Every now and then, cleaning through the devices abandoned at customers’ premises by the various providers, we also come across little toys that can still offer a lot, especially in a HomeLab context or for emergency solutions (being careful that they do not become permanent…).
These can certainly include the Huawei AR502 4G router**, kindly offered decommissioned by Vodafone, which happened to fall into my hands and to date is doing excellent 24/7 service as a HomeLab router.
Let’s see how to configure it for our basic needs.

First login and default password

Get a console cable, the classic Cisco console cable will be fine, and run Putty to connect via RS232 with speed 9600.

The default credentials of Huawei routers are:

  • user = admin
  • password = Admin@huawei

If, as in my case, the credentials have been changed and you do not know them, you will have to proceed with resetting them. Fortunately, the procedure is beyond simple!

huawei AR500

Password reset

While remaining connected via console we restart the router, during the boot phase at some point the following indication will appear:

Press Ctrl+B to break auto startup … 3

We then use Ctrl-B to access the BootROM menu, here we are asked for the default password, Admin@huawei.
At this point we move on through the various menus:

  • (7) - Password Manager
  • (2) - Clear the console login password
  • (0) - Return
  • (6) - Reboot

huawei password reset

And voilà! The router will perform a new reboot at the end of which the password is not requested, while maintaining the previously active configuration!

Huawei CLI Basic Commands

Before going into the actual configuration of the router, it will be useful to list some of the basic commands in the Huawei CLI.

system-view - enable system access, configuration can only be changed in this mode
quit - exit the current configuration view/block
display current-configuration - show the active configuration
display saved-configuration - show the active configuration at next boot
save - save the current-configuration as startup
factory-configuration reset - reset to factory default
display startup - show the files used at boot time, such as firmware and config file
display patch-information - show the patches applied to the active firmware
display version - show the sw and hw release of the device
display device - show the hw components and their status
reboot - restart device

Configuring Huawei AR502 router

Let’s start by setting the hostname:

<Huawei>system-view
[Huawei]
[Huawei]sysname Huawei-Lab
[Huawei-Lab]

Enable DNS resolution and NTP synchronization, useful for troubleshooting:

[Huawei-Lab]dns resolve
[Huawei-Lab]dns server 8.8.8.8
[Huawei-Lab]dns server 8.8.4.4
[Huawei-Lab]
[Huawei-Lab]ntp-service unicast-server 0.pool.ntp.org
[Huawei-Lab]ntp-service unicast-server 1.pool.ntp.org

Enable DHCP server service:

[Huawei-Lab]dhcp enable
[Huawei-Lab]dhcp server database enable
[Huawei-Lab]dhcp server database recover
[Huawei-Lab]bridge dhcp terminate enable

Set up an IP for VLAN 1, associate a DHCP pool, and make sure to enable all available GigabitEthernet ports:

[Huawei-Lab]interface Vlanif1
[Huawei-Lab-Vlanif1]ip address 192.168.30.1 255.255.255.0
[Huawei-Lab-Vlanif1]dhcp select interface
[Huawei-Lab-Vlanif1]dhcp server ip-range 192.168.30.100 192.168.30.200
[Huawei-Lab-Vlanif1]dhcp server dns-list 8.8.8.8 8.8.4.4
[Huawei-Lab-Vlanif1]quit
[Huawei-Lab]
[Huawei-Lab]interface GigabitEthernet0/0/0
[Huawei-Lab-GigabitEthernet0/0/0]description LAN0
[Huawei-Lab-GigabitEthernet0/0/0]undo shutdown
[Huawei-Lab-GigabitEthernet0/0/0]quit
[Huawei-Lab]
[Huawei-Lab]interface GigabitEthernet0/0/1
[Huawei-Lab-GigabitEthernet0/0/1]description LAN1
[Huawei-Lab-GigabitEthernet0/0/1]undo shutdown
[Huawei-Lab-GigabitEthernet0/0/1]quit

Make an ACL for internal network IPs that have to pass through Dynamic NAT to go out to the Internet.
In this case, I just trivially added all the classes defined as private according to RFC 1918.

[Huawei-Lab]acl number 2002
[Huawei-Lab-acl-adv-2002]description OUTGOOING-NAT
[Huawei-Lab-acl-adv-2002]rule 5 permit source 10.0.0.0 0.255.255.255
[Huawei-Lab-acl-adv-2002]rule 10 permit source 172.16.0.0 0.15.255.255
[Huawei-Lab-acl-adv-2002]rule 15 permit source 192.168.0.0 0.0.255.255

Now let’s define the APN to be used with our provider, Vodafone in this case:

[Huawei-Lab]apn profile VODAFONE
[Huawei-Lab-apn-profile-VODAFONE]apn web.omnitel.it
[Huawei-Lab-apn-profile-VODAFONE]quit

And finally set our WAN interface, Cellular0/0/0, and configure it as default route:

[Huawei-Lab]dialer-rule
[Huawei-Lab-dialer-rule]dialer-rule 1 ip permit
[Huawei-Lab-dialer-rule]quit
[Huawei-Lab]
[Huawei-Lab]interface Cellular0/0/0
[Huawei-Lab-Cellular0/0/0]dialer enable-circular
[Huawei-Lab-Cellular0/0/0]dialer-group 1
[Huawei-Lab-Cellular0/0/0]dialer timer idle 20
[Huawei-Lab-Cellular0/0/0]apn-profile VODAFONE
[Huawei-Lab-Cellular0/0/0]dialer timer autodial 10
[Huawei-Lab-Cellular0/0/0]dialer number *99# autodial
[Huawei-Lab-Cellular0/0/0]nat outbound 2002
[Huawei-Lab-Cellular0/0/0]modem auto-recovery dial action modem-reboot fail-times 128
[Huawei-Lab-Cellular0/0/0]antenna outer
[Huawei-Lab-Cellular0/0/0]modem auto-recovery services-unavailable action modem-reboot test-times 0 interval 3600
[Huawei-Lab-Cellular0/0/0]modem auto-recovery sim-invalid action modem-reboot enable
[Huawei-Lab-Cellular0/0/0]ip address negotiate
[Huawei-Lab-Cellular0/0/0]quit
[Huawei-Lab]
[Huawei-Lab]ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0

Turn on SSH access and only from LAN interfaces:

[Huawei-Lab]stelnet server enable
[Huawei-Lab]ssh server permit interface GigabitEthernet0/0/0 GigabitEthernet0/0/1
[Huawei-Lab]
[Huawei-Lab]user-interface vty 0
[Huawei-Lab-ui-vty0]authentication-mode aaa
[Huawei-Lab-ui-vty0]user privilege level 15
[Huawei-Lab-ui-vty0]protocol inbound ssh

As additional safeguards, we can limit SSH access only from specific IPs:

[Huawei-Lab]acl number 2098
[Huawei-Lab-acl-adv-2098]description VTI-SSH
[Huawei-Lab-acl-adv-2098]rule 0 permit source 192.168.30.0 0.0.0.255
[Huawei-Lab-acl-adv-2098]quit
[Huawei-Lab]user-interface vty 0
[Huawei-Lab-ui-vty0]acl 2098 inbound
[Huawei-Lab-ui-vty0]quit

Also, while there, let’s enable HTTPS access from VLAN 1:

[Huawei-Lab]ssl policy default_policy type server
[Huawei-Lab-ssl-policy-default_policy]pki-realm default
[Huawei-Lab-ssl-policy-default_policy]version tls1.2
[Huawei-Lab-ssl-policy-default_policy]ciphersuite rsa_aes_256_sha256 ecdhe_rsa_aes128_gcm_sha256
[Huawei-Lab-ssl-policy-default_policy]quit
[Huawei-Lab]
[Huawei-Lab]http secure-server ssl-policy default_policy
[Huawei-Lab]http server enable
[Huawei-Lab]http secure-server enable
[Huawei-Lab]http server permit interface Vlanif1

All that remains is to enable the user for each type of access and change the password:

[Huawei-Lab]aaa
[Huawei-Lab-aaa]local-user admin password irreversible-cipher YOUR_PASSWORD
[Huawei-Lab-aaa]local-user admin service-type terminal ssh http
[Huawei-Lab-aaa]local-user admin privilege level 15

Then finish by saving the configuration:

[Huawei-Lab]save

Huawei firewall rules configuration

The ACLs we have seen so far only work at the packet filter level and are stateless. If we want to add some additional controls, actually not so much on the AR502, we proceed as follows.

For protection from the most common attacks:

[Huawei-Lab]firewall defend land enable
[Huawei-Lab]firewall defend smurf enable
[Huawei-Lab]firewall defend fraggle enable
[Huawei-Lab]firewall defend winnuke enable
[Huawei-Lab]firewall defend syn-flood enable
[Huawei-Lab]firewall defend udp-flood enable
[Huawei-Lab]firewall defend icmp-flood enable
[Huawei-Lab]firewall defend icmp-redirect enable
[Huawei-Lab]firewall defend icmp-unreachable enable
[Huawei-Lab]firewall defend ip-sweep enable
[Huawei-Lab]firewall defend port-scan enable
[Huawei-Lab]firewall defend tracert enable
[Huawei-Lab]firewall defend ping-of-death enable
[Huawei-Lab]firewall defend teardrop enable
[Huawei-Lab]firewall defend tcp-flag enable
[Huawei-Lab]firewall defend ip-fragment enable
[Huawei-Lab]firewall defend large-icmp enable
[Huawei-Lab]firewall blacklist enable

To enable session tracking, which is active only between different security zones, we need to create at least two zones and assign them to the corresponding interfaces:

[Huawei-Lab]firewall zone TRUSTED
[Huawei-Lab-zone-TRUSTED]priority 14
[Huawei-Lab-zone-TRUSTED]quit
[Huawei-Lab]firewall zone UNTRUSTED
[Huawei-Lab-zone-UNTRUSTED]priority 1
[Huawei-Lab-zone-UNTRUSTED]quit
[Huawei-Lab]firewall interzone TRUSTED UNTRUSTED
[Huawei-Lab-interzone-TRUSTED-UNTRUSTED]firewall enable
[Huawei-Lab-interzone-TRUSTED-UNTRUSTED]quit
[Huawei-Lab]
[Huawei-Lab]interface Vlanif1
[Huawei-Lab-Vlanif1]zone TRUSTED
[Huawei-Lab-Vlanif1]quit
[Huawei-Lab]
[Huawei-Lab]interface Cellular0/0/0
[Huawei-Lab-Cellular0/0/0]zone UNTRUSTED
[Huawei-Lab-Cellular0/0/0]quit
# Verify
[Huawei-Lab]display firewall interzone TRUSTED UNTRUSTED
interzone TRUSTED UNTRUSTED                                                       
 firewall enable                                                                
 packet-filter default deny inbound                                             
 packet-filter default permit outbound   

Other useful commands

In the case of hotswap SIM replacement or APN change the internal modem must be reset:

<Huawei-Lab>system-view command to enter the system view.
[Huawei-Lab]interface Cellular0/0/0
[Huawei-Lab-Cellular0/0/0]modem reboot