
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - TG582N - Firewall and Port Forwarding: Difference between revisions

→‎top: clean up
(How to add services which cover all packets)
(→‎top: clean up)
 
(7 intermediate revisions by 2 users not shown)
[[Image:T582-small.png|link=:Category:Router TG582N|Go to Main TG582N Page]]
 
*Also see: [[Router - TG582N - Port Forwarding UI]]
=== Really disabling the firewall ===
 
From a customer: While going mad with a [[TG582N|tg582n]] tonight, I discovered they try to do stateful firewalling even when the firewall is disabled in the web interface. This breaks where you want to fail over to 3G. I guess it would also break if you had 2 ADSL lines.
 
''[ There should be a special circle of hell reserved for the designers who created a firewall '''level''' of 'Disabled' and a firewall '''state''' of 'disabled' which are very different concepts. ]''
 
Completely disabling the firewall seems to be necessary to allow [[IPv6]] connections from the WAN side to the network, as even when the IPv4 firewall is 'off', [[IPv6]] still seems to be firewalled. First, though, see [[#Configure the Firewall for IPv6]].
 
To fix, enter the following in the CLI:
 firewall config tcpchecks none
 
Disabling the firewall also allows access to the router's internal services from the WAN side, although there seems to be some default logic preventing these from functioning, e.g. "User 'Administrator' is disallowed to login from wan to telnet" etc. ''(Actually this is in the config - user 'Administrator' has Administrator rights for local admin only, user 'admin' has SuperUser rights for remote admin only).''
 
Disabling the firewall also exposes the DNS forwarder (whose software seems to have NO restrictions on the client-IP used!).
By default the router has a feature called 'Web Browsing Interception' set to Automatic. This is a proxy-like feature, and should be disabled. The setting can be found and easily changed on the web interface. From the Left Menu - Technicolor Gateway - Configuration - Configure. Set Web Browsing Interception to Disabled.
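
One way to confirm from outside the exposure described above, as an added example (not part of the original page or of any A&A tooling): run from a host on the Internet side against your own router's WAN IPv4 address, it reports whether telnet, HTTP and HTTPS accept connections and whether the DNS forwarder answers a recursive query from an arbitrary client. The function names, the test name <code>example.com</code> and the <code>192.0.2.1</code> placeholder address are assumptions made for this example.

```python
import socket
import struct

ADMIN_TCP_PORTS = {23: "telnet", 80: "http", 443: "https"}  # services named on this page

def build_dns_query(name, txid=0x1234):
    """Minimal DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_dns_reply(data, txid=0x1234):
    """Interpret the 12-byte DNS header of a reply to build_dns_query()."""
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID, or not a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 0:  # RA bit set or answers present: it resolved for us
        return "open-forwarder" if (flags & 0x0080 or ancount) else "no-recursion"
    return "rcode-%d" % rcode

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def dns_forwarder_state(host, name="example.com", timeout=3.0):
    """Send one recursive query to UDP/53 and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name), (host, 53))
            return classify_dns_reply(s.recvfrom(512)[0])
        except OSError:
            return "no-reply"

def audit(wan_ip):
    """Run from a host outside the LAN against your own router's WAN address."""
    result = {svc: tcp_open(wan_ip, port) for port, svc in ADMIN_TCP_PORTS.items()}
    result["dns"] = dns_forwarder_state(wan_ip)
    return result

if __name__ == "__main__":
    print(audit("192.0.2.1"))  # placeholder (RFC 5737); replace with your own WAN IP
```

A result of <code>open-forwarder</code> for <code>dns</code>, or <code>True</code> for any of the three TCP services, means that service is reachable from the WAN and should be restricted or disabled as described in the sections below.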
 
= HTTP/HTTPS/Telnet servers on the TG582n =
 
There are servers which are often configured to run on the TG582n. These can cause issues when trying to port forward using their port numbers. There can also be security issues, especially if you have disabled the firewall.
 
== HTTP/HTTPS Port forward ==
If you want to port forward HTTP or HTTPS on the Technicolor, then as it also has a web server you may get a conflict error when trying to add an HTTP/S port forward using a gaming application.
 
You will need to stop the Technicolor listening on port 80 & 443 itself on the WAN. Use the following commands via telnet,
 
 
== Restrict access to HTTP interface by IP ==
You may prefer to just restrict access to the router by IP - note this applies to the LAN and WAN, so you'll need to add your LAN addresses too
 
saveall
 
== Restrict access to TELNET interface by IP ==
'''Add your LAN block first, as otherwise you'll be locked out!'''
 
saveall
 
== WAN Access Restrictions (HTTP/TELNET to the Router) ==
Here are notes on how to restrict access to the router's web and telnet interfaces, either by disabling access from the WAN (Internet) altogether or by restricting access by IP address. These settings take effect as soon as they are entered, so be careful not to lock yourself out!
 
===Disable WAN access to HTTP/Telnet===
This will disable WAN access to the router's administrator services.
 
saveall
 
= Application Layer Gateways =
 
== Disabling the SIP ALG ==
Some users have found that the SIP ALG interferes with some devices and some SIP providers.
 
To completely disable the SIP ALG, you will need to connect via Telnet to your router.
 
The username and password are stored in the control pages (clueless) and should also be on a card on the bottom of your router.
 
Once you have connected via telnet, run the following commands:
 
<nowiki>
connection unbind application=SIP port=5060
saveall
exit</nowiki>
 
== Disable PPTP ALG ==
 
See [[#Problems connecting to PPTP Servers]]
 
== Disable all ALG ==
 
You can flush all ALG bindings with the command:
 
 connection flush
 saveall
 
This ''really does'' remove ''all'' ALG bindings. The consequence isn't well tested - please let us know if anything breaks when you do this!
 
= Problems connecting to PPTP Servers =
 
One customer has reported problems connecting to PPTP VPN servers in either direction through a [[TG582N|tg582n]] with the 8.4.7.0 firmware.
PPTP & NAT? - We've seen problems when the client is behind NAT, and the ALG/NAT on the router not passing GRE through (or something) - on a Microsoft 2003 PPTP server, the client was getting timeout Error 721. The solution was to route a block of IPs for the LAN...
 
==Other pages regarding this router==
<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router [[TG582N]]</ncl>
 
 
[[Category:Router TG582N|Firewall]]
[[Category:Router]]