See also TG582N
:ppp ifconfig intf=Internet ipv6=disabled :tunnel 6to4 add ifname=6to4tunnel :tunnel 6to4 modify ifname=6to4tunnel sourceintf=Internet rrs=192.88.99.1 pltime=604800 vltime=2592000 :ip rtadd dst=::/0 intf=6to4tunnel :ip rt6advd config zerotime enabled :tunnel 6to4 list :ip rt6advd pdlist :ip rt6advd pfxlist
We want to advertise 1480 as the mtu to the internet over 6to4 as does the AdvLINKMTU option in radvd. This seems to be the config but might not have that effect
:ip rt6advd ifdetach intf=LocalNetwork :ip rt6advd ifconfig intf=LocalNetwork linkmtu=1480 :ip rt6advd pdadd intf=LocalNetwork subnet-id=0:0:0:1::/64 interface-id=slaac origin=Internet types=dhcp+6rd+6to4+ula aflag=enabled lflag=enabled :ip rt6advd ifattach intf=LocalNetwork :saveall
That is done with the basic IPv6 configuration, if wanting to run servers read the next section…
We need to have the :firewall and :nat modules let the TG582N sink 6to4 packets, it is desirable to leave firewall active if possible as further control of incoming data is possible, incoming IPv6 will traverse the firewall twice, first as IPv4 carrying IPv6 into the =sink chain, then as native IPv6 via =forward if accepted by the sink rule tree.
Without the following the firewall closes the router to new incoming IPv6 sessions after the last session ceases activity after about 60 seconds, even if firewall is set to disabled in the web gui. If you like to run a server you might not want that so let’s switch it off… but still retain most of the benefits of the router firewall.
:expr add name=IPv6inIP type=serv proto=41 :firewall rule add chain=sink_fire index=1 srcintf=wan serv=IPv6inIP action=accept :nat flush :nat ifconfig intf=Internet translation=enabled :nat ifconfig intf=LocalNetwork translation=transparent :nat tmpladd intf=Internet type=nat outside_addr=0.0.0.1 inside_addr=0.0.0.1 protocol=ipv6
We can use these to test the tracking of incoming IPv6 connections to see if TG582N firewall, ids or nat modules interfere with incoming IPv6. Even if that happens, some protection of TELNET,HTTP,DNS-S services can be done in :service
Also it confirms that the 60 second tracking timeout does not stop new incoming connections after that.
:connection list proto=ipv6 :connection clean
It may also be useful to activate ping responses and up tunnelled MTU to 1480.
:service system list name=PING_RESPONDER expand=enabled :service system list name=PINGv6_RESP expand=enabled :service system ifadd name=PING_RESPONDER group=wan :service system ifadd name=PINGv6_RESP group=wan :ip ifconfig intf=6to4tunnel mtu=1480 :saveall
We also like this device to serve PXE options to a static ip
It allows the DHCP options and values to be called whatever the owner wants, only the optionid and value is sent to the client. Also the LAN_private pool has to be temporarily disabled while changing options.
Router ipv4 range is 192.168.1.64 through 192.168.1.252
:dhcp server lease delete clientid=AC:DE:48:00:00:80 :dhcp server lease add clientid=AC:DE:48:00:00:80 pool=LAN_private addr=192.168.1.64 leasetime=0 allocation=manual :dhcp server option tmpladd name=s optionid=66 :dhcp server option tmpladd name=f optionid=67 :dhcp server option instadd policy=always name=s tmplname=s value=(addr)192.168.1.64 :dhcp server option instadd policy=always name=f tmplname=f value=(ascii)pxelinux.0 :dhcp server pool config name=LAN_private state=disabled :dhcp server pool optadd name=LAN_private instname=s :dhcp server pool optadd name=LAN_private instname=f :dhcp server pool config name=LAN_private state=enabled
To remove all the options, such as if it wants to configure them again:
:dhcp server pool config name=LAN_private state=disabled :dhcp server pool optdelete name=LAN_private instname=s :dhcp server pool optdelete name=LAN_private instname=f :dhcp server pool config name=LAN_private state=enabled :dhcp server option instdelete name=s :dhcp server option instdelete name=f :dhcp server option tmpldelete name=s :dhcp server option tmpldelete name=f
note that the ip access list defaults to permit
any address when empty. When we add our first address all others are now denied so add the one you are using for TELNET first, test thoroughly for satisfaction before using :saveall
Adding these 2 at least is recommendable, then add extra addresses as desired after attaching to wan interfaces.
:service system list name=HTTP expand=enabled :service system ipadd name=HTTP ip=192.168.1.0/24 :service system ifdelete name=HTTP group=lan :service system list name=TELNET expand=enabled :service system ipadd name=TELNET ip=192.168.1.0/24 :service system ipadd name=TELNET ip=fe80::/64 :service system ipadd name=DNS-S ip=192.168.1.0/24 :service system ipadd name=DNS-S ip=fe80::/64 :service system ifdelete name=TELNET group=lan
We want to grant admin account all rights,
we use some tricks to change the role of admin
from Administrator to SuperUser,
normally the :user config name=admin role=SuperUser fails
:user config name=admin role=SuperUser # fails :mlp role list :mlp role config name=Administrator parent=root :mlp role config name=SuperUser parent=Administrator :user config name=admin role=SuperUser # now it works! :mlp role config name=SuperUser parent=root :mlp role config name=Administrator parent=TechnicalSupport
Might not want HTTP on wan port 80, this makes it usable only on the LAN interface so user can now forward the wan port to the main web server.
:service system mapdelete name=HTTP port=80 :service system mapadd name=HTTP intf=LocalNetwork port=80 :service system list name=HTTP expand=enabled
Note user roles for TG582N are same as for other device, configuration for vlan is also possible
It is possible to place ports into another vlan to separate devices with assumed weak security (e.g printers, ip cameras) from the internet such as because their control stacks are proprietary software.
suppose a printer connected to port 2, and computer is on port 1. We want a printer vlan untagged on port 2 and 802.1Q tagged as 30 on port 1
:eth bridge config vlan=enabled :eth vlan add name=printer vid=30 addrule=disabled :eth bridge vlan ifadd name=printer intf=ethport1 untagged=disabled :eth bridge vlan ifadd name=printer intf=ethport2 untagged=enabled :eth bridge vlan ifdelete name=default intf=ethport2
At this stage the device appears to the computer on vlan 30, but the router deoes not expose ethertype 0x86dd or 0x0800, 0x0806 so user may need to run radvd and dhcpd on eth0.30 to offer ip service.
Alternatively router can assign the addresses to the other device. This may be preferred where the computer is not a dedicated server, not fully tested as it may be announcing routes. disabling the forwarding appears to correctly isolate this vlan, the computer can talk to the printer but the printer and Internet cannot communicate.
:eth ifadd intf=printergate :eth ifconfig intf=printergate dest=bridge vlan=printer :eth ifattach intf=printergate :ip ifadd intf=printergate_ip dest=printergate :ip ifconfig intf=printergate_ip group=lan forwarding=disabled symmetric=disabled :ip ifattach intf=printergate_ip :ip iflist intf=printergate_ip expand=enabled :ip rt6advd ifadd intf=printergate_ip :ip rt6advd ifconfig intf=printergate_ip linkmtu=1480 :ip rt6advd pdadd intf=printergate_ip subnet-id=0:0:0:30::/64 interface-id=slaac origin=Internet types=dhcp+6rd+6to4+ula aflag=enabled lflag=enabled :ip rt6advd ifattach intf=printergate_ip
Caution, the ifdetach command will drop the ppp session. This is best done from a lan port.
Plusnet negotiated a MTU of 1534 on trying this.
:ppp ifdetach intf=Internet :ppp ifconfig intf=Internet mru=1600 :ppp ifattach intf=Internet :ping proto=ip addr=192.88.99.1 size=1501 DF-bit=enabled