Router - TG582N - Firewall and Port Forwarding: Difference between revisions

← Older edit

Router - TG582N - Firewall and Port Forwarding (view source)

Revision as of 00:18, 18 August 2018

5,711 bytes added , 18 August 2018

→‎top: clean up

Reedy

editor

698

edits

Revision as of 08:03, 18 June 2013 (view source) AA-Andrew (talk \| contribs) (Created page with "== Firewall & Security Related== === Really disabling the firewall === From a customer: While going mad with a tg582n tonight. I discovered they try to do stateful firewall...")		Latest revision as of 00:18, 18 August 2018 (view source) Reedy (talk \| contribs) (→‎top: clean up)
(31 intermediate revisions by 6 users not shown)
[[Image:T582-small.png\|link=:Category:Router TG582N\|Got to Main TG582N Page]] ~~== Firewall & Security Related==~~ Also see: Router - [[Router - TG582N - Port Forwarding UI]] = Firewall & Security Related= Certain aspects of the firewall can be configured from the web interface, but not all. (e.g. adding a new 'service' needs to be done from Telnet). There is some information in the Firewall PDF Document: [[File:Technicolor CPE Firewall.pdf]] *Other information can be found on this 3rd party page: http://phil.tinsleyviaduct.com/tg582nfirewall.html === Really disabling the firewall === From a customer: While going mad with a [[TG582N\|tg582n]] tonight. I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to failover to 3G. I guess it would also break if you had 2 ADSL lines. ''[ There should be a special circle of hell reserved for the designers who created a firewall '''level''' of 'Disabled' and a firewall '''state''' '' of 'disabled' which are very different concepts. ] Completely disabling the firewall seems to be necessary to allow [[IPv6]] connections from WAN side to network, as even when IPv4 firewall is 'off', the [[IPv6]] still seems to be firewalled. - but first see [[#Configure the Firewall for IPv6]] To fix, put in CLI: firewall config tcpchecks none Disabling the firewall also allows access to the routers' internal services from the WAN-side, although there seems to be some default logic disallowing these to function e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc. ''(Actually this is in the config - user 'Administrator' has Administrator rights for local admin only, user 'admin' has SuperUser rights for remote admin only).'' Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!). ===Creating Custom Firewall 'Service'=== The Firewall fairly flexible, ~~bit~~but when creating a rule you have to select the 'service' from a drop down list. There are some example already included, ege.g. telnet, smtp, but in order to create your own 'service' you need to use the telnet CLI first. here is an example to add an RTP service, which describes UDP traffic on port 1024 though to 65535: expr add name=RTP type=serv proto=udp dstport=1024 dstportend=65535 You can then go to the web interface and RTP will be in the drop down 'service' list. If you fancy some experimentation, one could add 'services' which essentially cover all packets: ~~=== Web Browsing Interception ===~~ :expr add name=all_tcp_ports type=serv proto=tcp dstport=1 dstportend=65535 :expr add name=all_udp_ports type=serv proto=udp dstport=1 dstportend=65535 :expr add name=all_icmp type=serv proto=icmp icmpcode=0 icmpcodeend=15 :expr add name=all_icmp6 type=serv proto=icmpv6 icmpcode=0 icmpcodeend=15 and use these services in rules for some local host(s). This would allow you to run the firewall, but have unfettered access to some local host(s). ===Configure the Firewall for IPv6=== Instead of shutting down the firewall completely, you can configure it to allow access to specific services on specific hosts. It actually works just like the IPv4 firewall—but the WebUI has the firewall mixed up with port-forwarding. So all of this has to be done with the Telnet CLI. First, identify or define a firewall service: :expr list type=serv :expr add name=plex type=serv proto=tcp dstport=32400 Identify your host (or netblock): :expr add name=myserv_v6 type=ip addr=2001:db8::dead:beef :expr add name=allhosts_v6 type=ip addr=2001:db8::/64 Add the new rule to the forward_custom chain (you can use e.g.'name=inbound_ssh' to give the rule a name which will be shown in the rule list): :firewall rule add chain=forward_custom srcintf=wan dstip=myserv_v6 serv=plex action=accept :firewall rule add chain=forward_custom srcintf=wan dstip=allhosts_v6 serv=ssh action=accept Show the rules: :firewall rule list chain=forward_custom Show the rules in the same format as used to enter them (handy for cut 'n paste): :firewall rule list chain=forward_custom format=cli Remove a rule: :firewall rule delete chain=forward_custom index=1 (Thanks to the links above and extensive use of the router's built-in 'help' facility.) = Web Browsing Interception = Be default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface. From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled. = HTTP/HTTPS/Telnet servers on the TG582n = There are servers which are often configured to run on the TG582n. These can cause issues when trying to port forward using their ~~=== HTTP/HTTPS Port forward ===~~ port numbers. There can also be security issues, especially if you have disabled the firewall. == HTTP/HTTPS Port forward == ~~You may have a conflicting error when trying to add a HTTP/S port forward using gaming application.~~ If you are wanting to port forward HTTP or HTTPS on the Technicolor, then as it also has a web server you may have a conflicting error when trying to add a HTTP/S port forward using gaming application. ~~To stop the Technicolor listening on port 80 & 443 itself use the following commands via telnet,~~ You will need to stop the Technicolor listening on port 80 & 443 itself on the WAN. Use the following commands via telnet, service system ifdelete name=HTTP group=wan === Restrict access to HTTP interface by IP:= == You may prefer to just restrict access to the router by IP - note this applies to the LAN and WAN, so you'll need to add your LAN addresses too saveall === Restrict access to TELNET interface by IP: === '''Add your LAN block first, as otherwise you'll be locked out!''' saveall == WAN Access Restrictions (HTTP/TELNET to the Router) == ~~=== Disable all ALG ===~~ Here are notes on how to restrict access to the routers web and telnet interfaces, by either disabling access from the WAN (Internet) altogether, or by restricting access by IP address. These settings are made live as soon as they are entered, so be careful not to lock yourself out! ===Disable WAN access to HTTP/Telnet=== ~~You can flush all ALG bindings with the command:~~ This will disable WAN access to the routers administrator services ~~connection flush~~ ~~saveall~~ ~~This isn't well tested - please let us know if anything breaks when you do this!~~ ~~=== WAN Access Restrictions (HTTP/TELNET to the Router)===~~ Here are notes on how to restrict access to the routers web and telnet interfaces, by either disabling access from the WAN (Intetnet) altogether, or by restricting access by IP address. These settings are made live as soon as they are entered, so be careful not to lock yourself out! ~~===Disable WAN access to HTTP/Telnet:===~~ ~~This will disable WAN access to the routers adminitrator services~~ To disable WAN access to HTTP, HTTPS and telnet: service system ifadd name=HTTP group=wan saveall = Application Layer Gateways = == Disabling the SIP ALG == Some users have found that the SIP ALG interferes with some devices and some SIP providers. To completely disable the SIP ALG, you will need to connect via Telnet to your router. The username and password are stored in the control pages (clueless) and should also be on a card on the bottom of your router. Once you have connected via telnet, run the following commands: <nowiki> connection unbind application=SIP port=5060 saveall exit</nowiki> == Disable PPTP ALG == See [[#Problems connecting to PPTP Servers]] == Disable all ALG == You can flush all ALG bindings with the command: connection flush saveall This ''really does'' remove ''all'' ALG bindings. The consequence isn't well tested - please let us know if anything breaks when you do this! = Problems connecting to PPTP Servers = One customer has reported problems connecting to PPTP VPN servers in either direction through a [[TG582N\|tg582n]] with the 8.4.7.0 firmware. Technicolor have stated that this may be due to the Application Layer Gateway system intercepting PPTP packets even when the firewall is disabled and is a deliberate feature, but that the feature can be disabled by entering the following commands in the CLI: connection applist connection unbind application PPTP port 1723 saveall However the same customer has reported that this solution has not actually fixed the problem and that the PPTP entry is still visible when running the "connection applist" command even after the unbind command has been successfully run. (Another customer has been able to reproduce tho issue, unable to connect to swissvpn.net, etc. but does work using the alternative OpenWRT [[ADSL Router\|ADSL router]] instead). After further testing with the help of Technicolor engineers we do have an actual fix for the PPTP problem. The problem is that the default config leaves NAT turned on even when you are using real IPv4 addresses and it's not needed which leads to problems with PPTP when the packets are rewritten. To get around this NAT has to be fully turned off with the CLI command nat ifconfig intf=Internet translation=disabled followed by saveall After that inbound and outbound PPTP should be working again. PPTP & NAT? - We've seen problems when the client is behind NAT, and the ALG/NAT on the router not passing GRE through (or something) - on a Microsoft 2003 PPTP server, the client was getting timeout Error 721. The solution was to route a block of IPs for the LAN... =Other pages regarding this router= <ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router TG582N</ncl> [[Category:Router TG582N\|Firewall]]