Asuswrt-Merlin - custom build of the Asus RT-N66U firmware

[diyguy]

DHCP reservations are stored in nvram, in the dhcp_staticlist variable.

thanks for this, If I set this from the command line will it show up in the web gui? I don't have any to set at the moment so I can't test.

 

[RMerlin]

thanks for this, If I set this from the command line will it show up in the web gui? I don't have any to set at the moment so I can't test.

nvram dhcp_staticlist="....."
nvram commit

After you commit it, it should become accessible through the webui.

 

[RMerlin]

i googled a lot already, but could not find a solution (yet).
i'll go for separate names, thanks.
keeping the same name is useful only for fallback connection, or is there some kind of channel bonding?

There is no performance improvement from reusing the same name, only simplicity if you don't care about which radio you are going to connect to.

 

[diyguy]

I'm trying to adapt a dnsmasq script for ad blocking which I found here

http://www.dd-wrt.com/wiki/index.php/Ad_blocking

before attempting, I wanted to know if anyone here has done this already ?

just wanted to bump this in case anyone has anything. I am working on that script in the link, but getting some errors, but it seems to work, need to figure out some particulars.

 

[lordaskym]

ok i am back after sending my glitchy asus back to newegg and got a new one. first thing i did was flash the newest stable build of merlins everything seems fine now except i want to block facebook but none of the filtering seems to work. am i missing something?

 

[MySeLf]

Is anyone using Dual wan Load balancing?

I can't seem to make it work. Using 3.0.0.3.162.14b, and 2 Cable Modems connected to the same ISP I am only able to access only 1 CM's webgui. I allways have the same external IP and speedtesting with a torrent with 50 active connections (its suposed to max out both modem's BW) I can clearly see that is only using 1 modem, not both.

Also, the internet's tab in Traffic Monitor only shows "residual traffic" (1.5 KB/s) during heavy torrenting wich indicates that it's monitoring the Modem that is not downloading. Both with QOS on and off I have the same results.

Fail over works.

sugestions?

 

[RMerlin]

Dual WAN is an experimental feature, so it's possible that some functions might not be fully working yet.

 

[richto]

The EU power restrictions under Adminstration / Performance Tuning seem to be enabled again - please could that be removed again.

It's annoying to have to load an older version of your firmware just to change my power settings...

 

[RMerlin]

I haven't changed anything.

Just change your router's region if you really want to bypass restrictions, since it goes beyond just the webui:

nvram wl0_country_code=US
nvram wl_country_code=US
nvram wl0_country=US
nvram wl1_country=US
nvram wl1_country_code=US
nvram regulation_domain=US
nvram regulation_domain_5G=US
nvram commit

 

[MySeLf]

Dual WAN is an experimental feature, so it's possible that some functions might not be fully working yet.

@RMerlin lets wait for the next official firmware release then. Maybe Asus finishes developing it meantime. If not, did you consider implementing that yourself?

Thanks in advance,
MySeLf

 

[diyguy]

I haven't changed anything.

Just change your router's region if you really want to bypass restrictions, since it goes beyond just the webui:

What does this allow you to do ? Pick a different frequency ?

 

[MySeLf]

What does this allow you to do ? Pick a different frequency ?

This allows you to increase the output power of the signal amplifier beyond the European legal limit (100 mw) and give you better WiFi coverage.

To change the frequency you have to change the WiFi channels, channels from 2.4 Ghz go from 1 to 13. 5 Ghz gives way more non overlapping channels at the cost of range. Also, in 5 Ghz you can change the channel width giving you more bandwidth from 20 Mhz to 40 Mhz.

But I guess this is way more information then you were asking. I hope I am not confusing you.

 

[RMerlin]

@RMerlin lets wait for the next official firmware release then. Maybe Asus finishes developing it meantime. If not, did you consider implementing that yourself?

Unlikely. Already got too much work on my plate, and this would require two real separate connections to properly debug.

 

[MySeLf]

Dual WAN is an experimental feature, so it's possible that some functions might not be fully working yet.

Would SSH access to my router (with both modems connected) help? I could even add a 3rd and 4th Modem's.
I'll anything at my reach to help you if you are interested in developing that feature.

 

[uncle.f]

I have encountered a problem with opening ports on the WAN interface (running 3.0.0.3.162.14).

All I wanted to do originally was to enable SSH access from WAN.

So I enabled SSH in the "System" page on port 22. I checked it from home LAN, it was accessible and allowed me to log in.

Then I tested it from outside using the WAN IP address and port 22. By "outside" I mean "from completely different Internet host that is not a part of my home LAN", so nothing to do with the NAT loopback, etc. There was no access (which I sort of expected).

Then I added an entry in the "Virtual Server" page to map port 443 (my choice for certain reasons) to my router's internal LAN IP, port 22. After applying the change my router rebooted and then I tried accessing SSH from outside on port 443 but it still did not work.

Then I checked the "iptables -L -t nat" rules and saw the newly added NAT rule which I created (outside:443 -> internal:22) but I cannot see the rule to accept incoming connections on port 443 with the "iptables -L" command.

There are lots of other allowed 'accepts' (coming from uPNP and 'transmission' client running on the router) but port 443 is nowhere to be found in the INPUT chain.

I created a couple of more mappings on the 'Virtual Server' page with some random ports and IP addresses and every time there was an entry in the iptables NAT table, but no external port was listed in the INPUT chain.

Am I looking for those ports in the wrong place ? (iptables -L) ? Is this a bug? Or is port opening for the entries in the "Virtual Server" page realised differently?

 

[avp]

External access to SSH

I tried unblock external access to ssh.

First one, i add:

iptables -i ppp0 -I INPUT -p tcp --dport <UNSTANDARD SSH PORT> -j ACCEPT

to firewall-start script. Result was very stange. This command fully block NAS access from internal network after reboot.

Next one I add this command to post-mount script. It works but after several hours access was blocked. May be ppp connection was restarted or firewall was reexecuted....

How I can add external access to SSH and may be other application?

 

[RMerlin]

The nat table is only for port forwarding. For services directly running on the router, you need to adjust the INPUT chain in the default filter table.

Virtual Servers only relate to NAT, so it does not apply for the router's own ssh access.

Try inserting it in the middle of the chain rather than at the end.

Opening router ports should be done in the firewall-start script.

 

[avp]

Opening router ports should be done in the firewall-start script.

But if I add rule for opening ssh port it block all NAT connections. Why?

I'll try to see full iptables rules at evening.

 

[uncle.f]

The nat table is only for port forwarding. For services directly running on the router, you need to adjust the INPUT chain in the default filter table.

I will assume this was the answer to both me and avp. Do I need to adjust the INPUT chain myself for services NOT running directly on the router?
Because at the moment this does not work as expected. I create simple "Virtual Server" entry for a service running on my PC and the INPUT chain is not being modified! Only the NAT table is.

Virtual Servers only relate to NAT, so it does not apply for the router's own ssh access.

And what If I wanted to do NAT the following way: access SSH internally on port 22 but externally on port 443, for instance. Then I would still need a NAT rule even for the router itself (which is what I did in the Virtual Server page but still there was no corresponding INPUT chain modification to accept connections on port 443).

So, for the moment let's forget the whole "service running on the router thing" (this is how it all started) but now it seems that any entry in the Virtual Server page does not open an incoming port on the WAN interface, at least on my router. I tested this several times, cleared config and disabled "Download Master" software.

In other words I am trying to say that the "Virtual Server" feature is broken, at least for me. The ports are forwarded OK but incoming connections are not allowed on those ports if you use standard web interface to configure it.

 

[RMerlin]

I will assume this was the answer to both me and avp. Do I need to adjust the INPUT chain myself for services NOT running directly on the router?
Because at the moment this does not work as expected. I create simple "Virtual Server" entry for a service running on my PC and the INPUT chain is not being modified! Only the NAT table is.

That is correct behaviour. The INPUT table is only needed for connection attempts that are terminated on the router. The NAT table is traversed before the INPUT table. See this website for more details on the traversal order.

And what If I wanted to do NAT the following way: access SSH internally on port 22 but externally on port 443, for instance. Then I would still need a NAT rule even for the router itself (which is what I did in the Virtual Server page but still there was no corresponding INPUT chain modification to accept connections on port 443).

No, just the entry in the VSERVER chain on the nat table would be enough to let your outside connections on port 443 get forwarded to port 22. LAN connections don't need to be NAT'ed, and the INPUT table accepts all connections coming from the LAN by default.

In other words I am trying to say that the "Virtual Server" feature is broken, at least for me. The ports are forwarded OK but incoming connections are not allowed on those ports if you use standard web interface to configure it.

It's working for me. If you have any custom rule, make sure none of them are breaking the route through the various chains.

You could also try forcing HW acceleration off (Lan -> Switch Control) as this makes the router use a proprietary (closed-sourced) kernel module that does some unknown things in relation to the packet filtering. It's possible that one of your custom rules might be incompatible with that option.