Router - TG582N

From AAISP Support Site

Technicolor TG582N

This page has information, config pointers for the Technicolor TG582N ADSL Router.

Documents

These files are from December 2011, supplied by Technicolor.

Firmware Versions

Version 8.4.4.1 was the factory default (as of November 2011)

Version 8.4.7.0 is IPv6 enabled version, and was being used up to June 2012.

Version 10.2.0.B is being used from June 2012.

AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...

Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been necessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.

TFTP Firmware Upgrade

In some cases, customers may want to upgrade their router manually, this can be done via TFTP or via a Windows program. Files available on request.

When setting up DHCPD, and example config is such:

host gateway {
hardware ethernet MAC:OF:YOUR:TECHNICOLOR;
fixed-address IP.GIVEN.TO.TECHNICOLOR;
next-server IP.OF.TFTP.SERVER;
filename "FIMWARE-FILE.rbi";
option tftp-server-name "DAN-T";
}

For a Firebrick:

<dhcp name="technicolor" ip="IP.GIVEN.TO.TECHNICOLOR" mac="589835 0876FF" boot="IP.OF.TFTP.SERVER" boot-file="FIMWARE-FILE.rbi">
  <send-string id="66" value="DANT-T"/>
</dhcp>

To get the router to upgrade:

  1. Power it off
  2. Hold in the reset button
  3. Turn on the power
  4. Release reset button when power light turns orange (after 10 seconds ish)

It will take about 5 minutes.

Other Settings & Config info

Admin Settings

When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp. The password will be printed on the card on the base of the router, and also seen on the control pages.

Setting up Routed Config

Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert). TODO: Describe where to find this.

HTTPS Port forward

You may have a conflicting error when trying to add a HTTPS port forward.

To stop the Technicolor listening on port 443 itself use the following commands via telnet,

service system ifdelete name=HTTPs group=wan
saveall
exit

You can then create the port forward via the web interface or cli...

Factory Reset

To factory reset a router configured by AAISP, the isp.def file will need deleting as this is not deleted when using the reset button. The isp.def file contains configuration details used by the AAISP TR069 server - as well as defining a default PPP username. The file can be deleted by FTP, eg:

ftp 192.168.1.254 
user: Administrator
pass: blank
del isp.def

The hold in the factory reset button (again) until it reboots.

IP Type Settings

Manually adjust DHCP range

You can't delete the default DHCP range from the web GUI. You need to use the CLI!

"dhcp server flush" removes all existing DHCP settings. In this example 81.187.X.Z is the router's LAN address.

dhcp server flush
dhcp server config state=enabled
dhcp server pool add name=LAN index=0
dhcp server pool config name=LAN intf=LocalNetwork poolstart=81.187.X.X poolend=81.187.X.Y netmask=28 gateway=81.187.X.Z server=81.187.X.Z primdns=217.169.20.20 secdns=217.169.20.21
saveall
dhcp server pool list

"dhcp server pool list" should be used to check whether it is set up correctly or not.

Disabling Router Advertisements (RA rt6advd)

Telnet in and: To display the inferface(s) that RA is on:

ip rt6advd iflist

Shows something like:

Flags Legend: [A]ttached [M]anaged [O]ther - Def. Rtr. Pref. [L]ow / Medi[U]m / [H]igh
Interface        AdvInterval Lifetime Reachable  Retrans.   CurHopLimit LinkMTU Flags  NextRA
---------------- ----------- -------- ---------- ---------- ----------- ------- ------ --------
LocalNetwork      200 /  600     1800          0          0          64       0 [A.OU]      249

To remove it:

ip rt6advd ifdelete

And then to a iflist again to check, and LocalNetwork should be gone.

Adding Static-routes

ip rtlist
ip rtadd dst=network/mask gateway=gatewayip
ip saveall

Enabling/Disabling NAT

To view NAT status:

nat iflist

If required, rather than going through the config wizard on the web interface, you can enable/disable NAT on the telnet interface by:

nat ifconfig intf Internet translation enabled

or

nat ifconfig intf Internet translation disabled

You may then need to:

saveall

Mixing NAT and Public addresses

Mixed NAT explains how to configure the router so that you can have NAT clients and clients with public addresses at the same time.

Firewall & Security Related

Really disabling the firewall

From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.

Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.

To fix, put in CLI:

firewall config state disabled 
firewall config icmpchecks disabled
firewall config udpchecks disabled 
firewall config tcpchecks none

Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.

Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).

Creating Custom Firewall 'Service'

The Firewall fairly flexible, bit when creating a rule you have to select the 'service' from a drop down list. There are some example already included, eg telnet, smtp, but in order to create your own 'service' you need to use the telnet CLI first. here is an example to add an RTP service, which describes UDP traffic on port 1024 though to 65535:

expr add name=RTP type=serv proto=udp dstport=1024 dstportend=65535

You can then go to the web interface and RTP will be in the drop down 'service' list.

Web Browsing Interception

Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface. From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.

Getting rid of Open DNS Forwarder

Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.

This can be resolved by:-

(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.

(b) Telnet into the Router, logon to Administrator (or aaisp from the WAN side), then enter commands:-

dhcp server config state=disabled
dhcp server pool config name LAN_custom localdns=disabled
dhcp server pool config name LAN_custom primdns=217.169.20.20
dhcp server pool config name LAN_custom secdns=217.169.20.21
dhcp server config state=enabled
dns server config state=disabled
saveall

What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS forwarder (notice the DHCP server can only be reconfigured while disabled).

The router may still be wanting to use itself as a resolver for internal lookups - eg looking up names from it's configuration such as time servers etc. Telnet in to the router and set it to use the ISPs DNS servers, eg:

dns client dnsadd addr=217.169.20.20 port=53
dns client dnsadd addr=217.169.20.21 port=53
saveall

NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- http://security.zensupport.co.uk/recdns/

Problems connection to PPTP Servers

One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.

Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:

connection applist
connection unbind application PPTP port 1723
saveall

However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.

(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).

After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem.

The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten.

To get around this NAT has to be fully turned off with the CLI command

nat ifconfig intf=Internet translation=disabled

followed by

saveall

After that inbound and outbound PPTP should be working again.

PPTP & NAT? - We've seen problems when the client is behind NAT, and the ALG/NAT on the router not passing GRE through (or something) - on a Microsoft 2003 PPTP server, the client was getting timeout Error 721. The solution was to route a block of IPs for the LAN...

Restrict access to HTTP interface by IP:

You may prefer to just restrict access to the router by IP - note this applies to the LAN and WAN, so you'll need to add your LAN addresses too

service system ipadd name=HTTP ip=YOUR.LAN.IP.BLOCK/MASK
service system ipadd name=HTTP ip=90.155.42.0/24
service system ipadd name=HTTPs ip=90.155.42.0/24
service system ipadd name=HTTPs ip=YOUR.LAN.IP.BLOCK/MASK

To view settings:

service system list name=HTTP expand=enabled
service system list name=HTTPs expand=enabled

You should then see the IP(s) in 'Ip Access List'

Then, save the settings:

saveall

Restrict access to TELNET interface by IP:

Add your LAN block first, as otherwise you'll be locked out!

service system ipadd name=TELNET ip=YOUR.LAN.BLOCK/MASK
service system ipadd name=TELNET ip=90.155.42.0/24
service system ipadd name=TELNET ip=81.187.30.0/25

Note: 90.155.42.0/24 are AAISP offices, and 81.187.30.0/25 are an AAISP server block - this will allow AAISP to log in to the router.

to view settings:

service system list name=TELNET expand=enabled

Save the settings:

saveall

To later delete the restriction:

service system ipdelete name=HTTP ip=90.155.42.0/24
saveall

Disable all ALG

You can flush all ALG bindings with the command:

connection flush
saveall

This isn't well tested - please let us know if anything breaks when you do this!

WAN Access Restrictions (HTTP/TELNET to the Router)

Here are notes on how to restrict access to the routers web and telnet interfaces, by either disabling access from the WAN (Intetnet) altogether, or by restricting access by IP address. These settings are made live as soon as they are entered, so be careful not to lock yourself out!

Disable WAN access to HTTP/Telnet:

This will disable WAN access to the routers adminitrator services

To disable WAN access to HTTP, HTTPS and telnet:

service system ifdelete name=HTTP group=wan
service system ifdelete name=HTTPs group=wan
service system ifdelete name=TELNET group=wan

To view the settings:

service system list name=HTTP expand=enabled
service system list name=TELNET expand=enabled

It should say:

Interface Group Access List lan 

Save the settings:

saveall

To later revert the setting, add back wan access by:

service system ifadd name=HTTP group=wan
saveall

Disable Wifi (Wireless)

Via HTTP interface - Home Network - WLAN - Configure - untick WLAN Enable, click Apply

Other Settings

Changing PPP Password, via telnet CLI

The command should be:

ppp ifconfig intf=Internet user=x@a password=secret status=enabled

TR069

Routers should be configured by AAISP to talk back to the AAISP TR069 server - this allows management of firmware and config by AAISP staff if required. Some older routers may not be set up correctly, and some routers on older firmware (v8) on Non natted connections may not be able to talk to the TR069 server due to a firmware bug. Routers with version 10 firmware are likely to be configured ok though. To View the TR069 settings, via telnet:

cwmp server config


3G setup

I've only worked out some of this, but I found the following got a dongle working:

  {Administrator}=>mobile ifadd intf=umts
 {Administrator}=>mobile ifconfig intf=umts apn=CHANGEME
 {Administrator}=>ppp ifadd intf=mobilebroadband
 {Administrator}=>ppp ifconfig intf=mobilebroadband dest=umts
 {Administrator}=>nat ifconfig translation=enabled intf=mobilebroadband
 {Administrator}=>ppp rtadd intf=mobilebroadband dst=0.0.0.0
 {Administrator}=>exit

I then went to the web interface http://192.168.1.254/_pppom_cfg.lp?be=0&l0=2&l1=2&name=mobilebroadband - replace 192.168.1.254 with the IP address of your router, and entered the username, password, and APN. For my vodafone SIM, the username was web, the password was web, and the APN was pp.internet.

Some further notes and sources on my blog:

(feel free to copy here if you want)

Third Party Pages

Here is someone elses page with telnet commands and info regarding the Technicolor:

Plusnet have firmware for this router at: R10.0.2.0 and R10.2.2.9. In most cases AAISP and can upgrade customers firmware remotely, please do contact Support for more information on this. The Plusnet firmware has not been tried and tested by AAISP and can't give much help if it doesn't work for you.