OpenWrt Forum Archive

Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Appreciate the pointers... I ended up writing a script that restarts logging and mounts the USB stick, but I did it a little differently.

Because I don't want to restart the router (lol, because of the great uptime), I've just run the script manually, and it works fine.

Point /etc/rc.local to the below script, and it automatically runs at reboot.

#!/bin/sh
# log firewall drops on the outside interface, and then monitor those drops for reporting 7-31-2015
# Setup script to auto mount USB and set up firewall logging to the USB drive.
# a few pings to the LAN address act as a short delay so the network is up before iptables is touched
ping 192.168.1.1 -c 6
# Setup the firewall logging
# (the LOGGING chain is created and hooked from INPUT but never gets any rules of its own;
#  the LOG rule inserted into zone_wan_src_DROP is what actually produces the log lines)
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -I zone_wan_src_DROP -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

# mount the USB stick
mount /dev/sda /mnt/usb

# Start the log over fresh
> /mnt/usb/firewallLog.log

# Lastly re-direct logging to usb stick
logread -f >> /mnt/usb/firewallLog.log &

@kaloz

RC3

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

But when I restart my VPN tunnel it stops working and I have to restart the firewall.

Switching from wifi to wired, same thing: firewall.user stops working.

Is this normal behaviour?

davidc502 wrote:

Appreciate the pointers... I ended up writing a script that restarts logging and mounts the USB stick, but I did it a little differently.

Because I don't want to restart the router (lol, because of the great uptime), I've just run the script manually, and it works fine.

Point /etc/rc.local to the below script, and it automatically runs at reboot.

#!/bin/sh
# log firewall drops on the outside interface, and then monitor those drops for reporting 7-31-2015
# Setup script to auto mount USB and set up firewall logging to the USB drive.
# a few pings to the LAN address act as a short delay so the network is up before iptables is touched
ping 192.168.1.1 -c 6
# Setup the firewall logging
# (the LOGGING chain is created and hooked from INPUT but never gets any rules of its own;
#  the LOG rule inserted into zone_wan_src_DROP is what actually produces the log lines)
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -I zone_wan_src_DROP -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

# mount the USB stick
mount /dev/sda /mnt/usb

# Start the log over fresh
> /mnt/usb/firewallLog.log

# Lastly re-direct logging to usb stick
logread -f >> /mnt/usb/firewallLog.log &

WAN

Sat Aug  1 13:10:34 2015 kern.warn kernel: [416733.175153] IPTables-Dropped: IN=eth1 OUT= MAC=b6:75:0e:5d:e1:f6:a4:4c:11:8a:e8:d9:08:00 SRC=188.79.146.121 DST=68.146.58.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8236 DF PROTO=TCP SPT=56145 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0

My VPN tunnel

Sat Aug  1 13:06:39 2015 kern.warn kernel: [416497.586052] IPTables-Dropped: IN=tun1337 OUT= MAC= SRC=49.116.225.205 DST=46.246.42.31 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=302 DF PROTO=TCP SPT=35684 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='15.05-rc3'
DISTRIB_REVISION='r46163'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='mvebu/generic'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05-rc3'
DISTRIB_TAINTS=''


Using username "root".
Authenticating with public key "rsa-key-20120810"


BusyBox v1.23.2 (2015-06-18 06:39:10 CEST) built-in shell (ash)

Linksys WRT1900AC (Mamba)
Security is enabled, and your IP address has been logged.

root@AC1900M:~# uptime
13:35:32 up 4 days, 20:10,  load average: 0.07, 0.04, 0.11
root@AC1900M:~#
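The script quoted above only collects the `IPTables-Dropped:` lines; the "monitor those drops for reporting" half is left to the reader. The following is an added example, not davidc502's or gufus's code and not part of OpenWrt, that summarises those lines by any `KEY=VALUE` field the kernel prints (SRC, DPT, IN, PROTO ...), so the two entries pasted above, one arriving on eth1 (WAN) and one on tun1337 (the VPN tunnel), can be told apart and counted. It uses only BusyBox-compatible sh, awk and sort, so it runs on the router against `logread` output or against the USB log file. The sample log is constructed inline from the two lines shown above plus one made-up repeat drop and one unrelated cron line, to show that non-firewall lines are ignored.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the IPTables-Dropped: lines
# that the LOG rule above produces, grouped by any KEY=VALUE field the
# kernel prints (SRC, DST, DPT, IN, PROTO ...). BusyBox awk/sort only.

# Constructed sample: the two lines gufus pasted, one made-up repeat drop
# from the same source on port 22, and one unrelated cron line as noise.
sample_log() {
    cat <<'EOF'
Sat Aug  1 13:10:34 2015 kern.warn kernel: [416733.175153] IPTables-Dropped: IN=eth1 OUT= MAC=b6:75:0e:5d:e1:f6:a4:4c:11:8a:e8:d9:08:00 SRC=188.79.146.121 DST=68.146.58.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8236 DF PROTO=TCP SPT=56145 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Sat Aug  1 13:06:39 2015 kern.warn kernel: [416497.586052] IPTables-Dropped: IN=tun1337 OUT= MAC= SRC=49.116.225.205 DST=46.246.42.31 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=302 DF PROTO=TCP SPT=35684 DPT=23 WINDOW=5440 RES=0x00 SYN URGP=0
Sat Aug  1 13:12:01 2015 kern.warn kernel: [416820.000000] IPTables-Dropped: IN=eth1 OUT= MAC=b6:75:0e:5d:e1:f6:a4:4c:11:8a:e8:d9:08:00 SRC=188.79.146.121 DST=68.146.58.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8240 DF PROTO=TCP SPT=56190 DPT=22 WINDOW=5808 RES=0x00 SYN URGP=0
Sat Aug  1 13:15:00 2015 cron.info crond[1107]: USER root pid 29055 cmd /sbin/fan_ctrl.sh
EOF
}

# drop_summary KEY [FILE...]: one "count value" line per distinct value of
# KEY, busiest first. Reads stdin when no file is given, so `logread |` works.
drop_summary() {
    key=$1
    shift
    awk -v key="$key" '
        /IPTables-Dropped:/ {
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # flags like DF or SYN
                k = substr($i, 1, n - 1)
                v = substr($i, n + 1)
                if (k == key && v != "") count[v]++   # skip empty OUT= / MAC=
            }
        }
        END { for (v in count) print count[v], v }
    ' "$@" | sort -rn
}

# drops_on_interface IFACE [FILE...]: only the drops that arrived on IFACE,
# e.g. tun1337 for what reaches the VPN endpoint, eth1 for the WAN side.
drops_on_interface() {
    iface=$1
    shift
    grep "IPTables-Dropped: IN=$iface " "$@"
}
```

On the router, `logread | drop_summary SRC` reports from the ring buffer and `drop_summary DPT /mnt/usb/firewallLog.log` from the USB log; `drops_on_interface tun1337 /mnt/usb/firewallLog.log | drop_summary SRC` isolates the probes coming in over the tunnel, which is the part of the picture a WAN-only view hides.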

Golden wrote:

I am using stock firmware on my Mamba, but I need multi-WAN activated on my router.
So I tried to flash Chaos Calmer RC1 to RC3 via web browser and then serial tftpd64, but both ways I am getting stuck:

kernel panic-not syncing: VFS: unable to mount root fs on unknown block(0,0)

Getting back to stock works perfectly, either 1.1.8 or 1.1.10.
How can I sort out the said issue?

Anybody here can provide support?

Hi - I have RC-3 loaded and like to keep up-to-date, so am wondering if it's safe to do weekly sys-upgrades from trunk (will stuff break) or is it better to just wait for the next RC? Trying to find a routine that works for me and my updates.

I just noticed on the Status->Overview page that in the Network section for IPv4 WAN Status, my DNS servers are displaying my ISP servers as I believe from my cable modem. Yet I specifically set in Network->"DHCP and DNS" in DNS forwardings to use other DNS servers.

I was expecting the DNS servers that I set to be used. Are they? Or am I misunderstanding how this works?

Thanks,

This is a common question, and one I was asking not but 2 months ago.

To change DNS servers (this also bypasses the router forwarding DHCP requests):

/etc/dnsmasq.conf

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

/etc/init.d/dnsmasq restart

(Last edited by davidc502 on 2 Aug 2015, 14:50)

Good Morning. Would anyone know why I see this error in my log? And which one should be deleted or changed?
This is one of the best trunk builds I have run, and I would rather not screw it up since everything is the way I want it.
I did copy the new driver into this install.

Hostname  OpenWrt
Model  Linksys WRT1900AC
Firmware Version  OpenWrt Chaos Calmer r46514 / LuCI (git-15.208.34629-ec170d6)
Kernel Version  3.18.19
Local Time  Sun Aug 2 10:26:32 2015
Uptime  4d 11h 14m 24s
Load Average  0.00, 0.01, 0.05

Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]: Collected errors:
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base). Skipping.
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_luci http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/luci). Skipping.
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_management http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/management). Skipping.
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_packages http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages). Skipping.
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_routing http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/routing). Skipping.
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_telephony http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/telephony). Skipping.
Sun Aug  2 09:45:00 2015 cron.info crond[1107]: USER root pid 29055 cmd /sbin/fan_ctrl.sh


(./etc/)
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/luci
src/gz chaos_calmer_management http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/management
src/gz chaos_calmer_packages http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/telephony
# src/gz chaos_calmer_targets http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/targets
option check_signature 1

(./overlay/upper/etc/)
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/luci
src/gz chaos_calmer_management http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/management
src/gz chaos_calmer_packages http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/telephony
# src/gz chaos_calmer_targets http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/targets
option check_signature 1

(./rom/etc/)
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1

northbound wrote:

Good Morning. Would anyone know why I see this error in my log? And which one should be deleted or changed?

...
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]: Collected errors:
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base). Skipping.
...



Try this to reset everything:

cp /rom/etc/opkg.conf /etc/opkg.conf
opkg update

(Last edited by DavidMcWRT on 2 Aug 2015, 15:47)

wizumwalt wrote:

Hi - I have RC-3 loaded and like to keep up-to-date, so am wondering if it's safe to do weekly sys-upgrades from trunk (will stuff break) or is it better to just wait for the next RC? Trying to find a routine that works for me and my updates.

Trunk is constantly changing, and after CC branched Trunk was going through a lot of breakage.

You are also right in that the CC RCs are not kept up to date.

So neither option is perfect right now, but then both are "development" builds (at least until CC hits Final).

There may also be an issue going from CC to Trunk, as some of the kernel paths have changed in more recent kernels.  So I would probably advise, if migrating to Trunk, that you DON'T keep settings when you sysupgrade.

And even if you did go to Trunk, I wouldn't set "weekly" in stone.  Rather wait until significant new features, bug fixes or security updates are pushed.  You can track changes here: http://dev.openwrt.org/timeline?changeset=on

Ultimately it's your call to weigh up stability vs. security.

DavidMcWRT wrote:
northbound wrote:

Good Morning. Would anyone know why I see this error in my log? And which one should be deleted or changed?

...
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]: Collected errors:
Sun Aug  2 09:40:06 2015 daemon.err uhttpd[1163]:  * opkg_conf_parse_file: Duplicate src declaration (chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base). Skipping.
...



Try this to reset everything:

cp /rom/etc/opkg.conf /etc/opkg.conf
opkg update

Thank you, now all 3 read. With no errors.

dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1


Any idea of what caused this? Was it a restore from a previous trunk build? One last question: since none of them have a path, how does it know the path? I know the last question sounds stupid, but I am still trying to get the hang of this.
Thanks again for your time.

(Last edited by northbound on 2 Aug 2015, 16:06)

I guess I should have read the putty log before asking the last question.
Thanks again.
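An added check, not from the thread and not part of opkg, for the state northbound hit above. The error text says what it means: the same feed name was parsed twice, and the fix worked because the /rom copy of opkg.conf declares no feeds at all. The assumption here, not stated in the thread, is that on this build opkg reads /etc/opkg.conf plus the files under /etc/opkg/ and the default feeds live in /etc/opkg/distfeeds.conf, so an /etc/opkg.conf restored from an older build that still listed the feeds inline declares each one twice. The function below reports which feed names are duplicated and in which files, and a second function wraps it as a pass/fail check that can run from a script before `opkg update`. The sample tree is constructed in a temporary directory from the feed lines shown above; the path names /etc/opkg/distfeeds.conf and the ETC_DIR parameter are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find feed names declared more than once
# across the files opkg reads. Assumption (not stated in the thread): opkg on
# this build reads /etc/opkg.conf plus /etc/opkg/*.conf, with the default
# feeds in /etc/opkg/distfeeds.conf.

# dup_feeds FILE...: print "feedname file1,file2" for every feed declared twice or more
dup_feeds() {
    awk '
        $1 == "src/gz" || $1 == "src" {          # commented-out "# src/gz" lines do not match
            seen[$2] = ($2 in n) ? seen[$2] "," FILENAME : FILENAME
            n[$2]++
        }
        END { for (f in n) if (n[f] > 1) print f, seen[f] }
    ' "$@" | sort
}

# check_opkg_feeds [ETC_DIR]: return 0 if the feeds are clean, 1 plus a report otherwise
check_opkg_feeds() {
    etc=${1:-/etc}
    files="$etc/opkg.conf"
    for f in "$etc"/opkg/*.conf; do
        if [ -f "$f" ]; then files="$files $f"; fi
    done
    dups=$(dup_feeds $files)   # unquoted on purpose: expand the list into arguments
    if [ -z "$dups" ]; then
        return 0
    fi
    printf 'duplicate feed declarations (fix: cp /rom/etc/opkg.conf /etc/opkg.conf):\n%s\n' "$dups"
    return 1
}

# Constructed sample tree mimicking the broken state from the thread: a
# restored opkg.conf that still lists feeds, next to a distfeeds.conf.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/opkg"
    cat > "$d/opkg.conf" <<'EOF'
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/luci
# src/gz chaos_calmer_targets http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/targets
option check_signature 1
EOF
    cat > "$d/opkg/distfeeds.conf" <<'EOF'
src/gz chaos_calmer_base http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages
EOF
    printf '%s\n' "$d"
}
```

On the router, `check_opkg_feeds` with no argument inspects /etc; a non-zero exit with the report means the restored opkg.conf is the extra copy, and `cp /rom/etc/opkg.conf /etc/opkg.conf` is the reset DavidMcWRT gave.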

davidc502 wrote:

/etc/dnsmasq.conf

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

/etc/init.d/dnsmasq restart

Thanks for your reply. Unfortunately, this stopped all my lookups from working. I run OpenVPN where the router connects to a VPN provider; that way I don't have to put VPN clients on all my individual devices. So I added the VPN ISP's DNS servers expecting those to be used, but was confused when I saw the others still appearing; I can't tell which are being used. I'll have to chase that down some more.

(Last edited by wizumwalt on 2 Aug 2015, 21:15)

wizumwalt wrote:
davidc502 wrote:

/etc/dnsmasq.conf

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

/etc/init.d/dnsmasq restart

Thanks for your reply. Unfortunately, this stopped all my lookups from working. I run OpenVPN where the router connects to a VPN provider; that way I don't have to put VPN clients on all my individual devices. So I added DNS servers expecting those to be used. I'll have to chase that down some more.

FYI

Setup your custom DNS(s) from the WAN interface.

wizumwalt wrote:
davidc502 wrote:

/etc/dnsmasq.conf

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

/etc/init.d/dnsmasq restart

Thanks for your reply. Unfortunately, this stopped all my lookups from working. I run OpenVPN where the router connects to a VPN provider; that way I don't have to put VPN clients on all my individual devices. So I added the VPN ISP's DNS servers expecting those to be used, but was confused when I saw the others still appearing; I can't tell which are being used. I'll have to chase that down some more.

You may need to restart all of the devices, and let it talk to DHCP to get the new DNS servers?

davidc502 wrote:
wizumwalt wrote:
davidc502 wrote:

/etc/dnsmasq.conf

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

/etc/init.d/dnsmasq restart

Thanks for your reply. Unfortunately, this stopped all my lookups from working. I run OpenVPN where the router connects to a VPN provider; that way I don't have to put VPN clients on all my individual devices. So I added the VPN ISP's DNS servers expecting those to be used, but was confused when I saw the others still appearing; I can't tell which are being used. I'll have to chase that down some more.

You may need to restart all of the devices, and let it talk to DHCP to get the new DNS servers?

BTW

The /tmp/resolv.conf.auto file instructs dnsmasq to use your ISP's DNS.

The /etc/resolv.conf file is there for a similar reason.

FYI

If you start using /etc/dnsmasq.conf you need to understand how to use it.

see here
http://www.networksorcery.com/enp/protocol/bootp/options.htm

dhcp-option=6,8.8.8.8,8.8.4.4    ####<<< Example using google dns

That's code "6".

(Last edited by gufus on 2 Aug 2015, 22:08)

gufus wrote:

@kaloz

RC3

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

But when I restart my VPN tunnel it stops working and I have to restart the firewall.

Switching from wifi to wired, same thing: firewall.user stops working.

Is this normal behaviour?

That's not normal at all... I use the exact same commands for brute force prevention (albeit mine cover 10 or so ports) and I've never experienced that.

Does the System Log show any errors after restarting the firewall/VPN Server (I assume server... Is it a client)?

@kaloz

RC3

Sun Aug  2 15:27:32 2015 daemon.err uhttpd[1288]: sh: write error: Broken pipe

JW0914 wrote:
gufus wrote:

@kaloz

RC3

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

But when I restart my VPN tunnel it stops working and I have to restart the firewall.

Switching from wifi to wired, same thing: firewall.user stops working.

Is this normal behaviour?

That's not normal at all... I use the exact same commands for brute force prevention (albeit mine cover 10 or so ports) and I've never experienced that.

Does the System Log show any errors after restarting the firewall/VPN Server (I assume server... Is it a client)?

Yes, my router is just a VPN client.

No error msg in the syslog

BTW

firewall.user does work
https://forum.openwrt.org/viewtopic.php?pid=285909#p285909

DAM!

Now it's NOT doing it.. (I don't know)

(Last edited by gufus on 3 Aug 2015, 00:32)

I've made a new thread about it here https://forum.openwrt.org/viewtopic.php?id=58753, but has anyone else experienced a kernel panic when a monitor mode interface is created on the 2.4 GHz radio? I have one interface for AP mode and one for monitor mode.

gufus wrote:

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

@gufus
Thanks for the above example
I've just implemented same.  It's working for me.  Very illuminating results.
There are some folks in other lands who are very persistently trying to access my router :-/

Question for you... now that this is in place, I can no longer SSH into my own router (not even from a workstation connected to the LAN).  What do you do to enable SSH into your router?  Are you configuring dropbear to use some port other than the default?  Is that the idea?

wrtpat wrote:
gufus wrote:

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

@gufus
Thanks for the above example
I've just implemented same.  It's working for me.  Very illuminating results.
There are some folks in other lands who are very persistently trying to access my router :-/

Question for you... now that this is in place, I can no longer SSH into my own router (not even from a workstation connected to the LAN).  What do you do to enable SSH into your router?  Are you configuring dropbear to use some port other than the default?  Is that the idea?

Restarting firewall after enabling the rules did the same thing here but a router reboot fixed it. At least I think so since it is now showing in the firewall rules.

wrtpat wrote:
gufus wrote:

I'm using iptables in firewall.user

I use this for brute force attacks, works fine

iptables -N rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -j DROP
#
iptables -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I delegate_input -p tcp --dport 23 -m state --state NEW -j rate_limit
iptables -I rate_limit -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

@gufus
Thanks for the above example
I've just implemented same.  It's working for me.  Very illuminating results.
There are some folks in other lands who are very persistently trying to access my router :-/

Question for you... now that this is in place, I can no longer SSH into my own router (not even from a workstation connected to the LAN).  What do you do to enable SSH into your router?  Are you configuring dropbear to use some port other than the default?  Is that the idea?

Yes

Use a non-standard port number for ssh, I use something between 4000 - 5000.
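Moving dropbear to another port is one half of the answer to wrtpat's lockout; the other half is that the chain as posted never lets a connection through. `-m limit --limit 3/min --limit-burst 3 -j DROP` matches the connections that are *within* the limit and drops them, and everything above the limit falls through to the `REJECT --reject-with tcp-reset` and `DROP` rules below it, so no NEW connection to port 22 or 23 ever reaches dropbear, from the LAN or anywhere else. That only "works fine" when nothing you need listens on those ports. The following is an added example, not gufus's code and not part of OpenWrt or fw3, of the same idea with the verdicts the right way round: connections within the limit `RETURN` to the parent chain, where fw3's normal rules decide whether the port is open at all, the excess is logged and dropped, and the LAN is exempt so a mistake in the chain cannot lock the admin out. Assumed, not from the thread: the parent chain name is passed in by the caller (`delegate_input` for the Chaos Calmer fw3 shown here, `INPUT` on a plain iptables host), the LAN is 192.168.1.0/24, and the rules are printed rather than applied unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the thread: an SSH/telnet rate-limit chain that
# lets connections within the limit through and drops only the excess.
# Assumptions (not from the thread): the parent chain name is passed in by
# the caller (delegate_input on Chaos Calmer's fw3, INPUT on a plain host),
# the LAN is 192.168.1.0/24, and rules are printed unless DRY_RUN=0.

: "${DRY_RUN:=1}"

# run ARGS...: print "iptables ARGS" in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables'
        for a in "$@"; do
            case $a in
                *' '*) printf ' "%s"' "$a" ;;   # keep the log prefix quoted
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

# rate_limit_chain PARENT LAN_CIDR PORT...
rate_limit_chain() {
    parent=$1
    lan=$2
    shift 2
    run -N rate_limit
    # never throttle the LAN: a mistake in this chain must not lock the admin out
    run -A rate_limit -s "$lan" -j RETURN
    # within the limit: back to the parent chain, where fw3's own rules decide
    # whether the port is open (as -j DROP in the posted chain, this rule
    # blocked every connection)
    run -A rate_limit -m limit --limit 3/min --limit-burst 3 -j RETURN
    # over the limit: log (itself rate-limited so syslog is not flooded) and drop
    run -A rate_limit -m limit --limit 10/min -j LOG --log-prefix "IPTables-RateLimited: " --log-level 4
    run -A rate_limit -j DROP
    # send each protected port's NEW connections through the chain
    for port in "$@"; do
        run -I "$parent" -p tcp --dport "$port" -m state --state NEW -j rate_limit
    done
}

# Stand-alone use: print (DRY_RUN=1, the default) or apply (DRY_RUN=0) the
# rules for ports 22 and 23.
rate_limit_chain "${PARENT_CHAIN:-delegate_input}" "${LAN_CIDR:-192.168.1.0/24}" 22 23
```

`limit` keeps one bucket for all sources, so a sustained scan from one host uses up the three-per-minute budget for everyone else too; that is why the LAN exemption comes first, and `-m hashlimit --hashlimit-mode srcip` is the per-source alternative if outside admin access matters. Run it with `DRY_RUN=1` first and compare the printed rules with `iptables -S rate_limit` after applying, and keep the call in /etc/firewall.user so the chain is rebuilt whenever fw3 reloads.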