Add support for Xiaomi AX1800 Wifi 6 router

It would definitely be better to add IPs/domains to the firewall (iptables) than to adblock. If you have a full list of IPs/domains, please share it for other users.

Right, using iptables makes sense!
I might still block domains with adblock, and make a script to retrieve each IP associated with those domains (+ static IPs) and drop them in iptables (and maybe add this to a cron job?). Does that sound good to you?

Here is the list I've gathered for now, but it's not a complete list at all:
https://dpaste.com/CRDHZXZAQ
If you're interested, maybe we should create a git repo or something.

I think there's no right answer... as there might also be exploits in the latest Chinese version on purpose :wink:
But if you trust Xiaomi support, you should probably go with the official updates (thus xqrepack, as the post mentioned).

Sort of off-topic. I've just run into a device "Redmi Router AX1800" a.k.a. "RA71". Yup, there is a really big mess around the ax1800 "family". (I think they do it on purpose.)

  • "xiaomi black": "xiaomi ax1800", "rm1800"
  • "redmi white": "redmi ax5", "ra67"
  • "new redmi white": "redmi 1800", "ra71"

Hope it works (not tested).

# download list from the site
curl https://dpaste.com/CRDHZXZAQ.txt -k > CRDHZXZAQ.txt.tmp
# remove ^m (CR) characters from file
sed -e "s/\r//g" CRDHZXZAQ.txt.tmp > CRDHZXZAQ.txt
# remove old and unused files
rm -f CRDHZXZAQ.txt.tmp ips.txt.tmp ips.txt

# resolve domains to ip (skips empty lines; old busybox nslookup prints "Address 1: x.x.x.x" after the "Name:" line)
while IFS= read -r domain; do [ -n "$domain" ] || continue; nslookup "$domain" 2>/dev/null | grep '^Name' -A1 | awk '{print $3}' | grep .; done < CRDHZXZAQ.txt > ips.txt.tmp

# do not duplicate ips (uniq only drops adjacent duplicates, so sort first)
sort -u ips.txt.tmp > ips.txt

# create command to execute
while IFS= read -r ip; do
 echo iptables -I INPUT -s "$ip" -j DROP
 echo iptables -I OUTPUT -d "$ip" -j DROP
done < ips.txt

# remove old files to save space
rm -f ips.txt.tmp ips.txt CRDHZXZAQ.txt

If you want to execute the iptables commands, remove "echo" from the script.


Hello, I know I am in the wrong place here; maybe there is a support forum for the AX1800 white?
Well, anyway, maybe someone is so kind and knows what to do: I meshed together 3 of them (EU firmware); they barely see each other via WLAN, but are connected via cable. Any of them can use the full ISP bandwidth. Now 1 of them stopped doing the routing, regardless of the right WAN port for the cable. It is acting like a bridge into the WAN network while delivering the same WLAN SSIDs as its 2 twins. The lights are blue and orange then, not blue and blue. I reset it and rejoined it, no change. Half a day ago it was blue and blue and routing. To be clear: I don't want or need the routing, I would like bridge/AP mode but also mesh. I am thinking about flashing Chinese. What services shall I stop then, and will the Chinese web UI only have Chinese language?

Thanks for any other ideas, if there are any.
Greetings

Looks good! Using an upgradable list instead of a static dpaste would be nice, to add it as a CRON job.

On another subject, does anyone know if it's possible to install inetd and perl? I can't find the packages with opkg.
I need them because I'd like to install munin-node on the router, muninlite is also not available so I wanted to try this: https://github.com/Maffsie/openwrt-munin-node

I'm not sure, but one of these is fast roaming:
option bsd '1'
option rrm '1'
option wnm '1'

I think a zone or something was missing; it didn't block for both the router and the client when I tested it (not sure which one it was).

I ended up using ipset and the firewall instead, for a cleaner config and to prevent errors (and I'm still using the list for adblock at the same time, just in case).
Here is my modified script:

#!/bin/sh
cp /etc/adblock/adblock.blacklist CRDHZXZAQ.txt.tmp
# remove ^m (CR) characters from file
sed -e "s/\r//g" CRDHZXZAQ.txt.tmp > CRDHZXZAQ.txt
# remove old and unused files
rm -f CRDHZXZAQ.txt.tmp ips.txt.tmp ips.txt

# ipset.txt accumulates across runs; new.txt must exist so the wc -l below works even when nothing was added
touch ipset.txt
: > new.txt

# resolve domains to ip (skips empty lines; old busybox nslookup prints "Address 1: x.x.x.x" after the "Name:" line)
while IFS= read -r domain; do [ -n "$domain" ] || continue; nslookup "$domain" 2>/dev/null | grep '^Name' -A1 | awk '{print $3}' | grep .; done < CRDHZXZAQ.txt > ips.txt.tmp

# do not duplicate ips (uniq only drops adjacent duplicates, so sort first)
sort -u ips.txt.tmp > ips.txt

# just a security to prevent blocking local IPs
ESCAPED_LOCAL_IP="192\.168\."

# append the /24 of each new ip to the ipset loadfile (exact-line match on the normalized network,
# so 1.2.3.4 and 1.2.3.40 map to the same 1.2.3.0/24 entry instead of a substring match)
while IFS= read -r ip; do
  net="${ip%.*}.0/24"
  if ! grep -qxF "$net" ipset.txt && ! (echo "$ip" | awk "!/$ESCAPED_LOCAL_IP/{exit 1}") ; then echo "$net" >> ipset.txt && echo "$ip" >> new.txt ; fi
done < ips.txt

echo "$(date "+%Y-%m-%d %H:%M") $(wc -l < ipset.txt) blocked including $(wc -l < new.txt) new" >> /var/log/ipset_auto.log

# remove old files to save space
rm -f ips.txt.tmp CRDHZXZAQ.txt new.txt

And here are my /etc/config/firewall custom rules:

config ipset
	option name 'xiaomi_ips'
	# 'match' takes several values, so it must be a list: a repeated 'option match' keeps only the last one
	list match 'src_net'
	list match 'dest_net'
	option enabled '1'
	option loadfile '/root/ipset.txt'

config rule
	option dest 'wan'
	option ipset 'xiaomi_ips'
	option target 'DROP'
	option name 'reject-xiaomi-local'
	option enabled '1'
	option family 'ipv4'
	option proto 'all'

config rule
	option src 'lan'
	option dest 'wan'
	option ipset 'xiaomi_ips'
	option target 'DROP'
	option name 'reject-xiaomi-lan'
	option enabled '1'
	option family 'ipv4'
	option proto 'all'

Probably not the cleanest way to do it (I don't know much about firewall config), but it works!

Keep in mind that it will add IPs almost every time you run the script, as they change quite often; I'm not sure what the best CRON schedule is yet.
And you might need to reset ipset.txt at some point if they're using Cloudflare or some standard cloud provider...

Now we'd just need an updated/upgradable domain list! :thinking:

EDIT: While I was testing, at some point I had no internet anymore from my clients; that drove me crazy, I couldn't find why, and finally I found out that dnsmasq had been killed because of low memory. It's really impressive how bad those specs are!
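As an added example (not code from the thread), here is a parser that turns busybox nslookup output into a clean ipset loadfile: it handles both the old "Address 1:" and the newer "Address:" layouts, skips the resolver's own address, drops IPv6 answers, all private/loopback space (the scripts above only guard 192.168.) and duplicates, and writes single hosts (/32) instead of /24 ranges, since whole ranges are what ended up blocking unrelated services later in the thread. The sample nslookup output and the function names are constructed for this example.

```shell
# Added example, not the thread's own script: turn busybox nslookup output into a
# clean ipset loadfile of public IPv4 hosts (old "Address 1: x" and new "Address: x" layouts).

# 0 when $1 is loopback, link-local, "this network" or RFC1918: never DROP those,
# or the router and LAN lock themselves out (the thread only guarded 192.168.).
is_private_ip() {
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: nslookup output (CRs stripped). stdout: each public IPv4 answer once, one per line.
# Only "Address" lines after a "Name:" line are answers; lines after "Server:" describe
# the resolver itself and are skipped, so a public DNS server never lands in the set.
extract_public_ips() {
    tr -d '\r' \
    | awk '/^Server:/ { ans = 0 }
           /^Name:/   { ans = 1; next }
           ans && /^Address/ { sub(/^Address[^:]*:[ \t]*/, ""); print $1 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | while IFS= read -r ip; do is_private_ip "$ip" || printf '%s\n' "$ip"; done \
    | sort -u
}

# Resolve every non-empty, non-comment domain in file $1 and print /32 ipset entries
# (single hosts, not /24s). Needs the network; suspend adblock while it runs.
build_ipset_loadfile() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
    | while IFS= read -r domain; do nslookup "$domain" 2>/dev/null; done \
    | extract_public_ips | sed 's#$#/32#'
}

# Constructed sample: an old-busybox lookup followed by a new-busybox one.
SAMPLE_NSLOOKUP='Server:    192.168.31.1
Address 1: 192.168.31.1 XiaoMi_Router
Name:      tracking.example.test
Address 1: 203.0.113.9
Address 1: 2001:db8::1
Server:         127.0.0.1
Address:        127.0.0.1:53
Name:   stats.example.test
Address: 203.0.113.9
Address: 198.51.100.7
Address: 10.0.0.5'

# Demo/test helper: parse the sample and join the result on spaces.
demo_public_ips() {
    printf '%s\n' "$SAMPLE_NSLOOKUP" | extract_public_ips | tr '\n' ' '
}
```

On the router, `build_ipset_loadfile domains.txt > /root/ipset.txt` followed by a firewall reload replaces the per-run append logic of the script above, so stale cloud addresses never accumulate.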

Hi, I have a problem with my Xiaomi Router AX1800 (Black Tower): the 5GHz channel list only shows channel 50 and below.

How can I enable channel 100 and above on 5GHz? My firmware is 1.0.394.

FYI, as I expected, I had some issues with other services (i.e. Signal), probably some AWS servers got blocked or something; it might be better to reset ipset.txt often then, and keep adblock on (but don't forget to suspend adblock while running the script so domains can resolve)...

If you want to execute the iptables commands, remove "echo" from the script.

It means that if you want to block a domain, remove the "echo" part from the command.

So, change in my script (lines 16-17) from:

 echo iptables -I INPUT -s $ip -j DROP
 echo iptables -I OUTPUT -d $ip -j DROP

to:

 iptables -I INPUT -s $ip -j DROP
 iptables -I OUTPUT -d $ip -j DROP

How can I create more than one SSID with the MIWifi app? I do not see the option.

How did you do it? I did ssh, but in the perm instructions I cannot find 180000 like in the instructions for the 3200.

Can we change the root fs from the 22.03.3 branch and stay on kernel 4.4.60 with compiled modules?

Hey guys, is there any option to set a VPN on it? I'm with the default firmware with ssh enabled as I had to change the vlan, but now I'm struggling to use a VPN since it only comes with L2TP or PPTP natively, and I couldn't find a VPN provider that still has it available.

Kernel modules for 4.4.60:
https://drive.google.com/file/d/1SGwCKt9sufSPvldn7GrTz2HmoCWwC9eF/view?usp=sharing

Wireguard - OK
Other - not tested


Thanks a lot. I was just looking for this to set up wireguard. I've tested it and it's working well; the only problem is there's no binary for wg-quick, so you have to set up the interface manually or use an alternative application.

For anyone wondering how to set it up:

Load the wireguard module:

  1. Move wireguard.ko to /lib/modules/4.4.60/
  2. Load wireguard:
     modprobe wireguard
  3. Enable loading the module on boot:
     echo "wireguard" > /etc/modules.d/79-wireguard
  4. Install wireguard-tools:
     opkg install http://mirror.sjtu.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7/base/wireguard-tools_1.0.20210223-2_arm_cortex-a7.ipk

Basic wireguard setup (w/o wg-quick):

  1. /etc/wireguard/wg0.conf

[Interface]
#Address = 192.168.28.1/24
ListenPort = 55555
PrivateKey = ???=

[Peer]
PublicKey = 6cH2TFokAkKsIcGiMR1JeK4iCzXdBO7bIdJHPGTEgXc=
AllowedIPs = 192.168.28.2/32

[Peer]
PublicKey = J+zmjjtXrtdnsW5k8ktRdISDeTuJwrpAcSyAEIzhM0Y=
AllowedIPs = 192.168.28.3/32

[Peer]
PublicKey = nuGDKHhk1GiIdELaUYxEHUQ6qjXMPf7o5gdUlfC1mU0=
AllowedIPs = 192.168.28.4/32

  2. Init script

ip link add dev wg0 type wireguard
ip address add dev wg0 192.168.28.1/24
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set up dev wg0
iptables -I FORWARD -i wg0 -o eth4 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE

result:

Unnecessary. You can add all this one time to the network and firewall configs,
something like this:

config interface 'wg0'
	option private_key '+Kd/Xq/S+75haZSDFr8vfD/LI1pcR9hXYZbAr+aCp0Q='
	list addresses '10.6.0.3/24'
	option listen_port '51821'
	option proto 'wireguard'
	option mtu '1420'

config zone
	option name 'wg0'
	option family 'ipv4'
	option masq '1'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	option network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wg0'

and:
$ wg setconf wg0 "path to wireguard config file"


Hey,

I unfortunately copied the whole directory to /lib/modules/ on the newest firmware miwifi....399.bin.

Now the device doesn't start anymore, and recovery via "test.bin" in /srv/tftpd/ doesn't seem to work, nor does the miwifirecoverytool.

When I unplug it, hold the reset button and plug the power cord back in, after 8-10 seconds the orange LED begins to blink, but I see no data being transferred in Wireshark or ifconfig.

T510:/srv/tftp$ ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.100  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::61d2:ca22:5556:8ad3  prefixlen 64  scopeid 0x20<link>
        ether f0:de:f1:45:67:80  txqueuelen 1000  (Ethernet)
        RX packets 672  bytes 232512 (232.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 256  bytes 41950 (41.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf2400000-f2420000