Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - TG582N: Difference between revisions

← Older editNewer edit →
Content deleted Content added
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
No edit summary
Line 1: Line 1:


=Technicolor TG582N=
= Technicolor TG582N =

http://aa.net.uk/i/images/t582-small.png
This page has information, config poitners for the Technicolor TG582N ADSL Router.

== Documents ==


== Documents ==
These files are from December 2011, supplied by Technicolor.
These files are from December 2011, supplied by Technicolor.


Line 11: Line 13:
*[http://www.technicolor.com/en/hi/digital-home/mediaaccess/dsl/wireless/adsl/technicolor-tg582n Datasheet and brochure] on the Technicolor website
*[http://www.technicolor.com/en/hi/digital-home/mediaaccess/dsl/wireless/adsl/technicolor-tg582n Datasheet and brochure] on the Technicolor website


==Firmware Versions==
== Firmware Versions ==


Version 8.4.4.1 is the factory default (as of November 2011)
Version 8.4.4.1 is the factory default (as of November 2011) Version 8.4.7.0 is IPv6 enabled, and is upgraded at AAISP when configured by AAISP.
Version 8.4.7.0 is IPv6 enabled, and is upgraded at AAISP when configured by AAISP.


AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...
AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...


Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been recessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.
Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been recessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.


==Other Settings & Config info==
== Other Settings & Config info ==


===Admin Settings===
=== Admin Settings ===


When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp.
When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp. The password will be printed on the card on the base of the router, and also seen on the control pages.
The password will be printed on the card on the base of the router, and also seen on the control pages.


===Setting up Routed Config===
=== Setting up Routed Config ===


Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert).
Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert). TODO: Describe where to find this.
TODO: Describe where to find this.


===Adding Static-routes===
=== Adding Static-routes ===


ip rtlist
ip rtlist
ip rtadd dst=network/mask gateway=gatewayip
ip rtadd dst=network/mask gateway=gatewayip
ip saveall
ip saveall


===Really disabling the firewall===
=== Really disabling the firewall ===


From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.
From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.


Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.
Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.

To fix, put in CLI:


To fix, put in CLI:
firewall config state disabled
firewall config state disabled
firewall config icmpchecks disabled
firewall config icmpchecks disabled
Line 50: Line 50:
firewall config tcpchecks none
firewall config tcpchecks none


Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.
Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.


Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).
Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).


===Web Browsing Interception===
=== Web Browsing Interception ===
Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface.
From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.


Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface. From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.
===Getting rid of Open DNS Forwarder===


=== Getting rid of Open DNS Forwarder ===
Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.


Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.
This can be resolved by:-


This can be resolved by:-
(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.

(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.

(b) Telnet into the Router, logon to Administrator, then enter commands:-


(b) Telnet into the Router, logon to Administrator, then enter commands:-
dhcp server config state=disabled
dhcp server config state=disabled
dhcp server pool config name LAN_custom localdns=disabled
dhcp server pool config name LAN_custom localdns=disabled
Line 75: Line 76:
saveall
saveall


What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS forwarder (notice the DHCP server can only be reconfigured while disabled).
What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS forwarder (notice the DHCP server can only be reconfigured while disabled).


NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:-
NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- http://security.zensupport.co.uk/recdns/
http://security.zensupport.co.uk/recdns/


===Manually adjust DHCP range===
=== Manually adjust DHCP range ===

You can't delete the default DHCP range from the web GUI. You need to use the CLI!
You can't delete the default DHCP range from the web GUI. You need to use the CLI!

"dhcp server flush" removes all existing DHCP settings. In this example 81.187.X.Z is the router's LAN address.


"dhcp server flush" removes all existing DHCP settings. In this example 81.187.X.Z is the router's LAN address.
dhcp server flush
dhcp server flush
dhcp server config state=enabled
dhcp server config state=enabled
Line 90: Line 92:
saveall
saveall
dhcp server pool list
dhcp server pool list
"dhcp server pool list" should be used to check whether it is set up correctly or not.


"dhcp server pool list" should be used to check whether it is set up correctly or not.
===Problems connection to PPTP Servers===


=== Problems connection to PPTP Servers ===
One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.

One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.

Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:


Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:
connection applist
connection applist
connection unbind application PPTP port 1723
connection unbind application PPTP port 1723
saveall
saveall


However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.
However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.


(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).
(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).


After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem.
After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem.


The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten.
The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten.

To get around this NAT has to be fully turned off with the CLI command


To get around this NAT has to be fully turned off with the CLI command
nat ifconfig intf=Internet translation=disabled
nat ifconfig intf=Internet translation=disabled

followed by
followed by

saveall
saveall


After that inbound and outbound PPTP should be working again.
After that inbound and outbound PPTP should be working again.


===Changing PPP Password, via telnet CLI===
=== Changing PPP Password, via telnet CLI ===

The command ''should'' be:


The command ''should'' be:
ppp ifconfig intf=Internet user=x@a password=secret status=enabled
ppp ifconfig intf=Internet user=x@a password=secret status=enabled


===Enabling/Disabling NAT===
=== Enabling/Disabling NAT ===

If required, rather than going through the config wizard on the web interface, you can enable/disable NAT on the telnet interface by:
If required, rather than going through the config wizard on the web interface, you can enable/disable NAT on the telnet interface by:

nat ifconfig intf Internet translation enabled
nat ifconfig intf Internet translation enabled

or
or

nat ifconfig intf Internet translation disabled
nat ifconfig intf Internet translation disabled


You may then need to:
You may then need to:

saveall
saveall


===3G setup===
=== 3G setup ===

I've only worked out some of this, but I found the following got a dongle working:

{Administrator}=>mobile ifadd intf=umts
{Administrator}=>mobile ifconfig intf=umts apn=CHANGEME
{Administrator}=>ppp ifadd intf=mobilebroadband
{Administrator}=>ppp ifconfig intf=mobilebroadband dest=umts
{Administrator}=>nat ifconfig translation=enabled intf=mobilebroadband
{Administrator}=>ppp rtadd intf=mobilebroadband dst=0.0.0.0
{Administrator}=>exit


I then went to the web interface http://192.168.1.254/_pppom_cfg.lp?be=0&l0=2&l1=2&name=mobilebroadband - replace 192.168.1.254 with the IP address of your router, and entered the username, password, and APN. For my vodafone SIM, the username was web, the password was web, and the APN was pp.internet.
I've only worked out some of this, but I found the following got a dongle working:


Some further notes and sources on my blog:
{Administrator}=>mobile ifadd intf=umts
{Administrator}=>mobile ifconfig intf=umts apn=CHANGEME
{Administrator}=>ppp ifadd intf=mobilebroadband
{Administrator}=>ppp ifconfig intf=mobilebroadband dest=umts
{Administrator}=>nat ifconfig translation=enabled intf=mobilebroadband
{Administrator}=>ppp rtadd intf=mobilebroadband dst=0.0.0.0
{Administrator}=>exit


*http://www.mstevens.org/aa/tg582-3g.html
I then went to the web interface http://192.168.1.254/_pppom_cfg.lp?be=0&l0=2&l1=2&name=mobilebroadband - replace 192.168.1.254 with the IP address of your router, and entered the username, password, and APN. For my vodafone SIM, the username was web, the password was web, and the APN was pp.internet.
*http://www.mstevens.org/aa/tg582-3g-2.html


(feel free to copy here if you want)
Some further notes and sources on my blog:


== Third Party Pages ==
* http://www.mstevens.org/aa/tg582-3g.html
* http://www.mstevens.org/aa/tg582-3g-2.html


Here is someone elses page with telnet commands and info regarding the Technicolor:
(feel free to copy here if you want)


*http://npr.me.uk/telnet.html
==Third Party Pages==
Here is someone elses page with telnet commands and info regarding the Technicolor:
*http://npr.me.uk/telnet.html
*http://www.poly-math.com/blog/?p=68
*http://www.poly-math.com/blog/?p=68
Retrieved from "http://support.aa.net.uk/Router_-_TG582N"