Double internet Wan

[rludo2]

Hello Everybody

I want to use NetAlertX with double internet Wan :

I have a Cisco RV345

• WAN1 (FTTH Modem : LAN : 192.168.0.1/24 ; WAN : DHCP)
• WAN2 (4G Modem : LAN : 192.168.1.1/24 ; WAN : DHCP)
• LAN : 192.168.2.1/24

How to configure NetAlertX to scan each network (192.168.0.1/24 ; 192.168.1.1/24 ; 192.168.2.1/24)

Thanks in advance

[jokob-sk]

Hi @rludo2 ,

It will depend if you have access to these networks from the network where NetAlertX is running. If you do, you should be able to scan the networks directly (e.g. with ARPSCAN or NMAP plugins) as per the Subnets configuration:

https://github.com/jokob-sk/NetAlertX/blob/main/docs/SUBNETS.md

If not, you can use alternative plugins, if you have e.g. access to DHCP file(s) or an SNMP API endpoint(s). Please check the individual plugin docs for details:

https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins#-plugins

Lastly, you can try setting up separate NAX instances and synchronizing them via the Sync Hub plugin:

https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/sync

Hope the above helps!
j

[rludo2]

Hi J

I can acces to 192.168.0.1 and 192.168.1.1 from 192.168.2.0/24 from a PC on 192.168.2.0/24

In NetAlertX (in a docker on a synology nas) I have add :
192.168.0.0/24 --interface=eth0
192.168.1.0/24 --interface=eth0
192.168.2.0/24 --interface=eth0

In NetAlertX there are all from 192.168.2.0/24 but nothing from 192.168.0.0/24 and nothing from 192.168.0.1/24

Thanks in advance

[jokob-sk]

Hey,

You can try ssh-ing into the container and directly running the arp-scan commands on these subnets. If no results are returned, they are not accessible. For example:

sudo arp-scan --ignoredups --retry=6 192.168.0.0/24 --interface=eth0

[rludo2]

ping to 192.168.0.1 and 192.168.1.1 from 192.168.2.0/24 is ok but
sudo arp-scan --ignoredups --retry=6 192.168.0.0/24 --interface=eth0
no resulta
Thanks

[FlyingToto]

AFAIK, ping is going to go over routers but arp won't.
so the host running Nax needs to have a leg on the subnet that your want to arpscan

[FlyingToto]

stepping back a bit, normally you wouldn't expect devices connected directly to your wan's gateways...

background:
I happen to have a similar setup.

• hot WAN gateway is a cable modem connected to DMZ switch1
• warm standby WAN gateway is a 5g modem connected to DMZ DMZ switch2 (this also has its own wifi AP but it is turned off)
• hot firewall opnsense . one side is connected to the 2 DMZ switches, and 1 side is connected to my intranet switch (itself connected to a few WIFI access points)- > that's basically what I consider as the entry point of my network, all my devices should be behind it.
• cold firewall firewalla. same setup as above except that I keep it unplugged from the main intranet switch

I installed Nax on a device connected to my intranet switch. it is able to scan everything internally up the to firewall. it can't scan what's on the other side however it is able to guess that I have 1 WAN gateway (the active one). 100% of my devices are behind the firewall (on your 192.168.2.0/24). nothing else is connected to the DMZ switches or embeded wifi (your 192.168.0.0/24 and 192.168.1.0/24). Normally that would be a standard setup.

There shouldn't be a case to setup anything on the 192.168.1.0 and 192.168.2.0 but if for some reasons you do, you will need to setup a secondary Nax instance on each of these nodes and have them configured to send the data to your primary Nax on the 192.168.2.0 subnet however:

• this is a bad idea because these instances are deployed in your WANs subnets so they are exposed to potential intruders.
• this is a bad idea if one your WAN is a bridge instead of a router (your ISP should immediately kick you out if you try to nmap your neighbors).
• this is a bad idea because you will need to open firewalls to send data from the 2 DMZ-WAN probes into your intranet (not too bad but still unecessary risk, especially if one of your WAN is a bridge)

you could also run NaX on your firewall which presumably has 3 insterfaces, one of each DMZ_WAN and one of on your intranet but this would expose your primary firewall/router to an attacker especially since Nax runs as a privielge user to access lower network drivers.

[rludo2]

NetAlertX permit a network schematic and i want to do a complete schematic with 2 internet Ip and check that each internet ip is ok
and check that nothing appear on 192.168.0.0/24 and 192.168.1.0/24

[FlyingToto]

so you can add devices manually if you want using this plugin:
https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/undiscoverables
then you can probably insert them manually in the network diagram by populating the port and node(MAC)

however:

• keep in mind that netalertx has a number of limitations (its most granular level is basically MAC addresses); for instance it doesn't handle VIP or represent devices with multiple MAC network interfaces as you would expect.

@jokob-sk however, I just noticed that the IP address field is grayed out (also the status is online and grayed out).

[FlyingToto]

in terms of detecting that "nothing appear on 192.168.0.0/24 and 192.168.1.0/24" normally the best way is just to prevent it from happening in the first place,. so assuming your Firewall is connected to both WAN through physical ethernet cable, you would want to disalble any access points on the 2 WAN gateways. Normally every vendor should support that. I used to have an old 5g gateway which connected over wifi by default but I was able to use some usb adapter which provided power and an ethernet cable connection. Alternatively if you configure the wifi to only allow 1 IP address and enable a MAC filter based on your firewall address you will get alerted right away if someone tried to attach to it as they will conflict.

[rludo2]

Thanks a lot
I will try the plugins for manually add a device.
And i will check the no wifi on wan gateway only wired connexion