Pushing specific parameters value

rudymartin · October 19, 2021, 6:09pm

Hi all. We are using version 1.2.5.

I think this is an edge case and while it is not something terrible nasty, it can be a pain sometimes when our team wants to access a CPE configuration via web browser just to give customer support.

We use this key to enable access to CPE:
InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable

Works fine when the router is started for the first time, but the thing is, seems like Huawei Routers tends to disable it after several hours or even days.

Our provisioning script does declare the parameter but sometimes seems like either Genie ACS does not send it (because it believes it’s already configured as it should be) or Huawei ignores it. What confuses me is the fact that sometime it does work.

(I just did another test while looking at the genieacs-debug and it does seems seems like GenieACS does not send the parameter)

Any hints on how should I deal with this?

thanks

JonasGhost · October 19, 2021, 7:50pm

I had the same issue with AVM. They set some parameters (Speedtest Server related) on reboot to false.
My solution for this is, I am reading the parameter from the CPE, before I am writing it.

I am not doing it with an provisioning script, I am running an external tool which deals with that. We also have the guideline, that our team members should disable the remote access if they do not need it.

akcoder · October 19, 2021, 7:55pm

Why not set ACLs and restrict remote access to specific IP addresses? This is how we accomplish this.

Here is a provision script that will set the ACLs. Fill in the values as necessary for your env. This provision script handles Zyxel CPEs using TR-181, SmartRG and Comtrend CPEs using TR-069.

/* global log:false, declare:false */
log('ACLs');
const now = Date.now();

let model = declare('VirtualParameters.Model', {value: 1}).value[0];

log('ACLs - Model', {model: model});

createAcls();
declare('Tags.HasACLs', null, {value: true});

return;

function createAcls() {
    /*
     * Clear all existing ACL rules. Because everything is done in one transaction,
     * if there are no actual changes, then nothing will actually be removed by GenieACS
     */

    declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.*', {value: now, path: now});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.*', {value: now, path: now});

    declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[]', null, {path: 0});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[]', null, {path: 0});

    declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[]', null, {path: 0});
    declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[]', null, {path: 0});

    [
        {ip: '192.168.1.0', maskBits: 24, interface: 'lan', notes: 'Local LAN'},
        {ip: '8.8.8.8',     maskBits: 32, interface: 'wan', notes: 'Office'},
        {ip: '8.8.4.4',     maskBits: 32, interface: 'wan', notes: 'Another remote office'},
    ].forEach((acl) => {
        log('ACLs - Adding mgmt acl', acl);

        declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[SrcAddress:' + acl.ip + '/' + acl.maskBits + ']', {path: 1}, {path: 1});

        //Comtrend
        declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[ipaddr:' + acl.ip +
            ',Subnet:' + createNetmaskAddr(acl.maskBits) + ',Interface:' + acl.interface + ']', {path: 1}, {path: 1});

        //SR555
        declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[SourceIPAddress:' +
            acl.ip + ',SourceNetMask:' + createNetmaskAddr(acl.maskBits) + ']', {path: 1}, {path: 1});

        declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[IPAddress:' + acl.ip + ',SubnetMask:' + acl.maskBits + ',Enable:true]', {path: 1}, {path: 1});
    });


    //Enable the ACLs for the SR555ac and the Comtrend
    declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.Enable', {path: 1}, {value: true});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.Enable', {path: 1}, {value: true});
}

function createNetmaskAddr(bitCount) {
    let mask = [];
    for (let i = 0; i < 4; ++i) {
        let n = Math.min(bitCount, 8);
        mask.push(256 - Math.pow(2, 8 - n));
        bitCount -= n;
    }

    return mask.join('.');
}

akcoder · October 19, 2021, 7:57pm

If you are using a provision script to set the value, then set the first value param to now. I.e.:
declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: true });

This will cause genie to refresh the value from the CPE. If the CPE is reporting HTTPWanEnable as enabled when its really not, then try this in your provision script:

declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: false });
commit(); // Necessary so GenieACS sets the state to the CPE
declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: true });

Julian · October 19, 2021, 8:04pm

Tried so, but some ZTE devices are creating the ACL as Discard by default, and being not able to change to Accept… sad

rudymartin · October 20, 2021, 11:27am

@akcoder ty for your answers. Yesterday I was about to do exactly that (setting it to false then commit and then setting it to true) but I was afraid of the “endless loop” fault. We thought about setting a firewall rule to restrict access from specific ip ranges but it’s all useless if the router cut the access by itself.

@JonasGhost ty for the hint.

akcoder · October 20, 2021, 5:11pm

If you do get the endless loop fault. The way around it would be two presets/provision scripts. One that disables the value and sets a tag. And another which is triggered on the tag and flips the bit back and removes the tag.

rudymartin · November 1, 2021, 7:15pm

for the record, I just discovered a simple fact: I was sending the parameter the wrong way: second parameter must be a json object with a value key with timestamp.

declare( parameter, { value: Date.now( ) }, { value: value } );

akcoder · November 1, 2021, 9:25pm

For the second param, you can also put in a path parameter. This will cause GenieACS to refresh the path if the timestamp is older than the given value.

const twoDaysAgo = Date.now() - (86400 * 2);
const oneDayAgo = Date.now() - 86400;

declare('Some.Path', { path: twoDaysAgo, value: oneDayAgo}, {value: 'someValue'});

This will cause GenieACS to refresh the path if its older than two days, or refresh the value if its older than 1 day.

AAS · October 9, 2023, 7:44am

@akcoder For some of the ONTs the path InternetGatewayDevice.X_HW_Security.AclServices is not available. I’ve searched the complete configuration file. For such cases to enable ACL what is to be done. Kindly guide. Thanks in Advance

rudymartin · October 9, 2023, 2:24pm

Obviously. Path is Huawei specific as the path itself suggests.

since you resurrected a dead thread, as a follow up I will mention I ended up not using that value, but instead I did something similar to what akcoder suggested back then.

Since we use a VLAN dedicated to the ACS (as everyone should imho), we ended up creating a rule just to allow connections from that vlan and by doing that we solved the problem of not being able to connect to the router setup, which is sometimes needed by our guys at customer support (yes, I know they should not, but that’s another story).

sample code is in this recent thread.-

Topic		Replies	Views
Setting up wifi password on Huawei CPE	11	6147	May 1, 2024
What parameter is this in TP-Link Archer AC1200?	2	638	November 9, 2021
Push WAN profile from ACS to CPE	16	3378	October 16, 2023
URL Filter Policy	2	415	November 15, 2021
Huawei ACL parameter meaning	2	124	October 27, 2024

Pushing specific parameters value

Related topics