Add support for Xiaomi AX1800 Wifi 6 router

It would definitely be better to add the IPs/domains to the firewall (iptables) than to adblock. If you have a full list of IPs/domains, please share it for other users.

Right, using iptables makes sense!
I might still block domains with adblock, and make a script to retrieve each IP associated with those domains (+ static ips), and drop them in iptables (and maybe add this to a cron?). Does that sound good to you?

Here is the list I've gathered for now, but it's not a complete list at all:
https://dpaste.com/CRDHZXZAQ
If you're interested maybe we should create a git or something

I think there's no right answer.... As there might also be exploits in the latest Chinese version on purpose :wink:
But if you trust Xiaomi support you should probably go with the official updates (thus xqrepack as the post mentioned)

Sort of off-topic. I've just run into a device "Redmi Router AX1800" a.k.a. "RA71". Yup, a really big mess is around the ax1800 "family". (I think they do it on purpose.)

  • "xiaomi black": "xiaomi ax1800", "rm1800"
  • "redmi white": "redmi ax5", "ra67"
  • "new redmi white": "redmi 1800", "ra71"

Hope it works (not tested).

# download list from the site
curl -k https://dpaste.com/CRDHZXZAQ.txt > CRDHZXZAQ.txt.tmp
# remove ^M (carriage return) characters from the file
sed -e "s/\r//g" CRDHZXZAQ.txt.tmp > CRDHZXZAQ.txt
# remove old and unused files
rm -f CRDHZXZAQ.txt.tmp ips.txt.tmp ips.txt

# resolve domains to IPv4 addresses (first address per domain, as nslookup lists it; non-IPv4 lines are dropped)
while IFS= read -r domain; do nslookup "$domain" 2>/dev/null | grep -A1 '^Name' | grep '^Address' | awk '{print $NF}'; done < CRDHZXZAQ.txt | grep -E '^[0-9]+(\.[0-9]+){3}$' > ips.txt.tmp

# do not duplicate ips (sort -u also catches non-adjacent duplicates, which uniq misses)
sort -u ips.txt.tmp > ips.txt

# create command to execute
while IFS= read -r ip; do
 echo iptables -I INPUT -s "$ip" -j DROP
 echo iptables -I OUTPUT -d "$ip" -j DROP
done < ips.txt

# remove old files to save space
rm -f ips.txt.tmp ips.txt CRDHZXZAQ.txt

If you want to execute the iptables commands, remove "echo" from the script.


Hello, I know I am in the wrong place here; maybe there is a support forum for the AX1800 white?
Well, anyway, maybe someone is so kind and knows what to do: I meshed together 3 of them (EU firmware); they barely see each other via WLAN, but are connected via cable. Any of them can use the full ISP bandwidth. Now 1 of them stopped doing the routing, regardless of the right WAN port for the cable. It is acting like a bridge into the WAN network while delivering the same WLAN SSIDs as its 2 twins. The lights are blue and orange then, not blue and blue. I reset it and rejoined it, no change. Half a day ago it was blue and blue and routing. To be clear: I don't want or need the routing, I would like bridge/AP mode but also mesh. I am thinking about flashing Chinese. What services shall I stop then, and will the Chinese web UI only have Chinese language?

Thanks for any other ideas, if there are any.
Greetings

Looks good! Using an upgradable list instead of a static dpaste would be nice, so it can be added as a cron job.

On another subject does anyone know if it's possible to install inetd and perl? I can't find the packages with opkg.
I need them because I'd like to install munin-node on the router, muninlite is also not available so I wanted to try this: https://github.com/Maffsie/openwrt-munin-node

I'm not sure, but one of these is fast roaming:
option bsd '1'
option rrm '1'
option wnm '1'

I think a zone or something was missing; it didn't block for both the router & the client when I tested it (not sure which one it was).

I ended up using ipset & firewall instead, for a cleaner config & to prevent errors (and I'm still using the list for adblock at the same time, just in case).
Here is my modified script:

#!/bin/sh
# work in /root so that ipset.txt is the file /etc/config/firewall loads
cd /root || exit 1

cp /etc/adblock/adblock.blacklist CRDHZXZAQ.txt.tmp
# remove ^M (carriage return) characters from the file
sed -e "s/\r//g" CRDHZXZAQ.txt.tmp > CRDHZXZAQ.txt
# remove old and unused files
rm -f CRDHZXZAQ.txt.tmp ips.txt.tmp ips.txt
# start with an empty list of newly added IPs (the wc below needs the file to exist)
: > new.txt

if [ ! -f ipset.txt ]; then
  touch ipset.txt
fi

# resolve domains to IPv4 addresses (first address per domain, as nslookup lists it; non-IPv4 lines are dropped)
while IFS= read -r domain; do nslookup "$domain" 2>/dev/null | grep -A1 '^Name' | grep '^Address' | awk '{print $NF}'; done < CRDHZXZAQ.txt | grep -E '^[0-9]+(\.[0-9]+){3}$' > ips.txt.tmp

# do not duplicate ips (sort -u also catches non-adjacent duplicates, which uniq misses)
sort -u ips.txt.tmp > ips.txt

# just a security to prevent blocking local IPs
LOCAL_PREFIX="192.168."

# append each new IP as a /24 to the ipset file, skipping local IPs and entries already present
# (-x -F: whole-line, literal match, so 1.2.3.4 no longer "matches" 11.2.3.45)
while IFS= read -r ip; do
  case "$ip" in "$LOCAL_PREFIX"*) continue ;; esac
  if ! grep -qxF "$ip/24" ipset.txt; then
    echo "$ip/24" >> ipset.txt && echo "$ip" >> new.txt
  fi
done < ips.txt

echo "$(date "+%Y-%m-%d %H:%M") $(wc -l < ipset.txt) blocked including $(wc -l < new.txt) new" >> /var/log/ipset_auto.log

# remove old files to save space
rm -f ips.txt.tmp CRDHZXZAQ.txt new.txt

And here are my /etc/config/firewall custom rules:

config  ipset
        option  name            'xiaomi_ips'
        # match is a list, one direction per entry; two 'option match' lines would keep only
        # the last one (dest_net), and both rules below only match the destination anyway
        list    match           'dest_net'
        option  enabled         '1'
        option  loadfile        '/root/ipset.txt'

# no src: applies to traffic from the router itself (output to wan)
config  rule
        option  dest            'wan'
        option  ipset           'xiaomi_ips'
        option  target          'DROP'
        option  name            'reject-xiaomi-local'
        option  enabled         '1'
        option  family          'ipv4'
        option  proto           'all'

# lan -> wan: applies to traffic forwarded from the clients
config  rule
        option  src             'lan'
        option  dest            'wan'
        option  ipset           'xiaomi_ips'
        option  target          'DROP'
        option  name            'reject-xiaomi-lan'
        option  enabled         '1'
        option  family          'ipv4'
        option  proto           'all'

Probably not the cleanest way to do it (I don't know much about firewall config), but it works!

Keep in mind that it will add IPs almost every time you run the script, as they change quite often; not sure what the best cron schedule is yet.
And you might need to reset ipset.txt at some point if they're using Cloudflare or some standard cloud provider...

Now we'd just need an updated/upgradable domain list! :thinking:

EDIT: While I was testing I had no internet anymore from my clients at some point; that drove me crazy, I couldn't find why, and finally I found out that dnsmasq had been killed because of low memory. It's really impressive how bad those specs are!
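The "just a security to prevent blocking local IPs" check in the script above only looks at the 192.168. prefix; as an added example that is not code from the thread, these POSIX sh functions validate each resolved address and skip every reserved range (RFC 1918, loopback, link-local, 0/8, CGNAT) before it could land in ipset.txt. The sample input at the bottom is constructed, not real resolver output.

```shell
# Return 0 if $1 is a well-formed IPv4 dotted quad (four octets, each 0-255).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;  # bad char, empty octet, >3 dots
        *.*.*.*) ;;                                   # exactly three dots
        *) return 1 ;;
    esac
    rest=$1
    for i in 1 2 3 4; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 must never be blocked on a home router: RFC 1918, loopback,
# link-local, 0.0.0.0/8 or CGNAT 100.64.0.0/10 (the WAN uplink may sit in it).
is_local_ip() {
    is_ipv4 "$1" || return 1
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    case "$o1.$o2" in
        10.*|127.*|0.*|192.168|169.254) return 0 ;;
    esac
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 0
    return 1
}

# Read candidate addresses on stdin (one per line, as the nslookup loop emits
# them), drop malformed and local ones, print the rest sorted and deduplicated
# (sort -u, unlike uniq, also removes non-adjacent repeats).
filter_public_ips() {
    while IFS= read -r ip; do
        is_ipv4 "$ip" || { printf 'skip (malformed): %s\n' "$ip" >&2; continue; }
        is_local_ip "$ip" && { printf 'skip (local): %s\n' "$ip" >&2; continue; }
        printf '%s\n' "$ip"
    done | sort -u
}

# Demo on a constructed sample (not real resolver output) mixing public,
# private, duplicate and malformed entries; only 1.2.3.4 and 8.8.8.8 survive.
demo() {
    printf '1.2.3.4\n192.168.1.1\n1.2.3.4\n10.0.0.5\n172.20.1.1\n8.8.8.8\n999.1.1.1\nnot-an-ip\n' |
        filter_public_ips
}
demo
```

In the script above, `sort -u ips.txt.tmp | filter_public_ips > ips.txt` would replace both the uniq step and the 192.168. prefix test.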

Hi, I have a problem with my Xiaomi Router AX1800 (Black Tower): on 5 GHz it only shows channel 50 and below.

How can I enable channel 100 and above on 5 GHz? My firmware is 1.0.394.

FYI, as I expected, I had some issues with other services (i.e. Signal), probably some AWS servers got blocked or something; it might be better to reset ipset.txt often then, and keep adblock on (but don't forget to suspend adblock while running the script so the domains can resolve)...

If you want to execute the iptables commands, remove "echo" from the script.

It means that if you want to block the domains, remove the "echo" part from the commands.

So, change in my script (lines 16-17) from:

 echo iptables -I INPUT -s $ip -j DROP
 echo iptables -I OUTPUT -d $ip -j DROP

to:

 iptables -I INPUT -s $ip -j DROP
 iptables -I OUTPUT -d $ip -j DROP

How can I create more than one SSID with the MIWifi app? I do not see the option.

How did you do it? I did SSH, but in the perm instructions I cannot find 180000 like in the instructions for the 3200.

Can we change the root fs to the 22.03.3 branch and stay on kernel 4.4.60 with the compiled modules?