08/10/2006
Intracom netroute2 hacks
Since I now own my own DSL line I am using an Intracom netroute2 as a DSL modem/router. What really rocks about it is that it is Linux (busybox) based, so one can change a lot of how stuff works in it. The bad news is that Intracom no longer produces it! The good news is that someone might be able to get some of those modems second hand really cheap. I wonder who was the idiot who stopped the production of those modems at Intracom…
Anyway… I’ll post here some of the changes I made to it. I am using firmware version 577, so everything I say here might not work on older ones.
A) Fix ntp.
On boot the modem/router reads /etc/date and sets the date according to that file. My version, dated from April 2006, made the modem think on every boot that it was April. It is easy to fix this with an ntpclient cronjob. So create a file inside /etc/cron.d/ named cron_ntpclient and paste the following inside it:
0,15,30,45 * * * * root /usr/bin/ntpclient -s -h ntp.grnet.gr > /dev/null 2>&1
This will sync the time on the modem every 15 minutes.
If you want to be even more accurate, like I do, check out the following. I had noticed that my modem takes about 1 min and 20 secs from the time I plug it in until it gets an IP from my ISP. So if I could make it ntp sync immediately after getting an IP it would be pretty cool. So, I edited /etc/date and replaced the contents of the file with the following:
091918002006
This makes the modem set its date to 18:00 on 19 September 2006 every time it boots (the format is MMDDhhmmYYYY).
Then change the cron script to this:
02,15,30,45 * * * * root /usr/bin/ntpclient -s -h ntp.grnet.gr > /dev/null 2>&1
Now the modem syncs the date on the next minute after it gets an IP from the ISP: it boots believing it is 18:00, the link is up about 1 min 20 secs later, and the 18:02 cron run catches it. This is really helpful if you use syslog (read on for this).
BEWARE though that BEFORE you reboot you MUST run /etc/init.d/checkpoint. This command is VITAL! It saves the changes you make to the configuration files so they are not overwritten on reboot by the copies inside /etc-ro/.
B) This version has snmpd installed but not started by default. So let’s make it start when netroute2 boots.
The only thing that needs to be done for this is add an entry inside /etc/net.conf. You need to add somewhere around the end an entry like this:
SNMP_RO_COMMUNITY=YOUR_SNMP_COMMUNITY
Replace ‘YOUR_SNMP_COMMUNITY’ with a community string of your choice (it works like a password for the read-only SNMP access this variable enables). You can use vi to do it. Run /etc/init.d/checkpoint afterwards to save your changes.
You can now reboot Netroute2 and if you type ‘ps aux’ on its shell you will probably see something like this:
408 root 840 S /sbin/snmpd -c /etc/snmpd.conf -l /dev/null
That means snmpd is now listening for connections. You can now monitor the traffic with mrtg if you want from another PC. I’ll post my own mrtg.conf for the netroute2 but it does not necessarily mean that it will work for you too. It depends on which ethernet devices you use to connect it to your network. I use eth0.
Here’s the mrtg.conf for my netroute2: netroute2-mrtg.conf
Use it with your other mrtg scripts, I won’t tell you how here… if you don’t know, google for it. It’s really simple. Here’s a HOWTO from the Gentoo Wiki HOWTO_SNMP_and_MRTG_Made_Easy for the lazy ones.
C) Syslog activation.
A syslog daemon is also included but not started in netroute2. It is primarily meant to log remotely to another machine. But netroute2 has 10Mb of free space at /tmp… so we can make it store some logs there. On reboot these logs are lost, so it’s only useful if your netroute2 is on a UPS or if you want to monitor what’s going on while netroute2 is working. It’s not for finding out what happened before your netroute2 crashed. If you want such behaviour you must activate remote syslog logging, and if you want that you must be able to easily find out how to do it, you don’t need my advice 🙂
First of all fire up vi and edit /etc/syslog.conf. Change all entries that start with /var/log to /tmp/var/log/. Then go find /etc/init.d/rc-syslog and edit it with vi. Find line 13. It should say something like this:
/bin/echo "Invalid Syslog Server IP!"
exit 1
Change it to:
/bin/echo "Invalid Syslog Server IP!"
/bin/echo "Logging Locally!"
mkdir -p /tmp/var/log/
#exit 1
What happens here is this: the script searches /etc/net.conf for a variable named SYSLOG_SERVER_IP. If it finds it, it enables remote syslogging to that IP (damn!.. I’ve said it), but we want to enable local logging so we have to bypass it. We first create the /tmp/var/log directory and then put a “#” in front of the exit command so the script does not stop when it can’t find SYSLOG_SERVER_IP.
/etc/init.d/checkpoint again….reboot…and if all went fine if you “ps aux” you should see something like:
166 root 336 S /sbin/syslogd
169 root 264 S /sbin/klogd -c 3 -x
If you cd to /tmp/var/log you can find the log files. You can more them, tail them, grep them, whatever…it’s up to you now.
D) Enable iptables logging.
Netroute2 features iptables firewalling and tc for QoS!!! You can easily modify the firewall script to make it suit your needs better. What I am going to describe here is how to make iptables log to syslog so you can view what is being blocked by iptables.
First thing you have to do is go to the web interface (yes it IS sloooooooow but who cares ? You won’t be needing much anyway 🙂 ), go to “Wan Connections” and click on Firewall. Go where it says “Expert Configuration” (don’t you already feel l33t ? heh) and add a dummy line like this:
iptables -A INPUT -i ppp0 -p tcp --dport 135 -j DROP
Click on apply and wait a bit until it refreshes the firewall webpage.
Even though this line is totally useless on its own (if you know a bit of iptables and see the rest of the firewall listing I am sure you already know why), it forces netroute2 to create a separate firewall file for your connection instead of using its default one.
Now go back to netroute2's shell. If you don't know/remember the name of your connection do an
ls /etc/wan/current/
and it will show you its name. Then go to /etc/wan/firewall/ and edit the file with your connection name. You will see inside it the full listing of iptables rules.
Lines 25-27 should look a bit like these:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [43:9993]
:OUTPUT ACCEPT [73:33579]
Add below the last one a line like the following:
:LOG_DROP - [0:0]
Around line 65 there should be something like this:
-A INPUT -i ppp0 -j DROP
change it to:
-A INPUT -i ppp0 -j LOG_DROP
Then finally find the last line of the file that says COMMIT and add above it these two lines:
-A LOG_DROP -j LOG
-A LOG_DROP -j DROP
The editing is finished. DON’T forget to /etc/init.d/checkpoint….reboot and you are ready.
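The three edits above can be scripted instead of made by hand in vi. The following is an added example, not code from the original post or from Intracom's firmware: the firewall file it operates on is a constructed miniature of /etc/wan/firewall/<connection> (the real one is much longer, so the line numbers given above don't apply to it), and the function writes the result to a .new file so you can compare it with the original before swapping it in and running /etc/init.d/checkpoint.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite a netroute2-style
# iptables-save file so that packets dropped on ppp0 are logged first.
# Uses only sh + awk, both available in the router's busybox.

# Constructed sample with the relevant lines of a firewall file.
make_sample_firewall() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [43:9993]
:OUTPUT ACCEPT [73:33579]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 135 -j DROP
-A INPUT -i ppp0 -j DROP
COMMIT
EOF
}

# enable_log_drop FILE
#   1. declares the LOG_DROP chain right after the :OUTPUT chain line
#   2. sends the catch-all "-A INPUT -i ppp0 -j DROP" to LOG_DROP instead
#   3. defines LOG_DROP (log, then drop) just before COMMIT
# The original file is left untouched; the result goes to FILE.new.
enable_log_drop() {
    f="$1"
    awk '
        /^:OUTPUT /                  { print; print ":LOG_DROP - [0:0]"; next }
        /^-A INPUT -i ppp0 -j DROP$/ { print "-A INPUT -i ppp0 -j LOG_DROP"; next }
        /^COMMIT$/                   { print "-A LOG_DROP -j LOG"; print "-A LOG_DROP -j DROP" }
        { print }
    ' "$f" > "$f.new"
}

# Usage on the router (connection name taken from ls /etc/wan/current/):
#   enable_log_drop /etc/wan/firewall/YOUR_CONNECTION
#   diff /etc/wan/firewall/YOUR_CONNECTION /etc/wan/firewall/YOUR_CONNECTION.new
#   mv /etc/wan/firewall/YOUR_CONNECTION.new /etc/wan/firewall/YOUR_CONNECTION
#   /etc/init.d/checkpoint
```

Only the single catch-all DROP on ppp0 is redirected; the dummy port-135 rule added through the web interface keeps its plain DROP, which is also what the manual edit above does.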
If you had previously enabled syslog logging correctly you can do a:
tail -f /tmp/var/log/kernel.log
and if your firewall blocks something you might see a line that looks like this:
Sep 24 02:16:57 (none) kernel: IN=ppp0 OUT= MAC= SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=30976 DF PROTO=TCP SPT=3935 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
You can change all the other “-j DROP” settings inside your firewall config to “-j LOG_DROP” to gather more information about what gets dropped. If you do that, though, it might be necessary to refine your /etc/syslog.conf to create more accurate log files. Which log file keeps which kind of messages is up to syslog.conf… play with it.
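Once LOG_DROP entries land in /tmp/var/log/kernel.log, a bit of awk turns them into a summary of what is being dropped, which is more useful than staring at tail -f. This is an added example, not from the original post: the log lines it reads are constructed (documentation addresses, not real traffic) in the shape of the line shown above, and dropped_summary and top_sources are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the iptables LOG
# lines that the LOG_DROP chain writes to /tmp/var/log/kernel.log.
# Runs with busybox awk/sort on the router or with GNU tools elsewhere.

# Constructed sample of kernel.log (addresses are documentation ranges).
sample_kernel_log() {
    cat <<'EOF'
Sep 24 02:16:57 (none) kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=30976 DF PROTO=TCP SPT=3935 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 02:17:03 (none) kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=30977 DF PROTO=TCP SPT=3936 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 24 02:18:11 (none) kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=55001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 24 02:18:12 (none) kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=4000 DPT=1434 LEN=40
Sep 24 02:18:13 (none) kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=55002 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 24 02:18:20 (none) pppd[123]: Connect: ppp0 <--> /dev/ttyS0
EOF
}

# dropped_summary < kernel.log
# Prints "count proto dport" lines, most frequent first, for every
# iptables LOG entry that arrived on ppp0. Lines from other daemons
# (pppd above) and kernel lines without IN=ppp0 are skipped.
dropped_summary() {
    awk '
        /kernel: IN=ppp0 / {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            if (proto != "" && dport != "") n[proto " " dport]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# top_sources < kernel.log
# Prints "count src" lines so one host probing many ports stands out.
top_sources() {
    awk '
        /kernel: IN=ppp0 / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Usage on the router:
#   dropped_summary < /tmp/var/log/kernel.log
#   top_sources     < /tmp/var/log/kernel.log
```

Because the logs in /tmp vanish on reboot, run this from cron into a file on another machine (or over ssh from the client set up in section F) if you want the counts to survive.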
E) Netroute has some advanced commands that are not inside the PATH.
Look for some very interesting binaries like tcpdump, tc, etc. inside /usr/sbin.
F) Public key auth with dropbear:
on client machine:
ssh-keygen -t rsa
scp .ssh/id_rsa.pub root@netroute.ip:
on netroute2:
mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys
chmod 400 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
/etc/init.d/checkpoint
If everything is done properly you will now be able to ssh from your client to netroute2 without password.
I wish I could find more of these great machines. 2 Ethernet ports, USB, serial console, 2 FXS, its own small SIP-compatible PBX… what else can one need? A USB port for an external disk and a torrent client probably… 🙂
Filed by kargig at 01:47 under Linux,Networking
Did you manage to make a reasonable QoS policy? I’m asking because I use a linux machine as a gateway. I think you’ll need a QoS policy to optimize your router at best.
Until recently I was not able to apply *any* policy that worked well. I found many examples and ready-2-run scripts on the Internet, but none worked well. I made a printed copy of the LARTC guide but that paper is written badly, it doesn’t explain everything as it should and requires a very deeper knowledge of networking than I thought at the beginning.
Anyway, if you applied any QoS policy that worked well, plz let me know.
This modem/router comes with its own “tc” script. It prioritizes http and voip traffic over all the others. It works quite well I must say. I never ever had problems viewing websites while downloading from ftps, even when the downloads reached my adsl line’s limit.
Is your linux machine the “dialer” or is it just a gateway for all other machines ? How many interfaces does it have ? In order for QoS scripts to work properly the outgoing interface must be different from the one connecting the gateway with the LAN. You can’t apply proper QoS when your gateway has only one interface connected to a switch for example. You need to have 2 different ones…one that will talk with the rest of the lan (no QoS there) and one that will talk to the world (QoS applies here).
I will make a post sometime in the future to show how can somebody tweak netroute2’s QoS script to add/remove ports/protocols/etc…
Hello,
My machine acts as a dialer and router. 2 NICs, the 1st connected to the speedtouch 530i (bridge mode) and 2nd is connected to the switch.
The interface to which I should apply QoS is the ppp0 (the alias of eth0 for PPPoverEth).
You can check this if you want…
http://www.void.gr/kargig/blog/2005/07/27/traffic-shaping-a-dsl-line-with-linux/
it used to work quite well.
I would like to ask you where can someone find the latest firmware for NetRoute 2D. Thank you in advance for your reply. Panos.
I am afraid that you have to ask HOL or Intracom for a firmware first.
If you do so, and you don’t get a reply from them, post back here, and I’ll see what can be done…I’ll ask some people that work on those companies whether I am allowed to give you the firmware I was given.
HOL does not give any new firmware. The latest FW according to them should be 523. As for Intracom I do not know if they support it since they don’t even have a support web page. I have read that others who have called the helpdesk that Intracom does not seem to know that such a product even exists (http://www.myphone.gr/forum/showthread.php?p=1160465).
Nevertheless I still believe that it is a very fine router, although I believe that the VOIP functions are not very efficient. It seems to me that NetRoute 2D does not have enough processing power to handle both the routing functions and the VOIP functions. For example whenever I use a softphone (call me X-Lite) with the ADSL line connected to the NetRoute I have very good voice quality. If I use a simple phone connected to the NetRoute port then the VOIP quality is below acceptable limits.
This is why I am searching for a new FW, because some bugs could be resolved.
By the way, my ADSL line is 1024/256 which should be more than enough for the VOIP functions.
Kind regards,
Panos.