six demon bag

Wind, fire, all that kind of thing!

2020-03-23

FRITZ!Box Firewall is Broken

AVM's FRITZ!Box routers have builtin packet filtering capabilities that are configured via the parental controls. However, for some unknown reason the vendor deemed it a good idea to hard-link MAC addresses to IPs (hint: it's not) with no option to override it (hint #2: that's an even worse idea).


This becomes a problem when your LAN isn't a flat network but consists of routed subnets:

Internet --- [FritzBox] --- WLAN --- [router] --- LAN

Money quote from the AVM knowledge base:

If you use an additional router to connect the device, the other router does not transmit the device's MAC address to the FRITZ!Box. Since the FRITZ!Box uses a combination of IP address and MAC address to identify each device, it interprets requests from the same MAC address in combination with different IP addresses as an attempt to evade the parental controls.

Essentially that's saying unless you build your entire network with AVM products you cannot have a structured network. Which is stupid. My network is segmented for security reasons, and I don't want to remove that security by mangling it into one flat network.

Sure, the internal router could be configured to masquerade outbound connections from the internal network, but double NAT would cause other problems, e.g. when connecting from external devices to hosts in that network. I'd also lose granularity with filtering outbound connections, because the FRITZ!Box would be unable to distinguish between connections from the router itself and connections from any of the devices in the internel network.

So, please, dear AVM people, pull your heads out of your collective asses and at least give us the ability to disable this "feature."

Posted 16:06 [permalink]