JPedroT
Premium Member
join:2005-02-18

1 edit

JPedroT to Gork

Premium Member

to Gork

Re: 2013 USG SHOULD ADD FUNCTIONALITY

said by Gork:

said by JPedroT:

I thought that WoL used Broadcast? The way it was done on ZyNOS was to forward the WoL port to .255 to send it to all devices on LAN.

Broadcast from WAN to LAN to .255 did work on Zynos but it does not work on the USG series. We've had discussions here about it in the past, and setting up a static ARP entry in the router for specific computers to use with WoL seemed to solve the problem for awhile. But even that doesn't work anymore.

Problem in general is that the magic packet is magic :)
But what you want is a proxy/gw for WoL packets then.

Shouldn't be too hard to fix, since it looks like it's just a line in IPTables and a static ARP entry.

»calvinsohk.blogspot.no/2 ··· oxy.html

sudo iptables -t nat -A PREROUTING -p udp --dport 7 -j DNAT --to-destination <UNUSED_IP>
sudo ip neigh add <UNUSED_IP> lladdr ff:ff:ff:ff:ff:ff nud permanent dev eth0
 

But if that was what was done before on the USG, it might be some smurf attack protection that now blocks it. See if you can disable dos protection etc on the USG.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

2 edits

Gork

Member

said by JPedroT:

But if that was what was done before on the USG, it might be some smurf attack protection that now blocks it. See if you can disable dos protection etc on the USG.

I have a NAT entry (& firewall rule) set up to forward WoL packets to the WAN (Internet in my case) address on port 9 to the computer I want to awaken. I also have an ARP entry in the USG (using the arp command via the CLI) relating the IP address of the computer I want to awaken to its MAC address. I have verified this entry still exists in the running configuration. This seemed to work for a few months but stopped for some reason I have yet to figure out. The log in the USG indicates the WoL packet is received and passed on. The only ADP settings in the USG I have set to block packets are related to flood protection. Blocked packets are set to be logged and there is nothing in the log indicating these ADP rules were initiated.

It would just be nice if ZyXEL would offer the capability to multicast from WAN to LAN as an option to users since, whether it's "correct" or not, much cheaper routers will do this.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

3 edits

2 recommendations

Brano

MVM

I think this thread is good for venting, but otherwise moot.
But hey, let's be a sport and vent with the crowds

It's been a while since I stopped recommending ZyXel routers for home users; instead I recommend a decent open-wrt / dd-wrt compatible router (whatever has good specs at the time). In Europe I've installed a couple of Draytek Vigor 2130s (integrated VoIP, IPSec acceleration, WiFi, IPv6 and more), which actually run Draytek's open-wrt customization, but you get full root access and can modify/fix anything you like. Too bad you can't easily get Draytek in NA.

For small-medium business routers I'm actually leaning towards open-source router distros or open-wrt on dedicated HW. And I've just looked up the mentioned Cisco ISA570 and like it very much.

For larger business there's only one answer in my mind ... business class Cisco router.

ZyXel is not listening to the customer. And the number of bug-fixes (some really serious) in each FW release amazes me ... where the heck is your QA ZyXel???

...ok, I feel better now

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork

Member

Been thinking along the same lines, sadly... I'm stuck with what I have for now, but someday I'll have money again. SOMEDAY...
JPedroT
Premium Member
join:2005-02-18

JPedroT to Brano

Premium Member

to Brano
said by Brano:

ZyXel is not listening to the customer. And the number of bug-fixes (some really serious) in each FW release amazes me ... where the heck is your QA ZyXel???

...ok, I feel better now, uf

I have a theory about what happened....

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

I believe I have heard that theory before..........
»www.google.ca/url?q=http ··· emhj1vBA
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

said by Anav:

I believe I have heard that theory before..........
»www.google.ca/url?q=http ··· emhj1vBA

Copyright infringement?
JPedroT

JPedroT to Gork

Premium Member

to Gork
said by Gork:

It would just be nice if ZyXEL would offer the capability to multicast from WAN to LAN as an option to users since, whether it's "correct" or not, much cheaper routers will do this.

I do not understand how Multicast will fix your problem here? Could you please explain?

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

said by Gork:

It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.

Ahhh okay, now I understand, but that is not correct. The .255 address, if your subnet is a /24 (255.255.255.0), is the broadcast address.
Which is basically how a smurf attack works, which might be the reason they do not allow it.

»en.wikipedia.org/wiki/Sm ··· f_attack

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

If you look at a subnet calculator (»www.subnet-calculator.com/ for instance) it shows that class C addresses 192.168.0.1/24 (subnet mask 255.255.255.0) use an IP address of 192.168.0.255 as their broadcast address.
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

Yes, but x.x.x.255 = 192.168.0.255 or 172.16.16.255 or 10.0.0.255 if you use a /24.

The multicast addresses are in the range 224.0.0.0 through 239.255.255.255.

»www.iana.org/assignments ··· sses.xml

That is for v4 and L3, now if we are talking L2 multicasting then look at this to see mapping from L2 to L3.

»technet.microsoft.com/en ··· 928.aspx

So I still do not understand what WoL needs Multicast for? Especially since the protocol is designed to be sent as broadcast, if I remember correctly.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 edit

Gork

Member

I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer connected to the 192.168.1.1/24 interface addressed by the MAC address in the magic packet. That will not work on the USG, but it did used to work with ZyNOS.
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

said by Gork:

I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer addressed by the MAC address in the magic packet. That will not work on the USG, but it did used to work with ZyNOS.

That is the broadcast address again.

So the question then comes down to, how to reverse what is in #2 in this link: »en.wikipedia.org/wiki/Sm ··· f_attack

That is the question you need to pose to ZyXEL. You can do it with a Cisco; the command is "ip directed-broadcast" and it allows sending packets to broadcast addresses, like you did with ZyNOS.

Now ZyNOS is an old OS, i.e. older than 1999 (well, technically ZyNOS was released after/aroundish 1999, but its roots are older), so it allowed it. USG uses ZLD, which is a more updated OS; by default it does not allow it.

So ping off to ZyXEL how to enable directed broadcast on ZLD devices. That should allow you to forward to the broadcast address of your subnet again.

You probably should also configure hosts that should not be awakened by WoL to not respond to directed broadcast packets.

You are walking in limbo space here; you want to do something that is basically seen as allowing an exploit on the IP stack. So the "smart" guys decided to not allow it by default.

But everybody should have the choice to shoot themselves in the foot if you ask me ;P As long as you are aware of the implications of what you are doing, it should be ok.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

4 edits

Gork

Member

Yup, now you know what I'm trying to say. That is what I'd like enabled in the router, subnet directed broadcasts. It would be an easy thing for the end user to either (as you say) disable devices from waking to the call of a magic packet if you didn't want them to, or moving devices you wanted to wake to a magic packet to a different subnet or the like. If Cisco allows it (even if not by default) then I don't see why ZyXEL shouldn't be allowing it.

Here's another page which talks about unicast vs subnet directed broadcasts, and it even mentions the DDoS "smurf attack" you referred to: »technet.microsoft.com/en ··· 911.aspx. It may be a silly thing to implement at this juncture due to its incompatibility with looming IPv6 though. But as I have mentioned, I am unable to get magic packets via unicast directed broadcasts to work with my setup any longer.

I don't see the harm in allowing this traffic to users who should understand the associated hazards. Were I running a business I'd be more concerned with this approach. But I run a personal network with a small personal web server and other web applications. If someone wants to spend the time infiltrating my setup, well, that's just silly. And I can easily block them anyway.

Thanks for sticking with me through my improper use of terms. I wish people could understand what I MEAN instead of only what I SAY/type.
Kirby Smith
join:2001-01-26
Derry, NH

Kirby Smith

Member

How about the hard way (to quote the mariachi).

Attach one port of a minimalist computer with two Ethernet ports to the DMZ, which is blocked from everything except your work address. When some appropriately crafted message gets to this computer, it generates a WOL on its second port. This port is connected to and is part of LAN1 (or whatever LAN the sleepy computer is on).

I doubt I'm knowledgeable enough to set this up without a lot of study, but I don't see why it wouldn't work.

kirby
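The relay Kirby describes (and the WoL proxy JPedroT mentions earlier, where a WAN-side packet is turned into a LAN broadcast) can be done in a few lines of Python. This is an added example, not code from the thread or from any of the linked pages: it validates that an inbound datagram really is a magic packet for a MAC you have allowed before rebroadcasting it, so the box never becomes a generic directed-broadcast reflector. Port 9, the 192.168.1.255 broadcast and the MAC are constructed sample values.

```python
"""Minimal WoL validator and LAN relay (added example, not from the thread)."""
import socket

WOL_PORT = 9  # UDP port Gork forwards in his NAT rule; constructed sample value


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def parse_magic_packet(data: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if `data` is a well-formed
    magic packet, else None. Strict on purpose: anything that reaches the
    DMZ-side port but is not a magic packet must not be rebroadcast."""
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def relay_once(data: bytes, lan_broadcast: str, allowed_macs, send=None) -> bool:
    """Rebroadcast one datagram onto the LAN only if it is a valid magic packet
    for an allowed MAC. Returns True when relayed. `send` is injectable so the
    decision logic can be exercised without a network."""
    mac = parse_magic_packet(data)
    if mac is None or mac not in allowed_macs:
        return False
    if send is None:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            s.sendto(data[:102], (lan_broadcast, WOL_PORT))
    else:
        send(data[:102], (lan_broadcast, WOL_PORT))
    return True


def serve(listen_addr: str, lan_broadcast: str, allowed_macs) -> None:
    """Listen on the DMZ-facing address and relay good packets to the LAN broadcast."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((listen_addr, WOL_PORT))
        while True:
            data, peer = s.recvfrom(2048)
            print(f"{peer}: relayed={relay_once(data, lan_broadcast, allowed_macs)}")


if __name__ == "__main__":
    # constructed sample values: bind the DMZ interface, broadcast on the LAN side
    serve("0.0.0.0", "192.168.1.255", {"00:11:22:33:44:55"})
```

Pair it with a firewall rule that only admits UDP/9 from the work address, as Kirby suggests, so the allow-list is the second check rather than the only one.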

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

I currently VPN to my network with my laptop, RDP to a server I try to keep running 24x7, then send a WoL packet from there. It works, but it's a pain in the rear. If I understood routing better, I might be able to send the packet directly from the laptop after the VPN is established. Anyway, the biggest problem is that I'm hosed if that server computer goes down. It'd be much easier to work it as I did before... Log on to BBR and send a magic packet. DONE.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

1 recommendation

Brano

MVM

A suggestion (workaround) ... Raspberry Pi. I've recently put an RPi on my network as a "utility server" ... costs about $50, power consumption none. I'm running my ssh server on it, WoL utilities, FTP ... you name it. It runs off an SD card; all other stuff is mounted via network as needed. Put it on a UPS and it's always there. I really love it. You can back up the SD card (image to file); should anything go wrong, just replace it with a new SD card that you can have pre-imaged.

janderso1
Jim
MVM
join:2000-04-15
Saint Petersburg, FL

1 recommendation

janderso1

MVM

Finish IPv6 DHCP web interface.
There doesn’t appear to be a way to display IPv6 DHCP addresses in use, reserve IPv6 addresses or set lease times (unless the IPv4 time is also the IPv6 time).

Add NTP server. Since the router is on 24/7 it might as well be my local NTP server.

If you are looking for an inexpensive Linux server that uses very little power Adorama has Pogoplug v2s for $25 shipped

»www.adorama.com/COCPOGOE ··· odQUcASA

It is very easy to install Arch Linux on them.

»archlinuxarm.org/platfor ··· pinkgray

»obihoernchen.net/wordpress/

Yes I know Pogoplugs with Arch Linux can also be NTP servers.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

I'm aware of Pogoplug and similar devices; they work, but really (at least for me) I'm done with hacking and trying to keep up with updates on these devices.
RPi has its own full blown, fully supported, maintained and open distro with a huge repo, so for me the $25 savings is not really worth it ... been there, done that.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork to Brano

Member

to Brano
said by Brano:

Raspberry Pi.

This is the coolest thing I've heard of in a long time! Granted, I'd have to quit my job, never see my family again and completely lose what semblance of a personal life I have left in order to figure it out... But, well, I just might! (Best I've done is dabble in Ubuntu with the GUI, heh.)

bbarrera
MVM
join:2000-10-23
Sacramento, CA

bbarrera to Brano

MVM

to Brano
said by Brano:

RPi has its own full blown, fully supported, maintained and open distro with a huge repo

Where do I buy support?

Like your enthusiasm but RPi is targeted at education and hobbyists. The Raspberry Pi foundation is a charity and while Linux has gotten to the point where little hacking is needed for many tasks, I can't say RPi is fully supported with a straight face.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

bbarrera... Be nice! You know what he meant!

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano to bbarrera

MVM

to bbarrera
... I've almost started to worry that you've given up on us!

bbarrera
MVM
join:2000-10-23
Sacramento, CA

bbarrera

MVM

Too busy selling free software. Lots of interesting things happening with GNU, Linux and Android around here -- the company I'm at is now the number one commercial provider of automotive Linux infotainment systems.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

I wish I could do and had your job.
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

said by Gork:

I wish I could do and had your job.

It's not hard, just go outside, pick up a blade of grass or anything else that is free for you to acquire and just sell it

Now you are competing with bbarrera

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

heh -- Perhaps...

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to JPedroT

Premium Member

to JPedroT
said by JPedroT:

said by Gork:

I wish I could do and had your job.

It's not hard, just go outside, pick up a blade of grass or anything else that is free for you to acquire and just sell it

Now you are competing with bbarrera

I think you're getting mixed up with a different type of plant. Smoke the android pipe!

bbarrera
MVM
join:2000-10-23
Sacramento, CA

bbarrera to JPedroT

MVM

to JPedroT
said by JPedroT:

said by Gork:

I wish I could do and had your job.

It's not hard, just go outside, pick up a blade of grass or anything else that is free for you to acquire and just sell it

Now you are competing with bbarrera

Haha, LOL, it's like selling ice to Eskimos. Do you want your ice cubed, half-cubed, chewable, shaved, flake, or nugget? Don't waste your time making and shaping ice when you could be out hunting walrus, beluga whale, seal, caribou, musk ox, and fish!