What's new

Release Asuswrt-Merlin 386.7 is now available for all models

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Isn't the end result the same as @dave14305's idea.
not really since it stops redirection of packets that are actually properly being redirected. Instead of redirect, all packets not destined for the "Router" would be dropped, when it seems it is a specifically marked packet that is causing the problem. I imagine the issue could be resolved with a simple wireshark inspection of packet markings, and firewall blocking the bad packet type.
 
would it be possible to prevent the type of packet with the firewall since it seems to result in NXdomain any ways?
No.

1) The firewall cannot tell ahead of time that a query is going to result in an NXDOMAIN
2) NXDOMAIN is a valid response, and is not the same as not getting any response at all.

The only possibilities are either to resolve the checksum issue, or to stop redirecting queries to the router. Since the first one seems impossible to do, then the only solution is the latter.
 
tested again, full reset. 2x Ax86u AImesh ethernet backhaul. on 2.4, certain older wifi devices wouldnt connect or stuggle to connect / stay on. back down to 5_2 again and everything is perfect. same issue with official asus firmware.
 
No.

1) The firewall cannot tell ahead of time that a query is going to result in an NXDOMAIN
2) NXDOMAIN is a valid response, and is not the same as not getting any response at all.

The only possibilities are either to resolve the checksum issue, or to stop redirecting queries to the router. Since the first one seems impossible to do, then the only solution is the latter.
I am not talking about blocking it by NXdomain status. I am talking about blocking it by hex string
 
I am not talking about blocking it by NXdomain status. I am talking about blocking it by hex string
What do you think you know about what to block? I feel like you’re misunderstanding the problem. The individual domain name doesn’t matter. I even reproduced it with router.asus.com.
 
What do you think you know about what to block? I feel like you’re misunderstanding the problem. The individual domain name doesn’t matter.
explain why some redirects clearly work no problem, and some don't? are we looking at an issue of packet size, query type, or what? I am inviting you to break out the ol'@dave14305 chalk board and break it down instead of us creating a party of destructive criticism. I pulled out wireshark and I am literally inspecting packets that are working with redirect, and no kernel arguements. And I am also examining the one that clearly breaks on checksum.

1656536592174.png
 
Last edited:
explain why some redirects clearly work no problem, and some don't? are we looking at an issue of packet size, query type, or what? I am inviting you to break out the ol'@dave14305 chalk board and break it down instead of us creating a party of destructive criticism. I pulled out wireshark and I am literally inspecting packets that are working with redirect, and no kernel arguements. And I am also examining the one that clearly breaks on checksum.
Give me a query you have run without any kernel messages, and the output of ip6tables -t nat -nvL

I will run the same one.
 
Give me a query you have run without any kernel messages, and the output of ip6tables -t nat -nvL

I will run the same one.


this is what I was at before
Code:
Chain INPUT (policy ACCEPT 48812 packets, 5767K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 122K packets, 15M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 311K packets, 36M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC E4:5F:01:45:57:9F
60773 6015K RETURN     all      *      *       ::/0                 ::/0                 MAC E4:5F:01:45:57:9D
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:D1:17:E3
60448 5983K RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:D1:17:E2
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:23:32:57
62172 6147K RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:23:32:56
  127 11057 DNAT       all      *      *      !2601:348:300:292b::1 !2601:348:300:292b::1  to:2601:348:300:292b::1

This is what I am at after.

Code:
Chain INPUT (policy ACCEPT 49161 packets, 5810K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 123K packets, 15M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 314K packets, 37M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC E4:5F:01:45:57:9F
61195 6056K RETURN     all      *      *       ::/0                 ::/0                 MAC E4:5F:01:45:57:9D
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:D1:17:E3
60928 6030K RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:D1:17:E2
    0     0 RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:23:32:57
62756 6203K RETURN     all      *      *       ::/0                 ::/0                 MAC DC:A6:32:23:32:56
  128 11168 DNAT       all      *      *      !2601:348:300:292b::1 !2601:348:300:292b::1  to:2601:348:300:292b::1

Chain VSERVER (0 references)
pkts bytes target     prot opt in     out     source               destination

i ran

1656537124280.png


Note I have modified catch all rule over the traditional one Merlin uses. I already mentioned this fact to him.

Here is wireshark

1656537293537.png


I have No kernel logs.

here is the same one done over ipv4 using identical dnsfilter rules with LAN ipv4

1656537529069.png


Note these are client side wiresharks. I imagine a pcap on the router might look slightly different.
 
Last edited:
Note I have modified catch all rule over the traditional one Merlin uses. I already mentioned this fact to him.
So you’re not testing the same thing.

I did note an interesting difference in my testing. If I run nslookup interactively, manually setting the server and entering the query at the nslookup “prompt”, I don’t get the kernel messages. If I put it all on one line, I do get the kernel messages. Using PowerShell Resolve-DnsName works fine.

Will think about it more after dinner.
 
So you’re not testing the same thing.

I did note an interesting difference in my testing. If I run nslookup interactively, manually setting the server and entering the query at the nslookup “prompt”, I don’t get the kernel messages. If I put it all on one line, I do get the kernel messages. Using PowerShell Resolve-DnsName works fine.

Will think about it more after dinner.
I do get the same kernel message when dig testing the address you used in your original nslookup test.

I am in away I will send you my modification script after dinner and see if you notice any improvements.
 
Last edited:
So you’re not testing the same thing.

I did note an interesting difference in my testing. If I run nslookup interactively, manually setting the server and entering the query at the nslookup “prompt”, I don’t get the kernel messages. If I put it all on one line, I do get the kernel messages. Using PowerShell Resolve-DnsName works fine.

Will think about it more after dinner.
So the script is only modified to account for the dnsfilter set to router mode, and the clients on the client list set to no-filter.

Code:
#!/bin/sh
iptables -t nat -F DNSFILTER && iptables -t nat -X DNSFILTER
iptables -t nat -N DNSFILTER
ip6tables -t nat -F DNSFILTER && iptables -t nat -X DNSFILTER
ip6tables -t nat -N DNSFILTER
for filter in DNSFILTER_DOT; do
iptables -F $filter && iptables -X $filter
iptables -N $filter
ip6tables -F $filter && ip6tables -X $filter
ip6tables -N $filter
done
for filter in DNSFILTERF DNSFILTERI DNSFILTER_DOT; do
ip6tables -t mangle -F $filter && ip6tables -t mangle -X $filter
done
for i in 0 1 2 3 4 5; do
[ "$i" = "0" ] && NVARS="$(nvram get dnsfilter_rulelist | sed 's/>0/<>/g;s/<>/ /g;s/^[ \t]*//;s/[ \t]*$//')"
[ "$i" != "0" ] && NEXT_NVARS="$(nvram get dnsfilter_rulelist${i} | sed 's/>0/<>/g;s/<>/ /g;s/^[ \t]*//;s/[ \t]*$//')"
[ -n "$NEXT_NVARS" ] && NVARS="$NVARS $NEXT_NVARS"
done
for VAR in -D -I; do
iptables -t nat $VAR PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
iptables -t nat $VAR PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
ip6tables -t nat $VAR PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
ip6tables -t nat $VAR PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
iptables $VAR FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
ip6tables $VAR FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
iptables -t nat $VAR DNSFILTER ! -s $(nvram get lan_ipaddr)/32 ! -d $(nvram get lan_ipaddr)/32 -j DNAT --to-destination $(nvram get lan_ipaddr)
ip6tables -t nat $VAR DNSFILTER ! -s $(nvram get ipv6_rtr_addr)/128 ! -d $(nvram get ipv6_rtr_addr)/128 -j DNAT --to-destination $(nvram get ipv6_rtr_addr)
iptables $VAR DNSFILTER_DOT ! -d $(nvram get lan_ipaddr)/32 -j REJECT --reject-with icmp-port-unreachable
ip6tables $VAR DNSFILTER_DOT ! -d $(nvram get ipv6_rtr_addr)/128 -j REJECT --reject-with icmp6-port-unreachable
if [ -n "$NVARS" ]; then
for MAC_ADDR in $NVARS; do
iptables -t nat $VAR DNSFILTER -m mac --mac-source $MAC_ADDR -j RETURN
iptables $VAR DNSFILTER_DOT -m mac --mac-source $MAC_ADDR -j RETURN
ip6tables -t nat $VAR DNSFILTER -m mac --mac-source $MAC_ADDR -j RETURN
ip6tables $VAR DNSFILTER_DOT -m mac --mac-source $MAC_ADDR -j RETURN
done
fi
further adaptation would have to be made to account for clients set to use any other option than no filter.
 
Just IPv4. I've disabled IPv6 on my network. Zero need for it.
I'm curious as to what "zero need for it" means in the context of IPv4 v. IPv6 means. Assuming one can get IPv4 addresses from an available IPv4 pool, why would anyone need IPv6? In other words, if someone has no need for it, why would anyone have need for it unless they're in some extremely unique environment?
 
So you’re not testing the same thing.

I did note an interesting difference in my testing. If I run nslookup interactively, manually setting the server and entering the query at the nslookup “prompt”, I don’t get the kernel messages. If I put it all on one line, I do get the kernel messages. Using PowerShell Resolve-DnsName works fine.

Will think about it more after dinner.
Here is an interesting find. Atleast I didn't have the wrong thought when assuming the checksum errors were from unnecessary padding.

similar issues:
cause of problem to those issues:

---- similar to Asus's ----

some solutions to those issues:

Unless someone feels like tackling patches for @RMerlin's kernel 4 and up SDK's (and Asus's), I image the easiest thing to do is what @dave14305 did in this post https://www.snbforums.com/threads/a...able-for-all-models.79450/page-23#post-772610
 
Last edited:
Now you know why many Indian folks pack their bags and arrive in Canada. They want an IPv4 address too.
Hahaha!
 
Here is an interesting find. Atleast I didn't have the wrong thought when assuming the checksum errors were from unnecessary padding.

similar issues:
cause of problem to those issues:

---- similar to Asus's ----

some solutions to those issues:

Unless someone feels like tackling patches for @RMerlin's kernel 4 and up SDK's (and Asus's), I image the easiest thing to do is what @dave14305 did in this post https://www.snbforums.com/threads/a...able-for-all-models.79450/page-23#post-772610
Did I mention... I really "Hate" IPv6... ;-)
 
Status
Not open for further replies.

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top