Tuesday, July 3, 2012

Cisco / Linksys WRT610N and Management

Abstract:
Cisco's Linksys WRT610N is a consumer grade wireless router / access point which contains some higher-end features such as dual band, 5 port gigabit ethernet, and USB2 storage capabilities. When the device was released, the gigabit ethernet and dual-band capabilities were uncontested. Overall, for the price, it was a reasonable device, but some odd behaviors are exhibited.

Logging:
Network logging on the WRT610N is restricted to the network on the LAN interface; log messages cannot be forwarded to another network address. This means centralized logging is impossible if one is trying to use this consumer grade product to provide unified support in an extended family situation, where different households need to be observed. Centralized administration (through a GUI) without centralized logging is pretty useless.

Fault, Performance, and Configuration Management:
With this device, you have some limited Configuration Management, but that is about it.
If you want to know whether a cable, port, or PC on your LAN port is experiencing errors due to something failing - no way.
If you want to know your consumption of network resources over your WAN connection, to decide whether to upgrade/downgrade your broadband - no way.
Want to know which device on your LAN is causing your VoIP phone service to degrade - no way.
Want to have your wireless router check into your own private Dynamic DHCP server, so you can help out your family members around the country when they have a problem - no way, unless you want their router name and IP to be broadcast to the rest of the world.
Want to detect viruses/worms infecting your PCs and pumping out tons of traffic, using up your WAN bandwidth - no way.
Want to detect bots using your network to create a distributed denial-of-service attack [resulting in a visit from local law enforcement] - no way.
Want to create a unified VPN network for your extended family, to share resources with privacy - no way.

Old Linksys VPN and VPN edge routers had some of these capabilities, without the wireless. The WRT610N was an expensive consumer device, with none of the useful features that someone who would buy one of these would want. If you need real documented support, buy an old Cisco off of eBay (for less than you will pay for this high-end consumer device) and configure it by hand using the following blog as an ADSL reference example.
You have to go with real firmware from an alternate provider, other than Cisco, to do anything useful with this device besides having it act as a gigabit switch. Unfortunately, because this high-end consumer item was fairly rare, most firmware providers consider their software beta, and some users experience the proverbial "bricking" of their device.

Management Options:

SNMP Management:
Management via SNMP is unavailable. Early Linksys devices offered SNMP, but this is no longer the case. SNMP offers a safe way to view the configuration and performance characteristics of your router, but not with this high-end consumer device. This is a great disappointment, but there are some third-party firmware options.

Command Line Management:
Management via Telnet or SSH is unavailable. Command-line access allows fast access into a device, as well as the ability to automate some basic operations, such as backing up configurations or collecting performance characteristics without SNMP. It is unavailable without going to a third-party firmware provider.

Web GUI Management:
Management via an HTTP or HTTPS web interface can be done from the LAN and the wireless LAN. There is an option to administer the product over the Internet, but this is pretty useless without the option of central logging outside of the LAN, SNMP, or a command-line interface.

Sure, you can wait until someone calls you to tell you the internet connection is flaky, but at that point, you had better be prepared to drive to your family member's house to read the logs locally, or to help them navigate the web screens from their local web browser using the IP address.

Secret Web Management GUI:
There is a secret management GUI, where you can get some basic information about the device. Below is a small listing of available options. Many Telco and Cable providers will use the 192.168.1.x address range for their customer premises terminations, so the following list will be applicable if you configured your Linksys device with a 192.168.3.1 IP address.

http://192.168.3.1/System.asp - Hidden Web Menu: Disable "Microsoft Vista" 6to4 multicast broadcasts
http://192.168.3.1/SysInfo.htm - Hardware Configuration (Vendor, Model, Serial, etc.)
http://192.168.3.1/SysInfo1.htm - RAM Counters: Total, Free, and Buffers
http://192.168.3.1/Cysaja.asp - Packet Counters: Transmit & Receive, both Good & Errors

These undocumented hidden menus can be used to get some of the basic information needed to understand the health of your network, no thanks to Cisco.

Strange Behaviors:
While trying to enable reasonable management of these high-end consumer level devices, one can expect various strange behaviors.

Junk Log Entries:
When logging is enabled, the logging machine shows a strange behavior: IPv6 packets are broadcast constantly, every 10 seconds, and each one gets logged! This fills up the logs with useless data, making the logging facility pretty useless. This is related to IPv6 6to4 functionality.

sunsparc/user$ tail -f /var/adm/messages

Jul 3 14:02:53 wrt610n last message repeated 61 times
Jul 3 14:09:31 wrt610n klogd: IN=br0 OUT= MAC= SRC=fe80:0000:0000:0000:0221:29ff:febf:aaaa DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

Jul 3 14:09:31 wrt610n last message repeated 64 times
Jul 3 14:16:16 wrt610n klogd: IN=br0 OUT= MAC= SRC=fe80:0000:0000:0000:0221:29ff:febf:aaaa DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

Jul 3 14:16:16 wrt610n last message repeated 59 times
Jul 3 14:22:54 wrt610n klogd: IN=br0 OUT= MAC= SRC=fe80:0000:0000:0000:0221:29ff:febf:aaaa DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

Jul 3 14:22:54 wrt610n last message repeated 62 times
Jul 3 14:29:33 wrt610n klogd: IN=br0 OUT= MAC= SRC=fe80:0000:0000:0000:0221:29ff:febf:aaaa DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
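
The following is an added example, not part of the original post: a small triage script for the log host that folds these entries (ICMPv6 TYPE=134 is a Router Advertisement, here sent to the ff02::1 all-nodes group) and their "last message repeated" markers into a single count per source, leaving only the other lines to read. The names `triage` and `is_ra_noise` are hypothetical, and the IPv4 line in the sample is constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample: RA lines in the format of the excerpt above, plus one
# made-up IPv4 entry (documentation addresses) standing in for a real event.
RA = ("klogd: IN=br0 OUT= MAC= SRC=fe80:0000:0000:0000:0221:29ff:febf:aaaa "
      "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=96 TC=0 HOPLIMIT=255 "
      "FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0")
SAMPLE = [
    "Jul 3 14:09:31 wrt610n " + RA,
    "Jul 3 14:09:31 wrt610n last message repeated 64 times",
    "Jul 3 14:12:02 wrt610n klogd: IN=vlan2 OUT= MAC= SRC=203.0.113.7 "
    "DST=198.51.100.20 LEN=40 PROTO=TCP SPT=4444 DPT=23",
    "Jul 3 14:16:16 wrt610n " + RA,
    "Jul 3 14:16:16 wrt610n last message repeated 59 times",
]

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) (.*)$")   # timestamp host msg
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
FIELD = re.compile(r"(\w+)=(\S*)")                        # KEY=value pairs

def is_ra_noise(f):
    """ICMPv6 type 134 (Router Advertisement) sent to a multicast group."""
    return (f.get("PROTO") == "ICMPv6" and f.get("TYPE") == "134"
            and f.get("DST", "").startswith("ff02:"))

def triage(lines):
    """Return (RA counts per (host, src), remaining lines worth reading)."""
    noise, signal, last = Counter(), [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:   # repeat marker refers to this host's previous message
            src, n = last.get(host), int(rep.group(1))
        else:
            f = dict(FIELD.findall(msg))
            src, n = (f.get("SRC") if is_ra_noise(f) else None), 1
            last[host] = src
        if src:
            noise[(host, src)] += n
        else:
            signal.append(line)   # includes repeats of unknown or non-RA lines
    return noise, signal
```

A repeat marker whose preceding message is not in the input (like the first line of the excerpt above) is kept rather than counted as noise, since there is no way to tell what it repeats.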

Debugging Junk Logging:
Going through the standard menus is absolutely worthless. There is no clue to show the user why their logging system is being filled up with absolute junk.

Eliminating Junk Logging:
Are you using IPv6? Well, if the answer is yes, then you are stuck with the horrible logging effects. No fix.

If you are not using IPv6, you can shut off the 6to4 protocol, using a secret menu. Oddly, a developer decided to blame his additional coding requirement on Microsoft, probably because Vista Premium support was placed on his firmware to-do list.

Use the secret "http://ipaddress.of.wrt610n.router/System.asp" menu, to "(X) Disable" the "Vista Premium" functionality. Be aware that when the "Save" button is pressed, the wireless access point will be rebooted. After the outage, be happy that the router will stop the packet creation and junk logging.


Large USB Drive Support:
Trying to attach a 1.5TB external drive to the storage port was completely unsuccessful. Don't bother using the USB storage port for serious storage; it does not work well. There are now 4TB drives, and I would not expect them to work. No fix.

USB sticks work pretty well, with an embedded FTP server. These have a much smaller capacity and are slower to access than spinning disk, but that will change over time.
A stock Apple wireless access point with USB will be a more effective solution for storage. The newer Apple AirPort units offer gigabit ethernet in addition to dual-band nowadays. At the time the WRT610N came out, no one offered these features, including Apple.

If USB storage is a requirement, the Apple wireless access point offers vastly more robust management from MacOSX, multiple USB drive support, sharing of mirrored disks in an external USB RAID enclosure, and even USB printing support as an added bonus.

DHCP Reservation:
The DHCP Reservation can be configured via "Setup -> Basic Setup -> DHCP Reservation" from the main administration GUI menu. The "Client Name" option can be set in the "Already Reserved" area, which makes it possible to give a MAC Address an IP Address as well as a Name.

The problem with the Name? It is not used ANYWHERE. How about using the name in the DNS server or the other status menus? No fix.

1 comment:

  1. What a complicated post you share to the globe. You must be an expert in this particular subject. Thanks for sharing.

    Best regards,
    Sukma
