November 10, 2012
In my last blog post I showed how to connect to a PPPoA provider with a Mikrotik router and get the public IP address onto the router. I also mentioned that my provider has the bad habit of disconnecting every 8h. As that is not exactly 8h, the disconnect times tend to wander, but I want them to always fall at the same times. This blog post shows you how to do that if you want the same.
What the script basically does is force a reconnect at a given time once a day. First we need to make sure that we have the correct time on the router. The simplest way to do that is the following line:
/system ntp client set enabled=yes mode=unicast primary-ntp=126.96.36.199
But you can only use an IP address there; if you want DNS names, take a look at this script. Also verify that you have configured the correct time zone with this command:
/system clock set time-zone-name=Europe/Vienna
Verify the current time with
[admin@MikroTik] > /system clock print
Now we need to write the script, which we do in 2 steps. First we create the script …
/system script add name=scriptForcedDslReconnect source=""
… then we open it in the editor and add the actual code
[admin@MikroTik] > /system script edit 0
After this you get an editor; just copy and paste the following lines:
/interface pptp-client set [find name="pptpDslInternet"] disabled=yes
/interface pptp-client set [find name="pptpDslInternet"] disabled=no
/log info message="pptpDslInternet forced reconnect. Done!"
Save with CTRL-O. You can now check that all is correct with (everything should be colored in the script)
/system script print
Now we only need to add it to the scheduler
/system scheduler add name=schedularForcedDslReconnect start-time=00:40:00 interval=24h on-event=scriptForcedDslReconnect
And we’re done; it will now always disconnect at 00:40, 8:40, 16:40 … as we wanted.
November 4, 2012
I live in Austria, and the biggest Internet provider is A1 Telekom Austria; they use PPPoA and not PPPoE. I searched throughout the Internet to find some documentation on how to configure a Mikrotik router for this. I wanted to have the public IP address on the Mikrotik and not on the provider router/modem. I did not find any documentation. But as I got it working, I’ll provide such documentation now.
1. The Basics
PPPoA is the abbreviation for PPP over ATM (or, as some say, PPP over AAL5); it is used to encapsulate PPP into ATM cells to get onto the Internet via ADSL connections. The more commonly used standard in this space is PPPoE (PPP over Ethernet), which has somewhat more overhead as you need to encapsulate the Ethernet header too.
There are now two possibilities:
The first is that the provider modem/router handles everything and you only get a private IP address behind the router, and the router masquerades the private IP addresses. This is normally the default as it works for 95% of the customers, but your PC or own router does not get a public IP address. You need to use port forwarding if you want to provide services which are reachable from the Internet. And there is something which I especially need: you don’t get an event when you get disconnected and assigned a new IP address. A1 Telekom Austria has the bad habit of disconnecting you every 8 hours … 3 times a day. As I want to have the disconnects always at the same time, I need my own router to time it once a day, so it gets reset to my desired reconnect times.
The second way is to somehow get the public IP address onto the PC or router. In this case you need a provider modem/router with a PPPoA-to-PPTP relay. Take a look at the picture I took from the German Wikipedia (CC-BY-SA-3.0, author Sonos):
The computer (or Mikrotik router) thinks it establishes a PPTP tunnel with the modem, but instead the modem encapsulates the packets and sends them on via ATM to the provider backbone. So the computer or Mikrotik router does not need to be able to talk PPPoA; it is enough if it is able to talk PPTP, the rest is handled by the modem.
But of course there are some requirements:
- The provider modem needs to be able to act as a PPPoA-to-PPTP relay and, importantly, you need to be able to configure it, as some provider firmwares restrict that.
- You need to know the username and password which are used for the PPP authentication
- And for the sake of completeness – you need a Mikrotik router
3. Provider modem / router
My provider gave me a Thomson Speedtouch TG585 v7 modem/router. The firmware is old (188.8.131.52) and branded, but I was able to upload a new configuration via the web interface.
And as it works stably I did not see a reason to upgrade. I found on the Internet an INI file which configures the router to PPPoA-to-PPTP relay mode. Three important notes:
- If you search the Internet for a configuration file … look for “single user” or “single user mode” (SU); the masquerade mode is called “multi user mode” (MU)
- It is also possible to configure the single user mode via telnet; there are some howtos out there. The specific ones for Austria are of course in German.
- The version numbering is quite broken. The A1 Telekom Austria branded firmwares are often higher (e.g. 184.108.40.206) than the newer generic firmwares (e.g. 220.127.116.11_AA).
After configuring the router as a PPPoA-to-PPTP relay it has the IP address 10.0.0.138/24 in my setup.
4. Mikrotik PPP configuration
So now to the Mikrotik configuration … we start by resetting the configuration with no defaults.
/system reset-configuration no-defaults=yes
Then we rename the first interface and add a transit network IP address:
/interface ethernet set 0 name=ether1vlanTransitModem
/ip address add address=10.0.0.1/24 interface=ether1vlanTransitModem
And now we only need to configure the PPTP client:
/ppp profile add change-tcp-mss=yes name=pppProfileDslInternet use-compression=no use-encryption=no use-vj-compression=no
/interface pptp-client add add-default-route=yes connect-to=10.0.0.138 disabled=no name=pptpDslInternet password=YourPassword profile=pppProfileDslInternet user=YourUsername
After connecting ether1 to the modem, this configuration should lead to the following log entries:
[admin@MikroTik] > /log/print
00:29:03 pptp,ppp,info pptpDslInternet: initializing...
00:29:03 pptp,ppp,info pptpDslInternet: dialing...
00:29:05 pptp,ppp,info pptpDslInternet: authenticated
00:29:05 pptp,ppp,info pptpDslInternet: connected
You should see the IP address too:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 xxx.xxx.xxx.xxx 1
1 ADC 10.0.0.0/24 10.0.0.1 ether1vlanTrans... 0
2 ADC xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy pptpDslInternet 0
But if you try to ping something you’ll get:
[admin@MikroTik] > ping 18.104.22.168
HOST SIZE TTL TIME STATUS
sent=2 received=0 packet-loss=100%
What’s the problem? The router uses the wrong source IP address. Try the following (xxx.xxx.xxx.xxx is the IP address from /ip route print, entry 2):
[admin@MikroTik] > /ping src-address=xxx.xxx.xxx.xxx 22.214.171.124
HOST SIZE TTL TIME STATUS
126.96.36.199 56 46 37ms
188.8.131.52 56 46 36ms
184.108.40.206 56 46 37ms
220.127.116.11 56 46 37ms
18.104.22.168 56 46 37ms
22.214.171.124 56 46 37ms
sent=6 received=6 packet-loss=0% min-rtt=36ms avg-rtt=36ms max-rtt=37ms
Now the Internet connection is working, we just need to make it usable ….
5. Mikrotik on the way to be usable
The first thing we need is a masquerade rule so that we use the correct IP address towards the Internet; the following does the trick.
/ip firewall nat add action=masquerade chain=srcnat out-interface=pptpDslInternet
But we also want a client to test it … so here is the configuration I use for the clients (without explanation, as it is not the topic of this howto):
/interface ethernet set 2 name=ether3vlanClients
/ip address add address=10.23.23.1/24 interface=ether3vlanClients
/ip dns set allow-remote-requests=yes servers=126.96.36.199,188.8.131.52
/ip dns static add address=10.23.23.1 name=router.int
/ip pool add name=poolClients ranges=10.23.23.20-10.23.23.250
/ip dhcp-server add address-pool=poolClients authoritative=yes disabled=no interface=ether3vlanClients name=dhcpClients
/ip dhcp-server network add address=10.23.23.0/24 dns-server=10.23.23.1 domain=int gateway=10.23.23.1
Connect a client behind it, set it to DHCP and everything should work. I hope this howto demystifies PPPoA and Mikrotik.
June 3, 2012
A local public library here in Tirol/Austria allows you to rent e-books; you only need to have a Windows PC or Mac to run Adobe Digital Editions – at least that is what is stated on their homepage, but it is quite easy to get the software running on Ubuntu 12.04.
This is a short description of how to install the software and then integrate a generic e-book reader so you can read the rented e-books on your e-book reader. The e-book reader just needs to present itself as a USB mass storage device. I’ve tried it with an Iriver Story HD and an old Sony PRS-505 – both work. I guess the e-book reader needs to be Adobe Digital Editions ready, as both of mine show that during boot up.
Anyway, let’s start. First you need to start the Ubuntu Software Center, search for the meta package “wine” and install it.
Then you need to download the Adobe Digital Editions installer for Windows. I provide a direct link here (hope it stays valid for a long time), as on the Adobe homepage you don’t get the download link: it “verifies” with Flash whether your OS is supported, which it is not in this case. So here is the link.
Now start your file browser (Nautilus), press the right mouse button on the installer and then select “Open With Wine Windows Program Loader”.
After some seconds you are within the installer. I would say just press “Next”, as the software is installed within the .wine subdirectory in your home directory anyway.
Now Adobe Digital Editions gets started and greets you with the following window.
And after a Next click you need to select “Authorize Computer” if you want to connect an e-book reader later.
Just click on “get an Adobe ID online” and your default browser is launched and you can create one.
Adobe Digital Editions is running, but it does not see the e-book reader. For this we need to start the program “Wine Configuration” (just type “wine” in the “Dash Home”), which looks like this:
Go to the Drives tab, where you need to add a new drive letter for your e-book reader (even if it already shows it with another drive letter).
After choosing the drive letter select “Show Advanced” and choose the path of the mount point for your e-book reader (plug it into your computer and a directory within /media should be created automatically), and now the important setting: change the type from automatic to “Floppy disk”.
Save the changes and restart “Adobe Digital Editions” (just close it, then type “adobe” in the “Dash Home” and select it). If your e-book reader is mounted in the specified directory, the e-book reader should be detected and its content shown, or, if you connected it for the first time, you will be asked to pair it.
December 31, 2011
I think it is well known that the DSL Internet plans from A1 Telekom Austria for private users (= not the more expensive business plans) have a forced 8h disconnect. I searched the Internet to check if it is the same for their UMTS USB sticks, and couldn’t find anything – it seems that nobody cares or has tried it. So I put the USB stick into my server and have let it run for a week now, and I can say: yes, there is a forced disconnect normally every 8h … but sometimes they seem to miss it. Take a look at the last few days – I did a grep on the connect time and the pid of the UMTS pppd:
# cat /var/log/messages | grep "Connect time" | grep "9069"
Dec 27 20:56:17 xxx pppd: Connect time 480.0 minutes.
Dec 28 04:56:53 xxx pppd: Connect time 480.0 minutes.
Dec 28 12:57:00 xxx pppd: Connect time 480.0 minutes.
Dec 28 20:57:05 xxx pppd: Connect time 480.0 minutes.
Dec 29 04:57:42 xxx pppd: Connect time 480.0 minutes.
Dec 29 12:57:49 xxx pppd: Connect time 480.1 minutes.
Dec 29 22:20:09 xxx pppd: Connect time 561.8 minutes.
Dec 30 06:20:44 xxx pppd: Connect time 480.0 minutes.
Dec 30 14:23:20 xxx pppd: Connect time 482.5 minutes.
Dec 30 22:05:07 xxx pppd: Connect time 461.7 minutes.
Dec 31 06:05:44 xxx pppd: Connect time 480.0 minutes.
Dec 31 14:06:21 xxx pppd: Connect time 480.1 minutes.
ps: 480min = 8h
Does anybody know why they are missing some disconnect times? Maybe it is traffic related – I’ll try to generate some traffic every few seconds on the link to verify that.
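As an added example (not part of the original post), here is a Python script that parses pppd “Connect time” lines of the shape shown above, labels each session as a regular 8h cut, a missed cut or a short one, and measures the reconnect gap after each disconnect, which is the drift the scheduler script in the Nov 10 post works around. The sample log is constructed from the entries above, and the year is assumed because syslog does not record it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the pppd "Connect time" lines quoted
# above (syslog omits the year, so one is assumed when parsing).
SAMPLE_LOG = """\
Dec 29 04:57:42 xxx pppd: Connect time 480.0 minutes.
Dec 29 12:57:49 xxx pppd: Connect time 480.1 minutes.
Dec 29 22:20:09 xxx pppd: Connect time 561.8 minutes.
Dec 30 06:20:44 xxx pppd: Connect time 480.0 minutes.
Dec 30 14:23:20 xxx pppd: Connect time 482.5 minutes.
Dec 30 22:05:07 xxx pppd: Connect time 461.7 minutes.
Dec 31 06:05:44 xxx pppd: Connect time 480.0 minutes.
"""

# syslog timestamp, host, "pppd" or "pppd[pid]", then the connect-time text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pppd(?:\[\d+\])?: "
    r"Connect time (?P<minutes>\d+(?:\.\d+)?) minutes\.$"
)

def parse_connect_times(text, year=2011):
    """Return [(disconnect_time, session_minutes), ...] in log order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = " ".join(m["ts"].split())  # collapse syslog's day padding
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        records.append((when, float(m["minutes"])))
    return records

def classify_sessions(records, expected_minutes=480.0, tolerance=5.0):
    """Label each session 'forced' (~8h cut), 'long' (cut missed) or 'short',
    and measure the gap in seconds from its disconnect to the next session's
    start; that gap is what lets the disconnect times wander every day."""
    results = []
    for i, (disc, minutes) in enumerate(records):
        if abs(minutes - expected_minutes) <= tolerance:
            label = "forced"
        elif minutes > expected_minutes:
            label = "long"
        else:
            label = "short"
        gap = None
        if i + 1 < len(records):
            next_disc, next_minutes = records[i + 1]
            next_start = next_disc - timedelta(minutes=next_minutes)
            gap = round((next_start - disc).total_seconds(), 1)
        results.append((disc, minutes, label, gap))
    return results

if __name__ == "__main__":
    for disc, mins, label, gap in classify_sessions(parse_connect_times(SAMPLE_LOG)):
        print(f"{disc:%b %d %H:%M:%S} {mins:6.1f} min {label:6} gap={gap}")
```

On the sample the 561.8-minute session is the one flagged “long”, and the reconnect gaps of a few seconds up to half a minute show why the cut times creep later day by day.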
December 25, 2011
When I tried to connect from my mobile phone to my DSL router at home and had tcpdump running on the router at the same time, I thought there was something wrong. I saw connection requests from a 10.62.35.x IP address coming from the Internet. My router was of course dropping these packets, as this IP address cannot legitimately arrive on the Internet uplink interface.
After some checking I realized that my mobile phone is the 10.62.35.x source address, and I needed to accept packets from the Internet with a source address within the range 10.62.0.0/16. It is good that I don’t use 10.62.0.0/16 subnets at home … but if someone does, he has a problem.
Anyway, does anyone have more information on which 10.x.x.x IP addresses A1 Telekom Austria (and Bob for my mobile) use?
ps: The DSL router has a public IP address but the mobile IP is local, surely to force businesses into more expensive plans to get a public IP address.
September 3, 2008
The Austrian ISP UPC (Chello, Inode, Telesystem) has activated a system which sends your browser to a UPC site if a domain could not be resolved. They say that this helps their less tech-savvy customers, but I believe it helps them more, because they can put some ads on this site. They are not the first to try this. In 2003 VeriSign tried something similar (called Site Finder), but it was stopped by ICANN and user protests. But that was not a provider.
The system is an opt-out one and not opt-in. You need to perform 5 clicks, fill out a form and wait for a support employee to get it deactivated. You should really opt out, as the system can lead to problems if a DNS server is responding too slowly and the system tells you you’ve a wrong domain name. The other question is what happens with the data gathered by the search engine on this site, which tries to guess what you meant.
This site (German) contains all the info on how you can opt out.
July 12, 2008
I got my hands on this list, which is out of a PDF from the European Commission, and I thought it may also interest others. It shows the status of data retention laws in the EU member states. So here is the list. (The list is sorted by the native names of the nations and not the English ones I used here, e.g. Deutschland vs Germany.)
February 22, 2008
Many European nations have had Computer Emergency Response Teams (CERT) for years now, and finally Austria is on the way to play catch-up. nic.at, the Austrian domain registry, plans to create it together with the Federal Chancellery of the Republic of Austria, with four employees at the beginning. Chancellor Alfred Gusenbauer declared: “The internet is a valuable infrastructure, which needs to be protected”. (Wow, he truly got it!)
So much for the official version of it, but not all is gold. The CERT should only be an information hub which provides international networking. So far so good, but what would be needed is its own infrastructure to react in cases of emergency; otherwise no defense can be coordinated. But this is a typical Austrian solution: we will have our own CERT, but it should not be as expensive as a real one.
January 27, 2008
I got my hands on an A1 UMTS PC-Card and did some research on how to use it with Linux. At first just plug the card into your notebook and look at the logfile (/var/log/syslog on Debian based distributions). On Kubuntu Feisty and newer Kubuntu versions and Debian Etch it is supported as /dev/ttyUSB0. This worked for all Huawei based cards I got my hands on, also the USB versions.
You have now 2 possibilities:
The first is to use the official Linux drivers from Vodafone, which also work for A1. Just go to http://www.vodafonebetavine.net/web/linux_drivers/
The advantage of the official closed source program is that it ships with a special program which shows you how good the reception is and whether it’s using GPRS or UMTS – but it is closed source and maybe not available for your hardware and/or software platform. And especially, as it is a GUI application, it does not help if you want the UMTS internet access for a display-less router. The following describes how I did it on a Debian Etch based router.
First you need to install the pppd
# apt-get install ppp
Then you create the following files with the shown content:
# cat > /etc/ppp/peers/a1
connect "/usr/sbin/chat -v -f /etc/chatscripts/a1"
user "[email protected]"
# cat > /etc/ppp/pap-secrets
"[email protected]" a1 "www"
# cat > /etc/chatscripts/a1
# ispauth PAP
ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT DELAYED
Now download this Perl script and change the PIN code (line 11) to the one of your card. Don’t forget to set the executable flag. Now you can go online with
# pon a1
The setpin.pl script needs to be called once each time you insert your UMTS card. This setup is mostly identical for the other Austrian UMTS providers, as they sell the same Huawei cards A1 does; just some init commands are different. It is easy to find the correct ones for your provider with Google.
January 23, 2008
Only last week I posted about the UPnP attack vector on home routers, and now Symantec is reporting active attacks on Mexican internet users. The purpose of this attack is to manipulate the DNS settings of the router so the user is directed to a phishing site for a popular Mexican bank. As there is no change on the computer itself, security software will have a hard time detecting such attacks. Sure, the SSL certificate the fake site provides is most likely faked, but most users just click OK anyway. But my guess would be anyway that the phishing site is just plain HTTP.
But this is not the only attack vector, even if a password is set for the router (not counting the default password). If a router allows the user to authenticate himself via a cookie, then an attacker only needs to provide a URL which includes the commands for the router. Sure, the attacker needs to know the router which is used by the user, but that’s not as complicated as you might think. For example, in Austria an attack would be best done against the Alcatel SpeedTouch router (configured to multi user mode), which has been used by Telekom Austria since the start of DSL in Austria. And to make it worse, there is no password defined by default, so a cookie attack is not even needed.
It is therefore important to change the default password and to make sure the router requires a password each time you start your browser. It is also a good idea to restart your browser after you have authenticated yourself against the router and before you surf the internet.
You ask yourself how the attacker knows the IP address of the router? That’s easy – the following possibilities exist:
- just try 192.168.0.1 (or whatever the default setting is for the router being targeted)
- get the IP address of the computer and replace its last number with a one (JavaScript?)
- use an applet (Flash, Java, …) to get the default gateway or DNS server IP address – you’ve got your router
The first one is the easiest one, but also the easiest to defeat. Just change the network to a new /24 (C class) network out of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8, e.g. 10.133.122.0/24. So let’s change the following mantra a little bit. Recommended steps for setting up your home router:
- Throw the disk away
- Plug in your machine, Turn on the router and navigate to the Web-GUI
- Turn off UPnP
- Change the subnet of your router
- Change default name and password, set WPA-PSK
- Check that remote management is disabled
I’ve changed the subnets of my routers for years, just because the 192.168.0.0/24 stuff didn’t look cool – so be cool and change yours too.