Divested-WRT: No-nonsense hardened builds for Linksys WRT series

Sounds as if you simply want to isolate some of the RJ45 ports into separate interfaces which are not part of the generic LAN bridge. For that you wouldn't need any specific VLAN configuration. Removing the corresponding ports (I guess "lan2" for kids and "lan3" for guest) from the br-lan bridge should be sufficient. You can then create two new interfaces (e.g. named "kids" and "guest") and assign "lan2" and "lan3" as physical interface to them respectively.

When reconfiguring the ethernet switch/ports of a device I usually connect via wifi to the unit, this way intermittent ethernet disruptions do not interfere with the apply process.

1 Like

too easy, thank you.

And to allow cross-"switch" traffic, e.g. lan2 (kids) over to a static IP on lan1 (home), this would be achieved through a couple of simple firewall rules to cover traffic from each source interface/zone to the other?

Finally, is it then easy to set up multiple DNS (many dnsmasq?) now with DSA? So "kids" are on a filtered DNS provider?

I recall reading it was possible with swconfig to have multiple dnsmasqs; however, it had to be done via the command line to bind the dnsmasq instance to the interface. I did try, but I would get cross-DNS leaks (for lack of a better term) where sometimes my browsing would get incorrectly filtered/blocked.

PS @jow - thank you for your work on the DSA LuCI update.

Yes, exactly. From then on it is ordinary routing/firewalling between separate interfaces/networks.

I think multiple dnsmasq instances are not supported by LuCI, but apart from that it should be doable yes. Have one instance serving br-lan and two more instances serving kids (lan2) and guest (lan3) each. Maybe coupled with some firewall rules forcibly redirecting all TCP/UDP port 53 traffic from lan2/lan3 to the local dnsmasq in order to prevent clients from bypassing it by manually setting another NS.

1 Like
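As an added illustration of the layout jow describes (this is not configuration from the build or from anyone in the thread), here is a complete UCI fragment for a "kids" network on lan2 with its own dnsmasq instance and a port 53 redirect; a "guest" network on lan3 would repeat the same three pieces. Everything specific is an assumption: the port name lan2, the interface name kids, the subnet 192.168.3.0/24, the home host 192.168.1.50, and the filtering resolver 203.0.113.53 (a documentation-range placeholder; substitute your provider's address). It uses the `option ifname` form the posted config uses; the 21.02 release moved bridges into `config device` sections with `list ports`. IPv4 only, and note that on this particular build jow says later in the thread that dnsmasq.conf hardcodes `interface=br-lan`, which has to go before a second instance can bind lan2.

```uci
# /etc/config/network (addition; br-lan keeps lan1 and lan3 in its ifname list)
config interface 'kids'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# The main instance must stop claiming every interface, otherwise the
# second instance cannot bind lan2. Sections are named so that the
# 'instance' option in each 'config dhcp' can refer to them.
config dnsmasq 'main'
	option domain 'lan'
	option local '/lan/'
	option localservice '1'
	option rebind_protection '1'
	list interface 'lan'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

# Kids instance: ignores the WAN resolvers (noresolv) and forwards only
# to the filtering resolver. Separate lease file so the two do not clash.
config dnsmasq 'kids'
	option domain 'kids'
	option local '/kids/'
	option localservice '1'
	option rebind_protection '1'
	list interface 'kids'
	option noresolv '1'
	list server '203.0.113.53'
	option leasefile '/tmp/dhcp.leases.kids'

config dhcp 'lan'
	option interface 'lan'
	option instance 'main'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'kids'
	option interface 'kids'
	option instance 'kids'
	option start '100'
	option limit '10'
	option leasetime '12h'

# /etc/config/firewall
# Own zone, no forwarding to lan by default, internet via wan.
config zone
	option name 'kids'
	list network 'kids'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'kids'
	option dest 'wan'

# Input is REJECT, so the router must explicitly accept DHCP and DNS from the zone.
config rule
	option name 'kids-dhcp-dns'
	option src 'kids'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Hijack any plain DNS query leaving the kids zone and hand it to the
# local dnsmasq. With no dest_ip the DNAT lands on the router's own
# address in that zone, so a client that sets 8.8.8.8 by hand still
# gets the filtered resolver's answers.
config redirect
	option name 'kids-dns-hijack'
	option src 'kids'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

# DNS-over-TLS uses a dedicated port and is easy to close; DNS-over-HTTPS
# looks like any other HTTPS connection and cannot be caught this way.
config rule
	option name 'kids-block-dot'
	option src 'kids'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'

# The one cross-network exception from the thread: kids may reach a
# single home host on the lan network. A rule with 'dest' set goes into
# the forwarding chain and overrides the zone's REJECT for that host.
config rule
	option name 'kids-to-home-host'
	option src 'kids'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option target 'ACCEPT'
```

After applying, check with `ss -ulnp | grep :53` (or `netstat -ulnp`) that two dnsmasq processes are listening, one on 192.168.1.1 and one on 192.168.3.1, and from a kids client run `nslookup example.com 8.8.8.8`: the answer should come back from the router, which confirms the redirect is working. The "cross-DNS leaks" described earlier in the thread are what you get when both instances bind the wildcard address instead of one interface each, so the `list interface` lines (and `localservice`) are the part not to skip.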

NB: I am running the Divested-WRT 3rd April image with no other software added.

How do I enable DHCP to work for other interfaces?

Using LuCI I have set up a new interface "tamariki" (kids) and assigned it to lan2, but DHCP does not assign anything...

This is my /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<hidden>'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'lan1 lan3'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'wan.10'

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr '<hidden>'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option ifname 'wan.10'
	option auto '0'
	option reqaddress 'none'

config device
	option name 'wan.10'
	option macaddr '<hidden>'

config interface 'tamariki'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

And here is my /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'tamariki'
	option interface 'tamariki'
	option start '100'
	option leasetime '12h'
	option limit '10'

I see there is no "option dhcp..." under 'tamariki'.
When I compare this to my 19.07 dhcp config I have these additional lines:

	option ra 'server'
	option ra_management '1'

What am I missing please?

Edit: Also, if I bridge a wireless connection to lan2 (tamariki) the port becomes disabled - no light on the router

config interface 'tamariki'
	option proto 'static'
	option ifname 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

Is this related to the DHCP issue on the interface?

wireless on br-lan is OK

Earlier in this thread you wrote that dnsmasq.conf hardcodes interface=br-lan in this firmware. You'd need to remove that to allow the tamariki DHCP pool to work.

1 Like

thank you @jow
This is why I should not do this so late at night, however the wife gets upset when the innernets are down. Hats off to you and everyone who keeps this project alive; and the many active contributors (looking at you @SkewedZeppelin too)

I am not sure if I should continue this here or move to the LuCI testing thread. Let me know if I should move it.

However I am curious if anyone else is having this issue?

I still get the lan2 port becoming disabled when I bridge to 'kid' wifi. I even recreated the interface but as soon as there is a bridge created the interface port is gone. If I bridge the 'kid' wifi to br-lan it was all good.

I type "was" as I then added a couple of wireless connections bridged to br-lan and a new interface guest (lan4); the router dropped both the ports for 'kids' (lan2) and 'guest' (lan4), but clients could still connect to wifi.

I rebooted the router and all ports lit up, then only lan4 remained lit - but I didn't test if it was working as I need to sleep now, and I mistyped my wifi p/w while connected to lan so I have to reset the config. Maybe I will try 21.02 then slowly work my way back up to this image.

A significant DSA roaming fix went into the 21.02 branch yesterday for the MV88 switches in all mvebu routers (along with the new wireguard). It's in the new snapshots and will presumably be in the next build here. I wonder if that'll help some of these less common network setups people have here using external switches. Some really nice polishing is happening on the 21.02 branch and it's starting to look like 21.02 will be a very solid release once it's done.

1 Like

@phinn
that patchset has been included since the 20210202-00 build and was merged into master on 2021-02-23.

1 Like

I rolled a fresh 21.02 image with all defaults, except 'Advanced Reboot' to eliminate as many variables as possible. Issue was still present.

I posted about it here and I think it is best dealt with in that forum.

1 Like

Hello, your link is broken, something about IT stack??

Anyways do you have a new build by any chance, hopefully it has wget-ssl, nano, and tcpdump-mini? A complete build if possible for WRT1900ACS V2. Very intrigued to test.

Thank you

Please take this as a reminder that this topic is intended for questions specific to this community build only.

For other community builds, please open a new topic.

1 Like

for those struggling w/ bridging lan and wlan using DSA I posted my steps here

Thank you to @InkblotAdmirer for the ./config/network

I am now running No-Nonsense (w/ kernel 5.4.110) - excited to see how she goes

One thing I have immediately noticed is that with kernels 5.4.110 and 5.10.28 SQM w/ cake the throughput is slower for some reason.

My connection is 950/500 (fibre to the house)
kernel 4.14.x : 750-900 / 450-500
kernel 5.4 & 5.10 : 500-600 / 400-450

As soon as I disable SQM my speeds jump back to 880-950 / 450-500+

It does not matter what iface I use, as soon as cake is enabled it slows down. I tried fq_codel and whilst the speed was mostly back I had worse bufferbloat vs SQM disabled.

Is there anything I can do about this?

EDIT: by enabling this in ./network I was able to squeeze 60-80Mbps more on the download

option packet_steering '1'

EDIT2: I am getting this same behaviour on 21.02 so must be a kernel thing. Does cake get updated or has it been left too long and gone stale? :wink:

1 Like

Cake is recommended over anything else at this point; they have even said fq_codel is obsolete, so hopefully cake gets updated/improved within OpenWrt:

Good info about it here:
https://www.bufferbloat.net/projects/codel/wiki/Cake/

Yes - I have cake tuned nicely on 19.07 w/ kernel 4.14.x. It's a shame I lose 200-300+Mbps download on kernel 5.x.

Looking at git it seems there have been changes related to cake made to the 5.x kernel over the past year and a bit ...???? I wish I understood this all better.

Might be worth submitting an OpenWrt bug report with these findings, that's a significant regression. Common understanding is almost no routers can do 800+Mbits with SQM cake and if these are in that category that's amazing. I always placed it around 600Mbits but since my cable caps out at 500Mbits I never knew for sure.

This is pretty good for 7pm on a Friday night....

Test done on kernel 4.14.224

No-Nonsense w/ kernel 5.4.110 results - appears I am having a good night tonight...

2 Likes

@pSych0bUNny

If you are compiling from my guide, please make a test build with the defconfig hardening patches disabled:
0002-kernel-generic-5.4-config-hardening.patch
0003-kernel-generic-5.10-config-hardening.patch

they are fully expected to reduce performance at the benefit of security.

Yes, I need to retest, as I thought I had rolled a fresh 21.02 with all defaults but then realised that if the firmware on the alternate partition does not have SQM then when I go back to my 19.07 it only has fq_codel available as a qdisc shaper. I thought I made another 21.02 image w/ SQM, but I need to improve my naming conventions as I cannot find it now.

@SkewedZeppelin Happy to make a 'soft' config test image. I have followed the steps in your build guide to a 'T' and I am hoping you could be so kind as to advise the best way to un-"git am" patches as it'll save me heaps of time searching the innerwebs. Thank you in advance.:+1:

un-"git am" patches

git rebase HEAD~8 -i
change pick to drop on the commits you don't want

3 Likes