Wednesday, 27 September 2017

Configuring Draytek 2860 from command line

We like to configure our Draytek 2860 routers through telnet; our team pastes the following script to configure everything except the WAN connections. It is pretty simplistic, but it makes the process easy and mistake-free.

The command-line manuals for these routers are out of date, perhaps because there has been so much progress in this functionality in the last few years. The commands are, however, well documented in the telnet interface itself, accessible by typing ?

I have anonymised our setup which may make a useful starting point for others.

#HOW TO SETUP DRAYTEK 2860N FOR BRANCH OFFICES
#Update to latest firmware.
#Change the site-specific configuration to match the site, then telnet in and paste it into the interface.
#Setup broadband connection(s).
#Add VPN IP to HQ Router.
#Add Systems which need VPN access to MAC filter
#Activate Application Filter: CSM > APPE Signature Upgrade > Activate.


#SITE SPECIFIC CONFIGURATION
# Every value in this block differs per branch: edit it before pasting.
# mywip is given the same address as the LAN (ip addr below); okey is
# presumably the IPsec pre-shared key for LAN-to-LAN profile 1.
# Both values are placeholders here and are sent in clear text over the
# telnet session used to paste this script.
vpn option 1 mywip=10.1.6.254
vpn option 1 okey=vpnpassword
# Router LAN address, DHCP pool start and the gateway handed out by DHCP.
ip addr 10.1.6.254
srv dhcp startip 10.1.6.100
srv dhcp gateway 10.1.6.254
srv dhcp on
# SSID name for radio 1 / SSID 1 at this site.
wl config ssid 1 1 wirelessnetwork
######################

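#Wireless LAN > General Setup
# The SSID is already set in the SITE SPECIFIC CONFIGURATION block above
# (wl config ssid 1 1 <site ssid>). Repeating the same command here ran
# after it and overwrote the per-site name with a fixed one, so the
# generic line is kept only as a reminder and is not executed.
#wl config ssid 1 1 wifi
wl config mode 11gn
# WPA2-PSK on SSID 1; the passphrase is a placeholder to replace per site
# and, like the rest of this script, is pasted in clear text over telnet.
wl config security 1 wpa2psk wpa2password
# Presumably the client-isolation flags for SSID 1 — confirm with "wl config ?".
wl config isolate 1 1 1 1
# Apply the radio changes.
wl restart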

#LAN > General Setup
# /24 mask for the LAN address set in the site-specific block.
ip nmask 255.255.255.0

#Turn off hardware acceleration
# NOTE(review): presumably disables the packet-processing accelerator;
# a usual reason to do so is that accelerated flows may not be inspected
# by the firewall/CSM rules set up below — confirm with "ppa ?".
ppa -m 0

#VPN and Remote Access > LAN to LAN
# Remote dial-in over L2TP and PPTP is switched off; the LAN-to-LAN
# profile below is the only tunnel this template defines.
vpn remote L2TP off
vpn remote PPTP off

# Profile 1 "BHT": enabled, presumably dial-out (dir=o) via WAN1 (thr=w1f)
# with no idle timeout (idle=-1). dialto is the HQ VPN host; ometh/ikemode/
# ikeid are the ESP proposal, IKE mode and IKE identity (IPsec) — confirm
# the exact meaning of each keyword with "vpn option ?".
vpn option 1 pname=BHT ena=on thr=w1f dir=o idle=-1
vpn option 1 ctype=s dialto=our.vpn.host ometh=esp3a ikemode=a ikeid=somestuff
# Remote gateway address and the HQ network (10.254.0.0/16) reached through
# the tunnel; the firewall rules later in this script use the same range.
vpn option 1 rgip=10.254.254.254 rnip=10.254.0.0 rnmask=255.255.0.0
vpn option 1 itype=0
# Perfect forward secrecy on; "main 13" presumably selects main mode with
# proposal 13 — confirm with "vpn l2lset ?".
vpn l2lset 1 pfs on
vpn l2lset 1 main 13

#CSM > Disable APP Enforcement Profile
# Clears the globally applied APP Enforcement profile; profile 1 (p2p),
# defined further down, is instead referenced by a rule in filter set 5.
ipf set -M 0

#Setup IP & Service Objects

# NOTE(review): "ipf default" presumably resets the firewall to its factory
# rule set before the objects and sets below are defined, and "-p 1" the
# default policy/start set — confirm with "ipf ?".
ipf default
ipf set -p 1

# IP object 192: a single host (1.2.3.4 is a placeholder) that LAN clients
# may reach without service restrictions (see filter set 2, rule 6).
object ip obj 192 -n fullaccesserver -a 1 1.2.3.4

# Service objects. -p is the IP protocol number (6 = TCP, 17 = UDP; 255 is
# presumably "any"); "-d 0 <from> <to>" looks like a destination port range,
# which the object names confirm (http 80, https 443, ...).
object service obj 1 -n http
object service obj 1 -p 6
object service obj 1 -d 0 80 80

object service obj 2 -n https
object service obj 2 -p 6
object service obj 2 -d 0 443 443

object service obj 3 -n cctv
object service obj 3 -p 255
object service obj 3 -d 0 6036 6036

object service obj 4 -n teamviewer
object service obj 4 -p 255
object service obj 4 -d 0 5938 5938

object service obj 5 -n smtp2525
object service obj 5 -p 6
object service obj 5 -d 0 2525 2525

object service obj 6 -n ftp
object service obj 6 -p 255
object service obj 6 -d 0 20 21

object service obj 7 -n ntp
object service obj 7 -p 17
object service obj 7 -d 0 123 123

object service obj 8 -n rdp
object service obj 8 -p 6
object service obj 8 -d 0 3389 3389

# Objects 20 and 21 are grouped separately (lan2wan) for traffic to HQ.
object service obj 20 -n dns
object service obj 20 -p 17
object service obj 20 -d 0 53 53

object service obj 21 -n smtp
object service obj 21 -p 6
object service obj 21 -d 0 25 25

#Setup Service Object Groups

# "internet": the outbound services LAN clients may use (objects 1-8).
object service grp 1 -n internet
object service grp 1 -a 1 2 3 4 5 6 7 8

# "lan2wan": DNS and SMTP (objects 20, 21); used by the rule that allows
# LAN traffic towards the HQ network 10.254.0.0/16.
object service grp 2 -n lan2wan
object service grp 2 -a 20 21

# IP group 32 wraps IP object 192 so it can be used as destination "g 32".
object ip grp 32 -n fullaccessdesti
object ip grp 32 -a 192

#CSM > APP Enforcement Profile
# Profile 1 "p2p". Each "csm appe set" line toggles one application
# signature by number; -e presumably enables blocking of that signature and
# -d disables it. The numbers depend on the installed APPE signature pack
# (see the "Appe Signature Upgrade" step in the checklist at the top), so
# re-check them after a signature update.
csm app prof -i 1 -n p2p
csm appe set -i 1 -e 35
csm appe set -i 1 -e 36
csm appe set -i 1 -e 37
csm appe set -i 1 -e 38
csm appe set -i 1 -e 39
csm appe set -i 1 -e 40
csm appe set -i 1 -e 41
csm appe set -i 1 -e 42
csm appe set -i 1 -e 43
csm appe set -i 1 -e 44
csm appe set -i 1 -e 45
csm appe set -i 1 -e 46
csm appe set -i 1 -e 47
csm appe set -i 1 -e 48
csm appe set -i 1 -e 49
csm appe set -i 1 -e 50
csm appe set -i 1 -e 51
csm appe set -i 1 -e 52

#Block DNS & SMTP
csm appe set -i 1 -e 54
csm appe set -i 1 -e 69

#Block VPN
# NOTE(review): signatures 78 and 79 are set with -d while every other
# entry in this group uses -e — presumably left unblocked on purpose (for
# example so the site's own tunnel keeps working); confirm which
# applications they are before changing them.
csm appe set -i 1 -e 76
csm appe set -i 1 -e 77
csm appe set -i 1 -d 78
csm appe set -i 1 -d 79
csm appe set -i 1 -e 80
csm appe set -i 1 -e 81
csm appe set -i 1 -e 82
csm appe set -i 1 -e 83
csm appe set -i 1 -e 84
csm appe set -i 1 -e 85
csm appe set -i 1 -e 86
csm appe set -i 1 -e 87
csm appe set -i 1 -e 88
csm appe set -i 1 -e 89
csm appe set -i 1 -e 90
csm appe set -i 1 -e 91
csm appe set -i 1 -e 92
csm appe set -i 1 -e 93
csm appe set -i 1 -e 94

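#Firewall > Filter Setup
# Filter sets are chained with -n: 2 "internet" -> 3 "vpn-mac" ->
# 4 "block-mac" -> 5 "p2p-filter". Set 1 is given a blank name.
# Option meanings presumed from usage here (confirm with "ipf rule ?"):
#   -s / -d  source / destination ("u 2" looks like "any LAN address",
#            "u 0 <net> <mask>" an explicit network, "g N" IP group N)
#   -S       service object/group, -M rule name, -e 1 enable, -D direction,
#   -F       action (0 on the pass rules, 1 on the "block-mac" rules).
ipf set 1 -m " "
ipf set 2 -m internet -n 3
# Rule 2/1: LAN to anywhere for the "internet" service group.
# NOTE(review): -S appears twice on this line ("g 1" and later "u 0");
# which value the firmware keeps is not visible here — list the rule on
# the router after pasting and drop the unintended one.
ipf rule 2 1 -M "internet" -s "u 2" -d "u 2" -S "g 1" -a 0 -F 0 -e 1 -S "u 0"
ipf rule 2 1 -D 0

# Rule 2/2: LAN to the HQ network over the tunnel, DNS and SMTP only.
ipf rule 2 2 -M "lan2wan" -s "u 2" -d "u 0 10.254.0.0 255.255.0.0" -S "g 2" -F 0 -e 1
ipf rule 2 2 -D 2

# Rule 2/3: HQ network to LAN, no service restriction.
ipf rule 2 3 -M "wan2lan" -s "u 0 10.254.0.0 255.255.0.0" -d "u 2" -e 1
ipf rule 2 3 -D 2

# Rule 2/6: LAN to the "fullaccesserver" host (IP group 32), any service.
ipf rule 2 6 -M "fullaccessdestinati" -e 1 -s "u 2" -d "g 32"
ipf rule 2 6 -D 0

ipf rule 2 7 -M "nat" -e 1 -s "u 2" -d "u 2"
ipf rule 2 7 -D 1

# Sets 3 and 4 reference IP groups 1-7 ("MAC1".."MAC7"), which this script
# does not create: they are filled per site with the systems that need VPN
# access (checklist step "Add Systems which need VPN access to MAC filter").
# Set 3 passes those groups to 10.0.0.0/8; set 4 blocks everything else
# from them.
ipf set 3 -m vpn-mac -n 4
ipf rule 3 1 -M "MAC1" -s "g 1" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 1 -D 2
ipf rule 3 2 -M "MAC2" -s "g 2" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 2 -D 2
ipf rule 3 3 -M "MAC3" -s "g 3" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 3 -D 2
ipf rule 3 4 -M "MAC4" -s "g 4" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 4 -D 2
ipf rule 3 5 -M "MAC5" -s "g 5" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 5 -D 2
ipf rule 3 6 -M "MAC6" -s "g 6" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 6 -D 2
ipf rule 3 7 -M "MAC7" -s "g 7" -d "u 0 10.0.0.0 255.0.0.0" -e 1 -F 0
ipf rule 3 7 -D 2

ipf set 4 -m block-mac -n 5
ipf rule 4 1 -M "MAC1" -s "g 1" -e 1 -F 1
ipf rule 4 2 -M "MAC2" -s "g 2" -e 1 -F 1
ipf rule 4 3 -M "MAC3" -s "g 3" -e 1 -F 1
ipf rule 4 4 -M "MAC4" -s "g 4" -e 1 -F 1
ipf rule 4 5 -M "MAC5" -s "g 5" -e 1 -F 1
ipf rule 4 6 -M "MAC6" -s "g 6" -e 1 -F 1
# Rule 4/7 covers group 7, so it is named MAC7 like its counterpart in
# set 3 (it was labelled MAC6 before, which made the two rules look alike
# when listed).
ipf rule 4 7 -M "MAC7" -s "g 7" -e 1 -F 1

# Set 5: apply APP Enforcement profile 1 (p2p) to all remaining traffic.
ipf set 5 -m p2p-filter
ipf rule 5 1 -a 1 -e 1 -M "p2p"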

#Firewall > DoS defense Setup
# "dos -A" / "dos -a" presumably switch on all defense options and the
# module itself; each "-s" line sets a per-attack threshold (the first
# number looks like a packets-per-second rate, the second a timeout) —
# confirm the units with "dos ?".
dos -A
dos -a
dos -s synflood 2000 10
dos -s udpflood 2000 10
dos -s icmpflood 250 10
dos -s portscan 2000

#System Maintenance > Management
# Management services moved off their default ports. Remember the new
# telnet port when pasting this script on the next visit.
mngt httpport 2080
mngt httpsport 2443
mngt telnetport 2023
mngt ftpport 2021
mngt sshport 2022
# The router answers ICMP echo.
mngt noping off
echoicmp enable
# Remote (WAN-side) management: HTTPS only; FTP, HTTP, telnet, TR-069 and
# SSH are not reachable from the WAN.
mngt rmtcfg ftp off
mngt rmtcfg https on
mngt rmtcfg http off
mngt rmtcfg telnet off
mngt rmtcfg tr069 off
mngt rmtcfg ssh off
# NOTE(review): the meaning of "lanaccess -s" is not shown here — check "mngt ?".
mngt lanaccess -s
# Remote management is further limited to the access-list entry below;
# 1.1.1.1/28 is a placeholder for the real management source range.
mngt accesslist add 1 1.1.1.1 255.255.255.240
# Brute-force protection: enabled for all services, presumably 5 attempts
# then a 900 s penalty. NOTE(review): the trailing "asd" in "-p 900asd"
# looks like a stray keystroke — verify the value the router accepted.
mngt bfp -e 1 -s All -l 5 -p 900asd
# Admin password (placeholder). Like the VPN key and Wi-Fi passphrase it is
# typed over the telnet session, so replace it per site and keep the filled
# in script out of shared locations; use the SSH port set above for the
# paste where the firmware allows it.
sys passwd adminpassword!
# Persist the configuration before rebooting.
sys commit


sys reboot