BiPAC 8900AX(L)-2400 - Questions from a new Billion user

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
dalyboy
Posts: 10
Joined: Thu Jun 13, 2019 3:06 pm

Post by dalyboy »

Hi all,

I've recently acquired a BiPAC 8900AX(L)-2400 to replace my Sky Q hub (UK Fibre connection) as I require a bit more configurability, VPN etc. on my local network. I'm not a skilled networking person but reasonably IT savvy (software development background) and chose this router as it is quite well regarded, it's probably overkill for my needs but I wanted something I was confident could meet my needs and I'm finding it does work well. Below are some findings/questions, I'm hoping I can get clarified please...

1) WAN Service - My internet connection drops every couple of days requiring a router reboot; I'm not sure if this is expected (due to no longer being Sky equipment) or if something is not configured correctly. The settings used can be found in the attached screenshots, the internet connection works well whilst it does work though (fast, good wifi) so hoping someone can confirm there isn't something obvious that is incorrect with my settings.
2) openVPN - I can connect back to my local network remotely now having configured the openVPN server on the router. More generally is there any way I can use the router to restrict the client VPN connections e.g. by VPN client account, to specific IP addresses on the LAN whilst connected via VPN e.g. I have somebody I wish to allow VPN access, but then only allow them access to server A but not server B; or is this something needing to be configured on the destination machine/server itself i.e. either via local server firewall, or application access etc.

3) Router remote access - What is the purpose of the 'support' account? I have managed to log in to the router remotely via my static DNS entry (port 80) using the admin 'account'. I was under the impression that only the 'support' account could access the router remotely. Also is it possible to make access more secure? e.g. via HTTPS or changing the port.

Edit:-

Firmware/Software version: 2.52.d34 (pre-installed from new)

Thanks,

dalyboy
billion_fan
Posts: 5375
Joined: Tue Jul 19, 2011 4:30 pm

Post by billion_fan »

dalyboy wrote: Thu Jun 13, 2019 3:41 pm Hi all,

I've recently acquired a BiPAC 8900AX(L)-2400 to replace my Sky Q hub (UK Fibre connection) as I require a bit more configurability, VPN etc. on my local network. I'm not a skilled networking person but reasonably IT savvy (software development background) and chose this router as it is quite well regarded, it's probably overkill for my needs but I wanted something I was confident could meet my needs and I'm finding it does work well. Below are some findings/questions, I'm hoping I can get clarified please...

1) WAN Service - My internet connection drops every couple of days requiring a router reboot; I'm not sure if this is expected (due to no longer being Sky equipment) or if something is not configured correctly. The settings used can be found in the attached screenshots, the internet connection works well whilst it does work though (fast, good wifi) so hoping someone can confirm there isn't something obvious that is incorrect with my settings.


2) openVPN - I can connect back to my local network remotely now having configured the openVPN server on the router. More generally is there any way I can use the router to restrict the client VPN connections e.g. by VPN client account, to specific IP addresses on the LAN whilst connected via VPN e.g. I have somebody I wish to allow VPN access, but then only allow them access to server A but not server B; or is this something needing to be configured on the destination machine/server itself i.e. either via local server firewall, or application access etc.

3) Router remote access - What is the purpose of the 'support' account? I have managed to log in to the router remotely via my static DNS entry (port 80) using the admin 'account'. I was under the impression that only the 'support' account could access the router remotely. Also is it possible to make access more secure? e.g. via HTTPS or changing the port.

Edit:-

Firmware/Software version: 2.52.d34 (pre-installed from new)

Thanks,

dalyboy

1. The setup looks fine, you will have to check the system log after the connection has dropped to see why the router does not auto reconnect (don't reboot the router until you have checked the logs, as after a reboot the logs will be cleared)

2. I will check with our engineers if there is something we can do, but I have a feeling we won't be able to limit access on the LAN

3. If I remember correctly the support account will give you limited access to the web GUI (so not full admin access), not really used by anyone, but part of the standard Broadcom code (to limit user access in a way). The support account is disabled by default so not a security risk.

Yes you can change the port under 'Advanced Setup >> Management >> HTTP Port', no HTTPS support
dalyboy
Post by dalyboy »

Great! I'll check the logs if/when it happens again. Good to know all 'looks' OK though. Don't know how I missed the setting for the HTTP port :)

Thanks for your help.
billion_fan
Post by billion_fan »

dalyboy wrote: Thu Jun 13, 2019 5:35 pm Great! I'll check the logs if/when it happens again. Good to know all 'looks' OK though. Don't know how I missed the setting for the HTTP port :)

Thanks for your help.

Something I just noticed: the Option 61 Client ID should normally be in the format username@skydsl|password, e.g. 12345676@skydsl|password. The '|' is important to separate the username and password.
dalyboy
Post by dalyboy »

OK, the connection had been stable since last week but went down today. Having checked the logs most/all the entries relate to openVPN so I guess either nothing relevant was logged or the openVPN is a factor.

Anyway I've set the Option 61 Client ID to 'abcdefgh@skydsl|1234567890abcdef' (taken as an example from another thread). Will continue to monitor and will feedback.
billion_fan
Post by billion_fan »

dalyboy wrote: Wed Jun 19, 2019 4:30 pm OK, the connection had been stable since last week but went down today. Having checked the logs most/all the entries relate to openVPN so I guess either nothing relevant was logged or the openVPN is a factor.

Anyway I've set the Option 61 Client ID to 'abcdefgh@skydsl|1234567890abcdef' (taken as an example from another thread). Will continue to monitor and will feedback.

Also set the logging to debugging (Configuration >> System >> Configure Log), set both options (Log/Display Level) to 'Debugging'

Also got a reply from our engineers regarding your Open VPN question about limiting LAN access to servers, they said this can't be done on the router, once you dial into the network, you have full access to the network
dalyboy
Post by dalyboy »

billion_fan wrote: Thu Jun 20, 2019 9:26 am Also set the logging to debugging (Configuration >> System >> Configure Log), set both options (Log/Display Level) to 'Debugging'

Also got a reply from our engineers regarding your Open VPN question about limiting LAN access to servers, they said this can't be done on the router, once you dial into the network, you have full access to the network

Thanks for the feedback. I had a disconnect overnight but now I have set the logging level to 'Debugging' like you have advised so will now monitor and capture the log more 'properly'. Is it ok to attach the log to this thread or does it contain sensitive information not suitable for uploading?
billion_fan
Post by billion_fan »

dalyboy wrote: Thu Jun 20, 2019 1:20 pm
billion_fan wrote: Thu Jun 20, 2019 9:26 am Also set the logging to debugging (Configuration >> System >> Configure Log), set both options (Log/Display Level) to 'Debugging'

Also got a reply from our engineers regarding your Open VPN question about limiting LAN access to servers, they said this can't be done on the router, once you dial into the network, you have full access to the network
Thanks for the feedback. I had a disconnect overnight but now I have set the logging level to 'Debugging' like you have advised so will now monitor and capture the log more 'properly'. Is it ok to attach the log to this thread or does it contain sensitive information not suitable for uploading?

It's fine to attach the log, just delete any lines with your IP address and replace it with xxx.xxx.xxx.xxx for example
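
The redaction suggested above can be scripted, shown here as an added example that is not part of the original posts. It goes slightly further than the advice: it keeps LAN/VPN-internal addresses (useful for diagnosis) and also strips an Option 61 client ID, in case the debug log echoes it. The log lines are constructed samples, not output from this router.

```python
import ipaddress
import re

# Dotted quad not embedded in a longer dotted number; a trailing full stop is allowed.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
# Option 61 client ID in the username@skydsl|password form discussed in this thread.
CLIENT_ID_RE = re.compile(r"\S+@skydsl\|\S+")
# Explicit list of ranges treated as local (RFC 1918 plus loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines for illustration only.
SAMPLE_LOG = (
    "Jun 21 07:31:02 daemon info dhcpc: lease of 203.0.113.57 obtained via 203.0.113.1.\n"
    "Jun 21 07:31:03 daemon debug dhcpc: option 61 client-id 12345676@skydsl|password\n"
    "Jun 21 07:31:05 daemon info openvpn: peer 198.51.100.24:51820 connected, gets 10.8.0.6\n"
    "Jun 21 07:32:10 kern info eth1: link up, host 192.168.1.20\n"
)


def _mask(match, keep_local):
    try:
        addr = ipaddress.IPv4Address(match.group(0))
    except ipaddress.AddressValueError:
        return match.group(0)  # not a valid address, e.g. 999.1.1.1
    if keep_local and any(addr in net for net in LOCAL_NETS):
        return match.group(0)
    return "xxx.xxx.xxx.xxx"


def redact_line(line, keep_local=True):
    """Mask the client ID first, then every non-local IPv4 address."""
    line = CLIENT_ID_RE.sub("<client-id-removed>", line)
    return IPV4_RE.sub(lambda m: _mask(m, keep_local), line)


def redact_log(text, keep_local=True):
    return "".join(redact_line(line, keep_local)
                   for line in text.splitlines(keepends=True))


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG), end="")
```

Pass `keep_local=False` to mask LAN and VPN addresses as well before posting publicly.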
dalyboy
Post by dalyboy »

Hi billion_fan,

I've set the logging level to 'Debugging' but wanted to check if it is working correctly. Attached is what I can see on screen under Status > Log > System, taken at 0741 on 21st June 2019. I had to create PDF, as wasn't allowed to attach '.txt' file.

Some things I've noticed:
  • The same set of messages seem to be being repeated, every few minutes.
  • The log only displays approx. 10 minutes of entries; presuming this is due to length. I copied from screen into a text editor, is there a proper 'export log' function?
  • The level of detail appears to be no greater than before setting level to 'Debugging'
So I wondered whether the logging itself was working as expected.

Firmware/Software version: 2.52.d34 (pre-installed from new)

Thanks,

dalyboy
billion_fan
Post by billion_fan »

dalyboy wrote: Fri Jun 21, 2019 7:58 am Hi billion_fan,

I've set the logging level to 'Debugging' but wanted to check if it is working correctly. Attached is what I can see on screen under Status > Log > System, taken at 0741 on 21st June 2019. I had to create PDF, as wasn't allowed to attach '.txt' file.

Some things I've noticed:
  • The same set of messages seem to be being repeated, every few minutes.
  • The log only displays approx. 10 minutes of entries; presuming this is due to length. I copied from screen into a text editor, is there a proper 'export log' function?
  • The level of detail appears to be no greater than before setting level to 'Debugging'
So I wondered whether the logging itself was working as expected.

Firmware/Software version: 2.52.d34 (pre-installed from new)

Thanks,

dalyboy

It seems to be working fine (just the normal ethernet logs), but I think the logs will fill up quick and delete the previous logs when the disconnection occurs, hence you weren't able to see the logs last time, as they were overwritten with the OpenVPN logs.

Attached is a guide on how to set up a syslog server, so all logs can be captured without overwriting the previous logs, you will need to leave a PC on running to capture the logs though (if possible)
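
A minimal receiver of the kind described above, as an added example; it is not the attached guide and not Billion's software. It assumes the router can be pointed at the PC's LAN address and sends RFC 3164-style syslog over UDP; the file name `router-syslog.log` is arbitrary.

```python
import re
import socketserver
import sys
from datetime import datetime

PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def format_record(data, source_ip, now=None):
    """Turn one syslog datagram into a single, safe log line."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    severity = "unknown"
    match = PRI_RE.fullmatch(text)
    if match and int(match.group(1)) <= 191:
        # PRI = facility * 8 + severity (RFC 3164), so severity is PRI mod 8.
        severity = SEVERITIES[int(match.group(1)) % 8]
        text = match.group(2)
    # Replace control characters so a crafted datagram cannot forge extra lines.
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    stamp = (now or datetime.now()).isoformat(timespec="seconds")
    return f"{stamp} {source_ip} {severity} {text}\n"


def append_record(log_path, data, source_ip, now=None):
    """Append (never truncate) so entries before a disconnect are kept."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(format_record(data, source_ip, now))


class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # for UDP servers: (bytes, socket)
        append_record(self.server.log_path, data, self.client_address[0])


def make_server(log_path, host="0.0.0.0", port=514):
    # 514/udp is the standard syslog port; binding it usually needs admin
    # rights. Pass the PC's LAN address as host to listen on that interface only.
    server = socketserver.UDPServer((host, port), SyslogHandler)
    server.log_path = log_path
    return server


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "router-syslog.log"
    with make_server(path) as srv:
        srv.serve_forever()
```

Because every datagram is appended with the PC's own receive time, the entries leading up to a drop remain in the file even after the router's on-screen log has rolled over or the router has been rebooted.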