mailto: blog -at- heyrick -dot- eu


Netgear N300 WNR2000v5 - a little toy

I popped into the supermarket yesterday and saw a Netgear N300 router for €12. Well, a quick look at Amazon shows several Netgear N300 devices, none of them anything like mine.
So, the full model is N300 WNR2000v5.

It looks like this:

The Netgear N300 WNR2000v5

It is a rather strange device. It attempts to be a complete solution for handling internet connectivity, only needing to have an ethernet connection. It can even, if necessary, connect to your service provider.
Is this a 'thing' in some other countries? As far as I'm aware (UK and France), your ADSL package usually comes with a router that does all these sorts of things. Like the Orange Livebox, the BT Home Hub... of course in many cases you can choose to use your own router, possibly with some loss of functionality (when a faulty electricity line was slaughtering my broadband, I used a little WAG200 router running OpenWAG because it was better at dealing with harsh/noisy conditions, but it had no provision whatsoever for the SIP telephone).

The thing is, internet boxes tend to be integrated and all-in-one gizmos. I'm not aware of one that has a phone line on one side and an ethernet port on the other and only mashes the two together.

The Netgear router can act as a mere access point; however, in doing that, most of the functionality is disabled. Sadly it cannot act as a bridge. One needs OpenWRT for that, and I don't think this device is ever going to be supported due to mediocre hardware.

So, when running as a full router, slaved off the Livebox, it actually provides a few interesting features. You can choose to block access to sites (by URL/keyword), you can set up access controls (MAC address, by time, or use a downloadable application for "parental controls"), you can block certain ports, you can allow trusted machines (blocking everybody else), and the reason that interested me - it can run a guest network (a different access point) which is segmented so that not only can people on the guest network not see or access any of the machines on the local network, they can't see each other either.

Unfortunately the theory falls down somewhat in that the Netgear device sets itself up using the IP address 10.0.0.1, with connected devices being 10.0.0.x. When connected to the segmented guest network, it was perfectly possible to access 192.168.1.1 (the Livebox), but I guess being on a different subnet makes things just a little bit harder.
Unfortunately the address livebox.home worked... however since this router has keyword blocking, it wasn't too hard to add "192.168." and ".home" to the block list. Now attempts to access any part of my local network (on main and guest APs) will result in this:

The computer says OH HELL NO!

Oh, and this too:

Every breath you take, every move you make...

The router is known to have a vulnerability or two (that's British understatement), not to mention the ability to open up a telnet console using a special secret packet (that is documented all over the web, complete with C/Python code and a Metasploit module), so clearly it isn't anything to leave on all the time, but it can be a nice way to allow visitors (hah! visitors! me!?) to access the internet with their shiny-shiny without having to divulge my WiFi password or having their devices existing within my LAN.
Not only that, but the administration uses a simple "name and password" prompt over HTTP.
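
A way to check the guest-network observation above (guest clients reaching the Livebox's subnet) at the connection level rather than by what the browser shows. This is an added example, not part of the original post; the subnets come from the post, while the /24 masks, the port list and the function names are assumptions.

```python
import ipaddress
import socket

# Subnets as described in the post: Netgear clients get 10.0.0.x,
# the upstream Livebox LAN is 192.168.1.x (the /24 masks are assumed).
GUEST_NET = ipaddress.ip_network("10.0.0.0/24")
UPSTREAM_NET = ipaddress.ip_network("192.168.1.0/24")

def classify(addr):
    """Name the zone an IPv4 address falls in, seen from a guest client."""
    ip = ipaddress.ip_address(addr)
    if ip in GUEST_NET:
        return "guest"
    if ip in UPSTREAM_NET:
        return "upstream-lan"
    return "other-private" if ip.is_private else "internet"

def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(targets, probe=tcp_open, resolve=socket.gethostbyname):
    """Return (target, ip, port, zone) for every private destination outside
    the guest subnet that answered, i.e. every isolation gap."""
    gaps = []
    for target, port in targets:
        try:
            ip = resolve(target)
        except OSError:
            continue  # name did not resolve from this network
        zone = classify(ip)
        if zone in ("upstream-lan", "other-private") and probe(ip, port):
            gaps.append((target, ip, port, zone))
    return gaps

if __name__ == "__main__":
    # Run from a device joined to the guest SSID; ports are an assumed sample.
    checks = [(h, p) for h in ("192.168.1.1", "livebox.home") for p in (80, 443)]
    for target, ip, port, zone in audit(checks):
        print(f"reachable from guest: {target} ({ip}) port {port} [{zone}]")
```

An empty result after adding the block-list entries means the upstream LAN no longer answers guest clients on the sampled ports; any line printed is a gap the guest segmentation does not cover.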

 

In terms of hardware, the little box had so many holes (it doesn't appear to run that hot, or was this design a style statement?) that it was hardly necessary to take the lid off. But I did anyway, because, what the hell, some things are just expected around here. ☺

Electronic viscera

The goodies are hidden under a big silver tin. It's actually nothing particularly interesting. A Qualcomm (Atheros) QCA9531 system-on-a-chip intended for WLAN applications. It's a MIPS core that can run up to 650MHz, it supports 2x2 802.11a/b/g and n with a peak speed of 300 Mbps using 2× 3dBi antennas. It also supports 5 wired ethernet ports running at 10/100, four of them for connecting devices and one for connecting the router to the outside world... and here we start to see some truth. It doesn't matter what speed your WiFi can run at if your connection to the outside world is a single 100Mbit maximum port. Granted, a lot of ADSL is not particularly going to stretch that, but fibre is increasingly commonplace, as is SpaceX coverage for their constellation of dots in the sky. It's really a surprise that the box (released in 2014) doesn't support Gigabit ethernet.
Carrying on, the reason that OpenWRT has little interest in supporting this device is because it offers a paltry 32MiB of RAM and a teeny-tiny 4MiB of Flash. To put this into context, my Neuros OSD PVR (from 2008ish, I bought it in 2011) has 16MiB Flash and 64MiB SRAM. Of course the OSD would need more memory for processing frames of video, but still, those Netgear specs are pretty low.

Notice the four pads on the circuit to the right of the big metal box. Four in a row like that? I'd put money on that being a serial port. Most likely your bog standard 115200-8N1, and given the level of "security" inherent in this device, I'd expect it to expose a console with either no password, or the password being, well, "password"...

In terms of use, the funny-looking antennas work but are nothing special. Their output power, according to WiFi analyzer on my phone, is slightly weaker than the Livebox. The Livebox is on channel 1, the Netgear with both APs on channel 4. Oddly the guest network seems to come and go. This must be some sort of quirk of the device, as when I switched to being connected to the guest network, the main AP came and went instead...?

The router in use seems responsive enough. Looking up stuff on Google doesn't take noticeably longer. The administration console, on the other hand, is not particularly fast.

There are three LEDs on the front - Power, Internet, and WiFi. These communicate status by being either yellow or green, and either steady or blinking. Everything steady green is 'normal'.
There are also two buttons. The top one turns WiFi on and off, the lower one is for WPS. I have disabled WPS (under Advanced settings, WiFi, Disable router's PIN). Also in advanced setup, slaughter UPnP with prejudice...and smile at the number of times you'll need to reconnect to the AP and sign in again. It resets the WiFi with just about every change you make. It's as bad as Windows 95...

I had to disable IPv6. With it enabled (all auto-config), the router would get an IPv6 address on the WAN port, but it wouldn't pass on IPv6 addresses to the LAN side. Which meant a number of things (including Google) suddenly stopped working, as the IPv6 IP address was being passed through but there was no way to connect using IPv6. Maybe that's why it is disabled by default?
On the Livebox, switching on IPv6 meant basically going into the settings and ticking a box marked "Enable IPv6". That was it. It just worked.

 

When booting, it takes 30 seconds before getting as far as turning on the ethernet LED, and another 20 seconds before that turns green (connected to the internet). We're up to 65 seconds before WiFi comes on-line, and about 5-10 seconds more and the power LED turns green, with all three LEDs (power, internet, WiFi) being green and the box ready for use. It's a little faster than the Livebox, but on the other hand it has a lot less to do (no ADSL to detect and sync to, no sign in/authentication, no telephone to set up...), so arguably it's rather slower...

 

It isn't bad for the price of a burger meal, and as I said, it can allow people to use my internet without having either the main password (which is a lot of gobbledegook) or access to any of the devices on the internal network. Which means it'll be used, well, practically never (I'm hardly a socialite), but when the need arises, I have just the gizmo...

I just... wouldn't let anybody under the age of about 25, or anything more complicated than a mobile phone/tablet near it, or there's a non-insignificant chance that they'll have hacked in and lifted the admin password out of NVRAM before I've had the chance to say "Oi! You! Noooo!".
Especially if it's a thirteen year old girl enjoying a lollipop. You're supposed to think "oh, cute" and not realise that her candyfloss-pink phone is running Termux and is actively penetration testing everything with an IP address because she will own your ass and you won't see it coming.

 

 

Your comments:

Zoinks!, 28th July 2021, 21:55
Only you could write a snarky review of a router that ends with making us afraid of little girls. 😱
Rick, 28th July 2021, 22:09
Thanks...I think?
Rob, 28th July 2021, 22:14
I think the separation between private and guest networks is only on the wifi side; anything "upstream" of the router will be considered public, actual xDSL router and anything else on that subnet...  
 
As for "one that has a phone line on one side and an ethernet port on the other and only mashes the two together" - when I'm not using my ISP supplied router (acting in pseudo-bridge mode only, built in wifi off and everything passing through to the firewall box) I use an old BT Openreach "DSL modem" - this indeed has a telephone line on one side, and Ethernet on the other - you connect your router to the Ethernet port and have to talk PPPoE to it. (The abovementioned firewall box speaks this, so it effectively is directly on the internet at this point.)
