I was previously running 19.07.7 on my Netgear R7800, with an Apple HomeKit hub running on the LAN side (separate IOT network).
After installing 21.02.0-rc3, I'm now getting repeated alerts on my iPhone:
All home hubs are not responding.
followed later by A home hub is responding.
I tried moving the hub device to Ethernet with no change in behavior, so I don't believe it is a wireless-signal issue. (Also, the hub device connects to a different wireless AP on the IOT network, not to the updated main router.)
Does anybody have suggestions on how to diagnose why the HomeKit hub keeps disconnecting/reconnecting on 21.02.0-rc3 but not on 19.07.7?
Here's /etc/config/network from 21.02.0-rc3:
# /etc/config/network as posted for 21.02.0-rc3. Sections are reproduced
# verbatim; '#' lines are reviewer annotations (UCI ignores them, but note
# that 'uci commit' / LuCI rewrite the file and drop comments).
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fd2b:fd7d:16a4::/48'
# Main LAN on br-lan. 21.02 moved bridge membership into the 'config device'
# sections at the end of this file. NOTE(review): 'stp' is a bridge-device
# option in that scheme, so it may no longer be honoured on the interface
# section -- TODO confirm against netifd, and move it to the br-lan
# 'config device' section if not.
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.1'
option stp '1'
option device 'br-lan'
# WAN (DHCP) and WAN6 (DHCPv6) share the VLAN 2 sub-interface of eth0.
config interface 'wan'
option proto 'dhcp'
option device 'eth0.2'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth0.2'
# Switch. VLAN 1 is tagged-only on ports 1 and 6 (no untagged member); VLAN 2
# is the WAN uplink (port 5 untagged, port 0 tagged -- presumably the eth0 CPU
# port); VLANs 3 and 4 are defined further down. Port 1 carries VLANs 1, 3 and
# 4 tagged -- presumably the trunk to the separate IoT AP mentioned in the
# post; confirm.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
# Guest network; gets a delegated IPv6 /60 like lan.
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.31.66.1'
option device 'br-guest'
# IoT network. NOTE(review): no 'ip6assign' here (lan and guest have '60'),
# so iot receives no delegated IPv6 prefix; the 19.07.7 config has the same
# omission, so this alone does not explain the change in behaviour.
config interface 'iot'
option proto 'static'
option ipaddr '172.29.34.1'
option netmask '255.255.255.0'
option device 'br-iot'
# OpenVPN server interfaces. 'proto none' with 'auto 1': netifd only tracks
# the devices, which OpenVPN creates (see the comments in /etc/firewall.user
# about ovpns0 appearing after the firewall starts).
config interface 'vpnserver'
option proto 'none'
option auto '1'
option device 'ovpns0'
config interface 'vpnserver_tcp'
option proto 'none'
option auto '1'
option device 'ovpns1'
# VLAN 3 -> eth1.3 (iot): access port 3, tagged on port 1 and port 6
# (presumably the eth1 CPU port).
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '1t 3 6t'
# VLAN 4 -> eth1.4 (lan): access ports 2 and 4, tagged on ports 1 and 6.
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '1t 2 4 6t'
# Bridge devices (new in 21.02; replace 'option type bridge' on the
# interface sections of the 19.07.7 config).
config device
list ports 'eth1.4'
option type 'bridge'
option name 'br-lan'
# NOTE(review): 'guest' is not a device defined anywhere in this file (the
# 19.07.7 config used the same name as 'ifname'); presumably the guest
# wireless interfaces are attached through /etc/config/wireless -- confirm.
config device
list ports 'guest'
option type 'bridge'
option name 'br-guest'
config device
list ports 'eth1.3'
option type 'bridge'
option name 'br-iot'
and /etc/config/firewall for 21.02.0-rc3:
# /etc/config/firewall as posted for 21.02.0-rc3 (the post says it is
# unchanged from 19.07.7). '#' lines are reviewer annotations; UCI ignores
# them, but 'uci commit' / LuCI rewrite the file and drop them.
# fw3 reading guide: a rule with 'src' but no 'dest' matches traffic addressed
# to the router itself (INPUT); one with both matches forwarded traffic;
# 'proto' unset means tcp+udp; 'family' unset means both IPv4 and IPv6.
# The rules in this first group carry the names and shape of OpenWrt's stock
# default rules.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Both 'dest lan' rules below are forward rules (WAN -> LAN) for IPsec; the
# router-input equivalents ('IPSec ESP', 'IPSec IKE', 'IPSec NAT-T',
# 'Auth Header') are defined later in this file.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest zone: only DHCP and DNS to the router itself are accepted (the zone's
# own 'input' is REJECT, see the zone definitions further down); the two
# guestzone_VPN rules are disabled.
config rule 'guestzone_dhcp'
option name 'guestzone_DHCP'
option src 'guestzone'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guestzone_dns'
option name 'guestzone_DNS'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config rule 'guestzone_vpn'
option name 'guestzone_VPN'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '8443'
option enabled '0'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '1194'
option name 'guestzone_VPN-1194'
option src 'guestzone'
option enabled '0'
# IoT zone: the same DNS/DHCP-only access to the router.
config rule 'iot_rule_dns'
option name 'iot_DNS'
option src 'iot'
option dest_port '53'
option proto 'udp tcp'
option target 'ACCEPT'
config rule 'iot_rule_dhcp'
option name 'iot_DHCP'
option src 'iot'
option proto 'udp'
option target 'ACCEPT'
option dest_port '67-68'
# NOTE(review): 'src *' matches every zone, so the router accepts tcp+udp
# 8443 and 1194 from the WAN and from every internal network alike. If
# OpenVPN is only meant to be reachable from one side, narrow 'src'
# accordingly.
config rule
option target 'ACCEPT'
option src '*'
option proto 'tcp udp'
option dest_port '8443'
option name 'Allow-OpenVPN-Inbound-8443'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '1194'
option name 'Allow-OpenVPN-Inbound-1194'
option src '*'
# VPN clients may use the router as their DNS resolver.
config rule 'vpnserver_rule_dns'
option name 'vpnserver_DNS'
option src 'vpnserver'
option dest_port '53'
option proto 'udp tcp'
option target 'ACCEPT'
# Global defaults. NOTE(review): 'input ACCEPT' is the policy for traffic
# arriving on an interface that belongs to no zone; every zone below sets
# its own 'input', so this only bites for an unassigned interface.
# 'flow_offloading 1' enables software flow offloading -- one of the knobs
# worth ruling out when bisecting the 19.07.7 -> 21.02.0-rc3 behaviour change.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
# Zones. In fw3 the zone-level 'forward' governs traffic between interfaces
# of the same zone; traffic between zones needs a 'config forwarding' or an
# explicit rule.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# WAN: everything inbound is rejected unless a rule accepts it; NAT and MSS
# clamping on.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config zone 'guestzone'
option name 'guestzone'
option output 'ACCEPT'
option input 'REJECT'
option forward 'ACCEPT'
option network 'guest'
config zone 'iot_zone'
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'iot'
# NOTE(review): 'input ACCEPT' gives VPN clients unrestricted access to every
# service on the router; consider REJECT plus explicit rules, as done for
# guest and iot.
config zone 'vpnserver_zone'
option name 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'vpnserver vpnserver_tcp'
# Guest and IoT may reach the Internet, but not each other or lan, except
# through the explicit rules later in this file.
config forwarding 'guestzone_fwd'
option src 'guestzone'
option dest 'wan'
config forwarding 'iot_forwarding'
option src 'iot'
option dest 'wan'
# Runs /etc/firewall.user on every firewall (re)start.
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'vpnserver'
# Port forwards. All of the redirects in this group are 'enabled 0', so they
# are inert. They embed a public address (146.115.69.179, presumably the
# router's own WAN address -- confirm) and a /16 match on the WAN-side
# destination ('src_dip').
config redirect
option target 'DNAT'
option src 'wan'
option name 'Forward1194'
option proto 'tcp'
option dest 'iot'
option dest_ip '172.29.34.1'
option src_dport '8443'
option dest_port '1194'
option src_dip '146.115.0.0/16'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '80'
option name 'Forward80'
option proto 'tcp'
option dest_ip '172.29.34.1'
option dest 'iot'
option dest_port '1194'
option src_dip '146.115.0.0/16'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '443'
option name 'Forward443'
option proto 'tcp'
option dest 'iot'
option dest_ip '172.29.34.1'
option dest_port '1194'
option src_dip '146.115.0.0/16'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '443'
option dest_port '1194'
option name 'ForwardUDP443'
option proto 'udp'
option dest 'wan'
option dest_ip '146.115.69.179'
option src_dip '146.115.0.0/16'
option enabled '0'
# NOTE(review): these two rules accept tcp+udp 443 and 80 from the WAN into
# the router itself (no 'dest'), while every DNAT that would divert that
# traffic is disabled. In that state they expose whatever the router has
# listening on 80/443 -- by default uhttpd/LuCI binds all addresses -- to
# the Internet. Either disable them alongside the redirects or give them a
# 'dest' so they become forward rules.
config rule
option target 'ACCEPT'
option src 'wan'
option dest_port '443'
option name 'Allow-OpenVPN-Inbound-443'
option proto 'tcp udp'
config rule
option target 'ACCEPT'
option src 'wan'
option dest_port '80'
option name 'Allow-OpenVPN-Inbound-80'
option proto 'tcp udp'
config redirect
option target 'DNAT'
option src 'wan'
option proto 'udp'
option src_dport '8443'
option dest_port '1194'
option name 'ForwardUDP8443'
option dest 'wan'
option dest_ip '146.115.69.179'
option src_dip '146.115.0.0/16'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '80'
option dest_port '1194'
option name 'ForwardUDP80'
option dest 'wan'
option dest_ip '146.115.69.179'
option proto 'udp'
option src_dip '146.115.0.0/16'
option enabled '0'
# IPsec to the router itself from the WAN: ESP, IKE (udp 500), NAT-T
# (udp 4500) and AH. These are what a strongSwan responder on the router
# needs (cf. /etc/firewall.user); 'family' is unset, so they apply to IPv4
# and IPv6.
config rule
option src 'wan'
option name 'IPSec ESP'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec IKE'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec NAT-T'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'Auth Header'
option proto 'ah'
option target 'ACCEPT'
# lan <-> vpnserver and lan -> wan forwarding.
config forwarding
option dest 'vpnserver'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'vpnserver'
# Disabled: would have let the 172.30.9.0/24 subnet (presumably IPsec
# clients) into lan and lan out to it.
config rule
option target 'ACCEPT'
option src 'wan'
option name 'ipsec-forward-wan'
option family 'ipv4'
option src_ip '172.30.9.0/24'
option dest 'lan'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'ipsec-forward-lan'
option family 'ipv4'
option dest 'wan'
option dest_ip '172.30.9.0/24'
option enabled '0'
# NOTE(review): the same four IPsec protocols are also accepted from the
# IoT and guest zones into the router, i.e. guest/IoT clients may talk to
# the router's IKE daemon. If no device on those networks needs to build a
# tunnel to the router, dropping these eight rules shrinks the surface those
# less-trusted networks have against it.
config rule
option src 'iot'
option name 'IPSec ESP IOT'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'IPSec IKE IOT'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'IPSec NAT-T IOT'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'Auth Header-IOT'
option proto 'ah'
option target 'ACCEPT'
config rule
option src 'guestzone'
option name 'IPSec ESP guest'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'guestzone'
option name 'IPSec IKE guest'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'
config rule
option src 'guestzone'
option name 'IPSec NAT-T guest'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
config rule
option src 'guestzone'
option name 'Auth Header guest'
option proto 'ah'
option target 'ACCEPT'
# Disabled per-device Internet blocks keyed on MAC address. NOTE(review): MAC
# matching is a convenience control, not a security boundary, since the
# address is chosen by the client; do not rely on it for isolation.
config rule
option src 'lan'
option name 'block-cheryl'
option src_mac 'A8:5B:78:00:89:4D'
option dest 'wan'
option target 'REJECT'
option enabled '0'
config rule
option src 'lan'
option name 'block-cheryl-2'
option src_mac 'CC:08:8D:3F:2D:2A'
option dest 'wan'
option target 'REJECT'
option enabled '0'
config rule
option src 'lan'
option name 'block-cheryl-chromebook'
option src_mac '90:2E:1C:90:04:BB'
option dest 'wan'
option target 'REJECT'
option enabled '0'
# mDNS (udp 5353 -> 224.0.0.251) from iot and from lan into the router
# itself: with no 'dest' these are INPUT rules, so they only matter if the
# router runs an mDNS responder/reflector (e.g. umdns or avahi); they do not
# by themselves carry multicast between br-lan and br-iot. NOTE(review):
# HomeKit discovery relies on Bonjour/mDNS, so cross-zone reflection is the
# first thing to verify -- but the post says the firewall is unchanged
# between releases, so this is not the cause on its own.
config rule
option src_port '5353'
option src 'iot'
option name 'allow mDNS IOT'
option target 'ACCEPT'
list dest_ip '224.0.0.251'
option dest_port '5353'
list proto 'udp'
config rule
option dest_port '5353'
option src 'lan'
option name 'allow mDNS LAN'
option target 'ACCEPT'
list dest_ip '224.0.0.251'
list proto 'udp'
option src_port '5353'
# Per-port lan -> iot forwards. Those without 'proto' match tcp+udp (fw3
# default); the rest are tcp only. See the note on 'lan to IOT TCP' below.
config rule
option dest_port '80'
option src 'lan'
option name 'allow lan to IOT 80'
option dest 'iot'
option target 'ACCEPT'
config rule
option dest_port '443'
option src 'lan'
option name 'allow lan to IOT 443'
option dest 'iot'
option target 'ACCEPT'
config rule
option dest_port '8080'
option src 'lan'
option name 'allow lan to IOT 8080'
option dest 'iot'
option target 'ACCEPT'
config rule
option dest_port '8060'
option src 'lan'
option name 'allow lan to 8060'
option dest 'iot'
option target 'ACCEPT'
list proto 'tcp'
config rule
option dest_port '3000'
option src 'lan'
option name 'allow LAN to 3000'
option dest 'iot'
option target 'ACCEPT'
list proto 'tcp'
config rule
option dest_port '31339'
option src 'lan'
option name 'allow LAN to TiVo'
option dest 'iot'
option target 'ACCEPT'
list proto 'tcp'
config rule
option dest_port '7000'
option src 'lan'
option target 'ACCEPT'
list proto 'tcp'
option dest 'iot'
list dest_ip '172.29.34.86'
option name 'allow LAN to Roku7000'
config rule
option dest_port '49835'
option src 'lan'
option name 'allow LAN to Roku49835'
option dest 'iot'
list dest_ip '172.29.34.86'
option target 'ACCEPT'
list proto 'tcp'
# iot -> one LAN host (192.168.1.79) on two fixed TCP ports.
config rule
option dest_port '51145'
option src 'iot'
option name 'iot to homebridge'
option dest 'lan'
list dest_ip '192.168.1.79'
option target 'ACCEPT'
list proto 'tcp'
config rule
option dest_port '64841'
option target 'ACCEPT'
list proto 'tcp'
option dest 'lan'
option src 'iot'
option name 'iot to backupmac 64841'
list dest_ip '192.168.1.79'
# NOTE(review): no 'dest_port' -- every TCP port from lan to iot is allowed.
# This subsumes the TCP half of all the per-port lan -> iot rules in this
# file (80, 443, 8080, 8060, 3000, 31339, 7000, 49835, 554, 3689); only the
# UDP half of the rules without 'proto' still does anything on its own.
config rule
option src 'lan'
option target 'ACCEPT'
list proto 'tcp'
option name 'lan to IOT TCP'
option dest 'iot'
# udp 319-320 are the IEEE 1588 PTP event/general ports -- presumably for
# AirPlay/HomeKit timing; confirm.
config rule
option src 'iot'
option dest 'lan'
option target 'ACCEPT'
list proto 'udp'
option name 'IOT to LAN UDP 319-320'
option dest_port '319-320'
config rule
option dest_port '554'
option src 'lan'
option name 'lan to iot RTSP'
option dest 'iot'
option target 'ACCEPT'
config rule
option dest_port '3689'
option src 'lan'
option name 'lan to iot DAAP'
option dest 'iot'
option target 'ACCEPT'
# NOTE(review): this opens the whole dynamic UDP port range from any IoT host
# to any LAN host. If it exists for specific devices (cf. the host-pair
# rules below), a 'dest_ip' and/or 'src_ip' restriction would narrow it.
config rule
option src 'iot'
option dest 'lan'
option target 'ACCEPT'
option dest_port '49152-65535'
list proto 'udp'
option name 'IOT to LAN 49152-65535'
# Host-pair rules: no 'proto' or port, so any tcp+udp between 172.29.34.128 /
# 172.29.34.106 (the home hubs, going by the names) and 192.168.1.79 in both
# directions. Other LAN hosts (presumably including the iPhone) reach the
# hubs only via 'lan to IOT TCP', and the hubs reach other LAN hosts only via
# the udp 319-320 and 49152-65535 rules above.
config rule
option src 'iot'
option name 'HomeAutoHub to backupmac'
list src_ip '172.29.34.128'
option dest 'lan'
list dest_ip '192.168.1.79'
option target 'ACCEPT'
config rule
option src 'lan'
option name 'backupmac to homeautohub'
list src_ip '192.168.1.79'
option dest 'iot'
list dest_ip '172.29.34.128'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'HomeHubWiFi to backupmac'
list src_ip '172.29.34.106'
option dest 'lan'
list dest_ip '192.168.1.79'
option target 'ACCEPT'
config rule
option src 'lan'
option name 'backupmac to HomeHubWiFi'
list src_ip '192.168.1.79'
option dest 'iot'
list dest_ip '172.29.34.106'
option target 'ACCEPT'
and /etc/firewall.user for 21.02.0-rc3:
#!/bin/sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#
# Reviewer summary of this file as posted for 21.02.0-rc3:
#  * Everything up to the first 'exit 0' runs on every firewall (re)start:
#    it accepts ESP traffic that matches an IPsec policy in INPUT/FORWARD/
#    OUTPUT and drops TCP segments advertising a tiny MSS.
#  * Everything after that 'exit 0' is unreachable (see the note there).
logger firewall.user script updating iptables for strongswan
# Delete-then-insert keeps each rule unique across repeated runs; the -D
# calls merely print an error the first time, when no such rule exists yet.
iptables -D INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -D FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -D FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -D OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# NOTE(review): '-I' places these at the very top of INPUT/FORWARD/OUTPUT,
# ahead of fw3's zone dispatch, so traffic that arrived inside (or is
# leaving through) an IPsec SA is accepted regardless of any zone rule in
# /etc/config/firewall. The strongSwan peer/child-SA configuration is then
# the only access control for that traffic -- confirm that is intended.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Drop TCP segments whose advertised MSS is 1..500 bytes. Appended ('-A'),
# so it sits after fw3's zone chains and only sees packets that fell through
# them.
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
# Unconditional exit: nothing below this line is ever executed.
exit 0
# Note that OpenVPN rules on port TCP-80 are not effective, because RCN blocks the port upstream, it seems.
# openvpn configuration doesn't create ovpns0 until after firewall might start,
# and/or firewall configuration scripting doesn't know how to
# find the interface associated with the vpnserver zone
# these commands add the missing rules that it can't figure out
# (and reorders the forward-reject rule to be last again)
#
# However, sometimes it seems a reload of the firewall doesn't execute this script?
#
# NOTE(review): the block below is dead code because of the 'exit 0' above,
# which also answers the question in the previous comment -- the script does
# run, it just stops before reaching this point. The '-not' suffix on the
# logger line suggests it was switched off deliberately. If it is ever
# re-enabled: it deletes and re-appends rules tagged with the "!fw3"
# comment, which fw3 presumably treats as its own and flushes on the next
# reload, so the effect would not survive a reload anyway -- consider
# a hotplug script for the ovpns* devices instead.
logger firewall.user script updating iptables for ovpns0/ovpns1-not
iptables -D INPUT -i ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_input
iptables -A INPUT -i ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_input
iptables -D INPUT -i ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_input
iptables -A INPUT -i ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_input
# Removes the final FORWARD reject, appends the vpnserver dispatch, then puts
# the reject back at the end so the new rules are evaluated before it.
iptables -D FORWARD -m comment --comment "!fw3" -j reject
iptables -D FORWARD -i ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_forward
iptables -A FORWARD -i ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_forward
iptables -D FORWARD -i ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_forward
iptables -A FORWARD -i ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_forward
iptables -A FORWARD -m comment --comment "!fw3" -j reject
iptables -D OUTPUT -o ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_output
iptables -A OUTPUT -o ovpns0 -m comment --comment "!fw3" -j zone_vpnserver_output
iptables -D OUTPUT -o ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_output
iptables -A OUTPUT -o ovpns1 -m comment --comment "!fw3" -j zone_vpnserver_output
# Only ovpns1 gets the zone ACCEPT helpers here; ovpns0 has no matching pair.
iptables -D zone_vpnserver_dest_ACCEPT -o ovpns1 -m comment --comment "!fw3" -j ACCEPT
iptables -D zone_vpnserver_src_ACCEPT -i ovpns1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -A zone_vpnserver_dest_ACCEPT -o ovpns1 -m comment --comment "!fw3" -j ACCEPT
iptables -A zone_vpnserver_src_ACCEPT -i ovpns1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
exit 0
and for 19.07.7, /etc/config/network:
# /etc/config/network as posted for 19.07.7: the same VLANs, addresses and
# interfaces as the 21.02.0-rc3 version, in the pre-21.02 syntax ('ifname'
# on the interface section, 'type bridge' instead of 'config device').
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2b:fd7d:16a4::/48'
# lan bridge over eth1.4 with STP on; in this syntax 'stp' is an option of
# the bridged interface itself.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.1'
option stp '1'
option ifname 'eth1.4'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
# 'ifname guest' names no device defined in this file -- the same as
# 'list ports guest' in the 21.02 version; presumably wireless-only, with
# the radios attached via /etc/config/wireless.
config interface 'guest'
option ifname 'guest'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option type 'bridge'
option ipaddr '172.31.66.1'
# iot: no 'ip6assign' here either (lan and guest have '60'), so the
# missing IPv6 prefix on iot predates the upgrade.
config interface 'iot'
option proto 'static'
option ipaddr '172.29.34.1'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth1.3'
config interface 'vpnserver'
option proto 'none'
option ifname 'ovpns0'
option auto '1'
config interface 'vpnserver_tcp'
option proto 'none'
option ifname 'ovpns1'
option auto '1'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '1t 3 6t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option ports '1t 2 4 6t'
/etc/config/firewall is unchanged from 19.07.7 -> 21.02.0, as is /etc/firewall.user.