
Firewall Logged packets causes high usage/ping

Yes, just tested it. If you're port forwarding you need this:

iptables -I FORWARD -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-level 1 --log-prefix "WOL "

If you don't specify your WAN interface (-i eth0) your syslog could become flooded with LAN entries.

Wonderful! This seems to do the trick and now it is showing.
I also changed the WOL script to use WOL in the text; just tested and it works perfectly!

How can I be sure that this rule is not removed? Every time I add a PORTFWD in the webui it removes this rule again.

Thanks all. I will be creating a FAQ on the page to ensure this is used instead of the other one, because logging all ACCEPTED connections makes the router use too many resources.
 
Put the rule in firewall-start script
 

I added the file and put the following in it:
iptables -I FORWARD -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-level 1 --log-prefix "WOL "

However, it does not seem to re-add the rule after a reboot or a change in PORTFWD.

Thanks.
 
Did you add the mandatory first line?
Code:
#!/bin/sh

iptables -I FORWARD -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-level 1 --log-prefix "WOL "
 
Thanks. But it's still not adding on reboot or on any changes in PORTFWD.

Code:
#!/bin/sh

iptables -I FORWARD -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-prefix "WOL "

The file is also executable.

If I add it manually, it shows in iptables -L.
 
How are you creating the script? If you're using a Windows editor you will have to issue the following command:

dos2unix /jffs/scripts/firewall-start

Have you enabled custom scripts on Administration > System? Do you see the message in the syslog telling you that it is executing the custom script?

PS. Did you see my note about adding -i eth0
 
How are you creating the script? If you're using a Windows editor you will have to issue the following command:

dos2unix /jffs/scripts/firewall-start
I was using Notepad++. To be sure, I ran the command and checked again; it is working now... I never had this before; it must be because I copied it from my desktop via RDP to the server and then added it in the terminal.

Have you enabled custom scripts on Administration > System? Do you see the message in the syslog telling you that it is executing the custom script?
Yes, I am also using a Wake on LAN script which is loaded through service-start, and the option is enabled.
I do, however, never see scripts loaded in the syslog... Do you know how to enable that?


PS. Did you see my note about adding -i eth0
Yes, I removed it so I am able to WOL at home also :). 8088 is only for WOL, other ports are FWD to the server ;-).
 
Well you got it working which is the main thing. :)

You might want to check what the setting for new files is in Notepad++, just in case it is still at the default, which is Windows.

It's possible that the syslog message doesn't appear in Merlin's firmware (I'm using John's). I know there is a difference, but I thought there was something similar.
 
I can't recall seeing a message for scripts. Adding
Code:
logger "Running XXX script"
to your script will generate an entry however.
 
Hey @Jack Yaz and @ColinTaylor, I really appreciate your help on this. Everything is running as it should and it will not affect the router's performance.

As mentioned, I will add a new FAQ based on WOL with FWD ports to ensure other people don't have the same issue :)
 
Out of interest, does this work with Logged packets set to off? If so, I may deploy something similar!
 
Bump. Does Merlin's script need to be modified somehow, when using it in combination with the firewall-start file described above?

I've got Merlin's script working nicely but it results in an unnecessary amount of logging, as I only need to monitor two specific ports a couple of times a day at max. Adding the firewall-start file and disabling accepted packets logging in the router didn't seem to work.
 
@Uoppi You need to change the script so that it matches "WOL" instead of "ACCEPT".
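Putting the two halves of the thread together (the firewall-start script discussed above, and changing the watcher to match "WOL " instead of ACCEPT), here is a self-contained example. It is added here and is neither Merlin's WOL script nor code posted by anyone in this thread. Assumptions: Asuswrt-Merlin passes the WAN interface name to firewall-start as its first argument (eth0 is used as a fallback), port 8088 and the "WOL " prefix are taken from the thread, the syslog lines are constructed in the netfilter LOG format purely for illustration, and sending the magic packet is left to the existing WOL script.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin. Not Merlin's
# own WOL script and not code from this thread. Assumptions: the firmware passes
# the WAN interface as $1 (fallback eth0); port 8088 and the "WOL " prefix come
# from the thread; sample syslog lines below are constructed.

WOL_PORT=8088
WOL_PREFIX="WOL "          # netfilter caps --log-prefix at 29 characters

# Run iptables with the WOL LOG rule. $1 is the action (-I insert, -D delete),
# $2 the WAN interface. Keeping the whole rule in one function avoids the
# word-splitting trouble that a prefix containing a space causes in plain sh.
wol_log_rule() {
    iptables "$1" FORWARD -i "$2" -p tcp -m tcp --dport "$WOL_PORT" \
        -m state --state NEW -j LOG --log-level 1 --log-prefix "$WOL_PREFIX"
}

# Install the rule exactly once: drop any earlier copies first (a manual re-run
# would otherwise stack duplicates), then insert at the top of FORWARD so it
# fires before the firmware's own ACCEPT for the port forward. The logger call
# gives the syslog confirmation the thread asked about.
install_wol_log_rule() {
    wan_if="${1:-eth0}"
    while wol_log_rule -D "$wan_if" 2>/dev/null; do :; done
    wol_log_rule -I "$wan_if"
    logger -t firewall-start "WOL LOG rule installed on $wan_if port $WOL_PORT"
}

# Matching logic for the WOL watcher: read syslog lines on stdin, keep only the
# kernel lines carrying our prefix (not the ACCEPT lines the default script
# matches), and print "DST DPT" for each hit, i.e. the LAN host that was hit.
wol_hits_from_log() {
    awk '/kernel: WOL / {
            dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst != "" && dpt != "") print dst, dpt
        }'
}

# Constructed sample of what /tmp/syslog.log would contain: one ACCEPT line from
# a LAN client (must be ignored) and two WAN hits on the forwarded WOL port.
sample_syslog() {
    cat <<'EOF'
Jan  1 12:00:00 RT-AC86U kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=44321 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 12:00:01 RT-AC86U kernel: WOL IN=eth0 OUT=br0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51234 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 12:00:02 RT-AC86U kernel: WOL IN=eth0 OUT=br0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51235 DPT=8088 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Only touch iptables when the firmware runs this file as the firewall-start
# hook; when sourced under another name, the functions are merely defined.
if [ "${0##*/}" = "firewall-start" ]; then
    install_wol_log_rule "$@"
fi
```

Save it as /jffs/scripts/firewall-start, make it executable, run dos2unix on it if it was edited on Windows, and make sure custom scripts are enabled under Administration > System, as the thread already covers. The watcher only needs `wol_hits_from_log` in place of its ACCEPT match; the -i restriction on the rule means LAN-side hits on 8088 are not logged, which is the trade-off discussed above.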

Argh, I had already tried substituting ACCEPT with both WOL and FORWARD a few hours ago, but something must have gone wrong because testing failed. The main thing, though, is that now it works! This is an awesome solution: no need for static ARPs, opening 9 UDP ports or VPN tunnels, when all I want is to get my HTPC awake when I launch BubbleUPnP. Thanks! :)
 
BTW, what do you think, would it compromise the RT-AC86U's performance, if the loop interval was reduced from 5 to, say, 2 seconds (in order to initiate WOL quicker)? Would it be worth it just to shave off a few seconds? With its 1.8GHz dual core, I would assume the router would handle it with ease.
 
2 seconds should be fine.
 
