#### #### PLEASE NOTE: this is an old text file. handy, but still, #### you'd be best to head along to.. #### #### http://corz.org/network/routers/Voyager/bt.voyager.205_router.how-to.php #### # BT Voyager 205 adsl router/modem. miscelleneous cli commands.. # (it is a globespan* "Viking" router inside (*now conextant)) # the router... # command: get system [code] Model : Viking Name : voyager Domain Name : corz.dyndns.org Description : DSL Modem Location : Aberdeen, Scotland Contact : cor.. http://corz.org Vendor : GlobespanVirata Inc.,100 Schulz Drive, Red Bank,NJ 07701,U.S.A LogThreshold: 1 Object-id : 1.3.6.1.4.1.50000 HwVersion : 810020 SwVersion : V1.1 DSL Version : Y1921a System Time : Sat Nov 27 14:11:44 2004 Time Zone : GMT DST : On Services : physical datalink internet end-to-end applications UpTime(HH:MM:SS) : 13:37:23 Backup Interval : Disable [/code] this unit is standard kit on all the new big BT adsl packages. it's a good wee box. as well as a USB modem, it's a "real" router, so you just connect it to a switch box and tada! your LAN has internet. no drivers required. it's got NAT, firewall, dhcp server, the works. but no tachnical data, anywhere! ok, the best way to go about hacking this, is to begin with the web interface.. http://192.168.1.1 (by default, you can change this) if you have a static IP on your puter, ensure you are in the same "subnet", maybe 192.168.1.3 or something. (if, like me, your whole LAN uses static IP's and they are *not* on that subnet, you can change the IP of the router to match your LAN. my router lives at 192.168.0.1, though I had to flip my mac IP to 192.168.1.3 temporarily, to alter the router's IP, then flip it back. oh the pain! you can also create "virtual" ethernet connexins, serving as many subnets as you need) note: the 205, as supplied by BT comes **insecure** out of the box. I think they imagined the ethernet port would be used only by gamers. BT are a wee bit slow when it comes to catching on to "new" technology like routers. the unit connects itself to the net right at startup, too, so first thing to set is.. Advanced >> Security >> IP Filter set it to "High". Apply, and Save your changes. (the save button appears on all the advanced pages) set the other things up the way you like it, roughly. when you're done with the basic setup, go to.. Advanced >> System >> Backup Config and save the config somewhere. this file is no more than a list of cli (command-line interface) commands for the router. make a copy, and start to hack.. when you're done, load the whole thing back in and your hacks go live! remember to "Save" the setup! (or else "commit" from the command line) to get to the command line, simply telnet into the router. by default it lives at 192.168.1.1 so go into your shell and do.. telnet 192.168.1.1 the account login is the same as the web interface (user: admin password: admin) you can ftp in, too, but although there's lots to see, there's not a lot to do, at least, so far. we'll see. with the right firmware it might do ssh, too. Windows users have telnet too, same command in a DOS shell will work (I think) better still use the excellent Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/ I've only had this thing a day, but info is so scarce online I thought I might chuck up what I've found out so far. I'll probably do a page, with pics and stuff, gonna be a lot of these boxes kicking around pretty soon. I've used # commented lines, but you can't do comments in the console, it's # just to (hopefully) make things clearer. At least, clearer than they were to # me when I started messing with this thing this morning, and getting most of # my clues from chinese web sites! they've had this chipset a while. okAy.... # type any command and then a ? to get help for it, like this.. get ? # you'd then see a list of possible "get" commands, next do.. get ppp ? # for a list of "get ppp" commands, etc. pretty cool. # this works all over in the telnet console. will save you hours! ? # on it's own is the same as help # which is a list of top-level commands. # use the UP key to recall the last command. use this a lot. # after giving help, the cli puts that same command back on the command line # minus the "?", so you can build up long commands one command at a time, # getting help all the way. pretty cool. okay.. # get stats on stuff.. get system get nat stats get ip stats get sntp stats get pfraw stats get ethernet stats get fwl stats get dsl stats curr get user get ipf session # etc.. # set my own domain name.. modify system dname "2C" # create a new user create user name boss passwd mypassword root # NAT everything! create nat rule entry ruleid 100000 napt # port forwarding .. (max 20 rules!) # setup bittorrent to machine at 192.168.0.4 (we only really need one port per torrent) # this would work for any p2p application; edonkey, kazaa, Gnutella, Direct Connect, etc, etc. # same for servers; FTP server, Web Server, whatever. just alter to whatever ports you need. # this is easier than using the web interface, which does suck, at least the BT implementation. # note that many parameters can *not* be set from the web interface. the cli is quicker, too. # you can put multiple ports into one rule. handy (20 rules max) (these are "rdr" redirect rules) create nat rule entry ruleid 6881 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 6881 destportto num 6889 # I'm getting 120KB/s downloads, so this *definitely* works! (that's KILOBYTES per second) # each torrent will only use one incoming port. with 9 incoming ports, you could run 9 torrent downloads simultaneously # or, you could split the traffic between many machines, 3 ports each, or whatever, then everyone can be a torrenteer! create nat rule entry ruleid 6881 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 6881 destportto num 6883 create nat rule entry ruleid 6884 rdr prot num 6 lcladdrfrom 192.168.0.3 lcladdrto 192.168.0.3 destportfrom num 6884 destportto num 6886 create nat rule entry ruleid 6887 rdr prot num 6 lcladdrfrom 192.168.0.100 lcladdrto 192.168.0.100 destportfrom num 6887 destportto num 6889 create nat rule entry ruleid 6890 rdr prot num 6 lcladdrfrom 192.168.0.254 lcladdrto 192.168.0.254 destportfrom num 6890 destportto num 6894 # for non-standard torrent sites *wink* create nat rule entry ruleid 49200 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 49200 destportto num 49209 # all my puters can do BT great now! (you can creat ranges for IP's too (aka round-robin) useful for sharing load on servers) # I don't use these p2p rules, I just made 'em up. should work, though.. # for kazaa.. create nat rule entry ruleid 1214 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 1214 destportto num 1214 # gnutella (shareaza, etc) .. create nat rule entry ruleid 6346 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 6346 destportto num 6346 # direct connect.. create nat rule entry ruleid 411 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 411 destportto num 413 # etc.. # eMule... create nat rule entry ruleid 4662 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 4672 destportto num 4672 create nat rule entry ruleid 4711 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 4711 destportto num 4711 create nat rule entry ruleid 4672 rdr prot UDP lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 4672 destportto num 4672 # we'll need to route the±wire to my mac.. http://corz.org/wire/ create ipf rule entry ruleid 2769 ifname public dir in act accept destaddr self transprot eq num 6 destport eq num 2769 seclevel high medium low # wire me if you want to chat about all this! .. corz.no-ip.org # do.. create nat rule entry ? # for a list of options # stealth # better yet, we should really dump (delete) ALL the firewall rules and start again with stealth.. create ipf rule entry ruleid 10 dir out act accept storestate enable seclevel high medium low create ipf rule entry ruleid 500000 ifname public dir in act deny seclevel high medium low # ahh.. much better! a simple start. add what you need, somewhere in the middle. # if you have stealth, you'll need to create individual rules to allow the p2p stuff, like this.. create ipf rule entry ruleid 6881 ifname public dir in act accept destport range 6881 6899 transprot eq tcp seclevel high medium low # that covers all the bittorrent traffic (and after stealthing, still getting 120KB/s downloads!(peak speed, 110-115KB/s sustained ;o) # for "elite" torrent sites *wink* create ipf rule entry ruleid 49200 ifname public dir in act accept destport range 49200 49209 transprot eq tcp seclevel high medium low create nat rule entry ruleid 49200 rdr prot num 6 lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 49200 destportto num 49209 # individual rules can work better, strangely.. create ipf rule entry ruleid 6882 ifname public dir in act accept transprot eq num 6 destport eq num 6882 seclevel high medium low # and the other p2p networks.. create ipf rule entry ruleid 1214 ifname public dir in destaddr self destport eq num 1214 transprot eq tcp act accept seclevel high medium low create ipf rule entry ruleid 6346 ifname public dir in destaddr self destport eq num 6346 transprot eq tcp act accept seclevel high medium low create ipf rule entry ruleid 411 ifname public dir in destaddr self destport range 411 413 transprot eq tcp act accept seclevel high medium low create ipf rule entry ruleid 3392 ifname public dir in act accept destaddr self transprot eq num 6 destport eq num 3392 seclevel high medium low # ahh, traceroute won't work now. so.. create ipf rule entry ruleid 11 ifname public dir in transprot eq icmp icmptype eq num 11 act accept seclevel high medium low # eMule.. #firewall: create ipf rule entry ruleid 4662 ifname public dir in act accept transprot eq num 6 destport eq num 4662 seclevel high medium low create ipf rule entry ruleid 4672 ifname public dir in act accept transprot eq num 17 destport eq num 4672 seclevel high medium low #nat: create nat rule entry ruleid 4662 rdr lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 4662 destportto num 4662 create nat rule entry ruleid 4672 rdr lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 4672 destportto num 4672 #WinMX.. #firewall: create ipf rule entry ruleid 6699 ifname public dir in act accept transprot eq num 6 destport eq num 6699 seclevel high medium low create ipf rule entry ruleid 6257 ifname public dir in act accept transprot eq num 17 destport eq num 6257 seclevel high medium low #nat: create nat rule entry ruleid 6699 rdr lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 6699 destportto num 6699 create nat rule entry ruleid 6257 rdr lcladdrfrom 192.168.0.4 lcladdrto 192.168.0.4 destportfrom num 6257 destportto num 6257 # you can delete a nat port forwarding rule like this.. delete nat rule entry ruleid 4662 # to delete a firewall rule.. delete ipf rule entry ruleid 4672 # let's enable standard attack protections.. modify fwl global blistprotect enable attackprotect enable dosprotect enable # I think these are the default now, but do check your model/settings (and exported .cfg file). # who da bad boys? get fwl blacklist # a note about online firewall testing.. # before you run any firewall tests, like those at http://www.grc.com ensure you *disable* # blacklist protection, or else the router will blacklist the site right at the start # of the test and although it may look like you are secure, you are not! all your ports # could be open and it would look like stealth! not good. a false sense of security is worse # than no security. you can enable blacklist protection again afterwards, of course. # switch off blacklist protection.. modify fwl global blistprotect disable # replace a timeserver entry.. modify sntp cfg disable delete sntp servaddr dname Time.apple.com create sntp servaddr dname ntp0.strath.ac.uk modify sntp cfg enable get sntp stats # ttl modify ip cfg ttl 64 # disable upnp functionality.. upnp cfg nbstatus disable #enable ppp keepalive.. modify ppp global keepalive enable # ppp sessions time-out after 30m inactivity. let's change that.. modify ppp global pppsesstimer nevertimeout # alter the dns servers (only space for two!) create dns servaddr 212.159.11.150 create dns servaddr 212.159.13.150 # maximum number of IP sessions the modem can manipulate simultaneously.. # default is 192, max is 512. a ballpark figure.. modify nbsize maxipsess 256 # delete some of the unused alg rules... delete alg port portno 407 prot num 17 delete alg port portno 5190 prot num 6 delete alg port portno 21 prot num 6 delete alg port portno 389 prot num 6 delete alg port portno 1002 prot num 6 delete alg port portno 161 prot num 17 # etc (these aren't a security issue, I just like things simplified) # tools. # a couple of useful on-board tools to check connectivity, etc.. # ping! (google) ping 216.239.57.99 # (slow) traceroute commands.. (google again) traceroute ping 216.239.57.99 traceroute udp 216.239.39.99 # setup a trace on PPP and send to puter running syslogd.. modify trace cfg module PPP syslog dest 192.168.0.3 port 514 get trace cfg # more than just for fun... modify system contact "cor, http://corz.org" modify system location "Aberdeen, Scotland" modify system dname "corz.ath.cx" modify system name "Starship Voyager 205" # you can do them all at once, too. # SAVE!!!!!!! (or all will be lost) # you can do this after every command, if you like, like this.. commit # lastly, if you came here directly, from a search engine or a forum**, or something # check out the directory this text file is in for a couple of PDF's containing ALL the # possible commands.. # # http://corz.org/public/docs/comms/router/ # ** Hey Billy! cheque's in the post! heheh ps.. the original protective sticker is still stick over the USB socket of the Voyager 205, and it'll stay that way, too!