Build for Netgear R7800

LuCI support for showing the nftables firewall rules is just coming. There is a PR from jow, which I have patched to my build at r18621-af8a059bb4, but it is not yet merged into the main LuCI repo.

Status --> Firewall(nftables) shows like this

Although you couldn't see the firewall contents from LuCI, you should have been able to see it from the console with nft list ruleset or fw4 print.

fw4 print:

root@router1:~# fw4 print
Section @redirect[0] (wan2202ssh) is disabled, ignoring section
table inet fw4
flush table inet fw4

table inet fw4 {
        #
        # Set definitions
        #
...
        chain input {
                type filter hook input priority filter; policy accept;

                iifname "lo" accept comment "!fw4: Accept traffic from loopback"

                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0.2" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;

                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"

nft list ruleset:

root@router1:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0.2" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth0.2" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

sqm-scripts seems to depend on iptables so... I guess not?

Well, see discussion in

and onward from


Is it possible to move away from /etc/config/firewall and instead configure nftables directly?

Why wouldn't it be possible? Nftables is there.
(But you need to provide all the functionality normally provided by the removed firewall. NAT etc.)

Hi any report from the pstore changes? Does anyone manage to extract a panic from a random crash?

@hnyman would be good to put some info and ask the user to provide the logs. Would really help the situation (considering the big userbase I assume many have this problem but they just don't care as the reboot is only every 4-5 days)

I just had another reboot for my R7800. This time there're no logs captured in pstore. Router was up for about 5 days, and there wasn't any load at the router at all. Only have 3 WiFi clients connected to it, with only the 5G WiFi interface active. 2G is off.

I have another Askey RT4230W (ipq8065) running the same build config as the R7800, started at about the same time as the R7800. So far it is still running.

R7800 was running as an AP config while the Askey is being tested running in router mode, connected to the R7800.

Not sure if the R7800 is showing its age with thermal issues? Maybe I should strip it down and replace all the thermal pads.

can you try adding thermal pads to the regulators?

Sure. Will try that when I crack open my R7800.

On that note, what's the "proper" way to upgrade from a previous, "non-nftables" build?
Does the update process handle iptables -> nftables transition well?
If you look at my previous post, looks like it doesn't.

ie. does a user have to do anything after updating to a nftables-based, newer build?

Thanks.
I.

Upgrading worked fine for me.
Applying firewall rules through LuCI does not seem to work tho', I have to do /etc/init.d/firewall reload from console


Running the latest r18638 over here, but seeing some crashes (reboots) every now and then. I am willing to provide some debug data, but have no clue where to look.

Could be the issue with my r7800 as well of course: let us know if it worked for you


No crashes on r18609.

Another thing I have had for a longer period is these kinds of messages:

Wed Jan 26 18:48:51 2022 daemon.err nlbwmon[2992]: Netlink receive failure: Object busy
Wed Jan 26 18:48:51 2022 daemon.err nlbwmon[2992]: Unable to dump conntrack: I/O error
Wed Jan 26 18:57:22 2022 daemon.err nlbwmon[2992]: Netlink receive failure: Object busy
Wed Jan 26 18:57:22 2022 daemon.err nlbwmon[2992]: Unable to dump conntrack: I/O error
Wed Jan 26 19:08:54 2022 daemon.err nlbwmon[2992]: Netlink receive failure: Object busy
Wed Jan 26 19:08:54 2022 daemon.err nlbwmon[2992]: Unable to dump conntrack: I/O error

I have searched online and found that I could increase the buffers in the config of nlbwmon.

        #option netlink_buffer_size 524288
        option netlink_buffer_size 1048576
cat /proc/sys/net/netfilter/nf_conntrack_count
91
cat /proc/sys/net/netfilter/nf_conntrack_max
16384

Uptime 2d 21h 54m 57s

Changed this, but for now no solution. Does anybody have any thoughts?

This may have already been asked, but today when I flashed a sysupgrade firmware (I built it based on this config file) on my R7800, the router rebooted but the wired ethernet didn't work, while the wireless did. I went to LuCI on my phone and the version # was the updated firmware. Tried rebooting from LuCI and also by the power button on the back of the unit, but wired ethernet still didn't work.

I ended up re-flashing the same sys-upgrade firmware from my phone and then it started working again. Anyone know what would cause this?

Running 18609 for a while to see if it's related to the new firewall implementation or if it's hardware related

My build does not include NSS, so your issues may be unrelated.
(Please take the NSS discussion to threads regarding NSS builds.)


For a few days I've been using fw4 builds and noticed the router slowing down from time to time. That can be observed only while establishing new connections (opening a web page). Existing streams (VoIP for example) are not affected.
Is anybody having similar observations?

The reboots are still there. I even tried a total different spare r7800 and the issues are the same, so it's not hardware related.
Going to give r18650 a go. I have SQM deactivated for now.

Mr Hnyman once again thank you for your work

I have been on this build for some time without any issues; it's been rock solid.

I am currently on 70/16 from Plusnet, on February the 9th I am upgrading to BT full fibre 900/150

Do I need to upgrade or stay as I am?