
Editing Configuration files

Milleniumaire
Aspirant

Editing Configuration files

I've just purchased a DGND4000 dual band wireless router modem to accompany my existing Nighthawk R7000. The Nighthawk is set up downstairs with the modem functionality disabled and the DGND4000 is upstairs connected to the master BT point, and this acts as the modem. Both routers are connected to my gigabit LAN and the SSIDs on both routers are set to the same names. This appears to work well (early days yet).

However, as I have done with many Netgear routers in the past, I like to allocate specific IP addresses to my devices and so I've set up the address reservation table on the DGND4000. This is rather laborious using the genie web front end, but it's done now. My intention was then to save the settings to a config file and copy/paste them into my R7000 config file; however, the R7000 config file appears to be in a binary format and so can't be changed using a text editor.

Is there any way to create a config file for the R7000 that isn't in binary format? I really can't face having to re-type ALL the MAC addresses and IP addresses of all my equipment, and I always like to organise them so they are listed by IP address. Unfortunately, this only seems to be possible by editing the config file!

I really hope you can help with this. I've no idea why Netgear have chosen to create binary config files but this is going to be a real pain!

Alternatively, is there a better way to achieve what I'm trying to do, i.e. to ensure IP addresses are allocated to specific devices, regardless of which router the equipment connects to?
Message 1 of 11
lutin78
Aspirant

Re: Editing Configuration files

Hello,
I'm intending to do quite the same as you describe: to define a reserved set of IP addresses corresponding to @MAC and a list of trusted @MAC.

Regarding the backdoors in each Netgear router (usable through telnet), I want to restrict by @MAC as a hard limit to hacking. So I have to define it on:
- DG2200M (used as backup modem),
- DGND4000 (used as router/firewall/Wi-Fi access point, wired switch),
- WG602 (access point for poorly secured devices like DSs),
- DG834PN (hard backup with a preset to replace the first 2),
- several "ProSafe" smart switches and configurable switches

I found on the net that unreadable files can be
- an MD5 checksum first,
- then each byte coded by a binary shift: abcdefgh becomes bcdefgha

On the DGND4000 I found a 4-byte block at the end of the file without knowing what it is.


1) Have you updated your DGND4000 cfg file for the copy/paste of MAC and IP addresses?

2) Netgear support "experts" told me that it is possible (French and US teams), but after buying a DGND2200M, DGND4000 and R8000 on the strength of their validation on that point, nothing works.
Have you had such a bad experience with Netgear newbies sold as experts?

3) Have you found a solution?

Thanks for answering

Lutin78, Paris, France
Message 2 of 11
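The layout lutin78 describes (an MD5 checksum in front, then every byte rotated one bit so abcdefgh becomes bcdefgha) can be tested against a saved file instead of guessed at by hand. The script below is an added example, not Netgear's documented format and not code from anyone in this thread: it assumes the digest is 16 raw bytes at the front, tries MD5 over both the readable text and the rotated bytes because the post does not say which is covered, and does not model the trailing 4-byte block, which the thread never identifies. The sample settings line is constructed.

```python
import hashlib

# Hypothetical layout taken from the post above: a 16-byte MD5 digest followed by
# the settings text with every byte rotated left by one bit (abcdefgh -> bcdefgha).
DIGEST_LEN = 16
SHIFT = 1


def rotl8(b: int, n: int = SHIFT) -> int:
    """Rotate one byte left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotr8(b: int, n: int = SHIFT) -> int:
    """Rotate one byte right by n bits (the inverse of rotl8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def pack_config(plain: bytes) -> bytes:
    """Build a blob in the assumed layout: MD5 of the plaintext, then the rotated bytes."""
    return hashlib.md5(plain).digest() + bytes(rotl8(b) for b in plain)


def unpack_config(blob: bytes) -> tuple[bytes, str]:
    """Undo the rotation and check the digest.

    The post does not say whether the MD5 covers the readable text or the rotated
    bytes, so both are tried; the name of the matching variant is returned so a
    reader can see which hypothesis held for their own file.
    """
    if len(blob) < DIGEST_LEN:
        raise ValueError("blob shorter than an MD5 digest")
    digest, body = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    plain = bytes(rotr8(b) for b in body)
    if hashlib.md5(plain).digest() == digest:
        return plain, "md5-of-plaintext"
    if hashlib.md5(body).digest() == digest:
        return plain, "md5-of-rotated-body"
    raise ValueError("MD5 mismatch: file edited after packing, or the layout guess is wrong")


if __name__ == "__main__":
    # Constructed sample settings line, not a real router dump.
    sample = b"dhcp.reserve.1=192.168.0.10,00:11:22:33:44:55\n"
    blob = pack_config(sample)
    text, variant = unpack_config(blob)
    print(variant, text.decode())
```

If neither digest variant matches a real dump, the guess is wrong (a different rotation, a digest over something else, or a vendor trailer the example ignores), and a router would presumably reject an edited file anyway; that is the practical reason the thread ends up preferring the web UI and AP mode over hand-editing.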
Retired_Member
Not applicable

Re: Editing Configuration files

To OP: You shouldn't have to enter the address reservations in both devices. PICK one to be the DHCP server and enter the configs in it. Better yet, use AP MODE in the R7000 and then all you need to do is set up SSID and security. I use a spreadsheet with all the IPs (in order), MACs and device names. Then it's only a matter of copying and pasting when setting up the configuration. If you pay attention you can add them in IP order to the reservation list, which helps keep track. I've been doing this for years and I found that by using a spreadsheet (split screen) while using the GUI it's no problem. Another way is to turn all devices on first, then select Add from the setup and choose and edit the IP so the list is in order. This will require some rebooting when finished to get all the devices on the assigned IPs. I test, and it's not uncommon for me to reconfigure 2~3 routers with 30 reserved IPs and a blocked site list several times a month.
Message 3 of 11
fordem
Mentor

Re: Editing Configuration files

lutin78 wrote:
I want to restrict @MAC as a hard limit to hacking.


Just thought I would mention it - any hacker worth his (or her) salt would bypass this in less time than it takes you to read this post.

Have you ever heard of a "locally administered MAC address"? Maybe some research into MAC spoofing would be in order.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 4 of 11
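Two points from messages 3 and 4 fit in one small tool: keeping the reservation list sorted by IP before typing it into the GUI, and recognising a locally administered MAC address (the U/L bit in the first octet), which is exactly what a software-assigned or spoofed address carries. The script is an added example, not from this thread or from Netgear; the CSV rows, column names and network range are constructed.

```python
import csv
import io
import ipaddress
import re

# Constructed sample reservation sheet, deliberately out of IP order and with mixed
# MAC notations; not data from the original thread.
SAMPLE_CSV = """name,ip,mac
printer,192.168.0.50,00-11-22-33-44-55
nas,192.168.0.10,00:11:22:33:44:66
laptop-wifi,192.168.0.120,02:aa:bb:cc:dd:ee
desktop,192.168.0.20,001122334477
"""


def normalize_mac(raw: str) -> str:
    """Accept 00-11-..., 00:11:... or bare hex and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set: the address was assigned by software,
    not burned in by the vendor. Randomised and spoofed MACs look like this."""
    return bool(int(mac[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of the first octet) set: a group address, never valid for a host."""
    return bool(int(mac[:2], 16) & 0x01)


def load_reservations(csv_text: str, network: str) -> list[dict]:
    """Validate every row against the LAN range and return the list sorted by IP."""
    net = ipaddress.ip_network(network)
    rows, seen_ips, seen_macs = [], set(), set()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(rec["ip"].strip())
        mac = normalize_mac(rec["mac"])
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
        if is_multicast(mac):
            raise ValueError(f"{mac} is a multicast address")
        if ip in seen_ips or mac in seen_macs:
            raise ValueError(f"duplicate entry: {ip} / {mac}")
        seen_ips.add(ip)
        seen_macs.add(mac)
        rows.append({"name": rec["name"].strip(), "ip": str(ip), "mac": mac,
                     "locally_administered": is_locally_administered(mac)})
    # Sort numerically, not as text, so .10 comes before .120.
    rows.sort(key=lambda r: ipaddress.ip_address(r["ip"]))
    return rows


if __name__ == "__main__":
    for r in load_reservations(SAMPLE_CSV, "192.168.0.0/24"):
        flag = "  (locally administered: may never match a fixed reservation)" if r["locally_administered"] else ""
        print(f'{r["ip"]:<15} {r["mac"]}  {r["name"]}{flag}')
```

A row flagged as locally administered is usually a phone or laptop using per-network MAC randomisation: its reservation silently stops matching once the address rotates, and the same U/L mechanism is why an allow-list of MACs is, as fordem and RogerSC say, no real barrier.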
RogerSC
Virtuoso

Re: Editing Configuration files

fordem wrote:
Just thought I would mention it - any hacker worth his (or her) salt would bypass this in less time than it takes you to read this post.

Have you ever heard of a "locally administered MAC address"? Maybe some research into MAC spoofing would be in order.


Yes, if you want the best home wireless security, just use WPA2/AES with a strong password, and you won't need anything else to prevent "hacking". The rest of it (whitelisting MAC addresses or "hiding" your SSID) only gives you an illusion of security.
Message 5 of 11
lutin78
Aspirant

Re: Editing Configuration files

Hello, thanks for your answers

1°) To Fordem and RogerSC - trusted MAC@ topic:
Yes, I have heard about giving a locally administered MAC@ and saw it (even on Netgear devices like routers, switches). Wi-Fi security is currently set to WPA-PSK + WPA2-PSK, but I have been hacked by a neighbour and by Austrian and New Zealander addresses.
My point was to put a filter based on @MAC against whoever only knows the external IP address without a local Trojan, assuming that the neighbour has limited technical skills.
++>> About the "telnet backdoor" that provides access to a debug mode and gives patch capabilities and access to settings: does it only work from the 4 wired LAN ports or through the WAN one too?
++>> About the special settings (on some Netgear routers that can be provided by ISPs) that allow their technicians to configure routers externally, directly through WAN access: are the DGND4000, R8000 or DG2200M concerned by that?

2°) Thanks to SeaRay for advising about AP mode
searay wrote:
To OP,
You shouldn't have to enter the address reservations in both devices …
… Better yet use AP MODE in the r7000 ...
I test and it's not uncommon for me to reconfig several times a month 2~3 routers with 30 reserved IP's and a blocked site list.

My current IP list has 77 IP@/MAC@ (I have not defined the additional addresses when the same device has 2 wired + Wi-Fi). This includes 26 Wi-Fi ones to be defined as trusted on each access point. So copying/pasting is not my preferred solution given my other activities, but AP mode is better.
I will spare some settings.
I agree with your solution to turn on all devices at the beginning, but given their count and the back-up needs on several different routers, the point becomes harder, and the testing process for all devices too (please have a look at the configuration description below).
==> Remaining questions:
a) Using AP mode means that all firewall functions would only work on the DGND4000. Are they as good as those on the R8000, which is more up-to-date and powered by better processors?
b) My point about copy/paste between configuration files to transfer address settings is not solved.
The 4 bytes at the end of the file seem to be a numerical hash code to check the integrity of the configuration file.

3°) Is there a program certified by Netgear to transfer such heavily duplicated settings?

Thanks for your further answers
Lutin78

=====NETWORK DESCRIPTION======

For a clearer understanding of my network structure, I have drawn my network as described below:
Wi-Fi security is set to WPA-PSK + WPA2-PSK.
Currently, the DG834PN is wired to 1 PC and 3 switches and manages
- Professional use + the laptops when not restricted to wired connection only
- Smartphones and tablets.
For the home-use "game" part only (reserved for DS and some gamepads), I have a WG604 with WEP64.
The rest of the devices are on the wired network: Wi-Fi access point, switches, printers, smart TV, desktops (when these devices have Wi-Fi capability too, I only keep Bluetooth and Wi-Fi is deactivated).
VLANs: 1 VLAN is defined for security control, 1 VLAN for all the rest.

The new network would become:
level 0: DG2200M used as modem only (ADSL and a backup through a USB adapter to 3G/4G). It needs to be preconfigured to work as a backup if the DGND4000 burns out (2 Netgear routers out of 6 have done so over 14 years of 24/24 service)
level 1: DGND4000 for router, DHCP, exceptional Wi-Fi usage (if the R8000 crashes), main wired switching node (to R8000, GS110T, security-control device, and main admin desktop PC)
level 2:
- GS110T wired
- NAS, web server
- 4 professional-use wired PCs + the laptops when restricted to wired connection only
- GS108PE (PC, switch, TVs and PoE cameras)
- CPL adapter
- R8000 (thanks for the advice, Searay) will use AP mode, no NAT, Wi-Fi security will be WPA-PSK + WPA2-PSK.
Wi-Fi:
1 - Professional Wi-Fi use + the laptops when not restricted to wired connection only
2 - Smartphones and tablets
Wired (the rest of the devices on the wired network):
* Switches GS105E + 2 GS108GE (for room sharing): to printers, smart TVs, desktops and some laptops (when these devices have Wi-Fi capability too, I only keep Bluetooth and Wi-Fi is deactivated)
* Additional Wi-Fi access point for the home-use "game" part only (same choices), WG604 with WEP64
I should specify that:
- many OSes power my devices: Windows (XP SP2 family, XP SP3 family, XP Pro, Vista family, W7 family, W7 Pro, W8.1), BBB OS, Android, Mac OS, OS for iPad;
- DLNA sharing is needed and an iTunes server too;
- HomeGroup too for Windows sharing;
- network mapping too for printer and scanner discovery.
Message 6 of 11
fordem
Mentor

Re: Editing Configuration files

lutin78 wrote:
Hello, thanks for your answers 1°) To Fordem and RogerSC - trusted MAC@ topic: Yes, I have heard about giving a locally administered MAC@ and saw it (even on Netgear devices like routers, switches). Wi-Fi security is currently set to WPA-PSK + WPA2-PSK, but I have been hacked by a neighbour and by Austrian and New Zealander addresses. My point was to put a filter based on @MAC against whoever only knows the external IP address without a local Trojan, assuming that the neighbour has limited technical skills.
First - IF you have WPA enabled AND a strong password, and your neighbor has hacked you, his technical skills are NOT limited. Second - the chances of you seeing any MAC address on your network, that is not PHYSICALLY connected is slim to nil - any intrusion coming in from an external ip will have the MAC address of the router/gateway device through which the connection was made - IF I were to connect to you from here, you would see my ip address with your router's MAC address.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 7 of 11
lutin78
Aspirant

Re: Editing Configuration files

Thanks Fordem,

Regarding your answer, I have to add that I frequently lose access to the main router (the preceding router was a D6300; 2 other Wi-Fi points were added: 1 router/switch/access point WNRT270 + 1 Wi-Fi access point WG602).
When I installed the backup solution with the DG834PN instead of the D6300, the same troubles happened.
Main symptoms are:
- The router sometimes answers on www.routerlogin.net but not on its LAN IP address.
- The router answers with the status screen without asking for admin name or password, and something like '/debug' appears at the end of the web URL line (similar to turning debug mode on for further telnet intrusion).
- I keep a small bandwidth to the internet and severe slowness on the gigabit LAN (working more like a 10Mb LAN and far less than a 100M LAN).
- I have not seen any abnormal connected device.

fordem wrote:
First - IF you have WPA enabled AND a strong password, and your neighbor has hacked you, his technical skills are NOT limited.

Second - the chances of you seeing any MAC address on your network, that is not PHYSICALLY connected is slim to nil - any intrusion coming in from an external ip will have the MAC address of the router/gateway device through which the connection was made - IF I were to connect to you from here, you would see my ip address with your router's MAC address.


==> Could it be related to another type of intrusion?
==> Can I close the "telnet backdoor" on DG834PN / DGND4000 / DGN2200M or reroute requests somewhere to avoid intrusion through that way?
==> Would you advise me to implement another solution?

For the 2 intrusions of which I was "sure", I had used:
- netstat on potentially hacked PCs
- then a tracert on each final IP address
- finally the internet to find a locator for final IP localisation


thanks you for further answers

Lutin78
Message 8 of 11
fordem
Mentor

Re: Editing Configuration files

lutin78 wrote:

For the 2 intrusions of which I was "sure", I had used:
- netstat on potentially hacked PCs
- then a tracert on each final IP address
- finally the internet to find a locator for final IP localisation


What makes you so sure these were "intrusions"?

Netstat shows you the connections to a given host - it provides NO information on how the connections were established.

IF you were using any NAT router, any connection to a device NOT on your LAN would have to have been established either by that computer, or through the use of port forwarding, either manually configured or autoconfigured using UPnP - the NAT process used by ALL the routers you have listed, and by pretty much EVERY consumer router, discards incoming connections unless they have been specifically allowed.

It appears to me that you're looking in the wrong places and "jumping at shadows"

It is virtually IMPOSSIBLE for someone to connect to your PC once it is protected by a consumer firewall, UNLESS, you allow it to happen, either by using weak (or no) wireless encryption, or you're in the habit of using pirated software, visiting compromised websites or opening compromised emails.

In short - it's more likely that your "potential hacks" were caused by user error, rather than a misconfigured router, and you need to fix this by educating the user rather than elaborate schemes.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 9 of 11
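fordem's point that netstat lists connections but not who established them can be partly recovered from the port numbers: a local ephemeral port talking to a remote service port was almost certainly opened by this PC, while a remote ephemeral port hitting a local service port means someone came in, which behind a NAT router requires a port forward or UPnP mapping to exist. The parser below is an added example, not from this thread; it assumes the column layout of Windows `netstat -ano`, uses an explicit RFC 1918 list rather than Python's is_private (which also flags the RFC 5737 documentation addresses used here), and the sample lines are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample in the layout of Windows "netstat -ano". The public addresses
# come from the RFC 5737 documentation ranges and identify no real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.0.20:445       192.168.0.10:50112     ESTABLISHED     4
  TCP    192.168.0.20:51234     203.0.113.5:443        ESTABLISHED     4321
  TCP    192.168.0.20:51240     198.51.100.77:80       ESTABLISHED     4321
  TCP    192.168.0.20:3389      203.0.113.9:61000      ESTABLISHED     1188
  UDP    0.0.0.0:5353           *:*                                     2200
"""

# RFC 1918 plus loopback and link-local; anything else counts as "off the LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EPHEMERAL_START = 49152  # IANA dynamic port range, the Windows default since Vista


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in LAN_NETS)


def split_endpoint(ep: str) -> tuple[str, Optional[int]]:
    """'192.168.0.20:445' -> ('192.168.0.20', 445); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[dict]:
    """Classify each line by peer scope (lan/remote/listening) and likely origin."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or the "Active Connections" title
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        if proto != "TCP" or state == "LISTENING":
            scope = "listening"
        elif rhost and is_lan(rhost):
            scope = "lan"
        else:
            scope = "remote"
        # Heuristic for who started the session: our ephemeral port to their service
        # port means this host opened it; the reverse means the peer connected to us.
        if scope == "listening":
            origin = "n/a"
        elif lport >= EPHEMERAL_START and rport < EPHEMERAL_START:
            origin = "outbound"
        elif lport < EPHEMERAL_START and rport >= EPHEMERAL_START:
            origin = "inbound"
        else:
            origin = "unclear"
        rows.append({"proto": proto, "local": lhost, "lport": lport, "remote": rhost,
                     "rport": rport, "state": state, "pid": pid,
                     "scope": scope, "origin": origin})
    return rows


def inbound_from_internet(rows: list[dict]) -> list[dict]:
    """The only lines worth escalating behind a NAT router: a public peer reached a
    service port here, which needs a port forward or UPnP mapping to be possible."""
    return [r for r in rows if r["scope"] == "remote" and r["origin"] == "inbound"]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for r in parsed:
        print(f'{r["proto"]} {r["local"]}:{r["lport"]} -> {r["remote"]}:{r["rport"]} '
              f'[{r["scope"]}, {r["origin"]}, pid {r["pid"]}]')
    print("needs a forward/UPnP mapping to exist:", inbound_from_internet(parsed))
```

In the constructed sample, the only line that contradicts "the router discards incoming connections" is the public peer on a high port talking to local port 3389; everything else is either local-LAN traffic or a session this PC opened itself, which is the distinction fordem says netstat alone does not make.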
IrvSp
Master

Re: Editing Configuration files

Wondering if the 'intrusion' by neighbor was really a phantom phone that shows under DEVICES and PRINTERS in the Control Panel on W8?

I discovered that it was a Service, Windows Connect Now, that made it happen. Disabling that stopped the phantom Phones from showing.

I too thought my neighbor or someone else nearby (different phones appeared with only a MAC address) was on my network. However other than showing there I could find no instance of an actual IP Address on my LAN assigned.
Message 10 of 11
lutin78
Aspirant

Re: Editing Configuration files

Hello Fordem

fordem wrote:
What makes you so sure these were "intrusions"?

It appears to me that you're looking in the wrong places and "jumping at shadows"
.....
In short - it's more likely that your "potential hacks" were caused by user error, rather than a misconfigured router, and you need to fix this by educating the user rather than elaborate schemes.


The problem is that education does not guarantee anything (especially with teenagers and employees who seek to chat ...). For phone issues (a single wired pair with low efficiency), the same line provides home and professional use for my consultancy (phone + internet).
Intrusion is a nightmare due to private data and the need to keep broadband alive. DoS too.

The DGND4000 connected in my network sent a lot of "DoS Attack: ACK..." from IP addresses in Cupertino/California last Friday, only 2 hours after internet connection.
Of course an attack is not an intrusion, but at least a DoS downgrade.


Back to the initial question:
Do you know the formula to calculate the last 4 bytes in the configuration file for me to do the settings?

thanks
Lutin78
Message 11 of 11