OpenWrt 23.05.2 - Service Release

{
	"kernel": "5.15.137",
	"hostname": "HomeRouter",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
---- network ---
# UCI network configuration as posted in the thread.
# The LAN address and the PPPoE username/password appear to be placeholders.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# Bridge joining the four LAN switch ports into one layer-2 segment.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# LAN interface on the bridge: static IPv4, with ipv6 'off' and delegate '0' set.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'   # set to 64 when ipv6 to auto
	option ipaddr 'xxx.xxx.xxx.xxx'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option ipv6 'off'
	option delegate '0'

# Physical WAN port; macaddr is left empty here.
config device
	option name 'wan'
	option macaddr ''
	option mtu '1500'

# PPPoE uplink. The username and password are stored in cleartext in this
# file, so real values must be redacted before the config is shared
# (the ones shown look like placeholders).
config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'myusername'
	option password 'mypassword'
	option ipv6 '1'

# DHCPv6 client layered on the wan interface ('@wan').
# NOTE(review): the firewall listing on this page has the Allow-DHCPv6 rule
# disabled; confirm that matches the intent for this interface.
config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

# MTU for the PPPoE session device (1492, versus 1500 on the physical 'wan' device).
config device
	option name 'pppoe-wan'
	option mtu '1492'

---- wireless -------
# UCI wireless configuration as posted.
# Three radios are defined; radio1 and radio2 carry option disabled '1'.
# No wifi-iface section for radio0 appears in this listing.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option legacy_rates '0'
	option country 'GB'
	option channel '64'
	option htmode 'VHT40'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option legacy_rates '1'
	option country 'GB'
	option cell_density '1'
	option channel '6'
	option disabled '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

# Open access point (encryption 'none', SSID 'OpenWrt') attached to 'lan'.
# It is inactive only because radio2 is disabled above; enabling radio2
# without changing this section would give unauthenticated access to the LAN.
# NOTE(review): set an encryption mode and key here, or remove the section.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr ''

# WPA2-PSK ('psk2') access point on radio1, attached to 'lan' and disabled.
# The key is stored in cleartext in this file; the value shown looks like a
# placeholder. Redact real keys before sharing the config.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key 'mypassword'
	option network 'lan'
	option ssid 'myssid'
	option macaddr ''
	option disabled '1'


# UCI dhcp configuration as posted (dnsmasq, DHCP pools, odhcpd).
# rebind_protection '1' and boguspriv '1' are set, and localservice '1' is on.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option boguspriv '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	option cachesize '1000'
	option quietdhcp '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Upstream resolvers listed explicitly, in addition to the resolvfile above.
	list server '208.67.222.222'
	list server '208.67.220.220'
	list server '8.8.8.8'
	list server '62.6.38.125'
	# Excludes 'wan' from dnsmasq; the dhcp 'wan' section below also sets ignore '1'.
	list notinterface 'wan'

# DHCP pool for the LAN: starts at offset 100, 140 addresses, 12h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option limit '140'
	# DHCP options handed to clients: 4 = time server, 6 = DNS server,
	# 42 = NTP server, 3 = router. The addresses are redacted in the post.
	list dhcp_option '4,xxx.xxx.xxx.xxx'
	list dhcp_option '6,xxx.xxx.xxx.xxx'
	list dhcp_option '42,xxx.xxx.xxx.xxx'
	list dhcp_option '3,xxx.xxx.xxx.xxx'
	list ra_flags 'none'

# No DHCP service on the WAN interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd with maindhcp '0', i.e. not acting as the main DHCP server.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# static host dhcp definitions deleted

---- firewall



# UCI firewall configuration as posted.
# Global defaults: input and output ACCEPT, forward REJECT, SYN-flood protection on.
# NOTE(review): the default input policy is ACCEPT; the zones below set their
# own input policy and the wan zone uses REJECT. Traffic from an interface
# that is not assigned to any zone presumably falls under these defaults, so
# confirm that every WAN-side interface is a member of the wan zone.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: fully trusted (input, output and forward all ACCEPT).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone covering 'wan' and 'wan6': input and forward are REJECT, so
# inbound traffic is refused unless a rule below accepts it. Masquerading
# and MSS clamping (mtu_fix) are enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Only lan -> wan forwarding is allowed between zones.
config forwarding
	option src 'lan'
	option dest 'wan'

# The next three rules DROP TCP 22, 443 and 80 arriving from wan.
# As far as this listing shows they overlap with the wan zone's input REJECT;
# the visible difference is the target (DROP instead of REJECT).
config rule
	option dest_port '22'
	option src 'wan'
	option name 'external ssh'
	option target 'DROP'
	list proto 'tcp'

# Named 'external ssh 443' but matches TCP port 443.
config rule
	option dest_port '443'
	option src 'wan'
	option name 'external ssh 443'
	option target 'DROP'
	list proto 'tcp'

config rule
	option dest_port '80'
	option src 'wan'
	option target 'DROP'
	list proto 'tcp'
	option name 'external openwrtweb access'

# Accepts UDP to port 68 (DHCP client port) from wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'

# Disabled (enabled '0'): IPv4 echo-requests from wan are not accepted by this rule.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Disabled (enabled '0').
# NOTE(review): the network listing on this page has a wan6 interface using
# proto 'dhcpv6'; confirm that disabling this rule is intended.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Accepts MLD messages (ICMPv6 types 130, 131, 132, 143) from link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward rule: ESP from wan to hosts in lan.
# NOTE(review): only needed if a LAN host terminates IPsec; otherwise
# consider disabling it to narrow what the wan zone may forward.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward rule: UDP 500 (ISAKMP/IKE) from wan to hosts in lan.
# NOTE(review): same consideration as Allow-IPSec-ESP.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# User-supplied rules file; its contents are not shown on this page.
config include
	option path '/etc/firewall.user'

# Script include installed under /usr/share/miniupnpd.
# NOTE(review): miniupnpd can open port forwards on request from LAN clients;
# whether the daemon is enabled cannot be told from this listing, so confirm
# it is wanted.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'


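You do not need to add a "notinterface" option to ignore WAN if you also configure the WAN DHCP section with "ignore 1". You also do not need separate rules to block ports 22, 80 and 443, because the wan zone's input policy is already REJECT, so all connections from WAN to the router are blocked unless a rule explicitly accepts them.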

Do you see those errors all the time, or only while the device boots?

The messages appear very frequently:

Mon Feb 19 14:49:45 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:49:53 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:53:33 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:53:34 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:57:00 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:57:29 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:57:56 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:58:03 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:58:07 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:58:44 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:58:45 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:58:47 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 14:59:28 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:00:07 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:00:22 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:01:31 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:01:59 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:02:15 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:02:20 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address
Mon Feb 19 15:03:29 2024 daemon.warn dnsmasq-dhcp[1]: DHCP packet received on wan which has no address

Can you please execute this command, to check that DNSMASQ is receiving the info about the WAN interface?

cat /var/etc/dnsmasq.conf.* | grep -i "no-dhcp-interface"

cat /var/etc/dnsmasq.conf.* | grep -i "no-dhcp-interface"
no-dhcp-interface=pppoe-wan

I removed the items under DHCP and DNS; Forwards; DNS forwarding. Messages seem to be less frequent now but have not stopped.

How much for the glasses?

So I assume this is your first day?

But really, I don't like where this discussion is going, and you DO realize it's you who sends ridiculous posts and insults others, not the other way around?

maybe some mod should step in here.

Also, this statement looks pretty clear to me, so if there is no branch, the devs haven't decided it's needed yet.

What do you expect from the next 23.x branch, actually? AFAIK there are never big changes without a main release, only bug fixes, so unless you have an important issue, you probably shouldn't expect too much from it.


We have some broken devices and some security updates to apply. They are not massive CVEs, but there are still some apps that are better kept updated, and there is also a kernel update.


I'm a bit lost here... I cannot see what could be happening...

Indeed puzzling. Got quite a bit of those messages over the last two days again. Don't see a pattern in the time of these messages.

Try to capture such DHCP packets:

tcpdump -w /tmp/dhcp.pcap -i wan udp port 67 or 68

In particular, the UDP destination port would be interesting: 67=server, 68=client.

Hi!
After upgrade I see kernel 5.15.137 in luci overview. But when executing opkg list-installed kernel I get "kernel - 5.15.134-1-2f29f5d52148751b163e722c9eaead1e". When I try to install kmod packages, I get dependency failure.

What went wrong? Do you guys have the correct kernel installed?

From my main router, installed 23.05.2 some months ago...

$ opkg list-installed kernel
kernel - 5.15.137-1-47964456485559d992fe6f536131fc64

What does ubus call system board tell you? Here's mine with all the junk cut out.

{
        "kernel": "5.15.137",
        "release": {
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

I went back to original firmware, and now everything works. But I guess there is an issue updating the kernel when doing upgrade via luci for some devices (pi 3b+ squashfs).

Version 23.05.2 (stable)
While editing a firewall rule I happened to notice this when I made a typo in the time area. Whereas I would expect the valid hours to be 0:00:00 through 23:59:59, the box allows the hour to be set above 23: without error.

Entries for hour can be entered all the way up to 69: until it generates an error at 70+
image

I tested to see if the firewall rule would be allowed to be saved. It was. I saved, but did not apply.

Obviously I then reverted and set the proper time for the rule.
I don't know what the outcome would be if a typo like this were actually mistakenly saved, beyond possibly the rule just not working. Even if minor, I just wanted to report this. Apologies if this is duplicate or already reported. I searched but didn't find any similar post. Thanks and regards.

EDIT / UPDATE: I am a user, not developer, so I don't normally report bugs. I found where to report this on Github and created #14756

https://github.com/openwrt/openwrt/issues/14756


Nice find! I've created a fix at https://github.com/openwrt/luci/pull/6953 which solves this.

this.value.match(/^[0-2][0-3]:[0-6][0-9]:[0-6][0-9]$/),

Shouldn’t the first digit of minutes and seconds also be limited to 0-5, i.e. 00-59?

Correct, I actually had this change in my working directory but forgot to commit it, you can see in the screenshot I provided only allows 0-5 in the first digit.

Thank you. I think it’s even more complicated because we have 12 hours clock countries and 24 hours clock countries.

So

this.value.match(/^[0-2][0-3]:[0-5][0-9]:[0-5][0-9]$/)

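With this pattern, 16:xx:xx cannot be entered even in a 24-hour clock country, because the second hour digit (6) is higher than 3. To accept 00-23, the hour part has to treat the two digits together, for example ([01][0-9]|2[0-3]).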

Or is 12 or 24 hours clock converted somewhere?

Very good question, I don't think LuCI handles 12 hour and 24 hour clocks in a good way (locale handling overall doesn't seem to be well supported). The timehhmmss validator I updated doesn't accept AM/PM as input (11:00:00 AM is rejected as an example), so by that simple reasoning it must be 24 hour clock it was intended for since otherwise you wouldn't have been able to insert values for the second half of a day.

I'm from a 24-hour country myself (Sweden), so I've never tried to use LuCI with 12-hour clock values. I would guess there's no conversion and the value you specify in the text field is simply sent directly to UCI without any transformation, but I'm unsure; I've only been developing in LuCI for a few weeks.
