You can get around the wholy-disgusting PPTP-to-PPP relaying (or known as VPN to the Windows users). How? Simply change your Alcatel SoftTouch Home to a Pro version, by some simple hex editing. Here's a short guide written by Robert Elman:
Most of the following information came from an article at: http://hacks.sateh.com/alcatel.php The only thing that's flat out wrong for use in Israel, is that the article says NOT to check the PAP button, whereas in fact it *must* be checked here.
Apply patch to change Alcatel SpeedTouch Home to SpeedTouch Pro:
Login via telnet to the ADSL modem at 192.168.2.138
Hit enter to "User :" prompt.
Note the challenge. For me it was: SpeedTouch (00-90-D0-1B-76-34)
(If you've set a password, which you should(!), enter it.)
After you're logged in, type (all caps): EXPERT
You can get the password for your particular modem's MAC at site:
http://security.sdsc.edu/self-help/alcatel/challenge.cgi
Respond with password: 3534175761
To enter RIP mode; type: rip
Read a register; type: drv_read 2 1 b
Response was 8704, but could be different on other modems.
Write it back with low nibble as 6; type: drv_write 2 1 b 8706
Exit RIP mode; type: exit
Enter system mode; type: system
Reboot the modem; type: reboot
Login via your browser to http://192.168.2.138
Delete PPTP enrty:
RELAY_PPP1 VCMUX never
Press "Apply"
Delete Phonebook entry:
RELAY_PPP1 8 48 pptp
Press "Apply"
Add a new Phonebook entry:
Name: MXS VPI: 8 VCI: 48 Type: ppp
Press "Apply"
Add a new PPP entry:
Name: MXS Encap: vc-mux
Press Config for the entry and fill in the form:User: your user id, e.g., camtmx@INetvision
Password: your password
Connection Sharing: Everybody (or whomever you want to be able to use it)
Destination network: All networks
Specific network: leave blank
Address translation (NAT-PAT): checked
Primary DNS: primary DNS for your ISP, Bezeq's is 192.115.106.10, Netvision's is: 194.90.1.5, Internet Zahav is: 192.116.202.99 Secondary DNS: secondary DNS for your ISP or blank or somebody else's!
Local IP: none
Remote IP: none
Mode: always-on (unless you prefer connection established on demand or manually vial the Dial dialog on the modem's HTML pages)
Idle time-limit: leave blank (unless you want disconnect after idle time)
LCP echo: checked
PAP: checked (***Contrary to the article's settings ***)
ACCOMP: checked
Press Apply
On PPP page:
Change Status on MXS entry to "on".
Press Apply.
It takes a short while to connect. The "State" will change from "trying..." to "up" when successful. It should stay that way until the next time you power-cycle the modem or something fails on the DSL phone line.
Note that these settings will all go away the next time you power cycle or reboot the modem unless you press SAVE ALL.
Now, you can get rid of the VPN dial-up connection on your machines!
Basically, you just need to set the default gateway on the computers on the network to be 192.168.2.138. Of course, since I've got a whole routing/firewall/server on the Linux machine - it isn't quite that simple.
This is what I did:
Added to routing on the ADSL modem:
(source) 192.168.1.0/24 (destination) 192.168.2.0/24 (gateway) 192.168.2.34 (intf) eth0
to allow returning packets to the home network.
Also, from the CLI, do:
nat defserver addr=192.168.2.34
to route all unknown packets to the linux, but there is a problem with it
the ADSL modem ACCEPTs all connections before forwarding them, even if the
linux REJECTs them. So all the port-scanners that check for 1080 or other
ports, seem to find it. Solution? Create static NAT routes:
# webserver, mailserver, ident server, 2nd webserver, and the alternate telnet ports $ :nat create protocol=tcp inside_addr=192.168.2.34 inside_port=80 outside_addr=0 outside_port=80 $ :nat create protocol=tcp inside_addr=192.168.2.34 inside_port=25 outside_addr=0 outside_port=25 $ :nat create protocol=tcp inside_addr=192.168.2.34 inside_port=113 outside_addr=0 outside_port=113 $ :nat create protocol=tcp inside_addr=192.168.2.34 inside_port=60801 outside_addr=0 outside_port=60801 $ :nat create protocol=tcp inside_addr=192.168.2.34 inside_port=2408 outside_addr=0 outside_port=2408
Added to linux:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
so that all packet sent to default gateway will get masqueraded.
Back to Tech Journal