Securing HG612 modems in Bridge Mode

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Securing HG612 modems in Bridge Mode

I thought I'd feed back some thoughts on securing Huawei HG612 routers in bridge mode. Due to the fact it's in bridge mode, security isn't as big a concern as if it's in routing mode, due to the fact there is no IP address in the data path; the only IP address will be on LAN2, which can be seen as a dedicated Out Of Band management interface, and that will be a private address which - providing you don't carelessly NAT it through your firewall / gateway / routing point - should never be able to access the Internet. This post assumes the router has been unlocked and you have full access to the GUI and command line. 

One seemingly problematic sticking point is that changing the admin password within the GUI doesn't change the admin password for telnet access. I searched the web and they said you couldn't do it; here's how :)

First of all, ensure you're running in bridge mode; I'm not going to cover securing routed mode because that's a whole different kettle of fish. It will need strong firewall rules to protect it, and you have the challenge of BTAgent and potential other unknown back doors. It's such an old product that I wouldn't trust the code to be at all secure, even with good firewall rules. Far better to use it purely as a modem and buy a new, up to date router / firewall to place behind it. Also, this post isn't intended to be a "click this" Janet & John instruction book - it's more what to do, rather than how to do it.

Next, change the admin password to something secure, and optionally set a user password. This is actually key to locking down the telnet password; if you create a new account of "Bob" and give it your password of choice, you'll find the next bit easier.

As I said, changing the admin password doesn't change the telnet password. What you'll need to do is download the modified config to your PC, change the extension to .txt and then edit it. Now if you created a user account, just search for Bob - and after that, you'll see a string of garbage in double quotes - that's your hashed password. Copy the whole of that string to clipboard. Now go back to the top of the text file and search for admin - there are a couple of entries, but the one you want is followed by something like "telnet password" and again, there will be a string of garbage - this is the hash of "admin". Paste your hash in place of the admin hash and you're sorted :) Now save the file and remove the .txt extension, go back to your router and upload it.

One word of caution; it seems when you upload a config file, it screws up your bespoke DHCP and routing setup - the DHCP scope will revert to the full subnet (if you had previously set something smaller) and static routes just don't seem to work, though they look ok. You might be thinking "why would you have static routes on a bridged modem?" Well, I've connected my LAN2 interface to a DMZ on my firewall, so I can manage it from my LAN but without bypassing my firewall (I have rules that allow me to http & telnet to the modem, but doesn't allow the modem to initiate connections anywhere), so I have a route pointing to my LAN via the DMZ interface. If you also do this, my suggestion would be to now disable the DHCP server and delete all routes; then reenable and set up DHCP server as you want it and re-add the static routes. (Note, without deleting the routes, it was odd - I could connect when plugged straight into LAN2, but although the static route looked fine, it just didn't work; rebooting made no difference, I had to delete the route and start again).

Now, you should be able to telnet in using your chosen password, and not the default :D

 

Next, go to advanced / CWMP and disable TR069 - this is the remote config protocol. As there is no IP address in the data path, it shouldn't matter, but you never know... I don't like the idea of TR069 / ACS.

 

If anyone has any specific questions, I'll try to flesh it out, and if anyone has other ideas for securing it (in bridge mode), please feel free to add.
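The hash-swap step above (copy Bob's hash over the admin "telnet password" hash, then verify) done as a script rather than by hand, as an added example that is not from the original post. The sample config and the `Username=".." Password=".."` line shape are constructed and hypothetical; a real HG612 export looks different, so `ENTRY_RE` and the marker string have to be adjusted to the lines in your own file.

```python
import re
import sys

# Constructed sample in a hypothetical attribute-style layout (NOT a real HG612 export).
# Hash values are placeholders. Note the two "admin" entries, as the post describes.
SAMPLE_CONFIG = '''<UserInfo>
  <User Username="admin" Password="YWRtaW4tZGVmYXVsdA==" Level="telnet password"/>
  <User Username="admin" Password="YWRtaW4td2Vi" Level="web"/>
  <User Username="Bob" Password="Ym9iLXN0cm9uZw==" Level="web"/>
</UserInfo>
'''

# One account entry per line: the account name, then its quoted hash (hypothetical shape).
ENTRY_RE = re.compile(r'Username="(?P<user>[^"]+)"\s+Password="(?P<hash>[^"]*)"')


def _entries(config_text, username, marker=None):
    """(line index, match) for each entry of `username`; `marker` narrows to lines containing it."""
    hits = []
    for idx, line in enumerate(config_text.splitlines(keepends=True)):
        m = ENTRY_RE.search(line)
        if m and m.group("user") == username and (marker is None or marker in line):
            hits.append((idx, m))
    return hits


def find_hash(config_text, username, marker=None):
    """Return the stored hash for exactly one entry; refuse missing or ambiguous matches."""
    hits = _entries(config_text, username, marker)
    if len(hits) != 1:
        raise ValueError(f"expected one entry for {username!r}, found {len(hits)}")
    return hits[0][1].group("hash")


def copy_hash(config_text, src_user, dst_user, dst_marker=None):
    """Overwrite dst_user's hash with src_user's; every other byte of the file is untouched."""
    new_hash = find_hash(config_text, src_user)
    hits = _entries(config_text, dst_user, dst_marker)
    if len(hits) != 1:
        raise ValueError(f"expected one entry for {dst_user!r}, found {len(hits)}")
    idx, m = hits[0]
    lines = config_text.splitlines(keepends=True)
    lines[idx] = lines[idx][:m.start("hash")] + new_hash + lines[idx][m.end("hash"):]
    return "".join(lines)


if __name__ == "__main__":
    # Usage: python swap_hash.py config.txt > config_new.txt   (then drop the .txt extension)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    updated = copy_hash(text, "Bob", "admin", dst_marker="telnet password")
    assert find_hash(updated, "admin", "telnet password") == find_hash(updated, "Bob")
    sys.stdout.write(updated)
```

The script deliberately fails rather than guessing when it sees zero or several matching entries, which is the case the post warns about with the two "admin" lines.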

13 REPLIES
danielmorris
Newbie
Posts: 1
Registered: 16-02-2018

Re: Securing HG612 modems in Bridge Mode

Hi Kev, are you about? I have unlocked the HG612 and cannot get it to talk to my router. I have interface access. Doing my head in.

But running LAN1 to router WAN, accessing the interface from a PC on LAN2. Help!

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

Hi Daniel

 

What exactly are you trying to do? Can you actually log into LAN2 using a direct cable? Just checking, have you set it in Bridge mode? If it's in Routed mode then only 1 interface will be enabled and I can't remember which. On the Basic / WAN page, make sure Connection Mode = Bridged and Bridge Type = IP_Bridged.

 

On that page you should also have set up a WAN profile called ptm1.101 or something - I have mine set as follows:

Layer2 interface = ptm1/(ptm1_0_1)

WAN connection = enable

Service List = Internet 

Port Binding = LAN1

Connection Mode = Bridge

Bridge Type = IP_bridged

DHCP Transparent Transmission = disable

WAN 802.1q = enable

VLAN ID = 101

WAN 802.1p = enable

Value = 1

LAN 802.1q = disable

LAN 802.1p = disable

 

When you say it won't talk to your router, do you mean the data path LAN1 isn't working or are you trying to get the LAN2 admin interface working on a DMZ like I wrote about? Note that's an advanced setup, so I'd suggest getting it working "basic" first - connect a laptop directly to LAN2 using a straight through ethernet cable and you should get an IP address - then just browse to your PC's gateway, which will be the modem LAN2.

 

Once you're logged in, go to Status / LAN / Ethernet - you should see both interfaces are connected and packets for "receive" and "send" next to LAN1 with 0 errors or discards.

 

If you get Send but not Receive (or maybe nothing at all), check your cable - maybe you need to have a crossover cable between your router WAN and LAN1 - not all devices will automatically cross over transmit to receive, and that's needed when you connect 2 routers / modems together.

 

There are a few ideas :) Let me know how you get on.

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

Hi Daniel

 

Did you get anywhere with this?

 

Kev

ceemjay
Hooked
Posts: 5
Registered: 21-04-2018

Re: Securing HG612 modems in Bridge Mode

[Edited to clarify between VDSL and ADSL]

 

I want to use the HG612 purely as a VDSL modem and use my rather expensive and already configured ADSL router to do everything, e.g. routing, NAT, port mapping, DHCP etc. Is that Bridge Mode?

Cheers

 

VileReynard
Seasoned Pro
Posts: 10,978
Thanks: 265
Fixes: 11
Registered: 01-09-2007

Re: Securing HG612 modems in Bridge Mode

Is it still possible to buy ADSL modems without a built-in router and access point?

Isn't a HG612 VDSL only, anyway?

Superuser
Superuser
Posts: 6,774
Thanks: 854
Fixes: 55
Registered: 30-07-2007

Re: Securing HG612 modems in Bridge Mode

@ceemjay

I want to use the HG612 purely as an ADSL modem and use my rather expensive non fibre broadband router to do everything eg routing, NAT, port mapping, DHCP etc. Is that Bridge Mode? 

That IS bridge mode. Normally the HG612 is used as a VDSL modem but I believe it WILL work in ADSL mode. You probably need to unlock it first though.

This https://support.aa.net.uk/Router_-_EchoLife_HG612 seems to provide all the information you should need, including how to set it to ADSL mode once it's unlocked.

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

Hi Ceemjay 

 

Yes, that's bridge mode - the opposite of routed. That's exactly what I use it for, except I'm on VDSL (FTTC / fibre to the cabinet / faster broadband).

 
Good luck.

 

Kev

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

@VileReynard

I think you can still find new pure xDSL modems, or routers that can be switched to bridge mode but they are few and far between and / or not cheap. I had to go to ebay for the HG612...

 

Now I would never recommend buying / installing a router or other IP-enabled device from a non-reputable source, as it's very feasible to install persistent malicious code (bad software that survives reboots and reinstallation). It's not worth the risk. However, when in bridge mode it doesn't have an inline IP address, so it's not able to intercept traffic. Configured as I described it, the only IP address is a private one, that can never be routed onto the internet, and that's on a separate interface that I use for management only (and I've also firewalled it off on a DMZ 😉).

 

As to it supporting ADSL, I'm pretty sure it does but can't remember for sure, though there are a lot of references on Google to say it does.

 

Cheers

 

Kev

RealAleMadrid
All Star
Posts: 820
Thanks: 325
Fixes: 14
Registered: 07-07-2009

Re: Securing HG612 modems in Bridge Mode

I have used the HG612 on ADSL for a while before FTTC was available on my line. It needs to be unlocked so that the configuration can be changed to support an ATM connection. There is info on the Kitz website about setting up the HG612 for ADSL lines.

ceemjay
Hooked
Posts: 5
Registered: 21-04-2018

Re: Securing HG612 modems in Bridge Mode

Thanks to all the replies so far. Error in my original post I meant VDSL not ADSL!

Superuser
Superuser
Posts: 6,774
Thanks: 854
Fixes: 55
Registered: 30-07-2007

Re: Securing HG612 modems in Bridge Mode

In that case you shouldn't need (but it may be useful) to unlock it. Its default configuration is VDSL.

ceemjay
Hooked
Posts: 5
Registered: 21-04-2018

Re: Securing HG612 modems in Bridge Mode

Thanks again to all who assisted me with this - it is now working perfectly using the config as above.

 

So now HG612 is just being used as a "modem" (logically not technically!) with all the clever stuff being done by my TP-LINK ADSL router. Happy to provide details if anyone else wants to do this.

 

Had I found out how to statically bind IP addresses to MAC addresses in the HG612 I would probably have dumped the TP-LINK. Can't seem to do it via the GUI and couldn't find anything helpful about using Telnet commands to configure it - did I miss something?

Yorkshirekev99
Dabbler
Posts: 22
Registered: 31-07-2015

Re: Securing HG612 modems in Bridge Mode

@ceemjay

I don't know if you can set up static ARP entries but anything as old as this should be considered obsolete - it's not going to keep up with security and the code will remain and become more vulnerable over time. As a modem, you shift the point of access inwards, so I may be wrong, but I don't think it will be (as) vulnerable in bridge mode - and if it is, you'll be at no greater risk than when the traffic passes through any internet gateway.

 

What you've got, with a modern router / firewall on the inside is the best of both worlds.

 

Glad you got it running.