Doubts about R7800 Firmware / IPv6 Support

[WiFiSeeder]

Hi guys,

I'm thinking about buying a R7800 to replace my old trusted AC68U.

Just wondering about a few things:

1. Are the firmware issues that used to affect wired speeds gone? Can I trust this router to drive 1 Gbps down the wire?
2. Is there a firmware that allows me to configure simple IPv6 Firewall rules (e.g., allow incoming traffic to 20ab:xxxx port 80 and 443)
3. What kind of downstream speeds do you get at short range (i.e., 2 to 3 meters, no walls) in the 5ghz band - 80 / 160 MHZ band?
4. ASUS router owners. Can a ASUS router connect to this Router in Media Bridge mode? If so, what kind of speeds do you get (with clients directly wired to the media bridge)? Is it stable?

Any info from current / previous owners is very welcome.

 

[L&LD]

For part of your 1. questions, there is no consumer router that I have tried that can do true 1Gbps speeds WAN to LAN and vice versa. That is with no extra options configured on the router. With anything turn 'on' within the router, the speeds are much, much less than 1Gbps.

 

[WiFiSeeder]

For part of your 1. questions, there is no consumer router that I have tried that can do true 1Gbps speeds WAN to LAN and vice versa. That is with no extra options configured on the router. With anything turn 'on' within the router, the speeds are much, much less than 1Gbps.

Hi L&LD, what kind of speed can I expect with QoS turned off? My AC68U seems to be pretty close to maxing out my 1 Gbps link, at least that's what I'm getting from unscientific peak performance tests. What I mean is, I'm getting 900 / 940 Mbps in Ookla speed tests when client is wired to the router. Unfortunately, WiFi speeds are generally around 300 / 400 Mbps.

Cheers,

 

[Sachb]

If you care about VPN such as open vpn then R7800 may not do this.

If you want to use this router as a repeater mode, then again R7800 doesn't do it.

NG R7800 is suited for folks who want shear speed with limited features.

The best thing about this router is, that it boots in under a minute whereas the asus would easily take upto 2 mins.

Sent from my LM-G710 using Tapatalk

 

[WiFiSeeder]

If you care about VPN such as open vpn then R7800 may not do this.

If you want to use this router as a repeater mode, then again R7800 doesn't do it.

NG R7800 is suited for folks who want shear speed with limited features.

The best thing about this router is, that it boots in under a minute whereas the asus would easily take upto 2 mins.

Sent from my LM-G710 using Tapatalk

Hi Sachb. I'm not using a VPN Client nor am I thinking about using it as a repeater. However, I really need IPv6 Firewall functionality (other than block all / accept all). Do you know if Stock, Voxel's or DD-WRT firmware can do that?

 

[jsmiddleton4]

Only thing Netgear refuses to support with IPv6 is ICMP. Voxel can't do anything about that either.

 

[WiFiSeeder]

Only thing Netgear refuses to support with IPv6 is ICMP. Voxel can't do anything about that either.

Is there an IPv6 Firewall that allows custom rules? If so, wouldn't something like:

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

Work? Or is NG not even respecting firewall rules? (Not a surprise since they are not even respecting IPv6 RFC...). I doubt that I can get a stable IPv6 connection without MTU control...

 

[L&LD]

Hi L&LD, what kinds of speed can I expect with QoS turned off? My AC68U seems to be pretty close to maxing out my 1 Gbps link, at least thats what I'm getting feom unscientific peak performance tests. What I mean is, I'm getting 900 / 940 Mbps in Ookla speed tests when I'm wired to the router. Unfortunately, WiFi speeds are generally around 300 / 400 Mbps.

Cheers,

With QoS turned off (and also anything else that may turn off NAT Acceleration) you can expect very, very close to the speeds you're already seeing. See the router charts for an idea of how close the current routers are to each other.

Even with my RT-AC3100, I am having the same issue(s) right now as I've just jumped to 1Gbps up/down speeds myself.

Fast.com shows speeds like 1.1Gbps down and 1.4Gbps up. Speedtest.net shows 797Gbps down and 769Gbps up. DSLReports.com shows 587Gbps down and when it hits 389Gbps up, it crashes.

What we need is the (now old) Asus BRT-AC828 with 2Gbps WAN ports.

https://www.hardwarezone.com.sg/tec...c828-router-comes-dual-wan-ports-2gbps-speeds

I am hoping Asus updates the BRT to AX standards (not draft) and is actually available for most.

The RT-AC3100 was a nice speed bump improvement over my trusty old RT-AC68U. I may need to get an RT-AC86U or RT-AX88U in sooner than I expected to test if they help with the 1Gbps ISP service I now have.

 

[WiFiSeeder]

With QoS turned off (and also anything else that may turn off NAT Acceleration) you can expect very, very close to the speeds you're already seeing. See the router charts for an idea of how close the current routers are to each other.

Even with my RT-AC3100, I am having the same issue(s) right now as I've just jumped to 1Gbps up/down speeds myself.

Fast.com shows speeds like 1.1Gbps down and 1.4Gbps up. Speedtest.net shows 797Gbps down and 769Gbps up. DSLReports.com shows 587Gbps down and when it hits 389Gbps up, it crashes.

What we need is the (now old) Asus BRT-AC828 with 2Gbps WAN ports.

https://www.hardwarezone.com.sg/tec...c828-router-comes-dual-wan-ports-2gbps-speeds

I am hoping Asus updates the BRT to AX standards (not draft) and is actually available for most.

The RT-AC3100 was a nice speed bump improvement over my trusty old RT-AC68U. I may need to get an RT-AC86U or RT-AX88U in sooner than I expected to test if they help with the 1Gbps ISP service I now have.

Thanks L&LD, that's very useful information!

To be honest, I'm kinda leaning towards the RT-AX88U. Although I'm concerned that I may be heading towards a World of pain as a paying Guinea pig until ASUS finishes ironing out bugs in WiFi version 6 and releases a brand new "RT-AX86U" a couple of years down the road. At the moment the main contender seems to be the RT-AC86U.

I understand that the R7800 is a powerful router. Faster than the AC86U and even the RT-AX88U (for half the price). However, so far I couldn't confirm if custom firewall rules for IPv6 are supported (I love pfSense, but no thanks... I'm not using it at home).
Plus the whole ICMP thing is very disappointing. I would have expected something like that from a Junior Sysad that just heard about the dangers of "Ping of death" and insists that we need to "secure the network"... Not from Engineers at a major network supplier! God knows what other unholy things are lurking in their firmware.

Any other advice or last minute attempt to push a madman towards the path of enlightenment with tried and tested technology like the AC3100 or AC86U?

 

[L&LD]

Thanks L&LD, that's very useful information!

To be honest, I'm kinda leaning towards the RT-AX88U. Although I'm concerned that I may be heading towards a World of pain as a paying Guinea pig until ASUS finishes ironing WiFi version 6 and releases a brand new "RT-AX86U" a couple of years down the road. I may be jumping the gun, but at the moment I'm mostly undecided between the RT-AX88U and RT-AC86U.

I understand that the R7800 is a powerful router. Faster than the AC86U and even the RT-AX88U (for half the price). However, so far I couldn't confirm if I can add custom firewall rules to the R7800. Plus the whole ICMP thing is very disappointing (I would have expected something like that from a Junior Sysad that just heard about the dangers of "Ping of death" and insists that we need to "secure the network"... Not from Engineers at a major network supplier! God knows what other unholy things are lurking in their firmware.

Any other advice or last minute attempt to push a madman towards the path of enlightenment with tried and tested technology like the AC3100 or AC86U?

I love great hardware. I too would be testing the R7800 to see what improvements I can get from it. Maybe, fortunately, I can't get one locally (I don't do 'online').

However, my research so far shows me that I will be getting a very small gain over what I have now in the LAN/WAN dept. With possibly bigger gains over WiFi and storage options (which I don't use off the router anyway). The cost of switching to the NG means losing RMerlin. Case closed.

https://www.snbforums.com/threads/n...ison-stock-vs-voxel-performance-issues.54441/

There are excellent third-party firmware options to test/try with the R7800, but it is still NG based.

The reasons I want to test the RT-AX88U and the RT-AC86U for my needs would be for OpenVPN performance increases. The LAN/WAN and WAN/LAN speed differences will be negligible (I believe).

Asus' hardware and RMerlin's firmware contributions make that much of a difference. There is no other manufacturer that can come close with this powerhouse combination.

Stable, secure, highly configurable/customizable and (sometimes) slightly slower beats fastest but mostly in the shop for service/tuneups, every time!

 

[WiFiSeeder]

The cost of switching to the NG means losing RMerlin. Case closed.

I hear you . While I take my hat off to Voxel, there is only so much that you can do when messy upstream policies keep holding you back.
Ok, so RT-AX88U it is. I heard read that Merlin is already working his magic.

 

[L&LD]

I hear you . While I take my hat off to Voxel, there is only so much that you can do when messy upstream policies keeps holding you back.
Ok, so RT-AX88U it is. I heard read that Merlin is already working his magic.

Your link is a little stale!

https://www.snbforums.com/threads/experimental-bcraffy-openssl-1-1-x-builds.55036/

That is what I would be testing an AX with today.

 

[kamoj]

The ip6tables command is included in the Voxel firmware.
https://www.snbforums.com/threads/c...r-r7800-v-1-0-2-54sf.47947/page-2#post-420955

root@R7800:/$ ip6tables
ip6tables v1.4.10: no command specified
Try `ip6tables -h' or 'ip6tables --help' for more information.

But:
Netgear use a firewall wrapper net-wall from Delta Networks Inc.

So to use iptables and ip6tables commands, you should put them in /opt/scripts/firewall-start.sh
( In old releases of Voxel firmware: /root/firewall-start.sh)

From Voxel's readme.docx:
"5. Open your own firewall ports.
...
Additionally you can use your own custom script to add your own iptables rules.
This script should be named firewall-start.sh and be placed in the /root directory, i.e. /root/firewall-start.sh."

References in this forum:
https://www.snbforums.com/threads/p...to-source-ip-address-range.42821/#post-365354
https://www.snbforums.com/threads/c...v-1-0-2-42hf-1-0-2-42hf-hw.40688/#post-342246
https://www.snbforums.com/threads/c...r-r7800-v-1-0-2-49sf.45296/page-2#post-390635
https://www.snbforums.com/threads/help-with-custom-iptables.44630/
https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-59sf.48579/
https://www.snbforums.com/threads/s...ol-in-my-build-of-firmware.54815/#post-467304

Is there an IPv6 Firewall that allows custom rules? If so, wouldn't something like:

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

Work? Or is NG not even respecting firewall rules? (Not a surprise since they are not even respecting IPv6 RFC...). I doubt that I can get a stable IPv6 connection without MTU control...

 

[WiFiSeeder]

@kamoj , thank you very much for the info.

I'm sure that I'm hitting a complex problem with a stick, however, could you run a little experiment for me?

Could you allow ICMPv6 traffic and run a http://ipv6-test.com tests?

ip6tables -A INPUT   -p IPv6-icmp -j ACCEPT
ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT

I'm just trying to understand if I can potentially overcome the ICMP issue.

For security conscious people arriving here from a search engine:

Sample script that allows recommended ICMPv6 traffic while tightening security: https://tools.ietf.org/html/rfc4890#page-30
Extra recommendations for customer devices: https://tools.ietf.org/html/rfc6092#section-3.2.1

If it works I'm sure that someone more knowledgeable about router firewall security can replicate tried and tested but less spartan default rules from Merlin's Firmware or DD-WRT.

 

[kamoj]

Sure, I will do.
Just now I tried it and discovered an issue in Voxel's net-wall wrapper that is a wrapper to Netgear's net-wall.
I must resolve this issue before completing your task.
I'll come back to you!

@kamoj , thank you very much for the info.

I'm sure that I'm hitting a complex problem with a stick, however, could you run a little experiment for me?

Could you allow ICMPv6 traffic and run a http://ipv6-test.com tests?

ip6tables -A INPUT   -p IPv6-icmp -j ACCEPT
ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT

I'm just trying to understand if I can potentially overcome the ICMP issue.

For security conscious people arriving here from a search engine:

Sample script that allows recommended ICMPv6 traffic while tightening security: https://tools.ietf.org/html/rfc4890#page-30
Extra recommendations for customer devices: https://tools.ietf.org/html/rfc6092#section-3.2.1

If it works I'm sure that someone more knowledgeable about router firewall security can replicate tried and tested but less spartan default rules from Merlin's Firmware or DD-WRT.

 

[WiFiSeeder]

@kamoj , thanks a million.

 

[kamoj]

Ok, here is the first try:

"Advanced, Advanced Setup, IPv6": "Internet Connection Type":  "Auto Detect"
IPv6 Filtering: Open

ip6tables -A INPUT -p IPv6-icmp -j ACCEPT
ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT

http://ipv6-test.com/? : 12/20 (ICMP Filtered)

root@R7800:/$ ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       ipv6-icmp    anywhere             localhost/128
DROP       ipv6-icmp    anywhere             localhost/128
DROP       tcp      anywhere             anywhere            tcp dpt:www
DROP       tcp      anywhere             anywhere            tcp dpt:domain
DROP       tcp      anywhere             anywhere            tcp dpt:https
DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
DROP       tcp      anywhere             anywhere            tcp dpt:zebra
IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
ACCEPT     ipv6-icmp    anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere
DROP       all     !xxxx:xxxx:xxxx::/64  anywhere
DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
DROP       ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply limit: avg 5/sec burst 5
ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
DROP       all      ::7/128              anywhere
IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@R7800:/$
root@R7800:/$ ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d ::1/128 -i sit1 -p ipv6-icmp -j DROP
-A INPUT -d ::1/128 -i br0 -p ipv6-icmp -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 53 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 548 -j DROP
-A INPUT -i sit1 -p tcp -m tcp --dport 2601 -j DROP
Can't find library for target `IPv6-CONE'
-A INPUT -i sit1 -j IPv6-CONE
root@R7800:/$

Note this:
Can't find library for target `IPv6-CONE'
-A INPUT -i sit1 -j IPv6-CONE

Also tried to modify your commands to:

ip6tables -I INPUT -p IPv6-icmp -j ACCEPT
ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT

But same result.

If you have the whole list of settings (incl. erasing all Netgear rules..) , I can try that too.

 

[WiFiSeeder]

Thanks @kamoj. The fact that the two very first lines are blocking ICMPv6 is very encouraging.

Since the default policy for all chains is ACCEPT, I don't think that we even need custom rules. Deleting some of the default rules should do it.

I don't want to abuse your good will, but if you are willing to do another test, I think that we can get the ICMP tests to pass.

First, run the following command:

ip6tables -L --line-numbers

Output should give you line numbers for each rule. Even the ones that we can't see with -S due to the unloaded / missing custom kernel module.

Go ahead and delete every line that has anything to do with dropping ICMPv6 traffic. Example (line numbers may vary):

ip6tables -D INPUT 1
ip6tables -D INPUT 2
ip6tables -D FORWARD 5

Actually, the FORWARD rule capping ping requests to 5 times per second ain't that bad, but let's nuke it anyway just for the sake of testing.
Finally, run the IPv6 tests again and, unless NG is blocking ICMP in some other way, my expectation is that everything should work .

 

[KevTech]

Here is on NG stock firmware:

root@R7800:/# ip6tables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       ipv6-icmp    anywhere             localhost/128
2    DROP       ipv6-icmp    anywhere             localhost/128
3    DROP       tcp      anywhere             anywhere            tcp dpt:www
4    DROP       tcp      anywhere             anywhere            tcp dpt:domain
5    DROP       tcp      anywhere             anywhere            tcp dpt:https
6    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
7    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
8    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all     !2601:601:1680:18::/64  anywhere
2    DROP       tcp      localhost/128        whoartthou/128      tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
3    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
4    DROP       ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply limit: avg 5/sec burst 5
5    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
6    DROP       all      ::7/128              anywhere
7    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

 

[kamoj]

Second try:

root@R7800:/$ ip6tables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp      anywhere             anywhere            tcp dpt:www
2    DROP       tcp      anywhere             anywhere            tcp dpt:domain
3    DROP       tcp      anywhere             anywhere            tcp dpt:https
4    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
5    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all     !xxxx:xxxx:xxxx::/64  anywhere
2    DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
3    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
4    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
5    DROP       all      ::7/128              anywhere
6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
root@R7800:/$

I'm running Windows 10 64-bit.
Have tried 4 different internet browsers with different results.
The 3 fields Type, ICMP and Hostname are all colored yellow:

• Microsoft Edge 42.17134.1.0 / Internet Explorer v11.590.17134.0:
  

  http://ipv6-test.com/? : 15/20
  IPv6 connectivity:
  Type    6to4
  ICMP    Filtered
  Hostname    None
  
  Browser:
  Default    IPv4
  Fallback to IPv6 in < 1 second

  
  
• Google Chrome Version 72.0.3626.119 (Official Build) (32-bit)
  

  http://ipv6-test.com/? : 14/20
  IPv6 connectivity:
  Type    6to4
  ICMP    Filtered
  Hostname    None
  
  Browser:
  Default    IPv4
  Fallback    to IPv6 in 15 seconds

  
  
• Firefox 65.0.1 64-bit
  

  http://ipv6-test.com/? : 12/20
  IPv6 connectivity:
  Type    6to4
  ICMP     Filtered
  Hostname    None
  
  Browser:
  Default    IPv4
  Fallback    No

  
  

Thanks @kamoj. The fact that the two very first lines are blocking ICMPv6 is very encouraging.

Since the default policy for all chains is ACCEPT, I don't think that we even need custom rules. Deleting some of the default rules should do it.

I don't want to abuse your good will, but if you are willing to do another test, I think that we can get the ICMP tests to pass.

First, run the following command:

ip6tables -L --line-numbers

Output should give you line numbers for each rule. Even the ones that we can't see with -S due to the unloaded / missing custom kernel module.

Go ahead and delete every line that has anything to do with dropping ICMPv6 traffic. Example (line numbers may vary):

ip6tables -D INPUT 1
ip6tables -D INPUT 2
ip6tables -D FORWARD 5

Actually, the FORWARD rule capping ping requests to 5 times per second ain't that bad, but let's nuke it anyway just for the sake of testing.
Finally, run the IPv6 tests again and, unless NG is blocking ICMP in some other way, my expectation is that everything should work .