I think just enabling it in AppCfg is not enough, you need to open firewall for it, configuring FirewallException on LAN interface. Will try it tonight.
As to the log entries - my guess is that dropbear is expecting connections on IPv4, and although it is responding on IPv6, it might not be configured/enabled to work on IPv6.
I reckon we need to try getting to it on IPv4.

Darsh

Quote from: Matty123123

Still no luck with ICMP Echo...

Well, at least it works on your router. To secure it, you can set the destination IP to the IP of your WAN interface, and limit the source IP to the sources you want to allow pings from. Src/dst syntax can be taken from here: http://pastebin.com/jbJSWjbW

          <X_BROADCOM_COM_FirewallException instance="1">
            <Enable>TRUE</Enable>
            <FilterName>ICMP</FilterName>
            <IPVersion>4</IPVersion>
            <Protocol>ICMP</Protocol>
            <SourcePortStart>0</SourcePortStart>
            <SourcePortEnd>0</SourcePortEnd>
            <DestinationPortStart>0</DestinationPortStart>
            <DestinationPortEnd>0</DestinationPortEnd>
            <SourceIPAddress>(null)</SourceIPAddress>
            <SourceNetMask>(null)</SourceNetMask>
            <DestinationIPAddress>(null)</DestinationIPAddress>
            <DestinationNetMask>(null)</DestinationNetMask>
            <X_SAGEM_COM_HideForWEBGUI>FALSE</X_SAGEM_COM_HideForWEBGUI>
          </X_BROADCOM_COM_FirewallException>

Darsh

SSH:

Quote from: Darsh

http://pastebin.com/jbJSWjbW

Darsh Brilliant !!! I was not aware of the 'dumpmdm' command, I've attached a dump from this router.
(Still using IP6) I was able to get SSH access.
Add this in the config:

<InternetGatewayDevice>
	<X_BROADCOM_COM_AppCfg>
	  <SshdCfg>
	    <NetworkAccess>LAN</NetworkAccess>
	  </SshdCfg>
	</X_BROADCOM_COM_AppCfg>
	<SshControl>
	  <Enable>TRUE</Enable>
	  <UserName>username-here</UserName>
	  <Password>password-here</Password>
	</SshControl>
</InternetGatewayDevice>

I hope it works for you.

Note for other people, using Windows:
Enable IP6  (Although it should be already)
Download PUTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Connect to fe80::XXXX:XXff:feXX:XXXX,  where the X's are the routers MAC Address.  ( I Hope )

Quote from: Matty123123

Connect to fe80::XXXX:XXff:feXX:XXXX,   where the X's are the routers MAC Address.  ( I Hope )

Almost the MAC address. IPv6 link-local addresses are formed according to EUI-64, where the seventh bit of the MAC address is inverted, resulting in the first octet of the MAC address to either increase (usually) or decrease by two.
Example: MAC 0012.7feb.6b40 will produce IPv6 link-local address fe80::0212:7fff:feeb:6b40.
More info here: http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
For connecting from Linux, you need to specify the local interface you are connecting from, as link-local addresses are not meant for normal traffic use. The syntax is (with the above address and eth0 as local interface): "ssh -l <username> fe80::0212:7fff:feeb:6b40%eth0".
UPD0: Wow! It works!
UPD1: Matt, from examining the router internals dumpsysinfo command looks much more interesting than dumpmdm. 🙂
UPD2: Found a hidden iptables command, which should allow to change the firewall settings.
UPD3: And hidden sh command brings you directly to the BusyBox shell. Ah! Finally! 🙂
UPD4: Eh, pity - no snmpd anywhere 😞

Darsh

Darsh, cheers for the MAC info.

I've made a couple more adjusted firmwares if anyone is interested in the future:
Revision 3-A:
https://drive.google.com/file/d/0B4-Ln6UubyEeeEtPMEZzUTB2bDg/
Went overboard and added more pages in 'expert_user.html'
Deleted Telnet
Enabled SSH (IPv6), cheers Darsh
Changed default MTU to 1492
BUG: when switching between ADSL <> Fibre, it sometimes does not remember large configs
Revision 3-B:
https://drive.google.com/file/d/0B4-Ln6UubyEeSU1oelhUY1ZRS0U/
Same as 3-A, with:
Deleted the TR69 binary  (for the paranoid, like me)
Closed port 7457            (I changed the binary, so a minor error will appear in the log)

Confirmed, to enable pings to the WAN interface, you need to add the following lines to your config:

<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_AppCfg>
      <IcmpCfg>
        <NetworkAccess>LAN or WAN</NetworkAccess>
      </IcmpCfg>
    </X_BROADCOM_COM_AppCfg>
    <WANDevice instance="1">
      <WANConnectionDevice instance="1">
        <WANPPPConnection instance="1">
          <X_BROADCOM_COM_FirewallException instance="1">
            <Enable>TRUE</Enable>
            <FilterName>ICMP</FilterName>
            <Protocol>ICMP</Protocol>
          </X_BROADCOM_COM_FirewallException>
          <X_BROADCOM_COM_FirewallException nextInstance="2" ></X_BROADCOM_COM_FirewallException>
        </WANPPPConnection>
      </WANConnectionDevice>
    </WANDevice>
  </InternetGatewayDevice>
</DslCpeConfig>

Works now.

Darsh

Quote from: Matty123123

Revision 3-A: https://drive.google.com/file/d/0B4-Ln6UubyEeeEtPMEZzUTB2bDg/ Went overboard and added more pages in 'expert_user.html'

I don't have access to one of these devices at present, but I'm curious to see what options this opens up. Would anybody care to share a screen grab? (don't worry, I have no sinister reasons for asking ;))

Ah, I forgot to share a link to the Sagemcom manual for this router: http://lgsagem.free.fr/drivers__fast1704.htm
The manual is for Sagemcom's original firmware, so a number of GUI pages is different. Still, a good hint on what this router is capable of 🙂

Darsh

Is it possible to view firewall logs with the stock firmware by any chance.

It is, but not via the web GUI.
Add this config:

<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer</Option>
      <LocalDisplayLevel>Error</LocalDisplayLevel>
      <LocalLogLevel>Debug</LocalLogLevel>
    </X_BROADCOM_COM_SyslogCfg>
  </InternetGatewayDevice>
</DslCpeConfig>

Voila! All logs (not only firewall logs) can now be seen, connecting via ssh and running syslog dump command. Firewall intrusions look like this:

Apr 16 20:37:29 (none) daemon.alert kernel: Intrusion -> IN=pppoa1 OUT= MAC= SRC=<attacker IP> DST=<your IP> LEN=60 TOS=0x00 PREC=0x80 TTL=58 ID=38967 DF PROTO=TCP SPT=45347 DPT=25555 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 16 20:37:30 (none) daemon.alert kernel: Intrusion -> IN=pppoa1 OUT= MAC= SRC=<attacker IP> DST=<your IP> LEN=60 TOS=0x00 PREC=0x80 TTL=58 ID=38968 DF PROTO=TCP SPT=45347 DPT=25555 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

(I've hidden the IPs).

Darsh

Cheers Darsh, I'll have a mooch at adding ssh as well then.
[tt]<InternetGatewayDevice>
<X_BROADCOM_COM_AppCfg>
  <SshdCfg>
    <NetworkAccess>LAN</NetworkAccess>
  </SshdCfg>
</X_BROADCOM_COM_AppCfg>
<SshControl>
  <Enable>TRUE</Enable>
  <UserName>username-here</UserName>
  <Password>password-here</Password>
</SshControl>
</InternetGatewayDevice>[/tt]

[tt]<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer</Option>
      <LocalDisplayLevel>Error</LocalDisplayLevel>
      <LocalLogLevel>Debug</LocalLogLevel>
    </X_BROADCOM_COM_SyslogCfg>
  </InternetGatewayDevice>
</DslCpeConfig>[/tt]

Quote from: Darsh

Quote from: Matty123123 Connect to fe80::XXXX:XXff:feXX:XXXX,  where the X's are the routers MAC Address.  ( I Hope ) Almost the MAC address. IPv6 link-local addresses are formed according to EUI-64, where the seventh bit of the MAC address is inverted, resulting in the first octet of the MAC address to either increase (usually) or decrease by two. Example: MAC 0012.7feb.6b40 will produce IPv6 link-local address fe80::0212:7fff:feeb:6b40. More info here: http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/ For connecting from Linux, you need to specify the local interface you are connecting from, as link-local addresses are not meant for normal traffic use. The syntax is (with the above address and eth0 as local interface): "ssh -l <username> fe80::0212:7fff:feeb:6b40%eth0". UPD0: Wow! It works! UPD1: Matt, from examining the router internals dumpsysinfo command looks much more interesting than dumpmdm. 🙂 UPD2: Found a hidden iptables command, which should allow to change the firewall settings. UPD3: And hidden sh command brings you directly to the BusyBox shell. Ah! Finally! 🙂 UPD4: Eh, pity - no snmpd anywhere 😞 Darsh

Been following this thread with interest, can I ask a semi-dumb question?
If I was to put my 2704N into bridge mode and connect it to my existing wired router would the 2704N in effect work as a WiFi AP for the existing router?
TIA.

What are you trying to achieve? Connect your existing router to the 2704N via WiFi? Yes, this should be possible (given than your existing router can work in wifi client mode). As far as I understand, 2704N in bridge mode simply bridges all packets on Layer2 between atm interface (or adsl, as ADSL is just a form of ATM) and ethernet interfaces. Since ethernet and wifi interfaces are already in this bridge - it shouldn't really matter how do you connect your existing router to this bridge, via ethernet or wifi.
If, however, you are trying to use 2704N as a bridge and also as an additional AP in your home network - I'm afraid this won't work. In this scenario the 2704N will be on the WAN side of your existing router, while your existing router is, obviously, serving its wifi on the LAN side.
Unless you try to configure vlans, set trunk on the WAN interface of your router and ethernet interface of the 2704N, remove 2704N's wifi interface from the bridge and put it into the vlan that corresponds to your existing router's LAN. Theoretically possible (and practically pretty simple on Cisco/Juniper/whatever), the real implementation highly depends on what your existing router and 2704N are capable of. I've seen vlans in the 2704N's config, but haven't played with them yet, so I don't know whether this is possible to configure on it. I reckon the chances are pretty low.
Or do you simply want to use the 2704N as an AP? Then you don't even need to convert it into bridge mode. Just connect ethernet from your existing router to it, configure the same SSID and security parameters - and there you go. 2704N is already bridging between wifi and ethernet interfaces, no need to add adsl interface to this bridge.

Darsh

Hi Darsh, thanks for replying.
I have PN fibre, a Draytek 2830n and a 2704N. The Draytek does everything I want in a router bar its WiFi performance - my 2704N seems to deliver great WiFi speeds.
I was hoping that via bridging I could connect the 2704N to the LAN side of the 2830n via ethernet, disable WiFi on the Draytek and use the 2704N as an AP.