DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

unable to turn stuff OFF

24 Apr 2020 19:04 #1 by graemev
Most folks have issues with stuff not working. I'm having trouble stopping stuff.
The device is a 2860 (no WiFi).
I have port1 (physical) plugged into a multi-way switch and hence around my house, this is set as LAN1 (192.168.1.0/24)
I have port6 (physical) plugged into a mini WiFi router, used by guests, this is set as LAN6 (192.168.6.0/24)

In essence I don't want folks on LAN6 being able to tinker with my household systems.

step1: In the web GUI --> Inter-LAN Routing has the original simple diagonal, so no inter-LAN routing
despite this, wifi guests can see all the addresses on LAN1
step2: in Web GUI ---> In LAN Access Setup to disable access to the web GUI (as in https://www.draytek.com/support/knowledge-base/5401)
again access still works; both 192.168.1.254 and 192.168.6.254 work
step3: On LAN Access Setup, disable FTP, and various others (e.g. all)
again still able to ftp to the box, from both LAN1 and LAN6


I also tried this in the CLI on vigor, but even with e.g. FTP shown as disabled, I was still able to connect with an FTP client.
ABTW, SSH never works, even with it enabled. The behaviour is just "wide open access is hardcoded"; I seem unable to turn things off.


25 Apr 2020 01:34 #2 by hornbyp
You don't mention "enabling VLANS" ... have you done that?

Are you sure that the clients are all getting an IP address on the expected network? [use 'ipconfig'] ... i.e. that they're not all actually on the same subnet...

If you do a 'Tracert -d 192.168.1.x' from somewhere on the 192.168.6.0 network (and vice-versa), what do you get?

(In the first case, you should get a response from your gateway (192.168.6.254), then 'Request Timed Out'. If Routing is allowed, you'd get the 192.168.1.x address as the second and final hop - 192.168.1.254 wouldn't show up.)
If there's only one address in the list (i.e. the target), then no Routing's occurring; you're on the same network...


25 Apr 2020 20:54 #3 by graemev
OK, thanks for the response. This situation was more complicated than I explained. I'd hoped the difference didn't matter....but:

1: So a simple ping from 192.168.6.1 to 192.168.1.151 fails (as does a traceroute)
2: From "vigor" (10.168.[1-6].*) to 192.168.1.151 works (just to show 192.168.1.151 exist & responds)

However I don't directly use 192.168.8.X I have a small router (gl-AR300M AKA "shadow") which had Wifi & a VPN.
Right now I've turned off both the VPN and Wifi, so it just has two ports labelled WAN (outgoing) and LAN (incoming)

shadow.WAN is plugged into Vigor.P6 . It gets the IP address 192.168.6.253 (fixed, based on its MAC)
shadow.LAN is plugged into my laptop (AKA bluelap) shadow.LAN is 172.16.6.1

vigor.p1 [192.168.1.254 ] is plugged into a server with the IP 192.168.1.151 (see above)
vigor.p6 [192.168.6.254 ] is plugged into shadow with the IP 192.168.6.253 (see above)

bluelap.LAN gets: 172.16.6.162



So on shadow I see:


root@GL-AR300M:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.6.254   0.0.0.0         UG    10     0        0 eth0
172.16.6.0      *               255.255.255.0   U     0      0        0 br-lan
192.168.6.0     *               255.255.255.0   U     10     0        0 eth0

root@GL-AR300M:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E4:95:6E:43:A1:D1
          inet addr:172.16.6.1  Bcast:172.16.6.255  Mask:255.255.255.0
          ...

eth0      Link encap:Ethernet  HWaddr E4:95:6E:43:A1:D0
          inet addr:192.168.6.253  Bcast:192.168.6.255  Mask:255.255.255.0
          ...



In essence one way in one way out .

...continued in part 2


25 Apr 2020 20:55 #4 by graemev
Part2

Then from bluelap I see:


Script started on Sat 25 Apr 2020 19:08:46 BST

root@bluelap:/tmp# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.6.1      0.0.0.0         UG    1024   0        0 eth0
172.16.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0

root@bluelap:/tmp# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1e:68:eb:8d:68
          inet addr:172.16.6.162  Bcast:172.16.6.255  Mask:255.255.255.0
          ...

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          ...

wlan0     Link encap:Ethernet  HWaddr 00:23:4d:3d:02:25
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          ...

root@bluelap:/tmp# traceroute -n -I 192.168.1.151
traceroute to 192.168.1.151 (192.168.1.151), 30 hops max, 60 byte packets
 1  172.16.6.1     0.402 ms  0.836 ms  0.808 ms
 2  192.168.6.254  0.784 ms  1.029 ms  1.020 ms
 3  192.168.1.151  2.099 ms  2.096 ms  2.182 ms

root@bluelap:/tmp# exit

Script done on Sat 25 Apr 2020 19:09:39 BST



So you see traffic starting on bluelap (172.16.6.162) goes via shadow then to the VIGOR on 192.168.6.254 ...***but then goes out to 192.168.1.151***
which it should not ??

So the obvious question, on the vigor:


> vlan status

VLAN is Enable :

VLAN  Enable  VID  Pri  p1  p2  p3  p4  p5  p6  s1  s2  s3  s4  subnet
0     OFF     0    0    V   V   V   V   V                       1:LAN1
1     OFF     0    0                        V                   6:LAN6
2     OFF     0    0                                            2:LAN2
3     OFF     0    0                                            1:LAN1
4     OFF     0    0                                            1:LAN1
5     OFF     0    0                                            1:LAN1
6     OFF     0    0                                            6:LAN6
7     OFF     0    0                                            1:LAN1

Note: they are only untag for s1/s2/s3/s4, but they can join tag vlan with lan ports.
Permit untagged device in P1 to access router: ON.





ABTW: I have "DrayTek-CLIRef-2016 1-3.pdf" but, for example, this vlan command is not listed there?

I'd like to be able to show the Inter-LAN Routing (from GUI) ...it just has LAN1 ...LAN6 DMZ as both column and row headers
the only check boxes are in the diagonal (LAN1->LAN1, LAN2->LAN2 etc)

So I don't think LAN6 traffic should be able to route to LAN1

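A small checker that encodes hornbyp's reading of a cross-subnet trace (reply #2: gateway then timeouts = isolated; target appears as a later hop = routed; target is the only hop = same subnet) and applies it to the three-hop trace graemev posted in #4. This is an added example, not code from the forum thread or from DrayTek; the isolated and same-subnet traces are constructed samples, and trace_and_classify is a hypothetical wrapper around the system traceroute command.

```python
import re
import subprocess

# Constructed sample traces. TRACE_ROUTED reproduces the three hops graemev
# posted from bluelap; the other two are constructed to match hornbyp's
# description of an isolated result and a same-subnet result.
TRACE_ROUTED = """traceroute to 192.168.1.151 (192.168.1.151), 30 hops max, 60 byte packets
 1  172.16.6.1  0.402 ms  0.836 ms  0.808 ms
 2  192.168.6.254  0.784 ms  1.029 ms  1.020 ms
 3  192.168.1.151  2.099 ms  2.096 ms  2.182 ms
"""
TRACE_ISOLATED = """traceroute to 192.168.1.151 (192.168.1.151), 30 hops max, 60 byte packets
 1  192.168.6.254  0.512 ms  0.498 ms  0.470 ms
 2  * * *
 3  * * *
"""
TRACE_SAME_SUBNET = """traceroute to 192.168.1.151 (192.168.1.151), 30 hops max, 60 byte packets
 1  192.168.1.151  0.301 ms  0.290 ms  0.288 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then first address or '*'

def parse_hops(output):
    """Return the responding address of each hop, '*' where the hop timed out."""
    hops = []
    for line in output.splitlines()[1:]:  # skip the 'traceroute to ...' banner
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return hops

def classify(output, target):
    """Apply hornbyp's interpretation rules to raw traceroute output."""
    hops = parse_hops(output)
    if not hops:
        return "no-data"
    if hops[0] == target:
        return "same-subnet"   # target answered as hop 1: no router in between
    if target in hops:
        return "routed"        # a gateway forwarded us across subnets: NOT isolated
    if hops[0] != "*" and all(h == "*" for h in hops[1:]):
        return "isolated"      # gateway replied, then only timeouts: isolation holds
    return "unknown"

def trace_and_classify(target):
    """Hypothetical helper: run a live ICMP trace (needs root) and classify it."""
    out = subprocess.run(["traceroute", "-n", "-I", target],
                         capture_output=True, text=True, check=False).stdout
    return classify(out, target)
```

Run classify() against a trace taken from the guest side before and after changing the Inter-LAN Routing or firewall settings; "routed" on a trace from LAN6 to LAN1 means the isolation the GUI shows is not what the forwarding path does.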

26 Apr 2020 02:46 #5 by hornbyp

graemev wrote:
OK, thanks for the response. This situation was more complicated than I explained. I'd hoped the difference didn't matter....but:

They do say, a "little inaccuracy saves a lot of explanation" :D

1: So a simple ping from 192.168.6.1 to 192.168.1.151 fails (as does a traceroute)
2: From "vigor" (10.168.[1-6].*) to 192.168.1.151 works (just to show 192.168.1.151 exist & responds)

root@bluelap:/tmp# traceroute -n -I 192.168.1.151
traceroute to 192.168.1.151 (192.168.1.151), 30 hops max, 60 byte packets
 1  172.16.6.1     0.402 ms  0.836 ms  0.808 ms
 2  192.168.6.254  0.784 ms  1.029 ms  1.020 ms
 3  192.168.1.151  2.099 ms  2.096 ms  2.182 ms

That is Weird.

ABTW: I have "DrayTek-CLIRef-2016 1-3.pdf" but, for example, this vlan command is not listed there?


The command is not described in the "2860 User's Guide", nor the "Vigor2860 Telnet Commands" document. It is possible it's in "Appendix I:VLAN Application on Vigor Router", but that doesn't exist! The command is documented in the "2926 User's Guide" :roll:

I can't for the life of me see what's going on. I tried the same sort of configuration on my 2860n and it worked exactly as expected. (I already had 4 tagged VLANs configured, which I thought might upset it, but it didn't)

Here is Draytek's configuration document, on the off-chance you've done things differently. If all else fails, you can probably add a Firewall rule to isolate the two networks...

One observation - though it's not going to fix the Routing issue - is that it would be more usual, to just utilise the LAN ports on your "gl-AR300M" - thus avoiding the (probable) double-nat and an additional subnet.

(Just some random thoughts ... Is Port Mirroring turned on? ... are the subnet masks all correct?)


01 May 2020 17:07 #6 by graemev
The command is documented in the "2926 User's Guide.... <OK got that now, thanks>

Your comment "it would be more usual, to just utilise the LAN ports on your gl-AR300M" got me thinking: how did I end up here?

The gl-AR300M is a "dumb, smart box" it has various modes and only 2 RJ45 ports.

If I set it to "Wireless access point" it loses a key feature (the wireguard VPN)
If I leave it as a router but say "use the WAN port as a LAN port" .... it then uses WiFi to connect to the "upstream" router

It's designed to be taken travelling , it hooks into e.g. Hotel Wifi or Hotel RJ45 and provides a familiar WLAN ...with a VPN ...typically the client while travelling . This is intended to be the other end of that.

The double NAT is a concern ... need to think on that again
However it does suggest the root cause of the routing issue ... a static route on the Vigor to make the 172.16.6.0/24 network accessible from vigor (intended for established/related)

I obviously need to think some more on this (BTW my inability to turn on/off telnet, ssh etc. ... I assume there is some "restart" I need to do to activate it, based on how some other commands work)

Not had a lot of chance to work on this, power was out all day, somebody parked a massive truck in the street mains (2-3CM under gravel) and there was an explosion and no electricity. (gravel & truck are back in place, I expect a repeat)
