nicklasfrahm / netadm

A CLI and a set of client libraries to manage network devices written in Go.
MIT License

POE on/off? #1

Open baylanger opened 2 years ago

baylanger commented 2 years ago

Hello,

What does this cli support so far? It's not obvious because I haven't received my Netgear POE managed switch yet.

Can this cli turn on/off POE ports? If not, is it a lot of work to add? I can look into it but I'm no Go programmer.

Thanx.

nicklasfrahm commented 2 years ago

Currently the CLI supports read operations only for most parameters. You can get a list for those via nsdp keys. PoE is not yet supported, but I could give it a try, so you can both read and write this option. 😊

nicklasfrahm commented 2 years ago

@baylanger Which switch did you order? I could buy a PoE switch, but I don't really have a use-case for it. If you have your switch, I could implement this functionality if you commit to testing it.

baylanger commented 2 years ago

I still haven't received the switch... I went with a GS308EPP but if you don't need so many ports there's the GS305EPP.

I have tp-link eap660hd access points and they need PoE+ but cameras usually don't need so much power, perhaps a few high end/expensive options?! maybe a small 5W heater for winter time?!

Netgear has a few other models like 8 ports w/ 4 ports PoE (+ ?) .. can't recall if that one was managed or not.

tp-link has a few options as well BUT per reviews on amazon.com etc .. they're not rated as good as the netgear. What bugs me is that if this switch fails, I'm out of wifi but the AP came with power adapters. In worst case, I have a backup plan. Maybe not for my cameras and that's fine for me.

In Canada and in the US the GS308EPP is back order, the GS305EPP is available on a few sites. If you happen to find GS308EPP in Europe, let me know I might ask you to ship me one ;)

baylanger commented 2 years ago

Oops ... forgot the last point. I see this is written in Go, I'm not a go guy but always wanted to learn it.

Let me first get the switch before starting any work :D , Newegg shows end of March to receive stock but last month the date was end of February. Delivery has already been pushed out at least once.

I'll be back ... hoping Putin doesn't nuke the world.

nicklasfrahm commented 2 years ago

You are a gem! Sorry I didn't come back earlier. I am currently getting ready to move.

Just FYI, I will rename the repo and make it more general purpose while retaining the same functionality.

You could try to order from amazon.de. They seem to have it in stock.

Sylensky commented 2 years ago

I am really looking forward to these features. Keep up the great work!

baylanger commented 2 years ago

My order hasn't shipped yet …. Still back order everywhere…. When it ships it will be obsolete and PoW will be available. That is Power over Wireless

nicklasfrahm commented 2 years ago

@baylanger I have a confession to make. I bought the GS308EPP and I might implement this now. 😅

Honestly just bought the switch because it seemed fun.

baylanger commented 2 years ago

@nicklasfrahm fantastic. Looks like there are other people in line waiting for this, I mean .. they already have such a switch. I might get mine after you've added this new feature 🤔 or just next year?! 😢 With Silicon backlog, Netgear is likely prioritizing business products where they probably make more money.

FYI I did check on amazon.de and they won't deliver to Canada.

nicklasfrahm commented 2 years ago

I could send mine to you once I implement this feature. I don't have a timeline, but I have 0 usage for PoE haha. Literally just bought it to implement this feature.

nicklasfrahm commented 2 years ago

FYI, I am doing a major rewrite so that I can support multiple protocols in the future so this will take some time. Hope that is okay. If you urgently need this feature, I can postpone the rewrite.

baylanger commented 2 years ago

@nicklasfrahm thank you for the offer, I was quite busy last week. FYI I received an email from online store saying my item is still backorder … currently the date shows in stock May 26. Is it really going to ship this week?!?!

Sylensky commented 2 years ago

Do you have an ETA for the rewrite and this particular feature?

baylanger commented 2 years ago

@nicklasfrahm fyi turns out my switch finally shipped out… I should receive it by end of day. Let us know at the end if you intend to sell it, perhaps someone here is interested. If you lose money, let us know - perhaps a few of us will chip in money to cover any loss.

nicklasfrahm commented 2 years ago

I put the rewrite on hold to prioritize this feature. Maximum a week, I would say.

nicklasfrahm commented 2 years ago

Okay, I need help. Are any of you running Windows?

baylanger commented 2 years ago

Depends what you need. I have access to a Windows computer but no admin access… can't install anything.

Sylensky commented 2 years ago

I can test on whichever OS you would like, except Mac OS.

nicklasfrahm commented 2 years ago

Could you modify the PoE configuration via the ProSafe tool from Netgear, record that via Wireshark and send me the capture file? For some reason I can only see my GS308E, but not my GS308EPP switch when I run the ProSafe tool via wine on Ubuntu.

Sylensky commented 2 years ago

I am not sure if I missed something but the switch is detected from the ProSAFE Plus Utility but it doesn't let me log in and tells me "The ProSafe Plus Utility management for this switch is currently disabled". I checked the web configuration and I am unable to find an entry that should enable this feature. Is it even included in that switch with firmware version 1.0.0.8?

nicklasfrahm commented 2 years ago

If you navigate to Settings > Switch Discovery you will find a toggle that is disabled by default. Setting this to On and clicking Apply will enable the Netgear Switch Discovery Protocol for out-of-band management. Please also see the attached screenshot. image

baylanger commented 2 years ago

When I was looking for Netgear Prosafe… on the web site it says product is end of life.

When I search for gs308epp , the download link shows a new discovery product. Would this new tool do the job?

https://www.netgear.com/support/product/gs308epp.aspx#download

There's a Mac and Linux version.

baylanger commented 2 years ago

I refer to the "netgear switch discovery tool" but I just noticed on that same download page, Prosafe tool is also there.

Using search engine I tried to find information on the difference between the 2 tools and couldn't find anything. I'm away from home otherwise I'd download the "new?" tool and give it a try.

baylanger commented 2 years ago

I'm on my phone in a waiting room…. I really have nothing to do 🤓

Netgear doesn't seem to have any documentation available for NSDT, not even on the "official" download page.

https://www.netgear.com/support/product/netgear-switch-discovery-tool.aspx

nicklasfrahm commented 2 years ago

FYI, Netgear provides two tools. The fancy, new NSDT and the old ProSAFE Plus Configuration Utility v2.7.8, which may also be found on the website you provided. The tool from which I need the logs is the ProSAFE Plus Configuration Utility v2.7.8, because NSDT can only discover switches and link to their web interface, but not configure them. It is a really dumb tool, IMO.

baylanger commented 2 years ago

I kept telling myself, Netgear's new tool must do everything the "deprecated" tool was doing…. but per the name (discovery) it did sound like it was only to discover. Thanx for confirming Netgear is doing something … the wrong way :)

Sylensky commented 2 years ago

> If you navigate to Settings > Switch Discovery you will find a toggle that is disabled by default. Setting this to On and clicking Apply will enable the Netgear Switch Discovery Protocol for out-of-band management. Please also see the attached screenshot. image

This setting is enabled, else I wouldn't see the switch in the ProSAFE Utility... However, this error is appearing when I try to access the switch from the Utility: image

baylanger commented 2 years ago

On the download for the GS308EPP , the Prosafe is there along with NSDT ... but Prosafe doesn't support that switch. That doesn't look very good :/

@nicklasfrahm aside from the POE on/off , with netadm are you able to control anything on that switch? If so... is it worth looking into the firmware's binary? I found these but I don't think it helps at all.

/poe.cgi
/PoEPortConfig.cgi
/getPoePortEdit.cgi
/getPoePortStatus.cgi
/UninterruptedPoE.cgi

edit_poe_port_info();
back_poe_port_info();

While looking into the firmware, I found these :

Back door key check: Invalid checksum.
%s_%s.bin.key
Back door key check: Invalid magic number.
Back door key check: Invalid file name.
Back door key check: success.

I'm not sure what the above is all about .. but quickly that doesn't look too good.

baylanger commented 2 years ago

@Sylensky Just to make sure, you have Prosafe 2.7.8 ? That looks like the latest version but Netgear web site sucks. Maybe a newer release is hidden somewhere.....

Sylensky commented 2 years ago

Yes, I used v2.7.8

nicklasfrahm commented 2 years ago

Currently, the netadm tool does not support write operations, but in the depths of GitHub I found a PR that shows how to check for the key exchange mechanism and thus implement write operations.

I was actually seeing the same issue with the ProSAFE tool, but I was suspecting an issue with wine. Thanks for verifying that this is indeed a limitation of the tool.

The reason why it sucks that the ProSAFE tool doesn't work is that it is otherwise very hard to figure out the type identifiers that are used to set these properties.

I could attempt to write a script that does a dump of all parameters. 🤔 I will try that Sunday or beginning of next week as tomorrow is my sister's birthday.

baylanger commented 2 years ago

Can you share the PR that you found? I might not be able to help but at least I can understand a little more the issue.

I'm not sure how you can dump « all type » but seems you might have a way to « travel » (loop?) into them. I'll also take a look at netadm source code, might give me some insights.

nicklasfrahm commented 2 years ago

The PR in question can be found at tabacha/ProSafeLinux#35. What's interesting is this piece of code.

baylanger commented 2 years ago

Interesting I was looking at the hashkey …. I was telling myself something seems very wrong here in terms of security…

The README from that ProSafeLinux confirms there's a security issue. Not sure if there's a way to disable or if Netgear patched their latest firmware…. if so, perhaps it explains why Prosafe would not work with latest switches/firmware?

baylanger commented 2 years ago

Netgear routers included in ZuoRAT.

https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html

Sylensky commented 2 years ago

I found the time to test out some various things with no success so far. Combined various firmware files and tried to connect to the switch via various ProSAFE versions as well.

So far I tried:

Furthermore, I traced some packets with Wireshark with the web UI. I don't know if it's beneficial to you, but here's what I did:

  1. logged into switch, changed password
  2. go to poe page
  3. disabled poe on port 3
  4. disabled poe on port 4
  5. enabled poe on port 3
  6. enabled poe on port 4

Here are the captured packets: captured.zip.

nicklasfrahm commented 2 years ago

@Sylensky Thanks for the captured packages. I did some work on the CLI to support looking up the encryption mode and I am currently implementing the write functionality. Could you just check which encryption mode your device supports using the following commands:

# List interfaces.
netadm if
# List devices on the local network.
netadm -i <interface> scan

Sylensky commented 2 years ago

It supports Hash64.

pi@raspberrypi ~ $ ./go/bin/netadm -i eth0 scan
Name        Model       MAC Address          IP Address         DHCP    Firmware     Encryption
GS308EPP    GS308EPP    34:98:b5:b1:3a:9d    192.168.100.135    true    V1.0.0.10    Hash64

nicklasfrahm commented 2 years ago

@Sylensky I have now implemented the set command for strings. It works for setting the device name. :rocket: Please try it out and report back if it works for you as well.

Now we need to figure out what the key ID for the PoE state is and then this issue should finally be resolved. I will have a look at the provided capture logs. :mag:

Sylensky commented 2 years ago

Alright, I had the time to test the set command and it did not work for me. This is the output of it:

./go/bin/netadm set 192.168.100.135 name=TEST -i eth0 -p <password>
Error: operation failed with status code 0x0F00

@nicklasfrahm Can you share details about your setup and how you were able to execute the commands successfully?

nicklasfrahm commented 2 years ago

I have just checked it again and I am running into the same issue with my GS308EPP with firmware version V1.0.0.10, but not with my GS308E running firmware version 1.0.0.10 (yes this is not a typo, the firmware versioning is inconsistent).

The wireshark script that is included in ProSafeLinux claims that the management protocol is not enabled (code 0x0F00):

git clone https://github.com/tabacha/ProSafeLinux
cd ProSafeLinux/wireshark && sudo ./startWireshark.sh

This is very strange as the management protocol seems to be enabled when checking the web interface. This may be related to the issue you were describing with the official tool. I really hope this is not a bug in their firmware.

Screenshot from 2022-08-21 20-57-14

I also tried messing around with the settings for Access Control with no luck.

It may be due to me being sloppy with the sequence numbers as I generate them before dispatching the message to the device based on the current timestamp and they are most often not contiguous. I will try to handle that more nicely.
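An added example, not part of the thread and not netadm's own code: parsing the fixed NSDP header of a reply to surface the status code (such as the 0x0F00 above) and to confirm that the reply echoes the request's sequence number. The field offsets, opcode 4 for a write response, and status 0 meaning success are assumptions taken from public NSDP reverse-engineering notes; the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (public NSDP notes, not netadm's code): 0 version | 1 opcode |
// 2-3 status | 22-23 sequence | 24-27 "NSDP" signature; TLV body starts at 32.
const headerLen = 32

type Header struct {
	Version, Op      uint8
	Status, Sequence uint16
}

// ParseHeader checks length and signature before trusting any field.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < headerLen || string(b[24:28]) != "NSDP" {
		return Header{}, errors.New("nsdp: not a valid NSDP header")
	}
	return Header{Version: b[0], Op: b[1], Status: binary.BigEndian.Uint16(b[2:4]), Sequence: binary.BigEndian.Uint16(b[22:24])}, nil
}

// CheckReply reports why a reply does not acknowledge the request sent with wantSeq.
func CheckReply(wantSeq uint16, h Header) error {
	if h.Sequence != wantSeq {
		return fmt.Errorf("nsdp: reply seq %d does not match request seq %d", h.Sequence, wantSeq)
	}
	if h.Status != 0 {
		return fmt.Errorf("nsdp: device returned status 0x%04X", h.Status)
	}
	return nil
}

// SampleReply builds a constructed write-response header (opcode 4 assumed).
func SampleReply(seq, status uint16) []byte {
	b := make([]byte, headerLen)
	b[0], b[1] = 1, 4
	binary.BigEndian.PutUint16(b[2:4], status)
	binary.BigEndian.PutUint16(b[22:24], seq)
	copy(b[24:28], "NSDP")
	return b
}

func main() {
	h, err := ParseHeader(SampleReply(41, 0x0F00))
	fmt.Println(h, err, CheckReply(41, h))
}
```

Running the same check over the UDP payloads in a capture separates replies that belong to another request from replies in which the device itself returned a non-zero status.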

Sylensky commented 2 years ago

> I really hope this is not a bug in their firmware.

If so, it must be consistent throughout a lot of versions I just tested before, and I highly doubt that. I could do some more testing with previous firmware versions and the set command to see if that is the case.

Sylensky commented 1 year ago

Were you able to make any progress with this?