Router - TG582N - Firewall and Port Forwarding

From AAISP Support Site
Revision as of 08:03, 18 June 2013 by AA-Andrew (page created)

Firewall & Security Related

Really disabling the firewall

From a customer: While going mad with a TG582N tonight, I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to fail over to 3G. I guess it would also break if you had 2 ADSL lines.

Completely disabling the firewall also seems to be necessary to allow IPv6 connections from the WAN side into the network: even when the IPv4 firewall is 'off', IPv6 still seems to be firewalled.

To fix, enter the following in the telnet CLI:

firewall config state disabled 
firewall config icmpchecks disabled
firewall config udpchecks disabled 
firewall config tcpchecks none

Disabling the firewall also allows access to the router's internal services from the WAN side, although there seems to be some default logic preventing these from working, e.g. "User 'Administrator' is disallowed to login from wan to telnet". If you rely on that behaviour, it is safer to remove the wan group from each service explicitly, as described under WAN Access Restrictions below.

Disabling the firewall also exposes the DNS forwarder, whose software seems to have NO restriction on the client IP it will answer. A forwarder that answers recursive queries from any Internet address is an open resolver and can be abused for DNS reflection/amplification traffic, so check it from outside the LAN after making this change.
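The following is an added example, not code from the AAISP page or from Technicolor: a small open-resolver check to run from a host outside the LAN (a VPS or a 3G tether) against the router's WAN address once the firewall has been disabled. It builds a standard recursive A query with the standard library, sends it to UDP/53 on the router and classifies the reply from the header flags (RA = recursion available, RCODE 5 = refused). The router address 203.0.113.10 and the query name are assumptions; substitute your own.

```python
import random
import socket
import struct

# Assumptions (constructed values): replace ROUTER_WAN_IP with the router's public
# address. 203.0.113.10 is a documentation address, not a real router.
ROUTER_WAN_IP = "203.0.113.10"
QUERY_NAME = "example.com"


def build_query(name, qid=None):
    """Build a standard recursive A query (RD=1) for `name` as raw wire bytes."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (ask the forwarder to recurse)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, expected_id):
    """Pull the header fields that tell us whether the forwarder recursed for us."""
    if len(data) < 12:
        raise ValueError("response too short for a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),        # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(fields):
    """Map parsed header fields to a verdict for the exposure check."""
    if not fields["is_response"]:
        return "not-a-response"
    if fields["rcode"] == 5:
        return "refused"            # REFUSED: forwarder will not serve this client
    if fields["recursion_available"]:
        return "open-resolver"      # RA set: it recursed for an outside client
    return "answered-without-recursion"


def check_open_resolver(host, name=QUERY_NAME, timeout=3.0):
    """Send one query to host:53 and classify the reply; 'no-reply' means filtered."""
    qid = random.randrange(0, 0x10000)
    packet = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify(parse_response(data, qid))


if __name__ == "__main__":
    print(ROUTER_WAN_IP, check_open_resolver(ROUTER_WAN_IP))
```

A result of "open-resolver" from the WAN side means the forwarder is answering recursive queries for anyone; "refused" or "no-reply" is what you want to see.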

Creating Custom Firewall 'Service'

The firewall is fairly flexible, but when creating a rule you have to select the 'service' from a drop-down list. Some examples are already included, e.g. telnet and smtp, but to create your own 'service' you first need to define it in the telnet CLI. Here is an example that adds an RTP service describing UDP traffic on ports 1024 through 65535:

expr add name=RTP type=serv proto=udp dstport=1024 dstportend=65535

You can then go to the web interface and RTP will be in the drop down 'service' list.

Web Browsing Interception

By default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature that sits in the path of LAN web traffic, and it should be disabled. The setting can be found and easily changed in the web interface: from the left menu, Technicolor Gateway - Configuration - Configure, set Web Browsing Interception to Disabled.


HTTP/HTTPS Port forward

You may get a conflict error when trying to add an HTTP/HTTPS port forward via the web interface's game/application sharing page, because the router's own web server is already bound to ports 80 and 443 on the WAN interface.

To stop the Technicolor listening on ports 80 and 443 itself, use the following commands via telnet (note that this also removes WAN access to the router's own web interface):

service system ifdelete name=HTTP group=wan
service system ifdelete name=HTTPs group=wan
saveall
exit

You can then create the port forward via the web interface or the CLI.


Restrict access to HTTP interface by IP:

You may prefer to restrict access to the router's web interface by source IP instead. Note that this list applies to both LAN and WAN clients, so you'll need to add your LAN addresses too, or you will lose access from the LAN as well.

service system ipadd name=HTTP ip=YOUR.LAN.IP.BLOCK/MASK
service system ipadd name=HTTP ip=90.155.42.0/24
service system ipadd name=HTTPs ip=90.155.42.0/24
service system ipadd name=HTTPs ip=YOUR.LAN.IP.BLOCK/MASK

To view settings:

service system list name=HTTP expand=enabled
service system list name=HTTPs expand=enabled

You should then see the IP(s) in 'Ip Access List'

Then, save the settings:

saveall

Restrict access to TELNET interface by IP:

Add your LAN block first, as otherwise you'll be locked out!

service system ipadd name=TELNET ip=YOUR.LAN.BLOCK/MASK
service system ipadd name=TELNET ip=90.155.42.0/24
service system ipadd name=TELNET ip=81.187.30.0/25

Note: 90.155.42.0/24 is the AAISP office block and 81.187.30.0/25 is an AAISP server block; adding these allows AAISP support to log in to the router.

To view the settings:

service system list name=TELNET expand=enabled

Save the settings:

saveall

To later delete a restriction (one ipdelete per service and prefix, e.g. for HTTP):

service system ipdelete name=HTTP ip=90.155.42.0/24
saveall
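The HTTP/HTTPs and TELNET restriction procedures above both carry the same trap: the list takes effect as soon as the first ipadd is typed, so the block you are connecting from has to go in first. The following is an added example, not code from the AAISP page: it takes the LAN block and the address you are administering from, refuses to produce a command list that would lock that address out, and emits the ipadd lines LAN-first for all three services followed by the list and saveall steps. The two AAISP prefixes are the ones named on this page; the LAN block and admin address in the usage line are assumptions.

```python
import ipaddress

# The AAISP blocks below are the ones named on this page; 192.168.1.0/24 and
# 192.168.1.10 used in __main__ are constructed example values.
AAISP_OFFICES = "90.155.42.0/24"
AAISP_SERVERS = "81.187.30.0/25"
SERVICES = ("HTTP", "HTTPs", "TELNET")


def plan_ip_restriction(lan_block, admin_ip, services=SERVICES,
                        extra_blocks=(AAISP_OFFICES, AAISP_SERVERS)):
    """Return the CLI lines to type, LAN block first, or raise if admin_ip would be locked out."""
    lan = ipaddress.ip_network(lan_block, strict=False)
    extras = [ipaddress.ip_network(b, strict=False) for b in extra_blocks]
    admin = ipaddress.ip_address(admin_ip)
    allowed = [lan, *extras]
    # Lock-out guard: the host you are typing from must be inside some allowed block,
    # because the restriction is live from the first ipadd onwards.
    if not any(admin in net for net in allowed):
        raise ValueError(f"{admin_ip} is not covered by any allowed block; "
                         "applying this list would lock you out")
    lines = []
    for svc in services:
        for net in allowed:  # LAN block is always emitted before the remote blocks
            lines.append(f"service system ipadd name={svc} ip={net.with_prefixlen}")
    for svc in services:
        lines.append(f"service system list name={svc} expand=enabled")
    lines.append("saveall")
    return lines


if __name__ == "__main__":
    for line in plan_ip_restriction("192.168.1.0/24", "192.168.1.10"):
        print(line)
```

Paste the output into the telnet session in order; the list commands let you confirm each service's 'Ip Access List' before saveall commits it.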

Disable all ALG

You can flush all ALG bindings with the following commands:

connection flush
saveall

This isn't well tested; please let us know if anything breaks when you do this!

WAN Access Restrictions (HTTP/TELNET to the Router)

Here are notes on how to restrict access to the router's web and telnet interfaces, either by disabling access from the WAN (Internet) altogether, or by restricting access by IP address. These settings go live as soon as they are entered, so be careful not to lock yourself out!

Disable WAN access to HTTP/Telnet:

This will disable WAN access to the router's administrative services.

To disable WAN access to HTTP, HTTPS and telnet:

service system ifdelete name=HTTP group=wan
service system ifdelete name=HTTPs group=wan
service system ifdelete name=TELNET group=wan

To view the settings:

service system list name=HTTP expand=enabled
service system list name=TELNET expand=enabled

It should say:

Interface Group Access List lan 

Save the settings:

saveall

To later revert the setting, add WAN access back (repeat for HTTPs and TELNET as needed):

service system ifadd name=HTTP group=wan
saveall
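After removing the wan group from HTTP, HTTPs and TELNET, the check a practitioner wants is made from outside the LAN rather than from the router's own list output. The following is an added example, not code from the AAISP page: it probes the three admin ports on the router's WAN address with plain TCP connects and classifies each as open, refused or filtered, and includes an offline self-check against a throwaway loopback listener so the classifier can be trusted before it is pointed at a router. The WAN address 203.0.113.10 is an assumption; run it from a VPS or a 3G tether, not from the LAN.

```python
import socket

# Assumption: run from a host OUTSIDE the LAN against the router's WAN address.
# 203.0.113.10 is a documentation address, not a real router; replace it.
ROUTER_WAN_IP = "203.0.113.10"
ADMIN_PORTS = {"TELNET": 23, "HTTP": 80, "HTTPs": 443}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as seen from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: the service answers from here
    except ConnectionRefusedError:
        return "refused"           # RST came back: nothing listening on that interface
    except (socket.timeout, TimeoutError):
        return "filtered"          # no reply: dropped by the firewall or an upstream filter
    except OSError as exc:
        return f"error:{exc.errno}"  # e.g. network unreachable from this host


def check_admin_exposure(host=ROUTER_WAN_IP, ports=ADMIN_PORTS, timeout=3.0):
    """Probe each admin service; after 'ifdelete ... group=wan' none should be 'open'."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def still_exposed(results):
    """Names of services that still answered from the WAN side, sorted for stable output."""
    return sorted(name for name, state in results.items() if state == "open")


def self_check():
    """Offline sanity check: a loopback listener must read as open, then refused once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("self-check:", self_check())
    results = check_admin_exposure()
    for name, state in results.items():
        print(f"{name:7s} tcp/{ADMIN_PORTS[name]:<4d} {state}")
    print("still reachable from WAN:", still_exposed(results) or "none")
```

"filtered" on all three ports is the normal result with the firewall on; with the firewall disabled as described earlier on this page, expect "refused" once the wan group has been removed, and "open" for any service that still has it.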