Configuring a GART2-4115 to replace an ASR-8400

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
hillardn
Newbie
Posts: 5
Joined: Fri Nov 03, 2006 9:13 pm

Post by hillardn » Sat Nov 04, 2006 11:56 am

Hi,

I've got an Origo ASR-8400 which is configured the way I need it to be configured but it tends to be a bit sensitive to power fluctuation and runs quite warm so I picked up a cheap GART2-4115 to hopefully replace it.

I have a /29 address range (assume 1.2.3.0/29 for this post). I've got the ASR-8400 set up as a full bridge so it gets 1.2.3.1 on both WAN and LAN interfaces. NAT is disabled. The firewall is enabled but I have added custom rules so 1.2.3.1 is fully protected from the Internet but all packets destined for 1.2.3.2 - 1.2.3.6 get passed through unfiltered.

I've got a hardware firewall sitting behind it protecting my Internet facing servers and LAN so that traffic doesn't need to be filtered by the router.

With the GART2-4115, I've got as far as getting the bridging working and outbound traffic is fine. If I disable the firewall then inbound traffic is allowed through to the firewall behind it but the router is unprotected. I've tested and it responds to pings so it's effectively unprotected. I'd like it to drop all traffic from the Internet to it!

I've tried with SC firmware and with the RT firmware and can't seem to get it to work. I've looked at 'Custom IP Filters' but that appears to be for outbound traffic only. I've tried it but when I use 'Gateway System Information' I can't see the iptables rules showing up!

Any advice on this problem would be much appreciated. I'd like to get the router up and running and then keep the Origo as a spare (I've loaned out my spare SAMR-4115, so I'm running without a spare now!)

Many thanks in advance,


Neil.
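
The policy described in the post above (router address dropped from the WAN, 1.2.3.2 - 1.2.3.6 passed through), written as a generic Linux iptables-restore ruleset; this is an added example, not part of the original post and not taken from either router's firmware. The interface name `ppp0`, the use of the `state` match, and the assumption that the firmware hands WAN traffic to netfilter's INPUT and FORWARD chains are all assumptions; 1.2.3.0/29 is the post's own placeholder range.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for the policy in the post.
# ppp0 and working netfilter support in the firmware are assumptions.

# gen_ruleset WAN_IF ROUTER_IP NET_PREFIX FIRST_HOST LAST_HOST
# NET_PREFIX is the first three octets shared by the router and the hosts.
gen_ruleset() {
    wan_if=$1; router_ip=$2; prefix=$3; first=$4; last=$5

    # Refuse a pass-through range that would include the router's own address.
    router_host=${router_ip##*.}
    if [ "$router_host" -ge "$first" ] && [ "$router_host" -le "$last" ]; then
        echo "router address $router_ip is inside the pass-through range" >&2
        return 1
    fi

    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"

    # Packets addressed to the router itself traverse INPUT, not FORWARD.
    # Replies to connections the router opened are let back in; the rest
    # of the WAN traffic aimed at the router (pings included) is dropped.
    echo "-A INPUT -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $wan_if -d $router_ip -j DROP"

    # Hosts behind the router: both directions pass unfiltered, because the
    # separate hardware firewall does the filtering for them.
    h=$first
    while [ "$h" -le "$last" ]; do
        echo "-A FORWARD -i $wan_if -d $prefix.$h -j ACCEPT"
        echo "-A FORWARD -o $wan_if -s $prefix.$h -j ACCEPT"
        h=$((h + 1))
    done
    echo "COMMIT"
}

# Print the ruleset for the placeholder range used in the post.
gen_ruleset ppp0 1.2.3.1 1.2.3 2 6
```

On a Linux system the output can be loaded with `iptables-restore` as root. LAN-side access to the router is deliberately left open so the device can still be administered from inside.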
biro
RouterTech Team
Posts: 1274
Joined: Wed Jan 25, 2006 10:03 pm
Location: Letchworth Garden City, ENGLAND

Post by biro » Sun Nov 05, 2006 10:10 pm

Don't have the luxury of a block of static IPs so can't say from experience.
Have you enabled "Access Control" and entered the IPs that should be allowed to administer the router? Be aware that as soon as it is enabled with an IP then it will (does when not used in bridge mode!) block all access from any other IP; be sure to have a recent config backup in case it does block you. I know it works when not used in bridge but have no idea how it will respond in bridge mode.
All my posts on RouterTech.org are Copyright RouterTech.org
G'Day Laura

Post by hillardn » Tue Dec 19, 2006 12:26 am

Apologies for the delay getting back to this. I've tried adding the IP address of my firewall into the Access Control but that doesn't seem to have achieved anything!

Even with it enabled I can still connect to the web server from the WAN connection :-( which, as you can imagine, I don't want!

I've also added a dummy LAN Client and checked in the Port Forwarding section that 'Allow incoming pings' was unchecked. The router still responds to pings though :-(

Is there anywhere in the config that I can tell it to specifically add a firewall to drop all traffic on WAN to the WAN IP address of the router?

My ASR-8400 appears to be getting old - it's locked up twice in about three weeks now :-( I'm about to add it onto my IP Power Switch and set the monitoring system to power cycle it when it stops responding!

Many thanks,


Neil.
Kieran
RouterTech Team
Posts: 2675
Joined: Fri Jan 20, 2006 11:30 am
Location: London

Post by Kieran » Tue Dec 19, 2006 1:12 am

Might I ask what firmware you have running on your ASR? Sounds odd but a reflash never did mine any harm when things weren't running so smooth.
Kieran
"Indeed!"

Post by hillardn » Tue Dec 19, 2006 1:54 am

Currently running CX82xxx_4.1.0.21 and I have been for a long, long time!

I'd like to have a backup device that works exactly like the ASR-8400 but the GART2-4115 doesn't appear to have as good a firewall :-(

I'm currently looking around for sensibly priced ADSL routers that will work as a bridge and are able to protect themselves! If I could fathom the instructions for the Cisco 827 I'd know if it could do it!


Neil.

Post by hillardn » Thu Dec 28, 2006 11:10 pm

OK, a long time since I asked this question. I've tried using the access control and whilst it stops logons from addresses that aren't on the list, it still exposes the services and responds to pings :-(

Looks like there's no way on these newfangled devices. I'd have hoped that Safecom would have added to the feature set and not removed the old features!
Neo
RouterTech Team
Posts: 3586
Joined: Thu Jan 26, 2006 1:09 pm

Post by Neo » Sun Jan 07, 2007 4:06 pm

I don't know if you have resolved this problem, Neil, but I have been following it :)

In the past there was some concern over the ping response of routers, but in reality the concern wasn't justified by the relatively small vulnerability it posed: kb.php?mode=article&k=20

Apologies if I'm stating the obvious, but I would have thought that even if the router itself is made vulnerable (because it responds to pings), the 'Remote Web Access', 'Access Control' and login details should offer a reasonable amount of protection. Have you tried accessing the router using a proxy?

Which services are exposed? 'Access Control' should be able to lock down services that shouldn't be exposed on the WAN.

Also, a reflash of the ASR-8400 to 4.1.0.9.F-3.2.1_021804 (see pages.php?page=20 and pages.php?page=18 ) should do the trick, unless the problem resides in the actual hardware.
RouterTech Team and Founding Member

Post by hillardn » Sun Jan 07, 2007 4:30 pm

I understand the ping response but I'd rather not advertise the fact that a device is there. It's strange that the ASR-8400 can be configured to drop everything but the newer replacement can't! Seems like a step backwards to me.

The odd thing is that even though I'd removed the ticks from all services against the FTP server, Web frontend, etc. it still responded to them over the WAN connection! I was trying this from a remote network (I can VNC in and then attempt to connect back to my router). I can't use GRC - the router has its own IP address and I don't have NAT configured so can't run a shields up against it.

Unfortunately the remote site only has Windows boxes so I can't do an n.m.a.p. of the router!

I do have a list of how I configured the router which I'll dig out.

Does the firmware from the ASR-8400 work on the GART-4115? I'd rather not brick the router as I think I've found someone to take it off my hands!

The ASR-8400 appears to be fine now! Been up since 19-Dec-2006. Typical! I'd like to find out if my automated power cycling actually works!

Post by Neo » Sun Jan 07, 2007 5:22 pm

OK, thanks for the update ;)
hillardn wrote: Does the firmware from the ASR-8400 work on the GART-4115? I'd rather not brick the router as I think I've found someone to take it off my hands!
Definitely NOT! :shock: They have a totally different architecture (chipset etc), so I wouldn't try it ;)