[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[mobileman88]

@john9527 After I upgraded to E4 from E2, my client list keeps showing as "0" even after 30 minutes. Is there a command line or something to reset the list?

 

[Santiago C]

Hi @john9527. I have just updated to 22E4 and for some reason in the System Log page the WAN Uptime is 0 (even showing the legend "WAN is down"). I am accessing my router from a remote location right now, so obviously my connection is up and running... What can I do to help out debugging what's behind that?

S

 

[john9527]

@john9527 After I upgraded to E4 from E2, my client list keeps showing as "0" even after 30 minutes. Is there a command line or something to reset the list?

I didn't change anything in networkmap between those levels. The only time I've seen this happen is when there's a misbehaving client creating an 'arp storm' that drives networkmap crazy (I have a SD HDHomeRun that likes to do this about every 6 months for some reason...a reboot of the HDHR fixes it).

To try and narrow it down, login to the router and enter
nvram set nmp_debug=1

then in the syslog, you'll see the arp entries and ip addresses being processed by networkmap.

afterwards
nvram unset nmp_debug
nvram commit

 

[john9527]

Hi @john9527. I have just updated to 22E4 and for some reason in the System Log page the WAN Uptime is 0 (even showing the legend "WAN is down"). I am accessing my router from a remote location right now, so obviously my connection is up and running... What can I do to help out debugging what's behind that?

S

Probably the 'fix' I tried to put in for the failure to do a failover in dual wan. It seems as if they may also use that code to recover from a 'false' WAN down detection. I'll take another look and see if there is something better I can do. (Now I know why Merlin never touches dual WAN ).

 

[octopus]

The state isn't updated until all the scripts are finished. So you can't check for state=2 from vpnclient1-route-up. Just run your script from route-up.
And back to my original comment.....make sure you undo anything you do in ip_vpn.sh that may affect the restart (added routes, iptables adds, etc) in a down script.
Here's a merge of a short bash script I wrote that polls the state along with a couple of lines from my syslog taken during a restart.

admin@AC68P-XXXXX:/tmp/home/root# /jffs/scripts/vpnstate.sh
vpn_client1_state=2 Mon Jan 16 03:57:52 GMT 2017
vpn_client1_state=0 Mon Jan 16 03:58:22 GMT 2017
vpn_client1_state=1 Mon Jan 16 03:58:22 GMT 2017
Jan 16 03:58:29 custom script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1558 10.1.xxx.xxx 10.1.xxx.xxx)
Jan 16 03:58:29 vpnclient1-route-up: start
Jan 16 03:58:33 vpnclient1-route-up: end
vpn_client1_state=2 Mon Jan 16 03:58:33 GMT 2017

After some testings a have new findings.
If I use:

route-up /jffs/configs/ip_vpn.sh

then updown.sh script not execute and introduce more trouble.
I must maually delete this rules to get intenet vpntunnel up: (vpn provider)

ip route delete 128.0.0.0/1
ip route delete 0.0.0.0/1

I don't know what to test now.

 

[john9527]

@octopus

That's because if you specify a route-up script you have to handle everything that is done by the scripts we include as part of the firmware (including a default route-up that gets called before the custom scripts).
What are you trying to accomplish with ip_vpn.sh? You shouldn't need to do anything with routes....it's all handled automatically by default (including deleting the two routes you said).

 

[René Buijs]

How do i know if i have a cloned mac adress and more important, how do i change it? and with everything off you mean everything... all computers and even routers and modem?

 

[octopus]

@john9527
The goal with this is: When openvpn1 is up and working, conected to vpnprovider.
Get end point ip-number with canufrank script nslookup.
Get ip and send it with my gmail program.
Must be a way to detect when openvpn1 is up and working, I do not know how.

#    this function and 3 vars are normally defined elsewhere (in a library )
    logerror(){ echo "$*"; }
    tun_if=tun11
    tun_p2p=10.105.1.5
    debugme=y

    curl11(){
        curl11=
        if [ -z "$tun_p2p" ]; then
            if ! get_ifip $tun_if tun_ip tun_pub tun_p2p; then
                logerror "Unable to send request"
                return 1
            fi
        fi
    
        local url="$1"
        local srv="$(echo "$1" |cut -d: -f2)"
        [ "${srv:0:2}" = // ] && srv="${srv:2}"
        srv="${srv%%/*}"

        local fn=/tmp/11-curl
        rm -f $fn

        nslookup "$srv" 2>/dev/null |grep -E "^Address " |while read line; do
            if [ "${line:11:3}" != 127 ]; then
                echo "$line" |cut -d" " -f3 >> $fn
            fi
        done
    
        if [ ! -s $fn ]; then
            logerror "Unable to resolve target address(es)"
            return 1
        fi
    
        local data=
        [ "$2" ] && data="-d \"$2\""

        while read line; do
            [ "$debugme" ] && echo "adding $line via $tun_p2p"
            ip route add "$line" via $tun_p2p dev $tun_if
        done < $fn
    
        [ "$debugme" ] && set -x
        curl11="$(curl --interface $tun_if $data "$1" 2> /dev/null)"
        { set +x; } 2>/dev/null
    
        while read line; do
            ip route del "$line" via $tun_p2p dev $tun_if
        done < $fn
    }

    curl11 checkip.dyndns.com
    echo "rc='$(echo "$curl11" |grep -oE "[0-9][0-9\.]+")'"
 
    curl11 http://ipecho.net/plain
    echo "rc='$curl11'"

 

[john9527]

@octopus
Anything special about your environment.....dual wan or double NAT?

 

[Martineau]

Get end point ip-number with canufrank script nslookup.

FYI.....on the latest RT-N66U firmware is @canufrank's script still required to retrieve the VPN endpoint WAN address?

nvram show | grep -E "productid|buildno|extendno"

buildno=374.43
productid=RT-N66U
extendno=2-22E4j9527

./VPN_Client_Switch.sh status

(VPN_Client_Switch.sh): 928 Request..... [status]
(VPN_Client_Switch.sh): 928 VPN Client Status:
(VPN_Client_Switch.sh): 928 Client 1 connected via 10.200.195.219 (VPN WAN I/P 212.38.xxx.xxx) (ovpnc1)

curl http://ipecho.net/plain;echo
92.xxx.xxx.xxx

curl --interface tun11 http://ipecho.net/plain;echo
212.38.xxx.xxx

 

[octopus]

@octopus
Anything special about your environment.....dual wan or double NAT?

No, Single Wan and Nat.

FYI.....on the latest RT-N66U firmware is @canufrank's script still required to retrieve the VPN endpoint WAN address?

nvram show | grep -E "productid|buildno|extendno"
buildno=374.43
productid=RT-N66U
extendno=2-22E4j9527

./VPN_Client_Switch.sh status

(VPN_Client_Switch.sh): 928 Request..... [status]
(VPN_Client_Switch.sh): 928 VPN Client Status:
(VPN_Client_Switch.sh): 928 Client 1 connected via 10.200.195.219 (VPN WAN I/P 212.38.xxx.xxx) (ovpnc1)
curl http://ipecho.net/plain;echo
92.xxx.xxx.xxx
curl --interface tun11 http://ipecho.net/plain;echo
212.38.xxx.xxx

Thank you @Martineau
I must admit i don't have tested: curl --interface tun11 http://ipecho.net/plain;echo
But it seems to work. I must test and se if I can get everything to work now.
I let you know later on.

Octopus

 

[john9527]

FYI.....on the latest RT-N66U firmware is @canufrank's script still required to retrieve the VPN endpoint WAN address?

That's why I asked about his environment. In a basic setup you can get the VPN IP address with

- a command
ip route show table ovpnc1 | grep "via `nvram get wan0_gateway`" | awk -F' ' '{ print $1 }'

- if you are running within a script started by OpenVPN (like openvpn-event) from the environment var set by OpenVPN
$trusted_ip

and finally, I also tried your curl command which also works. I think this used to fail, but I can't think of what may changed to make it work now.
curl --interface tun11 http://ipecho.net/plain;echo

IIRC there was some special requirement that led to the canufrank script.

 

[sbailey4]

How do i know if i have a cloned mac adress and more important, how do i change it? and with everything off you mean everything... all computers and even routers and modem?

See Collins reply just below yours Here. You look whats there and see if that is your workstations mac. Then clone it if you wish using the button there. If you hover your mouse over the setting description you can see more info about it. Oh and router and modem is what he is referring to turning off but certainly all workstations is ok too.

 

[octopus]

That's why I asked about his environment. In a basic setup you can get the VPN IP address with

- a command
ip route show table ovpnc1 | grep "via `nvram get wan0_gateway`" | awk -F' ' '{ print $1 }'

- if you are running within a script started by OpenVPN (like openvpn-event) from the environment var set by OpenVPN
$trusted_ip

and finally, I also tried your curl command which also works. I think this used to fail, but I can't think of what may changed to make it work now.
curl --interface tun11 http://ipecho.net/plain;echo

IIRC there was some special requirement that led to the canufrank script.

This doesn't get same output in my environment.
Therefore I tried to use canufrank script.
When I tested at same time that scripts creates its not working.
Probably curl several updates fixes that.

ip route show table ovpnc1 | grep "via `nvram get wan0_gateway`" | awk -F' ' '{ print $1 }'
curl --interface tun11 http://ipecho.net/plain;echo

 

[john9527]

This doesn't get same output in my environment.
Therefore I tried to use canufrank script.

What do you get? I just tested all three methods and get the same result for all three. I'm sorry, but there is something unusual in your environment that I don't know.

EDIT: Are you using policy based routing?

 

[Martineau]

@john9527
The goal with this is: When openvpn1 is up and working, conected to vpnprovider.
Get end point ip-number with canufrank script nslookup.
Get ip and send it with my gmail program.
Must be a way to detect when openvpn1 is up and working, I do not know how.

Do these fragments of my scripts help?

VPNClient1_route-up.sh

#!#bin/sh

Say(){
   logger -st "($(basename $0))" $$ $@
}

Say "Requesting 'ip_vpn.sh' script for" $dev
/jffs/scripts/ip_vpn.sh $dev &

ip_vpn.sh

#!/bin/sh

Say(){
   logger -st "($(basename $0))" $$ $@
}

Send_Mail(){
 Say "Send e-mail: VPN Client" $1 "WAN IP address is" $2
}

Check_VPNState(){

   local i=0
   local OK=0
   local VPNTAG=`grep -i "11"$1 /etc/iproute2/rt_tables | awk '{print $2}'`
 
   if [ "$2" = "2" ]; then
      local WSTATE="connect"
   fi
   if [ "$2" = "0" ]; then
      local WSTATE="disconnect"
   fi
   Say "Waiting for VPN Client" $1 "("$VPNTAG") to" $WSTATE"....."
   while [ $i -lt 60 ]; do
     sleep 1
     #Say "**DEBUG: Waiting for VPN Client" $1 "to" $WSTATE"....." $i
     if [ "$(nvram get "vpn_client"$1"_state")" = "$2" ];then
        OK="1"
        break
     fi
     i=$(($i + 1))
   done
   if [ "$OK" = "1" ];then
      Say "VPN Client" $1 "("$VPNTAG")" $WSTATE"'d in" $i "secs"
      echo $2          # Return whatever NVRAM state was requested to be matched e.g. '2' ('connected') or '0' ('disconnected')
      return 0
   else
      Say "***ERROR*** VPN Client" $1 "("$VPNTAG") FAILED to" $WSTATE "after" $i "secs"
      echo -e "\a?"    #  Return '?' ('unknown') neither 'connected' nor 'disconnected'
      return 1
   fi
}

DEV=$1
VPN_ID=${DEV:4:1}
CONNECTED=2
DISCONNECTED=0

Say "Identifying VPN Client" $VPN_ID "WAN address and e-mail......."

if [ $(Check_VPNState $VPN_ID $CONNECTED) = $CONNECTED ]; then

 VPN_WANIP=`curl -s --interface "tun1"$VPN_ID "http://ipecho.net/plain"`
 
 Send_Mail $VPN_ID $VPN_WANIP
else
 Say "***ERROR VPN not connected?"
fi

Spoiler: Syslog extract

Jan 16 20:28:05 openvpn[7241]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.200.198.1,ping 9,ping-restart 30,route-gateway 10.200.198.1,topology subnet,redirect-gateway def1,ifconfig-ipv6 2001:db8:123::2/64 2001:db8:123::1,route-ipv6 2000::/3 2001:db8:123::1,explicit-exit-notify 2,ifconfig 10.200.198.220 255.255.255.0'
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: route options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: route-related options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 16 20:28:05 openvpn[7241]: TUN/TAP device tun11 opened
Jan 16 20:28:05 openvpn[7241]: TUN/TAP TX queue length set to 100
Jan 16 20:28:05 openvpn[7241]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=1
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 212.38.170.66/32 via xxx.xxx.xxx.xxx
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 0.0.0.0/1 via 10.200.198.1
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 128.0.0.0/1 via 10.200.198.1
Jan 16 20:28:08 openvpn[7241]: add_route_ipv6(): not adding 2000::/3, no IPv6 on if tun11
Jan 16 20:28:08 openvpn-routing: Configuring policy rules for client 1
Jan 16 20:28:08 openvpn-routing: Creating VPN routing table
Jan 16 20:28:08 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from VPN table
Jan 16 20:28:08 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from VPN table
Jan 16 20:28:08 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from table main
Jan 16 20:28:08 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from table main
Jan 16 20:28:08 openvpn-routing: Completed routing policy configuration for client 1
Jan 16 20:28:08 custom script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1559 10.200.198.220 )
Jan 16 20:28:08 (openvpn-event): 7308 Trigger for tun11 event=route-up [tun11 1500 1559 10.200.198.220]
Jan 16 20:28:08 (VPNClient1_route-up.sh): 7315 Requesting 'ip_vpn.sh' script for tun11
Jan 16 20:28:08 (openvpn-event): 7308 Complete.
Jan 16 20:28:08 openvpn[7241]: Initialization Sequence Completed
Jan 16 20:28:08 (ip_vpn.sh): 7318 Identifying VPN Client 1 WAN address and e-mail.......
Jan 16 20:28:08 (ip_vpn.sh): 7318 Waiting for VPN Client 1 (ovpnc1) to connect.....
Jan 16 20:28:09 (ip_vpn.sh): 7318 VPN Client 1 (ovpnc1) connect'd in 0 secs
Jan 16 20:28:09 (ip_vpn.sh): 7318 Send e-mail: VPN Client 1 WAN IP address is 212.38.170.113

 

[Trebuin]

John,
I figured I'd give you an update. The power supply actually brought the temps down, but it seems that the instability is still there. I'm going to flash the firmware one more time & if it fails, it's done. I found out that my upgrade to the AC3200 actually covers my house, though I'm forced to put 6 more devices onto the wifi & it's covering around 30+ items. It's holding up, but I'm putting a load on it. I'll end up with one of the Mesh devices in the end, but likely will have to use the 3200 as the USB server as non of the meshes with a backhaul design has a usb 3.0+ port, only 2.0 if they even have one.

 

[octopus]

Thank you @Martineau
Appreciate your script and help. I will testing coming days.
Octopus

Do these fragments of my scripts help?

VPNClient1_route-up.sh

#!#bin/sh

Say(){
   logger -st "($(basename $0))" $$ $@
}

Say "Requesting 'ip_vpn.sh' script for" $dev
/jffs/scripts/ip_vpn.sh $dev &

ip_vpn.sh

#!/bin/sh

Say(){
   logger -st "($(basename $0))" $$ $@
}

Send_Mail(){
 Say "Send e-mail: VPN Client" $1 "WAN IP address is" $2
}

Check_VPNState(){

   local i=0
   local OK=0
   local VPNTAG=`grep -i "11"$1 /etc/iproute2/rt_tables | awk '{print $2}'`
 
   if [ "$2" = "2" ]; then
      local WSTATE="connect"
   fi
   if [ "$2" = "0" ]; then
      local WSTATE="disconnect"
   fi
   Say "Waiting for VPN Client" $1 "("$VPNTAG") to" $WSTATE"....."
   while [ $i -lt 60 ]; do
  sleep 1
  #Say "Waiting for VPN Client" $1 "to" $WSTATE"....." $i
  if [ "$(nvram get "vpn_client"$1"_state")" = "$2" ];then
     OK="1"
     break
  fi
  i=$(($i + 1))
   done
   if [ "$OK" = "1" ];then
   Say "VPN Client" $1 "("$VPNTAG")" $WSTATE"'d in" $i "secs"
   if [ "$WSTATE" == "connect" ]; then
    # Update /jffs/configs/dnsmasq.conf.add with new HMA DNS for any VPNxDomains
    if [ -f /jffs/scripts/VPN_DNS_Update.sh ] && [ -f /jffs/configs/dnsmasq.conf.add ];then
      sh /jffs/scripts/VPN_DNS_Update.sh $1
    else
     Say "**Warning Skipping '/jffs/configs/dnsmasq.conf.add' DNS updates for VPN Client" $1 "("$VPNTAG")"
    fi
   fi
   echo "2"
   else
   echo -e " "
   Say "***ERROR*** VPN Client" $1 "("$VPNTAG") FAILED to" $WSTATE "after" $i "secs"
   echo -e "\a?"
   fi
}

DEV=$1
VPN_ID=${DEV:4:1}
CONNECTED=2
DISCONNECTED=0

Say "Identifying VPN Client" $VPN_ID "WAN address and e-mail......."

if [ $(Check_VPNState $VPN_ID $CONNECTED) = $CONNECTED ]; then

 VPN_WANIP=`curl -s --interface "tun1"$VPN_ID "http://ipecho.net/plain"`
 
 Send_Mail $VPN_ID $VPN_WANIP
else
 Say "***ERROR VPN not connected?"
fi

Spoiler: Syslog extract

Jan 16 20:28:05 openvpn[7241]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.200.198.1,ping 9,ping-restart 30,route-gateway 10.200.198.1,topology subnet,redirect-gateway def1,ifconfig-ipv6 2001:db8:123::2/64 2001:db8:123::1,route-ipv6 2000::/3 2001:db8:123::1,explicit-exit-notify 2,ifconfig 10.200.198.220 255.255.255.0'
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: route options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: route-related options modified
Jan 16 20:28:05 openvpn[7241]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 16 20:28:05 openvpn[7241]: TUN/TAP device tun11 opened
Jan 16 20:28:05 openvpn[7241]: TUN/TAP TX queue length set to 100
Jan 16 20:28:05 openvpn[7241]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=1
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 212.38.170.66/32 via xxx.xxx.xxx.xxx
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 0.0.0.0/1 via 10.200.198.1
Jan 16 20:28:08 openvpn[7241]: /usr/sbin/ip route add 128.0.0.0/1 via 10.200.198.1
Jan 16 20:28:08 openvpn[7241]: add_route_ipv6(): not adding 2000::/3, no IPv6 on if tun11
Jan 16 20:28:08 openvpn-routing: Configuring policy rules for client 1
Jan 16 20:28:08 openvpn-routing: Creating VPN routing table
Jan 16 20:28:08 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from VPN table
Jan 16 20:28:08 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from VPN table
Jan 16 20:28:08 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from table main
Jan 16 20:28:08 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from table main
Jan 16 20:28:08 openvpn-routing: Completed routing policy configuration for client 1
Jan 16 20:28:08 custom script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1559 10.200.198.220 )
Jan 16 20:28:08 (openvpn-event): 7308 Trigger for tun11 event=route-up [tun11 1500 1559 10.200.198.220]
Jan 16 20:28:08 (VPNClient1_route-up.sh): 7315 Requesting 'ip_vpn.sh' script for tun11
Jan 16 20:28:08 (openvpn-event): 7308 Complete.
Jan 16 20:28:08 openvpn[7241]: Initialization Sequence Completed
Jan 16 20:28:08 (ip_vpn.sh): 7318 Identifying VPN Client 1 WAN address and e-mail.......
Jan 16 20:28:08 (ip_vpn.sh): 7318 Waiting for VPN Client 1 (ovpnc1) to connect.....
Jan 16 20:28:09 (ip_vpn.sh): 7318 VPN Client 1 (ovpnc1) connect'd in 0 secs
Jan 16 20:28:09 (ip_vpn.sh): 7318 **Warning Skipping '/jffs/configs/dnsmasq.conf.add' DNS updates for VPN Client 1 (ovpnc1)
Jan 16 20:28:09 (ip_vpn.sh): 7318 Send e-mail: VPN Client 1 WAN IP address is 212.38.170.113

 

[mobileman88]

I didn't change anything in networkmap between those levels. The only time I've seen this happen is when there's a misbehaving client creating an 'arp storm' that drives networkmap crazy (I have a SD HDHomeRun that likes to do this about every 6 months for some reason...a reboot of the HDHR fixes it).

To try and narrow it down, login to the router and enter
nvram set nmp_debug=1

then in the syslog, you'll see the arp entries and ip addresses being processed by networkmap.

afterwards
nvram unset nmp_debug
nvram commit

Thanks. Shall turn on debug and see what's going on. Running the arp command in the shell shows multiple "bogon" lines with MAC and no IP addresses strangely. And this is for my devices like 2 IP cameras and a Windows 10 client. Not sure what might be causing this.

 

[octopus]

What do you get? I just tested all three methods and get the same result for all three. I'm sorry, but there is something unusual in your environment that I don't know.

EDIT: Are you using policy based routing?

@john9527
Thank you for your help.
Yes Im using policy base routing on tun11.
Octopus