Best and most optimal settings (Voxel & Kamoj)

[pege63]

If ONE want to use the R7800 as the main router, instead of the one from the ISP.

How should the settings be set, to be the best and most optimal for the router?

If someone don't know much about how they should be or what they do for/in the router?

The most important things are - privacy and safety.

Have fiber optic line in with Internet, IPTV, VOIP, services.

The reason for this, is to gather all the data, scripts, codes in one place so a beginner/newbie does not have to look in a lot of other places/posts.

 

[Sizzlechest]

DNS can be configured to use DNS over HTTPS, but not from the GUI. The AdGuard servers have the best performance for me where I live, so those are the ones I use. I configure the router to use the filtered ones, which blocks ads (and hopefully scams and malware) for every device on the network. However, I want to be able to control from my browser what sites get adblocked. Therefore, I configure my browser (Firefox) to use the non-filtered AdGuard servers and use uBlock Origin to block ads instead. I assume Chrome has a similar setting since Edge has it.

I do have a Pi-Hole set to act like a real DNS, but I don't bother with it since the AdGuard servers don't retain your history (they say) and work as well as the blocking in a Pi-Hole.

To restore the DNS settings after an upgrade, you'll need a USB thumb drive with a post-mount.sh bash script to make the mods. Here's mine:

#!/bin/sh

if [ ! -f "/root/firewall-start.sh" ]
then
  cp /tmp/mnt/$1/firewall-start.sh /root/.
fi

if [ ! -f "/root/.ssh/authorized_keys" ]
then
  mkdir -p /root/.ssh
  cp /tmp/mnt/$1/authorized_keys /root/.ssh/authorized_keys
fi


if [ ! -f "/overlay/etc/dnscrypt-proxy-2.toml " ]; then
  sed -i -r "s/^(server_names[[:space:]]*=[[:space:]]*).*/\1['adguard-dns-doh']/" /etc/dnscrypt-proxy-2.toml
fi

The first item in the script copies over an advanced firewall rule script that I need. The second is to restore my ssh keys so I can connect to the router without entering a password. The last one is what modifies the dnscrypt proxy to use AdGuard instead of the default ones.

 

[HELLO_wORLD]

On the router, disable anything you are not using (ReadyCloud, QoS, NG Downloader, Media Server, UPnP...)

As much as possible, use the router for routing and firewall only. Extra services (download, adblocking, media server, VPN, etc.) being set on dedicated external device (NAS, Odroid, Raspberry Pi or other).

For protection, only open ports (NAT) if you need it and for the services you host and should be accessible from WAN (like a webserver open to the public).
Also, if you feel comfortable with it, tweak and adapt your iptables rules; there are several threads here about that.

 

[foo man]

On the router, disable anything you are not using (ReadyCloud, QoS, NG Downloader, Media Server, UPnP...)

As much as possible, use the router for routing and firewall only. Extra services (download, adblocking, media server, VPN, etc.) being set on dedicated external device (NAS, Odroid, Raspberry Pi or other).

For protection, only open ports (NAT) if you need it and for the services you host and should be accessible from WAN (like a webserver open to the public).
Also, if you feel comfortable with it, tweak and adapt your iptables rules; there are several threads here about that.

That's exactly how my R9000 is set up. Disabled everything i could, no open ports and I'm using a Raspberry Pi 4, w/pihole for ad-blocking, DHCP and unbound as recursive DNS server. Also a handful of iptables rules to force all traffic to the pihole.

 

[crowdme2]

That's exactly how my R9000 is set up. Disabled everything i could, no open ports and I'm using a Raspberry Pi 4, w/pihole for ad-blocking, DHCP and unbound as recursive DNS server. Also a handful of iptables rules to force all traffic to the pihole.

Can you please specify what iprules are you using to achieve that? And how do I apply them

 

[foo man]

Can you please specify what iprules are you using to achieve that? And how do I apply them

Sorry haven't been around in a couple of days.
I have a Raspberry Pi4 with pihole running in my setup and I use a few methods to try and force all traffic to go there: for one, I use "block services" under the R9000's security settings to block ports 53 and 853 from all IP's EXCEPT my pihole's IP (192.168.1.2).
The iptable rules I use are to forward any requests from random devices going to googleDNS, cloudflare and openDNS, and force them to use my pihole instead. We have some devices in the house (alexa, roku. chromebook, TVs) that were trying to access google and cloudflare servers. I have a Nvidia Shield tv and I read somewhere that a user said his was constantly calling to the openDNS servers, so I added their addresses to my rules as well. I also added quad9's servers to the mix, well ...just because.
They look like this:

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 1.1.1.1/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 1.0.0.1/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.9/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.10/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.11/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.112/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.10/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.11/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 208.67.222.222/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 208.67.220.220/32 -j DNAT --to-destination 192.168.1.2

Excessive? Probably, but as far as I can tell, these are working as intended. Thanks to HELLO_wORLD for guidance with the rules. Hopefully he sees this post and can confirm they look ok, because to be honest ... I have no clue what I'm doing LOL

These rules work in conjunction with my raspberry pi/pihole, so unfortunately if you don't have a similar setup, then none of this is going to help you, sorry.

 

[HELLO_wORLD]

Sorry haven't been around in a couple of days.
I have a Raspberry Pi4 with pihole running in my setup and I use a few methods to try and force all traffic to go there: for one, I use "block services" under the R9000's security settings to block ports 53 and 853 from all IP's EXCEPT my pihole's IP (192.168.1.2).
The iptable rules I use are to forward any requests from random devices going to googleDNS, cloudflare and openDNS, and force them to use my pihole instead. We have some devices in the house (alexa, roku. chromebook, TVs) that were trying to access google and cloudflare servers. I have a Nvidia Shield tv and I read somewhere that a user said his was constantly calling to the openDNS servers, so I added their addresses to my rules as well. I also added quad9's servers to the mix, well ...just because.
They look like this:

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 1.1.1.1/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 1.0.0.1/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.9/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.10/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 9.9.9.11/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.112/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.10/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 149.112.112.11/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 208.67.222.222/32 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -d 208.67.220.220/32 -j DNAT --to-destination 192.168.1.2

Excessive? Probably, but as far as I can tell, these are working as intended. Thanks to HELLO_wORLD for guidance with the rules. Hopefully he sees this post and can confirm they look ok, because to be honest ... I have no clue what I'm doing LOL

These rules work in conjunction with my raspberry pi/pihole, so unfortunately if you don't have a similar setup, then none of this is going to help you, sorry.

Yep, I see this post
Rules look fine to me, and if it works, then you know it is fine
You probably could simplify them by detecting the port (53 for DNS).
Something like

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2

This would redirect all DNS traffic from LAN to your PiHole, whatever the dns server.

 

[foo man]

Thanks man, I knew you would find a better way! Going to give that a try

Edit: implemented your change and working beautifully! Checking pihole logs I see all traffic being forwarded there. Much cleaner approach, thanks!

 

[HELLO_wORLD]

Thanks man, I knew you would find a better way! Going to give that a try

Edit: implemented your change and working beautifully! Checking pihole logs I see all traffic being forwarded there. Much cleaner approach, thanks!

You are welcome

 

[Sizzlechest]

You probably could simplify them by detecting the port (53 for DNS).
Something like

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2

This would redirect all DNS traffic from LAN to your PiHole, whatever the dns server.

I use DNSCrypt2 pointing to the AdGuard filtered DNS. Could I replace the 192.168.1.2 with the IP address of the router to force DNS calls to other IP addresses to use the DNSCrypt DNS? Also, I assume any device configured to do DNS over HTTPS (like Firefox) can "override" this?

 

[HELLO_wORLD]

I use DNSCrypt2 pointing to the AdGuard filtered DNS. Could I replace the 192.168.1.2 with the IP address of the router to force DNS calls to other IP addresses to use the DNSCrypt DNS? Also, I assume any device configured to do DNS over HTTPS (like Firefox) can "override" this?

Yes (LAN interface IP) and yes

 

[LeKeiser]

On the router, disable anything you are not using (ReadyCloud, QoS, NG Downloader, Media Server, UPnP...)

As much as possible, use the router for routing and firewall only. Extra services (download, adblocking, media server, VPN, etc.) being set on dedicated external device (NAS, Odroid, Raspberry Pi or other).

For protection, only open ports (NAT) if you need it and for the services you host and should be accessible from WAN (like a webserver open to the public).
Also, if you feel comfortable with it, tweak and adapt your iptables rules; there are several threads here about that.

Hello HELLO_wORLD

Isn't UPnP useful though? I think many applications rely on it to work, or am I wrong? It doesn't take too much CPU though, right?

 

[HELLO_wORLD]

Hello HELLO_wORLD

Isn't UPnP useful though? I think many applications rely on it to work, or am I wrong? It doesn't take too much CPU though, right?

UPnP on the router is only useful to set up the router using this protocol, or if the router itself is used as a media server.
Any UPnP devices on the LAN should be able to communicate with this protocol between each other, even if not enabled on the router.

 

[crowdme2]

Yep, I see this post
Rules look fine to me, and if it works, then you know it is fine
You probably could simplify them by detecting the port (53 for DNS).
Something like

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2

This would redirect all DNS traffic from LAN to your PiHole, whatever the dns server.

Im trying to add these rules.
ive been trying to create /overlay/opt/scripts/firewall-start.sh file using vi command.
But its not saving.
Please help. Will this work without a pen drive ?

 

[R. Gerrits]

Im trying to add these rules.
ive been trying to create /overlay/opt/scripts/firewall-start.sh file using vi command.
But its not saving.
Please help. Will this work without a pen drive ?

I guess it depends which router you have. With R7800 or R9000 you don't need a pen-drive. With Orbi I think you do, if you want the changes to survive a reboot.

do the folders already exist?
if not then first do a mkdir -p /overlay/opt/scripts

(or just do vi /opt/scripts/firewall-start.sh and then when saving, the overlay-fs will handle the storing in the /overlay)

 

[crowdme2]

I have an orbi (RBR50).
Thank you
So i do :x overlay-fs ?

 

[HELLO_wORLD]

I have an orbi (RBR50).
Thank you
So i do :x overlay-fs ?

The Orbi has a slightly different file system, as its fs is loaded in memory at startup from overlay.
So any reboot resets the file system to original. The USB drive allows to overcome that problem.

I have a R7800, so I cannot help with the exact procedure, but other users here have the Orbi and can help you with that.

 

[R. Gerrits]

overlay-fs = overlay filesystem.

i.e. the files in /overlay are "layed over" the readonly filesystem that is in the firmware.
and if you modify a file that is in the readonly fs, then it automatically stores the modified version in the overlay.

in orbi that /overlay is in memory, thus lost at reboot. but with voxel fw that /overlay can also be stored on usb.

 

[ianvajra]

Yep, I see this post
Rules look fine to me, and if it works, then you know it is fine
You probably could simplify them by detecting the port (53 for DNS).
Something like

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -s ! 192.168.1.2 -d ! 192.168.1.2 -j DNAT --to-destination 192.168.1.2

This would redirect all DNS traffic from LAN to your PiHole, whatever the dns server.

Hi HELLO_wORLD

I have an R7800 with another R7800 AP (upstairs by ethernet), and have just set up PiHole on a Raspberry Pi 4 as my DNS server (router is 'doing' DHCP). Latest 86 Voxel on both, of course That has all gone smoothly - so well that I am wondering if I can implement these simple port 53 rules WITHOUT Kamoj being installed, using Port Forwarding or something.

If I DO have to have Kamoj to do something like this, can I just install it on the main router in order to implement these rules, and not the AP as well? I am trying to keep firmware upgrades as simple as possible hence my reluctance to double up on Kamoj...

 

[HELLO_wORLD]

Hi HELLO_wORLD

I have an R7800 with another R7800 AP (upstairs by ethernet), and have just set up PiHole on a Raspberry Pi 4 as my DNS server (router is 'doing' DHCP). Latest 86 Voxel on both, of course That has all gone smoothly - so well that I am wondering if I can implement these simple port 53 rules WITHOUT Kamoj being installed, using Port Forwarding or something.

If I DO have to have Kamoj to do something like this, can I just install it on the main router in order to implement these rules, and not the AP as well? I am trying to keep firmware upgrades as simple as possible hence my reluctance to double up on Kamoj...

Hi @ianvajra

No need to have the @kamoj addon on either router to use these rules, only @Voxel is necessary.