DSL

From HerzbubeWiki

This page has information about my DSL configuration. Other pages with network configuration details are


Device-independent information

Intranet subnets:

  • 192.168.178.0/24 is the DMZ subnet that connects the xDSL router to the Linux gateway
  • 192.168.1.0/24 is the wired subnet used for the LAN behind the Linux gateway
  • 192.168.2.0/24 is the Wi-Fi subnet used for the LAN behind the Linux gateway


Fritz Box

Device

The notes in this section were collected for a Fritz!Box 7340.


Internet

Permit Access

  • Port forwarding rules. The following ports are all forwarded to 192.168.178.20 (the Linux gateway):
    • port 22 (ssh)
    • port 25 (smtp)
    • port 80 (http)
    • port 143 (imap)
    • port 389 (ldap)
    • port 443 (https)
    • ports 1025-65535 (non-privileged ports, e.g. for file sharing); the exceptions are 5060 (SIP) and 8089 (?), which the Fritz!Box seems to reserve for itself internally

Remote Access

  • User name = admin
  • Password = secret
  • HTTPS port = 450


Telephony

Creating an answering machine device

  • Attach a USB device (e.g. a USB stick)
  • Go to "Telephony Devices > Configure New Device > Answering Machine (integrated in the FRITZ!Box)"
  • Accept the default values and create the answering machine device
  • For more configuration, go to "Telephony Devices > Select answering machine device"
    • Set the greeting delay to 30 seconds (up from the default 20 seconds)
    • Select "Properties > Send messages via e-mail = true"
      • Send to email address = fritzbox@herzbube.ch
      • SMTP server = smtp.herzbube.ch
      • SMTP authentication credentials = secret
      • Note that the web interface seems to have a bug: Once the SMTP details have been entered for the first time for the first answering machine device, they are not displayed and cannot be changed anymore in the web interface "Telephone devices" section. I was unable to get the settings back even by deleting and re-creating the answering machine, or by creating additional answering machines. The SMTP details can be changed, however, under "System > Push Service"

DECT phone interface to the answering machine

  • Dial **600 to connect to the answering machine device
  • From there you can listen to messages (the info LED on the Fritz!Box flashes when messages have newly arrived), or record a personal greeting message


Home Network

Devices and Users

  • Device = pelargir, IP address = 192.168.178.20, MAC = 00:24:32:01:A7:83, Always assign this network device the same IP address = Enabled

Network settings > IP routes

  • The following static routes are necessary in order to administer the Fritz!Box from within the intranet. Without them the Fritz!Box has no route to 192.168.1.0/24 and 192.168.2.0/24 and does not know where to send its response packets (not even a ping is answered)
  • IP address = 192.168.1.0, subnet = 255.255.255.0, gateway = 192.168.178.20
  • IP address = 192.168.2.0, subnet = 255.255.255.0, gateway = 192.168.178.20


WLAN

WLAN radio network active = Disabled


DECT

Base Station

  • DECT enabled = true
  • PIN = 0000

Use the wizard to register DECT handset, then configure like this:

  • Call rejection on busy (busy on busy) = Enabled


System

  • System > Energy Monitor > Settings > LAN Port 2 = Disabled
  • System > Push Service = Enable
    • Frequency = monthly
    • Email address = fritzbox@herzbube.ch
    • Password = SMTP authentication password
    • E-Mail user name = SMTP authentication user
    • SMTP server = smtp.herzbube.ch
    • Server supports secure connection = Enable
  • System > Expert Mode > Show Expert Settings = Enabled
  • System > Language Settings = English


ADSL router

Device

The notes in this section were collected for a Zyxel 650R-E1.

I no longer use this router. I keep the information in this section for historical reasons only.


Basic router setup

Go to menu 3.2 (LAN Setup -> TCP/IP and DHCP Setup).

Under "TCP/IP Setup" fill in the following values

  • IP Address = 192.168.0.1
  • IP Subnet Mask = 255.255.255.0

Under "DHCP Setup" fill in the following values:

  • DHCP = Server
  • Client IP Pool Starting Address = 192.168.0.2
  • Size of Client IP Pool = 32
  • Primary DNS Server = 192.168.1.6
  • Secondary DNS Server = 212.101.0.10

Notes:

  • If the router is not configured as a DHCP server, it will not accept any traffic from 192.168.0.2!!!
  • Since I now run my own DNS server on 192.168.1.6, this is used as the primary DNS server, while the ISP's primary DNS server is used only as the secondary backup DNS server. Because I cannot configure a third DNS server, the ISP's secondary DNS server 212.101.4.253 remains unused.


Go to menu 4 (Internet Access Setup) and fill in the following values:

  • ISP's Name = SolNet
  • My Login/My Password = Authentication information received by the ADSL provider.
  • IP Address Assignment = Static
  • IP Address = 212.101.18.224
  • Network Address Translation = SUA Only (because I have only 1 public IP). This setting disables the use of "Address Mapping Sets" in menu 15.1.


Go to menu 11.1 (Remote Node Setup -> Remote Node 1) and set the following option:

  • Nailed-Up Connection = Yes


Go to menu 1 (General Setup) and set the following option:

  • Domain Name = dmz.herzbube.ch

Note: This is the domain name that the router's DHCP server hands out. If it is not set, the DHCP server uses the ISP's domain instead. Clients use the domain handed out by DHCP for, among other things, their DNS setup, i.e. the search domain in /etc/resolv.conf.


Routing to 192.168.0.0

Because the Linux gateway does not perform NAT, requests originating in the internal LAN go out to the Internet with a source address from within the 192.168.0.0 network. When a response comes back from the Internet, the ADSL router has no idea about where to find the 192.168.0.0 network, therefore it simply drops the packets.

I have not found a way to set up a default route, therefore my solution was to configure the ADSL router with a static route to the 192.168.0.0 network.

Go to menu 12.1.1 (Static Routing Setup -> IP Static Route -> Route 1) and fill in the following values:

  • Enter a name (e.g. "To192.168")
  • Active = yes
  • Destination IP Address = 192.168.0.0 (this is the network address)
  • Subnet Mask = 255.255.255.0 (is calculated automatically)
  • Gateway = 192.168.0.2 (the Linux gateway)
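The same lookup problem underlies both the Fritz!Box "IP routes" entries above and this static route: the router decides where a reply goes by longest-prefix match, and a destination that matches nothing but the default route is sent out the WAN, which never leads back into the intranet. The following is an added example, not part of the original page and not either router's firmware; the "wan"/"connected" next-hop labels and the 255.255.0.0 variant of the Zyxel route are constructed for the comparison. With the 255.255.255.0 mask the page records, the "To192.168" route covers only 192.168.0.0/24, so a host such as 192.168.1.8 (the FTP client in the filter examples further down) only matches a route if the mask is 255.255.0.0 or separate /24 routes are added.

```python
"""Longest-prefix-match route lookup over the routing tables on this page.

Added example, not part of the original page and not the routers' firmware:
it models only the lookup that decides where a reply packet is sent.
"""
import ipaddress

# (destination network, next hop). "wan" is the default route over the DSL
# link, "connected" a directly attached LAN. Labels are constructed here.
FRITZBOX_WITHOUT_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("192.168.178.0/24", "connected"),
]
FRITZBOX_WITH_ROUTES = FRITZBOX_WITHOUT_ROUTES + [
    ("192.168.1.0/24", "192.168.178.20"),    # "Network settings > IP routes"
    ("192.168.2.0/24", "192.168.178.20"),
]

# Zyxel: the "To192.168" route with the mask the router calculated
# (255.255.255.0) and, for comparison, with a 255.255.0.0 mask.
ZYXEL_CLASSFUL_MASK = [
    ("0.0.0.0/0", "wan"),
    ("192.168.0.0/24", "connected"),
    ("192.168.0.0/24", "192.168.0.2"),
]
ZYXEL_SLASH16 = [
    ("0.0.0.0/0", "wan"),
    ("192.168.0.0/24", "connected"),
    ("192.168.0.0/16", "192.168.0.2"),
]


def lookup(table, dst):
    """Next hop for dst: the matching entry with the longest prefix wins;
    on equal prefix length the entry listed first wins (the connected LAN here)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def reply_reaches_intranet(table, requester):
    """Would a reply to a request from `requester` be sent back inside, or out
    the WAN, from where an RFC 1918 destination never comes back?"""
    return lookup(table, requester) not in (None, "wan")


if __name__ == "__main__":
    for name, table in [("Fritz!Box, no static routes", FRITZBOX_WITHOUT_ROUTES),
                        ("Fritz!Box, with static routes", FRITZBOX_WITH_ROUTES),
                        ("Zyxel, mask 255.255.255.0", ZYXEL_CLASSFUL_MASK),
                        ("Zyxel, mask 255.255.0.0", ZYXEL_SLASH16)]:
        print(f"{name}: reply to 192.168.1.8 goes to {lookup(table, '192.168.1.8')}")
```

The Fritz!Box case shows why "not even a ping is possible" without the routes: the echo request arrives fine, but the reply to 192.168.1.x matches only the default route.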


Remove general block of incoming network traffic

By default two filter sets are active that block incoming network traffic in general (e.g. a client on the Internet trying to reach a web site hosted on the Linux server). These filter sets need to be deactivated; the next chapters set up other, more selective blocking.

Several solutions exist for deactivating the filter sets:

  • in menu 11.1 the entry "Filter Sets = Yes" is set; the sets can be deactivated by changing this entry; this is probably too coarse, since you may want to use other filter sets on the WAN side
  • the filter sets can be turned off via the Web interface, in the section "Security" (this is the solution I chose)
  • in menu 21, the rules for the two sets 11 and 12 can be deactivated one by one (this works too, but more work is involved)


Port forwarding

In order to open only a defined set of ports for clients on the Internet, we can configure port forwarding in menu 15.2.1 (NAT Setup -> NAT Server Sets -> Server Set 1).

Note: The router model described here allows only the use of the "Server Set 1" (described as "Used for SUA only"). Since one server set only allows 12 port ranges to be defined, we are restricted to this number for our entire setup.

The default rule is to drop all packets (IP address to forward = 0.0.0.0).

The exceptions listed here are all forwarded to 192.168.0.2 (the Linux server):

  • port 20/21 (ftp-data/ftp); because I have disabled FTP, these ports are currently not forwarded
  • port 22 (ssh)
  • port 25 (smtp)
  • port 80 (http)
  • port 143 (imap)
  • port 389 (ldap)
  • ports 1023-65535

Note: This port-forwarding configuration makes the portsentry package on the Linux server obsolete, because packets to ports that are not forwarded never reach the server. The ports that are forwarded should still be treated with care; the SSH port in particular sees a lot of brute-force break-in attempts, which is a good reason to allow only public-key authentication on sshd.

Note: Although on the last port range I would have liked to set the starting port to 1025 (the first non-privileged port on Unix systems), I get a weird "server ports duplicate" error message as soon as I specify starting port 1024 or 1025; after googling a bit it appears that this could be a problem with the router firmware, but at the moment I am too lazy to do a firmware upgrade.


Traffic control using filter sets

LAN side

Menu 3.1 (LAN Setup -> LAN Port Filter Setup) allows you to activate filter sets that control network traffic on the LAN side of the ADSL router. The LAN side of the router is the side where the Ethernet cable plugs in.


The filter sets themselves must be defined in menu 21 (Filter Set Configuration). The following types of filters exist (the Input/Output names are from the router's point of view, i.e. relative to the interface the filter set is attached to):

Input Filter
this is a filter that is applied to packets that come from within the LAN and go out to the WAN
Output Filter
this is a filter that is applied to packets that come from the WAN and go into the LAN
Protocol Filter
this is a filter that is tied to a specific protocol (e.g. TCP/IP) and matches on its addresses and ports
Device Filter (also Generic Filter)
this is a filter that treats a packet as a byte stream


NAT and filters (the following information can be found in chapter 23.5 of the router manual):

  • Input Protocol filters are applied before NAT: this means that packets still have local (LAN) addresses
  • Output Protocol filters are applied after NAT: this means that addresses in packets have been converted back to local (LAN) addresses
  • the situation with device filters is vice versa to the situation with protocol filters, i.e. Input Device filters are applied after NAT, Output Device filters are applied before NAT
  • the information about protocol filters was confirmed experimentally, device filters were not examined


Example:

  • 192.168.1.8 starts an FTP connection to some Internet host
  • Packets going out to the Internet can be filtered with an Input Filter that has
    • Source IP = 192.168.1.8
    • Destination Port = 21
  • Packets coming in from the Internet can be filtered with an Output filter that has
    • Destination IP = 192.168.1.8
    • Source Port = 21


WAN side

Menu 11.1 (Remote Node Setup -> Remote Node 1) allows you to activate filter sets that control network traffic on the WAN side of the ADSL router. The WAN side of the router is the side where the ADSL cable plugs in.


The same filtering options exist as for the LAN side in menu 3.1 (see above), but the meaning of filters is slightly different:

Input Filter 
this is a filter that is applied to packets that come from the WAN and go into the LAN
Output Filter 
this is a filter that is applied to packets that come from within the LAN and go out to the WAN


NAT and filters:

  • as with filters used on the LAN side, the rule is that filters can use local addresses
  • Input Protocol filters are applied after NAT
  • Output Protocol filters are applied before NAT


Example:

  • 192.168.1.8 starts an FTP connection to some Internet host
  • Packets going out to the Internet can be filtered with an Output Filter that has
    • Source IP = 192.168.1.8
    • Destination Port = 21
  • Packets coming in from the Internet can be filtered with an Input filter that has
    • Destination IP = 192.168.1.8
    • Source Port = 21


In addition to protocol and device filter sets, it is also possible to use "Call Filter Sets".


Order of application

When a packet comes in from the Internet (WAN -> LAN):

  • First the filter sets activated in menu 11.1 ("Remote Node Setup", i.e. on the WAN side of the router) are applied
  • Second are the filter sets activated in menu 15.2 ("NAT Server Sets", in our case only port forwarding)
  • Third, and last, are the filter sets activated in menu 3.1 ("LAN Port Filter Setup", i.e. on the LAN side of the router)


When a packet goes out to the Internet (LAN -> WAN):

  • The order is reversed
  • NAT Server Sets are ignored


Note: if a packet does not pass a filter set, it will never "arrive" in any of the subsequent filter sets.
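The two FTP examples above (LAN side and WAN side) and the stage order in this chapter are easiest to check against a small model. The following is an added example, not the router's code and not from the original page: it encodes only what this page states, namely the Input/Output naming on each side, the stage order in each direction, and early drop. Packets are written with local (LAN) addresses, which is what the page says the protocol filters see. The Internet host 203.0.113.10 is constructed, and the model assumes that the NAT server set is consulted only for WAN->LAN packets that are not replies to an existing outbound session, and that it drops whatever it does not forward (the 0.0.0.0 default rule).

```python
"""Model of the Zyxel filter-set pipeline described in this section.

Added example, not the router's firmware and not code from the page's author.
Stages and their order are those the page gives; the handling of the NAT
server set for session replies is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    """One protocol-filter rule; a field left as None matches anything."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    action: str = "drop"

    def matches(self, p: Packet) -> bool:
        wanted = (self.src_ip, self.dst_ip, self.src_port, self.dst_port)
        actual = (p.src_ip, p.dst_ip, p.src_port, p.dst_port)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def run_filter_set(rules, packet):
    """First matching rule decides; a set with no match lets the packet through."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "forward"


# Server Set 1 as recorded on this page: single ports plus the 1023-65535 range.
ZYXEL_SERVER_SET = [(22, 22), (25, 25), (80, 80), (143, 143), (389, 389), (1023, 65535)]


@dataclass
class Router:
    wan_input: list = field(default_factory=list)    # menu 11.1, WAN -> LAN
    wan_output: list = field(default_factory=list)   # menu 11.1, LAN -> WAN
    lan_input: list = field(default_factory=list)    # menu 3.1,  LAN -> WAN
    lan_output: list = field(default_factory=list)   # menu 3.1,  WAN -> LAN
    server_set: list = field(default_factory=list)   # menu 15.2.1 port ranges

    def wan_to_lan(self, packet, reply_to_session=False):
        """WAN -> LAN: menu 11.1 first, then 15.2, then 3.1 (the page's order)."""
        stages = [("11.1 WAN input", lambda p: run_filter_set(self.wan_input, p))]
        if not reply_to_session:          # assumption: replies bypass the server set
            stages.append(("15.2 NAT server set", self._port_forward))
        stages.append(("3.1 LAN output", lambda p: run_filter_set(self.lan_output, p)))
        return self._run(stages, packet)

    def lan_to_wan(self, packet):
        """LAN -> WAN: reversed order, and the NAT server set is ignored."""
        stages = [("3.1 LAN input", lambda p: run_filter_set(self.lan_input, p)),
                  ("11.1 WAN output", lambda p: run_filter_set(self.wan_output, p))]
        return self._run(stages, packet)

    def _port_forward(self, p):
        forwarded = any(lo <= p.dst_port <= hi for lo, hi in self.server_set)
        return "forward" if forwarded else "drop"

    @staticmethod
    def _run(stages, packet):
        """Return (verdict, stage): the stage that dropped, or the last one passed."""
        for name, stage in stages:
            if stage(packet) == "drop":
                return "drop", name       # later stages never see this packet
        return "forward", stages[-1][0]


if __name__ == "__main__":
    # The page's FTP example: 192.168.1.8 -> an Internet host (203.0.113.10, constructed).
    syn = Packet("192.168.1.8", "203.0.113.10", 40000, 21)
    reply = Packet("203.0.113.10", "192.168.1.8", 21, 40000)
    block_ftp = Rule(src_ip="192.168.1.8", dst_port=21)
    print(Router(lan_input=[block_ftp]).lan_to_wan(syn))          # ('drop', '3.1 LAN input')
    print(Router(wan_output=[block_ftp]).lan_to_wan(syn))         # ('drop', '11.1 WAN output')
    print(Router(lan_output=[Rule(dst_ip="192.168.1.8", src_port=21)],
                 server_set=ZYXEL_SERVER_SET).wan_to_lan(reply, reply_to_session=True))
    # Unsolicited telnet from the Internet dies in the server set, before menu 3.1 sees it.
    telnet = Packet("203.0.113.10", "192.168.0.2", 50000, 23)
    print(Router(server_set=ZYXEL_SERVER_SET).wan_to_lan(telnet))  # ('drop', '15.2 NAT server set')
```

The same rule (source 192.168.1.8, destination port 21) blocks the outgoing FTP connection whether it is installed as a LAN-side Input filter or a WAN-side Output filter; what changes is only the stage at which the packet disappears, and therefore which later sets never get to see it.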


Other configuration

Menu 24.11 (System Maintenance -> Remote Management Control): disable remote administration of the ADSL router via telnet and/or http


Menu 24.3.2 (System Maintenance -> Log And Trace -> UNIX Syslog) allows you to configure where the router should send syslog data (= 192.168.0.2) and what should be logged. syslogd on the target system must be started with the -r option in order to accept data from the network. Note that -r makes syslogd accept datagrams from any host, not just the router, so UDP port 514 on 192.168.0.2 should be reachable only from 192.168.0.1.
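As an added example (not part of the original page) of what a receiver should do with the router's datagrams once syslogd -r has opened the port: accept only the router's own address and decode the RFC 3164 PRI field instead of storing the line as free text. The router address 192.168.0.1 (its LAN address from "Basic router setup") and the sample datagrams are constructed for this example.

```python
"""Receive-side checks for syslog datagrams forwarded by the ADSL router.

Added example, not part of the original page. Two checks: only the router's
address is accepted (a hygiene measure, since a UDP source address is not
authenticated and the real enforcement is the firewall), and the PRI field
is decoded while control characters are neutralised.
"""
import re
from typing import Optional

ALLOWED_SOURCES = {"192.168.0.1"}        # the ADSL router's LAN address (constructed)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(src_ip: str, datagram: bytes) -> Optional[dict]:
    """Return {facility, severity, msg} for an accepted datagram, else None."""
    if src_ip not in ALLOWED_SOURCES:
        return None                      # not the router: ignore
    text = datagram.decode("ascii", errors="replace")
    m = PRI_RE.match(text)
    if m is None:
        pri, body = 13, text             # RFC 3164: missing PRI -> user.notice
    else:
        pri, body = int(m.group(1)), m.group(2)
        if pri > 191:                    # out of range -> treat as no PRI
            pri, body = 13, text
    facility, severity = divmod(pri, 8)
    # Replace CR/LF and other control characters so one datagram cannot forge
    # a second log line or smuggle terminal escape sequences into the log.
    msg = re.sub(r"[\x00-\x1f\x7f]", "?", body).strip()
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity], "msg": msg}


SAMPLE_DATAGRAMS = [   # constructed for this example
    ("192.168.0.1", b"<14>Jan  5 12:00:00 router: PPPoE link up"),
    ("192.168.0.1", b"<38>Jan  5 12:00:01 router: remote management login"),
    ("192.168.0.1", b"<14>router: ok\n<38>router: admin login from 192.168.0.2"),
    ("192.168.1.8", b"<14>router: spoofed, not from the router"),
]


def process(datagrams=SAMPLE_DATAGRAMS):
    """Parse every datagram; the ones from unexpected sources are dropped."""
    return [r for r in (parse_syslog(src, d) for src, d in datagrams) if r is not None]


if __name__ == "__main__":
    for record in process():
        print(f"{record['facility']}.{record['severity']}: {record['msg']}")
```

The third sample shows why the control-character replacement matters: a single datagram containing a newline would otherwise appear in the log file as two independent lines, the second one with a facility and text of the sender's choosing.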