<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kerry D. Wong &#187; Router</title>
	<atom:link href="http://www.kerrywong.com/tag/router/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kerrywong.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Sep 2010 00:51:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Router Configuration on Port 80? It&#8217;s Never a Good Idea</title>
		<link>http://www.kerrywong.com/2008/02/27/router-configuration-on-port-80-its-never-a-good-idea/</link>
		<comments>http://www.kerrywong.com/2008/02/27/router-configuration-on-port-80-its-never-a-good-idea/#comments</comments>
		<pubDate>Thu, 28 Feb 2008 03:21:08 +0000</pubDate>
		<dc:creator>kwong</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Router]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.kerrywong.com/2008/02/27/router-configuration-on-port-80-its-never-a-good-idea/</guid>
		<description><![CDATA[A few weeks ago, one of my co-workers showed me how he monitors his home internet connection remotely using DynDNS. After answering a few of my questions, I realized that all he was doing was putting his wireless router&#8217;s web configuration console on port 80. I cautioned him that this was a really bad idea [...]]]></description>
			<content:encoded><![CDATA[<p>A few weeks ago, one of my co-workers showed me how he monitors his home internet connection remotely using <a href="http://www.dyndns.com/">DynDNS</a>. <span id="more-268"></span>After answering a few of my questions, I realized that all he was doing was putting his wireless router&#8217;s web configuration console on port 80. I cautioned him that this was a really bad idea as hackers love these kinds of trivial-to-hack devices. But he seemed to think that the danger of being hacked was really low and insisted that it was safe enough. Long story short, with the incentive of a free lunch, I decided to take on the challenge of hacking into his system.</p>
<p>The result? I got my free lunch (I am not going to give any detail on the techniques I used. But many similar techniques are readily available on the internet and some do not even require any technological background at all!), and it took me just a few minutes to render his site inaccessible from the outside world.</p>
<p>Since most of the cheap routers (wired and wireless) are primarily targeted at home use, the design of their security systems is often quite simple, and their capabilities are quite limited. It is thus much easier to break into these systems than into full-fledged operating systems (in general, of course). My co-worker&#8217;s router was a Belkin Wireless G Router F5D7232-4, and apparently it has some serious security flaws including this one: <a href="http://xforce.iss.net/xforce/xfdb/21412">no default password</a> (he did set his password, otherwise the hack would have been even more trivial).</p>
<p>This particular Belkin router actually has a mini Linux OS built in, and this brings up another reason why we shouldn&#8217;t leave its administrative web interface accessible over the Internet: since the device is cheap and has to support the Linux kernel, the kernel cannot be running on a powerful CPU. Thus, even a small amount of traffic could overwhelm its ability to serve. And sure enough, in a later experiment, I found out that even just a few dozen simultaneous pings could achieve a pretty successful DoS attack.</p>
<p>So, here is my advice: Never enable the option to allow remote administration on your home router (including DSL routers and cable modems), disable DMZ, and block all unnecessary incoming ports (e.g. telnet, ftp, etc.).</p>
<p>Happy surfing&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kerrywong.com/2008/02/27/router-configuration-on-port-80-its-never-a-good-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2Wire Gateway &#8220;Router behind Router&#8221; Problem Update</title>
		<link>http://www.kerrywong.com/2007/01/04/2wire-gateway-router-behind-router-problem-update/</link>
		<comments>http://www.kerrywong.com/2007/01/04/2wire-gateway-router-behind-router-problem-update/#comments</comments>
		<pubDate>Thu, 04 Jan 2007 11:41:44 +0000</pubDate>
		<dc:creator>kwong</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Router]]></category>

		<guid isPermaLink="false">http://dimension/2007/01/04/2wire-gateway-router-behind-router-problem-update/</guid>
		<description><![CDATA[About half a year ago, I mentioned that I had some problems running VMWare while using the 1701HG Gateway. Recently, out of curiosity, I asked the 2wire technical support group for their opinion. And here is the response I got: You can turn off the router on router detection from the management and diagnostic console [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><span style="font-size: 10pt; font-family: Verdana;">About half a year ago, I mentioned that I had some <a href="/2006/06/06/problems-with-2wire-gateway-when-running-vmware/">problems</a> running VMWare while using the 1701HG Gateway.</span><span id="more-131"></span><span style="font-size: 10pt; font-family: Verdana;"> Recently, out of curiosity, I asked the 2wire technical support group for their opinion. And here is the response I got:</span></p>
<p style="margin-left: 0.5in;" class="MsoNormal"><span style="font-size: 10pt; font-family: 'Courier New';">You can turn off the router on router detection from the management and diagnostic console of your gateway. To get to the MDC: http://gateway.2wire.net/mdc http://192.168.1.254/mdc http://172.16.0.1/mdc http://home/mdc http://homeportal/mdc Once there, go to Local Network, Configure, the last option will allow you to turn off Router on Router detection.</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Verdana;">Well, the proposed work-around did not solve the particular problem of running VMWare host OS&rsquo;s in bridged network mode (my router detection option is already off), but it does work if you have a physical router attached to the 1701HG Gateway.</span></p>
<p><span style="font-size: 10pt; font-family: Verdana;">But I thought that the information 2Wire&rsquo;s customer service gave might be helpful for advanced users, because the MDC gives tons of options that you can use to tweak your 2wire gateway. One option particularly worth noting is the ability to change your upstream speed. I guess that your DSL provider might have some limitations on how much you can modify this setting. According to my own tests though, it does work.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.kerrywong.com/2007/01/04/2wire-gateway-router-behind-router-problem-update/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Problems with 2Wire Gateway When Running VMWare</title>
		<link>http://www.kerrywong.com/2006/06/06/problems-with-2wire-gateway-when-running-vmware/</link>
		<comments>http://www.kerrywong.com/2006/06/06/problems-with-2wire-gateway-when-running-vmware/#comments</comments>
		<pubDate>Tue, 06 Jun 2006 11:53:14 +0000</pubDate>
		<dc:creator>kwong</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Router]]></category>
		<category><![CDATA[VMWare]]></category>

		<guid isPermaLink="false">http://dimension/2006/06/06/problems-with-2wire-gateway-when-running-vmware/</guid>
		<description><![CDATA[As I mentioned in my previous post, my service provider replaced my old DSL router (2Wire HomePortal 1000SW) with a new one (2Wire 1701HG Gateway). In theory these two DSL routers are almost identical (the new one has more Ethernet ports so more devices can be connected directly without using a switch), and I should [...]]]></description>
			<content:encoded><![CDATA[<p>As I mentioned in my previous post, my service provider replaced my old DSL router (2Wire HomePortal 1000SW) with a new one (2Wire 1701HG Gateway). In theory these two DSL routers are almost identical (the new one has more Ethernet ports so more devices can be connected directly without using a switch), and I should not be expecting any problems…<span id="more-86"></span></p>
<p>Well, this was clearly not the case according to Murphy&#8217;s Law. When I booted up my server that is running under a VMWare (Version 5.5.1 build-19175) session, everything seemed to be working fine… until I fired up a browser on my host machine. I was immediately greeted with a message from the 2Wire router “Router behind Router…” To be fair, this message is actually correct. Since VMWare sets up a bridged network on the host by default, to the outside world it would seem like there is a “router” on the host machine (the virtual devices VMware Network Adapter VMnet8 and VMnet1 behave like routers). The 2Wire router suggested that it needed to assign one machine a “static” IP address to avoid the “Router behind Router” issue. Well, I did not have a choice as to which machine I wanted to assign a static IP to. But fortunately, when I clicked OK, the host machine was chosen to be static.</p>
<p>For a while, everything seemed to be working until I booted up my wife’s machine, which is also connected to the new 2Wire router (I only have two physical machines connected to the router, nothing fancy.). When I opened up a browser window, I received the same message as I did on my machine. I had to let the router decide which machine to assign a static IP to again! Well, this time the 2Wire router decided to assign my wife’s computer a static IP. After that everything seemed to work, including my computer and the virtual machines running on it.</p>
<p>I guess that was just an illusion. After about five minutes, when I went back to check on my computers again, I was greeted with the same “Router behind Router” message on my machine, but this time I couldn’t assign it a static IP anymore because the router reported that it had detected that “another device” is using a static IP and it can’t (for some reason) be forcibly taken away! And the same message appeared on my wife’s computer and the virtual server as well. So I was in a situation where there was no internet access from any of the machines… Out of curiosity, I checked my server from another internet connection. It seemed that my server was actually up and running because I could see my web pages, and I could also open a remote desktop session back to my server! But I just could not see the “outside” world from my home. I had to hard reset the router to start all over again.</p>
<p>I spent the next few days trying different configurations, including setting the 2Wire router to DMZ mode and hooking up my own router instead (note, this was my original setting since the 2Wire HomePortal 1000SW only has one Ethernet port)… It failed to work also. A couple of other configurations (including changing the subnet IP range) also failed. It seems that the 2Wire 1701HG Gateway is very stubborn. It insists on being the only device that assigns all the IPs.</p>
<p>After three days’ struggle, I finally came to the conclusion that there is no hope of using that router and VMWare virtual hosts at the same time, at least not using bridged network mode. The only way I could use a VMWare session is to set it to use NAT. Unfortunately I couldn’t use NAT for my web server since I need to assign my port 80 to route to the host and NAT makes my virtual host share the same IP as my host…</p>
<p>Well, for the time being I am stuck. In order to get my website running and everyone happy at the same time, I had to copy my website from the virtual server to my workstation, which is far from ideal. But that is the only setting that makes the router happy… </p>
<p>So now my website is “downgraded” (running on a workstation vs. running on a server). Well, I probably don’t have enough traffic to see the real impact right now. But I lost my ftp server as a result as well.</p>
<p>Clearly, the design of 2Wire 1701HG is flawed. Unfortunately, not many home users do what I do at home. I will try to contact 2Wire to see if they can find a solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kerrywong.com/2006/06/06/problems-with-2wire-gateway-when-running-vmware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
