Kong pro firmware for IPQ806x (R7500, R7800, EA8500, ...)

Thank you. These are the entries:

chain dstnat_lan {
ip saddr 10.42.0.0/16 ip daddr ::my external ip:: tcp dport 80 dnat ip to 10.42.43.239:80 comment "!fw4: web (reflection)"
}

chain srcnat_lan {
ip saddr 10.42.0.0/16 ip daddr 10.42.43.239 tcp dport 80 snat ip to 10.42.43.1 comment "!fw4: web (reflection)"
}

Maybe I'm wrong, but shouldn't the srcnat_lan entry look like this:

chain srcnat_lan {
ip saddr 10.42.0.0/16 ip daddr ::my external ip:: tcp dport 80 snat ip to 10.42.43.1 comment "!fw4: web (reflection)"
}

or

chain srcnat_lan {
ip saddr 10.42.0.0/16 ip daddr ::my external ip:: tcp dport 80 snat ip to 10.42.43.239 comment "!fw4: web (reflection)"
}

That looks good, your reflection rules are in place.
The only thing which is somewhat extraordinary is your very large /16 subnet.
But unless it overlaps with other subnets I assume it should work.

1 Like

I just made an edit to my post. Is the srcnat_lan entry ok?

If 10.42.43.1 is your router's address then it is correct.

Yes, it is. Anything else that can be the culprit / I can try?
I am ok to add some custom rules in my startup file if needed.

I did a wget http://::my external ip::/ from the SSH shell of my router and it returns the LuCI web interface... that should be forwarded to 10.42.43.239, right?

If you have other rules port forwarding port 80 e.g. for remote administration then that could interfere of course.

You can use port forwarding of e.g. port 81 to 10.42.43.239:80 to see if that works.

But otherwise I do not know.

1 Like

Thank you for trying to help out. No luck on external port 81 either. Not sure why it doesn't work. Would be interesting if someone got it working and could share their (firewall) config!

I finally have a lead! (edit: see next post)

When connecting as a client to the WiFi on the main router it works. When I use a physical LAN port to connect as a client (directly to the main router), the reflection / NAT loopback doesn't work. My WiFi networks are connected to the "lan" network.
When I look at the lan interface in the LuCI web interface I see phy-ap and eth1.1 connected to the lan interface (see switch picture). I don't get why it doesn't work using the ethernet ports.

Using the physical ethernet to connect a client:

root@OpenWrtMain:~# tcpdump -n -i br-lan host 10.42.43.239 and port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:25:57.349796 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:57.349288 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:57.349937 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:57.610938 IP 10.42.0.96.61703 > 10.42.43.239.81: Flags [S], seq 1734845036, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:57.611087 IP 10.42.0.96.61703 > 10.42.43.239.81: Flags [S], seq 1734845036, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:58.353640 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:58.353706 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
etc....

Using WiFi (it works):

root@OpenWrtMain:~# tcpdump -n -i br-lan host 10.42.43.239 and port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:27:53.633778 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [S], seq 1158666687, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:27:53.633737 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [S], seq 1158666687, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:27:53.633967 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [S], seq 1158666687, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:27:53.634391 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1123461590, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:27:53.634476 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1123461590, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:27:53.641457 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 1, win 255, length 0
11:27:53.641435 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 1, win 255, length 0
11:27:53.641517 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 1, win 255, length 0
11:27:53.644568 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [P.], seq 1:394, ack 1, win 255, length 393
11:27:53.644548 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [P.], seq 1:394, ack 1, win 255, length 393
11:27:53.644615 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [P.], seq 1:394, ack 1, win 255, length 393
11:27:53.644875 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [.], ack 394, win 501, length 0
11:27:53.644958 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [.], ack 394, win 501, length 0
11:27:53.645040 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [P.], seq 1:668, ack 394, win 501, length 667
11:27:53.645113 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [P.], seq 1:668, ack 394, win 501, length 667
11:27:53.708305 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 668, win 253, length 0
11:27:53.708284 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 668, win 253, length 0
11:27:53.708364 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 668, win 253, length 0
11:27:53.756300 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1955549092, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:27:53.756300 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [R], seq 1123461591, win 0, length 0
11:27:53.756300 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [R], seq 1123461591, win 0, length 0
11:27:53.756301 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [R], seq 1123462258, win 0, length 0
11:27:54.657578 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1955549092, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:27:56.706547 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1955549092, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:28:00.747982 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1955549092, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:28:03.660568 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], seq 393:394, ack 3462880462, win 253, length 1
11:28:03.660644 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], seq 393:394, ack 3462880462, win 253, length 1
11:28:03.660888 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [.], ack 394, win 501, options [nop,nop,sack 1 {393:394}], length 0
11:28:03.660959 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [.], ack 394, win 501, options [nop,nop,sack 1 {393:394}], length 0
11:28:03.660888 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [R], seq 1123462258, win 0, length 0

Seems that we need promiscuous mode on br-lan to make this work. On the latest Kong build this doesn't seem to work properly. When I use the "ACwifidude" build it does work (but it's 9 months old...).
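The two captures above differ in one decisive way: over ethernet only the client's SYNs appear on br-lan and never a SYN-ACK, while over WiFi the full handshake and the HTTP exchange show up. The following script is an added example (not code from the thread or from any of the builds mentioned) that parses `tcpdump -n` lines in exactly the shape shown above, groups them per client socket and reports whether the server side ever answered. The function names, the `server_port` parameter and the two sample captures (short excerpts copied from the posts above, with duplicates left in because br-lan shows the same frame once per bridge port it crosses) are the example's own choices.

```python
import re
from collections import defaultdict

# Matches the per-packet lines "tcpdump -n" prints for TCP, e.g.
# "11:25:57.349796 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: excerpt of the ethernet-client capture from the post above.
ETHERNET_CAPTURE = """\
11:25:57.349796 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:57.349288 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:25:58.353640 IP 10.42.0.96.61702 > 10.42.43.239.81: Flags [S], seq 3489717918, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
""".splitlines()

# Constructed sample: excerpt of the WiFi-client capture from the post above.
WIFI_CAPTURE = """\
11:27:53.633778 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [S], seq 1158666687, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:27:53.634391 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [S.], seq 1123461590, ack 1158666688, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:27:53.641457 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [.], ack 1, win 255, length 0
11:27:53.644568 IP 10.42.0.194.61786 > 10.42.43.239.81: Flags [P.], seq 1:394, ack 1, win 255, length 393
11:27:53.645040 IP 10.42.43.239.81 > 10.42.0.194.61786: Flags [P.], seq 1:668, ack 394, win 501, length 667
""".splitlines()


def parse(lines):
    """Yield (src, sport, dst, dport, flags) for every line that is a tcpdump TCP record."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def summarize(lines, server_port):
    """Group packets by client socket (client ip, client port, server ip, server port)
    and count the handshake and data segments seen in each direction."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0,
                                 "client_data": 0, "server_data": 0, "rst": 0})
    for src, sport, dst, dport, flags in parse(lines):
        if dport == server_port:            # client -> server
            f = flows[(src, sport, dst, dport)]
            if flags == "S":
                f["syn"] += 1
            elif "P" in flags:
                f["client_data"] += 1
        elif sport == server_port:          # server -> client
            f = flows[(dst, dport, src, sport)]
            if flags == "S.":
                f["synack"] += 1
            elif "P" in flags:
                f["server_data"] += 1
            elif "R" in flags:
                f["rst"] += 1
    return dict(flows)


def diagnose(lines, server_port):
    """Return a verdict per client socket: did the server's reply ever cross this bridge?"""
    verdicts = {}
    for key, f in summarize(lines, server_port).items():
        if f["synack"] == 0:
            verdicts[key] = ("no SYN-ACK: only client SYNs seen on the bridge, "
                             "the reflected reply never came back this way")
        elif f["server_data"] > 0:
            verdicts[key] = "handshake and data exchanged: reflection works for this client"
        else:
            verdicts[key] = "SYN-ACK seen but no server data: connection set up, no payload yet"
    return verdicts


if __name__ == "__main__":
    for name, capture in (("ethernet", ETHERNET_CAPTURE), ("wifi", WIFI_CAPTURE)):
        for key, verdict in diagnose(capture, 81).items():
            print(f"{name}: {key[0]}:{key[1]} -> {key[2]}:{key[3]}: {verdict}")
```

Feed it a whole capture (`tcpdump -n -i br-lan host 10.42.43.239 and port 81 > cap.txt`, then `diagnose(open("cap.txt"), 81)`) and a flow that stays at "no SYN-ACK" while the same client works on another port or medium points at the return path, not at the DNAT rule, which is exactly the distinction the ethernet and WiFi captures above make.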

What ATH10 firmware are you using?
The CT firmware could be the problem and might need

option promisc '1'

on the device.

I use the standard ATH10 firmware.
I have enabled a port forward from 8080 to port 80 for management (this router is an internal test router).
I can connect from inside to the external IP:8080, but it is slightly different from your situation.

1 Like

https://www.desipro.de/openwrt/23.05/ipq806x-nss/

This one has the issues... is there another one I could try?

You build the firmware yourself?

option promisc '1'

Where do I put this?

Like this

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option promisc '1'

Sure, you can try my build, but I doubt that will work as it is based on Kong's repo, so it should be the same.
Just uploaded: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/R7800

1 Like

I'm currently running DD-WRT on my R7800 (running as AP) and have a couple of questions before I make the switch to OpenWRT:

  • What is the max 5 GHz speed I can expect with OpenWRT? For reference, running DD-WRT I get 600-650 Mbps using my S24.
  • Can somebody link me to the best firmware to use on the R7800? I've seen different versions, so not sure which one is the best, etc.
  • What's the best way to switch (upgrade) from DD-WRT to OpenWRT? (I should probably look it up, but ask anyway in case someone has a link handy for me) :slight_smile:

The DD-WRT runs just fine, but I have switched to OpenWRT on my main router and like it very much, so would like to switch the R7800 as well.

How did you measure that? The PHY rate is max 866 Mb/s under ideal circumstances (2 streams, 80 MHz); real throughput measured with iperf3 WLAN<>LAN is max 2/3 of that, so 650 Mb/s is on the upper side of what is possible.
(The PCI bus by which the radio is connected maxes out at 750 Mb/s.)

I am currently running a build based on Kong's NSS build which does somewhat over 600 Mb/s iperf3 WLAN<>LAN.

(My DL-WRX36, which is an AX router, will do 800 Mb/s on WiFi and gigabit LAN<>WAN without any offloading.)

My main router is running a regular non-NSS build as I need the utmost stability: I am often away for longer periods and need the main router to connect to my home, so I cannot afford crashes and reboots like I had with DD-WRT 6.X. But I am sure it will improve over time; unfortunately I could not wait any longer, so I switched to OpenWRT as I also had more AX routers running OpenWRT.

Kong's NSS build does seem good and stable, but I only need 600 Mb/s LAN<>WAN for the main router so do not need NSS acceleration.

Best build: DD-WRT K4.9, 600 Mb/s WiFi and 900 Mb/s LAN<>WAN without any offloading and rock solid, but K4.9 is EOL and no longer supported :frowning:

To get OpenWRT on your R7800, go back to stock first, see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
The second post has the file to go back to stock (from Kong).

See OpenWRT instructions: https://openwrt.org/toh/netgear/r7800?s[]=r7800&s[]=install

Thanks for your answers.. I am up and running with Kong's NSS build, and I am happy to report the WiFi speed is the same as when I was using DD-WRT, around 650 Mbps. (I too have been on the 4.9 kernel of DD-WRT up to now; all recent builds have had some sort of issues which stopped me from installing them.. Well, I guess that's all in the past now.. Onwards and upwards with OpenWRT :slight_smile: )

Quick question: Some of the packages I use on my main router are not available to install on Kong's build. Can I add additional package URLs in the distfeeds.conf file? Or can I only use the packages added to that file by Kong?

1 Like

Packages are meant for the same build with the same kernel. Some might need an NSS dependency, so the short answer is you can only use packages added by Kong.
But his build is based on release 23.05.5, so packages for the R7800 from the regular non-NSS release will probably work if you can install them.

1 Like

I'm trying to learn how to set up VLANs between 2 routers, however I am slightly confused with this build..

Does this firmware/router support DSA?

From what I can see the "Bridge VLAN Filtering" (DSA?) page exists, as well as the Switch (pre-DSA?) page.. The Switch page is pre-populated with VLAN 1+2, whereas the VLAN filtering page is empty..

Which one do I use? And if the answer is "VLAN Filtering", what do I do with the entries in the Switch page?

Bridge VLAN Filtering:

Switch:

This probably comes down to my understanding. I have tried reading up on it and viewing YouTube videos, but I am still confused. :slight_smile:

This is not DSA (unfortunately DSA is not compatible (yet?) with NSS).
Maybe start here: https://openwrt.org/docs/guide-user/network/vlan/start

1 Like

Looks like a new build has just been posted.

2 Likes

New build, but same kernel version.
Is there a changelog for Kong NSS?