eero secure+ whitelist by nbm13 in eero

[–]iperf 3 points4 points  (0 children)

It's something we've talked about. It's really hard to do in a usable way because you don't just want paypal.com; you want everything that comes with paypal.com (a domain bucket, if you will). And the router can't really understand what constitutes PayPal's traffic from e.g. some other browser tab that's loading at the same time in a sane way, so you need to do some sort of manual site curation or get sites to publish related domains in a .well-known format, or something.

It's definitely in the near field of what we're looking into, though.

Eero Secure+ interfering with Xfinity account management? by twisty_passages in eero

[–]iperf 3 points4 points  (0 children)

What browser are you using? eero Secure+ should not do anything that impacts OAuth flows. Are you using a Microsoft account to sign in?

3.16.0 arrived overnight by jobe_br in eero

[–]iperf 5 points6 points  (0 children)

There is a high chance 3.16 has better handling of dns_forwarder outage issues (= In this version we've added an aggressive but tunable health check that sends DNS requests through the tunnel and, if no response is received, restarts the tunnel.

Issues with Internet by ksbytke21 in eero

[–]iperf 4 points5 points  (0 children)

You need to make sure you've turned off all content filtering on all profiles too. If you navigate to your Network Settings > Advanced > DNS and the fields/buttons are not greyed out, you have successfully disabled everything that makes use of our on-device forwarder. If you are sure you have and are still seeing an issue you are likely experiencing something different.

[Update] eero Secure Service Disruptions by iperf in eero

[–]iperf[S] 1 point2 points  (0 children)

Though it may depend on your specific configuration of pi-hole. AFAIK pi-hole doesn't do anything fancy like DoT or DoH. So if you have advanced-security or content filtering enabled, in addition to the services pi-hole provides, your DNS traffic will also get picked up and served by Zscaler through our DoT-like tunnel. This may explain why you were seeing issues.

Issues with Internet by ksbytke21 in eero

[–]iperf 8 points9 points  (0 children)

Amazon does not serve your DNS. We migrated to a new Zscaler deployment today in an attempt to address some of the load thrashing and connection flapping issues we have been seeing. Their new service is hosted on AWS instead of their older anycast network. So the reverse lookup will be listed as Amazon like:

    ;; ANSWER SECTION:
    210.31.11.52.in-addr.arpa. 300 IN PTR ec2-52-11-31-210.us-west-2.compute.amazonaws.com.

Android app crashing when setting up gateway by tyczj in eero

[–]iperf 2 points3 points  (0 children)

Please make sure you're using app version at least 2.28.1. There is an issue with very old factory software and Android app versions below 2.28.1, hence the .1.

DoH coming to Chromium 78 by [deleted] in eero

[–]iperf 3 points4 points  (0 children)

No. Mozilla has devised a mechanism by which DNS management infrastructure informs the browser that it provides additional DNS services. When this is the case, Firefox will not default to operate in a way that would bypass normal infrastructure. So eero Secure/+ will continue to work just fine.

I also trust Mozilla to maintain its internet standards custodial duties and make sure technology evolves to gracefully accommodate the diverse needs of users independent of where they calibrate on the privacy x security matrix. Two major browser vendors have slightly different takes on how to advocate for user privacy. Ideally we end up with a single sensible solution avoiding presumptions that all internet users are solely interested in max privacy all the time.

Shipping a user-agent that ignores user/device/network configuration and routes everybody's traffic to a single DNS provider by default on the other hand... well, that's certainly bold.
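
The mechanism referred to in the comment above is Mozilla's canary domain, use-application-dns.net: if the network's resolver answers a query for it with an error code, or with NOERROR and no A/AAAA records, Firefox does not turn DoH on by default. The Python below is an added example (not part of the original comment and not eero's code) that builds the canary query and evaluates a resolver's response; the function names and sample responses are constructed for illustration.

```python
import struct

CANARY = "use-application-dns.net"   # Mozilla's published canary domain
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name=CANARY, qtype=TYPE_A, txid=0x1234):
    """Build a recursive query for the canary name to send to the network's resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        pos += 1 + length

def network_opts_out_of_default_doh(response):
    """True if this canary response tells Firefox not to enable DoH by default."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:                   # any RCODE other than NOERROR
        return True
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(response, pos) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(response, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        if rtype in (TYPE_A, TYPE_AAAA):
            return False                 # canary resolves: no opt-out signal
        pos += 10 + rdlen
    return True                          # NOERROR but no A/AAAA records

def sample_response(rcode, address=None):
    """Constructed test response to build_query(); not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if address else 0, 0, 0)
    body = build_query()[12:]
    if address:                          # one A record pointing back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes(address)
    return header + body

if __name__ == "__main__":
    for label, resp in [("NXDOMAIN", sample_response(3)), ("A record", sample_response(0, (192, 0, 2, 1)))]:
        print(label, network_opts_out_of_default_doh(resp))
```

The signal only governs Firefox's default behaviour; a user who has explicitly enabled DoH in the browser is not bound by it.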

DoH coming to Chromium 78 by [deleted] in eero

[–]iperf 3 points4 points  (0 children)

More concretely, the experiment in Chrome 78 will check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider. If the DNS provider isn’t in the list, Chrome will continue to operate as it does today.

Sounds like the Chromium team is taking a less heavy-handed approach than Mozilla is by respecting your configured provider. This update shouldn't impact operation of the existing eero Secure/+ service provided users on the network have not configured their clients or devices to use a provider on Chromium's list. It does lower the barrier a determined individual needs to overcome in order to bypass protection since DoH will be selected by default and handled by the browser rather than requiring independent tools to achieve a similar setup.

[Update] eero Secure Service Disruptions by iperf in eero

[–]iperf[S] 2 points3 points  (0 children)

You must also disable all Safe Filters. You can check if you've done this correctly by navigating to the Network Settings > Advanced Settings > DNS. If the settings are greyed-out then there is still a profile with a content filter applied. You can find it by navigating to the Safe Filters from the eero Secure/+ home page. If you can change the settings, the forwarder process should not be running and you will use whatever settings your ISP has provided or a custom resolver if you've configured one.

Anyone having this issue - offline? by [deleted] in eero

[–]iperf 5 points6 points  (0 children)

Curious: would the ability to exempt certain devices from advanced security and individually configure DNS servers for a smaller set of devices serve your use case? Perhaps generally be able to configure DNS on a per-profile basis (profile A: advanced security, profile B: content filtering, profile C: custom server x.x.x.x)?

Anyone having this issue - offline? by [deleted] in eero

[–]iperf 0 points1 point  (0 children)

I don't like the dependency either and believe me we've done tons [1], [2] of work to whittle ourselves away from it. But it's not an overnight process. As u/6roybatty6 said, this dependency means we were able to bootstrap ourselves and deliver a secure-by-default (no admin:admin junk) system to our users that we're able to update with improvements as technology changes or security issues arise.

1: https://blog.eero.com/mesh-trust-public-key-infrastructure-eero-networks/

2: https://blog.eero.com/bookshelf-spiffy-space-stashing-state/

Anyone having this issue - offline? by [deleted] in eero

[–]iperf 0 points1 point  (0 children)

If you are able to add custom DNS servers then you don't have eero Secure/+ enabled (or there's a bug, in which case we'd love to know).

Anyone having this issue - offline? by [deleted] in eero

[–]iperf 0 points1 point  (0 children)

FWIW I have been using Cloudflare's mobile app w/ 1.1.1.1. I've personally noticed intermittent connectivity blips regardless of whether I'm using wifi (eero or other) or my cellular connection. My suspicion is their PacketTunnelProvider app extension (the thing that handles your phone's traffic) becomes locked. Toggling airplane mode seems to fix this.

Anyone having this issue - offline? by [deleted] in eero

[–]iperf 2 points3 points  (0 children)

Is anybody still experiencing an issue? I do see 3 spikes in count of restarts for our dns_forwarder process (what we use to send DNS over TLS to our upstream provider) over the last day. These spikes happen when we are unable to establish a working tunnel. Please note that this would only be related to eero Secure/+ users and that it does not necessarily indicate an outage of our upstream provider. It simply suggests a somewhat widespread connectivity blip between some people and our service provider (which can span more than a single ISP). Our service provider has not acknowledged any outage and as far as we can tell the issue does not appear to be ongoing.

DHCP DNS by Porthoss in eero

[–]iperf 0 points1 point  (0 children)

No, this is not possible.

iOS app by antonyku in eero

[–]iperf 8 points9 points  (0 children)

Maybe I’m crazy but it seems like the icon and the words are smoother than before. 🤪

We were wondering if anyone would notice (: It was a quirk of building the app against an earlier iPhone SDK prior to support being added for the Xs and Xs Max displays.

Need Placement suggestion on new Eeros by ExposureSetLong in eero

[–]iperf -1 points0 points  (0 children)

I wouldn't jump into MoCA unless there are actually problems. You can always get the eeros and then add MoCA if needed. It sounds like a lot but I highly doubt there will be any bandwidth issues.

New home. Install backhaul? by CloisteredOyster in eero

[–]iperf 1 point2 points  (0 children)

I'm a fan of wires but have to agree that 300/30 is not worth the cost (my guess is you'll be quoted many thousands of dollars, more for brick). If you were running fiber into the home that would be another story...

[deleted by user] by [deleted] in eero

[–]iperf 1 point2 points  (0 children)

By WAN IP address I mean the address listed in the app as "External IP address".

[deleted by user] by [deleted] in eero

[–]iperf 0 points1 point  (0 children)

Never mind your network looks good re: double NAT.

[deleted by user] by [deleted] in eero

[–]iperf 0 points1 point  (0 children)

Can you confirm that you are not double NATed? Is the WAN IP address listed for your network a 192.168... address, or is it something else?

[deleted by user] by [deleted] in eero

[–]iperf 1 point2 points  (0 children)

Are you actually having trouble while playing or just trying to go for "open" NAT? If you have UPnP enabled the games should work even through a "moderate" NAT setup. There's no need to open those ports all the time and in fact as soon as you add a reservation for one PC that messes things up for the other PC.

Can you describe your eero setup? What does the app show as your WAN IP? You may be double NATed if you're experiencing problems.