firewall-start script is not called at router startup


ryandesign

Occasional Visitor
I'm running asuswrt merlin 382.1_2 on my ASUS RT-AC3100 router, and I'm trying to write the scripts that will configure my vlans and ports the way I want.

I'm a little unclear on which commands should go in services-start and which belong in firewall-start but I've done my best to separate them correctly, following the advice in many other threads on this forum.

The problem is that when the router boots up, it never runs the firewall-start script, so that part of the configuration is not loaded. It does run the services-start script and it works correctly. If I manually run the firewall-start script it works correctly.

The contents of my scripts are not the problem, because the problem persists if I replace my scripts with one-liners that just log what they were invoked with. A log is created for services-start, and no log is created for firewall-start. The fact that services-start is being run is mentioned in syslog.log ("custom_script: Running /jffs/scripts/services-start"); firewall-start is not mentioned there.

In the web interface, under Advanced Settings, Firewall, it says the firewall is enabled. If I use the web interface to disable the firewall, the firewall-start script runs. If I use the web interface to enable the firewall again, the firewall-start script runs. It just doesn't run at startup.
 
How do you manually run it? with sh /jffs/scripts/firewall-start?
Then maybe the permissions are not set to be executable for services-start.
To set it for all scripts run the first, else the second command:
Code:
chmod a+rx /jffs/scripts/*
chmod a+rx /jffs/scripts/firewall-start
 
And shebang is #!/bin/sh, unless you have bash installed.
 
I once ran into an issue because of the way I was silencing stderr and stdout in a script called from firewall-start. Firewall-start would be executed leading to the custom script referenced inside being also executed, but once it reached the line with the code in question everything silently stopped and no further execution happened. Running the script manually never resulted in an issue but only when the system called the firewall-start script.

So it's possible you may be running into a similar issue. I suggest commenting out everything and having some dummy code inside, like a logger command; that way you can see if firewall-start is being executed in the first place or something else is causing it to fail.
 
The shebang line is correct. The scripts have UNIX line endings. The contents of the firewall-start script don't matter; the router does not run it at startup. The router does run it if I stop or start the firewall using the web interface.

I would post my sanity check script setup, but snbforums' cloudflare setup blocks my attempt to do so.
 
Upload it to pastebin and post the URL.
 
The problem was that I had not connected the router's WAN port to anything. Now that I've connected the WAN port to the Internet, the wan-start, nat-start and finally firewall-start scripts are running at startup.

The configuration I was working on had to do with local vlans and subnets and properly isolating them from each other. I had not expected to need to connect the WAN port to get the startup scripts to run. And it confused the issue that firewall-start does run if the firewall is stopped or started from the web interface, even when there is no WAN connection. And it's confusing that the web interface reports that the firewall is started, when apparently it is not. I'd like to add some information to the User-scripts wiki page about exactly when the firewall-start and nat-start scripts get run, but I don't know what to put.

Now that I understand that firewall-start doesn't happen at startup until after wan-start, maybe I need to rethink what's in firewall-start. I don't want the configuration of my local networks to be wrong if someday my Internet connection is not working.

As I said earlier, it has been somewhat unclear to me what to put in which script. What I settled on was to put iptables commands into firewall-start and everything else into services-start. But now I'm wanting to put the iptables commands that relate to the interconnections of my local networks into services-start. Is that acceptable / will that work? Or will the subsequent starting of the firewall overwrite those settings? If the latter, should I have services-start call firewall-start?
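An added example skeleton for /jffs/scripts/firewall-start (not from any poster in this thread) that combines the two points raised above: it logs every invocation so syslog shows whether the router actually called the script, and it adds the VLAN-isolation iptables rules only after an `iptables -C` check, so the same script can run at boot, on the web-UI firewall toggle, or by hand without stacking duplicate rules. The subnets and the IPTABLES override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example skeleton for /jffs/scripts/firewall-start (not from this thread).
# IPTABLES is overridable so the rule logic can be exercised without a real netfilter.
IPTABLES="${IPTABLES:-iptables}"
LOGTAG="firewall-start"

# Write a message to syslog (like the one-liner test discussed in the thread);
# fall back to stderr where logger is unavailable.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOGTAG" "$*"
    else
        echo "$LOGTAG: $*" >&2
    fi
}

# ensure_rule CHAIN RULE...: append RULE to CHAIN only if it is not already present.
# Returns 0 when the rule was added, 1 when it already existed, 2 on error.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -A "$chain" "$@" || return 2
    return 0
}

# Block forwarding between two VLAN subnets in both directions.
# Prints how many rules were newly added (0 on a repeat run), so the script is idempotent.
isolate_subnets() {
    a="$1"; b="$2"; added=0
    ensure_rule FORWARD -s "$a" -d "$b" -j DROP && added=$((added + 1))
    ensure_rule FORWARD -s "$b" -d "$a" -j DROP && added=$((added + 1))
    echo "$added"
}

main() {
    log_msg "invoked as $0 with args: $*"
    # Constructed example subnets; replace with your own VLAN ranges.
    n="$(isolate_subnets 192.168.10.0/24 192.168.20.0/24)"
    log_msg "isolation rules newly added: $n"
}

# Run main only when executed under the script's own name, so the functions can be
# sourced for testing without touching the live firewall.
case "$0" in
    */firewall-start|firewall-start) main "$@" ;;
esac
```

After a reboot, `grep firewall-start /tmp/syslog.log` then shows both whether the router invoked the script and how many rules it had to add.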
 
I don't know the details about the scripts not starting when no WAN is detected.
But I know that all user scripts except services-start only run at certain events and do so again if the status changes. services-start only runs once, at boot when services are ready.
post-mount or firewall-start run when devices are detected or the firewall is restarted, respectively.

In my ad-blocker I issue a "service restart_dnsmasq" in the post-mount script. This runs dnsmasq.postconf which has a link to a file on the mounted device to start the ad-blocking.
That linked file might not be available at the time the boot process runs dnsmasq.postconf, but the dnsmasq restart guarantees that the file's content gets processed.
You could do something similar.
 
Some clarification might be needed on the definition of the term "services". The User-scripts wiki page says services-start is called "after all other system services have been started"; I had assumed that the firewall was a service, but apparently it's not. What else on the router is "not a service" and might not be ready by the time services-start is called?

What is the firewall—what specific process or processes implement it? How can I tell if the firewall is running—can I just check whether those processes are running? Which postconf scripts would relate to the firewall?
 
What else on the router is "not a service" and might not be ready by the time services-start is called?

It's whatever Asus decides to put in the start_services() function, which contains a lot of calls.

Basically treat services-start as something that gets run once at boot time, after the initial router start has completed (so near the end of the boot process). The specifics will tend to change from version to version, so I can't be more precise.
 
