Ipq806x NSS build (Netgear R7800 / TP-Link C2600 / Linksys EA8500)

My own build: @ACwifidude's sources, rebased onto current master. For the AP I disabled some packages like OpenVPN, the ad blocker and so on.

1 Like

1.) This is when you're in AP mode, and firewall is completely disabled?
2.) Are you using fw4 or fw3?
3.) When your firewall is enabled, what does your ruleset look like? iptables-nft-save for fw4, iptables-legacy-save for fw3.
4.) With your firewall enabled can you remove all your rules and test if it persists?
5.) Have you used/tested with 5.10 NSS builds?

1 Like

@qosmio

  1. That's correct. Reboots happen if the firewall is disabled in services, wireless is enabled and wireless client(s) are connected.
    Driver: ath10k non-CT; dawn is installed for better roaming between APs.
  2. Firewall: fw4
  3. iptables-nft-save not found. Here is another command:
    # nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 1552625 bytes 291660268 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 6259010 bytes 1041107182 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
        }

        chain reject_from_wan {
        }

        chain reject_to_wan {
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
        }
}
  4. I get a reboot after the nft flush ruleset command if a wireless client is connected.
  5. Yes. I used 5.10 NSS builds (22.03) with the firewall disabled. All is OK.
2 Likes
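An added example, not code from any post in this thread: a small parser over `nft list ruleset` output that answers the question the ruleset above raises but does not state directly, namely which chains a packet can actually reach from a netfilter hook. In the posted ruleset the base chains jump only to the `*_lan` chains (and `srcnat` has no rules at all), so `input_wan`, `forward_wan`, `output_wan` and `srcnat_wan` are emitted by fw4 but never entered, which is why every counter in them reads 0 and the masquerade rule never fires. The ruleset embedded below is a constructed, trimmed copy of the one posted; the plain `nft list ruleset` text format is the only assumption.

```python
"""Added example (not code from the thread): parse `nft list ruleset` output and
report which fw4 chains are reachable from a netfilter hook. SAMPLE_RULESET is a
constructed, trimmed copy of the ruleset posted above in the thread."""
import re

SAMPLE_RULESET = """table inet fw4 {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
    }
    chain input_lan {
        jump accept_from_lan
    }
    chain forward_lan {
        jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
        jump accept_to_lan
    }
    chain accept_from_lan {
        iifname "br-lan" counter packets 1552625 bytes 291660268 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }
    chain accept_to_lan {
        oifname "br-lan" counter packets 6259010 bytes 1041107182 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }
    chain input_wan {
        meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
        jump reject_from_wan
    }
    chain forward_wan {
        meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
    }
    chain accept_to_wan {
    }
    chain reject_from_wan {
    }
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
    }
    chain srcnat_wan {
        meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }
}
"""

BASE_RE = re.compile(r"type (\w+) hook (\w+) priority ([\w-]+); policy (\w+);")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")
TARGET_RE = re.compile(r"\b(?:jump|goto) (\S+)")


def parse_ruleset(text):
    """chain name -> {"base": (type, hook, priority, policy) or None, "rules": [...], "targets": {...}}"""
    chains, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if cur is None and m:
            cur = m.group(1)
            chains[cur] = {"base": None, "rules": [], "targets": set()}
        elif cur is None or not line:
            continue                      # table header/footer, blank lines
        elif line == "}":
            cur = None
        elif (b := BASE_RE.match(line)):
            chains[cur]["base"] = b.groups()
        else:
            chains[cur]["rules"].append(line)
            # Strip the comment first so "jump" inside a comment string is never taken for a verdict.
            expr = line.split(" comment ", 1)[0]
            chains[cur]["targets"].update(TARGET_RE.findall(expr))
    return chains


def reachable_chains(chains):
    """Base chains plus everything transitively reached by jump/goto."""
    todo = [n for n, c in chains.items() if c["base"]]
    seen = set()
    while todo:
        n = todo.pop()
        if n in chains and n not in seen:
            seen.add(n)
            todo.extend(chains[n]["targets"])
    return seen


def dead_chains(chains):
    return sorted(set(chains) - reachable_chains(chains))   # rules that can never run


def base_policies(chains):
    """{hook: policy} for filter-type base chains, i.e. the default verdicts."""
    return {c["base"][1]: c["base"][3] for c in chains.values()
            if c["base"] and c["base"][0] == "filter"}
```

Run it against a live box with `nft list ruleset | python3 -c 'import sys, nftreach; ch = nftreach.parse_ruleset(sys.stdin.read()); print(nftreach.base_policies(ch), nftreach.dead_chains(ch))'` (module name assumed). Two things worth checking before blaming an offload driver: which hooks and priorities carry base chains at all, since that is what a netfilter-hooking driver like ECM observes regardless of fw3 or fw4, and whether the chains you think protect a zone are reachable at all; an empty but reachable chain such as `accept_to_wan` simply falls through, while an unreachable `srcnat_wan` means no NAT is happening.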

Thanks. I'm not sure how best to mitigate this, as I'm fairly limited in my understanding of the Linux networking stack and the ECM codebase. I know NSS in general will hook into the nf stack and take over, so even with a basic firewall it shouldn't add any overhead.

@quarky thoughts?

1 Like

Tbh, I have yet to try the QCA NSS drivers on fw4, but in theory it should work similarly to fw3. AFAIK the fw3 to fw4 change mainly affects the userland tools used to configure the netfilter rules. As the driver hooks into netfilter directly, it shouldn't matter how netfilter is configured.

@csharper2005 do you happen to have any kernel panic stack trace when the reboot occurs?

1 Like

I have only ramoops logs: Ipq806x NSS build (Netgear R7800 / TP-Link C2600 / Linksys EA8500) - #3365 by csharper2005

Looks like the way fw4 sets up the netfilter rules is not compatible with the NSS ECM driver. The ECM driver is crashing due to a null pointer exception. I will have to dig into the ecm_nss_ported_ipv4_connection_accelerate() function in the driver to find out what's wrong.

7 Likes

@ACwifidude and others. Are there any known problems getting VLANs to work with NSS builds?

I'm trying to set up VLANs on one of the ports of the R7800 switch, where I'm connecting a trunk cable coming from my main Cisco switch. No matter how much I try, it seems like the VLAN information is not properly handled by the R7800 switch, or I'm doing something very wrong.

No difference between NSS builds and non-NSS builds. VLANs work as expected on NSS builds.

1 Like

Oh well, I have VLAN tagging on WAN and also an internal VLAN for IoT devices (passing through some Netgear managed switches).
I'd say it works :slight_smile:
And honestly I did everything through LuCI (yes, I'm soooooooooo lazy).
As @D43m0n says, I saw no differences at all between NSS and non-NSS builds (passing through 5.4, 5.10 and 5.15 kernels).

1 Like

Thanks @D43m0n and @pattagghiu for the answers. In that case, it is quite clear I'm not configuring VLANs properly.

@pattagghiu I'm actually doing the configuration through LuCI as well, as I found some good guides on this forum. I'll give it another go.

I've been running ACwifidude's kernel 5.15-nss-qsdk11 branch with my patches for over a week.
PPPoE, DS-Lite, L2TP and IPsec work fine.
It is stable in my usage.
@ACwifidude, I created a PR. Please review it.

5 Likes

Hi, can you please upload this image somewhere, to your google drive or something? It's very hard to find stable images in this thread.

Hello friend, I think it is this one; I always have problems identifying the file with the installed version.

R7800-20220904-Stable2203NSS-sysupgrade.bin

Download

Thank you, but it's not correct. You uploaded the image for "OpenWrt 22.03-SNAPSHOT r19691+28-39c115028a / LuCI openwrt-22.03 branch git-22.245.77528-487e58a" which is older than the one in your screenshots.

EDIT: I appreciate your effort, but the person below posted a stable build with ath10k, so please don't bother with further search.

If you want, try this version. It's the latest that was provided by ACwifidude based on master with kernel 5.10. It has been stable on four R7800s (no reboots) for as long as the power is not cut.

1 Like

Excellent, it's also ath10k, which I prefer. Thank you. Do you have any startup entries to scale CPU usage/governors or whatnot, or is it working without them?

i.e. stuff like this:

echo ondemand > /sys/devices/system/cpu/cpufreq/policy0/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpufreq/policy1/scaling_governor
echo 800000 > /sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq
echo 800000 > /sys/devices/system/cpu/cpufreq/policy1/scaling_min_freq
echo 75 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold
echo 10 > /sys/devices/system/cpu/cpufreq/ondemand/sampling_down_factor
1 Like

No startup entries of this kind at all. Using the default build settings, which are:

echo ondemand > /sys/devices/system/cpu/cpufreq/policy0/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpufreq/policy1/scaling_governor
echo 600000 > /sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq
echo 600000 > /sys/devices/system/cpu/cpufreq/policy1/scaling_min_freq
echo 25 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold
echo 10 > /sys/devices/system/cpu/cpufreq/ondemand/sampling_down_factor
1 Like

Please forgive my stupid follow-up, but does this mean I leave the startup box empty, or do I paste the above script in there?

Just leave it empty, or you can have other entries serving different purposes. You can use SSH to access the console and check/confirm your current settings. Even simply using htop you can see a lot if you are not familiar enough.

1 Like
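An added example, not a script from any post in this thread: the two posts above quote six bare `echo` lines for cpufreq, and the last reply recommends checking the current settings over SSH. Blind `echo` into sysfs silently does nothing when a node is missing (the `ondemand/` tunables directory only appears once a policy is running that governor) or when the kernel rejects a value, so the functions below write each value, read it back, and report a failure instead. The values applied are the build defaults quoted above (600000 kHz, up_threshold 25, sampling_down_factor 10). `CPUFREQ_ROOT` is an assumption added so the logic can be exercised against a fake sysfs tree; on the router leave it at its default.

```sh
#!/bin/sh
# Added example (not from the thread): apply and verify cpufreq settings.
# CPUFREQ_ROOT is overridable only so the logic can be tested offline against a fake tree;
# the default is the real sysfs path used in the posts above.
CPUFREQ_ROOT="${CPUFREQ_ROOT:-/sys/devices/system/cpu/cpufreq}"

# set_and_verify <path relative to CPUFREQ_ROOT> <value>
# Writes the value only if the node exists and is writable, then reads it back.
# Returns 1 when the node is missing or the kernel did not accept the value.
set_and_verify() {
    path="$CPUFREQ_ROOT/$1"
    want="$2"
    if [ ! -w "$path" ]; then
        echo "skip: $path not writable" >&2
        return 1
    fi
    echo "$want" > "$path" 2>/dev/null || return 1
    have=$(cat "$path")
    [ "$have" = "$want" ]
}

# apply_ondemand <min_freq_khz> <up_threshold> <sampling_down_factor>
# Governors are switched first: the ondemand/ tunables only exist once a policy runs it.
apply_ondemand() {
    min="$1"; up="$2"; sdf="$3"
    rc=0
    for p in policy0 policy1; do
        set_and_verify "$p/scaling_governor" ondemand || rc=1
        set_and_verify "$p/scaling_min_freq" "$min" || rc=1
    done
    set_and_verify ondemand/up_threshold "$up" || rc=1
    set_and_verify ondemand/sampling_down_factor "$sdf" || rc=1
    return $rc
}

# show_cpufreq: print the effective settings, one key=value per line.
show_cpufreq() {
    for p in policy0 policy1; do
        for f in scaling_governor scaling_min_freq scaling_max_freq scaling_cur_freq; do
            [ -r "$CPUFREQ_ROOT/$p/$f" ] && printf '%s/%s=%s\n' "$p" "$f" "$(cat "$CPUFREQ_ROOT/$p/$f")"
        done
    done
    for f in up_threshold sampling_down_factor; do
        [ -r "$CPUFREQ_ROOT/ondemand/$f" ] && printf 'ondemand/%s=%s\n' "$f" "$(cat "$CPUFREQ_ROOT/ondemand/$f")"
    done
    return 0
}

# Usage: sh cpufreq.sh apply   (build defaults quoted in the thread)
#        sh cpufreq.sh show
case "${1:-}" in
    apply) apply_ondemand 600000 25 10 ;;
    show)  show_cpufreq ;;
esac
```

If you do want these in the LuCI startup box, call `apply_ondemand` from there and keep the return code; a failed verification at boot is exactly the case where the settings you think you have are not the ones in effect, and `show_cpufreq` over SSH is the quick way to confirm what the box actually runs.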