Connection of the whole network to Yota or ASUS WMVN25E2+

Introduction

Exterior Design

Hardware
Firmware update
Web-interface review
Command line interface review
Testing
Conclusion

Introduction

In one of the articles, we have already studied network functioning of WiMAX provider Yota in regard to the connection of a single device. Now we’ll try to describe ASUS WMVN25E2+, a fully-featured router able to provide Internet access via WiMAX connection for both wired and wireless segments of the whole LAN. The device permits the connection of two POTS telephones to any of SIP providers as well. Let us examine it more thoroughly.

Exterior Design

WMVN25E2+ is performed in a white plastic case. This design is not new. We can come across it with other network ASUS devices, for instance, RT-N15 which is a bit smaller and does not have external antenna. The router is designed for desktop mounting. It cannot be set up on the wall or in the rack without supplementary fixtures.

On the side panel there are the vendor and model name as well as the name of WiMAX provider the device is adapted for. Besides, there are vent holes at the bottom of the case.

There are status LEDs on the top panel of WMVN25E2+. The scale showing the power of the received WiMAX signal or indicating the special operation mode of the mobile WiMAX/Wi-Fi centre is marked with numbers from one to six.

On the bottom there is a turning stand for more stable positioning and the label with the name and MAC-addresses of the router.

The rear panel is more interestig. It has four RJ-45 LAN ports (Fast Ethernet), two RJ-11 FXS ports for the POTS telephone connection, power connector, antenna and Reset and EZsetup buttons, for reset to the default settings and for establishing wireless network respectively.

Now we are done with the exterior design of the device under test. Let’s have a look at its hardware.

Hardware

Electronic staff of WMVN25E2+ consists of two double-sided boards of green textolite. Let’s study each of them in detail.

There is Ralink RT2860T chip set for wireless communication on the minor board. It’s not the first time ASUS uses this chip set. The same chipset is placed on a wireless network PCI-card WL130N. Broadcom BCM5325EKQMG the flow chart of which is shown below is responsible for wired Fast Ethernet segment in WMVN25E2+.

Flash-memory Spansion S29GL064N90TFI04 with capacity of 8 Mbytes is located on the other side of the board.

Let’s have a look at the major board. On the one side there is Serial Flash memory STMicroelectronics 25P64V6G with storage capacity of 8 Mbytes. Both on this and reverse side there are heat sinks of considerable dimensions and screens above the antennas.

There is a power connector and ports for POTS telephones provided by Zarlink Le88221DLC on the same side of the board. Connection with WiMAX is provided with the help of chipsets Maxim MAX2839 and Sequans SQN1130.

That’s all for hardware. Now let’s pass over to firmware update.

Firmware update

Firmware update of WMVN25E2+ can be performed in two ways, either by the traditional file download via web-interface from the administrator computer or by turning the router to search for new firmware on the internet.

Just to be on the safe side we decided to update firmware by downloading its image through the browser. So we go to Update Firmware category in Management menu where we select From Local PC. Then it was necessary to specify new firmware file and click Update Firmware. By the time the article was finished the new firmware had become available on Yota web-site.

It should be mentioned that our attempt to update firmware via Opera 9.64 was not a success.

Though the same file can be downloaded with the help of Microsoft Internet Explorer 8.

The whole updating process takes about two minutes and does not require any additional actions from the user.

When firmware update is completed, it can be checked either in the left lower corner of web interface or via Information about the device from Status menu.

In any case it’s better to check firmware updates via WMVN25E2+ update server.

That’s all as the procedure of firmware update of the router is concerned.

Web-interface review

To get an access to the web interface of WMVN25E2+ it is necessary to type http://192.168.1.1 in the address bar of the browser. The web interface can be reached with the help of any browser, though ASUS advises to use Internet Explorer. After addressing to the router it’s necessary to type in the user name and the password which are admin/admin by default.

If the logon information contains a mistake, the user will get the message about the denied access with the name of HTTP server in WMVN25E2+. This is not the best solution as far as security is concerned. The function of the web server in the tested router is performed by micro_httpd.

It is worth mentioning that we will not describe all the opportunities of the web interface of the device and will turn our attention to the most interesting ones.

The first menu group – Connect to the Internet – does not contain any submenus, it allows scanning wireless network IEEE 802.16e for WiMAX signal of Yota network. There is also some information about the device and the data about the technical support of the provider WMVN25E2+ is oriented to. There is also exists an option to switch the interface language between English and Russian on this page.

There is some information about the device in the Device Information submenu in the Status menu, i.e. the information about MAC addresses of network interfaces of WMVN25E2+ and its uptime as well as the information about the versions of all firmware components.

WiMAX Network Status submenu in the Status menu contains the information about the current status of WiMAX connection.

Traffic Statistics submenu in the Status menu contains information about the amount of data transmitted and received through different interfaces of the router. It is important to note that here presented total Ethernet statistics, in other words, it is impossible to say through which particular interfaces of Fast Ethernet the data has passed.

Let’s pass to the first submenu Local Network Configuration in the Andanced menu. Here we see four tab pages: IP Settings, DHCP Server, UPnP and IGMP Snooping. But we are interested in the first two. We consider Secondary IP Address in the local interface of the router to be a pleasant but not frequently used opportunity. Secondary IP address can be useful for a smoother change-over of local computers into the subnet with new IP-addresses.

 

 

WMVN25E2+ can either provide proper IP address settings (built-in DHCP Server), or relay DHCP to a particular server (by IP-address). The same opportunity is provided in Cisco routers where it is called ip helper-address.

 

That is all for Fast Ethernet. Now let’s come over to Wi-Fi Wireless Configuration, Advanced menu. There are four tab pages here as well. They are Basic Settings, Security, Access Control and Repeater. The first tab page allows setting up to four Wi-Fi Wireless networks. An interesting function is the restriction of users’ access to each other which is regulated by User Isolation option.

It is possible to configure IP-settings of WiMAX interface and NAT in the Advanced submenu, WiMAX Wireless Configuration. There is also information about the device certificates here.

Virtual Server Configuration page looks a little bit unusual (Advanced – Virtual Server). It is possible to forward up to three ports with one rule to the server within LAN. Though the ports are forwarded with the same numbers they come if you configure extent forward. It means that it’s impossible to forward ingoing TCP-ports from 10000 up to 20000 to some inner server TCP-ports from 30000 up to 40000. Message about the corresponding mistake is presented below. Though single port forwarding is possible.

Let’s turn to another tab page – Static DNS Configuration. This page allows configuring DNS mapping between name and IP-address for your local hosts. We’ll speak about this tab page in details in Testing section.

Administrator can configure quite in detail filtering rules (for a SOHO device) in Anvanced submenu, Firewall Configuration.

Beside application traffic transfer WMVN25E2+ can edit voice calls as far as it has SIP client and two ports RJ-11 for the POTS telephone connection. So this is a complete solution for LAN (Wired and Wireless) and Telephony organization in a small office. SIP client can be customized in Advanced submenu, Internet Telephony Configuration.

The most interesting submenu in Management menu is Management Control from Remote, so let’s speak about its twists and turns. In the old firmware it has two tab pages: from remote computer and from local computer. Though after firmware update to 3.106d Management Control from Remote disappears so the user cannot turn on/off services available from LAN. The page has not disappeared indeed but there is no link to it from the web-interface. It is necessary to use URL http://192.168.1.1/accesslocal.cmd?action=viewcfg to get an access to it. Management Control from LAN can be used, for instance, to deny access to inbuilt TFTP-server. It will be explained in details in testing section.

These are all fine points concerning web-interface of WMVN25E2+.

Command line interface review

To get an access to the command line of WMVN25E2+ it is necessary to tick Telnet in From Local Computer tab page of Management Control – From Remote. User name and password are the same as in the web-interface.

Mobile WiMAX Subscriber Station Software Version: 3.106d
Login name: admin
Password:
> ?
 
?
help
logout
reboot
brctl
cat
ddns
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
localaccess
restoredefault
route
save
swversion
sqnmode
wimaxiot
cmd
ping
ps
pwd
sntp
sysinfo
tftp
voice
wlctl
wireless
gpio
rfled
atemode
getresetdefaultbutton
getwpsbutton
allledon
allledoff

The command line differs from the ones of previous ASUS products. It is necessary to write system calls and their configuration in full, abbreviations are not allowed. Let’s study some available commands.

It is possible to look up or to change the settings of network interfaces with the help of the call ifconfig command. A part of data submitted can be received with the help of lan command.

> ifconfig
br0 Link encap:Ethernet HWaddr 00:22:15:A5:B4:FF
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:295019 errors:0 dropped:0 overruns:0 frame:0
TX packets:16248 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20652553 (19.6 MiB) TX bytes:10298537 (9.8 MiB)
eth0 Link encap:Ethernet HWaddr 00:24:8C:27:3D:94
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:295621 errors:0 dropped:0 overruns:0 frame:0
TX packets:17819 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26016910 (24.8 MiB) TX bytes:10548782 (10.0 MiB)
Interrupt:25 Base address:0x4800
eth1 Link encap:Ethernet HWaddr 00:22:15:A5:B4:FF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:36954 errors:0 dropped:0 overruns:0 frame:0
TX packets:1888 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2364992 (2.2 MiB) TX bytes:166486 (162.5 KiB)
Interrupt:23 Base address:0x4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> ifconfig --help
BusyBox v1.00 (2009.06.06-01:53+0000) multi-call binary
Usage: ifconfig [-a] <interface> [<address>]
configure a network interface
Options:
[[-]broadcast [<address>]] [[-]pointopoint [<address>]]
[netmask <address>] [dstaddr <address>]
[hw ether <address>] [metric <NN>] [mtu <NN>]
[[-]trailers] [[-]arp] [[-]allmulti]
[multicast] [[-]promisc] [txqueuelen <NN>] [[-]dynamic]
[up|down] ...

The defaultgateway command is responsible for routing. The same results can be reached with the help of route utility.

> defaultgateway
Usage: defaultgateway config auto
defaultgateway config static <[<IP address>] [<interface>]>
defaultgateway show
defaultgateway --help
> defaultgateway show
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.0.0 192.168.1.2 255.255.0.0 UG 1 0 0 br0
> route
Usage: route add <IP address> <subnet mask> <[<gateway>] [<interface>]>
route delete <IP address> <subnet mask>
route show
route --help

The localaccess command configures the access to the services of the router. It should be mentioned that even SSH access permission will not allow to connect to WMVN25E2+ since the corresponding daemon is not running.

> localaccess
Usage: localaccess config <http> <telnet> <tftp> <ftp> <ssh>
localaccess --help
enable or disable local management via various methods
Example: localaccess config on on on on on
localaccess config on on off off off

To see the list of processes (daemons) running one should use ps utility. The kill command stops any process.

> ps
PID Uid VmSize Stat Command
1 admin 332 S init
2 admin SWN [ksoftirqd/0]
3 admin SW< [events/0]
4 admin SW< [khelper]
5 admin SW< [kblockd/0]
17 admin SW [pdflush]
18 admin SW [pdflush]
19 admin SW [kswapd0]
20 admin SW< [aio/0]
24 admin SW [mtdblockd]
34 admin 364 S -sh
66 admin 1444 S cfm
248 admin 240 S tftpd
385 admin 2164 S httpd
387 admin 2032 S rvsip
393 admin 1288 S thpmgr
396 admin 308 S dproxy
397 admin 2032 S rvsip
398 admin 2032 S rvsip
399 admin 2032 S rvsip
400 admin SW< [BosThread]
401 admin SW< [BosThread]
402 admin SW< [BosThread]
403 admin SW< [BosThread]
404 admin SW< [BosThread]
405 admin SW< [BosThread]
406 admin SW< [BosThread]
407 admin 1288 S thpmgr
408 admin 1288 S thpmgr
409 admin 1288 S thpmgr
412 admin 2032 S rvsip
413 admin 2032 S rvsip
414 admin 2032 S rvsip
415 admin 2032 S rvsip
416 admin 2032 S rvsip
418 admin 244 S mpd
420 admin 2032 S rvsip
421 admin 2032 S rvsip
422 admin 2032 S rvsip
29088 admin 1288 S thpmgr
8239 admin 1464 S telnetd
8240 admin 1504 S telnetd
8887 admin 312 S sh -c ps
8888 admin 332 R ps
> kill
BusyBox v1.00 (2009.06.06-01:53+0000) multi-call binary
Usage: kill [-signal] process-id [process-id ...]
Send a signal (default is SIGTERM) to the specified process(es).
Options:
-lList all signal names and numbers.

The ARP-protocol is guided by the command with the same name.

> arp
Usage: arp add <IP address> <MAC address>
arp delete <IP address>
arp show
arp --help
> arp show
IP address HW type Flags HW address Mask Device
192.168.1.2 0x1 0x2 00:1C:F0:1D:80:41 * br0
192.168.1.7 0x1 0x2 00:13:D4:B7:F1:3F *br0

The administrative password can be changed with the help of the call passwd command.

> passwd
Usage: passwd <admin|support|user> <password>
passwd --help

Firmware version can be received with the help of the swversion utility. Information about the system can be called by the sysinfo command. The system uses BusyBox v1.00 (06.06.2009).

> swversion
Usage: swversion show
swversion --help
> swversion show
Firmware Version: 3.106d
WiMAX Driver Version: 4.60.6-19028
WL_RT_ioctl: ioctl error during set command
Wireless Driver Version:
> sysinfo
Number of processes: 44
6:13am up 2 days, 6:13,
load average: 1 min:0.00, 5 min:0.01, 15 min:0.00
total used free shared buffers
Mem: 29772 28592 1180 0 2772
Swap: 0 0 0
Total: 29772 28592 1180
> sysinfo --help
BusyBox v1.00 (2009.06.06-01:53+0000) multi-call binary
Usage: sysinfo System status report
System status report

Voice settings of WMVN25E2+ are gathered in voice command.

> voice
Command syntax:
voice --help - show the voice command syntax
voice show [all|PhoneStatus|PhoneState] - show the voice parameters
voice start - start the voice application
voice stop - stop the voice application
voice restart - restart the voice application
voice set interface <interface> - set interface name used by the voice application (br0, ppp
_8_35_1, etc.)
voice set registrar <IPADDR:PORT> - set IP address and port for SIP registrar
voice clear registrar - clear IP address and port for SIP registrar
voice set obproxy <IPADDR:PORT> - set IP address and port for outbound SIP proxy
voice clear obproxy - clear IP address and port for outbound SIP proxy
voice set proxy <IPADDR:PORT> - set IP address and port for SIP proxy
voice clear proxy - clear IP address and port for SIP proxy
voice set phone1 <num:callername:UserName:passwd> - set phone 1 configuration
voice clear phone1 - clear phone 1 configuration
voice set phone2 <num:callername:UserName:passwd> - set phone 2 configuration
voice clear phone2 - clear phone 2 configuration
voice set prefcodec <codec> - set the preferred codec (G711U, G711A, G723, G726, G729A)
voice set country <number> - set PSTN Country :
01:US 02:EU 03:UK 04:NL 05:FR 06:CH 07:SE 08:BE 09:JP 10:C
N 11:FI 12:DE 13:IT 14:BR 15:DK
16:HU 17:CL 18:NZ 19:AU 20:RU 21:ES 22:AT 23:CZ 24:IE 25:P
L 26:RO 27:SK 28:SI
voice set testmode <enable/disable> - Enable or disable test mode
voice set dialplan <dialplan>- Setup the dial plan

That’s all as far as command line interface is concerned.

Testing

We started testing WMVN25E2+ with the estimation of load time of the router that is the time from the moment of power connection of the device till the return of the first ICMP echo-response . WMVN25E2+ boots in 18 seconds that is a very good result.

Then we tested security of the mobile WiMAX Wi-Fi center and its stability to network attacks. We made this testing from LAN deliberately because many ports which could be accessed by the network scanner were open from the inside. Positive Technologies XSpider 7.7 (Demo build 3100) was chosen as a network analyzer. Three open ports were discovered, they are TCP-23 (Telnet), TCP-69 (TFTP) and TCP-80 (HTTP). The most interesting messages about the security problems of WMVN25E2+ are presented below.

Yet the indicated security vulnerabilities are not the most terrible ones. When scanning TFTP-service the router reboots, it can be seen because the echo-responses (ICMP) disappear and the uptime in the web interface is offloaded (Status – Device Information). It’s the first time we come across to such behaviour of ASUS devices, though we have tested more than ten different commutators, routers, access points and cameras. Of course, the administrator can switch off TFTP service but it is switched on by default and is accessible both from LAN and WLAN. It should be mentioned that the user can come across some difficulties if the access to the TFTP-service is switched off. This situation is described in detail in Web Interface Review secton.

 

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Request timed out.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.1: bytes=32 time=1999ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

The latest versions of firmware of 3.106 series do not allow the user to set the access to the wireless centre from LAN and TFTP access so the TFTP-service became inaccessible from LAN and WLAN. If the user needs due to some reason the access via TFTP to the router then he can switch it on but the device will become vulnerable to the attack described above. It goes without saying that we have informed Yota technical specialists about this vulnerability and hoped that it would be corrected. But unfortunately, after our month attempts to contact by telephone and email with the technical support service of the provider selling WMVN25E2+ in Russia we could only get a formal reply that the data had been sent to their specialists.

When studying the web interface of the router we came across static DNS. We created a new record with the wrong data.

After that we addressed to the router under testing with DNS query to allow the name www.ru, the answer was 192.168.1.2.

C:\>nslookup www.ru. 192.168.1.1

Server: WMVN25E2plus.home
Address: 192.168.1.1
Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: www.ru
Address:192.168.1.2

The operating system used on the computer tested is Microsoft Windows Vista x64 SP2 with switched on IPv6 support that caused two-second timeout in DNS-response. At that time a vain query for AAAA record of IPv6 protocol takes place. The presence of such a query is seen if the packets are captured with Wireshark when testing.

To our opinion, the only highly sought test of bandwidth can be wireless 802.11n segment efficiency testing that is the speed of data transmission between LAN and WLAN segments. The results of the test are presented in the table below though we cannot say they are impressive. Perhaps the reader will get higher speed using WMVN25E2+ in another environment or in pair with another client-adapter.

 

Direction

Speed, Mbps

LAN->WLAN

47.2

LAN<->WLAN

49.6

LAN<-WLAN

46.4

 

That is all as far as testing is concerned, let’s sum everything up.

Conclusion

Wireless router ASUS WMVN25E2+ tested is a complete solution for local networking in a small office and WiMAX internet connection. The examined model was adapted for work with Yota providing internet in Moscow, Saint-Petersburg and Ufa. The testing of wireless WiMAX/Wi-Fi centre evokes mixed feelings, on the one hand, it is a multifunctional concept overlapping quite a range of network problems, on the other hand, the low speed of Wi-Fi segment and security flow do not allow us to give the highest mark to the device. Yota support service disappointed us very much. You can connect to this ISP if only you are ready to solve all the arising problems on your own. When the article was written, we came across the latest firmware of wmvn25e2plus_st-3.106r version where the TFTP access to the user station was forbidden and therefore one of the security vulnerabilities of the router was corrected. This is an intermediate beta-version and in the end the user can be offerred a firmware with another letter code. Unfortunately, it will take time for the Yota technical specialists to present the new firmware on their site for free access. For the time the article was written, the price of a mobile WiMAX/Wi-Fi centre in Yota e-shop was 9500 roubles.

Add comment


Security code
Refresh

Found a typo? Please select it and press Ctrl + Enter.