Jun 18, 2019
I was able to get my Intellicenter online. Partially due to my complex enterprise UTM, I had to work around a bunch of really odd issues:
1) DHCP hard codes the Google DNS servers, which I block on my network as I forced everything through Cisco Umbrella. Typically DHCP would also pull the advertised DNS servers. You can only override the DNS settings in static mode. I was able to work around it by using static. I also did a DHCP reservation and made an ACL to allow 8.8.8.8 and 8.8.4.4 from exclusively that IP address. It took some troubleshooting on my UTM to discover what was going on.
2) I'm not convinced my electricians installed the equipment right. They wired the PoE injector to AUX7. I have to go into service mode and manually turn AUX7 on at every boot. I've since added AUX7 as a main feature, but I can't find a turn-on-at-boot feature, and it looks like there's a 12 hour default timeout; not sure if that can be disabled or set to 0. What am I missing here to get this to always be on? If I lose power to the panel, or have to reboot the panel, I lose connectivity until I can manually turn on AUX7, which requires me physically being in front of the panel. Similarly, my lights are controlled on AUX3 and not the Lights feature; I can't find where that's programmed.
3) I've got more questions, but somebody is coming over to help me program it, but I don't have much faith this guy will know any more than I do since he hasn't seen as many Intellicenters.
Now I have a handful of security concerns I've observed that put me at a pause:
1) You can protect the admin panel with a 4-digit PIN. That's not incredibly secure. The bigger concern is that once you're in, you can read the login email and passwords in clear text. So while someone would need to physically be there, your online password is only protected by a 4-digit PIN code. I highly recommend using a unique password. I'd really prefer it if the account setup process and password maintenance were done exclusively online and not via the panel.
2) I use long and secure random passwords. I had issues registering the new account. There was no indication on the LCD other than "Error Creating Account". Just so others can learn, it turns out the maximum allowed password length is 15 characters. Fortunately mixed case and special characters are allowed, so you can create a very strong password, but more guidance on the limitations would've been nice.
3) I'm not convinced this Engenius bridge is secure. I haven't investigated how it works, but in a past life I created and product managed similar Ethernet bridge products from a major wireless manufacturer. I suspect the controller talks to it over a simple API or http-post method using pre-configured static IP addresses of 192.168.1.10 and 192.168.1.1. There's evidence of that being the IP address throughout the UI and help instructions. So you can scan and associate to the SSID through the panel using these APIs/http-post/get; that's straightforward, but I'm suspecting I can now take this bridge and plug any Ethernet device into LAN 2 and it'll be fully connected to my home LAN. Given the location of my panel and Engenius adapter, someone who wanted to get into my home network could just patch in and access devices. If I were ever an FBI or CIA agent and saw an Intellicenter, I'm sure I'd get very excited! I intend to secure the wireless connection in my Meraki AP, specifically limiting its access to its own VLAN that only has Internet access, but for the average Joe, this seems like an insecure solution. I need to test this, but knowing what I know about how these bridge devices work and reading some of the docs, it seems it was designed with little/no security in mind.