Voxel Custom firmware build for Orbi RBK50/RBK53 (RBR50, RBS50) v. 9.2.5.2.10SF-HW

[digital10]

Firstly, I am not familiar with the Netgear interface, Netgear are a reputable company so I imagine it has good basic interface but when you try to squeeze something extra out of it, that is when you see how good it really is - that is where an alternative firmware sometimes pays dividends. I have previously installed a VPN client on my router and used it selectively on my network (policy rules). That router has bitten the dust and did not support wireguard. I see that Voxel's firmware does but I don't know how it is implemented.

My current router also has the ability to have a seperate 2.4Ghz 'Smart' network and it has been transformational for Smart devices - does Netgear/Voxel allow that, even if it is a Guest network?

I have now bought a Netgear RBK (1 router, 1 satellite) so I can answer my own questions in the near future (I'll soon have a router for each room of the house - but it's fun!).

Thanks

Voxel only works with RBK50 models...headsup

 

[digital10]

Any one know if I can block port 853 on Orbi via official or voxel firmware? If so how?

Reason is some pesky devices are forcing their own DNS over my pihole(DNS sinkhole). This will block all DoT or so i have been told

 

[Voxel]

Any one know if I can block port 853 on Orbi via official or voxel firmware? If so how?

Reason is some pesky devices are forcing their own DNS over my pihole(DNS sinkhole). This will block all DoT or so i have been told

You can set your own iptables rules to block 853 port. From my QuickStart.txt:

. . .
Additionally you can use your own custom script to add your own iptables rules. This
script should be named firewall-start.sh and be placed in the /overlay/opt/scripts/
directory, i.e. /overlay/opt/scripts/firewall-start.sh with 755 permission attributes
(i.e. executable).
. . .

You script placed on USB i.e. /mnt/sda1/overlay/opt/scripts/firewall-start.sh should be something like:

#!/bin/sh

iptables -A INPUT -p tcp --destination-port 853 -j DROP
iptables -A INPUT -p udp --destination-port 853 -j DROP

Voxel.

 

[R. Gerrits]

You can set your own iptables rules to block 853 port. From my QuickStart.txt:

. . .
Additionally you can use your own custom script to add your own iptables rules. This
script should be named firewall-start.sh and be placed in the /overlay/opt/scripts/
directory, i.e. /overlay/opt/scripts/firewall-start.sh with 755 permission attributes
(i.e. executable).
. . .

You script placed on USB i.e. /mnt/sda1/overlay/opt/scripts/firewall-start.sh should be something like:

#!/bin/sh

iptables -A INPUT -p tcp --destination-port 853 -j DROP
iptables -A INPUT -p udp --destination-port 853 -j DROP

Voxel.

the way I read the question, some devices are using DoT to some DNS server on the internet, instead of doing plain DNS to his pihole-> to block that DoT, I think the rule should sit in the forward chain:

#!/bin/sh

iptables -A FORWARD -p tcp --destination-port 853 -j DROP
iptables -A FORWARD -p udp --destination-port 853 -j DROP

btw, it is the first that I hear someone saying devices using DoT. More often devices (or certain browsers) use DoH -> this is a lot more difficult to block, as it uses HTTPS

 

[digital10]

the way I read the question, some devices are using DoT to some DNS server on the internet, instead of doing plain DNS to his pihole-> to block that DoT, I think the rule should sit in the forward chain:

#!/bin/sh

iptables -A FORWARD -p tcp --destination-port 853 -j DROP
iptables -A FORWARD -p udp --destination-port 853 -j DROP

btw, it is the first that I hear someone saying devices using DoT. More often devices (or certain browsers) use DoH -> this is a lot more difficult to block, as it uses HTTPS

Yes. I heard you can block DoH by using a blocklist, blocking DNS servers that offer DoH.

The bigger question is, if I block DoT or DoH will the devices lose connectivity or opt to use the set DNS in the router?

Another issue was that some devices force their own DNS, which I heard the solution was to reroute the DNS request to the PiHole via NAT....and if you didn't figure this out, I have no idea what that means or how to do it. Those Android devices and TVs are very sly.

 

[digital10]

You can set your own iptables rules to block 853 port. From my QuickStart.txt:

. . .
Additionally you can use your own custom script to add your own iptables rules. This
script should be named firewall-start.sh and be placed in the /overlay/opt/scripts/
directory, i.e. /overlay/opt/scripts/firewall-start.sh with 755 permission attributes
(i.e. executable).
. . .

You script placed on USB i.e. /mnt/sda1/overlay/opt/scripts/firewall-start.sh should be something like:

#!/bin/sh

iptables -A INPUT -p tcp --destination-port 853 -j DROP
iptables -A INPUT -p udp --destination-port 853 -j DROP

Voxel.

Thanks, just these 2 lines I insert them into that directory on the router? Or do I store it on an external USB? Do I have to turn that script "firewall-start.sh" into executable with "chmod +x"?

 

[Anetho]

Probably it has a sense for you to try to disable Armor, Circle and ReadyCLOUD. On your RBR. See my QuickStart.txt re: how to.

Voxel.

Thanks for the suggestion, disabled everything and ran for 2 days, still getting satellite drops every 1 hour or so.

I dropped the satellite and use the base only to check if there is an issue with it but it runs without a glitch.

I did notice one weird thing while running a continuous ping test from the satellite and from the base I get a weird lag while connected to the satellite so for instance if I ping google.com I would get a weird lag spike every 60 to 80 packets (usually get about 58ms but the spikes go up to 700 ms) and they do not happen when connected to the base without satellite. After as series of those spikes the satellite just drops off (the base is still working, internet is on, the satellite seems to loose its backhaul for some reason) about an hour in or so. Tried to monitor the same with 2 laptops and my mobile just to ensure I eliminate device performance issues.

I am really not sure what happened with the system as it was really running rock steady for the last few months before the latest firmware update...

I am simply thinking to scrap the whole thing, wire up my house and go for the Ubiquiti Pro APs and call it a day...

 

[Voxel]

Thanks, just these 2 lines I insert them into that directory on the router? Or do I store it on an external USB?

If your USB is attached to your ORBI then /mnt/sda1/overlay/opt/scripts/firewall-start.sh it is what you need. It is a directory on your USB and will not disappear after reboot.

Do I have to turn that script "firewall-start.sh" into executable with "chmod +x"?

Either "chmod +x" or "chmod 755" as written in my QuickStart.txt

with 755 permission attributes (i.e. executable).

does not matter.

Voxel.

 

[Voxel]

I am really not sure what happened with the system as it was really running rock steady for the last few months before the latest firmware update.

You know, I had something similar. The remedy for me was to remove both of my satellites from the list and to add them one-by-one again...

FYI: I do use Daisy-Chain. Specific of my environment. Too big distance from RBR to second RBS. From the third level to first.

RBR->RBS1->RBS2

I am simply thinking to scrap the whole thing, wire up my house and go for the Ubiquiti Pro APs and call it a day...

You know... Up to you of course. But in general these RBR/RBS are working quite good. IMO.

Voxel.

 

[Voxel]

You know, I had something similar. The remedy for me was to remove both of my satellites from the list and to add them one-by-one again...

Also for a test: try to run on your satellites (not router) the command from telnet/ssh:

killall -9 repacd-run.sh

Voxel.

 

[R. Gerrits]

Another issue was that some devices force their own DNS, which I heard the solution was to reroute the DNS request to the PiHole via NAT....and if you didn't figure this out, I have no idea what that means or how to do it. Those Android devices and TVs are very sly.

to force all DNS traffic that not comes from your Pihole to go to your pihole, I think you could add these rules to your firewall-start.sh:

iptables -t nat -A PREROUTING -i br0 ! -s <pihole ip> -p udp --dport 53 -j DNAT --to <pihole ip>:53
iptables -t nat -A PREROUTING -i br0 ! -s <pihole ip> -p tcp --dport 53 -j DNAT --to <pihole ip>:53

 

[digital10]

Thanks for the suggestion, disabled everything and ran for 2 days, still getting satellite drops every 1 hour or so.

I dropped the satellite and use the base only to check if there is an issue with it but it runs without a glitch.

I did notice one weird thing while running a continuous ping test from the satellite and from the base I get a weird lag while connected to the satellite so for instance if I ping google.com I would get a weird lag spike every 60 to 80 packets (usually get about 58ms but the spikes go up to 700 ms) and they do not happen when connected to the base without satellite. After as series of those spikes the satellite just drops off (the base is still working, internet is on, the satellite seems to loose its backhaul for some reason) about an hour in or so. Tried to monitor the same with 2 laptops and my mobile just to ensure I eliminate device performance issues.

I am really not sure what happened with the system as it was really running rock steady for the last few months before the latest firmware update...

I am simply thinking to scrap the whole thing, wire up my house and go for the Ubiquiti Pro APs and call it a day...

me too it was rock solid up until about 9.2.5.2.7 I think. Especially with ios. I have assigned my satellite a static IP i wonder if that had any effect

I also enabled daisy chain topology, i wonder if that affects anything

 

[samarth]

Hi Voxel,

I use the Netgear Orbi app. Recently, Anywhere Access stopped working for me. I tried to turn it off and on again from the settings, but now it won't turn on. Do you have any idea about this?

 

[Voxel]

me too it was rock solid up until about 9.2.5.2.7 I think. Especially with ios.

There are two iPhones and one iPad used in my house. Most of time they are connected to RBS-1. And sometimes to RBS-2. No disconnections.

And there are no so specific changes since 9.2.5.2.7 what could be a reason.

I have assigned my satellite a static IP i wonder if that had any effect

It could be. There was something similar with R7800 in AP mode: it did not like static IP.

It is better to make the IP address reservations for your RBS. Like:

Voxel.

 

[Voxel]

Hi Voxel,

I use the Netgear Orbi app. Recently, Anywhere Access stopped working for me. I tried to turn it off and on again from the settings, but now it won't turn on. Do you have any idea about this?

Maybe temporary problem with NG service (maybe servers). Try a bit later. I've checked now with iPhone: it worked for me. I was not connected to ORBI Wi-Fi.

Voxel.

 

[digital10]

There are two iPhones and one iPad used in my house. Most of time they are connected to RBS-1. And sometimes to RBS-2. No disconnections.

And there are no so specific changes since 9.2.5.2.7 what could be a reason.


It could be. There was something similar with R7800 in AP mode: it did not like static IP.

It is better to make the IP address reservations for your RBS. Like:

View attachment 32335

Voxel.

This is what I did, I assigned RBS to 192.168.1.2. This is what meant with static IP.

Yesterday the Orbi went crazy, disconnecting all over the place. Working one minute and disconnecting the other. One of the most confusing things I saw was youtube was working on TV but no signal on windows or mac laptop. All connected wirelessly, albeit the TV is on the guest network.

 

[Voxel]

This is what I did, I assigned RBS to 192.168.1.2. This is what meant with static IP.

Yesterday the Orbi went crazy, disconnecting all over the place. Working one minute and disconnecting the other. One of the most confusing things I saw was youtube was working on TV but no signal on windows or mac laptop. All connected wirelessly, albeit the TV is on the guest network.

Please check with 9.2.5.2.11SF-HW.

Voxel.

 

[digital10]

Please check with 9.2.5.2.11SF-HW.

Voxel.

i dont mean to come out as an ungrateful person but, have you done something specifically to help with the issue in that release?

So far i am on 9.2.5.2.7 , not a single drop yet. At least nothing worth mentioning

 

[R. Gerrits]

i dont mean to come out as an ungrateful person but, have you done something specifically to help with the issue in that release?

my guess would be :
13. Disable ARM/NEON acceleration (kernel crypto AES/SHA1) to avoid conflicts with QCE.

 

[digital10]

my guess would be :
13. Disable ARM/NEON acceleration (kernel crypto AES/SHA1) to avoid conflicts with QCE.

translation?