Pushing specific parameter values

Hi all. We are using version 1.2.5.

I think this is an edge case, and while it is not something terribly nasty, it can be a pain sometimes when our team wants to access a CPE configuration via web browser just to provide customer support.

We use this key to enable access to CPE:
InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable

It works fine when the router is started for the first time, but Huawei routers seem to disable it after several hours or even days.

Our provisioning script does declare the parameter, but sometimes it seems like either GenieACS does not send it (because it believes it's already configured as it should be) or Huawei ignores it. What confuses me is the fact that sometimes it does work.

(I just did another test while looking at genieacs-debug, and it does seem like GenieACS does not send the parameter.)

Any hints on how I should deal with this?

Thanks

I had the same issue with AVM. They set some parameters (Speedtest Server related) to false on reboot.
My solution for this is that I read the parameter from the CPE before I write it.

I am not doing it with a provisioning script; I am running an external tool which deals with that. We also have the guideline that our team members should disable remote access if they do not need it.


Why not set ACLs and restrict remote access to specific IP addresses? This is how we accomplish this.

Here is a provision script that will set the ACLs. Fill in the values as necessary for your environment. This provision script handles Zyxel CPEs using TR-181, and SmartRG and Comtrend CPEs using TR-069.

/* global log:false, declare:false */
log('ACLs');
const now = Date.now();

let model = declare('VirtualParameters.Model', {value: 1}).value[0];

log('ACLs - Model', {model: model});

createAcls();
declare('Tags.HasACLs', null, {value: true});

return;

function createAcls() {
    /*
     * Clear all existing ACL rules. Because everything is done in one transaction,
     * if there are no actual changes, then nothing will actually be removed by GenieACS
     */

    // Refresh the current instances (timestamp "now" forces a fresh read from the CPE)
    declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.*', {value: now, path: now});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.*', {value: now, path: now});

    // "[]" with {path: 0} declares that zero instances should exist, i.e. delete them all
    declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[]', null, {path: 0});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[]', null, {path: 0});

    declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[]', null, {path: 0});
    declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[]', null, {path: 0});

    [
        {ip: '192.168.1.0', maskBits: 24, interface: 'lan', notes: 'Local LAN'},
        {ip: '8.8.8.8',     maskBits: 32, interface: 'wan', notes: 'Office'},
        {ip: '8.8.4.4',     maskBits: 32, interface: 'wan', notes: 'Another remote office'},
    ].forEach((acl) => {
        log('ACLs - Adding mgmt acl', acl);

        // "[key:value]" with {path: 1} declares exactly one instance matching the alias,
        // creating it with those parameter values if it does not exist yet.
        // SmartRG
        declare('InternetGatewayDevice.X_SMARTRG_COM_MgmtAcl.[SrcAddress:' + acl.ip + '/' + acl.maskBits + ']', {path: 1}, {path: 1});

        // Comtrend
        declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.IPAddressEntry.[ipaddr:' + acl.ip +
            ',Subnet:' + createNetmaskAddr(acl.maskBits) + ',Interface:' + acl.interface + ']', {path: 1}, {path: 1});

        // SR555
        declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.X_BROADCOM_COM_IPAddrAccCtrlListCfg.[SourceIPAddress:' +
            acl.ip + ',SourceNetMask:' + createNetmaskAddr(acl.maskBits) + ']', {path: 1}, {path: 1});

        // Zyxel (TR-181)
        declare('Device.X_ZYXEL_RemoteManagement.TrustDomain.[IPAddress:' + acl.ip + ',SubnetMask:' + acl.maskBits + ',Enable:true]', {path: 1}, {path: 1});
    });

    // Enable the ACLs for the SR555ac and the Comtrend
    declare('InternetGatewayDevice.X_BROADCOM_COM_IPAddrAccCtrl.Enable', {path: 1}, {value: true});
    declare('InternetGatewayDevice.X_COMTREND_COM_AccessibleIPAddress.Enable', {path: 1}, {value: true});
}

// Convert a prefix length (e.g. 24) into a dotted-decimal netmask (e.g. 255.255.255.0)
function createNetmaskAddr(bitCount) {
    let mask = [];
    for (let i = 0; i < 4; ++i) {
        let n = Math.min(bitCount, 8);
        mask.push(256 - Math.pow(2, 8 - n));
        bitCount -= n;
    }

    return mask.join('.');
}


If you are using a provision script to set the value, then set the first value param to now, i.e.:
declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: true });

This will cause GenieACS to refresh the value from the CPE. If the CPE is reporting HTTPWanEnable as enabled when it's really not, then try this in your provision script:

declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: false });
commit(); // Necessary so GenieACS sets the state to the CPE
declare('InternetGatewayDevice.X_HW_Security.AclServices.HTTPWanEnable', { value: Date.now() }, { value: true });

Tried that, but some ZTE devices create the ACL as Discard by default, and I am not able to change it to Accept… sad :(

@akcoder ty for your answers. Yesterday I was about to do exactly that (setting it to false, then commit, and then setting it to true), but I was afraid of the "endless loop" fault. We thought about setting a firewall rule to restrict access to specific IP ranges, but it's all useless if the router cuts the access by itself.

@JonasGhost ty for the hint.

If you do get the endless loop fault, the way around it would be two presets/provision scripts: one that disables the value and sets a tag, and another which is triggered on the tag, flips the bit back and removes the tag.

For the record, I just discovered a simple fact: I was sending the parameter the wrong way. The second parameter must be a JSON object with a value key holding a timestamp.

declare(parameter, {value: Date.now()}, {value: value});

For the second param, you can also put in a path parameter. This will cause GenieACS to refresh the path if the timestamp is older than the given value.

// Date.now() is in milliseconds, so the offsets must be in milliseconds as well
const twoDaysAgo = Date.now() - (86400 * 1000 * 2);
const oneDayAgo = Date.now() - (86400 * 1000);

declare('Some.Path', { path: twoDaysAgo, value: oneDayAgo }, { value: 'someValue' });

This will cause GenieACS to refresh the path if it's older than two days, or refresh the value if it's older than one day.

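To make the timestamp argument from the two replies above concrete, here is an added example (not GenieACS code and not from any poster) that models the declare() decision as I understand it: a cached read older than the given timestamp triggers a GetParameterValues, and a desired value that differs from what GenieACS then believes the CPE holds triggers a SetParameterValues. The cache record, the CPE state and the time offsets are constructed.

```javascript
// Added example (not GenieACS code): a small model of the declare() decision
// logic, so the timestamp argument can be reasoned about offline.
// Assumed semantics: GenieACS caches, per parameter, the value last read from the
// CPE plus the millisecond timestamp of that read. declare()'s second argument is a
// freshness threshold: if the cached read is OLDER than it, a GetParameterValues
// (GPV) is issued. The third argument is the desired value: if it differs from the
// value GenieACS then believes the CPE has, a SetParameterValues (SPV) is issued.

const HOUR_MS = 3600 * 1000;
const DAY_MS = 24 * HOUR_MS;

// `cache` is a constructed GenieACS-side record: {value, valueTimestamp}.
// `cpeValue` is what the CPE actually holds right now (may differ from the cache).
function planDeclare(cache, cpeValue, timestamps, values) {
  const ops = [];
  const refresh = timestamps.value !== undefined && cache.valueTimestamp < timestamps.value;
  if (refresh) ops.push('GPV');
  if (values && values.value !== undefined) {
    // Without a refresh GenieACS compares against its (possibly stale) cache.
    const believed = refresh ? cpeValue : cache.value;
    if (believed !== values.value) ops.push('SPV');
  }
  return ops;
}

// The Huawei scenario from the thread: HTTPWanEnable was set to true hours ago,
// the CPE has since flipped it to false, but the cache still says true.
function huaweiScenario(now) {
  const cache = { value: true, valueTimestamp: now - 3 * HOUR_MS };
  const cpeValue = false;
  return {
    // {value: 1}: the cache is newer than epoch+1ms, so no GPV; cache says true -> nothing sent.
    stale: planDeclare(cache, cpeValue, { value: 1 }, { value: true }),
    // A "one day ago" threshold: a 3h-old read still counts as fresh -> nothing sent.
    oneDayOld: planDeclare(cache, cpeValue, { value: now - DAY_MS }, { value: true }),
    // Date.now(): every cached read is older than "now", so GPV, the real false is seen -> SPV.
    forced: planDeclare(cache, cpeValue, { value: now }, { value: true }),
    // Unit pitfall: 86400 here is milliseconds, i.e. 86.4 s, not one day, so it refreshes too.
    secondsBug: planDeclare(cache, cpeValue, { value: now - 86400 }, { value: true }),
  };
}

function main() {
  console.log(JSON.stringify(huaweiScenario(Date.now()), null, 2));
}
main();
```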

@akcoder For some of the ONTs the path InternetGatewayDevice.X_HW_Security.AclServices is not available. I've searched the complete configuration file. For such cases, what is to be done to enable ACL? Kindly guide. Thanks in advance.

Obviously. The path is Huawei-specific, as the path itself suggests.

Since you resurrected a dead thread, as a follow-up I will mention that I ended up not using that value, but instead did something similar to what akcoder suggested back then.

Since we use a VLAN dedicated to the ACS (as everyone should, imho), we ended up creating a rule just to allow connections from that VLAN, and by doing that we solved the problem of not being able to connect to the router setup, which is sometimes needed by our guys at customer support (yes, I know they should not, but that's another story).

Sample code is in this recent thread.