Voxel Custom firmware build for Orbi RBK50/RBK53 (RBR50, RBS50) v. 9.2.5.2.11SF-HW

[Framedtrash]

Signed up to today to say thanks @Voxel
I only flashed it a few hours ago but so far so good.
One thing I have noticed that my orbi app is not working once I leave the network.
It's showing my router is offline? Does the orbi app still work with the new firmware loaded??

 

[Skippy Bosco]

One thing I have noticed that my orbi app is not working once I leave the network.
It's showing my router is offline? Does the orbi app still work with the new firmware loaded??

The Orbi app only works when you are connected to your home network, either locally or via a VPN.

 

[Framedtrash]

Thanks @Skippy Bosco

 

[Techdude99]

Continuation of

https://www.snbforums.com/threads/custom-firmware-build-for-orbi-rbk50-v-2-5-0-42sf-hw.60308/
. . .
https://www.snbforums.com/threads/c...k50-rbk53-rbr50-rbs50-v-9-2-5-2-9sf-hw.69689/
https://www.snbforums.com/threads/c...50-rbk53-rbr50-rbs50-v-9-2-5-2-10sf-hw.70690/

New version of my custom firmware build: 9.2.5.2.11SF-HW.

Changes (vs 9.2.5.2.10SF-HW):

1. Toolchain: Go is upgraded 1.16->1.16.2.
2. iptables: add iptables-mod-rpfilter plugin (HELLO_wORLD).
3. wireguard-tools package is upgraded 1.0.20210223->1.0.20210315.
4. cifs-utils package is upgraded 6.11->6.12.
5. libpcap package is upgraded 1.9.1->1.10.0.
6. e2fsprogs package is upgraded 1.45.6->1.46.2.
7. tar package is upgraded 1.32->1.34.
8. nano package is upgraded 5.6->5.6.1.
9. sysstat package is upgraded 12.4.2->12.4.3.
10. gdbm package is upgraded 1.18.1->1.19.
11. unzip: add security patches.
12. Kernel config: Add IP_NF_MATCH_RPFILTER/IP6_NF_MATCH_RPFILTER (iptables-mod-rpfilter).
13. Disable ARM/NEON acceleration (kernel crypto AES/SHA1) to avoid conflicts with QCE.
14. Host tools (e2fsprogs): is upgraded to 1.46.2.

The link is:

https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).

Voxel.

I'll be updating tonight. Thank you!

@Voxel Are there any plans to incorporate VLAN's similar to the Orbi Pro models in future builds?

Thanks

 

[mith_y2k]

@Voxel Are there any plans to incorporate VLAN's similar to the Orbi Pro models in future builds?

I haven’t used VLANs so far because I’ve been reading they weren’t working well and even the guest network seems to have a number of limitations. I would be curious to know more both what’s the use case and also how it could be achieved maybe with Entware or specific package builds

 

[Techdude99]

I haven’t used VLANs so far because I’ve been reading they weren’t working well and even the guest network seems to have a number of limitations. I would be curious to know more both what’s the use case and also how it could be achieved maybe with Entware or specific package builds

I can think of a few use cases. The most prominent for home users in my opinion would be segregating IoT, Guest, PC's/Servers, Security Cams, and Smart Phones/Tablets.

I'm testing VLAN's on a RT-N66U with DD-WRT and haven't reached a point that has caused an issue...yet. I have Gigabit Fiber and the Orbi SpeedTest on Ookla reaches 950Mbps from the ISP and the Rt-N66U maxes out at 680Mbps.

I can't speak to the implementation strategy but I would be happy to Beta test if you decide to investigate. The RBK50 is a great piece of hardware and your firmware is a breath of fresh air. Thank you!

 

[mith_y2k]

I can think of a few use cases. The most prominent for home users in my opinion would be segregating IoT, Guest, PC's/Servers, Security Cams, and Smart Phones/Tablets.

I'm testing VLAN's on a RT-N66U with DD-WRT and haven't reached a point that has caused an issue...yet. I have Gigabit Fiber and the Orbi SpeedTest on Ookla reaches 950Mbps from the ISP and the Rt-N66U maxes out at 680Mbps.

I can't speak to the implementation strategy but I would be happy to Beta test if you decide to investigate. The RBK50 is a great piece of hardware and your firmware is a breath of fresh air. Thank you!

Did you see http://www.snbforums.com/threads/ho...ed-wlan-lan-to-iot-devices-r9000-r7800.71742/ ? It looks like you’re trying to do the same thing. To be honest I would be very happy to create a similar setup where I have three VLANs, one for guests, one for IoT and one from my regular devices. I would be happy to have the guest VLAN the same as the “trusted” VLAN, but just with different credentials.

I am not sure this is work for Voxel though as opposed to simply knowing how to configure your router. I don’t know how to do it, but I can follow instructions

 

[Techdude99]

Did you see http://www.snbforums.com/threads/ho...ed-wlan-lan-to-iot-devices-r9000-r7800.71742/ ? It looks like you’re trying to do the same thing. To be honest I would be very happy to create a similar setup where I have three VLANs, one for guests, one for IoT and one from my regular devices. I would be happy to have the guest VLAN the same as the “trusted” VLAN, but just with different credentials.

I am not sure this is work for Voxel though as opposed to simply knowing how to configure your router. I don’t know how to do it, but I can follow instructions

Thanks for the link. I read it and tried Double NAT a while ago with the Orbi and a Samsung Connect Pro. There were random issues that made it unreliable and not as secure as a true VLAN. I found that the approach is generally discouraged. I'm not enthusiastic about running more cables to isolate physical ports when the goal is 3 or 4 WiFi VLAN's.

Maybe I'm missing something from the discussion or I still need to learn more about VLAN's. I never thought I would have so many WiFi devices in my home and the more I read about security breaches, the more I want groups of network devices isolated.

 

[agneev]

I just realized that the Orbi is listening on port 22 on WAN. How can I disable this without disrupting SSH access in the LAN?

 

[Skippy Bosco]

I just realized that the Orbi is listening on port 22 on WAN.

Strange. I don't see that on my Orbi.

Do you have remote management enabled?

Orbi Web Admin -> Advanced Tab -> Advanced Setup -> Remote Management

Do you have any debug options enabled?

Orbi Login & Setup | NETGEAR

The Orbi Web Interface and Orbi Admin App makes it easy to login and configure your Orbi WiFi System.

orbilogin.com

How can I disable this without disrupting SSH access in the LAN?

You should only be enabling SSH at the point you need it, are you keeping it enabled indefinitely?

 

[agneev]

Do you have remote management enabled?

No, I just checked; its disabled.

Do you have any debug options enabled?

I don't remember turning on anything explicitly, so probably no.

You should only be enabling SSH at the point you need it, are you keeping it enabled indefinitely?

I have scripts that retrieve data via SSH every 5 secs or so, so I need to keep it on all the time.

I set up a port forwarding rule from port 22 to some obscure port on an unutilized IP address for the time being, but a way to prevent it from listening on WAN would be nice.

 

[Voxel]

I just realized that the Orbi is listening on port 22 on WAN. How can I disable this without disrupting SSH access in the LAN?

It should be disable by default if you did not open it as it is described in my QuickStart.txt.

Try to check from telnet/ssh console:

net-wall rule
cat /tmp/netwall-rules

it should display all your accepted ports.

Voxel.

 

[digital10]

@Voxel

I have reported disconnects before. I since have changed the ethernet cable with the one that originally came with Orbi. Its goes from ISP router into WAN port of Orbi.

I have it up few days now I see more solid performance. I dont know why this makes me lose Wifi signal though, even if the previous ethernet cable was faulty. It was supposed to be a higher quality one that is CAT6.

Just reporting my experience

 

[agneev]

it should display all your accepted ports.

These say:

#Accept Rules Begin:
ACCEPT net fw udp 520,5050
ACCEPT fw net udp 520,5050,53,123,6060,67,68
ACCEPT fw net tcp 119,25,80,2345,3495,7070,20,21,5050,6060
ACCEPT net fw udp 161,162
#Drop Rules Begin:
DROP net fw tcp 7,19,135
DROP net loc tcp 135
DROP net fw udp 7,9,19,137,138,139,445
DROP net loc udp 137,138,139,445
DROP loc fw udp 161,162

(I guess it no longer shows port 22 because I forwarded it. Also I seem to be running an open DNS resolver??)

Also, I cannot seem to get entware working. I followed the instructions... formatted a connected pen drive into ext4 using mkfs (w/ metadata_csum), downloaded and extracted the tarball, ran the nvram commands, created .profile and rebooted.

root@Orbi:~# ls -l /opt/
drwxr-xr-x 2 root root 4096 Mar 17 18:59 bin
lrwxrwxrwx 1 root root 16 Apr 16 09:39 bitdefender -> /mnt/bitdefender
drwxr-xr-x 4 root root 4096 Mar 17 18:59 etc
drwxr-xr-x 2 root root 4096 Feb 26 18:48 home
drwxr-xr-x 3 root root 4096 Feb 26 18:48 lib
lrwxrwxrwx 1 root root 8 Apr 16 09:39 opt -> /tmp/opt
drwxr-xr-x 2 root root 4096 Mar 17 18:59 root
drwxr-xr-x 2 root root 4096 Mar 17 18:59 sbin
drwxr-xr-x 4 root root 4096 Feb 26 18:48 share
drwxrwxrwx 3 root root 4096 Mar 17 19:00 tmp
drwxr-xr-x 4 root root 4096 Feb 26 18:48 usr
drwxr-xr-x 6 root root 4096 Mar 17 18:59 var

root@Orbi:~# ls -lh /mnt/sda1/
drwxr-xr-x 3 root root 4.0K Aug 2 2017 autorun
drwxr-xr-x 12 root root 4.0K Apr 16 09:39 entware
-rw-r--r-- 1 root root 4.2M Mar 17 19:07 entware-cortex-a15-3x-initial-generic.tar.gz
drwx------ 2 root root 16.0K Apr 15 21:32 lost+found

 

[andlid1377]

Hello!

Yesterday I installed the firmware on my ORBI system, mainly I had an issue that I thought maybe this custom firmware could adress. Firstly I didn't read the notes properly so started off by soft bricking the ORBI *I didn't have a firmware lower then the recommended so did not think I needed to adjust my firmware to a lower version (I was wrong...) Anyway all good running the latest Voxel firmware on my router and satelite. My issue or what I would like to get around is the VPN server authentication functionallity and the firewall policy once authenticated. I tried to adress this with the factory firmware but have given that up obviously running this custom firmware.

Background is that I would like to authenticate my VPN users with a username and password not just the use of certificate that's bundled into the configuration. I would also like to be able to have a policy for the authenticated and connected users.

Say the VPN network is 192.168.2.x/24 and my home network is a flat 192.168.1.x/24

Is there anyway I could push certain IP's of the TUN interface to only allowed destinations, ports? Best would be if I could have certain usernames, groups applied to certain firewall policys

Any help pointing me into the solution would be greatly appriciated even if it's not what described above but solves my issue somehow.

Linux RBR50 3.14.77 #1 SMP PREEMPT Tue Mar 23 10:59:55 UTC 2021 armv7l IPQ4019 GNU/Linux

The first attempt has been described here:

Re: Orbi IPTABLES and TUN interface

Could you please describe the intended result in more general terms? Such as: When a remote device joins my Orbi LAN through OpenVPN, I want this device to be able to (a) only do certain things, or (b) not be able to do certain things, (1) on the local LAN or (2) when it accesses the internet...

community.netgear.com

 

[CrimpOn]

Just discovered today that all versions of Orbi firmware more recent than 2.5.2.4 and 2.7.0.70 do not appear to support a USB stick. (at least, not for me, and I formatted it ext2 for Linux).

This brought up what is probably a silly question: Has anyone attempted to connect multiple USB sticks to an Orbi using a USB hub?

 

[andlid1377]

Just discovered today that all versions of Orbi firmware more recent than 2.5.2.4 and 2.7.0.70 do not appear to support a USB stick. (at least, not for me, and I formatted it ext2 for Linux).

This brought up what is probably a silly question: Has anyone attempted to connect multiple USB sticks to an Orbi using a USB hub?

Are you running the custom firmware ? I don't see that Voxel has a custom firmware later then the one I installed above. Which is based on the 2.5.2.4.

 

[CrimpOn]

Sorry I was not clear. All of the newer Netgear firmware appears to have disabled the USB port, which makes collecting LAN/WAN data almost useless because system memory is so small.
I am currently on 2.7.2.104. I go back and forth between Netgear and Voxel. When someone posts a question about Orbi in the Netgear community forum, it seems inconsistent to begin every response with, "I don't actually use Netgear firmware, my Orbi with Voxel acts like this..."

The question was more idle curiosity. I have used a USB hub to attach multiple 5G WiFi ports to my old Linux machine which does not have 5G, but have never tried multiple USB sticks. (The hub is back in my "box of stuff".)

 

[Voxel]

These say:


(I guess it no longer shows port 22 because I forwarded it. Also I seem to be running an open DNS resolver??)

Also, I cannot seem to get entware working. I followed the instructions... formatted a connected pen drive into ext4 using mkfs (w/ metadata_csum), downloaded and extracted the tarball, ran the nvram commands, created .profile and rebooted.

Looks as Entware is working.

Voxel.

 

[Voxel]

Has anyone attempted to connect multiple USB sticks to an Orbi using a USB hub?

Yes. It should work. I tried USB hub (active) with USB stick and USB HDD.

Voxel.