BT Infinity TR069 VLAN Access

Looking at the Customer Premise Equipment with a standard BT Infinity installation, we have;

The BT Home Hub 3

This isn’t really that interesting for looking at the infinity network, it’s a NAT router with WiFi that gets it’s internet connectivity via an Ethernet port and authenticates via PPPoE.

We’ll leave it there for the home hub, we’re more interested in the device that sits between the home hub and the BT wall socket, the re-badged Huawei HG612 VDSL router.

Huawei HG612

This device is used to bridge the VDSL link (Layer 1/2 protocol on which connectivity is delivered to the premise) to the Ethernet link into the home hub (or any other router for that matter).

The device is the demarcation point for BT Openreach’s service (who provide the VDSL infrastructure branded by BT as infinity) and probably belongs to BT Openreach even though it’s in your premise. (can someone confirm this?).

The device arrives with the Openreach engineer when the service is installed and is locked down with a custom firmware to provide only one customer-facing action, a bridge between the VDSL connection and an Ethernet port to the homehub. Authentication credentials are set on the homehub/router and also passed through the HG612 to the external infinity infrastructure via PPTP.

Anyway, enough background information. There are many places on the web already covering these devices in detail and we just don’t care that much within the scope of this post.

Getting more information from the HG612

So I started looking for more information from the configuration of this device and found that unofficial firmware has already been released; driven it seems by users wanting VDSL statistics from the device which the current firmware doesn’t provide. In-fact by default it provides no user portal/access and is meant to be a black box behind your homehub that you ignore.

Updating/unlocking this device to access it’s functionality is out of scope of this post, information can be found here;

Click to access hg612_unlock_instructions_v1-3.pdf

Looking around the HG612 configuration

So, DSL stats are fine, cacti will be happy, you’ll be interested in your new graphs for a couple of minutes, then once you’re bored; what else is there?

So, this is what I was interested in;

PTM (Packet transfer mode) is an encapsulation method supported on VDSL2 allowing the transport of IP, PPP, Ethernet or MPLS packets over the DSL link instead of using ATM. It’s based on EFM (first mile ethernet IEEE802.3ah).

We see there are two Ethernet VLAN’s being presented down the VDSL PTM link, one which gets bridged directly through to the internal ‘LAN1’ port on the Huawei device. This is our internet connection, which gets tagged with VLAN tag 101 on the PTM link.

However, there is another connection, VLAN301, which terminates on the Huawei device itself; If you click around the Huawei web interface, you’ll find a DHCP client expects to get an IP address from this VLAN, providing a control network for the HG216 to run TR-069 autoconfiguration.

https://en.wikipedia.org/wiki/TR-069

Because the existing PTM1.301 interface isnt a bridge it’s IP terminated, I couldn’t find any way of bridging this VLAN directly to a laptop via the ‘unused’ LAN2 port (that you’ll be familiar with if you’ve updated the firmware on your Huawei device, as it’s this port that is configured on 192.168.1.1/24 for the web interface and telnet access).

However, it can be done through the CLI;

using brctl command after logging in via telnet and typing ‘shell’, you can end up with the PTM1.301 interface bridged to the physical LAN2 port.

Connected to 192.168.1.1.
Escape character is ‘^]’.

Welcome Visiting Huawei  Home Gateway
Copyright by Huawei Technologies Co., Ltd.
Login:admin
Password:
ATP>shell

BusyBox v1.9.1 (2010-10-15 17:59:06 CST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

# brctl show
bridge name            bridge id               STP enabled     interfaces
br0             8000.XXXXXXXXXXXX       no              eth0.2
                                                                                                 eth0.3
                                                                                                 eth0.4
                                                                                                 ptm1.301
br1             8000.XXXXXXXXXXXX                           ptm1.101
                                                                                                 eth0.5
#
ATP>

So, laptop connected to LAN2, dhclient;

[root@box ~]# dhclient eth0
[root@box ~]# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 30.4x:xx:xx/21 brd 30.4x:xx:xx scope global eth0
    inet6 fe80::xxx:xxx:xx:xx:xx:xxx/64 scope link
       valid_lft forever preferred_lft forever

Excellent, IP address in 30.4x.xx.xx/21 range with two nameservers and a default gateway.

You can dhclient the VLAN301 IP and still also manually set a 192.168.1.2/24 IP to keep your access to the management interface of the HG612 (of course).

Thats all for now, seems interesting.