IPv6 Routers: Difference between revisions

From AAISP Support Site
m (Bring the default routers up to date)
(24 intermediate revisions by 6 users not shown)
Line 1: Line 1:
*For generic information on how AAISP do [[IPv6]] on DSL lines, see: [[IPv6]].
=Technicolor TG582N=


=ZyXEL VMG3925 and VMG1312=
== Documents ==
These files are from December 2011, supplied by Technicolor.


The [[:Category:ZyXEL VMG3925 B10B|VMG3925 B10B]] and [[:Category:ZyXEL VMG1312 B10D|VMG1312 B10D]] are currently AAISP's default routers, both with [[IPv6]] support.
*[[Image:Technicolor CPE Firewall.pdf]] Firewall Config Application note - giving details on how the firewall can be configured via CLI
*[[Image:TG582n CLI Guide v1.0 public.pdf]] for 8.4.4 firmware
*[[Image:IPv6 AppNote v4.0 public.pdf]] contains IPv6 related commands found in newer firmware
*[http://www.technicolor.com/en/hi/digital-home/mediaaccess/dsl/wireless/adsl/technicolor-tg582n Datasheet and brochure] on the Technicolor website


=Technicolor TG582N=
==Firmware Versions==


The [[TG582N]] was AAISP's default [[ADSL Router|ADSL router]] prior to May 2015, it was chosen due to its [[IPv6]] support. The Firmware versions that AAISP use which support [[IPv6]] include 8.4.7.0 and 10.2.0.B.
Version 8.4.4.1 is the factory default (as of November 2011)
Version 8.4.7.0 is IPv6 enabled, and is upgraded at AAISP when configured by AAISP.


The [[TG582N]] is a 4 port [[ADSL Router|ADSL router]], and can be configured so that one of the [[ethernet]] ports can support PPPoE - for connecting to an external [[FTTC Modem]] as it does not have a built-in VDSL modem. It has Wi-Fi too.
AAISP usually configure the router on their TR-069 server and run the upgrade to 8.4.7.0 before shipping, but some customers have been shipped trial-routers with the 8.4.4.1...


See the [[TG582N]] page for further information, and configuration notes (problems & fixes)
Upgrading from 8.4.4.1 is arranged by AAISP via the TR-069 CPE WAN Management protocol. This involves installing the "isp.def" as needed to persuade the router to connect to AAISP's TR-069 servers and asking AAISP to request the upgrade. Twice it has happened that the upgrade only partially completed, and it has been recessary to FTP to the router, re-uploading the isp.def, before it 'reports in' to AAISP correctly.

==Other Settings & Config info==

===Admin Settings===

When configured by A&A, the default username from the LAN side is: Administrator and from the WAN: aaisp.
The password will be printed on the card on the base of the router, and also seen on the control pages.

===Setting up Routed Config===

Use the configuration-wizard (Firefox seems to work best) and choose ADSL(Expert).
TODO: Describe where to find this.

===Adding Static-routes===

ip rtlist
ip rtadd dst=network/mask gateway=gatewayip
ip saveall

===Really disabling the firewall===

From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines.

Completely disabling the firewall seems to be necessary to allow IPv6 connections from WAN side to network, as even when IPv4 firewall is 'off', the IPv6 still seems to be firewalled.

To fix, put in CLI:
firewall config state disabled
firewall config icmpchecks disabled
firewall config udpchecks disabled
firewall config tcpchecks none

Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc.

Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).

===Web Browsing Interception===
Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface.
From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.

===Getting rid of Open DNS Forwarder===

Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is now open-access to the world! This is bad because small spoofed-source UDP-packets can be sent to the router, resulting it a *large* UDP reply of the attackers' choice, a bandwidth-multiplication attack.

This can be resolved by:-

(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.

(b) Telnet into the Router, logon to Administrator, then enter commands:-
dhcp server config state=disabled
dhcp server pool config name LAN_custom localdns=disabled
dhcp server pool config name LAN_custom primdns=217.169.20.20
dhcp server pool config name LAN_custom secdns=217.169.20.21
dhcp server config state=enabled
dns server config state=disabled
saveall

What this does, is tells the DHCPv4 server to directly give out the addresses of AAISP's recursive DNS servers and not its, own, and then completely disable the integral DNS forwarder (notice the DHCP server can only be reconfigured while disabled).

NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:-
http://security.zensupport.co.uk/recdns/

===Problems connection to PPTP Servers===

One customer has reported problems connecting to PPTP VPN servers in either direction through a tg582n with the 8.4.7.0 firmware.

Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI:
connection applist
connection unbind application PPTP port 1723
saveall

However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run.

(Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT ADSL router instead).

After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem.

The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten.

To get around this NAT has to be fully turned off with the CLI command
nat ifconfig intf=Internet translation=disabled
followed by
saveall

After that inbound and outbound PPTP should be working again.

===Changing PPP Password, via telnet CLI===

The command ''should'' be:
ppp ifconfig intf=Internet user=x@a password=secret status=enabled

===3G setup===

I've only worked out some of this, but I found the following got a dongle working:

{Administrator}=>mobile ifadd intf=umts
{Administrator}=>mobile ifconfig intf=umts apn=CHANGEME
{Administrator}=>ppp ifadd intf=mobilebroadband
{Administrator}=>ppp ifconfig intf=mobilebroadband dest=umts
{Administrator}=>nat ifconfig translation=enabled intf=mobilebroadband
{Administrator}=>ppp rtadd intf=mobilebroadband dst=0.0.0.0
{Administrator}=>exit

I then went to the web interface http://192.168.1.254/_pppom_cfg.lp?be=0&l0=2&l1=2&name=mobilebroadband - replace 192.168.1.254 with the IP address of your router, and entered the username, password, and APN. For my vodafone SIM, the username was web, the password was web, and the APN was pp.internet.

Some further notes and sources on my blog:

* http://www.mstevens.org/aa/tg582-3g.html
* http://www.mstevens.org/aa/tg582-3g-2.html

(feel free to copy here if you want)

==Third Party Pages==
Here is someone elses page with telnet commands and info regarding the Technicolor:
http://npr.me.uk/telnet.html


----
----


=Other routers that we've used in the past:=
=Other routers that we've used in the past=




Line 147: Line 28:


We have a copy of 1.06d here:
We have a copy of 1.06d here:
[[media:UKBillion7800NV6_106d.zip]]
[[media:UKBillion7800NV6 106d.zip]]




Line 157: Line 38:


==Thomson==
==Thomson==
We've tested a TG789vn router (Aug 2011) which had beta IPv6 firmware (10.1.0.3), and this works.
We've tested a TG789vn router (Aug 2011) which had beta [[IPv6]] firmware (10.1.0.3), and this works.
A bit more info here:
A bit more info here:
[http://revk.www.me.uk/2011/08/ipv6-routers-thomson-step-up-their-game.html]
[http://revk.www.me.uk/2011/08/ipv6-routers-thomson-step-up-their-game.html]
Line 163: Line 44:
==Apple Airport Extreme==
==Apple Airport Extreme==


The Airport Extreme claims to support native IPv6 over PPPoE but we don't know of anyone who has it working. It still works via tunnels though (tunnel configuration explained on the [http://aa.net.uk/kb-broadband-ipv6-tech.html knowledge base]). You need to set the remote tunnel endpoint address to 81.187.81.6, and you need two /64 subnets off us that are statically routed to the Airport's IPv4 address. Assign an IP from one /64 as the WAN address and set the default route to our ping address "bottomless", which is 2001:8b0:0:81::51bb:51bb. Set the LAN address to the first usable IP on the second /64 and it should just work.
The Airport Extreme claims to support native [[IPv6]] over PPPoE but we don't know of anyone who has it working. It still works via tunnels though (tunnel configuration explained on the [http://aa.net.uk/kb-broadband-ipv6-tech.html knowledge base]). You need to set the remote tunnel endpoint address to 81.187.81.6, and you need two /64 subnets off us that are statically routed to the Airport's IPv4 address. Assign an IP from one /64 as the WAN address and set the default route to our ping address "bottomless", which is 2001:8b0:0:81::51bb:51bb. Set the LAN address to the first usable IP on the second /64 and it should just work.

Note that the firmware 7.6.3 breaks tunnels configured under earlier firmware but there is a simple fix. Using the latest version of Airport Utility you need to add an [[IPv6]] Delegated Prefix. The easy way seems to be to copy and paste the address from the [[IPv6]] LAN address field and add /64 to the end - otherwise it assumes a /48. Further details here: http://arstechnica.com/apple/2013/02/airport-extreme-update-breaks-ipv6-tunnels-but-heres-how-to-fix-it/

==ASUS RT-N66U==

The RT-N66U does pretty much "just work" with [[IPv6]]. Running the TomatoUSB firmware it was just a case of enabling "Native [[IPv6]]" in the [[IPv6]] options and giving the router's LAN interface an address from the allocated /64. The router appears to have enabled RA by default, so everything on the LAN side "just works"

==TP-Link TD-8817==

From a customer:

"The current v8 firmware does support [[IPv6]] properly, but for it to be distributed to connected devices, not only DHCPv6 needs to be enabled, but also RADVD (this setting is not currently described in the modem's user manual). Leaving the sub-settings for RADVD to their default seems fine."


[[Category:IPv6]] [[Category:Router]]

Revision as of 16:43, 19 September 2019

  • For generic information on how AAISP do IPv6 on DSL lines, see: IPv6.

ZyXEL VMG3925 and VMG1312

The VMG3925 B10B and VMG1312 B10D are currently AAISP's default routers, both with IPv6 support.

Technicolor TG582N

The TG582N was AAISP's default ADSL router prior to May 2015, it was chosen due to its IPv6 support. The Firmware versions that AAISP use which support IPv6 include 8.4.7.0 and 10.2.0.B.

The TG582N is a 4 port ADSL router, and can be configured so that one of the ethernet ports can support PPPoE - for connecting to an external FTTC Modem as it does not have a built-in VDSL modem. It has Wi-Fi too.

See the TG582N page for further information, and configuration notes (problems & fixes)


Other routers that we've used in the past

Billion BiPAC 7800N

Factory IP: 192.168.1.254 Factory User/Pass: admin/admin

Firmware

Latest Firmware is from Billion As of October 2011 the version we ship is 1.06d

We have a copy of 1.06d here: media:UKBillion7800NV6 106d.zip



Another useful Billion page on spaldwick.com

Comtrend

Info here: *Comtrend

Thomson

We've tested a TG789vn router (Aug 2011) which had beta IPv6 firmware (10.1.0.3), and this works. A bit more info here: [1]

Apple Airport Extreme

The Airport Extreme claims to support native IPv6 over PPPoE but we don't know of anyone who has it working. It still works via tunnels though (tunnel configuration explained on the knowledge base). You need to set the remote tunnel endpoint address to 81.187.81.6, and you need two /64 subnets off us that are statically routed to the Airport's IPv4 address. Assign an IP from one /64 as the WAN address and set the default route to our ping address "bottomless", which is 2001:8b0:0:81::51bb:51bb. Set the LAN address to the first usable IP on the second /64 and it should just work.

Note that the firmware 7.6.3 breaks tunnels configured under earlier firmware but there is a simple fix. Using the latest version of Airport Utility you need to add an IPv6 Delegated Prefix. The easy way seems to be to copy and paste the address from the IPv6 LAN address field and add /64 to the end - otherwise it assumes a /48. Further details here: http://arstechnica.com/apple/2013/02/airport-extreme-update-breaks-ipv6-tunnels-but-heres-how-to-fix-it/

ASUS RT-N66U

The RT-N66U does pretty much "just work" with IPv6. Running the TomatoUSB firmware it was just a case of enabling "Native IPv6" in the IPv6 options and giving the router's LAN interface an address from the allocated /64. The router appears to have enabled RA by default, so everything on the LAN side "just works"

TP-Link TD-8817

From a customer:

"The current v8 firmware does support IPv6 properly, but for it to be distributed to connected devices, not only DHCPv6 needs to be enabled, but also RADVD (this setting is not currently described in the modem's user manual). Leaving the sub-settings for RADVD to their default seems fine."