Eish…. Q fdp de blog: because ideas are for sharing

February 21, 2014

List of CLI commands for Thomson / Technicolor routers

Filed under: Hardware How-To, Thoughts — admin @ 9:15 am

Here is a list of useful commands for working with Thomson routers over the CLI.

As always, I take no responsibility for problems you cause yourselves 🙂

The data was taken from this site, which is packed with simply delicious easter eggs.

To use OpenDNS (Firmware R8):

dns server route list
    List all DNS resolvers set in the router. (optional)
dns server route flush
    Clear.
dns server route add dns=208.67.222.222 metric=0 intf=Internet
    See note (1) below regarding “intf=Internet”.
dns server route add dns=208.67.220.220 metric=0 intf=Internet
    See note (1) below regarding “intf=Internet”.
dns server route list
    List all DNS resolvers set in the router. (just checking)
saveall
    Make the change permanent.

The ISP DNS settings may creep back in over time.
A metric value of 0 has been used to give these new DNS settings priority over any ISP settings, i.e. the lower the metric, the higher the priority.

Undo, return to obtaining DNS resolvers via DHCP

dns server route flush
    Clear.
dns server route list
    List all DNS resolvers set in the router. (just checking)
saveall
    Make the change permanent.

You may need to reboot or renew the PPP session to obtain the DNS settings.

To use OpenDNS (Firmware 108):

dns server forward dnsset list
    List all DNS resolvers set in the router. (optional)
dns server forward dnsset flush
    Clear.
dns server forward dnsset add set=0 dns=208.67.222.222 metric=0 intf=Internet
    See note (1) below regarding “intf=Internet”.
dns server forward dnsset add set=0 dns=208.67.220.220 metric=0 intf=Internet
    See note (1) below regarding “intf=Internet”.
dns server forward dnsset list
    List all DNS resolvers set in the router. (just checking)
saveall
    Make the change permanent.

The ISP DNS settings may creep back in over time.
A metric value of 0 has been used to give these new DNS settings priority over any ISP settings, i.e. the lower the metric, the higher the priority.

Undo, return to obtaining DNS resolvers via DHCP

dns server forward dnsset flush
    Clear.
dns server forward dnsset list
    List all DNS resolvers set in the router. (just checking)
saveall
    Make the change permanent.

You may need to reboot or renew the PPP session to obtain the DNS settings.

To use DynDNS to update OpenDNS

dyndns service list
    View existing settings. It’s the “custom” section we’ll be changing.
dyndns service modify name=custom server=updates.dnsomatic.com updateinterval=10800
    Change the service provider to dnsomatic.com. updateinterval is 3 hours (10800 seconds).
saveall
    Make the change permanent.

Ensure your OpenDNS account is set to “enable dynamic IP update”.
Go to www.dnsomatic.com, sign in with your OpenDNS username / password.
While there, enable “update OpenDNS”.

Go to the router’s web interface, Toolbox > Dynamic DNS > Configure:
Tick “Enabled”
Interface — Internet — See Note (1)
Username — OpenDNS username
Password — OpenDNS password
Service — custom
Host — enter your OpenDNS network label or enter the catch-all: all.dnsomatic.com
Click “Apply”

Check the router’s event log to confirm “dyndns host has been updated”.

Disable telnet timeout

env get var=SESSIONTIMEOUT
    Check existing setting.
env set var=SESSIONTIMEOUT value=0
    Disable session timeout.
saveall
    Make the change permanent.

Get router stats

xdsl info expand=enabled
    See Telnet Scripting for a method to get these stats quickly.

Force connection modulation mode to ADSL1, ADSL2 or ADSL2+ (also disable Annex M)
A useful by-product of this command is that it causes a resync, i.e. resetting the modulation to the default (no change) can be used to force the router to perform a resync.

xdsl debug multimode
    Show all enabled modes. (optional)
xdsl debug multimode config=t1.413issue2+g992.1_annex_a
    This forces ADSL1 (i.e. g992.1 Annex A).
xdsl debug multimode config=t1.413issue2+g992.3_annex_a
    This forces ADSL2 (i.e. g992.3 Annex A).
xdsl debug multimode config=t1.413issue2+g992.5_annex_a
    This forces ADSL2+ (i.e. g992.5 Annex A).
xdsl debug multimode config=t1.413issue2+g992.1_annex_a+g992.3_annex_a+g992.3_annex_l+g992.5_annex_a
    Disable Annex M on all connection modes.
xdsl debug multimode config=t1.413issue2+g992.1_annex_a+g992.3_annex_a+g992.3_annex_l+g992.3_annex_m+g992.5_annex_a+g992.5_annex_m
    Default, all modes available.
saveall
    Use one of the above commands, then saveall!

Drop and re-start ADSL (resync)

xdsl config status=down
    Drop ADSL connection.
xdsl config status=up
    Raise ADSL connection.

Drop / start PPP session
With some ISP connections this may change your gateway; it may also change your IP address.
Useful if your ISP sometimes has congested gateways.

ppp ifdetach intf=Internet
    Drop PPP.
ppp ifattach intf=Internet
    Connect PPP.

DHCP client lease renew

dhcp client ifrenew intf=Internet
    See note (1) below regarding “intf=Internet”.
dhcp client iflist expand=enabled
    Optional — view DHCP client info.

Reboot the router

system reboot

Change router password — I’ve found this troublesome using the web interface.

user config name=SuperUser password=mypassword
    Must be an existing username, i.e. “SuperUser” or “Administrator”.
user config name=Administrator password=mypassword
saveall
    Don’t forget this!

Create username with “root” privileges.

script add name=useroot command="user add name=me password=pass role=root"
    Change “me” and “pass” for your own username and password.
script run name=useroot pars=""
    Run the script.
saveall
    Don’t forget this!

Spoof the router’s WAN MAC

ip iflist expand=enabled
    Show the router’s MAC and other details.
ip ifdetach intf=Internet
    See note (1) below regarding “intf=Internet”.
ip ifconfig intf=Internet hwaddr=00:xx:xx:xx:xx:xx
    See note (1). Replace “xx” with your spoof MAC.
ip ifattach intf=Internet
    See note (1) below regarding “intf=Internet”.
saveall
    Don’t forget this!

Disable CWMP — remote management by the ISP

service system list
    Show if enabled or disabled.
service system modify name=CWMP-S state=disabled
    Disable remote assistance from the ISP.
service system modify name=CWMP-C state=disabled
    Disable checking for firmware updates etc. (“phone home”).
saveall
    Don’t forget this!

Undo — enable CWMP — default mode

service system modify name=CWMP-S state=enabled
    Return to default setting.
service system modify name=CWMP-C state=enabled
    Return to default setting.
saveall
    Don’t forget this!

Enable reply to pings from WAN

service system list name=PING_RESPONDER expand=enabled
    Check if the “interface group” is associated with WAN (i.e. enabled).
service system ifadd name=PING_RESPONDER group=wan
    Add to the WAN “interface group” (i.e. enabled).
saveall
    Don’t forget this!

Undo — disable reply to pings from WAN — default mode

service system ifdelete name=PING_RESPONDER group=wan
    Remove WAN from the “interface group” (i.e. disabled) — default.
saveall
    Don’t forget this!

Disable wireless n speed

wireless ifconfig
    Show wireless settings. (optional)
wireless ifconfig interop=802.11b/g
    Disable wireless n.
saveall
    Don’t forget this!

Undo — enable all wireless speeds (TG587n only)

wireless ifconfig interop=802.11b/g/n
    Enable wireless b, g and n — default.
saveall
    Don’t forget this!

Change wireless n speed (TG582n only)

wireless radio channelwidth=20 sgi=enabled
    Wireless speed 144 (n).
wireless radio channelwidth=20/40 sgi=disabled
    Wireless speed 270 (n).
wireless radio channelwidth=20/40 sgi=enabled
    Wireless speed 300 (n).
wireless radio channelwidth=20 sgi=disabled
    Wireless speed 130 (n). Default.
saveall
    Don’t forget this!

When in 270 (n) or 300 (n) mode the router is not very good at switching off the extra channels when they are not needed or when they may cause interference to other wireless access points.
For this reason please use these modes responsibly.

Wireless n tweaks (TG582n only)

wireless radio cdd=enabled
    enabled = reduce dead spots in the wireless coverage; disabled = default.
wireless radio stbc=enabled
    enabled = improve signal quality; disabled = default.
    http://en.wikipedia.org/wiki/Space%E2%80%93time_block_code
wireless radio frameaggregation=ampdu
    Improve throughput by changing the type of header.
    amsdu — generally the most efficient.
    ampdu — (default) better in environments with high error rates.
    http://en.wikipedia.org/wiki/Frame_aggregation
saveall
    Don’t forget this!

Change MTU setting

ip iflist
    Show present setting. (optional)
ip ifconfig intf=Internet mtu=1458
    See note (1) regarding “intf=Internet” — set MTU for WAN.
ip ifconfig intf=LocalNetwork mtu=1458
    Set MTU for LAN.
saveall
    Don’t forget this!

Undo — return to default MTU of 1500

ip ifconfig intf=Internet mtu=1500
    See note (1) regarding “intf=Internet” — set 1500 MTU for WAN.
ip ifconfig intf=LocalNetwork mtu=1500
    Set 1500 MTU for LAN.
saveall
    Don’t forget this!

Disable ethernet port

eth device ifconfig intf=ethif1 state=disabled
    Disable ethernet port 1. (ethif1 = port 1, ethif2 = port 2, etc.)
saveall
    Don’t forget this!
eth device iflist
    List state of ports. (optional)

Undo — enable ethernet port

eth device ifconfig intf=ethif1 state=enabled
    Enable ethernet port 1. (ethif1 = port 1, ethif2 = port 2, etc.)
saveall
    Don’t forget this!

Wireless MAC access control — block a wireless connection

wireless macacl add ssid_id=0 radio_id=0 hwaddr=00:xx:xx:xx:xx:xx permission=allow
    Change “00:xx:xx:xx:xx:xx” to the wireless MAC of the target PC.
    Only used once for each wireless MAC added to the list.
saveall

Use the following commands to stop or allow a wireless connection as required.

wireless macacl list
    Optional — display preset wireless MACs.
wireless macacl modify ssid_id=0 radio_id=0 hwaddr=00:xx:xx:xx:xx:xx permission=deny
    Deny connection from the target PC — use when required.
wireless macacl modify ssid_id=0 radio_id=0 hwaddr=00:xx:xx:xx:xx:xx permission=allow
    Allow connection from the target PC — use when required.

Undo — remove from wireless MAC access control list

wireless macacl list
    Optional — display MAC addresses on the list.
wireless macacl delete ssid_id=0 radio_id=0 hwaddr=00:xx:xx:xx:xx:xx
    Remove MAC from list.
saveall
    Don’t forget this.

Check which devices are connected

hostmgr list
    Look in the “Flags” column; “C” indicates connected.

Enable WPS — this is disabled by default on some models.

wireless wps config state=enabled
    The WPS button should now work.
saveall

Undo — disable WPS

wireless wps config state=disabled
saveall

Syslog — this log survives a reboot

syslog msgbuf show
    View the router log in the telnet window.
syslog msgbuf send dest=192.168.1.67
    Send the whole log to the syslog client at that IP address.
syslog msgbuf flush
    Clear the log.
syslog config activate=enabled
    Enable continuous updates to a syslog client.
syslog ruleadd fac=all sev=debug dest=192.168.1.67
    Rule to send all the log items to the syslog client at 192.168.1.67.

Free syslog client from 3Com: ftp://ftp.3com.com/pub/utilbin/win32/3CSyslog.zip
Link now dead; a Google search will find a suitable syslog client.

Change the LAN IP of a connected device — static DHCP

dhcp server lease list
    View the pool name and MAC address of the connected device.
dhcp server lease delete clientid=00:23:4d:xx:xx:xx
    First delete the device. clientid = [the MAC address found above]
dhcp server lease add clientid=00:23:4d:xx:xx:xx pool=LAN_private addr=192.168.1.100 leasetime=0
    clientid = [the MAC address found above]
    pool = [the pool name found above]
    addr = [the LAN IP you wish to assign (range 192.168.1.65 to 252)]
    leasetime=0 [infinite lease time]
saveall
    Don’t forget this.
Reboot the device to obtain the new IP address.

Disable the factory reset button

Caution
If you forget the username or password you will be locked out of the router permanently.
Be very sure you know the risks before using this command.

system config resetbutton=disabled
saveall

Undo — enable the factory reset button (default)

system config resetbutton=enabled
saveall

Fix a problem with VoIP not working

connection unbind application=SIP port=5060
saveall

Undo — default

connection bind application=SIP port=5060
saveall

Disable Intrusion Detection (IDS) — may help with online game problems but reduces security.

ids config state=disabled
saveall

Undo

ids config state=enabled
saveall

Disable CPU low clock speed — TG587n v2 and TG582n
Makes the router more responsive.

pwr config
    Optional — view state.
pwr config cpu-lowspeed=disabled
    Disable slow-speed CPU.
saveall
    Make permanent.

Undo — default

pwr config cpu-lowspeed=enabled
    Enable slow-speed CPU.
saveall
    Make permanent.

Additional pwr config commands

pwr config eco-manager=enabled / disabled
    The ECO manager.
pwr config cpu-microsleep=enabled / disabled
    Allow the CPU to use low-power instructions.
pwr config cpu-lowspeed=enabled / disabled
    Allow the CPU to adjust its clock speed.
pwr config usb-controller=enabled / disabled
    The USB controller.
pwr config wlan-pwrcontrol=enabled / disabled
    Wireless LAN power control.

Note:
There are reports that having these power settings enabled can cause intermittent network and internet access problems.
Disabling all of these settings followed by a router reboot cured the problem.
Awaiting more information on this issue.

Cone-type NAT for Teredo tunnelling
Required for Windows Meeting Space.
The default for a Thomson router is symmetric-type NAT.
UPnP needs to be enabled in the router’s GUI.
Test with Microsoft’s Internet Connectivity Evaluation Tool.

connection bind application=CONE(UDP) port=3544
saveall

Undo — return to the default of symmetric-type NAT

connection unbind application=CONE(UDP) port=3544
saveall

Log web site visits

dsd config state=enabled
    Enable address-based filtering.
dsd syslog config syslog=all
    Select what to log.
saveall
    Make the change permanent.
dsd syslog list
    Use this command to view the log.
    Alternatively use a syslog client as shown in the syslog commands above.
syslog msgbuf flush
    Empty the log. — Optional

This may quickly fill the router’s memory and cause unexpected issues.

Undo

dsd syslog config syslog=none
dsd config state=disabled
saveall
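
Both the Syslog section above and this web-visit log end up at whatever syslog client the router's `dest=` points to. The following is an added example of that receiving side, not code from the original page or from the router vendor: a minimal UDP syslog collector in Python that decodes the BSD-style `<PRI>` prefix into facility and severity, accepts datagrams only from the router's own address (UDP syslog has no authentication, so any host on the LAN could otherwise inject lines), and appends one line per message to a file. The sample datagrams and the router/collector addresses are constructed.

```python
"""Tiny UDP syslog collector for a Thomson/Technicolor router.

Added example, not code from the original post or from the router vendor.
The router's "syslog ruleadd fac=all sev=debug dest=..." rule and the
"dsd syslog config syslog=all" web-visit log send BSD-style (RFC 3164)
datagrams to UDP port 514. This script decodes the <PRI> prefix, keeps only
datagrams from the router's address, and appends them to a file.
The datagrams in SAMPLES are constructed for the test, not captured.
"""
import socket
from datetime import datetime
from typing import Dict, Optional, Tuple

# Facility and severity names from RFC 3164 / RFC 5424, indexed by code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed samples: PRI 134 = local0.info, PRI 30 = daemon.info, and junk.
SAMPLES = [
    b"<134>Feb 21 09:15:00 router dyndns host has been updated",
    b"<30>Feb 21 09:16:02 router dsd: 192.168.1.100 -> www.example.com",
    b"no pri prefix at all",
]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value (0..191) into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse one datagram; return None for anything without a valid <PRI>.

    RFC 3164 allows one to three digits between the angle brackets; anything
    else is dropped rather than guessed at.
    """
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or end > 4 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity,
            "message": text[end + 1:].strip()}


def serve(router_ip: str, bind_addr: str = "0.0.0.0", port: int = 514,
          logfile: str = "router-syslog.log") -> None:
    """Receive datagrams forever; log only well-formed ones from router_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a", encoding="utf-8") as out:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            rec = parse_syslog(data)
            if src != router_ip or rec is None:
                continue  # spoofed source or malformed datagram: drop it
            stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            out.write(f"{stamp} {src} {rec['facility']}.{rec['severity']} "
                      f"{rec['message']}\n")
            out.flush()


if __name__ == "__main__":
    for d in SAMPLES:
        print(parse_syslog(d))
    # Port 514 needs root; the post's rules point at a collector on 192.168.1.67.
    # serve(router_ip="192.168.1.254")
```

Run it on the machine whose address you gave in `dest=` (binding port 514 needs root, or pass a high port and adjust the router rule accordingly); `router_ip` is the router's LAN address, assumed here to be 192.168.1.254.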

 


SNTP — change time server settings

sntp list
    List the time servers.
sntp add name=2.uk.pool.ntp.org
    Add a time server. This can be done in the router’s GUI.
sntp delete name=2.uk.pool.ntp.org
    Delete a time server. This can be done in the router’s GUI.
sntp config poll=360
    Set poll interval to 6 hours. Default is 60 minutes.
saveall
system settime
    View system time settings.

Unbind the FTP ALG — fix access problem to a local FTP server from the internet.
Normal port forward rules are still required.

connection bindlist
    Optional — view the bind list.
connection unbind application=FTP port=21
    Unbind the FTP helper.
connection bindlist
    Optional — view the bind list.
saveall
    Make permanent.

Undo

connection bind application=FTP port=21
    Bind the FTP helper to port 21.
connection bindlist
    Optional — view the bind list.
saveall
    Make permanent.

DLNA server (media sharing) not discovered across LAN / WLAN. SOLVED.
This issue is present in firmware 8.2.7.7; don’t know about other firmware versions.

eth bridge igmpsnooping config
    View present state. If state=enabled then apply the fix.
eth bridge igmpsnooping config brname=bridge state=disabled
    Apply fix.
saveall
    Make permanent.

Turn off LED lights

system qual led value=alloff
    Turn all LEDs off.
saveall
    Make permanent.

Undo — enable LED lights

system qual led value=unlock
    Enable LEDs.
saveall
    Make permanent.

Correct the decimal (.) and digit-grouping (,) separators
Some firmware versions confuse the decimal point with the comma.

system locale
    Display present settings.
system locale dec_symbol=.
    Assign the decimal point.
system locale group_symbol=,
    Assign the comma.
saveall
    Make permanent.

No auto retrain
Prevent reconnecting after dropping the ADSL connection.

xdsl qual freeze-showtime state=enabled
    Stop reconnecting.
saveall
    Make permanent.

Undo

xdsl qual freeze-showtime state=disabled
    Default.
saveall
    Make permanent.

Note (1):
The “intf=Internet” part of the above commands may need to be changed depending on the router’s firmware.
“intf=Internet” should be correct for standard firmware.
O2-supplied routers may need “intf=Internet” replacing as follows:
For O2-supplied routers on an LLU connection replace it with “intf=O2_ADSL2plus” or in some cases “intf=RoutedEthoA”.
For O2-supplied routers on the Access service replace it with “intf=O2_ADSL”.
Hint: you can check which one to use for the WAN interface by looking at the results of the “dns server route list” command.
See the screen capture below; in this case it’s “intf=O2_ADSL2plus”.

Note (2)
To close the telnet session type “exit” and press Enter.

June 22, 2011

Backups of Thomson / MEO / Vodafone TV routers

Filed under: Hardware How-To — admin @ 1:51 pm

Hello friends,

I have been very absent for professional reasons.

However, last week something happened that made me come here now and write a few lines to help everyone out.

How many of you have had to replace a Vodafone/MEO router and then had to restore NAT configurations through that awful web interface?

Well then… here is a mini how-to on generating installation rules:

a) On the router, via the console interface (telnet/ssh), BEFORE it is replaced (and if you can still log in to it), run the following commands:

ip rtlist

nat maplist

Save the outputs.

The first command gives you the router’s routing table. You may be crazy enough to have several networks published on your home LAN.

The second command gives you the NAT / PAT table implemented on your equipment.

In both outputs, only your own configuration matters, not the operator’s.

Example:

{Administrator}=>ip rtlist
Label             Destination          Gateway  Interface     Mtc Admin  Oper
10.49.16.12/32       127.0.0.1  loop          0   UP     [UP]
10.49.127.255/32       127.0.0.1  loop          0   UP     [UP]
77.54.116.22/32       127.0.0.1  loop          0   UP     [UP]
77.54.127.255/32       127.0.0.1  loop          0   UP     [UP]
127.0.0.1/32       127.0.0.1  loop          0   UP     [UP]
192.168.1.254/32       127.0.0.1  loop          0   UP     [UP]
192.168.1.255/32       127.0.0.1  loop          0   UP     [UP]
255.255.255.255/32       127.0.0.1  loop          0   UP     [UP]
87.103.113.139/32      77.54.96.1* ipInternet    0   UP     UP
87.103.113.203/32      77.54.96.1* ipInternet    0   UP     UP
87.103.119.196/32                  ipVideo       1   UP     UP
213.30.36.212/32                  ipVideo       1   UP     UP
213.30.43.16/32       10.49.0.1  ipVideo       1   UP     UP
95.136.4.112/29       10.49.0.1  ipVideo       1   UP     UP
213.30.36.208/29       10.49.0.1  ipVideo       1   UP     UP
212.18.177.96/27       10.49.0.1  ipVideo       1   UP     UP
93.108.253.128/25       10.49.0.1  ipVideo       1   UP     UP
10.10.0.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.1.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.2.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.3.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.50.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
192.168.1.0/24   192.168.1.254  LocalNetwork  0   UP     [UP]
10.20.100.0/24       10.49.0.1  ipVideo       1   UP     UP
10.20.110.0/24       10.49.0.1  ipVideo       1   UP     UP
10.20.120.0/24       10.49.0.1  ipVideo       1   UP     UP
10.20.150.0/24       10.49.0.1  ipVideo       1   UP     UP
95.136.4.0/23       10.49.0.1  ipVideo       1   UP     UP
87.103.116.0/22       10.49.0.1  ipVideo       1   UP     UP
77.54.96.0/19   77.54.116.122  ipInternet    0   UP     UP
10.49.0.0/17     10.49.16.12  ipVideo       0   UP     UP
0.0.0.0/0       77.54.96.1  ipInternet    1   UP     UP
{Administrator}=>nat maplist
Idx Type Interface       Outside Address                Inside Address                 Use
1 NAT  ipInternet      77.54.116.22:8                127.0.0.1:8                    0
2 NAT  ipInternet      77.54.116.22                  127.0.0.1                      0
3 NAPT ipInternet      77.54.116.22:22               10.10.0.153:22                1
4 NAPT ipInternet      77.54.116.22:25               10.10.0.147:25                2
5 NAPT ipInternet      77.54.116.22:53               10.10.0.149:53                0
6 NAPT ipInternet      77.54.116.22:80               10.10.0.148:80                7
7 NAPT ipInternet      77.54.116.22:119              192.168.1.100:22               0
8 NAPT ipInternet      77.54.116.22:120              192.168.1.101:22               0
9 NAPT ipInternet      77.54.116.22:443              10.10.0.148:443               1
10 NAPT ipInternet      77.54.116.22:514              10.10.0.52:514                2
11 NAPT ipInternet      77.54.116.22:993              10.10.0.147:993               1
12 NAPT ipInternet      77.54.116.22:5060             77.54.116.22:5060             0
13 NAPT ipInternet      77.54.116.22:[7000-7003]      10.10.3.5:[7000-7003]         18
14 NAPT ipInternet      77.54.116.22:9103             10.10.0.4:9103                1
15 NAPT ipInternet      77.54.116.22:[10003-10010]    10.10.3.5:[10003-10010]       1
16 NAPT ipInternet      77.54.116.22:12005            10.10.2.5:12005               1
17 NAPT ipInternet      77.54.116.22:23595            10.10.3.251:23595             1
18 NAPT ipInternet      77.54.116.22:51005            127.0.0.1:51005                0
19 NAPT ipInternet      77.54.116.22:53               10.10.0.149:53                0
20 NAPT ipInternet      77.54.116.22:68               77.54.116.22:68               0
21 NAPT ipInternet      77.54.116.22:5060             77.54.116.22:5060             0
22 NAPT ipInternet      77.54.116.22:[7000-7003]      10.10.3.5:[7000-7003]         136
23 NAPT ipInternet      77.54.116.22:[10003-10010]    10.10.3.5:[10003-10010]       469
24 NAPT ipInternet      77.54.116.22                  unmapped                       73
1 NAT  ipVideo         10.49.16.12:8                  127.0.0.1:8                    0
2 NAT  ipVideo         10.49.16.12                    127.0.0.1                      0
3 NAPT ipVideo         10.49.16.12:22                 10.10.0.153:22                0
4 NAPT ipVideo         10.49.16.12:25                 10.10.0.147:25                0
5 NAPT ipVideo         10.49.16.12:53                 10.10.0.149:53                0
6 NAPT ipVideo         10.49.16.12:80                 10.10.0.148:80                0
7 NAPT ipVideo         10.49.16.12:119                192.168.1.100:22               0
8 NAPT ipVideo         10.49.16.12:120                192.168.1.101:22               0
9 NAPT ipVideo         10.49.16.12:443                10.10.0.148:443               0
10 NAPT ipVideo         10.49.16.12:514                10.10.0.52:514                0
11 NAPT ipVideo         10.49.16.12:993                10.10.0.147:993               0
12 NAPT ipVideo         10.49.16.12:5060               10.49.16.12:5060               0
13 NAPT ipVideo         10.49.16.12:[7000-7003]        10.10.3.5:[7000-7003]         0
14 NAPT ipVideo         10.49.16.12:9103               10.10.0.4:9103                0
15 NAPT ipVideo         10.49.16.12:[10003-10010]      10.10.3.5:[10003-10010]       0
16 NAPT ipVideo         10.49.16.12:12005              10.10.2.5:12005               0
17 NAPT ipVideo         10.49.16.12:23595              10.10.3.251:23595             0
18 NAPT ipVideo         10.49.16.12:51005              127.0.0.1:51005                0
19 NAPT ipVideo         10.49.16.12:53                 10.10.0.149:53                0
20 NAPT ipVideo         10.49.16.12:68                 10.49.16.12:68                 0
21 NAPT ipVideo         10.49.16.12:5060               10.49.16.12:5060               0
22 NAPT ipVideo         10.49.16.12:[7000-7003]        10.10.3.5:[7000-7003]         0
23 NAPT ipVideo         10.49.16.12:[10003-10010]      10.10.3.5:[10003-10010]       0
24 NAPT ipVideo         10.49.16.12                    unmapped                       3

From the first command we only care about what is assigned to LocalNetwork, and from the second command only the entries with the public address/port that we want to replicate.

That is:

10.10.0.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.1.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.2.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.3.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.50.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
192.168.1.0/24   192.168.1.254  LocalNetwork  0   UP     [UP]

and

1 NAT  ipInternet      77.54.116.22:8                127.0.0.1:8                    0
2 NAT  ipInternet      77.54.116.22                  127.0.0.1                      0
3 NAPT ipInternet      77.54.116.22:22               10.10.0.153:22                1
4 NAPT ipInternet      77.54.116.22:25               10.10.0.147:25                2
5 NAPT ipInternet      77.54.116.22:53               10.10.0.149:53                0
6 NAPT ipInternet      77.54.116.22:80               10.10.0.148:80                0
7 NAPT ipInternet      77.54.116.22:443              10.10.0.148:443               1
8 NAPT ipInternet      77.54.116.22:5060             77.54.116.22:5060             0

The first output shows the published routes that this router provides internet access for, and the second shows the ports that are mapped:

SSH, DNS, SMTP, HTTP, HTTPS, SIP

So we have to configure it as follows:
B) As soon as the new router is installed, enter the following commands (the comments and explanation of the commands are in parentheses):

:ip rtadd dst=10.10.0.0/24 gateway=192.168.1.1
:ip rtadd dst=10.10.1.0/24 gateway=192.168.1.1
:ip rtadd dst=10.10.2.0/24 gateway=192.168.1.1
:ip rtadd dst=10.10.3.0/24 gateway=192.168.1.1
:ip rtadd dst=10.10.50.0/24 gateway=192.168.1.1

(add routes in the format network/mask gateway=IP of the firewall serving that network)

:connection timerconfig timer=udpidle value=20
:connection timerconfig timer=udpkill value=15
:hostmgr config state=disabled

(disable network auto-discovery to save router CPU, and reduce the UDP timeout for multiple connections; see other posts on the blog)

:hostmgr saveall
:hostmgr clear
:saveall

(save the configuration)

:service host add name=SSH mode=custom
:service host add name=smtpcluster mode=custom
:service host add name=wwwcluster mode=custom
:service host add name=wwwscluster mode=custom
:service host add name=dnscluster mode=custom

(create new services with the names you want)

:service host rule add name=SSH protocol=tcp baseport=22 portrange=22
:service host rule add name=smtpcluster protocol=tcp baseport=25 portrange=25
:service host rule add name=wwwcluster protocol=tcp baseport=80 portrange=80
:service host rule add name=wwwscluster protocol=tcp baseport=443 portrange=443
:service host rule add name=dnscluster portrange=53

(assign TCP/UDP/IP ports to the services)

:service host assign name=SSH host=10.10.0.153
:service host assign name=smtpcluster host=10.10.0.147
:service host assign name=wwwcluster host=10.10.0.148
:service host assign name=wwwscluster host=10.10.0.148
:service host assign name=dnscluster host=10.10.0.149

(assign the services to the hosts)

:saveall

(save the configuration)
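
The procedure above (copy the routes and port forwards out of the old router's `ip rtlist` and `nat maplist`, then retype them as `:ip rtadd` and `:service host` commands on the new one) can be automated. The following is an added example, not code from the original post: it parses the saved text, keeps only the user's own entries using the same criteria the post applies by eye (routes on LocalNetwork whose gateway is not the router itself, NAPT rows on the WAN interface that point at an inside host), and prints the commands. The service names `svc_<proto>_<port>`, the choice of TCP for every port except 53 (UDP) and the reading of `portrange` as the end of a port range are assumptions of this script, generalised from the single-port form the post uses; the sample outputs are trimmed, constructed versions of the captures above.

```python
"""Regenerate Thomson/Technicolor routes and port forwards from saved output.

Added example, not code from the original post: parses the text saved from
"ip rtlist" and "nat maplist" on the old router, keeps only the user's own
entries, and emits the ":ip rtadd" / ":service host" commands for the new
router. Assumptions (the router reports none of these): service names
svc_<proto>_<port>, TCP for every port except 53 (UDP), and "portrange" read
as the end of a port range. RTLIST and MAPLIST are trimmed, constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

RTLIST = """\
{Administrator}=>ip rtlist
Label             Destination          Gateway  Interface     Mtc Admin  Oper
127.0.0.1/32       127.0.0.1  loop          0   UP     [UP]
192.168.1.254/32       127.0.0.1  loop          0   UP     [UP]
87.103.113.139/32      77.54.96.1* ipInternet    0   UP     UP
87.103.119.196/32                  ipVideo       1   UP     UP
10.10.0.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
10.10.3.0/24     192.168.1.1  LocalNetwork  0   UP     [UP]
192.168.1.0/24   192.168.1.254  LocalNetwork  0   UP     [UP]
0.0.0.0/0       77.54.96.1  ipInternet    1   UP     UP
"""
MAPLIST = """\
{Administrator}=>nat maplist
Idx Type Interface       Outside Address                Inside Address                 Use
1 NAT  ipInternet      77.54.116.22:8                127.0.0.1:8                    0
3 NAPT ipInternet      77.54.116.22:22               10.10.0.153:22                1
5 NAPT ipInternet      77.54.116.22:53               10.10.0.149:53                0
6 NAPT ipInternet      77.54.116.22:80               10.10.0.148:80                7
9 NAPT ipInternet      77.54.116.22:443              10.10.0.148:443               1
12 NAPT ipInternet      77.54.116.22:5060             77.54.116.22:5060             0
13 NAPT ipInternet      77.54.116.22:[7000-7003]      10.10.3.5:[7000-7003]         18
22 NAPT ipInternet      77.54.116.22:[7000-7003]      10.10.3.5:[7000-7003]         136
24 NAPT ipInternet      77.54.116.22                  unmapped                       73
3 NAPT ipVideo         10.49.16.12:22                 10.10.0.153:22                0
"""
# host, host:port or host:[lo-hi], as printed in the Outside/Inside columns.
ADDR_RE = re.compile(r"^(?P<host>[\d.]+)(?::(?:(?P<port>\d+)|\[(?P<lo>\d+)-(?P<hi>\d+)\]))?$")


def parse_rtlist(text: str) -> List[Tuple[str, Optional[str], str]]:
    """(destination, gateway or None, interface) for each route row."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if not t or "/" not in t[0]:        # skip the prompt and header rows
            continue
        if len(t) == 6:                     # dest gw intf metric admin oper
            routes.append((t[0], t[1].rstrip("*"), t[2]))
        elif len(t) == 5:                   # gateway column is empty
            routes.append((t[0], None, t[1]))
    return routes


def user_routes(text: str, lan_intf: str = "LocalNetwork") -> List[Tuple[str, str]]:
    """Static LAN-side routes. A route whose gateway is one of the router's own
    addresses (the /32 entries on 'loop') is the directly connected subnet."""
    routes = parse_rtlist(text)
    own = {d.split("/")[0] for d, _, i in routes if i == "loop" and d.endswith("/32")}
    return [(d, g) for d, g, i in routes if i == lan_intf and g and g not in own]


def split_addr(spec: str) -> Tuple[str, Optional[Tuple[int, int]]]:
    """'a.b.c.d:22' -> ('a.b.c.d', (22, 22)); '[lo-hi]' -> (lo, hi); bare host -> None."""
    m = ADDR_RE.match(spec)
    if not m:
        raise ValueError(f"unexpected address field: {spec!r}")
    if m["port"]:
        return m["host"], (int(m["port"]), int(m["port"]))
    if m["lo"]:
        return m["host"], (int(m["lo"]), int(m["hi"]))
    return m["host"], None


def user_napt(text: str, wan_intf: str = "ipInternet") -> List[Tuple[str, Tuple[int, int]]]:
    """Distinct (inside host, (lo, hi)) port forwards on the WAN interface."""
    seen: Dict[Tuple[str, Tuple[int, int]], None] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) != 6 or t[1] != "NAPT" or t[2] != wan_intf or t[4] == "unmapped":
            continue
        out_host, ports = split_addr(t[3])
        in_host, _ = split_addr(t[4])
        # Mappings back to the router itself or loopback are the operator's own
        # services (SIP, DHCP client), not user port forwards.
        if ports is None or in_host in (out_host, "127.0.0.1"):
            continue
        seen.setdefault((in_host, ports), None)   # dedupe, keep first-seen order
    return list(seen)


def generate_commands(rtlist: str, maplist: str,
                      proto_by_port: Optional[Dict[int, str]] = None) -> List[str]:
    proto_by_port = {53: "udp"} if proto_by_port is None else proto_by_port  # assumption
    cmds = [f":ip rtadd dst={d} gateway={g}" for d, g in user_routes(rtlist)]
    for host, (lo, hi) in user_napt(maplist):
        proto = proto_by_port.get(lo, "tcp")
        name = f"svc_{proto}_{lo}" if lo == hi else f"svc_{proto}_{lo}_{hi}"
        cmds += [f":service host add name={name} mode=custom",
                 f":service host rule add name={name} protocol={proto} baseport={lo} portrange={hi}",
                 f":service host assign name={name} host={host}"]
    cmds.append(":saveall")
    return cmds


if __name__ == "__main__":
    print("\n".join(generate_commands(RTLIST, MAPLIST)))
```

Paste the real `ip rtlist` and `nat maplist` captures into `RTLIST` and `MAPLIST` (or read them from the files you saved in step a), review the printed list, then paste it into the new router's console. The `:connection timerconfig` and `:hostmgr` tuning lines from step B are independent of the old router and are left for you to add by hand.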

 
After this, if you open your router's web interface, you will see all your NAT configuration just as it was on the old router.

It may not seem like much, but imagine you have 30 or 40 rules at the same time, and you will see how much time this trick saves you.

If you have questions or ideas, e-mail me at xupetas <at> filhodaputa.net. As always, I am not responsible if you get yourselves into a mess, or if the operator decides to invent something to block this kind of console access.

Normally, if you mess up, you only need to hard-reset the router and everything goes back to square one.

Cheers,

Xupetas!!

June 30, 2010

HSHR – Transparent Firewall – Cluster Edition

Filed under: Hardware How-To, How-To's — admin @ 10:10 am

Hello friends,

It has been a long time since I had the chance to write a post here, or to develop anything new, but today that changes.

As you already know, I am a fervent fan of virtualization, and my whole lab infrastructure runs on two servers.

One of the elements on both systems is an active-active firewall cluster, which is the continuation of the transparent firewall project.

The layout is something like this:

Both systems are permanently active, sharing the load between them and ensuring that, if one of the physical (or virtual) nodes fails, the surviving node can keep both existing and future connections going without a reconnect (for an SSH session, for example).

The material needed for this, apart from the hypervisors of course, was two Linux virtual server instances (each with 4 Ethernet interfaces).

As always I used OpenSUSE 11.1, built through the OpenSUSE factory (JeOS).

The individual components were:

  • Fwbuilder 4.0 to generate the firewall rules (http://www.fwbuilder.org/)
  • Conntrackd to ensure that established firewall connections are replicated on both firewall nodes (http://conntrack-tools.netfilter.org/)
  • VRRP – an implementation of the Virtual Router Redundancy Protocol (http://off.net/~jme/vrrpd/)

In practice, fwbuilder only builds the rules needed to support the accesses and then replicates them to both nodes.

Each interface on both nodes will always need an address assigned (except Ethernet interfaces that are members of bridges). For example:

br0       Link encap:Ethernet  HWaddr 00:0C:29:3C:E0:78
inet addr:172.16.0.240  Bcast:172.16.0.255  Mask:255.255.255.0

eth2      Link encap:Ethernet  HWaddr 00:00:5E:00:01:01
inet addr:172.16.1.245  Bcast:172.16.1.255  Mask:255.255.255.0

and

br0       Link encap:Ethernet  HWaddr 00:0C:29:3C:E0:79
inet addr:172.16.0.241  Bcast:172.16.0.255  Mask:255.255.255.0

eth2      Link encap:Ethernet  HWaddr 00:00:5E:00:01:02
inet addr:172.16.1.246  Bcast:172.16.1.255  Mask:255.255.255.0

And you will also have to reserve a third IP, which will be your VIP (the virtual IP that receives the requests; being independent of the systems, it is managed by VRRP in the system's userspace).

So, once you have built the rules your needs require, you will have to bring up the elements needed for the virtual gateways.
These addresses are activated by the VRRP daemons:

For example:

/apps/webapp/vrrpd/vrrpd/vrrpd -i br0 -v 1 172.16.0.254 -n
/apps/webapp/vrrpd/vrrpd/vrrpd -i eth2 -v 1 172.16.1.254

Please note that for bridged interfaces (br*), since the bridge already handles MAC address management, you have to tell vrrpd not to take over MAC control, using the -n flag. Without this flag the bridged interface will loop and fail.

For normal interfaces, MAC management can be done by vrrpd (in this example, eth3).

Finally, both systems need to know which connections are being handled at any given moment. This is done through conntrackd in a completely transparent way.

Remember that you will need to configure both conntrackd and vrrpd to talk to each other, and that this has to be reflected in your firewall rules (we don't want a deny ip any any if we don't yet have communication between the vrrpd and/or conntrackd instances).

Useful links:

Firewall cluster with Heartbeat: http://www.fwbuilder.org/4.0/docs/users_guide/heartbeat_cluster.html
Firewall cluster for BSDs and others: http://www.fwbuilder.org/4.0/docs/users_guide/clusters.html
Cookbook for firewalls with VRRP and others: http://www.fwbuilder.org/4.0/docs/users_guide/cluster-cookbook.html
Cookbook for firewalls with VRRP: http://www.fwbuilder.org/4.0/docs/users_guide/vrrpd_cluster.html
Howtoforge cookbook for FWbuilder 4.0: http://howtoforge.net/new-features-in-firewall-builder-4.0

You know the drill. If you have questions, e-mail me at xupetas at filhodaputa.net

Cheers.
Xupetas
