Problem with Tor client on MikroTik wAP ac LTE

I followed the instructions at https://openwrt.org/docs/guide-user/services/tor/client to install the Tor client on my MikroTik wAP ac LTE router (https://mikrotik.com/product/wap_ac_lte_kit).

My initial guess regarding my issues would be RAM. Here are a few of the router's key specs.

| Size of RAM | 128 MB |
| Storage size | 16 MB |
| Storage type | FLASH |

16MB storage size just seems really small but is maybe fine for a router. 128MB RAM is fine I believe?

After following the instructions above I started up then ssh'ed into the router and checked that tor, firewall, and dnsmasq are running. I have found I have had to restart the lte modem/internal sim connection (which I have done via the web interface) but I don't think that really matters here.

When I tried to access https://www.google.com from my web browser I get 'problem loading page'/'The connection has timed out' error message.

At this point, although I cannot access https://www.google.com via my browser I am able to successfully ping google.com from the router ssh shell itself. However, after the ping has completed the router freezes. The cursor blinks, until I type anything on my keyboard at which point the blinking stalls, as though it is receiving input, but no command appears on the actual command line. It just hangs when I try to ssh from another shell into the router with the 'ssh root@192.168.1.1' command I just used to connect.

I thought I would try and stop the firewall and dnsmasq, so I did this immediately after rebooting the router but this made no difference.

Here are the results of the troubleshooting steps from: https://openwrt.org/docs/guide-user/services/tor/client

(Sorry if I am using the incorrect formatting here. Please advise and I will correct it if so.)

root@OpenWrt:~# logread -e Tor; netstat -l -n -p | grep -e tor
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: We compiled with OpenSSL 300000d0: OpenSSL 3.0.13 30 Jan 2024 and we are running with OpenSSL 300000d0: 3.0.13. These two versions should be binary compatible.
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Tor 0.4.8.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.13, Zlib 1.2.13, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Read configuration file "/tmp/torrc".
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Processing configuration path "/etc/tor/torrc" at recursion level 1.
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Including configuration file "/etc/tor/torrc".
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Processing configuration path "/etc/tor/custom" at recursion level 1.
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Including configuration file "/etc/tor/custom".
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.warn Tor[1470]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opening Socks listener on 127.0.0.1:9050
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opening DNS listener on 0.0.0.0:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened DNS listener connection (ready) on 0.0.0.0:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opening DNS listener on [::]:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened DNS listener connection (ready) on [::]:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opening Transparent pf/netfilter listener on 0.0.0.0:9040
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9040
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opening Transparent pf/netfilter listener on [::]:9040
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Transparent pf/netfilter listener connection (ready) on [::]:9040
Mon Jun 10 12:24:05 2024 daemon.notice Tor[1470]: Bootstrapped 0% (starting): Starting
Mon Jun 10 12:24:05 2024 daemon.notice Tor[1470]: Starting with guard context "default"
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:17 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:18 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:18 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:18 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:18 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:22 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:22 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:22 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:22 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:27 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:27 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:27 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:27 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:32 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:32 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:32 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:33 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:33 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:33 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:33 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:37 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:37 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:37 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:37 2024 daemon.notice Tor[1470]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
Mon Jun 10 12:24:41 2024 daemon.notice Tor[1470]: Catching signal TERM, exiting cleanly.

root@OpenWrt:~# nft list ruleset
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 157 bytes 12536 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 53 bytes 5177 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	chain accept_to_wan {
	}

	chain reject_from_wan {
	}

	chain reject_to_wan {
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain dstnat_lan {
		tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: Intercept-DNS"
		udp dport 53 counter packets 83 bytes 6142 redirect to :53 comment "!fw4: Intercept-DNS"
		fib daddr type != { local, broadcast } tcp dport 0-65535 counter packets 134 bytes 8040 redirect to :9040 comment "!fw4: Intercept-TCP"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}

root@OpenWrt:~# pgrep -f -a tor
3984 /usr/sbin/tor --runasdaemon 0 -f /tmp/torrc
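
As an added example (not part of the original post or the OpenWrt wiki), these shell helpers summarise what the output above shows: how far Tor bootstrapped, which listeners are bound to wildcard addresses (the source of the DNSPort/TransPort warnings), whether Tor was stopped before it finished bootstrapping, and how much memory is available. The function names and the meminfo values are assumptions; the log sample is abridged from the post.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a Tor log and meminfo.

# Constructed sample: lines abridged from the log posted above.
sample_log() {
cat <<'EOF'
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened DNS listener connection (ready) on 0.0.0.0:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened DNS listener connection (ready) on [::]:9053
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9040
Mon Jun 10 12:24:04 2024 daemon.notice Tor[1470]: Opened Transparent pf/netfilter listener connection (ready) on [::]:9040
Mon Jun 10 12:24:05 2024 daemon.notice Tor[1470]: Bootstrapped 0% (starting): Starting
Mon Jun 10 12:24:41 2024 daemon.notice Tor[1470]: Catching signal TERM, exiting cleanly.
EOF
}

# Constructed sample in /proc/meminfo format (values are made up).
sample_meminfo() {
cat <<'EOF'
MemTotal:         118784 kB
MemAvailable:      20480 kB
EOF
}

# Highest "Bootstrapped N%" seen in the log on stdin (0 if none).
tor_bootstrap_max() {
    awk 'match($0, /Bootstrapped [0-9]+%/) {
             n = substr($0, RSTART + 13, RLENGTH - 14) + 0
             if (n > max) max = n
         }
         END { print max + 0 }'
}

# Addresses of listeners bound to every interface (0.0.0.0 or [::]).
tor_wildcard_listeners() {
    awk '/Opened .* listener connection/ &&
         (index($NF, "0.0.0.0:") == 1 || index($NF, "[::]:") == 1) { print $NF }' |
        LC_ALL=C sort -u
}

# Succeeds if the log shows Tor being stopped before it reached 100%.
tor_stopped_early() {
    log=$(cat)
    [ "$(printf '%s\n' "$log" | tor_bootstrap_max)" -lt 100 ] &&
        printf '%s\n' "$log" | grep -q 'Catching signal TERM'
}

# MemAvailable in MB from meminfo-format text on stdin.
mem_available_mb() {
    awk '$1 == "MemAvailable:" { printf "%d\n", $2 / 1024 }'
}

echo "bootstrap: $(sample_log | tor_bootstrap_max)%"
echo "wildcard listeners: $(sample_log | tor_wildcard_listeners | tr '\n' ' ')"
sample_log | tor_stopped_early && echo "Tor was stopped before bootstrapping finished"
echo "MemAvailable: $(sample_meminfo | mem_available_mb) MB"
```

On the router, live data can be fed in with `logread -e Tor | tor_bootstrap_max` and `mem_available_mb < /proc/meminfo`.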

16 MB flash would worry me less than 128 MB RAM for a router (and we are talking about ipq40xx here, and two memory hungry ath10k radios; 128 MB are extremely tight under those conditions without even taking anything special into account) that's apparently to be used for a plethora of services, including tor. Not exactly a great starting position, as the hardware is very marginal for the intended purpose.

Hmm ok, I bought the router on the recommendation of somebody on the web who said it was compatible with openwrt. Then after confirming openwrt would run myself.

Obviously it does run openwrt, but if there isn't enough RAM to run tor client alone on a fresh install then it is only technically compatible, and ideally the wiki, or something, would say that.

Having said that, I recall 32MB RAM being specified as minimum to run tor client. I might be remembering wrong.

I can try and disable any unused devices in the router.

Maybe I should return it and get something else.

I welcome anybody else chiming in with specific recommendations, thanks!

The stated minimum is 64 MB RAM right now (and it's already announced to be raised to 128 with the next release), however.

Devices using ath10k, ath11k or ath12k are the exception to the rule of thumb above, because ath10k/ath11k/ath12k eat RAM for breakfast - they do reserve considerable amounts of RAM to themselves (stealing it from the RAM available to the rest of the system) and need even more for each connected client. A device with one ath10k radio (case in point, archer c7-v2+, one ath9k radio, one ath10k radio) can get along with 128 MB RAM, it doesn't leave that much free RAM at your disposal, but it largely works within expectations. ipq40xx/ipq806x however comes with two ath10k radios (so twice the memory requirements), this is quite tight with the mere basics already (it already requires a neutered "smallbuffers" ath10k variant to function, the situation is that dire). If you look at ipq50xx/ipq60xx and ipq807x with their 2+ ath11k radios, the absolute hard minimum of supportable systems need to come with at least 512 MB RAM (and as before, that is already on the tight side, not quite as tight as 128 MB RAM for ipq40xx, but still pretty tight, you really want >=1 GB RAM for a router and additional features). This particular RAM hunger is specific to ath10k, ath11k and ath12k, other wireless drivers are more frugal and the old rule of thumb applies (mt76 does work just fine with 256 MB RAM, even 128 MB are possible there with more AP-like devices, but for a router - especially a device you're going to buy in 2024 - you really don't want to go below 256 MB RAM there either; ideally 512+ MB).

The more optional features you want to cram into your router, the more you depend on correspondingly sufficient system resources, CPU performance, flash and RAM - and these days 802.11ax is more attractive than 802.11ac as well.


Thanks very much for this detailed reply. I appreciate it. I am going to assume I am encountering a problem with RAM and investigate alternatives.

I don't think this device should be listed as openwrt compatible without a caveat explaining the low RAM issue.