
Asuswrt-Merlin API or MQTT subscriber


carefulcomputer

Apologies if this is wrong forum. This is my first post.

For my home automation, I am looking to send commands to my router from my home automation server (to enable/disable the guest network on demand, or to open/close ports on demand). When searching the forums, all I could find was MQTT publish, where the router is publishing messages, but I was hoping to find a post where the router is listening for messages (and runs a local script on certain messages).
Here are a couple of options I am considering -
1) MQTT subscriber on the router listening for messages on another broker (hosted on the local LAN). Is it possible with any available packages?
2) API listener on the router which can accept different commands. Is it possible with any available packages?
3) Worst case option - automate it by trying to emulate a web browser (not sure if asuswrt-merlin has some protection against detecting web scrapers/bots which will interfere with this)
 
connect to the router via SSH and play away :D
 
Thanks for the suggestion. That would definitely work. However, it sounds equivalent to the 3rd option, where the caller would have full admin access to the router. I was hoping to have limited access (only to a limited set of commands/scripts) like in the first two options.
 
The router only has 1 user anyway (admin/root). Remember this is an embedded system with Busybox and not a full blown Linux environment, it's designed for everything to run as the same user.
 
Maybe netcat or curl could be used?

 

True. However, my point was a little different. I was trying to make it so that security is enforced by the server, not the client. If there was SSH access, the server would allow any command (including "sudo rm -rf /") to be run and it will be at the mercy of the client to not do anything bad. However, in the case of MQTT/REST calls, the client can try to do whatever it wants but the server will only run preprogrammed commands.
 
I was looking at your potential use cases. For #2, I had played with netcat (available in Entware). This application does a number of things - but does allow you to listen on a port number (the server) and have a client send to it using netcat as well. There is also a mini netcat called "nc" available with Asuswrt-merlin. I don't believe it is robust enough.

You would need to create your own "API" but here is an example (very rough, just put them together with a little testing) of a server side and a client side. No checks for netcat or Entware installed, etc. I leave this as an exercise for the user (take some of Jack Yaz's code for that - beauty of Open Source).

As far as the commands, you could script what you need. You had mentioned enabling or disabling Guest Network. There might be some actual commands on the router that can do this. For my example I am thinking changing nvram variables. Again, you would need to do some additional research on how you would do this using shell commands.

Unfortunately, netcat isn't very secure. It doesn't care where commands come from - as long as they are posted to the port - it acts on them. For an internal network it might be fine.

Here is an example of the server. You would run this on the router you want to "control". It runs in a forever loop like a daemon. I normally would run it in the background ("&").
One of the command examples is Reboot. Dangerous command so I make it a requirement to only reboot if the command is sent twice in a row.

The client script is pretty basic (and crude ;-). Note the 1 second sleep in the SendCmd function. For some reason, without this, commands sent too quickly get dropped.

Hack away on these if you want.

Server side:
Code:
#!/bin/sh
#
# netlistn - listen on port 1234 and perform commands
# should be run in background i.e.  netlistn &
#

NETCATPORT=1234

echo "Starting to listen on $NETCATPORT"
DOREBOOT=0      # becomes 1 after a first Reboot command

while true
do
        # wait for one connection and capture what the client sent
        cmd=$(/opt/bin/netcat -l -p "$NETCATPORT")
        if [ -n "$cmd" ]; then
                # only these fixed strings are acted on; the input is never executed
                case "$cmd" in
                  EnableGuest)
                    echo "do some enable nvram settings"
                    nvram commit
                    DOREBOOT=0
                    ;;
                  DisableGuest)
                    echo "do some nvram disable settings"
                    nvram commit
                    DOREBOOT=0
                    ;;
                  "Multi word")  # try passing more than 1 word
                    echo "Multi word - some nvram disable settings"
                    DOREBOOT=0
                    ;;
                  Sync)   # execute a local command
                    /bin/sync >/dev/null 2>&1
                    DOREBOOT=0
                    ;;
                  Reboot) # danger will robinson
                    if [ "$DOREBOOT" = 1 ]; then  # need to send reboot twice in a row
                        echo "would reboot"
#                       service reboot >/dev/null 2>&1
                    else
                        echo "Setting DoReboot"
                        DOREBOOT=1
                    fi
                    ;;
                  *)
                    echo "Unknown command: " "$cmd"
                    logger -t netlistn "Unknown cmd:" "$cmd"
                    DOREBOOT=0
                    ;;
                esac
        fi
done

Client side example:

Code:
#!/bin/sh
#
# netsnd - send some commands to a netcat server
#

NETCATSERVER=192.168.1.1
NETCATPORT=1234

SendCmd(){
   echo "$1"
   # pass the command as data, not as the printf format string
   printf '%s\n' "$1" | /opt/bin/netcat -c "$NETCATSERVER" "$NETCATPORT"
   sleep 1   # need short delay for some reason
}

# send a command from the command line - i.e. netsnd EnableGuest

if [ -n "$1" ]; then
        SendCmd "$1"
fi

# send some commands from this script

SendCmd "EnableGuest"
SendCmd "Two Words"     # no matching case on the server, so it is logged as unknown
SendCmd "DisableGuest"
SendCmd "Sync"
SendCmd "Reboot"
SendCmd "Not Really"    # any other command resets the server's DOREBOOT flag
SendCmd "Reboot"
SendCmd "Reboot"
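
The two concerns raised in this thread (an SSH login lets the caller run anything, and a bare netcat port acts on commands from anyone) can both be addressed by binding one SSH key to a forced command that only dispatches allow-listed names. The script below is an added example, not code from any poster; the script name, `ACTION_DIR`, the action script names and the authorized_keys line are assumptions, and it presumes the router's SSH server honours the `command=` key option.

```shell
#!/bin/sh
# router-dispatch (hypothetical name): forced-command target for one SSH key.
# Assumed authorized_keys entry on the router (key material is a placeholder):
#   command="/jffs/scripts/router-dispatch",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> ha-server
# The SSH server runs this script whatever the client asked for, and passes
# the client's request only as data in $SSH_ORIGINAL_COMMAND.

ACTION_DIR="${ACTION_DIR:-/jffs/scripts/actions}"   # assumed path of action scripts

# Map a request to a fixed program. The client string is only compared
# against literals; it is never eval'ed or used to build a path.
resolve_action() {
    case "$1" in
        EnableGuest)  echo "$ACTION_DIR/guest-on.sh" ;;
        DisableGuest) echo "$ACTION_DIR/guest-off.sh" ;;
        Sync)         echo "/bin/sync" ;;
        *)            return 1 ;;
    esac
}

dispatch() {
    req="$1"
    if ! target=$(resolve_action "$req"); then
        # log a sanitised, truncated copy of the untrusted input
        safe=$(printf '%s' "$req" | tr -c 'A-Za-z0-9 _.-' '?' | cut -c1-40)
        logger -t router-dispatch "rejected: $safe" 2>/dev/null || true
        echo "ERR unknown command"
        return 2
    fi
    if [ ! -x "$target" ]; then
        echo "ERR action not installed"
        return 3
    fi
    if "$target" >/dev/null 2>&1; then
        echo "OK $req"
    else
        echo "ERR $req failed"
        return 4
    fi
}

# Dispatch only when a request arrived over SSH; a login without a command
# leaves the variable unset, so the script exits and no shell is started.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
fi
```

With this in place the key authenticates the caller and the allow-list is enforced on the router, so a stolen or misused automation key can trigger only the listed actions.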
 
