GL-MT6000 firewall causing security alerts on my PC

My security software (Bitdefender) on Windows is blocking access of something from 192.169.8.1 (my GL-MT6000). The router’s firewall says it’s collecting data, so I assume it is trying to get something from the computer. Right now only one computer is on the router’s LAN, but when I go “production” there will be 5 of them, all blocking this access.

What is the router trying to access? Should I allow this access or is this a real security leak?

At the moment I have the GL-MT6000 daisy-chained off my “production” router with its own firewall (which, BTW, doesn’t cause any security alerts), so I’m pretty sure the blocked access originates in the GL-MT6000 rather than being nefarious activity from the web.

Could you please show a screenshot of the alert, which, hopefully, contains more information?

Ah, if only Bitdefender were so obliging. The popup will not appear again until after some unmentioned time. The popup, which contains next to no information, states that multiple attempts were blocked. The logged alert also contains next to no information:

That 385 count is now up to 421 and increases rapidly every time I enter LuCI and bring up Firewall.

I took a chance and added the event to Bitdefender exceptions. The result: the router successfully displayed firewall data. Bitdefender had been preventing the correct building of the firewall display - not the collection of PC data! Sheesh! There was probably a script involved.

Anyway, all is better now.

I don't see a reason why Bitdefender should be alarmed about luci ... but yeah, anti-virus software is doing anti-virus-thingies.

Maybe they did not like some of the URLs luci uses. Maybe the one containing rpc because there is a Windows service called like this as well :laughing:

I'm also a Bitdefender user.

My guess is that it gets triggered because of an invalid HTTPS cert and a remnant of the detect-portal script, which keeps simulating a click, like much older firmwares did with nodogsplash. There was still a remnant left doing very much the same thing for a long time; not sure if it still exists. What I remember is that it was later part of the repeater function and leaked over the full UI, but this is from a much older, early-versioned GL SDK 4.x. Don't take my word for it, because I lost track of it, but I do remember having reported it back then.

Or it might be that it behaves as a proxy showing the setup wizard, which behaves as a captive portal that redirects all HTTP/HTTPS connections to itself.

If you think about it from a cybersecurity perspective, if you were on an evil network these could actually be real threats; the behaviours do match various rebind attempts, but in this case it is a false positive.

Either you can ignore the message in Bitdefender or I believe you can disable scanning of encrypted connections (https).

Honestly, I have this disabled because I'm not a fan of AVs putting their root certificates on all HTTPS connections to eavesdrop; it could even be more vulnerable if it downgrades the encryption, but it also threatens the legitimacy of certificates as a whole.

I’ve got my new GL-MT6000 daisy-chained off my “production” router (while I’m getting familiar with the MT6000) so the suspicious activity is not coming from my “official” LAN. I suspect there would have been no alerts if my PC and the MT6000 were on the same LAN segment.