seems like this might be a security flaw.
Here's my setup, and why I believe this is the case:
Comcast Xfinity service -> Motorola SB6121 -> Time Capsule (latest generation 7.6.1 software) -> Netgear GS116 -> home network with airport express and various hard-wired and WiFi devices.
The SB6121 cable modem is wired directly to the WAN port on the Time Capsule. And then the first LAN port on the Time Capsule is wired directly to the Netgear switch. And then everything else is wired directly to the Netgear switch. The Time Capsule's DHCP server is set to hand out addresses in the 172.16.0.2 to 172.16.0.200 range and so everything in my home network should be getting addresses in that range.
The SB6121 is not a gateway or router - it's just a modem, but does still have a weird little DHCP server that is supposedly only active when the cable service is dead, but in practice (at least for me) seems to always be on. And there's no way to turn it off, at least from my end - perhaps Comcast could, but that's a black hole. This weird little DHCP server is hard-wired to hand out addresses between 192.168.100.11 and 192.168.100.42 and there's no way to configure it differently.
What I see though (which makes me think there is a security flaw in the Time Capsule firewall) is that DHCP requests from my home network are sometimes answered by the SB6121's DHCP server instead of the Time Capsule's. I say "sometimes" because most of my Apple equipment (laptops, iPhones, iPads and a Mac Mini) get configured with 172.16.0.X addresses. But most non-Apple equipment is getting 192.168.100.X addresses - this includes a Denon AV receiver and Comcast cable box. But I also have an Airport Express (latest version, 7.6.2 software) - its Router Mode is set to "Off (Bridge Mode)", but if its Internet -> Connect Using: is set to DHCP it also gets a 192.168 address.
I thought maybe it was just the hard-wired devices getting the 192.168 addresses, but they're not. The Mac Mini is hardwired and gets the right address range. And then I thought that all WiFi devices were getting 172.16 addresses, but they're not. I have a "Nest" thermostat that connects to the WiFi and gets a 192.168 address.
Obviously there are several problems here - having multiple DHCP servers on a network is a recipe for disaster. But it seems to me that the Time Capsule is misbehaving. The weird little DHCP server on the cable modem on the WAN side of the Time Capsule shouldn't be accessible from my home network. The Time Capsule shouldn't be passing broadcast DHCPDiscover packets from the LAN side through to the WAN side.
I've been all through the Time Capsule settings and don't see a way to further lock down the WAN-LAN connection. I suppose I could get a managed switch or "real" firewall to stick between the cable modem and the Time Capsule and use it to block traffic, but I shouldn't have to. And I suppose I could ask Comcast to disable the DHCP server on the cable modem, but I don't have the fortitude to sit on hold for hours trying to explain it to them. Or I suppose I could get a different cable modem that doesn't have the silly DHCP server, and maybe that's the ultimate answer, but I still think the Time Capsule has a flaw.
I got the SB6121 plus Time Capsule combination specifically because I didn't want fidgety stuff to deal with. I could have gotten a router supporting DD-WRT if I wanted to play network engineer at home, but I do that at work and just wanted something I didn't have to debug or think about.
Anybody in a similar situation or have suggestions?
If you got this far, thanks for listening.
-dave.
(Oh yeah, I swapped the Time Capsule with the Airport Express -- latest model with WAN and LAN ports -- and got the exact same behavior. I suspect that all Airport models just treat the multiple ethernet ports as a dumb layer two switch and blindly forward ethernet broadcast traffic from one port to all the others.)
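The symptom described in this post (LAN DHCPDISCOVER broadcasts answered by a server other than the Time Capsule) can be spotted passively by inspecting the DHCPOFFER packets that come back. The following is an added example, not code from the original post or from Apple: it constructs two DHCPOFFER packets plus a DISCOVER, decodes them according to the RFC 2131 layout, and flags any offer whose server identifier or offered address falls outside the expected Time Capsule pool. Only the 172.16.0.2-200 pool and the 192.168.100.11-42 modem range come from the post; the Time Capsule LAN address 172.16.0.1, the modem address 192.168.100.1 and the client MAC are assumed values.

```python
import ipaddress
import struct

# From the post: the Time Capsule hands out 172.16.0.2 .. 172.16.0.200.
EXPECTED_POOL = (ipaddress.IPv4Address("172.16.0.2"),
                 ipaddress.IPv4Address("172.16.0.200"))
# Assumed (not stated in the post): the Time Capsule's own LAN address.
EXPECTED_SERVER = ipaddress.IPv4Address("172.16.0.1")

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 options marker
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the cookie


def build_dhcp(msg_type, xid, client_mac, yiaddr="0.0.0.0", server_id=None):
    """Constructed test packet (not a capture): fixed header, cookie, options."""
    op = BOOTREPLY if msg_type in (2, 5, 6) else BOOTREQUEST
    header = struct.pack(
        FIXED_HEADER, op, 1, 6, 0, xid, 0, 0x8000,        # flags: broadcast bit
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,  # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,                             # siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(pkt):
    """Decode the fields we need and walk the TLV option list defensively."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option payload")
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": ipaddress.IPv4Address(pkt[16:20]),
            "chaddr": pkt[28:28 + min(hlen, 16)],
            "options": options}


def classify_offer(pkt):
    """Return ("ok" | "rogue" | "ignored", explanation) for one DHCP packet."""
    msg = parse_dhcp(pkt)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\0")[0]
    if mtype != 2:
        return "ignored", f"{MSG_TYPES.get(mtype, mtype)} is not an OFFER"
    raw = msg["options"].get(OPT_SERVER_ID)
    server = ipaddress.IPv4Address(raw) if raw and len(raw) == 4 else None
    yiaddr = msg["yiaddr"]
    reasons = []
    if server != EXPECTED_SERVER:
        reasons.append(f"server identifier {server} is not {EXPECTED_SERVER}")
    if not EXPECTED_POOL[0] <= yiaddr <= EXPECTED_POOL[1]:
        reasons.append(f"offered {yiaddr} is outside "
                       f"{EXPECTED_POOL[0]}-{EXPECTED_POOL[1]}")
    if reasons:
        return "rogue", "; ".join(reasons)
    return "ok", f"offer {yiaddr} from {server}"


def demo():
    mac = b"\xaa\xbb\xcc\x00\x00\x01"   # constructed client MAC
    packets = {
        "time_capsule": build_dhcp(2, 0x1234, mac, "172.16.0.57", "172.16.0.1"),
        # Assumed modem address 192.168.100.1; .11 is inside its fixed range.
        "cable_modem": build_dhcp(2, 0x1234, mac, "192.168.100.11", "192.168.100.1"),
        "client_discover": build_dhcp(1, 0x1234, mac),
    }
    return {name: classify_offer(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:16} {verdict:8} {why}")
```

Fed with real frames (for example the UDP payload of port 68 traffic from a packet capture on the LAN), the same `classify_offer` call tells you which server is winning the race for each client, which is the evidence to hand to the vendor or ISP.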

Thanks for reporting this.. I think you should advise Apple of this flaw.. It is a serious flaw.
The cable modems are always made with local IP address so you can check the settings and the DHCP in them is designed for using a block of public IP addresses.. ie.. if you were extremely rich.. you buy a block of IP addresses from the ISP, plug the modem directly to a switch. And every client that joined would get a public IP address. Since ISPs are not that generous as to actually hand out more than one IP, (our local cable ISP in Australia, Telstra actually gives out 3 for free). The modem however will switch from public to private IP address when it does so, once the first address is allocated. There is no security risk as that private IP has no internet connection. (Test it and see, but any device getting 192.168 address should have no internet connection). The Modem has no NAT.. so it is purely for internal purposes.
When you tested the Airport Express, did you set it up to 172.16.x.x range as well?
Could you please test if you haven't already the TC at its native IP address and range?
Domestic routers often fail to work properly if used off their default range.. somewhere in the coding they have fixed some addressing, instead of correctly using settings you put in. This is not at all unusual actually. My advice to people is always stick with default unless you really want some pain.
If you are happy with pain, I would ensure all names are set to SMB standard.. as it sounds like you know networks I presume you would already do this. Apple names are ghastly things.
Stick to short, no spaces, pure alphanumeric names for everything.
Make sure the dhcp range includes enough addresses that it cannot run out..the normal standard is 2-200.
If the lease time is set to 1day default, set it to 20min.
I would also turn off ipv6 (maybe only possible on the client). That does seem to lead to confusion.
If necessary you should be able to use static IP reservation via the dhcp setting in the TC.. that might also help.
Are you running a 5.6 utility to do the setup?? If not you must!!
You can load it even into Mountain Lion with a bit of fiddling.
Check logs and setup the reservation for any devices failing to get IP correctly.
And yes, in the end you may have to simply use a more standard router.. and hive off the TC to bridged role.

Similar Messages

  • Time capsule only allows 2 devices at a time as a router.  If I am using the iphone and macbook pro, it bumps the roku offline.  Any suggestions?

    time capsule only allows 2 devices at a time as a router.  If I am using the iphone and macbook pro, it bumps the roku offline.  Any suggestions?

    At a guess you have cable internet connection.. please confirm exactly what you have.. two public IPs are allowed by some ISP.. once you use up the two IPs, there are no more..
    Make sure the TC is in router mode. And to get it working you probably need to shut off the cable modem.. if it has battery backup remove the battery.. try 5min off .. if not long enough try 20min off. then overnight. The ISP equipment must reset to allow a new MAC address to capture the IP.
    If you cannot work it out.. plug in the old router again.. and set the TC to bridge mode.. which I suspect it is in now.. and plug it into the main router.. it should work fine like that.

  • Time Capsule firewall

    Does anyone know if there are settings to adjust the Time Capsule firewall?  It appears to be blocking some of the applications I use on my Mac, iPhone and iPad.
    Thanks,
    Jackie

    Hi,
    Did you manage to resolve this? I am experiencing a similar issue with my TC in that it seems to be preventing me from accessing anything that is secure/encrypted/requiring authentication, so I cannot download apps in iTunes, I cannot access https websites, I cannot send emails from the mailbox that syncs with my office Exchange server (although I can receive them), I cannot backup my iOS devices to iCloud, etc, etc.
    Regular websites are absolutely fine and the problem is unique to my home network because when I take my devices to work and use them on the work Wi-Fi network everything is OK.
    The issue is not Wi-Fi either, as switching off Wi-Fi on the Mac and plugging it in to the TC makes no difference.
    This seems to be a firewall/port issue, but the TC is brand new and I have not touched any settings beyond those required by the ISP.
    Thanks.
    Gareth

  • Time Capsule only allows one Macbook be on the internet at a time!

    So far no one even at Apple Care has been able to solve this problem.
    My wife and i have brand new Macbooks. Mine, the latest 2.4Ghz black model bought in the UK and her's the 2.1Ghz bought in the US.
    We both used the Orange livebox as our wireless router and it worked seamlessly (albeit only when security was turned off) until i purchased a 1TB Time Capsule.
    I managed to get the TC up as our wireless router with the Livebox as the modem, but, bizarrely, it will only allow ONE computer to be on the internet at a time - and giving preference to mine. Basically, the second i turn my airport on - she loses connection! It's like my computer ***** the internet away from hers.
    If hers is the only computer on in the house then it works perfectly.
    I have spent hours on the phone to Apple Care and changed a number of the settings within Airport Utility, but the longest we got both computers running on the internet together was for about 20 minutes when i switched to Radio Mode 802.11n only (5 Ghz). For a moment we thought the problem was solved until i put the phone down and lo and behold, she lost her connection once more.
    Any suggestions?
    Thanks in advance.

    Don't know what an Orange livebox is, but I will treat it as a DSL modem and assume the ISP uses a DHCP server. Make sure you have connected the modem to the TC WAN port.
    Open AirPort Utility, select the TC, click on Manual Setup, click on the Internet tab.
    - is 'Connect Using:' set to 'Ethernet' - set to this if not.
    - is 'Configure IPv4:' set to 'Using DHCP' - set to this if not.
    - is 'Ethernet WAN Port:' set to 'Automatic (Default)' - set to this if not.
    - is 'Connection Sharing:' set to 'Share a public IP address' - set to this if not (if set to Bridge Mode then only one computer will be able to use the internet).
    Click 'Update' and wait for TC to restart.
    Check the network settings on the client computers. Go to System Preferences/Network/AirPort:
    - click on the 'Network Name:' roll-button, select 'Join Other Network...', enter 'Network Name' and select the security type you are using, and finally, enter your Password and click 'Join'.
    If ISP uses DHCP:
    - click on 'Advanced', TCP/IP and confirm that 'Configure IPv4:' is set to 'Using DHCP', click 'OK'.
    - click the 'Apply' button and exit System Preferences.
    May also be wise to Repair Permissions using Disk Utility and to reboot your network hardware:
    1. Turn power off to ISP modem and the TC, and shutdown computer - leave power off for 10 minutes.
    2. Turn on modem and wait for it to complete its test cycle. Then turn on the TC.
    3. Turn on computer and check your internet connection.

  • My time capsule will allow only one machine to connect to the internet at a time. Connection sharing is "off" on the Airport Utility. When I try to share an IP address I get the message that "DHCP range that I entered conflicts with the WAN IP address" I

    Suddenly, my time capsule will not allow more than one computer to connect to the internet at a time. On the Airport Utility on the internet tab, Connection Sharing is "Off (Bridge Mode)". When I try to change it to sharing an IP address, I get two messages that the beginning and ending DHCP addresses I've entered conflict with the WAN address of my Apple wireless device.
    Any ideas?
    Thanks

    I use a DSL to connect to the internet. The modem is a Westell C90-810030-06. Two things happened in connection with the fail. I upgraded the firmware in both my Time Capsule (connected to the DSL) and the Airport Extreme (connected to my printer--used to extend the network). I also upgraded my Color Nook to the Android Faux Tablet version. I can't imagine that that is creating some sort of mismatch.
    I have now downgraded the firmware on the Time Capsule to 7.4.1 which is what I had before. Fortunately, I found the trick to downloading the older airport utility to find the older firmware. All the older versions disappeared from my computers.
    I still have the same problem. Wifi works fine. If a second device connects to the wifi, then it works fine, but the first no longer has a connection.
    And my Airport Extreme is not working at all. It cannot be seen by the computer. I tried resetting it. I'm going to connect it by ethernet and downgrade the firmware on it.
    I appreciate any help. This is so frustrating.

  • My time capsule isn't broadcasting

    My time capsule is having power issues (?). When I unplug it to reset and plug it back in, the indicator light is on for a few seconds then shuts off. It does not broadcast a signal.
    There are no issues with the modem or the connections.

    It appears that the power supply is faulty in your Time Capsule. I would suggest that you take it to your local Apple Store to have them confirm your findings. Unfortunately there are no user serviceable parts.
    To get an idea on what's inside check out this Apple Insider article.

  • Time capsule firewall, do I need the mcafee firewall on my xp pc? ....

    Since the time capsule I'm using as a router servicing my pc running xp and my macbook includes a hardware firewall, do I need to use the software firewall that comes with my mcafee virus package on the pc???
    It's my understanding that running a pc without a firewall for even a few minutes is super dangerous.
    Thanks in advance,
    Jason

    The reason I ask, is that I'm trying to get my hp 6840 wireless printer to work wirelessly. So far, no go. The pc install software takes me through the wireless install steps then runs into the mcafee firewall.
    So I disabled it, since hp says the xp firewall will not interfere. Still won't work. So I disabled the xp firewall. Still no go. The install software on the mac doesn't even ask me about the wireless setup, so there's no love there.
    Any ideas??
    Thanks again,
    Jason

  • Firewall Allow all traffic on lan

    Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

    dtich wrote:
    thx dean, yes, i had certainly looked at the log, which shows these entries:
    Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
    but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
    traceroute gives me:
    traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
    1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
    so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
    if i allow 169.254.x.x, i still get no joy.
    mean anything else to you?
    yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
    Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?
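The ipfw log line quoted in this thread is easier to read once its fields are named: the first number (65534) is the ipfw rule number, not a port, and 169.254.x.x is an IPv4 link-local address that a host assigns itself when it receives no DHCP lease, which ties this symptom back to the DHCP problems above. The following is an added example, not code from the original posters: it parses lines in that log format, classifies the source and destination addresses, and names the UDP service. The first sample line is the one quoted above; the other two are constructed.

```python
import ipaddress
import re

# First line copied from the post; the other two are constructed samples.
SAMPLE_LOG = """\
Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
Nov 11 21:49:31 north-knoll-server ipfw[8789]: 65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en1
Nov 11 21:49:40 north-knoll-server ipfw[8789]: 65534 Deny TCP 192.168.1.5:49152 192.168.1.20:22 in via en1
"""

# ipfw log layout: "<rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipfw\[\d+\]: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$")

UDP_SERVICES = {67: "DHCP server", 68: "DHCP client", 137: "NetBIOS name",
                138: "NetBIOS datagram", 139: "NetBIOS session", 5353: "mDNS"}

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_address(text):
    """Name the address class; order matters because is_private covers 0/8 and 255.255.255.255."""
    ip = ipaddress.IPv4Address(text)
    if ip.is_unspecified:
        return "unspecified (host has no address yet)"
    if ip == LIMITED_BROADCAST:
        return "limited broadcast"
    if ip.is_link_local:
        return "link-local 169.254/16 (self-assigned, no DHCP lease)"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private RFC 1918"
    return "public"


def parse_ipfw(line):
    """Return a dict of named fields for one ipfw log line, or None if it does not match."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])        # ipfw rule number, not a port
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["src_class"] = classify_address(entry["src"])
    entry["dst_class"] = classify_address(entry["dst"])
    if entry["proto"] == "UDP":
        entry["service"] = UDP_SERVICES.get(entry["dport"], "unknown")
    else:
        entry["service"] = f"{entry['proto']}/{entry['dport']}"
    return entry


def triage(log_text):
    """Parse every matching line; non-matching lines are skipped."""
    return [e for e in (parse_ipfw(l) for l in log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"rule {e['rule']} {e['action']} {e['proto']} {e['service']}: "
              f"{e['src']} [{e['src_class']}] -> {e['dst']} [{e['dst_class']}] via {e['iface']}")
```

Run against the real ipfw log, the output separates chatter that is safe to ignore (link-local NetBIOS broadcasts from a host that never got a lease) from the DHCP client-to-server traffic on UDP 67/68 that a rule must actually permit for the server to hand out addresses.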

  • Samsung says Time Capsule Firewall is reason for interrupted connection

    I have frequent interruptions with my Samsung BluRay that is connected wirelessly to the internet via my Time Capsule. When I talk with Samsung help they say it's because of the "Firewall on my Router."
    Does anyone think that's true? If it is, is there a way to turn off the firewall?

    No, no problems with either my MacBook or Dell netbook.
    That info pretty much destroys the support person's theory that the firewall is the cause of your intermittent internet problems.
    How far is the DVD player from the Time Capsule? Any walls or other obstructions in the signal path between the Time Capsule and DVD player?
    If yes, is it possible for you to temporarily move the DVD player close to Time Capsule to test and see if it still has the same type of issues?
    If that's not possible, can you move a laptop as close as possible to the DVD player's location and test your internet connection from that point? Good connection?

  • Time Capsule Not Allowing Internet On iPhone and Apple TV

    I have a Time Capsule (3rd Generation), an iMac, a MacBook Air, an iPhone 4, an iPad and an Apple TV (2nd Generation).
    My Time Capsule is the provider for my Wi-Fi in the house, and I've only just set it up. The iPad, Air and iMac all work perfectly, but I have trouble with the Apple TV and the iPhone. They both let me connect to the network, but I'm unable to get any Internet signal on either. I've found that I can work around this by defining a static IP for each, but I hit problems when I leave the house with the iPhone, I have to then give it another IP address for it to work.
    Has anybody any suggestions as to why it:
    a) Won't automatically connect to the Internet and I have to give a static IP
    b) Whenever I leave the house it makes me have to forget the network, reassign an IP and start again.
    I also have two Windows PCs that work perfectly, and my girlfriend has an iPhone 3GS that can connect easily.
    Thanks in advance!

    As the original poster, I too had issues with my iPhone 4 (4.2.1) and Apple TV 2 playing nice. The Airplay icon was visible for music, and worked perfectly. However, when watching a video, purchased through iTunes, only the "audio" option would be selectable for Airplay. After updating the Apple TV software, everything works perfectly well. When watching a video on my iPhone and selecting the Airplay icon, one of the options is to play "video" through the Apple TV, not simply audio.
    It would have been nice to know that my Apple TV needed an update when I updated my iPhone 4 to 4.2.1.

  • Can a PC infected with virus make breaches in Time Capsule firewall?

    Hello!
    Recently had my PC (not mac) infected with virus. Is there a possibility that viruses can make changes to Time Capsule settings and make breaches in Time Capsule firewall?
    For example set port mapping via UPnP  for viral activity on TC or something like that? I'm not very fond of network technologies - but know that some programs can set routing ports on their own. Or am I mistaken?
    Maybe it is worth to make a full reset for TC? I don't know.

    Alejandro_64 wrote:
    But any bother needs open ports to be able to use planted virus behind the firewall, right?
    This will not happen very often.. NAT is not strictly a firewall. It can be broken under pretty intensive attack but still seldom happens. The virus gets into the computer via YOU.. you browse to a compromised website or download an infected application or email etc. The vast majority of infected computers cannot actually be prevented by firewalls.. unless as John pointed out, you cut yourself off from the internet. The internet is out there and for you to gain access to it, to some degree it has to have some access to you. But YOU are the one who infects the computer in 99% of cases.
    Once infected the computer on a LAN can infect other computers on the LAN.. because people do not password their shares. There is little protection. And from inside the LAN the virus can then call home. It does not do anything to the router. Because you have to have the ability to open ports from the LAN side the virus can take advantage of that.
    Note in a business with a strong firewall, only a very limited number of ports are available. And there is a lot more effort put into virus checking. For home system.. just NAT and NOT downloading suspect apps and emails will keep you pretty clear of problems with the need for a decent AV for the occasional mistake.
    Do not torrent, do not use USENET, do not go to Warez and suspect places. Download Prawn and you will have your computer loaded with viruses in no time. It is free and available but has a big sting in the tail.
    If you want to do all those things.. well plan on getting infected pretty often and use the computer in proper DMZ and wipe it pretty often.

  • Can I limit application web access using time capsule firewall?

    Wondered if tc firewall can be used like Zonealarms or similar pc apps

    I am assuming that u r doing this on a mac., then, your best bet might be to use parental controls option.  so you'd have one admin acct (pw protected, ofc) which would control the other, limited account.   then you have lots of options, including: white & black url lists, app control, timed access control, mail and ichat limits.  ya could go nuts with all of the options

  • Time Capsule Firewall Adequate?

    Is the TC firewall adequate? Or would it be better to put upstream of a router with a good firewall, such as my Linksys RV042?

    TC has no firewall, as it turns out. Too bad, though. It could be a complete device if it did.

  • Time Capsule Firewall configuration

    Does anyone have the IPv6 Firewall enabled? If so how do you have yours configured? There's basically little info in the docs regarding this firewall or how to properly configure its settings.

    Issue is resolved. I used the initial random generated shared secret that was generated by Lion Server. The shared secret has special characters. iOS did not like the special characters. See iPhone Console Log below:
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)
    That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.
    The shared secret key was:
    Y|WNwvM_O"?gLA$F@adT
    Looks like it was the " or the ? symbols.
    Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.
    Figured I'd let you all know

  • Issues Accessing VPN via Time Capsule

    My work has a VPN (via Palo Alto's Global Protect) set-up to allow for remote desktop connections.  For some future projects, it is really important that I get this working.  However, I am running into an issue that is directly related to my Apple Time Capsule (an older "flat" model, part number MC343AM/A, running the latest firmware, v7.6.4).
    Basically, I can access the VPN and remote desktop no problem if I connect my computer directly to the modem (or if I tether my computer to my phone).  However, if I connect the laptop to the router, then the VPN connects and is stable (as verified by my work's IT department), but I lose all other internet connectivity, and am unable to actually connect to the remote desktop.  This occurs if I use WiFi or connect through ethernet, and I've verified that it happens on two different computers (an iMac, and a MacBook Pro). 
    I'm wondering if it is because I use a MAC address filter to assign static IP addresses to the devices on my network?  Are there any other settings I should change on the Time Capsule to allow for the VPN passthrough?  Before I factory reset the router and lose all of my configurations (e.g., wifi security settings, etc), I was hoping someone might have run into a similar issue and would have some advice!
    Any tips would be extremely appreciated.
    Best,
    Matt

    Before I factory reset the router and lose all of my configurations (e.g., wifi security settings, etc),
    We can fix that.. export your configuration.. The TC must be open in edit area for this option to work. So at least you don't need to lose settings.
    7.6.4 has some real issues with ports.. That it establishes the vpn ok is good but it is clearly not able to pass some of the ports that are required. Are you able to ping or copy files at all over the tunnel??  it might be caused by a number of things. But you should realise that once the tunnel is open the computer is working on a different subnet.. and its own internal firewall can have issues.. or other issues at the other end.
    I would have a try at taking the firmware back to 7.6.1 and even 7.5.2 can be a good test.. since it is before BTMM with iCloud where the TC would also complicate things with ipsec security.
    To downgrade firmware simply hold down the option key while you click the version number.
