Is my CC3000 dying? No it's not

Barry914
 
Posts: 448
Joined: Sun Dec 08, 2013 1:26 pm

Is my CC3000 dying? No it's not

Post by Barry914 »

I've had a CC3000 project running for probably over 6 months pretty much problem free. I have written guard code to deal with random WiFi disconnects, I have status lights for the WiFi connect process and a proof-of-life indicator in my main loop. I also ping it every 15 minutes or so just to make sure it's alive and I get an alert if it isn't. I've seen it reset the WiFi connection dozens of times without any issues, and I've seen the sketch freeze for various reasons, hopefully all corrected now. Lately I've been getting ping failures while the sketch is running and the CC3000 shows it's connected to my network. (The guard code does an "if (!cc3000.checkConnected()) ..." every time through the loop.) My router shows it as inactive and can't reach it either. Power cycle it and all's well for hours or days. Upgraded to the latest firmware and haven't made a software change in months. For the record, I'm using it with a Micro.
Last edited by Barry914 on Fri Apr 24, 2015 5:23 pm, edited 1 time in total.

Franklin97355
 
Posts: 23940
Joined: Mon Apr 21, 2008 2:33 pm

Re: Is my CC3000 dying?

Post by Franklin97355 »

Barry914 wrote: My router shows it as inactive and can't reach it either.

Does your code act like it is still running? Are the lights blinking normally?

Barry914
 
Posts: 448
Joined: Sun Dec 08, 2013 1:26 pm

Re: Is my CC3000 dying?

Post by Barry914 »

Yes it does. It appears the return from the cc3000.checkConnected() call just doesn't reflect the true state of the connection. I'll post the code if you think it would help. I've posted a couple of versions of the guard code already. The project is a variation of the Pet Food Dish

Barry914
 
Posts: 448
Joined: Sun Dec 08, 2013 1:26 pm

Re: Is my CC3000 dying?

Post by Barry914 »

No, there's nothing wrong with the CC3000 per se. It's suffering from death by packets. I've opened a couple of router ports for 2 other CC3000 projects and my network was being bombarded with all kinds of interesting stuff. As soon as I turned off port forwarding I haven't had a hint of a problem. But of course that brings up another problem. How do you minimize this kind of attack and still provide public access to a server on your home network? Should projects only be clients that push data to real Internet sites (in this case Amazon's push messaging service)?

adafruit_support_mike
 
Posts: 67485
Joined: Thu Feb 11, 2010 2:51 pm

Re: Is my CC3000 dying? No it's not

Post by adafruit_support_mike »

The official best practice is to create a firewall with a DMZ.

You start with an external router that accepts packets from the internet, does some simple filtering to avoid things like ping flooding and SYN/ACK flooding, and passes all other traffic to a machine called the DMZ.

The DMZ is locked down as tightly as possible in terms of potential exploits, runs a rule-based firewall, does address translation, and passes accepted traffic to a second router.

The internal router should ideally use only private/non-routable IP addresses. That makes it harder to spoof addresses from outside the DMZ. It only accepts upstream packets from the DMZ's address and only passes upstream packets to the DMZ's address.

The actual network connects to the inner router, and only knows the inner router's address as a gateway to the internet.

There are several variants of the basic design. You can put two machines in the DMZ, one being the gateway to the external router, the other being the gateway to the internal router. That gives you one more layer of filtering between the inside and outside, and opens the possibility of putting machines like DNS or proxy servers into the DMZ.

Barry914
 
Posts: 448
Joined: Sun Dec 08, 2013 1:26 pm

Re: Is my CC3000 dying? No it's not

Post by Barry914 »

I think I almost get it. I assume I can use my existing cable modem/router as my external router, and any other wireless router as the internal router. I'd disable wireless on the external router. The DMZ host could be any PC that would run only a firewall and would pass everything to my now new, internal router/wireless AP. Does port forwarding to the servers get implemented on the internal router? Am I getting close?

adafruit_support_mike
 
Posts: 67485
Joined: Thu Feb 11, 2010 2:51 pm

Re: Is my CC3000 dying? No it's not

Post by adafruit_support_mike »

Barry914 wrote: I think I almost get it. I assume I can use my existing cable modem/router as my external router, and any other wireless router as the internal router.

Yep. If your cable modem and wifi router are separate devices, those are the external and internal faces of your firewall.

You normally plug an Ethernet cable from one to another. The DMZ would be a machine plugged between the two, technically acting as its own network.

The big point of a DMZ (besides firewalling) is network isolation:

    +-------------------+
    |  cable modem      |
    | ----------------- |
    |  66.128.71.119  <-----> ISP
    | ----------------- |
    |  192.168.10.10  <-----+
    +-------------------+   |
                            |
    +-------------------+   |
    |  DMZ              |   |
    | ----------------- |   |
    |  192.168.10.1   <-----+
    | ----------------- |
    |  10.10.10.1     <-----+
    +-------------------+   |
                            |
    +-------------------+   |
    |  wifi router      |   |
    | ----------------- |   |
    |  10.10.10.2     <-----+
    | ----------------- |
    |  DHCP server/NAT <----> local machines
    +-------------------+

No machine from the local network can communicate directly with the cable modem, and vice versa. The only address visible to the internet is the one for the cable modem's upstream connection, and if someone manages to hack that they'll have to guess the routing through the DMZ to the wifi router.

Barry914 wrote: I'd disable wireless on the external router. The DMZ host could be any PC that would run only a firewall and would pass everything to my now new, internal router/wireless AP.

Yep. You want the DMZ to be as unfriendly to potential hackers as possible: no compilers or language interpreters, no binaries that aren't strictly necessary to run the firewall, and if you want to get serious about it, no shells.

To make that work you use a second, isolated machine as your DMZ configuration host. That has enough utilities to let you log in and tweak the configurations. When you have things arranged the way you like them you clone that drive to the DMZ, log in once, delete the shell, and log back out. At that point you've basically broken the key off in the lock, and the only way to alter the machine's behavior is to replace the OS by cloning a new image.

OpenBSD is good for DMZ applications: http://www.openbsd.org/ The central goal of the project is security.

Barry914 wrote: Does port forwarding to the servers get implemented on the internal router?

Wifi routers already have that feature built in, so that would be easiest.
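
The rule-based firewall on the DMZ host described in this thread could look like the following OpenBSD pf.conf, using the addresses from the diagram and a per-source connection limit for the "death by packets" traffic. This is an added example, not a configuration from any poster; the interface names em0/em1 and service port 8080 are assumptions, as is the cable modem forwarding that port to 192.168.10.1.

```pf
# /etc/pf.conf on the DMZ host (added example; values marked "assumed" are not from the thread)
ext_if   = "em0"         # assumed NIC name; 192.168.10.1, faces the cable modem
int_if   = "em1"         # assumed NIC name; 10.10.10.1, faces the wifi router
inner_gw = "10.10.10.2"  # wifi router's upstream address, from the diagram
svc_port = "8080"        # assumed port of the one published project

# Sources that exceed the connection limits below are added here by pf.
table <flooders> persist

set block-policy drop    # drop silently instead of answering with RST/ICMP
set skip on lo

# Normalise packets and reject traffic whose source address cannot
# legitimately arrive on the interface it came in on.
match in all scrub (no-df random-id)
antispoof quick for { $ext_if $int_if }

# Default deny in both directions; everything allowed is listed explicitly.
block log all
block in quick on $ext_if from <flooders>

# Inbound: only the published port, redirected to the inner router, which
# does the final port forward to the project. A source that holds more than
# 10 connections or opens more than 15 in 5 seconds is moved to <flooders>
# and its existing states are flushed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $svc_port \
    rdr-to $inner_gw \
    keep state (max-src-conn 10, max-src-conn-rate 15/5, \
                overload <flooders> flush global)
pass out on $int_if inet proto tcp from any to $inner_gw port $svc_port

# Outbound: accept upstream packets only from the inner router's address,
# and translate them to the DMZ's outside address toward the cable modem.
pass in  on $int_if inet from $inner_gw to any
pass out on $ext_if inet from $inner_gw to any nat-to ($ext_if)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -t flooders -T show` lists the sources that have tripped the limits.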
