Remote Router Administration?
bduncan asks: "I'm wondering if the Slashdot community knows of bandwidth and remote admin friendly routers, accessible using either a telnet port or at least lynx (both from the inside network of course). I remotely admin a number of installations using Linux systems to do firewalling, email etc. and they all have dialup facilities in case the router misbehaves for some reason. This used to be easy, as the routers would normally provide a telnet port and/or a low bandwidth HTTP facility for setup, resetting etc. Unfortunately, the last installation using a major brand router was across the pond (in the UK) and provides only an HTTP interface, but uses high-bandwidth flash on top of this! Now, instead of just dialing in and using telnet or lynx to get to the router, I'm forced to set up a PPP connection into the Linux machine and then soak up most of the bandwidth with all kinds of useless Flash animation, just to make some changes on the router. Typing into the Flash forms can take many minutes to be echoed back and executed. Tunneling through to the Linux machine using SSH is an option, but of course not until the router is set up properly. Does anyone still make a low-bandwidth remote admin friendly DSL router for use in the UK (or anywhere else for that matter)?"
SMC makes various inexpensive routers that have remote admin capability via a simple web interface (not flash, etc.).
Try zyxel. They're cheap and good.
-- unix is for people without a social life - Patrick van Eijk
Odd. I've never seen a flash-heavy interface for router admin. That would require quite a bit more flash memory for the onboard webserver, wouldn't it? I use a Netgear MR814 at home and it allows you to remote admin via HTTP only (sorry, I know you're looking for cmdline via terminal). I haven't seen a consumer router that offers that for some time now. You may end up having to go low end "pro" equipment. In such a case, I'd say check eBay and find a gently used Cisco, Netgear, Foundry, router that does what you require. I'm the kind of belt and suspenders guy that prefers a serial cable and terminal emulation. That's just me though.
Cyclades, and god knows how many others, make terminal servers. Or you could stuff a bunch of serial ports into a Linux box and build your own.
You never heard of Cisco...
Flash for administration? That's silly and it's obviously something the marketing dept came up with.
Replace it with something that runs good ol' IOS.
Need Free Juniper/NetScreen Support? JuniperForum
A surprising number of routers actually use SNMP for configuring via their Windows-only client.
If you can find the MIB for it, you may be able to use some Linux SNMP client for configuration.
As to remote admin over dial; if you need to do that then a CLI, or at the very least a text mode menu option should be a prerequisite. It really doesn't matter what the interface is like, since you will almost certainly only be making minor configuration tweaks with the CLI once the router is up and running.
If you can afford the price premium, I'd go for one of the established CLIs like Cisco's IOS. While they can be daunting at first they do have the advantage of being a skill portable to a huge range of devices, especially in the case of IOS, and there are dozens of places with template configurations to get you started.
On the other hand the general consensus on the UK Broadband newsgroups seems to be that Draytek make some excellent kit. I can certainly vouch for that, since I use one myself - a Vigor 2600we to be precise, which cost about 160, but the 2600g is just out that ups the wireless support from 802.11b to 802.11g. To summarise the key features in addition to the wireless:
- Lightweight HTTP GUI
- CLI access (straightforward, but no IOS feature-wise)
- DHCP server / DDNS support
- ISDN on some models - dial directly into the router to manage it!
- Stateful firewall with content filtering & DDoS protection
- VPN support
- Management tools including NTP, SNMP & remote syslog support
All in all a very nice bit of kit, and unlike a certain Netgear product you don't have to help DDOS the University of Michigan NTP server.
UNIX? They're not even circumcised! Savages!
All I use at the end of my DSL connection is a "network termination device" provided by the ISP, which I assume is a router that's so simple, it's almost just a wire. At any rate, with something as simple and transparent as that, I never get "router misbehavior." I don't know what the ISP's you use provide, but I'd assume they give customers something; I don't know if you need more complex routing to be done on the device, but whatever needs to be done for your internal network should really take place on the firewall anyway.
It's all going according to
Most of these enhancements to the stock WRT54G can be accomplished as changes to its filesystem's ramdisk so that they are not permanent and a simple reboot of the router will get you back to the non-hacked state. If you're feeling brave however, you can try to create your own firmware and commit it to flash at the risk of messing up and creating a small doorstop out of a perfectly good router.
Unfortunately the built in capabilities accessed via its HTTP interface are a bit slim and simplistic (i.e. no SNMP router logging and the built in logging capabilities are VERY basic, only 5 port filters, no Static IP assignments based on MAC addresses, no port triggering) but par for a home/office grade router. Besides, you could always add what you want via your root Linux access neh?
Reviews of the router performance have been positive, with little difference in bandwidth in running with WEP on or off (unlike many other inexpensive wireless routers, which have up to a 50% reduction in wireless bandwidth with encryption turned on).
Pretty exciting to have a little router that has the potential to do much more than the usually lukewarm manufacturer's firmware allows.
Dave
There are no stupid questions...just stupid people.
I can confirm this - my DLink DSL-504 ADSL router has an annoying flash animation on the login screen, it's a nightmare through low-bandwidth VNC connections. Only the later firmware updates though.
Since when is a web interface considered less easy to implement than a telnet command line interface? Sheesh. Web interfaces aren't usable over serial. Implement them as client software, not on the device.
I am sure that everyone here would like to know which brand/model that is and avoid it like the plague.
To answer your question, almost all brand name routers offer telnet access to the CLI. They also have a console serial port offering a direct connection to the CLI into which you can plug a modem for dial-up access to the CLI. The brands to look at are Cisco, 3Com, Nortel, Juniper and many more. In fact, you should avoid any router that does not offer telnet/ssh access and a console serial port.
Some of the new home based broadband routers like the LinkSys have only a web interface, which is adequate if you have physical access to the router but, as you have seen, this can be problematic.
Please post which router you were stuck with.
Roll your own box with Freesco. The base install has telnet and a web control panel but you can install the SSH package and be happy.
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
This must be one of those cheapie consumer routers intended to be "install and forget" devices. No serious self-respecting network/communications equipment maker would ever rely solely on such cruft for out-of-band management of devices!
(I even wrote about my Soekris/m0n0wall box on my website recently).
My Netgear WGR614 802.11g router can be controlled via HTTP. What I love more about it is that it can update its own IP on DynDns.org so I don't have to keep remembering the IP address and just use this free service to create my own domain name. I even use remote connect to my home PC from work.
Sounds like you're using a soho router.
That said, if you were using a Cisco 2600 or 3700 series router, it would be a simple thing to slip in a WIC-1-AM, which is a one port analog modem. This modem can provide simple console access, handle PPP, dial-backup, callback, and probably several other neat things. You can implement authentication based on local accounts, or on authentication servers (tacacs/radius).
I've got about 200 of these deployed around the U.S. and they have been a major life saver many times when we've needed to trouble a circuit or router, or even to do bandwidth (port) upgrades. I no longer have to have my team travel around the country to install network modules or WIC cards. We can have an office technician on the phone and walk them through power down, removal, and re-insertion of most hardware, without having to give anyone else console access.
Sig??? I don't need no stinkin Sig!
Netopia and Cayman Routers both have very decent CLI (telnet) interfaces for configuration and simple web interfaces. Netopia seems to be a preferred DSL router maker for a number of European phone companies (not sure about England).
Netscreen makes an excellent firewall/router product. You can SSH, Telnet, HTTP, HTTPS and SNMP the box.
Just curious which brand uses flash for their administrative frontend?