Connection of the whole network to Yota or ASUS WMVN25E2+
In one of the articles, we have already studied network functioning of WiMAX provider Yota in regard to the connection of a single device. Now we’ll try to describe ASUS WMVN25E2+, a fully-featured router able to provide Internet access via WiMAX connection for both wired and wireless segments of the whole LAN. The device permits the connection of two POTS telephones to any of SIP providers as well. Let us examine it more thoroughly.
WMVN25E2+ is performed in a white plastic case. This design is not new. We can come across it with other network ASUS devices, for instance, RT-N15 which is a bit smaller and does not have external antenna. The router is designed for desktop mounting. It cannot be set up on the wall or in the rack without supplementary fixtures.
On the side panel there are the vendor and model name as well as the name of WiMAX provider the device is adapted for. Besides, there are vent holes at the bottom of the case.
There are status LEDs on the top panel of WMVN25E2+. The scale showing the power of the received WiMAX signal or indicating the special operation mode of the mobile WiMAX/Wi-Fi centre is marked with numbers from one to six.
On the bottom there is a turning stand for more stable positioning and the label with the name and MAC-addresses of the router.
The rear panel is more interestig. It has four RJ-45 LAN ports (Fast Ethernet), two RJ-11 FXS ports for the POTS telephone connection, power connector, antenna and Reset and EZsetup buttons, for reset to the default settings and for establishing wireless network respectively.
Now we are done with the exterior design of the device under test. Let’s have a look at its hardware.
Electronic staff of WMVN25E2+ consists of two double-sided boards of green textolite. Let’s study each of them in detail.
There is Ralink RT2860T chip set for wireless communication on the minor board. It’s not the first time ASUS uses this chip set. The same chipset is placed on a wireless network PCI-card WL130N. Broadcom BCM5325EKQMG the flow chart of which is shown below is responsible for wired Fast Ethernet segment in WMVN25E2+.
Let’s have a look at the major board. On the one side there is Serial Flash memory STMicroelectronics 25P64V6G with storage capacity of 8 Mbytes. Both on this and reverse side there are heat sinks of considerable dimensions and screens above the antennas.
There is a power connector and ports for POTS telephones provided by Zarlink Le88221DLC on the same side of the board. Connection with WiMAX is provided with the help of chipsets Maxim MAX2839 and Sequans SQN1130.
That’s all for hardware. Now let’s pass over to firmware update.
Firmware update of WMVN25E2+ can be performed in two ways, either by the traditional file download via web-interface from the administrator computer or by turning the router to search for new firmware on the internet.
Just to be on the safe side we decided to update firmware by downloading its image through the browser. So we go to Update Firmware category in Management menu where we select From Local PC. Then it was necessary to specify new firmware file and click Update Firmware. By the time the article was finished the new firmware had become available on Yota web-site.
It should be mentioned that our attempt to update firmware via Opera 9.64 was not a success.
Though the same file can be downloaded with the help of Microsoft Internet Explorer 8.
The whole updating process takes about two minutes and does not require any additional actions from the user.
When firmware update is completed, it can be checked either in the left lower corner of web interface or via Information about the device from Status menu.
In any case it’s better to check firmware updates via WMVN25E2+ update server.
That’s all as the procedure of firmware update of the router is concerned.
To get an access to the web interface of WMVN25E2+ it is necessary to type http://192.168.1.1 in the address bar of the browser. The web interface can be reached with the help of any browser, though ASUS advises to use Internet Explorer. After addressing to the router it’s necessary to type in the user name and the password which are admin/admin by default.
If the logon information contains a mistake, the user will get the message about the denied access with the name of HTTP server in WMVN25E2+. This is not the best solution as far as security is concerned. The function of the web server in the tested router is performed by micro_httpd.
It is worth mentioning that we will not describe all the opportunities of the web interface of the device and will turn our attention to the most interesting ones.
The first menu group – Connect to the Internet – does not contain any submenus, it allows scanning wireless network IEEE 802.16e for WiMAX signal of Yota network. There is also some information about the device and the data about the technical support of the provider WMVN25E2+ is oriented to. There is also exists an option to switch the interface language between English and Russian on this page.
There is some information about the device in the Device Information submenu in the Status menu, i.e. the information about MAC addresses of network interfaces of WMVN25E2+ and its uptime as well as the information about the versions of all firmware components.
WiMAX Network Status submenu in the Status menu contains the information about the current status of WiMAX connection.
Traffic Statistics submenu in the Status menu contains information about the amount of data transmitted and received through different interfaces of the router. It is important to note that here presented total Ethernet statistics, in other words, it is impossible to say through which particular interfaces of Fast Ethernet the data has passed.
Let’s pass to the first submenu Local Network Configuration in the Andanced menu. Here we see four tab pages: IP Settings, DHCP Server, UPnP and IGMP Snooping. But we are interested in the first two. We consider Secondary IP Address in the local interface of the router to be a pleasant but not frequently used opportunity. Secondary IP address can be useful for a smoother change-over of local computers into the subnet with new IP-addresses.
WMVN25E2+ can either provide proper IP address settings (built-in DHCP Server), or relay DHCP to a particular server (by IP-address). The same opportunity is provided in Cisco routers where it is called ip helper-address.
That is all for Fast Ethernet. Now let’s come over to Wi-Fi Wireless Configuration, Advanced menu. There are four tab pages here as well. They are Basic Settings, Security, Access Control and Repeater. The first tab page allows setting up to four Wi-Fi Wireless networks. An interesting function is the restriction of users’ access to each other which is regulated by User Isolation option.
It is possible to configure IP-settings of WiMAX interface and NAT in the Advanced submenu, WiMAX Wireless Configuration. There is also information about the device certificates here.
Virtual Server Configuration page looks a little bit unusual (Advanced – Virtual Server). It is possible to forward up to three ports with one rule to the server within LAN. Though the ports are forwarded with the same numbers they come if you configure extent forward. It means that it’s impossible to forward ingoing TCP-ports from 10000 up to 20000 to some inner server TCP-ports from 30000 up to 40000. Message about the corresponding mistake is presented below. Though single port forwarding is possible.
Let’s turn to another tab page – Static DNS Configuration. This page allows configuring DNS mapping between name and IP-address for your local hosts. We’ll speak about this tab page in details in Testing section.
Administrator can configure quite in detail filtering rules (for a SOHO device) in Anvanced submenu, Firewall Configuration.
Beside application traffic transfer WMVN25E2+ can edit voice calls as far as it has SIP client and two ports RJ-11 for the POTS telephone connection. So this is a complete solution for LAN (Wired and Wireless) and Telephony organization in a small office. SIP client can be customized in Advanced submenu, Internet Telephony Configuration.
The most interesting submenu in Management menu is Management Control from Remote, so let’s speak about its twists and turns. In the old firmware it has two tab pages: from remote computer and from local computer. Though after firmware update to 3.106d Management Control from Remote disappears so the user cannot turn on/off services available from LAN. The page has not disappeared indeed but there is no link to it from the web-interface. It is necessary to use URL http://192.168.1.1/accesslocal.cmd?action=viewcfg to get an access to it. Management Control from LAN can be used, for instance, to deny access to inbuilt TFTP-server. It will be explained in details in testing section.
These are all fine points concerning web-interface of WMVN25E2+.
To get an access to the command line of WMVN25E2+ it is necessary to tick Telnet in From Local Computer tab page of Management Control – From Remote. User name and password are the same as in the web-interface.Mobile WiMAX Subscriber Station Software Version: 3.106dLogin name: adminPassword:> ? ?helplogoutrebootbrctlcatddnsdfdumpcfgechoifconfigkillarpdefaultgatewaydhcpserverdnslanpasswdlocalaccessrestoredefaultroutesaveswversionsqnmodewimaxiotcmdpingpspwdsntpsysinfotftpvoicewlctlwirelessgpiorfledatemodegetresetdefaultbuttongetwpsbuttonallledonallledoff
The command line differs from the ones of previous ASUS products. It is necessary to write system calls and their configuration in full, abbreviations are not allowed. Let’s study some available commands.
It is possible to look up or to change the settings of network interfaces with the help of the call ifconfig command. A part of data submitted can be received with the help of lan command.> ifconfigbr0 Link encap:Ethernet HWaddr 00:22:15:A5:B4:FFinet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:295019 errors:0 dropped:0 overruns:0 frame:0TX packets:16248 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:20652553 (19.6 MiB) TX bytes:10298537 (9.8 MiB)eth0 Link encap:Ethernet HWaddr 00:24:8C:27:3D:94UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:295621 errors:0 dropped:0 overruns:0 frame:0TX packets:17819 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:26016910 (24.8 MiB) TX bytes:10548782 (10.0 MiB)Interrupt:25 Base address:0x4800eth1 Link encap:Ethernet HWaddr 00:22:15:A5:B4:FFUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:36954 errors:0 dropped:0 overruns:0 frame:0TX packets:1888 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:2364992 (2.2 MiB) TX bytes:166486 (162.5 KiB)Interrupt:23 Base address:0x4000lo Link encap:Local Loopbackinet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:16436 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)> ifconfig --helpBusyBox v1.00 (2009.06.06-01:53+0000) multi-call binaryUsage: ifconfig [-a] <interface> [<address>]configure a network interfaceOptions:[[-]broadcast [<address>]] [[-]pointopoint [<address>]][netmask <address>] [dstaddr <address>][hw ether <address>] [metric <NN>] [mtu <NN>][[-]trailers] [[-]arp] [[-]allmulti][multicast] [[-]promisc] [txqueuelen <NN>] [[-]dynamic][up|down] ...
The defaultgateway command is responsible for routing. The same results can be reached with the help of route utility.> defaultgatewayUsage: defaultgateway config autodefaultgateway config static <[<IP address>] [<interface>]>defaultgateway showdefaultgateway --help> defaultgateway showKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface192.168.1.0 * 255.255.255.0 U 0 0 0 br0192.168.0.0 192.168.1.2 255.255.0.0 UG 1 0 0 br0> routeUsage: route add <IP address> <subnet mask> <[<gateway>] [<interface>]>route delete <IP address> <subnet mask>route showroute --help
The localaccess command configures the access to the services of the router. It should be mentioned that even SSH access permission will not allow to connect to WMVN25E2+ since the corresponding daemon is not running.> localaccessUsage: localaccess config <http> <telnet> <tftp> <ftp> <ssh>localaccess --helpenable or disable local management via various methodsExample: localaccess config on on on on onlocalaccess config on on off off off
To see the list of processes (daemons) running one should use ps utility. The kill command stops any process.> psPID Uid VmSize Stat Command1 admin 332 S init2 admin SWN [ksoftirqd/0]3 admin SW< [events/0]4 admin SW< [khelper]5 admin SW< [kblockd/0]17 admin SW [pdflush]18 admin SW [pdflush]19 admin SW [kswapd0]20 admin SW< [aio/0]24 admin SW [mtdblockd]34 admin 364 S -sh66 admin 1444 S cfm248 admin 240 S tftpd385 admin 2164 S httpd387 admin 2032 S rvsip393 admin 1288 S thpmgr396 admin 308 S dproxy397 admin 2032 S rvsip398 admin 2032 S rvsip399 admin 2032 S rvsip400 admin SW< [BosThread]401 admin SW< [BosThread]402 admin SW< [BosThread]403 admin SW< [BosThread]404 admin SW< [BosThread]405 admin SW< [BosThread]406 admin SW< [BosThread]407 admin 1288 S thpmgr408 admin 1288 S thpmgr409 admin 1288 S thpmgr412 admin 2032 S rvsip413 admin 2032 S rvsip414 admin 2032 S rvsip415 admin 2032 S rvsip416 admin 2032 S rvsip418 admin 244 S mpd420 admin 2032 S rvsip421 admin 2032 S rvsip422 admin 2032 S rvsip29088 admin 1288 S thpmgr8239 admin 1464 S telnetd8240 admin 1504 S telnetd8887 admin 312 S sh -c ps8888 admin 332 R ps> killBusyBox v1.00 (2009.06.06-01:53+0000) multi-call binaryUsage: kill [-signal] process-id [process-id ...]Send a signal (default is SIGTERM) to the specified process(es).Options:-lList all signal names and numbers.
The ARP-protocol is guided by the command with the same name.> arpUsage: arp add <IP address> <MAC address>arp delete <IP address>arp showarp --help> arp showIP address HW type Flags HW address Mask Device192.168.1.2 0x1 0x2 00:1C:F0:1D:80:41 * br0192.168.1.7 0x1 0x2 00:13:D4:B7:F1:3F *br0
The administrative password can be changed with the help of the call passwd command.> passwdUsage: passwd <admin|support|user> <password>passwd --help
Firmware version can be received with the help of the swversion utility. Information about the system can be called by the sysinfo command. The system uses BusyBox v1.00 (06.06.2009).> swversionUsage: swversion showswversion --help> swversion showFirmware Version: 3.106dWiMAX Driver Version: 4.60.6-19028WL_RT_ioctl: ioctl error during set commandWireless Driver Version:> sysinfoNumber of processes: 446:13am up 2 days, 6:13,load average: 1 min:0.00, 5 min:0.01, 15 min:0.00total used free shared buffersMem: 29772 28592 1180 0 2772Swap: 0 0 0Total: 29772 28592 1180> sysinfo --helpBusyBox v1.00 (2009.06.06-01:53+0000) multi-call binaryUsage: sysinfo System status reportSystem status report
Voice settings of WMVN25E2+ are gathered in voice command.> voiceCommand syntax:voice --help - show the voice command syntaxvoice show [all|PhoneStatus|PhoneState] - show the voice parametersvoice start - start the voice applicationvoice stop - stop the voice applicationvoice restart - restart the voice applicationvoice set interface <interface> - set interface name used by the voice application (br0, ppp_8_35_1, etc.)voice set registrar <IPADDR:PORT> - set IP address and port for SIP registrarvoice clear registrar - clear IP address and port for SIP registrarvoice set obproxy <IPADDR:PORT> - set IP address and port for outbound SIP proxyvoice clear obproxy - clear IP address and port for outbound SIP proxyvoice set proxy <IPADDR:PORT> - set IP address and port for SIP proxyvoice clear proxy - clear IP address and port for SIP proxyvoice set phone1 <num:callername:UserName:passwd> - set phone 1 configurationvoice clear phone1 - clear phone 1 configurationvoice set phone2 <num:callername:UserName:passwd> - set phone 2 configurationvoice clear phone2 - clear phone 2 configurationvoice set prefcodec <codec> - set the preferred codec (G711U, G711A, G723, G726, G729A)voice set country <number> - set PSTN Country :01:US 02:EU 03:UK 04:NL 05:FR 06:CH 07:SE 08:BE 09:JP 10:CN 11:FI 12:DE 13:IT 14:BR 15:DK16:HU 17:CL 18:NZ 19:AU 20:RU 21:ES 22:AT 23:CZ 24:IE 25:PL 26:RO 27:SK 28:SIvoice set testmode <enable/disable> - Enable or disable test modevoice set dialplan <dialplan>- Setup the dial plan
That’s all as far as command line interface is concerned.
We started testing WMVN25E2+ with the estimation of load time of the router that is the time from the moment of power connection of the device till the return of the first ICMP echo-response . WMVN25E2+ boots in 18 seconds that is a very good result.
Then we tested security of the mobile WiMAX Wi-Fi center and its stability to network attacks. We made this testing from LAN deliberately because many ports which could be accessed by the network scanner were open from the inside. Positive Technologies XSpider 7.7 (Demo build 3100) was chosen as a network analyzer. Three open ports were discovered, they are TCP-23 (Telnet), TCP-69 (TFTP) and TCP-80 (HTTP). The most interesting messages about the security problems of WMVN25E2+ are presented below.
Yet the indicated security vulnerabilities are not the most terrible ones. When scanning TFTP-service the router reboots, it can be seen because the echo-responses (ICMP) disappear and the uptime in the web interface is offloaded (Status – Device Information). It’s the first time we come across to such behaviour of ASUS devices, though we have tested more than ten different commutators, routers, access points and cameras. Of course, the administrator can switch off TFTP service but it is switched on by default and is accessible both from LAN and WLAN. It should be mentioned that the user can come across some difficulties if the access to the TFTP-service is switched off. This situation is described in detail in Web Interface Review secton.
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64Request timed out.Reply from 192.168.1.2: Destination host unreachable.Reply from 192.168.1.2: Destination host unreachable.Reply from 192.168.1.2: Destination host unreachable.Reply from 192.168.1.1: bytes=32 time=1999ms TTL=64Reply from 192.168.1.1: bytes=32 time<1ms TTL=64Reply from 192.168.1.1: bytes=32 time<1ms TTL=64Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
The latest versions of firmware of 3.106 series do not allow the user to set the access to the wireless centre from LAN and TFTP access so the TFTP-service became inaccessible from LAN and WLAN. If the user needs due to some reason the access via TFTP to the router then he can switch it on but the device will become vulnerable to the attack described above. It goes without saying that we have informed Yota technical specialists about this vulnerability and hoped that it would be corrected. But unfortunately, after our month attempts to contact by telephone and email with the technical support service of the provider selling WMVN25E2+ in Russia we could only get a formal reply that the data had been sent to their specialists.
When studying the web interface of the router we came across static DNS. We created a new record with the wrong data.
After that we addressed to the router under testing with DNS query to allow the name www.ru, the answer was 192.168.1.2.
C:\>nslookup www.ru. 192.168.1.1Server: WMVN25E2plus.homeAddress: 192.168.1.1Non-authoritative answer:DNS request timed out.timeout was 2 seconds.Name: www.ruAddress:192.168.1.2
The operating system used on the computer tested is Microsoft Windows Vista x64 SP2 with switched on IPv6 support that caused two-second timeout in DNS-response. At that time a vain query for AAAA record of IPv6 protocol takes place. The presence of such a query is seen if the packets are captured with Wireshark when testing.
To our opinion, the only highly sought test of bandwidth can be wireless 802.11n segment efficiency testing that is the speed of data transmission between LAN and WLAN segments. The results of the test are presented in the table below though we cannot say they are impressive. Perhaps the reader will get higher speed using WMVN25E2+ in another environment or in pair with another client-adapter.
That is all as far as testing is concerned, let’s sum everything up.
Wireless router ASUS WMVN25E2+ tested is a complete solution for local networking in a small office and WiMAX internet connection. The examined model was adapted for work with Yota providing internet in Moscow, Saint-Petersburg and Ufa. The testing of wireless WiMAX/Wi-Fi centre evokes mixed feelings, on the one hand, it is a multifunctional concept overlapping quite a range of network problems, on the other hand, the low speed of Wi-Fi segment and security flow do not allow us to give the highest mark to the device. Yota support service disappointed us very much. You can connect to this ISP if only you are ready to solve all the arising problems on your own. When the article was written, we came across the latest firmware of wmvn25e2plus_st-3.106r version where the TFTP access to the user station was forbidden and therefore one of the security vulnerabilities of the router was corrected. This is an intermediate beta-version and in the end the user can be offerred a firmware with another letter code. Unfortunately, it will take time for the Yota technical specialists to present the new firmware on their site for free access. For the time the article was written, the price of a mobile WiMAX/Wi-Fi centre in Yota e-shop was 9500 roubles.