IPv6 Routers: Difference between revisions
| Line 51: | Line 51: | ||
| Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!). | Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!). | ||
| ===Getting rid of Open DNS Forwarder=== | |||
| Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world!  This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack. | |||
| This can be resolved by:- | |||
| (a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address. | |||
| (b) Telnet into the Router, logon to Administrator, then enter commands:- | |||
|  dhcp server config state=disabled | |||
|  dhcp server pool config name LAN_custom localdns=disabled | |||
|  dhcp server pool config name LAN_custom primdns=217.169.20.20 | |||
|  dhcp server pool config name LAN_custom secdns=217.169.20.21 | |||
|  dhcp server config state=enabled | |||
|  dns server config state=disabled | |||
|  saveall | |||
| What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS server (notice the DHCP server can only be reconfigured while disabled). | |||
| NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- | |||
| http://security.zensupport.co.uk/recdns/ | |||
| ===Problems connection to PPTP Servers=== | ===Problems connection to PPTP Servers=== | ||
Revision as of 18:22, 28 January 2012
Technicolor TG582N
Documents
These files are from December 2011, supplied by Technicolor.
- File:Technicolor CPE Firewall.pdf Firewall Config Application note - giving details on how the firewall can be configured via CLI
- File:TG582n CLI Guide v1.0 public.pdf for 8.4.4 firmware
- File:IPv6 AppNote v4.0 public.pdf contains IPv6 related commands found in newer firmware
- Datasheet and brochure on the Technicolor website
Firmware Versions
Version 8.4.4.1 is the factory default (as of November 2011) Version 8.4.7.0 is IPv6 enabled, and is upgraded at AAISP when configured by AAISP.
AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...
Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been recessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.
Other Settings & Config info
Admin Settings
When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp. The password will be printed on the card on the base of the router, and also seen on the control pages.
Setting up Routed Config
Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert). TODO: Describe where to find this.
Adding Static-routes
ip rtlist ip rtadd dst=network/mask gateway=gatewayip ip saveall
Really disabling the firewall
From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.
Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.
To fix, put in CLI:
firewall config state disabled firewall config icmpchecks disabled firewall config udpchecks disabled firewall config tcpchecks none
Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.
Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).
Getting rid of Open DNS Forwarder
Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.
This can be resolved by:- (a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address. (b) Telnet into the Router, logon to Administrator, then enter commands:-
dhcp server config state=disabled dhcp server pool config name LAN_custom localdns=disabled dhcp server pool config name LAN_custom primdns=217.169.20.20 dhcp server pool config name LAN_custom secdns=217.169.20.21 dhcp server config state=enabled dns server config state=disabled saveall
What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS server (notice the DHCP server can only be reconfigured while disabled).
NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- http://security.zensupport.co.uk/recdns/
Problems connection to PPTP Servers
One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.
Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:
connection applist connection unbind application PPTP port 1723 saveall
However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.
(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).
Changing PPP Password, via telnet CLI
The command should be:
ppp ifconfig intf=Internet user=x@a password=secret status=enabled
Other routers that we've used in the past:
Billion BiPAC 7800N
Factory IP: 192.168.1.254 Factory User/Pass: admin/admin
Firmware
Latest Firmware is from Billion As of October 2011 the version we ship is 1.06d
We have a copy of 1.06d here: media:UKBillion7800NV6_106d.zip
 Another useful Billion page on spaldwick.com
Comtrend
Info here: *Comtrend
Thomson
We've tested a TG789vn router (Aug 2011) which had beta IPv6 firmware (10.1.0.3), and this works. A bit more info here: [1]
Apple Airport Extreme
The Airport Extreme claims to support native IPv6 over PPPoE but we don't know of anyone who has it working. It still works via tunnels though (tunnel configuration explained on the knowledge base). You need to set the remote tunnel endpoint address to 81.187.81.6, and you need two /64 subnets off us that are statically routed to the Airport's IPv4 address. Assign an IP from one /64 as the WAN address and set the default route to our ping address "bottomless", which is 2001:8b0:0:81::51bb:51bb. Set the LAN address to the first usable IP on the second /64 and it should just work.