Efficient 5861 Router Configuration
HOWTO / FAQ / BY EXAMPLE
By: Paul (Tony) Watson
24 Dec 2002
(latest revision 13 April 2004)
Overview
I am an old-school geek. I labored for years as a Unix administrator. Done my time as a Cisco router and switch junkie. Written countless lines of code in every language imaginable. Much to my shame, I have even done Windows administration (Gasp!). But nothing prepared me for the painful experience of trying to decipher the cryptic command line interface of the Efficient 5861 DSL router.
I tried to dive straight into the command line, using my intuition to guide me. I googled for answers to my questions, but found nothing helpful… Eventually, to my shame, I was eventually humbled enough to begin reading the documentation (oh the humiliation…) I was even more distressed when after reading the documentation, I was still confused on much of the configuration options. So, after much trial and error I finally divined the commands required to perform many of the functions I sought. In keeping with the long held traditions of the Internet, I decided to document my findings and provide this quick reference for others.
This document is not inclusive of all the features and functionality provided in the router, only those that were of interest to me. If some of the commands documented here do not work for you, you may consider upgrading your kernel/firmware (see the Firmware Upgrading section). If you find this useful, or have contributions you would like to make to this document, please send them to paw(a)paw.org and I will continue to update this FAQ / HOWTO / Reference for the benefit of all.
Table of Contents
Routing a Subnet to your Local Ethernet
Virtual (Multiple) Addresses on Ethernet Interface
Adding and Deleting Static Routes
Mapping Ports to an Internal Server
Sending Logging Information to Syslog Server
Turing NAT (Network Address Translation) On and Off
Disable or Enable DHCP Services
NTP Protocol (Network Time Protocol)
Building a Redundant and/or Load Balanced DSL Internet Connection
What This Configuration Can and Cannot Do
Configuration 1: Using Dynamic IP’s
Configuring Other Routers, Firewalls, and Hosts
Configuration 2: Using Static IP’s and ISP Assigned Subnets
Configuring Other Routers, Firewalls, and Hosts
Debugging Router Settings
Those familiar with Cisco IOS are typically frustrated with the lack of a “show” command on the Efficient 5861 router. Instead of a single command to display the configuration of the router settings, there exist several commands that display the settings.
UPDATE 10/28/04:Steven Neal has contributed an undocumented command "system configlist" which will display the entire database as CLI commands. Thanks Steven!
To display entire database as CLI commands:
- system configlist
To display the settings that are enabled with the “system” command:
- system list
To display the settings that are enabled with the “eth” command:
- eth list
To display the settings that are enabled with the “remote” command:
- remote list
Checking the status of the built-in DHCP service can sometimes be helpful.
- dhcp list
Display the “arp” table with the following command:
- arp list (Similar to “arp –a” for Unix and Windows people)
To display the various Interfaces, settings, and statistics:
- ipifs (Only shows IP Interfaces, similar to “ifconfig –a” on Unix)
- ifs (Shows Console, ATM, Ethernet; speeds, protocols, states, etc.)
Most importantly, to view the routing table:
- iproutes
Finally, to get an exhaustive list detailing all the configuration settings, processes, files, memory usage, and more, we can use the “system supporttrace” command. Be sure to have a good scroll-back buffer in your console window as the list is quite long and doesn’t pause after each screenful of data:
- system supporttrace
Routing a Subnet to your Local Ethernet
My ISP, SBCAmeritech, offers a class of service, which provides a small subnet of IP addresses for web hosting, and other services. Typically a /29 subnet providing 6 addresses, of which 5 are usable and 1 is assigned to the 5861 router. They are complete morons when it comes to setting this up however. They insist that the valid IP’s must be mapped to private internal addresses. Not very clean, and leads to difficulties where the servers believe themselves to be one IP address, and the Internet sees them as a totally different address (sometimes creating problems for SSL, IPSec, VPN, etc.)
The solution is to simply have those “valid IP’s” be routed to your local Ethernet. SBCAmeritech will not help you to get this done, in fact, they don’t even know how (its not in their helpdesk manual.)
Should you desire to do this, its really quite simple. First, turn off NAT (IP Translation). Next, disable DHCP services. Finally, assign a valid IP to your routers Ethernet interface and reboot (typically, the 5861 routers will be assigned the highest IP on your subnet.) The following assumes you have been assigned 68.1.1.24 with a /29 netmask, and 68.1.1.30 is your Efficient 5861 Valid IP Address.
- remote setiptranslate off INTERNET
- dhcp disable all
- eth ip addr 68.1.1.30 255.255.255.248
- save
- reboot
WARNING: Be sure to assign your router’s Ethernet address with the correct netmask. Failure to get the netmask correct could result in your router’s inability to reach this ISP’s router, resulting a loss of Internet connectivity. I haven’t seen this happen, but I can see the possibility for those who are not comfortable with subnets and netmasks.
Once the steps above have been completed, simply assign your valid IP addresses and netmasks to your systems. You can use the valid IP of the router as both your default-gateway (gateway of last resort) and your DNS server.
How hard was that?
Virtual (Multiple) Addresses on Ethernet Interface
Typically, the 5861 router is pre-configured with an address of 192.168.254.254 and a network of 192.168.254.0 / 24. However, in some circumstances, it is desirable to have the router configured with more than one IP address on the Ethernet interface. For example, I have 2 logical networks (192.168.1.0 and 192.168.254.0) on the same physical network. This is typically referred to as a “sub-interface”. The sub-interface must be created, assigned an address, and then started.
Enable a second address on ETHERNET/0 (sub-interface 1)
- eth add 0:1 (Create virtual interface)
- eth ip addr 192.168.1.1 255.255.255.0 0:1 (Assign address to interface)
- eth start 0:1 (Bring up virtual interface)
- eth list (Verify settings)
Disable a second address on ETHERNET/0 (sub-interface 2)
- eth stop 0:2 (Stop virtual interface)
- eth delete 0:2 (Delete virtual interface)
- eth list (Verify settings)
Adding and Deleting Static Routes
Static routes are an essential part of most small networks. This is easily done on the 5861, but requires a reboot after adding the routes.
To add a static route to 10.0.0.0/8 through gateway 192.168.254.1 with 2 hops:
- eth ip addroute 10.0.0.0 255.0.0.0 192.168.254.1 2
- save
- reboot
To add a static route to 172.16.0.0/16 through gateway 192.168.1.1 (which is reached through virtual interface 2) with 3 hops:
- eth ip addroute 172.16.0.0 255.255.0.0 192.168.1.1 3 0:2
- save
- reboot
Deleting a static route to 10.1.1.0/24 through gateway 192.168.254.1:
- eth ip delroute 10.1.1.0 255.255.255.0 192.168.254.1
- save
- reboot
Deleting a static route to 172.16.1.0/24 through gateway 192.168.1.1 (which is reached through virtual interface 1):
- eth ip delroute 172.16.1.0 255.255.255.0 192.168.1.1 0:1
- save
- reboot
Allowing Administrative Access From Internal Networks
If you have more internal networks than the 5861 default of 192.168.254.0/24, then you may want to administrate the 5861 from systems residing on the networks. Assuming you have added the appropriate static routes and/or sub-interfaces, you will need to update the filters on the router to allow access from your additional networks. This is done by using the “system addXXXfilter [start IP] [end IP]” command. The start and end IP are simple the first and last address of a network range. For example:
- system addtelnetfilter 10.1.1.1 10.1.1.254
- system addhttpfilter 172.16.2.0 172.16.2.31
- system addsyslogfilter 172.16.0.0 172.31.0.0
- save
For once, you will not require a reboot after making a change. The changes are effective immediately. You should at least perform a “save”, however, so you do not lose your work after your next reboot.
Additionally, you can also specify LAN instead of an IP address range. However, this doesn’t seem to allow access from any address coming from the internal LAN, but rather only from the subnet defined in the Ethernet interface. This can be specified in the following manner:
- system addtelnetfilter LAN
- save
The corresponding functions exist to remove access, such as “deltelnetfilter”, “delhttpfilter”, “delsyslogfilter”, and others. They are entered in the same manner as the “add” commands.
Allowing Administrative Access From External Networks
This is probably a bad idea, but there may be a time when you require remote administrative access to your 5861 from the Internet. Setting this up is quite easy and is very similar to allowing access from Internal networks as describes in the previous section. However, instead of “system” you will use the “remote” command. For example:
- remote addtelnetfilter INTERNET
- remote addhttpfilter INTERNET
- save
Likewise, access can be removed with the converse “delete” commands:
- remote deltelnetfilter INTERNET
- remote delhttpfilter INTERNET
- save
Mapping Ports to an Internal Server
If you have a server running on the internal network that you would like users on the Internet to be able to access, you can enable incoming port mapping. Connections coming from the Internet to the valid IP address of the 5861 router can be redirected to an internal address and port.
For example: I have an internal HTTP server on port 8080 located at IP address 192.168.254.1, and an FTP server located at IP address 192.168.254.2. I want HTTP connections to the valid address of the router to be redirected to my webserver and ftp connections to be redirected to my ftp server.
- system addserver 192.168.254.1 tcp 80 80 8080
- system addserver 192.168.254.2 tcp ftp ftp
- save
- reboot
The first command uses numeric ports instead of predefined services. As a result, we must specify the first and last port to be mapped, as well as the first destination port. Therefore, we get “80 80 8080”, which means from port 80 to port 80 send to port 8080. If we specified “80 85 8080” then ports 80 through 85 would be redirected to 8080 through 8085 respectively.
The second command uses an internally defined service, “ftp”, so it suffices to specify “ftp ftp.”
Sending Logging Information to Syslog Server
It is quite common for many devices on a network to be configured to send log information to a central syslog server. The 5861 supports this through the use of the “system addSyslogServer” command. Once again, however, the 5861 requires a “save” and “reboot” for the settings to take effect.
To send our logging information to a syslog server at address 172.16.100.250:
- system addsyslogserver 172.16.100.250
- save
- reboot
And to remove a syslog server:
- system delsyslogserver 172.16.100.250
- save
- reboot
Turing NAT (Network Address Translation) On and Off
NAT is used to allow many internal systems to share a single valid IP address when talk to other Internet systems. By default, this is enabled on the 5861 router. You may desire to disable NAT if you have a subnet of static IP addresses and do not want to utilize the NAT feature. To disable NAT on the 5861:
- remote setiptranslate off INTERNET
- save
- reboot
Should you need to enable NAT, the following commands are needed:
- remote setiptranslate on INTERNET
- save
- reboot
Disable or Enable DHCP Services
The 5861 has a built in DHCP server that is enabled by default. This is not always desirable, such as when you already have a Windows domain with a DHCP server already performing this function. To disable DHCP services on the 5861:
- dhcp disable all
- save
- reboot
To restart the DHCP service:
- dhcp enable 192.168.254.0
- save
- reboot
Changing “192.168.254.0” to whatever your private network is.
To verify the status and operation of the DHCP service, the following command can be used:
- dhcp list
Some additional DHCP functions that the 5861 can perform include a “relay” service, which forwards the DHCP request to another server.
- dhcp relay 10.1.1.1
- save
- reboot
TFTP to Copy Files
The copy command can be used to save or upload files from a remote TFTP server. To save a copy of our kernel to a TFTP server at 192.168.254.1, we can use the following command:
- copy kernel.f2k tftp@192.168.254.1:kernel.f2k
To retrieve the file “asic.aic” from the TFTP server 192.168.254.1, we use the following command:
- copy tftp@192.168.254.1:asic.aic asic.aic
- sync
The “sync” command is required to ensure the file is written to flash (the Unix geeks reading this probably already figured this out.)
NTP Protocol (Network Time Protocol)
Ensuring accurate time among network systems and devices is critical for accurate logs, as well as many encryption functions. The 5861 uses the “sntp” command for configuring and enabling this functionality, and as seems to be typical, a “save” and “reboot” is required.
- sntp server 192.168.254.127
- sntp offset -6
- sntp enable
- save
- reboot
Web GUI Administration
The 5861 router run an http server that is typically used for establishing and monitoring the internet connection. However, it has additional functionality that can be accessed if you know the right URL’s. If you cannot access these features, you may need a firmware upgrade. (see “Firmware Upgrading”)
- http://192.168.254.254/tools
- http://192.168.254.254/admin_gui
The default login is:
Username: login
Password: admin
If you have changed your password on the router, you will need to replace “admin” with your new password.
Firewall Filters
I haven't done much work with the 5861 filtering in over a year. However, I can give you a pretty good idea of how to set this up. Basically, there are two interfaces, "remote" and "eth". These represent the internet side and the local ethernet side. Additionally, there are two filters on each interface, input and output. Input and output represent the direction of the packet as seen on that interface. For example, an HTTP request coming from your browser on the local network side of the 5861 router and going out to the internet would first be seen by the "input" filter on the "eth" interface. It would be seen next by the "output" filter on the "remote" interface. Finally, the reply from the internet webserver would be seen on the "input" filter of the "remote" interface and then the "output" of the "eth". It sounds confusing, but if you read it a few times and try to draw it out it will make a lot more sense in case you have not had to deal with this sort of thing before. If you are familiar with Cisco Access Control Lists (ACL's) then this will probably be somewhat familiar to you, although its not in the same format.
Examples of various security configurations can be found on the CDROM that probably came with your DSL router... Search for files names MAXSEC.txt,
MEDSEC.txt, LOWSEC.txt, and NOSEC.txt. These files are contained in a SAMPLES directory on the CDROM that came with my router.
I have included links to these files in case you do not have them.
Now, I give you my best advice on this subject... Don't use them!!!
The Firewalling on the 5861 DSL router is weak at best, and almost trivial to circumvent at worst. Moreover, the defining and managing the firewall security policies can be quite difficult. I do not implement any firewall rules on my router, and instead depend on dedicated firewalls (Cisco PIX 501 and Nokia IP330 running CheckPoint NG) to do my security. The dedicated firewalls are much easier to manage, have better logging and alerting, and are much more secure. I setup my 5861 to route the valid addresses to the appliance, which then further routes the traffic to the appropriate system behind my firewall.
Another alternative to consider is simply running software based firewalls on each of your exposed systems (such as ZoneAlarm, BlackIce, or some other product).
Firmware Upgrading
Locate the part number (typically on the bottom) of your 5861 router. Then download the appropriate kernel/firmware upgrade from the following link on the Efficient Support Website: http://support.efficient.com/drivers/kernels/ss.html
To determine the appropriate kernel/firmware, use the last 3 digits of the part number. Example: If you router part number is 120-5861-005, then download 5861005-5320.zip
Create a directory to extract the files into, such as C:\. Unzip the file into this new directory.
Start the Configuration Manager tool that came with your router. If you have not installed it, it will be on the supplied CD-ROM. Click on the “connect” button to establish a connection to your router. Then click “tools”, and select “Upgrade/Backup”. Select “all files” from the options provided and click “restore.” A window will pop-up and allow you to select which files to Restore. Hold down the CTRL key and click once on each file until they are all selected (high-lighted.) Finally, click “ok.” A confirmation window will appear and you should select “yes” to confirm this operation. A status window will appear which will show the progress as the files are copied to the 5861 router. Once all the files are copied, a reboot will be required. Click “yes” on the reboot prompt that appears.
At this point, you can close the configuration manager tool, as it will no longer function. The new kernels disable SNMP functionality, so the old configuration manager tools, as well as any other SNMP utilities you use will no longer function.
You can download the newest version of the Speedstream GUI tools by clicking on the link to the latest version at http://support.efficient.com/drivers/kernels/ss.html . The link to the newest version of the Speedstream GUI should be located all the way at the bottom of the page. You can also manage many function of the 5861 router using the Web GUI tools that are provided in the new kernel/firmware (see Web GUI Administration.)
Building a Redundant and/or Load Balanced DSL Internet Connection
Let me preface this section with the following: I thought this would be an interesting configuration to put together, and it appears to work quite well. However, please don’t hold me accountable if you put your business critical applications on the Internet using this technique. If you need 100% uptime, you shouldn’t be using a cheap DSL solution.
There are a few possible reasons to utilize multiple DSL links. Sometimes, DSL links go down, routers fail, or you need to take a link or router down for maintenance and you cannot afford to be without Internet connectivity during this downtime. Or, maybe your DSL link is insufficient to meet the download needs of your office. If your ISP provides DSL download speeds of 768k, and your usage has exceeded that capacity, you may want to increase your download capacity to 1544k (2x768k). Here is a handy configuration that I have implemented with success. It utilizes many of the techniques described above, such as routing your subnets to the local Ethernet, and utilizing virtual interfaces. On the downside, the configuration utilizes one address from each of the subnets, leaving you with only 4 usable valid IP addresses.
What This Configuration Can and Cannot Do
This configuration can provide “outgoing” load balancing and redundancy. It cannot provide “incoming” load balancing. i.e. The valid subnet on network 1 will not be available to the Internet if router-1 or its associated DSL link fail. It will, however, continue to be reachable by the other subnet.
Configuration 1: Using Dynamic IP’s
In order for this to work, we will have a single physical network, with two logical subnets. For those who have trouble understanding this, it may be easier to understand it as have two machines, with different networks and addresses, connected to the same “hub” or “vlan.” If your Ethernet is using a hub, make sure both DSL routers are connected to the same hub. If using a switch, such as a Cisco 2924, make sure both DSL routers are configured onto the same VLAN. Diagram 1 shows the configuration we are putting together.
Diagram 1
Router-1 Configuration
First, we configure router-1 with a virtual IP address on the second subnet.
- eth add 0:1
- eth ip address 192.168.253.253 255.255.255.0 0:1
- eth start 0:1
Next, we need to add a route to the second subnet through Router-1.
- eth ip addroute 192.168.253.0 255.255.255.0 0 0:1
Notice that our route not only specifies the destination, but also the hop count (0), and the sub-interface (0:1). This is important, as we need to tell the router that the other segment is local, and also directly connected on our sub-interface.
Finally, we need to disable the RIP routing protocol on both the primary and sub-interface, and enable RIPv2. We use RIPv2 since it can handle variable length subnets.
- eth ip options rxrip off
- eth ip options txrip off
- eth ip options rxrip off 0:1
- eth ip options txrip off 0:1
- eth ip options rxrip2 on
- eth ip options txrip2 on
- eth ip options rxrip2 on 0:1
- eth ip options txrip2 on 0:1
Router-2 Configuration
- Router-2 will be configured very similar to router-1. First, we configure router-2 with a virtual IP address on the first subnet.
- eth add 0:1
- eth ip address 192.168.254.253 255.255.255.0 0:1
- eth start 0:1
Next, add a route to the first subnet.
- eth ip addroute 192.168.254.0 255.255.255.0 0 0:1
Finally, we need to disable the RIP routing protocol on both the primary and sub-interface, and enable RIPv2. We use RIPv2 since it can handle variable length subnets.
- eth ip options rxrip off
- eth ip options txrip off
- eth ip options rxrip off 0:1
- eth ip options txrip off 0:1
- eth ip options rxrip2 on
- eth ip options txrip2 on
- eth ip options rxrip2 on 0:1
- eth ip options txrip2 on 0:1
Configuring Other Routers, Firewalls, and Hosts
To complete the configuration, you will need a Firewall or Cisco (or other) router providing Hide NAT with 3 network interfaces. One interface will be connected to the first network, 1 interface connected to the second network, and 1 interface connected to a private internal network.
To load balance the outgoing traffic, you will need to have two “default-routes.” This can be achieved using Static routes, or can use the RIPv2 routing protocol that we enabled on the 5861 routers. Using two default-routes “should” work on most devices. Some systems will simply use the first default-route in the routing table and ignore the second. Other system will use both default-routes based on an even-odd sum of the source and destination IP addresses (beyond the scope here to explain). Here is a list of devices that I know WILL balance the outgoing traffic across a pair of default-routes:
- Nokia Firewall appliances (IP330, IP440, and others)
- Cisco Routers (2500, 2600, 3600, and others)
I have not tested this with other devices or operating systems. If you know of others that will balance over multiple default-routes, please email me at paw@paw.org and I will add them to this document, and provide you due credit for your contribution.
Configuration 2: Using Static IP’s and ISP Assigned Subnets
Network Setup
In order for this to work, we will have a single physical network, with two logical subnets. For those who have trouble understanding this, it may be easier to understand it as have two machines, with different networks and addresses, connected to the same “hub” or “vlan.” If your Ethernet is using a hub, make sure both DSL routers are connected to the same hub. If using a switch, such as a Cisco 2924, make sure both DSL routers are configured onto the same VLAN. Diagram 2 shows the configuration we are putting together.
Diagram 2
Router-1 Configuration
First, we configure “router-1”. We bridge / route the valid IP subnets to the local Ethernet.
- remote setiptranslate off
- dhcp disable all
- eth ip address 68.21.200.14 255.255.255.248
- save
- reboot
Then we configured router-1 with a virtual IP address on the second subnet.
- eth add 0:1
- eth ip address 68.21.200.69 255.255.255.248 0:1
- eth start 0:1
Next, we need to add a route to the second subnet through Router-1.
- eth ip addroute 68.21.200.64 255.255.255.248 0 0:1
Notice that our route not only specifies the destination, but also the hop count (0), and the sub-interface (0:1). This is important, as we need to tell the router that the other segment is local, and also directly connected on our sub-interface.
Finally, we need to disable the RIP routing protocol on both the primary and sub-interface, and enable RIPv2. We use RIPv2 since it can handle variable length subnets.
- eth ip options rxrip off
- eth ip options txrip off
- eth ip options rxrip off 0:1
- eth ip options txrip off 0:1
- eth ip options rxrip2 on
- eth ip options txrip2 on
- eth ip options rxrip2 on 0:1
- eth ip options txrip2 on 0:1
Router-2 Configuration
Router-2 will be configured very similar to router-1. First, we bridge / route the valid IP subnet to the local Ethernet.
- remote setiptranslate off
- dhcp disable all
- eth ip address 68.21.200.70 255.255.255.248
- save
- reboot
Then we configure router-2 with a virtual IP address on the first subnet.
- eth add 0:1
- eth ip address 68.21.200.13 255.255.255.248 0:1
- eth start 0:1
Next, add a route to the first subnet.
- eth ip addroute 68.21.200.8 255.255.255.248 0 0:1
Finally, we need to disable the RIP routing protocol on both the primary and sub-interface, and enable RIPv2. We use RIPv2 since it can handle variable length subnets.
- eth ip options rxrip off
- eth ip options txrip off
- eth ip options rxrip off 0:1
- eth ip options txrip off 0:1
- eth ip options rxrip2 on
- eth ip options txrip2 on
- eth ip options rxrip2 on 0:1
- eth ip options txrip2 on 0:1
Configuring Other Routers, Firewalls, and Hosts
To complete the configuration, you will need a Firewall or Cisco (or other) router providing Hide NAT with 3 network interfaces. One interface will be connected to the first network, 1 interface connected to the second network, and 1 interface connected to a private internal network.
To load balance the outgoing traffic, you will need to have two “default-routes.” This can be achieved using Static routes, or can use the RIPv2 routing protocol that we enabled on the 5861 routers. Using two default-routes “should” work on most devices. Some systems will simply use the first default-route in the routing table and ignore the second. Other system will use both default-routes based on an even-odd sum of the source and destination IP addresses (beyond the scope here to explain). Here is a list of devices that I know WILL balance the outgoing traffic across a pair of default-routes:
- Nokia Firewall appliances (IP330, IP440, and others)
- Cisco Routers (2500, 2600, 3600, and others)
I have not tested this with other devices or operating systems. If you know of others that will balance over multiple default-routes, please email me at paw@paw.org and I will add them to this document, and provide you due credit for your contribution.