OpenWrt Forum Archive

Topic: davidc502 1900ac 3200acm builds

The content of this topic has been archived between 26 Feb 2018 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

@starcms

Thanks!

Hello everyone.

Today I tried snapshot r4049-9412fc2 on wrt1200ac-v2 and had an issue with the strongswan installation:
------------------
root@router:~# opkg install strongswan-default
Package strongswan-default (5.5.2-1) installed in root is up to date.
Configuring kmod-lib-zlib-inflate.
failed to find a module named zlib_inflate
Configuring kmod-lib-zlib-deflate.
failed to find a module named zlib_deflate
Collected errors:
* pkg_run_script: package "kmod-lib-zlib-inflate" postinst script returned status 255.
* opkg_configure: kmod-lib-zlib-inflate.postinst returned 255.
* pkg_run_script: package "kmod-lib-zlib-deflate" postinst script returned status 255.
* opkg_configure: kmod-lib-zlib-deflate.postinst returned 255.

The installed version never succeeds in establishing a VPN session:
------------
[IKE] remote host is behind NAT
[IKE] DH group CURVE_25519 inacceptable, requesting CURVE_25519
[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
(in a loop)

Is the first issue somehow specific to that particular snapshot? Can the first and second issues be connected (compression is off)?
I was using the openwrt 15.01 release without strongswan issues on the same configs (I made a backup of my ipsec.conf), but wifi and usb-storage are crappy on 15.01.

(Last edited by sleepy-daemon on 1 May 2017, 14:55)

@rpugsley, see the readme on how to change it in your build, but you need to adjust it to the latest commit hash.

@starcms, imo checking the resolver is best, so as to adjust for locale and desired features. But Cisco does have widely distributed servers.

(Last edited by anomeome on 1 May 2017, 15:01)

@davidc502,
My issue reported against ssl/tls disappeared on reboot (SNAPSHOT, r4049-9412fc2).
I am able to connect with openconnect, but vpnc-script won't work if I run openconnect from the shell. And I can't use luci to add an openconnect interface, since I need 2FA (two factor auth) and the --juniper option.
So I've simply copied vpnc-script from my Ubuntu machine and specified --script to openconnect to use it. Now I am able to connect and all routes received from the server are there. Not sure that will work later when I'll run the 3200 as main device. Will see later.

Haven't checked 5GHz yet, but I also had to purge the 5GHz config and create it again so it can start.

BTW, for whoever would like to have the stock firmware on the second partition, you have to run sysupgrade with the -F option. I was able to replace an older LEDE build with the stock firmware and flash David's latest build.

root@LINKSYS:/tmp# sysupgrade -n -v /tmp/FW_WRT3200ACM_1.0.5.176416_prod.img 
Image metadata not found
Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware
Image check 'fwtool_check_image' failed.
root@LINKSYS:/tmp# sysupgrade -F -n -v /tmp/FW_WRT3200ACM_1.0.5.176416_prod.img 
Image metadata not found
Image check 'fwtool_check_image' failed but --force given - will update anyway!
killall: watchdog: no process killed
Sending TERM to remaining processes ... logd logread rpcd netifd odhcpd dnscrypt-proxy snmpd uhttpd smbd nmbd dnsmasq ntpd collectd ubusd askfirst 
Sending KILL to remaining processes ... askfirst 
Switching to ramdisk...
Performing system upgrade...
Unlocking kernel2 ...

Writing from <stdin> to kernel2 ...     
Upgrade completed
Rebooting system...

davidc502 wrote:

For 1900ac V1 owners --  Kernel 4.4 based on r4049 is now available, and will be a work around until the reboot issue is fixed.

http://davidc502sis.dynamic-dns.net/sna … u/generic/

I was messing around with version 4.9.20 which did indeed have the boot loop at 15 to 30 minute intervals on my WRT1900AC V1. I did the totally unscientific thing and reflashed the 4.4.61 firmware over the top of the 4.9.20-1 using the sysupgrade .bin firmware and voila

7h 47m 20s of uptime

When I look at the System/Software tab the vast majority of modules are still listed as 4.9.20-1 and the firmware definitely behaves 'snappier' in loading webpages. I did also reboot the ISP cable modem and the router as a DNS outage was encountered. After the reboot it has been behaving in a more stable manner.

Thanks for your ongoing efforts, will flash the temp firmware in due course.

Cheers

Hans       smile

Edit:
Flashed up to the r4049 build for V1 (Mamba), previously listed as r3988 with my unscientific overflash. Living on router's edge!   :0    smile
After the r4049 flash the System/Software tab shows the modules as 4.4.61, unlike my unscientific procedure to the router's outer limits edge! Woot!

Edit2: Also I should mention that download speeds were significantly off for the r4049 build using the 4.9.20-1 kernel. I did a test on www.speedtest.net
My service provides a rated 70 Mbps download

On the 4.9.20-1 kernel the speedtest result was 48.16 Mbps - 50.08 Mbps as compared to the 70 Mbps standard service. (two test runs)

On the 4.4.61 kernel r4049 build the download speed came in at 71.59 Mbps as compared to the nominal 70 Mbps service.

I will assume that this is an mwlwifi driver issue, as it is still early days with this particular build... smile Keep up the fine work!

(Last edited by hancor on 1 May 2017, 23:35)

Just wanted to say thank you david! The build is fantastic and kernel 4.9 has now been running flawlessly for days on my 1900ACS. I've never even imagined all the things you could do with custom firmware.

adri wrote:

@davidc502

Starting with kernel version 4.7, ALL nf_conntrack helpers are no longer automatically enabled.
When starting, the kernel log shows a warning:

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

As a result each helper now needs to be added manually to the firewall rules as a CT target. sad
The old behaviour can be restored by adding the following lines to /etc/sysctl.conf:

net.netfilter.nf_conntrack_helper=1

Perhaps it might be a good idea to add this to the default 4.9 image?

Adri.

Thanks adri,

Currently investigating... I'm a bit concerned about the security reasoning and risks of turning it back on. Appears helpers are prone to spoofing? Reading more about it.

https://home.regit.org/netfilter-en/sec … f-helpers/

Decided to give r4049 another try on my wrt3200 as the overall experience was good last time until there was no DNS/Internet on wireless, both bands. I had not removed it so just rolled back to LEDE from Linksys. Looked fine again, but this time after only about 2 hours the 5GHz wireless got very slow. My download Internet speed is 23Mbps and I was getting 3Mbps. Quite obvious when browsing the web, taking forever to load a page. How did we ever put up with 1 to 3Mbps? wink
So I have now rolled back to Linksys OEM and things are fine again.

My experience does say it looks like Marvell is making headway. Very good transfer speeds on 5GHz wireless in my iperf test, about the same as OEM. Get some more stability from Marvell and should be a good driver.

bill1228 wrote:

Decided to give r4049 another try on my wrt3200 as the overall experience was good last time until there was no DNS/Internet on wireless, both bands. I had not removed it so just rolled back to LEDE from Linksys. Looked fine again, but this time after only about 2 hours the 5GHz wireless got very slow. My download Internet speed is 23Mbps and I was getting 3Mbps. Quite obvious when browsing the web, taking forever to load a page. How did we ever put up with 1 to 3Mbps? wink
So I have now rolled back to Linksys OEM and things are fine again.

My experience does say it looks like Marvell is making headway. Very good transfer speeds on 5GHz wireless in my iperf test, about the same as OEM. Get some more stability from Marvell and should be a good driver.

Good feedback as usual Bill. thanks!

davidc502 wrote:

Thanks adri,

Currently investigating... I'm a bit concerned about the security reasoning and risks of turning it back on. Appears helpers are prone to spoofing? Reading more about it.

https://home.regit.org/netfilter-en/sec … f-helpers/

Thanks David,

If you think the security risks are too high, the only alternative is adding CT targets for each helper automatically when installing the helper ipk.
Otherwise installing any helper won't have any effect.
I think there should not be any high external security risk, since helpers are designed to track only connections initiated internally and add firewall states accordingly.
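An added example (not code from the thread or from davidc502's builds) contrasting the two routes adri and David discuss: the global nf_conntrack_helper sysctl, which hands a helper to every flow on a matching port regardless of direction or interface, versus explicit CT rules that scope one helper to one port on the LAN side only, plus a check that flags the sysctl line in a config file. It assumes a br-lan bridge, an already loaded helper module, kmod-ipt-raw for the raw table and CT target, and that fw3 sources /etc/firewall.user.

```shell
#!/bin/sh
# Added example; not code from the thread or from davidc502's builds.
# Since kernel 4.7 conntrack helpers are not auto-assigned. Two ways back:
#  (a) the global switch from adri's post (net.netfilter.nf_conntrack_helper=1):
#      every flow whose port matches any loaded helper gets that helper, so the
#      helper parses traffic on that port from any direction and interface;
#  (b) CT rules in the raw table, which attach one helper to one proto/port on
#      one interface only (the "iptables CT target" from the kernel warning).
# Assumptions: LAN bridge is br-lan, the helper module is already loaded
# (nf_conntrack_ftp for "ftp"), the raw table and CT target are available
# (kmod-ipt-raw), and fw3 runs /etc/firewall.user after its own rules.

# Emit raw-table rules scoping HELPER to PROTO/PORT. Only LAN-originated
# (PREROUTING -i br-lan) and router-originated (OUTPUT) connections get the
# helper; nothing arriving on the WAN side is handed to it.
ct_helper_rules() {
    helper=$1; proto=$2; port=$3; lan_if=${4:-br-lan}
    printf 'iptables -t raw -A PREROUTING -i %s -p %s --dport %s -j CT --helper %s\n' \
        "$lan_if" "$proto" "$port" "$helper"
    printf 'iptables -t raw -A OUTPUT -p %s --dport %s -j CT --helper %s\n' \
        "$proto" "$port" "$helper"
}

# Apply the rules on the router; a no-op off the device (no iptables), so the
# functions can be sourced and checked on a workstation.
apply_helper_rules() {
    command -v iptables >/dev/null 2>&1 || return 0
    ct_helper_rules "$@" | sh -e
}

# Audit check: succeed (exit 0) when FILE, e.g. /etc/sysctl.conf, turns the
# global switch on with an uncommented nf_conntrack_helper=1 line.
global_helper_switch_enabled() {
    grep -Eq '^[[:space:]]*net\.netfilter\.nf_conntrack_helper[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}
```

On the router, `ct_helper_rules ftp tcp 21 >> /etc/firewall.user` followed by a firewall restart keeps the FTP helper limited to LAN clients' control connections, without the global switch.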

Hi,
I've installed this firmware on a WRT1900ACS. Everything seems to work OK but I can't open port 5222.
I've opened it in Firewall - Port Forwards but it doesn't work.
I've opened another port (8999) for qBittorrent and it works ok.
Any clue about the problem?

j1simon wrote:

Hi,
I've installed this firmware on a WRT1900ACS. Everything seems to work OK but I can't open port 5222.
I've opened it in Firewall - Port Forwards but it doesn't work.
I've opened another port (8999) for qBittorrent and it works ok.
Any clue about the problem?

Is 5222 being forwarded to the same destination as 8999? Also, what is being used to audit the firewall to make sure the port forwarding is working correctly? What's the service running on 5222 and is it TCP or UDP?

I can't post any image URL :-( but the forward is right:

Match:                                           Forward to:
IPv4-tcp                                         any host, port 5222 in lan
From any host in wan
Via any router IP at port 5222

In that port there isn't any service running? I'm testing a problem with an Android app.

(Last edited by j1simon on 2 May 2017, 14:45)

j1simon wrote:

I can't post any image URL :-( but the forward is right:

Match:                                           Forward to:
IPv4-tcp                                         any host, port 5222 in lan
From any host in wan
Via any router IP at port 5222

In that port there isn't any service running? I'm testing a problem with an Android app.

Shields Up is a good way to audit your firewall. https://www.grc.com/x/ne.dll?rh1dkyd2

Any port can be specified and it will tell you if it is open, closed or dropping. However, services on the back end are expected to be listening to determine if the port forward is working correctly or not.

That is precisely the website I use to check it, and it tells me that the port is in Stealth status. Port 8999 (which I opened for qBittorrent) is in Closed status when I test it without qBittorrent.

---------------------------

I have used a python program to create a listener for that port:

$ sudo netstat -anlp |grep 5222
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      9843/python

But the grc website still says that port is stealth.

---------------------------

In the Firewall Status page of the router there is a line:

....
Chain zone_wan_prerouting (References: 1)
....
50     2.15 KB     REDIRECT     tcp     *     *     0.0.0.0/0     0.0.0.0/0     tcp dpt:5222 /* !fw3: wallapop */ redir ports 5222
....

(Last edited by j1simon on 2 May 2017, 16:45)

j1simon wrote:

That is precisely the website I use to check it, and it tells me that the port is in Stealth status. Port 8999 (which I opened for qBittorrent) is in Closed status when I test it without qBittorrent.

---------------------------

I have used a python program to create a listener for that port:

$ sudo netstat -anlp |grep 5222
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      9843/python

But the grc website still says that port is stealth.

---------------------------

In the Firewall Status page of the router there is a line:

....
Chain zone_wan_prerouting (References: 1)
....
50     2.15 KB     REDIRECT     tcp     *     *     0.0.0.0/0     0.0.0.0/0     tcp dpt:5222 /* !fw3: wallapop */ redir ports 5222
....

Go ahead and set the firewall to log drops, and test the firewall again to verify that's what's happening. I don't have the rule in front of me, but there are 3 or 4 iptables commands to get it logging.

**EDIT**

What's the order of this rule? If down too far it could be trounced on by a rule above it.

(Last edited by davidc502 on 2 May 2017, 16:50)

I see this line in the System log after executing the test:

Tue May  2 17:57:17 2017 kern.warn kernel: [11912.254509] DROP(src wan)IN=eth1.2 OUT= MAC=xxxx SRC=4.79.142.206 DST=xxxxxxx LEN=44 TOS=0x00 PREC=0x00 TTL=226 ID=61440 PROTO=TCP SPT=51438 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0 

j1simon wrote:

I see this line in the System log after executing the test:

Tue May  2 17:57:17 2017 kern.warn kernel: [11912.254509] DROP(src wan)IN=eth1.2 OUT= MAC=xxxx SRC=4.79.142.206 DST=xxxxxxx LEN=44 TOS=0x00 PREC=0x00 TTL=226 ID=61440 PROTO=TCP SPT=51438 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0 

In the rule, can you specify "eth1.2" (the sub-interface) as opposed to just "wan"?
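An added example (not code from the thread or from davidc502's builds) for the "log drops and check" step David describes: one function turns on fw3's per-zone drop logging through UCI instead of hand-typed iptables commands, and two more read the resulting kernel log lines of the form j1simon posted and pull out zone, ingress interface, protocol and ports, so a run of such lines can be summarised per dropped port. It assumes the fw3 zone options log and log_limit and a zone named wan; the sample log line is the one from the thread, with the fields the poster masked left as they were.

```shell
#!/bin/sh
# Added example; not code from the thread or from davidc502's builds.
# enable_zone_drop_logging turns on fw3 per-zone logging via UCI (assumes the
# fw3 zone options 'log'/'log_limit'; run as root on the router). The parse/
# count functions read the resulting "DROP(src wan)IN=eth1.2 ... DPT=5222" lines.

enable_zone_drop_logging() {
    zone_name=${1:-wan}
    idx=0
    while name=$(uci -q get "firewall.@zone[$idx].name"); do
        if [ "$name" = "$zone_name" ]; then
            uci set "firewall.@zone[$idx].log=1"
            uci set "firewall.@zone[$idx].log_limit=10/minute"
            uci commit firewall
            /etc/init.d/firewall restart
            return 0
        fi
        idx=$((idx + 1))
    done
    return 1
}

# Print "<zone> <in-iface> <proto> <src>:<spt> -> :<dpt>" for one fw3 DROP
# line; print nothing and return 1 for any other line.
parse_fw3_drop() {
    printf '%s\n' "$1" | awk '
        match($0, /DROP\(src [^)]+\)/) {
            zone = substr($0, RSTART + 9, RLENGTH - 10)
            n = split(substr($0, RSTART + RLENGTH), tok, " ")
            for (i = 1; i <= n; i++) {
                split(tok[i], kv, "=")
                if (kv[1] == "IN")    inif = kv[2]
                if (kv[1] == "PROTO") proto = tolower(kv[2])
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "SPT")   spt = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            printf "%s %s %s %s:%s -> :%s\n", zone, inif, proto, src, spt, dpt
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Summarise many log lines from stdin (e.g. logread | count_drops_by_port):
# one "<count> <proto>:<dpt>" line per dropped destination port, busiest first.
count_drops_by_port() {
    while IFS= read -r line; do parse_fw3_drop "$line" || true; done |
        awk '{ sub(/^:/, "", $6); c[$3 ":" $6]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

# Constructed sample: the line from the thread (MAC/DST masked by the poster).
SAMPLE_DROP='Tue May  2 17:57:17 2017 kern.warn kernel: [11912.254509] DROP(src wan)IN=eth1.2 OUT= MAC=xxxx SRC=4.79.142.206 DST=xxxxxxx LEN=44 TOS=0x00 PREC=0x00 TTL=226 ID=61440 PROTO=TCP SPT=51438 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0'
```

For the thread's line the parser yields `wan eth1.2 tcp 4.79.142.206:51438 -> :5222`, which shows the scanner's SYN reached eth1.2 and was dropped there rather than reaching any LAN host.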

david, if you remember well I was trying to make my IPTV work. It was one helluva bitch but I got it working!

1- Set up two VLANs: 35 and 36, and a second LAN (3).
2- Set up a DHCP server on VLAN 3
3- Set up IGMPProxy and the proper firewall rules to allow IGMP (as well as igmpproxy), igmp_snooping on the LAN, etc.
4- Find the proper TV route -- that was the big stump in my way. For some reason it seems that LEDE sets only one default gateway -- the gateway of the last up'd interface (in this case, the PPPoE connection).

So I had to dig up the gateway for the TV by disabling internet and letting it set its gateway. Then everything started working. So I took that gateway and subnet and added them as a static route on VLAN 36.

Now everything is working! smile

....Hmmm except that after 5-10mins the router seems to completely freeze the network and require a total reboot :S

This does not happen when TV isn't on XD

farchord wrote:

david, if you remember well I was trying to make my IPTV work. It was one helluva bitch but I got it working!

1- Set up two VLANs: 35 and 36, and a second LAN (3).
2- Set up a DHCP server on VLAN 3
3- Set up IGMPProxy and the proper firewall rules to allow IGMP (as well as igmpproxy), igmp_snooping on the LAN, etc.
4- Find the proper TV route -- that was the big stump in my way. For some reason it seems that LEDE sets only one default gateway -- the gateway of the last up'd interface (in this case, the PPPoE connection).

So I had to dig up the gateway for the TV by disabling internet and letting it set its gateway. Then everything started working. So I took that gateway and subnet and added them as a static route on VLAN 36.

Now everything is working! smile

This is really good information. If you can put together step by step instructions on setting this up {A-Z}, I would like to put your instructions on the website, and mention your name for credit.

Heck, I have IPTV that I've tried to get working a few times but have failed sad If I could get it working and fully understand the process, we might be able to come up with a script that could be added to the root directory of each build, which could help automate this process for people... Just a thought.

Is it doable?

farchord wrote:

....Hmmm except that after 5-10mins the router seems to completely freeze the network and require a total reboot :S

This does not happen when TV isn't on XD

When I tried to set it up, the TV would work for 30 seconds or so then freeze. However the rest of the network continued to work fine.

Looks like you've made progress by it going 5-10 minutes.

*EDIT* Still, if you can eventually get it going, and I'm able to duplicate it, then we have something.

(Last edited by davidc502 on 2 May 2017, 17:48)

davidc502 wrote:
farchord wrote:

david, if you remember well I was trying to make my IPTV work. It was one helluva bitch but I got it working!

1- Set up two VLANs: 35 and 36, and a second LAN (3).
2- Set up a DHCP server on VLAN 3
3- Set up IGMPProxy and the proper firewall rules to allow IGMP (as well as igmpproxy), igmp_snooping on the LAN, etc.
4- Find the proper TV route -- that was the big stump in my way. For some reason it seems that LEDE sets only one default gateway -- the gateway of the last up'd interface (in this case, the PPPoE connection).

So I had to dig up the gateway for the TV by disabling internet and letting it set its gateway. Then everything started working. So I took that gateway and subnet and added them as a static route on VLAN 36.

Now everything is working! smile

This is really good information. If you can put together step by step instructions on setting this up {A-Z}, I would like to put your instructions on the website, and mention your name for credit.

Heck, I have IPTV that I've tried to get working a few times but have failed sad If I could get it working and fully understand the process, we might be able to come up with a script that could be added to the root directory of each build, which could help automate this process for people... Just a thought.

Is it doable?

I have no objections. Though I think the actual setup will vary from ISP to ISP. My specific setup would only work for Bell Fibe, and I tried so many things that I'd need someone with a fresh blank setup to work with to set this up.

That and it requires a SFP to Ethernet converter, BTW smile

Yeah it just did it. TV started pixelating, internet was freezing and then boom. Router reboot.

Is there a way to find why it crashes?

Sorry, posts 1651 to 1650 are missing from our archive.