These are instructions to turn the ASUS WL500g Premium2 router into a Universal Threat Management (UTM) system. Incidentally, the instructions on the packetprotector website were WAY lame (for version 3.4), which was why I started posting mine. After they upgraded their firmware from 3.4 to 3.5.1, the instructions are a LOT better (and so is the firmware), and a lot of the troubles I had getting this working melted away. So I recommend using 3.5.1 or newer. Here is a picture of the (Way Cool) router.
This router is a SWEET router, and I almost felt bad nuking the firmware that was on it. The router came with some great firmware, which I played around a little with. Here is a screenshot
But I decided to go for the UTM firmware from Packetprotector, as it gives me Snort, ClaimAV, DansGuardian, and OpenVPN. So, I can use this router to replace my VPN router, and as an IDS as well (I'm not too concerned about AV).
I Downloaded the 3.5.1 firmware (packetprotector-brcm-3.5.1.trx). The router WAS running firmware version 2.0.1.5. When I tried to install it, the ASUS would not just install the firmware from the web interface. So, I tried to 'tftp -i 192.168.1.1 PUT packetprotector....trx per their instructions---didn't work. I defaulted to unplugging router, plugged back in while holding reset button, and held until Power light blinked, indicating it was waiting for firmware. Then:
#tftp 192.168.1.1
>binary
>rexmt 1
>timeout 60
>trace
>put packet...
and this worked like a champ.
After waiting for a few minutes to ensure a successful upgrade, I unplugged the router and tried to log in with 192.168.1.1 (note, ssh doesn't work until you reset the password, which you can't do until you plug in a USB drive). So, I had to sacrifice my "Securix NSM 1.3" thumb drive for the cause. I downloaded the packetprotector-3.5.1.tar.gz tarball, unzipped it, and copied directories to the thumb. Then I un-plugged the router, plugged in in the USB, and rebooted.
The router came up perfectly. I changed the root password, and dug around. There were no SNORT codes, so I configured the WAN interface, plugged it into my router, input my oinkcode, and downloaded the current SNORT rules.
Note, that sometimes the router doesn't work well until after a reboot, so reboot it and be patient (it takes a while to come up at first)
After I looked around, I found out that the log files are stored under:
/mnt/disc0_1/packetprotector/usr/share/log/
and the snort rules are in
/mnt/disc0_1/packetprotector/etc/snort/drop-rules/
So I went to the snort configuration page, put in my oink code, and updated snort. If that works properly, you should be greeted with a screen like this:
I tested Snort with a ping, changing the /packetprotector/etc/snort/drop-rules/local-user.rule to detect and drop pings, and it worked fine. The log is stored in /tmp/log/snort-inline/, but it clears upon every reboot (probably not a good thing). I may change where this is stored, or alias it to the USB so that I can shut off the router and still have the logs.
I ran a NMAP basic scan to test the normal rules, and they worked as well from the LAN interface. Note that this is a firewall first, then an IPS, so when I ran a NMAP scan from to the WAN, the firewall dropped the packets before SNORT noticed the scan.
Since I wanted to put this router anywhere in my network, and might have to access it both from the LAN and WAN interfaces, I decided to try out the OpenVPN service. I've previously tried to get OpenVPN running on a WRT54G, a WRT54GS, and a WRT54GL with both dd-WRT and OpenWRT, and have never had any good success. But I tried it here, and it couldn't have been simpler.
First, you have to create your certificates. This is easily done via the GUI:
If you use the default results, you'll be left with something like this:
After you create your certificates, you have to copy them to your client computer (they are nicely already where they should be on the router). To do this, again, you can simply use the GUI to copy off your certificates. Here is a screenshot:
So I uploaded these to my Ubuntu machine, and tested them. They didn't work until I rebooted the router (like I mentioned above), but after I did, I have been able to create an OpenVPN tunnel from Ubuntu to the UTM effortlessly! Here's a screenshot from my Ubuntu machine setting up the interface.
I've done a little playing with it, and noticed that the router updates the Snort rules daily, as well as the ClamAV rules. I've also done a bit of playing with DansGuardian, and even though I initially thought it would be lame, I actually LOVE it! I was previously protecting my son's computer from porn/malware via OpenDNS, but on a couple of occasions I'd get a new IP address, and his computer was no longer protected. Also, although OpenDNS will filter websites it thinks is bad, a Google search for "Boobs" will still display a bunch of stuff (which you can't get to after you click on it, but it's still there because the ULD is google). But DansGuardian works on CONTENT, not addresses, so searching for "Boobs" in google simply results in a DansGuardian blockage notice.
For example: Here is what you get protected only by OpenDNS, and searching for "boobs" in Google:
And when you click on something you are, of course blocked by OpenDNS like so:
But when you do the same Google search behind the UTM, you get this as a response:
So using the UTM seems like a LOT better solution (heck, I use BOTH). PLUS, I get the IDS (actually an IPS) for malware, and the OpenVPN tunnel! ClamAV may be useful for checking for viruses in email and such, but I haven't played around with that much. Mostly I wanted an IDS that I could move around my network and wouldn't be a powrer hog (like a full-blown computer), but I love all the features of PacketProtector 3.5.1 on the ASUS WL500g!
As an update, 3.5.1 has invalid certificates (expired on 12/28/2009), so OpenVPN won't work out of the box. Additionally, 3.6.2 has bugs with the cert making scripts, so the easiest is probably to go with 3.6.1, which works find with OpenVPN, ClamAV, DansGuardian, and Snort (if you run short_update.sh from the shell, not the GUI). But an easy solution to this problem is to install 3.6.2, get OpenVPN working, and pull off the certificates. Then nuke it and install 3.5.1, and port those certificates over. This got me up and running quickly and easily.
But I decided to go for the UTM firmware from Packetprotector, as it gives me Snort, ClaimAV, DansGuardian, and OpenVPN. So, I can use this router to replace my VPN router, and as an IDS as well (I'm not too concerned about AV).
I Downloaded the 3.5.1 firmware (packetprotector-brcm-3.5.1.trx). The router WAS running firmware version 2.0.1.5. When I tried to install it, the ASUS would not just install the firmware from the web interface. So, I tried to 'tftp -i 192.168.1.1 PUT packetprotector....trx per their instructions---didn't work. I defaulted to unplugging router, plugged back in while holding reset button, and held until Power light blinked, indicating it was waiting for firmware. Then:
#tftp 192.168.1.1
>binary
>rexmt 1
>timeout 60
>trace
>put packet...
and this worked like a champ.
After waiting for a few minutes to ensure a successful upgrade, I unplugged the router and tried to log in with 192.168.1.1 (note, ssh doesn't work until you reset the password, which you can't do until you plug in a USB drive). So, I had to sacrifice my "Securix NSM 1.3" thumb drive for the cause. I downloaded the packetprotector-3.5.1.tar.gz tarball, unzipped it, and copied directories to the thumb. Then I un-plugged the router, plugged in in the USB, and rebooted.
The router came up perfectly. I changed the root password, and dug around. There were no SNORT codes, so I configured the WAN interface, plugged it into my router, input my oinkcode, and downloaded the current SNORT rules.
Note, that sometimes the router doesn't work well until after a reboot, so reboot it and be patient (it takes a while to come up at first)
After I looked around, I found out that the log files are stored under:
/mnt/disc0_1/packetprotector/usr/share/log/
and the snort rules are in
/mnt/disc0_1/packetprotector/etc/snort/drop-rules/
So I went to the snort configuration page, put in my oink code, and updated snort. If that works properly, you should be greeted with a screen like this:
I tested Snort with a ping, changing the /packetprotector/etc/snort/drop-rules/local-user.rule to detect and drop pings, and it worked fine. The log is stored in /tmp/log/snort-inline/, but it clears upon every reboot (probably not a good thing). I may change where this is stored, or alias it to the USB so that I can shut off the router and still have the logs.
I ran a NMAP basic scan to test the normal rules, and they worked as well from the LAN interface. Note that this is a firewall first, then an IPS, so when I ran a NMAP scan from to the WAN, the firewall dropped the packets before SNORT noticed the scan.
Since I wanted to put this router anywhere in my network, and might have to access it both from the LAN and WAN interfaces, I decided to try out the OpenVPN service. I've previously tried to get OpenVPN running on a WRT54G, a WRT54GS, and a WRT54GL with both dd-WRT and OpenWRT, and have never had any good success. But I tried it here, and it couldn't have been simpler.
First, you have to create your certificates. This is easily done via the GUI:
If you use the default results, you'll be left with something like this:
After you create your certificates, you have to copy them to your client computer (they are nicely already where they should be on the router). To do this, again, you can simply use the GUI to copy off your certificates. Here is a screenshot:
So I uploaded these to my Ubuntu machine, and tested them. They didn't work until I rebooted the router (like I mentioned above), but after I did, I have been able to create an OpenVPN tunnel from Ubuntu to the UTM effortlessly! Here's a screenshot from my Ubuntu machine setting up the interface.
For example: Here is what you get protected only by OpenDNS, and searching for "boobs" in Google:
And when you click on something you are, of course blocked by OpenDNS like so:
But when you do the same Google search behind the UTM, you get this as a response:
So using the UTM seems like a LOT better solution (heck, I use BOTH). PLUS, I get the IDS (actually an IPS) for malware, and the OpenVPN tunnel! ClamAV may be useful for checking for viruses in email and such, but I haven't played around with that much. Mostly I wanted an IDS that I could move around my network and wouldn't be a powrer hog (like a full-blown computer), but I love all the features of PacketProtector 3.5.1 on the ASUS WL500g!
As an update, 3.5.1 has invalid certificates (expired on 12/28/2009), so OpenVPN won't work out of the box. Additionally, 3.6.2 has bugs with the cert making scripts, so the easiest is probably to go with 3.6.1, which works find with OpenVPN, ClamAV, DansGuardian, and Snort (if you run short_update.sh from the shell, not the GUI). But an easy solution to this problem is to install 3.6.2, get OpenVPN working, and pull off the certificates. Then nuke it and install 3.5.1, and port those certificates over. This got me up and running quickly and easily.
Comments
Post a Comment