Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Tuesday, September 25, 2012

Linksys WRT120n and VPN
150Mbps N router, so not up to real N speeds, with 100 Mbit/s switches 

version 1.0
CPU: Atheros AR7240-AH1E @ 400 MHz

Frequency: 2.4 GHz
Not supported by DD-WRT firmware
User guide:

WRT120N Features
 Availability: currently available
 List price: $79
 Street price: $47
 Warranty: 1 year(s)
 LAN / WAN Connectivity
 WAN ports: 1
 WAN port(s) type: 10/100 Base-TX (RJ-45)
 LAN ports: 4
 LAN ports type: 10/100 Base-TX (RJ-45)
 LAN ports auto cross-over: yes
 NAT routing: yes
 Multihomed: yes
 DMZ: yes
 Port forwarding: yes
 Port forwarding of ranges: yes
 Port triggering: yes
 DHCP server: yes
 DHCP client: yes
 Dynamic DNS client: yes
 QoS: yes
 UPnP: yes
 MAC Address clone: yes
 MTU configurable (WAN): yes
 MTU limit (WAN): 1500
 PPPoE client: yes
 Maximum Wireless Speed: 150 Mbps
 WiFi standards supported: 802.11b (11 Mbps), 802.11g (54 Mbps), 802.11n (draft)
 Wifi security/authentication: WEP, Wireless MAC Address filtering, SSID Broadcast disable
 WiFi modes: Access point
 internal antenna(s): 2
 Antenna gain: 2 dBi
 Transmit Power: +14 dBm
 Receiver Sensitivity: 75 dBm
 Default SSID: linksys
 WMM (QoS): yes
 WPS (Wi-Fi Protected Setup): yes
 IPSec passthrough: yes
 L2TP passthrough: yes
 PPTP passthrough: yes
 SPI firewall: yes
 Filtering: IP Address filtering, Proxy, Java, ActiveX, Cookie
 Device Management
 Default IP address:
 Default admin username:
 Default admin password: admin
 Administration: Web-based (LAN), Remote configuration (WAN), Quick Setup Wizard
 Firmware upgradeable: yes
 Configuration backup/restore: yes
 Event log: yes
 Diagnostic functions: yes (ping, traceroute)
 Product page:

Earlier releases of this router had an issue that caused a problem when trying to reset the router to default settings.
The router would not reset in the normal way. This has since been fixed by upgrading its firmware using a specific method. See
when your ISP uses an ADSL router Zhone Paradyne
All 3 types of VPN tunnelling are enabled but VPN doesn't work
VPN = SonicWALL Global VPN Client
Using a Linksys BEFSR41 wired router with same VPN works ok
What setting is missing to use WRT120N ?
Easy fix is to go to router settings and enable DMZ for your computer's IP address.
Also you can actually find out what ports this VPN uses and go to the Port Forwarding part of the router and open the ports manually.
My favorite is DMZ. All this does is open up ports for your computer's IP address so there are no blocked packets.
If you're using Windows machines (NT 5.2), client OSs can accept up to 10 incoming PPTP VPN connections (EDIT: only in the Professional or Business editions of these Windows accept up to 10 connections; Home editions only accept 1 incoming connection) as per these instructions. Of course, Windows has built-in PPTP VPN client capabilities so there is no software needed. You'll need to edit the router that the receiving computer is behind to forward PPTP ports to the newly created VPN "server". The real question is: does the router that the receiving computer is behind pass GRE through?
After upgrading the firmware did you reset/reconfigure the router? Did you try to enable DMZ feature? Here is the link provided which can help you in resolving the issue: connect-linksys-router-wired-wireless-access-point
Add VPN’s communication ports to your router’s settings. To do that, log in to your router and navigate to port forwarding settings (there are no standard instructions because every router’s interface varies from others). You need to create a new forwarding to port 1723 which is by default the port that VPNs use to connect. Also, this port needs to be pointed to your PC’s IP address that was obtained through ipconfig command. Save your settings and reboot the router once.
DMZ on the Cisco RV110W
Enable ports 23, 50, 51, 449, 8470-8476, all on TCP and UDP

Problems connecting to the VPN through the Linksys router
Article ID: 4478

This article explains common reasons why trouble occurs when connecting to VPN through a Linksys router and how to troubleshoot.
Verify VPN Pass Through is Enabled on Your Linksys Router
Linksys Routers enable VPN Pass Through by default. To verify that VPN Pass Through is enabled, access the router's web-based setup page. For instructions, please follow the steps below.
Step 1:
Access the router's web-based setup page. For instructions, click here.

Step 2:
When the router's web-based setup page appears, select VPN, and then select VPN Pass Through.

Step 3:
Make sure IPSec, PPTP, and L2TP Pass Through are all enabled. Note: If all three Pass Throughs are enabled, contact the VPN Software developer to configure the software behind a router.
Step 4:
Disable Block WAN Request and Set to Gateway Mode
After finishing VPN tunnel and IPSec setup, go to Firewall and then the General page on the remote gateway and disable Block WAN Request. This will prevent ICMP packets from being blocked and the remote gateway from being unreachable.

Disabling Block WAN request on Firewall General page
Also, make sure that both routers are working on Gateway mode and routing protocol RIP is disabled. In router mode, any computer connected to the router will not be able to connect to the internet unless you have another router as gateway.

Selecting Gateway working mode on Setup Advanced Routing page
Check Reachability of VPN Devices
Before making a connection on the VPN tunnel at the VPN Summary page, it is important to check the reachability of the VPN devices. If the WAN IP address of the remote gateway/client cannot be pinged by the local gateway/client, or the WAN IP address of the local gateway/client cannot be pinged by the remote gateway/client, the VPN tunnel cannot be created; the network configuration should be checked instead.
Ping remote gateway before VPN connection.

Remote gateway can be reached successfully before VPN connection
After VPN connected successfully, remote host can be pinged.

Remote host can be reached after VPN connected successfully
Allow ICMP Pass Through on Remote Host Firewall
If remote host can not be pinged but the VPN tunnel is connected as indicated on VPN summary page, check the firewall setting on remote host.
Step 1: For Windows, select Start, then select Control Panel.
Step 2: Select Windows Firewall.
Step 3: Select the Off button to disable firewall.
Step 1: For Windows, select Start, then select Control Panel.
Step 2: Select Windows Firewall, and then select the Advanced tab.
Step 3: Select the appropriate Network Connection Settings.
Network Connection Settings
Step 4: Select the Settings… button in the Network Connection Settings section and then select the Advanced tab.
Step 5: Check the box next to Allow incoming echo request and then select OK.
Network Firewall Configuration on VPN
If the remote gateway cannot be reached or VPN connection setup fails, network firewall settings should be checked. Please contact your network administrator to allow ISAKMP traffic on your company's firewall. The company firewall should be configured to let ISAKMP packets, which are critical messages for VPN IPSec setup, pass through. Below is an example of a PIX Firewall configuration. An entry (highlighted in red) is created on the access-list that permits ISAKMP traffic, which uses UDP port 500. Without this entry, the VPN connection will fail because the firewall blocks it.

An example of a PIX firewall configuration that allows ISAKMP packets to pass through
(Source: "CCIE Security Practice Labs", Author: Yusuf Bhaiji, Cisco Press, 2004)
I'm attempting to connect to the network through Microsoft PPTP VPN on port 1723, however when I add it to "Applications and Gaming" on the router (chosen from the drop down menu), it shows up as port 1720 and will not connect. If I manually port forward 1723 below, it still will not connect. If I add my IP address as a DMZ, it successfully connects. I started with firmware 1.0.04 and updated to 1.0.06 and it fails with both firmware versions and the built in PPTP setting still shows as port 1720.
VPN pass through is enabled and DMZ is not an option as we will not know the client source IP addresses.
sounds like a bug to me...
try to re-flash the 1.0.06 firmware then do the hard reset.
Why is DMZ not an option?
I don't understand it. You forward port 1723 to your VPN server inside your network. Fine. Or you set that IP address into the DMZ. Fine.
What has that to do with the client source IP address? 
With this router, I can either choose to allow ALL IP addresses to the DMZ system or specify a range of IP addresses (which I won't know because the remote connections will be potentially coming from anywhere), however my tests with DMZ enabled allow the VPN to connect successfully but that's irrelevant because my client could be coming from any IP and I don't want to open this server to anything and everything out on the internet.
Port forward just PPTP to the IP of the server, which is broken. This is what I would like to know if there is a fix for. Why does it show up as 1720? It should be 1723, I think the firmware is not programmed correctly. And when I manually port forward 1723, the VPN still does not connect.
If you enable the logs, do you see the incoming 1723 packets?
So far it sounds to me just like this bug:
The ISP uses DSL, I can't recall the modem. Went the Cisco support route and determined the router was bad. The agent said these model routers are known to have transport issues. I replaced it with a different model router and all is well. They never admitted that the PPTP setting was programmed with the wrong port, but whatever, the issue got resolved via different device.

Cisco's giving me the run-around about replacing it so in an effort to preserve my time, I plan to use it in a home network that doesn't need PPTP support or any other special settings. Just using this device as a basic router with simple port forwarding works fine. I suspect the real problem with my router is the vpn pass-through is actually not working. It seemed to be timing out when it was supposed to establish GRE. Oh well, moving on. Thanks for the responses everyone!
There seems to be a problem with this router. I had a problem. At home I have an XP PC and a WRT120N. On the remote location a Draytek 2200E with VPN server enabled. Sometimes no VPN connection possible. Switching the WRT off/on and then one time possible to set up the PPTP. Second time fails. Replacing the WRT120N by another Draytek 2200E (home side) and now all OK. It seems to be a bug in the PPTP passthrough software.
I agree. It's definitely a bug. I replaced the router with an E2000 with the exact same config and everything works perfectly.
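The failure described in the thread above (TCP 1723 forwarded, GRE apparently never established) and the ISAKMP/UDP 500 requirement from the Linksys article can both be checked by comparing a capture taken on the router's WAN side with one taken on the LAN side. The following Python is an added example, not code from the posts or from Linksys; the captures, addresses and function names are constructed for illustration, and UDP 1701 for L2TP is that protocol's standard port rather than a value from this page.

```python
import struct

# IP protocol numbers used by the pass-through types this page names (PPTP,
# L2TP, IPSec). TCP 1723 and UDP 500 come from the page; UDP 1701 is assumed.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet with the VPN component it belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4  # IP options move the transport header
    proto = packet[9]
    if proto in (GRE, ESP, AH):   # no ports: a port-forward rule cannot match these
        return {GRE: "pptp-data(gre)", ESP: "ipsec-esp", AH: "ipsec-ah"}[proto]
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    if proto in (TCP, UDP) and first_fragment and len(packet) >= ihl + 4:
        ports = set(struct.unpack("!HH", packet[ihl:ihl + 4]))
        if proto == TCP and 1723 in ports:
            return "pptp-control(tcp/1723)"
        if proto == UDP and 500 in ports:
            return "isakmp(udp/500)"
        if proto == UDP and 1701 in ports:
            return "l2tp(udp/1701)"
    return "other"

def dropped_by_router(wan_side, lan_side):
    """VPN components seen on the WAN side that never appear on the LAN side."""
    seen_wan = {classify(p) for p in wan_side} - {"other", "not-ipv4"}
    return sorted(seen_wan - {classify(p) for p in lan_side})

def ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet (checksum left at zero) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

# Constructed capture (documentation addresses): the router forwards the PPTP
# control connection to the server but never delivers the client's GRE packets.
CLIENT, WAN, SERVER = (203, 0, 113, 10), (198, 51, 100, 1), (192, 168, 1, 50)
CTRL = struct.pack("!HH", 49152, 1723)   # source port, destination port
PPTP_GRE = b"\x30\x01\x88\x0b"           # enhanced GRE v1, protocol 0x880B
wan_capture = [ipv4(TCP, CLIENT, WAN, CTRL), ipv4(GRE, CLIENT, WAN, PPTP_GRE)]
lan_capture = [ipv4(TCP, CLIENT, SERVER, CTRL)]

if __name__ == "__main__":
    print(dropped_by_router(wan_capture, lan_capture))
```

A result that lists only the GRE component means the port-forward rule itself works and the pass-through is what fails, which separates a router defect from a misconfigured forward without placing the server in the DMZ.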
WRT120N - Issues on establishing VPN connection
Before I suggest you for any troubleshooting steps, I would like to ask few questions. After upgrading the firmware did you reset/reconfigure the router? Did you try to enable DMZ feature? Here is the link provided which can help you in resolving the issue:
Answering your questions:
1 - After upgrading the firmware I restored the backup configuration.
2 - The DMZ feature is enabled and the destination is my notebook's IP address.
3 - I had read the link, but, I had already applied those configurations and did not work.
I'm still having problems to connect VPN with the WRT120N in the middle of conversation.
Fixing some problems with the factory firmware

1- Go to the Linksys website. The United States one, not the lousy Argentine version.
3- Now, in the Support section, select Linksys.
Download the firmware for your model
Once we have the firmware on our PC and have not died in the process, we do the following:
1- Reset the router by pressing the reset button on the back of the unit. Use a pin, a ballpoint pen, a toothpick or any thin object you have at hand.
2- While pressing the reset button, and without releasing it, power the router off for about 5 seconds.
3- Once the 5 seconds have passed, power the router back on. Keep pressing the button for 10 more seconds and then release it.
4- Once the Power light stays solid (pray to God or whichever saint you like that it does), log in to the router's interface using its factory IP, which is If all went well, one of two things can happen: you get the normal interface and the problem is solved, or you see the following:
5- If the second happened to you, curse for a while, then load and update the firmware.
6- Power the router off for 10 seconds and reset it again for 30 seconds, this time without powering it off during the reset.
7- Now, when you enter the router's IP, it should accept "admin" as the password and you will be able to configure the unit from its interface.
I won't explain how to configure the router because that has already been posted. If you need a guide, here is one made by my friend Northwood128
Flash Linksys Router with TomatoVPN 
I'm running Tomato firmware; however, when I visit I don't see where I can download the firmware update as 7zip file? They mention to download the update as 7zip file: but I cannot see the files on the site, or am I missing a process here that I need to do?
The link for the latest version on that page is under the text "You can download the binaries from here."
I have used that tomato mod and had very good success. But, I would suggest the following alternative, as it is slightly more up to date, with some nice additional features. - TomatoUSB
the forum listed the download here: There is a 7z file available.
The large chip is an AR7240 network processor SoC which includes a 5-port 10/100 Ethernet switch. Its MIPS32 24K processor core is clocked at 400 MHz and has a 16 bit DDR2 memory interface.
The smaller device surrounded by a solder footprint for an RF shield that apparently wasn't needed is an AR9285 single-stream N MAC/BB/radio. 2 MB of flash and 32 MB of RAM finish up the design.
The flash size 2MB has not changed since the question was raised in other WRT120N threads so the answer is still the same:
Not supported and will never be supported.

How can I extract the firmware of the Linksys WRT120N router?
I tried extract_firmware and extract-ng without success.
I was able to extract the pfs.img with binwalk but nothing else.
Static public IP
The router's local IP is:
The local IP of the OpenVPN server is:
When OpenVPN comes up on the server, it assigns it the IP:
In the OpenVPN configuration (taken from some documentation) the subnet mask was set to:
Client machines, when they attach to the VPN, take addresses:, and upward from there.

For now the only machine connected to the router is the OpenVPN server itself, plus the laptop used to configure the router.
Bad news: I was able to chat with Linksys online support and they told me that with this model (and others in that family) it is not possible to do what we need for the VPN, and that the Advanced Routing included there is now for other purposes.
They said the WRT54G and related models did have that capability, but with the N models it is no longer possible.
An old LINKSYS WRT54G router, one of those with screw-on antennas, so I have fitted it with two 7 dBi antennas, and I replaced its firmware with DD-WRT
