Divested-WRT: No-nonsense hardened builds for Linksys WRT series

Ok, but the 19.07.7 build has the old switch method, so something in the kernel has changed. BTW, is there some guide that would help me to create two VLANs with the new DSA?

If you want to stick with swconfig just flash an older build to the other partition and keep it separate. 19.07.7 or the final Davidc502 builds both use it. 19.07.x will be maintained for a while so you'll be ok.

Long-term you definitely want to embrace DSA though; it's built into the upstream Linux kernel, and that's what everything moved to years ago.

Thanks, but I want to learn how to configure the switch with DSA, because sooner or later I will have to use it.

1 Like

I don’t have any need for vlans, but this may have some relevance if you haven’t come across it yet.

I recreated (ie not converted) my configuration from a swconfig- to DSA-based and it was not difficult. Basically from a standard no-nonsense configuration you do the following (all from within LuCI):

  • disable the bridge associated with "lan" interface (uncheck "Physical Settings - Bridge interfaces")
  • add new virtual network interface(s) named "lan1.x" (for 1st switch port) so all become VLANs on top of "lan1"
  • configure these interfaces as they were physical interfaces (ie assign IP address, enable and configure DHCP, IPv6, etc)
  • add more virtual network interfaces as "lan2.x" for 2nd switch port if you need to, and so on (I did not do this)
  • in Network - Firewall add firewall zones for each newly created interface, so you can control inter-VLAN IP traffic (follow the forwarding rule for LAN). You will need to create explicit firewall rules if you want certain hosts to access services on a different VLAN
1 Like
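The LuCI steps above, written out as the resulting /etc/config/network and /etc/config/firewall. This is an added illustration, not a configuration from the post: the VLAN IDs 10 and 20, the addresses, the "iot" name and the NAS host are assumptions, and it uses the ifname 'lan1.x' form that netifd accepts on this build (the same form as the wan.10 interface later in the thread).

```uci
# /etc/config/network: the "lan" bridge is unticked; each VLAN rides on port lan1
config interface 'lan'
	option proto 'static'
	option ifname 'lan1.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option ifname 'lan1.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/firewall: a zone per VLAN interface; with forward 'REJECT'
# inter-VLAN traffic stays blocked unless an explicit rule opens it
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# same forwarding as the lan zone, so iot clients reach the Internet
config forwarding
	option src 'iot'
	option dest 'wan'

# input 'REJECT' would also drop DHCP and DNS to the router; allow just those
config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# explicit inter-VLAN exception: one host, one service (assumed NAS at .50)
config rule
	option name 'iot-to-nas-smb'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.10.50'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'
```

Each VLAN interface still needs its own DHCP pool in /etc/config/dhcp, and the device on the other end of lan1 must tag its frames with the matching VLAN IDs.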

Dear Zeppelin ( maybe Robert Plant - just a little humor / Jimmy Page ),
Any feedback on this here - DNSPRIVACY FOR ALL REDEUX
Happy Easter - if you observe and Peace - and thanks for the updated KMODS
BTW - I was inspired by your example to include videos for DoT on OpenWRT in the aforementioned link above - so thanks for being so thorough in all your endeavours

@SkewedZeppelin -
latest build (r16405+8) on wrt1900v1 - sysupgrade via GUI does not work. The firmware upload progress bar finishes, but then nothing. The file does flash from the command line.

Dear, is this firmware the same as the stock 21.02 firmware regarding LAN speed if a 10 Mbps device is connected to the router?

So, with 21.02-SNAPSHOT, if a device with a 10 Mbps LAN port is connected to my WRT1900ACS, my upload is capped at 10 Mbps...

PS C:\Users\Andrea\Downloads\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.181.1
Connecting to host 192.168.181.1, port 5201
[  4] local 192.168.181.159 port 50593 connected to 192.168.181.1 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.01   sec   384 KBytes  3.12 Mbits/sec
[  4]   1.01-2.01   sec   640 KBytes  5.26 Mbits/sec
[  4]   2.01-3.01   sec  1.12 MBytes  9.35 Mbits/sec
[  4]   3.01-4.01   sec  1.12 MBytes  9.52 Mbits/sec
[  4]   4.01-5.01   sec  1.12 MBytes  9.41 Mbits/sec
[  4]   5.01-6.00   sec  1.12 MBytes  9.50 Mbits/sec
[  4]   6.00-7.00   sec  1.12 MBytes  9.46 Mbits/sec
[  4]   7.00-8.00   sec  1.12 MBytes  9.41 Mbits/sec
[  4]   8.00-9.01   sec  1.12 MBytes  9.40 Mbits/sec
[  4]   9.01-10.01  sec  1.12 MBytes  9.44 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.01  sec  10.0 MBytes  8.38 Mbits/sec                  sender
[  4]   0.00-10.01  sec  9.81 MBytes  8.23 Mbits/sec                  receiver

iperf Done.

As soon as I remove this device...

PS C:\Users\Andrea\Downloads\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.181.1 -R
Connecting to host 192.168.181.1, port 5201
Reverse mode, remote host 192.168.181.1 is sending
[  4] local 192.168.181.159 port 50611 connected to 192.168.181.1 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  95.6 MBytes   802 Mbits/sec
[  4]   1.00-2.00   sec  97.9 MBytes   821 Mbits/sec
[  4]   2.00-3.00   sec   101 MBytes   847 Mbits/sec
[  4]   3.00-4.00   sec   101 MBytes   850 Mbits/sec
[  4]   4.00-5.00   sec   105 MBytes   884 Mbits/sec
[  4]   5.00-6.00   sec  92.3 MBytes   774 Mbits/sec
[  4]   6.00-7.00   sec   105 MBytes   877 Mbits/sec
[  4]   7.00-8.00   sec   102 MBytes   849 Mbits/sec
[  4]   8.00-9.00   sec  99.4 MBytes   836 Mbits/sec
[  4]   9.00-10.00  sec   107 MBytes   894 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  1006 MBytes   844 Mbits/sec   23             sender
[  4]   0.00-10.00  sec  1006 MBytes   844 Mbits/sec                  receiver

In 19.07.7 without DSA all is ok. Thanks and sorry for this small OT.

1 Like

WRT32X: No issues after updating to 20210403-00: divested-wrt-snapshot-r16405+8-438e88e672-mvebu-cortexa9-linksys_wrt32x-squashfs-sysupgrade.bin

THANK YOU!

Hi!

How did you make dnscrypt-proxy2 work?

Building my own image, including dnscrypt-proxy2, it just won't start. No debugging info, nada.
If I install it after flashing image, it works fine.

What am I missing?

Thank you!

May I ask for assistance on DSA and VLAN tagging? I want to fully use this build but am struggling with VLANs - which I may not even need.

I have to connect to my ISP on VLAN 10 on wan, and was able to do this simply by renaming wan to wan.10 through LuCI, so all good there. However, it seems that if I try to change any bridging on lan the unit freaks out and 90 seconds later I am reverting my changes.

I have read so many things that I admittedly don't understand on DSA and VLANs however there seems to be a gap in bridging the two topics and what a configured /etc/config/network with VLANs and tagging should look like.

I appreciate LuCI has only been recently updated to somewhat enable a GUI config for DSA.

What I am trying to achieve...
Main LAN 192.168.1.1

  • physical ports 1 & 3 (just how I happened to plug them in)
  • Wifi 5ghz (ssid ~house5)
  • Wifi 2.4ghz (ssid ~house2.4)

Kids LAN 192.168.x.x

  • physical port 2
  • Wifi 5ghz (ssid ~kids)
  • Needs to cross to a static IP on VLAN.home to access an SMB share (is this just a firewall rule?)

NB: I was hoping to run a separate DNS instance to enable safe browsing etc

Guest LAN 10.10.x.x (IP was chosen as it came from the tutorial I was following)

  • physical port 3 (used for a work VPN connection)
  • Wifi 5ghz (ssid ~guest5)
  • Wifi 2.4ghz (ssid ~guest2.4)

Do I need 3 distinct VLANs?

Can I configure this thru LuCI?
I understand this image has a hardcoded dnsmasq.conf "interface=br-lan" that may need to be changed

What is the purpose of the local and primary options on VLAN in latest LuCI?

Any assistance, even just directing to a DSA and VLAN for Real Dumb Dummies, would be greatly appreciated.

Edited for clarity

Sounds as if you simply want to isolate some of the RJ45 ports into separate interfaces which are not part of the generic LAN bridge. For that you wouldn't need any specific VLAN configuration. Removing the corresponding ports (I guess "lan2" for kids and "lan3" for guest) from the br-lan bridge should be sufficient. You can then create two new interfaces (e.g. named "kids" and "guest") and assign "lan2" and "lan3" as physical interface to them respectively.

When reconfiguring the ethernet switch/ports of a device I usually connect via wifi to the unit, this way intermittent ethernet disruptions do not interfere with the apply process.

1 Like

too easy, thank you.

And to allow cross "switch" traffic, e.g. lan2 (kids) over to a static IP on lan1 (home), would this be achieved through a couple of simple firewall rules to cover traffic from each source interface/zone to the other?

Finally, is it then easy to setup multiple DNS (many dnsmasq?) now with DSA? So "kids" are on a filtered DNS provider?

I recall reading it was possible with swconfig to have multiple dnsmasqs, however it had to be done via command to bind the dnsmasq instance to the interface - I did try but would get cross DNS leaks (for the lack of a better term) where sometimes my browsing would get incorrectly filtered/blocked.

PS @jow - thank you for your work on the DSA LuCI update.

Yes, exactly. From then on it is ordinary routing/firewalling between separate interfaces/networks.

I think multiple dnsmasq instances are not supported by LuCI, but apart from that it should be doable yes. Have one instance serving br-lan and two more instances serving kids (lan2) and guest (lan3) each. Maybe coupled with some firewall rules forcibly redirecting all TCP/UDP port 53 traffic from lan2/lan3 to the local dnsmasq in order to prevent clients from bypassing it by manually setting another NS.

1 Like
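The port isolation suggested two posts up and the per-interface dnsmasq instance plus port 53 redirect suggested just above, written out as config fragments. This is an added illustration, not the project's or the poster's configuration: the port assignment (lan1 and lan4 stay in br-lan, lan2 becomes "kids"), the addresses, and the upstream resolver 192.0.2.53 (a documentation placeholder for a filtering DNS provider) are assumptions; the "guest" interface on lan3 follows the same pattern and is left out.

```uci
# /etc/config/network: lan2 leaves br-lan and becomes its own untagged
# interface; no VLAN tagging is involved (lan3 for "guest" works the same way)
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ifname 'lan1 lan4'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'kids'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: a second, named dnsmasq instance that listens only on
# "kids" and forwards to the filtering resolver (192.0.2.53 = placeholder).
# The "interface=br-lan" line this build hardcodes in dnsmasq.conf has to be
# removed first, otherwise every instance stays pinned to br-lan.
config dnsmasq 'kids'
	list interface 'kids'
	option localservice '1'
	option rebind_protection '1'
	list server '192.0.2.53'
	option leasefile '/tmp/dhcp.leases.kids'

config dhcp 'kids'
	option interface 'kids'
	option instance 'kids'
	option start '100'
	option limit '50'
	option leasetime '12h'
	option dhcpv4 'server'

# /etc/config/firewall: the "kids" zone itself is omitted (same shape as the
# lan zone). This DNAT with no dest_ip sends every port 53 request from lan2
# to the router, so a client that sets its own resolver still gets the filtered one.
config redirect
	option name 'kids-force-dns'
	option src 'kids'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
```

Only plain port 53 is caught this way; clients using DNS over TLS or HTTPS to another resolver are not affected by the redirect and need separate handling.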

NB: I am running the Divested-WRT 3rd April image with no other software added.

How do I enable DHCP to work for other interfaces?

Using LuCI I have set up a new interface "tamariki" (kids) and assigned it to lan2, but DHCP does not assign anything...

This is my /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<hidden>'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'lan1 lan3'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'wan.10'

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr '<hidden>'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option ifname 'wan.10'
	option auto '0'
	option reqaddress 'none'

config device
	option name 'wan.10'
	option macaddr '<hidden>'

config interface 'tamariki'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

And here is my /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'tamariki'
	option interface 'tamariki'
	option start '100'
	option leasetime '12h'
	option limit '10'

I see there is no "option dhcp..." under 'tamariki'.
When I compare this to my 19.07 dhcp config I have these additional lines

	option ra 'server'
	option ra_management '1'

What am I missing please?

Edit: Also, if I bridge a wireless connection to lan2 (tamariki), the port becomes disabled - no light on the router

config interface 'tamariki'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

Is this related to the DHCP issue on the interface?

wireless on br-lan is OK

Earlier in this thread you wrote that dnsmasq.conf hardcodes interface=br-lan in this firmware. You'd need to remove that to allow the tamariki DHCP pool to work.

1 Like

thank you @jow
This is why I should not do this so late at night, however the wife gets upset when the innernets are down. Hats off to you and everyone who keeps this project alive; and the many active contributors (looking at you @SkewedZeppelin too)

I am not sure if I should continue this here or move the LuCI testing thread. Let me know if I should move it.

However I am curious if anyone else is having this issue?

I still get the lan2 port becoming disabled when I bridge to 'kid' wifi. I even recreated the interface but as soon as there is a bridge created the interface port is gone. If I bridge the 'kid' wifi to br-lan it was all good.

I type "was" as I then added a couple wireless connections bridged to br-lan and a new interface guest (lan4); router dropped both the ports for 'kids' (lan2) and 'guest' (lan4), but clients could still connect to wifi.

I rebooted the router and all ports lit up, then only lan4 remained lit - but I didn't test if it was working as I need to sleep now, as I mistyped my wifi p/w connected to lan so I have to reset the config. Maybe I will try 21.02 then slowly work my way back up to this image.

A significant DSA roaming fix went into the 21.02 branch yesterday for the MV88 switches in all mvebu routers (along with the new wireguard). It's in the new snapshots and will presumably be in the next build here. I wonder if that'll help some of these less common network setups people have here using external switches. Some really nice polishing is happening on the 21.02 branch and it's starting to look like 21.02 will be a very solid release once it's done.

1 Like

@phinn
that patchset has been included since the 20210202-00 build and was merged into master on 2021-02-23.

1 Like

I rolled a fresh 21.02 image with all defaults, except 'Advanced Reboot' to eliminate as many variables as possible. Issue was still present.

I posted about it here and I think it is best dealt with in that forum.

1 Like