How can this device be a firewall?

It only has 1 ethernet port.

There have been a few companies which have built security products which run their own firewall proxy, similar to a PiHole. ReconSecurity had a similar device with a single ethernet port which was just a Pine64 board, and they charged a similar yearly rate. (You can buy ReconSecurity units on clearance for under $20 depending upon where you browse, erase the SD card and make your own firewall/filter solution.)

Even if the device had an “in” and an “out” port, it still might be ignored or bypassed.
Just have to set your other devices to not ignore it?

Unless there is no physical connection between both, so traffic has to go through the FW. But then, that FW is probably also a DHCP server and gateway anyway :stuck_out_tongue:

@PaintChips The pi-hole is a DNS filter: all clients are configured to use it as their DNS. Access to the net is still through the router, which performs NAT.

This device only has one ethernet port. For it to be a router, the ethernet jack would be connected to the net. How could clients connect to it? Doesn't a firewall have to be able to reject packets?

A NIC can have several IP addresses.
Throughput would be limited, but not many people have more than 100 Mbps anyway.

Okay, probably a higher proportion of us than the general public…

Personally, I use a Pi with a second USB NIC, but I presume it is not required.

A NIC has about 65,000 sub-addresses, like a PO box setup, known as ports. The first 1024 ports are standardised or reserved for future use, the rest can be used at will. Traffic for a webserver will use port 80, FTP is port 21 and CUPS uses port 631. Pi-hole listens to incoming traffic on port 80 then redirects its output traffic to another port, like 8080, and the browser then listens to that filtered traffic on port 8080 instead of 80. The traffic streams can (and do) happily co-exist on the same physical NIC.

Short answer: Plug it into a VLAN capable managed switch.
Long answer: Router on a stick - Wikipedia

1 Like

OK. VLAN on a stick. So then this cannot be a router: if you plug the internet into its only Ethernet port, it cannot talk to your LAN. If you plug it into a switch on your LAN, it can act like a managed switch but cannot filter the internet.

So any malicious packets that bypass your router are already on the LAN and this thing can't do anything about them. The evil is already in.

That's not how VLANs work. You have a LAN and a WAN VLAN on the switch. The router accesses both VLANs on the single port via a trunk port/tagged VLANs.
The WAN port on the switch can be an access port for the modem/ONT.
The rest of the switch will be access ports for the LAN VLAN, which is routed to the internet on the WAN interface via the router.

@NZSNIPER thanks for trying to explain it to me but I didn't understand a word of it. This box sits inside the LAN. It has ONE Ethernet port. If another PC client on the LAN goes to badsite.com then malicious packets come to the gateway and are routed directly to that client. This box never sees those packets.

I think part of your problem might be that a lot of people use the terms firewall and router interchangeably. For example, I often see pfSense referred to as a firewall whereas to me it's a router, or router software to be pedantic. The fact that it has features that permit it to also act as a firewall doesn't change the fact that first and foremost it's acting as your router.

I think the device that you linked to is acting as a firewall, but not a router. Since it says “…connects to your home Wi-Fi router…” it’s clearly not intended to replace your existing router.

Given the target market, there is no way it’s acting as a router on a stick.

As just a guess, it could be using ARP and ARP poisoning as its means of controlling traffic. This is how the Circle parental control device operates.

1 Like

So in networking there is a concept of VLANs. On a network switch you can "tag" ports with a given VLAN, so all traffic coming in on that port is tagged with that VLAN number. If you had two devices plugged into a switch, say device "A" was plugged into port 1 and tagged with VLAN 10, and device "B" was plugged into port 2 and tagged with VLAN 20, those devices could not communicate with each other (on layer 2) without talking to a router (layer 3) which is configured to route traffic between them. Most consumer routers support this; it's typically buried in the "advanced routing" section.

This is how a “router on a stick” works. One port, two networks, the router directs traffic from one to the other over the single port.

Now is this actually how the device works? I have no idea. This seems a bit over the top for most home users to configure, but if I were to build a product like this that is how I would do it.

1 Like
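The post above describes the layer-2 isolation that VLAN tags give you and how a single trunk port lets one router serve two VLANs. The following is an added illustration written for this thread, not code from any poster or product: it parses and builds 802.1Q-tagged Ethernet frames and models a small switch with two access ports (PVID 10 and 20) and one trunk port for the router. The MAC addresses, port numbers and payload are constructed sample values; the switch floods within a VLAN instead of learning MACs, which is enough to show why host A's frames only ever reach host B after the router has re-tagged them.

```python
"""802.1Q tagging and a "router on a stick", modelled in plain Python.

Added example, not code from the thread. Access ports tag ingress frames with
their port VLAN ID (PVID) and strip tags on egress; a trunk port carries every
VLAN tagged. The router hanging off the trunk sees both VLANs on one NIC.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # VLAN ID from the 802.1Q tag, or None if untagged
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP/DEI left at zero
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vid = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI
        offset = 18
    return Frame(dst, src, vid, ethertype, raw[offset:])


class Switch:
    """Minimal VLAN-aware switch that floods within a VLAN (no MAC learning)."""

    def __init__(self, access: Dict[int, int], trunk: Set[int]):
        self.access = access   # port number -> PVID
        self.trunk = trunk     # ports carrying all VLANs, tagged

    def forward(self, in_port: int, raw: bytes) -> Dict[int, bytes]:
        """Return {egress_port: frame} for a frame arriving on in_port."""
        f = parse_frame(raw)
        if in_port in self.access:
            if f.vid is not None:
                return {}                  # tagged frame on an access port: drop
            vid = self.access[in_port]     # classify by the port's PVID
        elif in_port in self.trunk:
            if f.vid is None:
                return {}                  # untagged on trunk: no native VLAN here
            vid = f.vid
        else:
            return {}
        out: Dict[int, bytes] = {}
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:    # same VLAN only, tag stripped
                out[port] = build_frame(f.dst, f.src, f.ethertype, f.payload)
        for port in self.trunk:
            if port != in_port:                    # trunk egress keeps the tag
                out[port] = build_frame(f.dst, f.src, f.ethertype, f.payload, vid=vid)
        return out


def demo() -> Dict[str, object]:
    """Host A (VLAN 10) reaches host B (VLAN 20) only via the router on port 24."""
    mac_a = b"\x02\x00\x00\x00\x00\x0a"   # constructed, locally administered MACs
    mac_b = b"\x02\x00\x00\x00\x00\x0b"
    mac_r = b"\x02\x00\x00\x00\x00\x01"
    sw = Switch(access={1: 10, 2: 20}, trunk={24})
    # A broadcasts on VLAN 10: only the trunk (router) sees it, tagged VID 10.
    first_hop = sw.forward(1, build_frame(b"\xff" * 6, mac_a, ETHERTYPE_IPV4, b"to-B"))
    # The router routes the packet and re-sends it on the trunk tagged for VLAN 20.
    second_hop = sw.forward(24, build_frame(mac_b, mac_r, ETHERTYPE_IPV4, b"to-B", vid=20))
    return {
        "first_hop_ports": sorted(first_hop),
        "first_hop_vid": parse_frame(first_hop[24]).vid,
        "second_hop_ports": sorted(second_hop),
        "second_hop_tagged": parse_frame(second_hop[2]).vid is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first frame leaving only on port 24 with VID 10 and the router's re-tagged frame arriving untagged on port 2 alone; port 2 never sees host A's original broadcast, which is the layer-2 separation the post describes.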

I saw Trend Micro and I had Supermicro on my mind, thinking this was an enterprise solution.
I guess it would be doing ARP spoofing/ARP poisoning to make it easier to install in a niche home market, at the expense of it being a hack.

1 Like
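Two posters in this thread guess that a single-port box inside the LAN can only insert itself into traffic by ARP spoofing, as the Circle device is said to do. Whether or not that is how this product works, a LAN owner can detect that kind of interposition passively, because the device has to answer ARP for the gateway (and for the clients) with its own MAC. The code below is an added example for this thread, not code from any poster or vendor: it parses Ethernet/IPv4 ARP bodies and keeps an IP-to-MAC table, raising an alert whenever a binding it already knows is contradicted. All MAC and IP addresses and the packet sequence are constructed samples; the gateway binding is seeded as trusted the way a monitor would be configured on a real network.

```python
"""Passive detection of ARP-based interception on a LAN.

Added example, not code from the thread or any vendor. A device that controls
traffic by ARP spoofing must claim the gateway's (or a client's) IP with its
own MAC; a monitor that remembers IP-to-MAC bindings flags that contradiction.
"""
import struct
from typing import Dict, List, Optional

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build the 28-byte ARP body (no Ethernet header) for Ethernet/IPv4."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Parse an ARP body; rejects anything other than Ethernet/IPv4 ARP."""
    if len(pkt) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "opcode": opcode,
        "sender_mac": ":".join(f"{b:02x}" for b in pkt[8:14]),
        "sender_ip": ".".join(str(b) for b in pkt[14:18]),
        "target_mac": ":".join(f"{b:02x}" for b in pkt[18:24]),
        "target_ip": ".".join(str(b) for b in pkt[24:28]),
    }


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP traffic and reports contradictions."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(trusted or {})   # ip -> mac
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> Optional[str]:
        a = parse_arp(pkt)
        ip, mac = str(a["sender_ip"]), str(a["sender_mac"])
        if ip == "0.0.0.0":
            return None            # ARP probe (RFC 5227): sender has no address yet
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac   # first sighting: learn the binding
            return None
        if known == mac:
            return None
        # Known binding contradicted. Bindings are never overwritten, so a
        # device that keeps re-asserting a false MAC keeps generating alerts.
        if a["target_ip"] == ip:
            kind = "gratuitous"
        elif a["opcode"] == ARP_REPLY:
            kind = "reply"
        else:
            kind = "request"
        alert = f"{ip}: MAC changed from {known} to {mac} ({kind})"
        self.alerts.append(alert)
        return alert


def demo() -> List[str]:
    """Replay a constructed ARP exchange in which a box impersonates both sides."""
    gw_mac, gw_ip = "02:00:00:00:00:01", "192.168.1.1"    # constructed gateway
    pc_mac, pc_ip = "02:00:00:00:00:32", "192.168.1.50"   # constructed client
    box_mac = "02:00:00:00:00:ee"                          # constructed interposer
    mon = ArpMonitor(trusted={gw_ip: gw_mac})
    stream = [
        build_arp(ARP_REQUEST, pc_mac, pc_ip, "00:00:00:00:00:00", gw_ip),  # PC asks
        build_arp(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip),                 # real answer
        build_arp(ARP_REPLY, box_mac, gw_ip, pc_mac, pc_ip),                # box claims gateway
        build_arp(ARP_REPLY, box_mac, pc_ip, gw_mac, gw_ip),                # box claims PC
    ]
    for pkt in stream:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first two packets are a normal request/reply and produce nothing; the third and fourth, where one MAC asserts both the gateway's and the client's IP, each produce an alert. On a real network the same logic would be fed from a capture on a mirror port, with the gateway binding pinned rather than learned so that a spoof seen before the genuine reply is still caught.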