WNDR3700 - Correct the Static Routes Bug

Contents[Hide]

WNDR3700

The Netgear WNDR3700 is a very powerfull router, providing a lot of professional features. One of these features is the possibility of declaring some static routes.

Static routes are very interesting if you are having a second LAN gateway on your network or if you are using a routed OpenVPN server.

But, the WNDR3700 is having a nasty bug in its static routes handling : it drops all the tcp traffic !

So, for example, if you declare a static route on your router :

  • you will be able to ping any machine between the 2 subnets accessible thru this route,
  • but any ssh, ftp, http, … connexion will hang badly. No packet will be able to go thru.

This article will explain how to get rid of this bug with a Ubuntu (or any linux) workstation.

1. Principles

As the WNDR3700 is having a nasty routing bug, we have to correct it.

This router is running DD-WRT and is using iptables to handle the firewall job.

The problem comes from one specific iptable chain loc2loc used for static routes :

Chain loc2loc (1 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT all -- anywhere anywhere

As you can see in the second rule, it drops any TCP packet. That's why a ping works as it uses ICMP, and a SSH doesn't, as it uses TCP. So, we need to modify that second rule.

We have to replace the second rule dropping the tcp packet with one rule accepting them, that's that simple !

To do so, we need to have a telnet access to the router. Telnet access is not available by default, but Netgear has provided a small Windows utility to open it.

For all Linux users, a google code project is there to provide the same functionnality with a Python script.
So, we have all the tools to correct the bug if we follow these steps :

  1. enable the telnet access
  2. connect to the router via telnet
  3. modify the faulty iptable rule

2. Pre-requisite

Before going further you have to install on your linux workstation the following packages :

  • python
  • py-crypto

Python and the crytographic libraries will be needed be the telnet access enabling script.

Under Ubuntu, you can install them easily :

# sudo apt-get install python py-crypto

3. Get the Telnet access

To get the Telnet access to your WNDR7000, you need to download a python script called telnetenable.py from http://code.google.com/p/netgear-telnetenable/.

This script will use a Netgear official backdoor to enable the Telnet access to the router from the station where it has been run.

From the directory where you've downloaded the script, run the following commands (you have to replace 192.168.x.y with your router LAN IP address) :

# host=192.168.x.y
# ping -c 1 ${host}
PING 192.168.x.y (192.168.x.y) 56(84) bytes of data.
64 bytes from 192.168.x.y: icmp_req=1 ttl=64 time=1.35 ms

--- 192.168.x.y ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.357/1.357/1.357/0.000 ms

# mac=`arp -n | awk "/${host}/"'  { gsub(/:/, "", \$3); print toupper(\$3)}'`
# echo $mac
AABBCCDDEEFF
# python ./telnetenable.py ${host} ${mac} Gearguy Geardog
Sent telnet enable payload to '192.168.x.y:23'
# telnet ${host}
Trying 192.168.x.y...
Connected to 192.168.x.y.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------

BusyBox v1.4.2 (2011-01-21 15:20:56 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
|__| W I R E L E S S   F R E E D O M
KAMIKAZE (7.09) -----------------------------------
* 10 oz Vodka       Shake well with ice and strain
* 10 oz Triple sec  mixture into 10 shot glasses.
* 10 oz lime juice  Salute!
---------------------------------------------------
root@WNDR3700:/#
iptables -L
Chain INPUT (policy DROP)
...
Chain loc2loc (1 references)
target     prot opt source               destination         
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
DROP    tcp   -- anywhere  anywhere  state NEW tcp flags:!FIN,SYN,RST,...          
ACCEPT  all  --  anywhere  anywhere           
...
root@WNDR3700:/#
exit
Connection closed by foreign host.

Bingo ! You now have a Telnet access to your router as root.

By executing the commands iptables -L in your telnet session, you have even listed all the iptables rules and displayed the loc2loc faulty one.

4. Correct the Static Route Bug

It's now time to correct the routing bug by applying a new iptables rule to replace the faulty one.

To do so, create the following script in the same directory as enabletelnet.py.

enablestaticroute.sh

#!/bin/sh

# router IP address
host=your.router.ip.address

# command to replace the faulty iptable rule
cmd="iptables -R loc2loc 2 -p all -j ACCEPT"

# ping to fill the ARP cache
ping -c 1 ${host}

# get the MAC address of the router from the ARP cache
mac=`arp -n | awk "/${host}/"'  { gsub(/:/, "", \$3); print toupper(\$3)}'`

# send the telnet enable command, MAC Address is recovered from the ARP table
python ./telnetenable.py ${host} ${mac} Gearguy Geardog

# connect thru telnet to remove the faulty iptable rule
(
sleep 1
echo ${cmd}

sleep 1
echo exit
) | telnet ${host}

To enable your WNDR3700 static routes, you just need to run the following command :

# sh enablestaticroute.sh

You should now be able to connect to any machine behind the gateway used by your static route.

Please notice that this command has to be run after every router reboot, as the modification done is not a permanent one.

Hope it helps.

Signature Technoblog

This article is published "as is", without any warranty that it will work for your specific need.
If you think this article needs some complement, or simply if you think it saved you lots of time & trouble,
just let me know at This email address is being protected from spambots. You need JavaScript enabled to view it.. Cheers !

icon linux icon debian icon apache icon mysql icon php icon piwik icon googleplus