Router - TG582N
Technicolor TG582N
This page has information, config pointers for the Technicolor TG582N ADSL Router.
Documents
These files are from December 2011, supplied by Technicolor.
- File:Technicolor CPE Firewall.pdf Firewall Config Application note - giving details on how the firewall can be configured via CLI
- File:TG582n CLI Guide v1.0 public.pdf for 8.4.4 firmware
- File:IPv6 AppNote v4.0 public.pdf contains IPv6 related commands found in newer firmware
- Datasheet and brochure on the Technicolor website
Firmware Versions
Version 8.4.4.1 was the factory default (as of November 2011)
Version 8.4.7.0 is IPv6 enabled version, and was being used up to June 2012.
Version 10.2.0.B is being used from June 2012.
AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...
Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been necessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.
TFTP Firmware Upgrade
In some cases, customers may want to upgrade their router manually, this can be done via TFTP or via a Windows program. Files available on request.
When setting up DHCPD, and example config is such:
host gateway { hardware ethernet MAC:OF:YOUR:TECHNICOLOR; fixed-address IP.GIVEN.TO.TECHNICOLOR; next-server IP.OF.TFTP.SERVER; filename "FIMWARE-FILE.rbi"; option tftp-server-name "DAN-T"; }
For a Firebrick:
<dhcp name="technicolor" ip="IP.GIVEN.TO.TECHNICOLOR" mac="589835 0876FF" boot="IP.OF.TFTP.SERVER" boot-file="FIMWARE-FILE.rbi"> <send-string id="66" value="DANT-T"/> </dhcp>
To get the router to upgrade:
- Power it off
- Hold in the reset button
- Turn on the power
- Release reset button when power light turns orange (after 10 seconds ish)
It will take about 5 minutes.
Other Settings & Config info
Admin Settings
When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp. The password will be printed on the card on the base of the router, and also seen on the control pages.
Setting up Routed Config
Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert). TODO: Describe where to find this.
Adding Static-routes
ip rtlist ip rtadd dst=network/mask gateway=gatewayip ip saveall
Really disabling the firewall
From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.
Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.
To fix, put in CLI:
firewall config state disabled firewall config icmpchecks disabled firewall config udpchecks disabled firewall config tcpchecks none
Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.
Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).
Web Browsing Interception
Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface. From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.
Getting rid of Open DNS Forwarder
Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.
This can be resolved by:-
(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.
(b) Telnet into the Router, logon to Administrator (or aaisp from the WAN side), then enter commands:-
dhcp server config state=disabled dhcp server pool config name LAN_custom localdns=disabled dhcp server pool config name LAN_custom primdns=217.169.20.20 dhcp server pool config name LAN_custom secdns=217.169.20.21 dhcp server config state=enabled dns server config state=disabled saveall
What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS forwarder (notice the DHCP server can only be reconfigured while disabled).
The router may still be wanting to use itself as a resolver for internal lookups - eg looking up names from it's configuration such as time servers etc. Telnet in to the router and set it to use the ISPs DNS servers, eg:
dns client dnsadd addr=217.169.20.20 port=53 dns client dnsadd addr=217.169.20.21 port=53 saveall
NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- http://security.zensupport.co.uk/recdns/
Manually adjust DHCP range
You can't delete the default DHCP range from the web GUI. You need to use the CLI!
"dhcp server flush" removes all existing DHCP settings. In this example 81.187.X.Z is the router's LAN address.
dhcp server flush dhcp server config state=enabled dhcp server pool add name=LAN index=0 dhcp server pool config name=LAN intf=LocalNetwork poolstart=81.187.X.X poolend=81.187.X.Y netmask=28 gateway=81.187.X.Z server=81.187.X.Z primdns=217.169.20.20 secdns=217.169.20.21 saveall dhcp server pool list
"dhcp server pool list" should be used to check whether it is set up correctly or not.
Problems connection to PPTP Servers
One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.
Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:
connection applist connection unbind application PPTP port 1723 saveall
However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.
(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).
After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem.
The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten.
To get around this NAT has to be fully turned off with the CLI command
nat ifconfig intf=Internet translation=disabled
followed by
saveall
After that inbound and outbound PPTP should be working again.
PPTP & NAT? - We've seen problems when the client is behind NAT, and the ALG/NAT on the router not passing GRE through (or something) - on a Microsoft 2003 PPTP server, the client was getting timeout Error 721. The solution was to route a block of IPs for the LAN...
Changing PPP Password, via telnet CLI
The command should be:
ppp ifconfig intf=Internet user=x@a password=secret status=enabled
Enabling/Disabling NAT
If required, rather than going through the config wizard on the web interface, you can enable/disable NAT on the telnet interface by:
nat ifconfig intf Internet translation enabled
or
nat ifconfig intf Internet translation disabled
You may then need to:
saveall
TR069
Routers should be configured by AAISP to talk back to the AAISP TR069 server - this allows management of firmware and config by AAISP staff if required. Some older routers may not be set up correctly, and some routers on older firmware (v8) on Non natted connections may not be able to talk to the TR069 server due to a firmware bug. Routers with version 10 firmware are likely to be configured ok though. To View the TR069 settings, via telnet:
cwmp server config
Factory Reset
To factory reset a router configured by AAISP, the isp.def file will need deleting as this is not deleted when using the reset button. The isp.def file contains configuration details used by the AAISP TR069 server - as well as defining a default PPP username. The file can be deleted by FTP, eg:
ftp 192.168.1.254 user: Administrator pass: blank del isp.def
The hold in the factory reset button (again) until it reboots.
3G setup
I've only worked out some of this, but I found the following got a dongle working:
{Administrator}=>mobile ifadd intf=umts {Administrator}=>mobile ifconfig intf=umts apn=CHANGEME {Administrator}=>ppp ifadd intf=mobilebroadband {Administrator}=>ppp ifconfig intf=mobilebroadband dest=umts {Administrator}=>nat ifconfig translation=enabled intf=mobilebroadband {Administrator}=>ppp rtadd intf=mobilebroadband dst=0.0.0.0 {Administrator}=>exit
I then went to the web interface http://192.168.1.254/_pppom_cfg.lp?be=0&l0=2&l1=2&name=mobilebroadband - replace 192.168.1.254 with the IP address of your router, and entered the username, password, and APN. For my vodafone SIM, the username was web, the password was web, and the APN was pp.internet.
Some further notes and sources on my blog:
(feel free to copy here if you want)
WAN Access Restrictions (HTTP/TELNET to the Router)
Disable WAN access to HTTP/Telnet:
This will disable WAN access to the routers adminitrator services
To disable WAN access to HTTP, HTTPS and telnet:
service system ifdelete name=HTTP group=wan service system ifdelete name=HTTPs group=wan service system ifdelete name=TELNET group=wan
To view the settings:
service system list name=HTTP expand=enabled service system list name=TELNET expand=enabled
It should say:
Interface Group Access List lan
Save the settings:
saveall
Restrict access to HTTP interface by IP:
You may prefer to just restrict access to the router by IP - note this applies to the LAN and WAN, so you'll need to add your LAN addresses too
service system ipadd name=HTTP ip=90.155.42.0/24 service system ipadd name=HTTP ip=81.187.40.208/28 service system ipadd name=HTTPs ip=90.155.42.0/24 service system ipadd name=HTTPs ip=81.187.40.208/28
to view settings:
service system list name=HTTP expand=enabled service system list name=HTTPs expand=enabled
You should then see the IP(s) in 'Ip Access List'
Save the settings:
saveall
Restrict access to TELNET interface by IP:
Add your LAN block first, as otherwise you'll be locked out!
service system ipadd name=TELNET ip=YOUR.LAN.BLOCK/MASK service system ipadd name=TELNET ip=90.155.42.0/24 service system ipadd name=TELNET ip=81.187.30.0/25
Note: 90.155.42.0/24 are AAISP offices, and 81.187.30.0/25 are an AAISP server block - this will allow AAISP to log in to the router.
to view settings:
service system list name=TELNET expand=enabled
Save the settings:
saveall
To later delete the restriction:
service system ipdelete name=HTTP ip=90.155.42.0/24 saveall
Third Party Pages
Here is someone elses page with telnet commands and info regarding the Technicolor:
R10.0.2.0 DEMO firmware for TG582N from PlusNet