Custom firmware build for R7800 v. 1.0.2.53SF/1.0.2.53SF-KF [Updated]

[Gouzmalix]

I am new to R7800 custom firmware, I am currently on 1.0.2.44SF, can I upgrade my router to this version straight away?

Also, does this version has "VPNFilter" router malware fixed?
https://www.theregister.co.uk/2018/06/07/vpnfilter_is_much_worse_than_everyone_thought

Yes, but because your version is a few iterations behind, it is recommended to factory reset. However, this is optional, and you can be the judge of that when you flash. Once flashed, do you have any issues? If so, and you can't seem to fix, a factory reset could fix them.

 

[RogerSC]

Ah, I see that when I hover my mouse over the devices in the "Attached Devices" page, the MAC Addresses do magically appear. What do you know? Better than nothing, I guess *smile*.

 

[Killhippie]

I am new to R7800 custom firmware, I am currently on 1.0.2.44SF, can I upgrade my router to this version straight away?

Also, does this version has "VPNFilter" router malware fixed?
https://www.theregister.co.uk/2018/06/07/vpnfilter_is_much_worse_than_everyone_thought

R7800 was not vulnerable to the VPNFilter malware, it was a small subset of Netgear routers. These are listed below.

• Netgear DG834
  
• Netgear DGN1000
  
• Netgear DGN2200
• Netgear DGN3500
  
• Netgear FVS318N
  
• Netgear MBRN3000
  
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• Netgear WNR2200
  
• Netgear WNR4000
  
• Netgear WNDR3700
  
• Netgear WNDR4000
  
• Netgear WNDR4300
  
• Netgear WNDR4300-TN
  
• Netgear UTM50

 

[Voxel]

How is Smart Connect working for you all?

Since the WiFi driver was updated as well, I'd be interested in seeing some numbers versus the previous version.

I hope kamoj will share his Smart Connect testing results

Voxel.

 

[Voxel]

Info for Entware users: Entware is upgraded. It is enough to run:

/opt/bin/opkg update
/opt/bin/opkg upgrade

to upgrade your version.

Voxel.

 

[kamoj]

Since the WiFi driver was updated as well, I'd be interested in seeing some numbers versus the previous version.

Well, here are some numbers (output from the not yet public "kamoj-add-on" GUI):

Before:

Temperatures CPU / WiFi0 / WiFi1 56 / 57 / 52 (Turbo Max Temp=65) °C          132 / 134 / 125 (Turbo Max Temp=149) °F
WiFi0 ath0 ESSID:MYNET-5G, CH:36, Frequency:5.18 GHz Rate:1.7333 Gb/s, Tx-Power:24 dBm (251 mW), RSSI:-85 dBm
WiFi1 ath1 ESSID:MYNET, CH:7, Frequency:2.442 GHz Rate:800 Mb/s, Tx-Power:29 dBm (794 mW), RSSI:-56 -70 -60 dBm

After with Smart Connect enabled:

Temperatures CPU / WiFi0 / WiFi1 55 / 57 / 52 (Turbo Max Temp=65) °C          131 / 134 / 125 (Turbo Max Temp=149) °F
WiFi0 ath0  ESSID:MYNET, CH:36, Frequency:5.18 GHz Rate:1.7333 Gb/s, Tx-Power:29 dBm (794 mW), RSSI:-50  dBm
WiFi1 ath1 ESSID:MYNET, CH:7, Frequency:2.442 GHz Rate:800 Mb/s, Tx-Power:29 dBm (794 mW), RSSI:-56 -76 -76 -63 dBm

The 2.4 GHz net is "unaffected" by the change, but...
The power output of the 5 GHz band has increased from 251 to 794 mW. Also the (5 GHz) RSSI from my phone has jumped from -85 to -50 dBm.
The chips temperatures seems to be same as before, so cooling is not an issue.

 

[Mooternutz]

A couple of questions I have: Is your fw similiar to what I would get by using LEDE? I want to be able to use wireguard and not sure which fw to use.

Thanks!

 

[kamoj]

A couple of questions I have: Is your fw similiar to what I would get by using LEDE? I want to be able to use wireguard and not sure which fw to use.
Thanks!

No, sorry, my add-ons are based on Voxel FW.

It is correct that you need a newer kernel (like LEDE) for WireGuard.
I don't think Netgear will update the kernel in their firmware.

PS
You can get WireGuard service for free here: https://www.azirevpn.com/wireguard

 

[Mooternutz]

No, sorry, my add-ons are based on Voxel FW.

It is correct that you need a newer kernel (like LEDE) for WireGuard.
I don't think Netgear will update the kernel in their firmware.

PS
You can get WireGuard service for free here: https://www.azirevpn.com/wireguard

Thanks. Yeah I have been using them for a bit, the speeds are great most of the day.

 

[Gouzmalix]

The power output of the 5 GHz band has increased from 251 to 794 mW. Also the (5 GHz) RSSI from my phone has jumped from -85 to -50 dBm.

Interesting. It must be because of the updated FCC guidelines. I recall reading that they've increased legal power output for certain channels. That could explain the power increase. Thanks for the information!

I will say WiFi performance—subjectively—seems better than previous firmwares using older drivers.

 

[ablatt]

Well, here are some numbers (output from the not yet public "kamoj-add-on" GUI):

Before:

Temperatures CPU / WiFi0 / WiFi1 56 / 57 / 52 (Turbo Max Temp=65) °C          132 / 134 / 125 (Turbo Max Temp=149) °F
WiFi0 ath0 ESSID:MYNET-5G, CH:36, Frequency:5.18 GHz Rate:1.7333 Gb/s, Tx-Power:24 dBm (251 mW), RSSI:-85 dBm
WiFi1 ath1 ESSID:MYNET, CH:7, Frequency:2.442 GHz Rate:800 Mb/s, Tx-Power:29 dBm (794 mW), RSSI:-56 -70 -60 dBm

After with Smart Connect enabled:

Temperatures CPU / WiFi0 / WiFi1 55 / 57 / 52 (Turbo Max Temp=65) °C          131 / 134 / 125 (Turbo Max Temp=149) °F
WiFi0 ath0  ESSID:MYNET, CH:36, Frequency:5.18 GHz Rate:1.7333 Gb/s, Tx-Power:29 dBm (794 mW), RSSI:-50  dBm
WiFi1 ath1 ESSID:MYNET, CH:7, Frequency:2.442 GHz Rate:800 Mb/s, Tx-Power:29 dBm (794 mW), RSSI:-56 -76 -76 -63 dBm

The 2.4 GHz net is "unaffected" by the change, but...
The power output of the 5 GHz band has increased from 251 to 794 mW. Also the (5 GHz) RSSI from my phone has jumped from -85 to -50 dBm.
The chips temperatures seems to be same as before, so cooling is not an issue.

This seems surprising given https://fccid.io/PY315200310, which I downloaded two years ago, shows the power on the lower 5GHz channels equal to the higher ones from the start. I also see no signal difference in WIFI Explorer on my MAC between 1.0.2.52 and prior firmwares.

 

[kamoj]

This seems surprising given https://fccid.io/PY315200310, which I downloaded two years ago, shows the power on the lower 5GHz channels equal to the higher ones from the start. I also see no signal difference in WIFI Explorer on my MAC between 1.0.2.52 and prior firmwares.

Hi, I don't know why you are surprised.
This is Netgear based FW...
This thread is for Voxel FW.
The change I described is between Voxel 1.0.2.50SF and 1.0.2.53SF. Sorry I was not clear with that!
But I read in many forum reports about better 5 GHz performance even for 1.0.2.52.
PS
What is your RSSI in your MAC for 1.0.2.52 and prior firmwares?

 

[ablatt]

Currently I'm at -49dBm (5 Ghz, channel 44) on my MAC which is a floor away from the R7800. From my recollection, in the same location, it's been around that signal strenth for a while.

If I revert to 1.0.2.44, or some earlier version, I will check again to compare.

Thanks for your input about this. I would never know how to obtain those values from the router.

 

[kamoj]

Currently I'm at -49dBm (5 Ghz, channel 44) on my MAC which is a floor away from the R7800. From my recollection, in the same location, it's been around that signal strenth for a while.
If I revert to 1.0.2.44, or some earlier version, I will check again to compare.
Thanks for your input about this. I would never know how to obtain those values from the router.

Thank you too! (And I get the same power even without Smart Connect enabled!)

Log in to router and issue commands:
wlanconfig ath0 list | grep -v RSSI | awk '{print $6-95}' | xargs
iwlist ath0 txpower

 

[Easy Rhino]

Voxel, when you list "several NG bugs fixed", do you have an listing anywhere of what those bugs are? It might be useful if I see or expect changes from stock firmware on anything.

It would also help reduce expectations for the other netgear bugs not listed to be fixed.

 

[Voxel]

Voxel, when you list "several NG bugs fixed", do you have an listing anywhere of what those bugs are? It might be useful if I see or expect changes from stock firmware on anything.

It would also help reduce expectations for the other netgear bugs not listed to be fixed.

You know, I had to stop the maintenance of such a list. Unfortunately my bug reports are ignored by NG engineering. So...

I do integration of the stock firmware adding their changes to my version but not vice versa i.e. not my changes to new stock. It allows to avoid repeated bugs. And some parts of this process is semi automated. E.g. finding scripts with lost "executable" attribute (i.e. they just could not be executed when called). New 1.0.2.52 introduced several such bugs and some missing binary executable files such as aws-iot (it is called from init script but binary is not included into firmware). I already reported this having the same for R9000. Not fixed by NG unfortunately even for R9000 and the same bug is now in R7800 (stock).

Voxel.

 

[jsmiddleton4]

Gotta tell you if ASUS had the same hardware combo/price point I’d have left NG and its ever growing LOUSY firmware engineering long ago. There is just no other piece of hardware at the price/performance point as the X4S.

 

[Matte]

@Voxel - first of all, thanks for the great job you are doing here - I was stuck into weird loops with DD-WRT after using it for years, and developing several scripts for it, and I had decided to go back to NG's original FW and sacrifice the cool features...and then your custom firmware appeared as a great saviour!!

I have some questions as I'm struggling with dnscrypt - I've enabled it with the config file, and the five processes seem to be running correctly on 64001-64005 ports towards the selected servers - ace there!
However, the router seems to be using my ISP's DNS first, as per https://www.perfect-privacy.com/dns-leaktest/ . I have figured dnsmasq settings in resolv.conf change if you change them in the GUI (as expected), however, while dnsmasq runs with -r /etc/resolv.conf, in the dnsmasq.conf you have set it to discard those by the no-resolv option, right? That seems OK, however the Man page states

-r, --resolv-file=<file>
Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf. For the format of this file see resolv.conf(5). The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can be told to poll more than one resolv.conf file, the first file name specified overrides the default, subsequent ones add to the list. This is only allowed when polling; the file with the currently latest modification time is the one used.
-R, --no-resolv
Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file.

and, to me, this is not too clear - if you see what I mean..will it read resolv.conf as it's in the command line?!? It might, but I would not count on that. Now, my related questions:

1. Are we sure this setup does what we want it to, excluding any DNS but the crypted ones?
2. If it does, can you wonder why the test still states the router is using as my primary DNS the one of my ISP?
3. I can see the option try-ns-all is there, is this the same of all-servers? I am experiencing many DNS slow-downs after I enabled 5 different servers that I used to use before with no issues - this might be because that option is not known by dnsmasq binary 2.78, as it's not in the Man page, maybe? Might 2.79 be fixing this? Not sure, I can't see anything really related in the changelog, but we never know
4. To avoid any machine to use customised DNS (many software do), what rule can we add for the firewall to catch all the DNS traffic and use the internal DNS?
5. As I would have a list of blocked servers for dnsmasq, how would you suggest I add my conf to your one?
6. Isn't the dhcp-authoritative option needed as well, if we want the router to take over any request? Maybe that's why I experience my ISP's DNS to be used?

Thanks a lot - and sorry for the army of questions

 

[Voxel]

@Voxel - first of all, thanks for the great job you are doing here - I was stuck into weird loops with DD-WRT after using it for years, and developing several scripts for it, and I had decided to go back to NG's original FW and sacrifice the cool features...and then your custom firmware appeared as a great saviour!!

I have some questions as I'm struggling with dnscrypt - I've enabled it with the config file, and the five processes seem to be running correctly on 64001-64005 ports towards the selected servers - ace there!
However, the router seems to be using my ISP's DNS first, as per https://www.perfect-privacy.com/dns-leaktest/ . I have figured dnsmasq settings in resolv.conf change if you change them in the GUI (as expected), however, while dnsmasq runs with -r /etc/resolv.conf, in the dnsmasq.conf you have set it to discard those by the no-resolv option, right? That seems OK, however the Man page states

and, to me, this is not too clear - if you see what I mean..will it read resolv.conf as it's in the command line?!? It might, but I would not count on that. Now, my related questions:

1. Are we sure this setup does what we want it to, excluding any DNS but the crypted ones?
2. If it does, can you wonder why the test still states the router is using as my primary DNS the one of my ISP?
3. I can see the option try-ns-all is there, is this the same of all-servers? I am experiencing many DNS slow-downs after I enabled 5 different servers that I used to use before with no issues - this might be because that option is not known by dnsmasq binary 2.78, as it's not in the Man page, maybe? Might 2.79 be fixing this? Not sure, I can't see anything really related in the changelog, but we never know
4. To avoid any machine to use customised DNS (many software do), what rule can we add for the firewall to catch all the DNS traffic and use the internal DNS?
5. As I would have a list of blocked servers for dnsmasq, how would you suggest I add my conf to your one?
6. Isn't the dhcp-authoritative option needed as well, if we want the router to take over any request? Maybe that's why I experience my ISP's DNS to be used?

Thanks a lot - and sorry for the army of questions

Well, you know, I've upgraded dnsmasq to version 2.78. So maybe not options are OK (as it was for 2.39). I checked briefly after upgrade. dnsleak test displayed for me only crypt DNS servers. OK, thanks for report.

I am far away from my home now (abroad). Will check after my arrival. You can add your IP tables rules for safety (see my README re: how to use custom iptables rules with your custom script). Rules are something like (example):

#!/bin/sh

lan_ip=192.168.1.1

iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination $lan_ip:65053
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination $lan_ip:65053

I cannot check now, but I hope it is OK.

Voxel.

 

[Matte]

Thanks a lot - with your suggestions, I have fixed most of the bits and am very close to my wanted config, I just need to do some more work now that I managed to have SSH up and running
First of all, the wrong DNS' showing on the website were mainly due to caching I think, as the WiFi devices showed them as expected. Clearing the caching on the LAN PC did not work, though, which was weird. It might have been IPv6, so I have disabled it as I do not use the tunnel offered by the ISP anyway, then set the web GUI to have all DNS' pointing at the router IP only, and it all works right now! Not sure I unveiled the culprit or not, this might need some more testing.

About the iptables you suggested, dnsmasq seems to listen on 53 and not 65053, unless I miss something

QQ] How do you make SSH accessible via internet? I have been unable to do so, and the modem part has been OK as it is with DMZ set on the router.

p.s. Consider adding an option to enable DNSSEC with the proxy-dnssec option in DNSMasq - I have added to the startup script a link to my own dnsmasq.custom file for that and it works well and gives positive result here https://dnssec.vs.uni-due.de/