[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

After /usr/bin/killall -s USR1 dnsmasq:
Code:
Mar 27 23:43:22 dnsmasq[552]: time 89079
Mar 27 23:43:22 dnsmasq[552]: cache size 1500, 0/19 cache insertions re-used unexpired cache entries.
Mar 27 23:43:22 dnsmasq[552]: queries forwarded 11209, queries answered locally 390
Mar 27 23:43:22 dnsmasq[552]: DNSSEC memory in use 88, max 88, allocated 149996
Mar 27 23:43:22 dnsmasq[552]: server 127.0.0.1#65053: queries sent 11209, retried or failed 3872
with
Code:
# cat /etc/dnscrypt-proxy1.conf
Daemonize yes
LocalAddress 127.0.0.1:65053
LogLevel 6
ResolversList /jffs/etc/dnscrypt-resolvers.csv
ResolverName cisco-familyshield
SyslogPrefix dnscrypt-proxy1
PidFile /var/run/dnscrypt-proxy1.pid
IgnoreTimestamps no
BlockIPv6 no
Btw, applying settings after enabling both dnscrypt servers doesn't add new server option to /etc/dnsmasq.conf
Reboot is still needed to rebuild dnsmasq.conf
Where do I start.....
Caching isn't working and you are getting a 35% failure rate. I don't know if this is an artifact of using a 'familyshield' filtering resolver?

But first thing to try...cisco-familyshield is NOT a dnssec enabled server, yet you have dnssec enabled. So disable dnssec (if you have dnssec enabled you should choose a server that has 'w/DNSSEC' in its name).

I enabled cisco-familyshield as my server, and I could never use it. It blocks about half of some pages (foxnews.com for example), and it sporadically resolves my VPN provider as 'hit-adult.opendns.com'?????

I can't recreate any problems with changing/adding resolvers. I've been adding and removing them for testing without any problem.

If turning off dnssec doesn't help, you may have something corrupted in nvram and need to do a factory reset and reconfigure.
 
I have 2 Ac66u routers. One is my router the other set up as an access point. I have had this firmware on them for years and sort of kept them up to date. One was 23E and the other I think was 27E.

I recently updated both of them to the latest firmware 31E and have been having a couple issues.

The WiFi seems to be getting locked up and my wired devices show “no internet access” yet I DO have internet access.

Should I do a factory reset on both router and access point?
 
my wired devices show “no internet access” yet I DO have internet access.
Let's start with this one.....you get the 'no internet access' message if you are unable to ping dns.msftncsi.com

So check your DNS servers. Also, do you have any 'Windows telemetry/privacy blocking' addons installed? Those will often incorrectly block some Microsoft domains.
 
Let's start with this one.....you get the 'no internet access' message if you are unable to ping dns.msftncsi.com

So check your DNS servers. Also, do you have any 'Windows telemetry/privacy blocking' addons installed? Those will often incorrectly block some Microsoft domains.

I used the program O&O ShutUp 10 and use the recommended settings on that, which turns off the Windows telemetry. However, I was using that before with the old firmware and never had this issue.

I am at work right now and cannot run the ping command, but I did the first time it happened and it couldn’t reach dns.msftncsi.com, nor could I load the msftncsi.com webpage.

A little more background information:

I merged these two routers from different locations. The main router has been on the network since I bought it. The access point came from my girlfriend's apartment with a different provider. I had to change the IP address and SSID on the access point for it to work on my new network, and it is set up in AP mode. Setting up in AP mode doesn't let me set a DNS server on the AP. And I didn't specify a DNS server on the router.

Neither router had any issue on their separate networks, and that's why I was wondering if a factory reset might clear things up.

Thanks for your response.
 
The following routers were released after the base code used for this fork was available, and are NOT supported.
  • AC87U, AC3100, AC3200, AC88U, AC5300 (and the retail R versions)

Don't forget the AC86U too. Perhaps put 'NOT' in Red. :)
Also I've been on 380 w/ AC66U without any issues. What are the benefits of this fork for that device? (not B1)
 
Setting up in AP mode doesn’t let me set a DNS server on the AP.
That's normal...

And I didn’t specify a DNS server on the router.
Not normal.... unless you left the Connect Automatically button checked. In that case, it is using ASUS DNS providers.

Set up a DNS server on your WAN settings page. Select the Connect Automatically button to NO.
Then in DNS1 input IBM's Quad9 DNS service 9.9.9.9 (this is also DNSSEC compliant)
Or, you can try Google's DNS service 8.8.8.8

Quad9 is a robust, secure DNS provider. Check it out: https://quad9.net/
 
That's normal...


Not normal.... unless you left the Connect Automatically button checked. In that case, it is using ASUS DNS providers.

Set up a DNS server on your WAN settings page. Select the Connect Automatically button to NO.
Then in DNS1 input IBM's Quad9 DNS service 9.9.9.9 (this is also DNSSEC compliant)
Or, you can try Google's DNS service 8.8.8.8

Quad9 is a robust, secure DNS provider. Check it out: https://quad9.net/

I changed my DNS1 on the router to 9.9.9.9 and DNS2 to 8.8.8.8. I reserved the IP I wanted for the AP from the router. Selected auto detect for IP and DNS on the AP, and tried to ping dns.msftncsi.com from all computers; all timed out. However, the yellow triangle is gone now.

Also, it looks like dns.msftncsi.com might be down: https://downforeveryoneorjustme.com/dns.msftncsi.com
 
Code:
Mar 31 11:41:21 dnsmasq[577]: time 133361
Mar 31 11:41:21 dnsmasq[577]: cache size 1500, 0/29680 cache insertions re-used unexpired cache entries.
Mar 31 11:41:21 dnsmasq[577]: queries forwarded 15905, queries answered locally 959
Mar 31 11:41:21 dnsmasq[577]: DNSSEC memory in use 88, max 88, allocated 149996
Mar 31 11:41:21 dnsmasq[577]: server 127.0.0.1#65053: queries sent 13382, retried or failed 1951
Mar 31 11:41:21 dnsmasq[577]: server 127.0.0.1#65054: queries sent 10973, retried or failed 3065
These are for cisco and cisco-familyshield both enabled. Is that abnormal?
"Strict DNSSEC enforcement" AND "Enable DNSSEC support" are both enabled.
Somewhat rare Chrome can't resolve hostnames.
Anyway I'll try other servers.
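The replies in this thread read the upstream failure share straight off these dnsmasq statistics lines (the "retried or failed" count against "queries sent", which is where the earlier "35% failure rate" comes from). As an added example, not code from the thread or from the firmware, here is a small Python parser for the statistics dumps from this post and from the earlier one, computing the per-upstream failure share and flagging upstreams above a threshold. The log text is copied from the thread; the 25% threshold is an assumed value.

```python
import re

# Statistics lines copied from two posts in the thread (dnsmasq writes them to
# syslog after `killall -s USR1 dnsmasq`). The only upstreams are the
# dnscrypt-proxy listeners on 127.0.0.1.
LOG_MAR27 = """\
Mar 27 23:43:22 dnsmasq[552]: time 89079
Mar 27 23:43:22 dnsmasq[552]: cache size 1500, 0/19 cache insertions re-used unexpired cache entries.
Mar 27 23:43:22 dnsmasq[552]: queries forwarded 11209, queries answered locally 390
Mar 27 23:43:22 dnsmasq[552]: DNSSEC memory in use 88, max 88, allocated 149996
Mar 27 23:43:22 dnsmasq[552]: server 127.0.0.1#65053: queries sent 11209, retried or failed 3872
"""
LOG_MAR31 = """\
Mar 31 11:41:21 dnsmasq[577]: time 133361
Mar 31 11:41:21 dnsmasq[577]: cache size 1500, 0/29680 cache insertions re-used unexpired cache entries.
Mar 31 11:41:21 dnsmasq[577]: queries forwarded 15905, queries answered locally 959
Mar 31 11:41:21 dnsmasq[577]: DNSSEC memory in use 88, max 88, allocated 149996
Mar 31 11:41:21 dnsmasq[577]: server 127.0.0.1#65053: queries sent 13382, retried or failed 1951
Mar 31 11:41:21 dnsmasq[577]: server 127.0.0.1#65054: queries sent 10973, retried or failed 3065
"""

CACHE_RE = re.compile(r"cache size (\d+), (\d+)/(\d+) cache insertions re-used unexpired")
FORWARD_RE = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")
SERVER_RE = re.compile(r"server (\S+): queries sent (\d+), retried or failed (\d+)")


def summarize(log, fail_threshold=0.25):
    """Parse one dnsmasq statistics dump into the numbers worth alerting on.

    fail_threshold is an assumed value: upstreams whose 'retried or failed'
    share of 'queries sent' exceeds it are listed under 'flagged'.
    """
    stats = {"servers": {}, "flagged": []}
    for line in log.splitlines():
        if m := CACHE_RE.search(line):
            # x/y: x insertions had to evict a still-valid entry out of y insertions
            stats["cache_size"] = int(m.group(1))
            stats["evicted_unexpired"] = int(m.group(2))
            stats["insertions"] = int(m.group(3))
        elif m := FORWARD_RE.search(line):
            forwarded, local = int(m.group(1)), int(m.group(2))
            total = forwarded + local
            stats["forwarded"], stats["answered_locally"] = forwarded, local
            # share of queries dnsmasq answered itself (cache, hosts file, config)
            stats["local_share"] = round(local / total, 3) if total else 0.0
        elif m := SERVER_RE.search(line):
            name, sent, failed = m.group(1), int(m.group(2)), int(m.group(3))
            rate = round(failed / sent, 3) if sent else 0.0
            stats["servers"][name] = {"sent": sent, "failed": failed, "fail_rate": rate}
            if rate > fail_threshold:
                stats["flagged"].append(name)
    return stats


if __name__ == "__main__":
    for label, log in (("Mar 27", LOG_MAR27), ("Mar 31", LOG_MAR31)):
        s = summarize(log)
        print(label, "local share", s["local_share"], "flagged upstreams", s["flagged"])
        for name, v in s["servers"].items():
            print("  ", name, v)
```

Run it against a fresh dump (`logread | grep dnsmasq` after the USR1 signal) to compare upstreams side by side; in the Mar 31 dump the cisco-familyshield listener on port 65054 is the one that crosses the threshold.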
 
Where do I start.....

But first thing to try...cisco-familyshield is NOT a dnssec enabled server, yet you have dnssec enabled. So disable dnssec (if you have dnssec enabled you should choose a server that has 'w/DNSSEC' in its name).
Should I try turning off "Strict DNSSEC enforcement", or "Enable DNSSEC support" or both?
 
I've been losing IPv6 again on V30E2 and it persists after upgrading to V31E6.

The device is sending DHCPv6 solicits but not responding to neighbour solicitations from my upstream router even though "Filter neighbor solicitations" is unset. As a result it's not getting a DHCPv6 response.

Sometimes toggling the option would fix the problem but it doesn't seem to work any more.

Code:
admin@router:/tmp/home/root# nvram show | grep neigh
size: 44119 bytes (21417 left)
ipv6_neighsol_drop=0
admin@router:/tmp/home/root# /mnt/sda1/tcpdump.sh -i vlan2 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes
05:06:06.935582 IP6 fe80::16dd:a9ff:fe8d:4838.546 > ff02::1:2.547: dhcp6 solicit
        0x0000:  6000 0000 0059 1101 fe80 0000 0000 0000  `....Y..........
        0x0010:  16dd a9ff fe8d 4838 ff02 0000 0000 0000  ......H8........
        0x0020:  0000 0000 0001 0002 0222 0223 0059 63ae  .........".#.Yc.
        0x0030:  013a 9ebc 0001 000a 0003 0001 14dd a98d  .:..............
        0x0040:  4838 000e 0000 0008 0002 626b 0006 0004  H8........bk....
        0x0050:  0017 0018 0019 0029 000d 4838 0000 0000  .......)..H8....
        0x0060:  0000 0000 001a 0019 ffff ffff ffff ffff  ................
        0x0070:  4000 0000 0000 0000 0000 0000 0000 0000  @...............
        0x0080:  00                                       .
05:06:06.968107 IP6 fe80::2e95:69ff:fe3c:8a30 > ff02::1:ff8d:4838: ICMP6, neighbor solicitation, who has fe80::16dd:a9ff:fe8d:4838, length 32
        0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
        0x0010:  2e95 69ff fe3c 8a30 ff02 0000 0000 0000  ..i..<.0........
        0x0020:  0000 0001 ff8d 4838 8700 eb30 0000 0000  ......H8...0....
        0x0030:  fe80 0000 0000 0000 16dd a9ff fe8d 4838  ..............H8
        0x0040:  0101 2c95 693c 8a30                      ..,.i<.0
05:06:07.970057 IP6 fe80::2e95:69ff:fe3c:8a30 > ff02::1:ff8d:4838: ICMP6, neighbor solicitation, who has fe80::16dd:a9ff:fe8d:4838, length 32
        0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
        0x0010:  2e95 69ff fe3c 8a30 ff02 0000 0000 0000  ..i..<.0........
        0x0020:  0000 0001 ff8d 4838 8700 eb30 0000 0000  ......H8...0....
        0x0030:  fe80 0000 0000 0000 16dd a9ff fe8d 4838  ..............H8
        0x0040:  0101 2c95 693c 8a30                      ..,.i<.0
05:06:08.972136 IP6 fe80::2e95:69ff:fe3c:8a30 > ff02::1:ff8d:4838: ICMP6, neighbor solicitation, who has fe80::16dd:a9ff:fe8d:4838, length 32
        0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
        0x0010:  2e95 69ff fe3c 8a30 ff02 0000 0000 0000  ..i..<.0........
        0x0020:  0000 0001 ff8d 4838 8700 eb30 0000 0000  ......H8...0....
        0x0030:  fe80 0000 0000 0000 16dd a9ff fe8d 4838  ..............H8
        0x0040:  0101 2c95 693c 8a30                      ..,.i<.0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
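The capture above shows the symptom the later posts trace to the boot-time ip6tables ruleset: the router sends a DHCPv6 solicit, the upstream gateway answers with neighbour solicitations for the router's link-local address, and no neighbour advertisement ever goes back. As an added example, not code from the thread, here is a Python script that rebuilds the packets from tcpdump's -X hex dump, classifies DHCPv6 and ICMPv6 NS/NA packets, and reports solicited targets that were never advertised. The capture text is copied from this post (the solicit and two of the three solicitations); the parsing is generic for any tcpdump -X output over Ethernet-less IPv6 dumps like the one shown.

```python
import re
import ipaddress

# Capture copied from the thread's tcpdump -X output on vlan2: one DHCPv6
# solicit, then two of the unanswered neighbour solicitations.
SAMPLE_CAPTURE = """\
05:06:06.935582 IP6 fe80::16dd:a9ff:fe8d:4838.546 > ff02::1:2.547: dhcp6 solicit
        0x0000:  6000 0000 0059 1101 fe80 0000 0000 0000  `....Y..........
        0x0010:  16dd a9ff fe8d 4838 ff02 0000 0000 0000  ......H8........
        0x0020:  0000 0000 0001 0002 0222 0223 0059 63ae  .........".#.Yc.
        0x0030:  013a 9ebc 0001 000a 0003 0001 14dd a98d  .:..............
        0x0040:  4838 000e 0000 0008 0002 626b 0006 0004  H8........bk....
        0x0050:  0017 0018 0019 0029 000d 4838 0000 0000  .......)..H8....
        0x0060:  0000 0000 001a 0019 ffff ffff ffff ffff  ................
        0x0070:  4000 0000 0000 0000 0000 0000 0000 0000  @...............
        0x0080:  00                                       .
05:06:06.968107 IP6 fe80::2e95:69ff:fe3c:8a30 > ff02::1:ff8d:4838: ICMP6, neighbor solicitation, who has fe80::16dd:a9ff:fe8d:4838, length 32
        0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
        0x0010:  2e95 69ff fe3c 8a30 ff02 0000 0000 0000  ..i..<.0........
        0x0020:  0000 0001 ff8d 4838 8700 eb30 0000 0000  ......H8...0....
        0x0030:  fe80 0000 0000 0000 16dd a9ff fe8d 4838  ..............H8
        0x0040:  0101 2c95 693c 8a30                      ..,.i<.0
05:06:07.970057 IP6 fe80::2e95:69ff:fe3c:8a30 > ff02::1:ff8d:4838: ICMP6, neighbor solicitation, who has fe80::16dd:a9ff:fe8d:4838, length 32
        0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
        0x0010:  2e95 69ff fe3c 8a30 ff02 0000 0000 0000  ..i..<.0........
        0x0020:  0000 0001 ff8d 4838 8700 eb30 0000 0000  ......H8...0....
        0x0030:  fe80 0000 0000 0000 16dd a9ff fe8d 4838  ..............H8
        0x0040:  0101 2c95 693c 8a30                      ..,.i<.0
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")      # a packet starts with a timestamp line
HEX_RE = re.compile(r"^[0-9a-f]{4}$|^[0-9a-f]{2}$")  # 4-digit groups; 2 digits for a trailing odd byte


def parse_hexdump(text):
    """Rebuild raw packet bytes from tcpdump -X lines.

    tcpdump prints the hex area before the ASCII column, so reading tokens
    until the first one that is not a hex group skips the ASCII column.
    """
    packets = []
    for line in text.splitlines():
        if TS_RE.match(line):
            packets.append(bytearray())
        elif line.lstrip().startswith("0x") and packets:
            for tok in line.split()[1:]:          # [0] is the "0x0010:" offset
                if not HEX_RE.match(tok):
                    break
                packets[-1] += bytes.fromhex(tok)
    return [bytes(p) for p in packets]


def decode(pkt):
    """Summarise the IPv6 packet types that matter for address configuration."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_header = pkt[6]
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "kind": "other"}
    if next_header == 58 and len(pkt) >= 64 and pkt[40] in (135, 136):
        # ICMPv6 NS (135) / NA (136): the target address sits at ICMPv6 offset 8
        info["kind"] = "NS" if pkt[40] == 135 else "NA"
        info["target"] = str(ipaddress.IPv6Address(pkt[48:64]))
    elif next_header == 17 and len(pkt) >= 49 and int.from_bytes(pkt[42:44], "big") == 547:
        # UDP to port 547 is DHCPv6 client->server; the first payload byte is the message type
        info["kind"] = "DHCPv6"
        info["msg_type"] = pkt[48]                # 1 == SOLICIT
    return info


def unanswered_targets(text):
    """Targets that were solicited (NS) but never advertised (NA) in the capture."""
    summaries = [s for s in map(decode, parse_hexdump(text)) if s]
    solicited = {s["target"] for s in summaries if s["kind"] == "NS"}
    advertised = {s["target"] for s in summaries if s["kind"] == "NA"}
    return sorted(solicited - advertised), summaries


if __name__ == "__main__":
    missing, seen = unanswered_targets(SAMPLE_CAPTURE)
    for s in seen:
        print(s)
    print("solicited but never answered:", missing)
```

On a healthy link the router's own NA for fe80::16dd:a9ff:fe8d:4838 would appear within the capture window and the final list would be empty; a non-empty list with ip6tables INPUT at policy DROP points at the firewall rather than at the upstream gateway.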
 
I have located the problem that causes the device to be unable to get an IPv6 prefix (or address for that matter), and found a temporary fix, which is to toggle ipv6_fw_enable after each reboot.
For some reason the netfilter INPUT chain for IPv6 is completely messed up at boot with ipv6_fw_enable=1 and this causes neighbour solicitations to be dropped since the default policy is DROP:
Code:
admin@router:/tmp/home/root# nvram get ipv6_fw_enable
1
admin@router:/tmp/home/root# ip6tables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere             state NEW
ACCEPT     all      anywhere             anywhere             state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere          
ACCEPT     all      anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain logaccept (0 references)
target     prot opt source               destination        
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all      anywhere             anywhere          

Chain logdrop (0 references)
target     prot opt source               destination        
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all      anywhere             anywhere

If I turn off "IPv6 firewall" I get neighbour solicitations working again, and very different entries in the INPUT and other chains:
Code:
admin@router:/tmp/home/root# nvram get ipv6_fw_enable
0
admin@router:/tmp/home/root# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     ipv6-nonxt    anywhere             anywhere             length 40
ACCEPT     all      anywhere             anywhere          
ACCEPT     all      anywhere             anywhere          
ACCEPT     udp      anywhere             anywhere             udp spt:547 dpt:546
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 130
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 131
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 132
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 141
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 142
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 143
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 148
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 149
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 151
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 152
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 153
DROP       all      anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
DROP       all      anywhere             anywhere             rt type:0 segsleft:0
DROP       all      anywhere             anywhere          
ACCEPT     all      anywhere             anywhere          
ACCEPT     ipv6-nonxt    anywhere             anywhere             length 40
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       all      anywhere             anywhere             rt type:0 segsleft:0

Chain PControls (0 references)
target     prot opt source               destination        

Chain logaccept (0 references)
target     prot opt source               destination        
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all      anywhere             anywhere          

Chain logdrop (0 references)
target     prot opt source               destination        
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all      anywhere             anywhere

The correct settings stick after I turn "IPv6 firewall" back on, until I reboot the device.
 
I have located the problem that causes the device to be unable to get an IPv6 prefix (or address for that matter), and found a temporary fix, which is to toggle ipv6_fw_enable after each reboot.
For some reason the netfilter INPUT chain for IPv6 is completely messed up at boot with ipv6_fw_enable=1 and this causes neighbour solicitations to be dropped since the default policy is DROP:
I can't recreate what you are seeing. When the system first comes up, it loads a basic set of rules that allow for LAN communications (what you see in the 'short' set of rules), then replaces them later with the complete set of rules. For some reason, the replace of the rules isn't happening. Also, when the firewall is correctly enabled, the default policy for the FORWARD chain should be DROP.

What type of ipv6 service are you using and what settings?

Also, when it fails, please append the output of

cat /tmp/filter_rules_ipv6

EDIT: Also, what router? And please check the syslog for any 'ip6tables-restore failed' messages.
 
I can't recreate what you are seeing. When the system first comes up, it loads a basic set of rules that allow for LAN communications (what you see in the 'short' set of rules), then replaces them later with the complete set of rules. For some reason, the replace of the rules isn't happening. Also, when the firewall is correctly enabled, the default policy for the FORWARD chain should be DROP.

What type of ipv6 service are you using and what settings?

Also, when it fails, please append the output of

cat /tmp/filter_rules_ipv6

EDIT: Also, what router? And please check the syslog for any 'ip6tables-restore failed' messages.
The router is an RT-AC68U and it's connected to an AT&T DSL (U-verse) modem/gateway. The modem/gateway has a DHCPv6 server and delegates a native /64 prefix. I have "Prefix delegation requires address request" set. I have "Enable Firewall" unset for IPv4.

The modem/gateway also assigns an IPv4 address by DHCP. I have an additional IPv4 address for a static subnet which I configure with the following scripts in /jffs/scripts:
Code:
admin@router:/tmp/home/root# cat /jffs/scripts/wan-start
#!/bin/sh
ifconfig br0:0 add 162.228.250.126 netmask 255.255.255.248
admin@router:/tmp/home/root# cat /jffs/scripts/firewall-start
#!/bin/sh
iptables -I FORWARD 1 -p all -d 162.228.250.120/29 -j ACCEPT
iptables -I FORWARD 1 -p tcp --dport 111 -j DROP
iptables -I FORWARD 1 -p udp --dport 111 -j DROP
admin@router:/tmp/home/root# cat /jffs/scripts/nat-start
#!/bin/sh
# don't masquerade (NAT) for 162.228.250.120/29
iptables -t nat -I POSTROUTING 1 -o vlan2 -p all -s 162.228.250.120/29 -j ACCEPT
# masquerade from NAT loopback
iptables -t nat -A POSTROUTING -o br0 -p all -s 192.168.4.0/24 -d 162.228.250.120/29 -j MASQUERADE

I just rebooted the RT-AC68U and see the following:
Code:
admin@router:/tmp/home/root# cat /tmp/filter_rules_ipv6
*filter                                                                                                                                                        
:INPUT ACCEPT [0:0]                  
:FORWARD DROP [0:0]                  
:OUTPUT ACCEPT [0:0]                
:PControls - [0:0]
:logaccept - [0:0]                  
:logdrop - [0:0]
-A FORWARD -i vlan2 -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -o vlan2 -i br0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 22 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW -p udp -m udp  -d ::/0/::ffff:ffff:ffff:ffff --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 80 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 443 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 8080 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 8081 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 6667 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 7000 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 9001 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 8384 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 22000 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 32400 -j ACCEPT
-A FORWARD -m state --state NEW -p tcp -m tcp  -d ::/0/::ffff:ffff:ffff:ffff --dport 51413 -j ACCEPT
-A FORWARD -m state --state NEW -p udp -m udp  -d ::/0/::ffff:ffff:ffff:ffff --dport 51413 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW  -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A FORWARD -j DROP
COMMIT

admin@router:/tmp/home/root# cat /tmp/filter_ipv6.default
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

admin@router:/tmp/home/root# ip6tables -L -v                                
Chain INPUT (policy DROP 388 packets, 28000 bytes)                          
 pkts bytes target     prot opt in     out     source               destination                                                                              
   0     0 ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED                                            
   0     0 DROP       all      any    any     anywhere             anywhere             state INVALID                                                        
   0     0 ACCEPT     all      br0    any     anywhere             anywhere             state NEW                                                            
   93  4557 ACCEPT     all      lo     any     anywhere             anywhere             state NEW                                                            

Chain FORWARD (policy DROP 0 packets, 0 bytes)                              
 pkts bytes target     prot opt in     out     source               destination                                                                              
   0     0 ACCEPT     all      any    any     anywhere             anywhere             state RELATED,ESTABLISHED                                            
   0     0 ACCEPT     all      br0    br0     anywhere             anywhere                                                                                  
   0     0 ACCEPT     all      lo     lo      anywhere             anywhere                                                                                  

Chain OUTPUT (policy ACCEPT 106 packets, 6234 bytes)                        
 pkts bytes target     prot opt in     out     source               destination                                                                              

Chain logaccept (0 references)    
 pkts bytes target     prot opt in     out     source               destination                                                                              
   0     0 LOG        all      any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "                            
   0     0 ACCEPT     all      any    any     anywhere             anywhere                                                                                  

Chain logdrop (0 references)      
 pkts bytes target     prot opt in     out     source               destination                                                                              
   0     0 LOG        all      any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "                              
   0     0 DROP       all      any    any     anywhere             anywhere

There's no messages in syslog about ip6tables (other than the copyright message for the ip6_tables module).
 
Just a guess, maybe it doesn't like my ip6tables rules applying to ::/0?
Code:
admin@router:/tmp/home/root# nvram get ipv6_fw_rulelist
<SSH>>::/0>22>TCP<DNS Server>>::/0>53>BOTH<HTTP Server>>::/0>80,443,8080>TCP<SOCKS>>::/0>8081>TCP<IRC>>::/0>6667,7000>TCP<WeeChat>>::/0>9001>TCP<Syncthing>>::/0>8384,22000>TCP<PLEX>>::/0>32400>TCP<Transmission>>::/0>51413>BOTH
 
Just a guess, maybe it doesn't like my ip6tables rules applying to ::/0?
Good guess
/tmp/home/root# ip6tables -A FORWARD -m state --state NEW -p tcp -m tcp -d
::/0/::ffff:ffff:ffff:ffff --dport 22 -j ACCEPT
ip6tables v1.4.14: host/network `::/0' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.

EDIT: Don't use ::/0, try just :: instead

/tmp/home/root# ip6tables -A FORWARD -d ::/::ffff:ffff:ffff:ffff -p tcp -m s
tate --state NEW -m tcp --dport 22 -j ACCEPT
/tmp/home/root#
 
Good guess
/tmp/home/root# ip6tables -A FORWARD -m state --state NEW -p tcp -m tcp -d
::/0/::ffff:ffff:ffff:ffff --dport 22 -j ACCEPT
ip6tables v1.4.14: host/network `::/0' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.

EDIT: Don't use ::/0, try just :: instead

/tmp/home/root# ip6tables -A FORWARD -d ::/::ffff:ffff:ffff:ffff -p tcp -m s
tate --state NEW -m tcp --dport 22 -j ACCEPT
/tmp/home/root#
Thanks, that was accepted by the router and after rebooting it with the new rules I now have working IPv6.

But from what I understand of IPv6 mask notation the /::ffff:ffff:ffff:ffff mask requires the last 64 bits to match exactly, and since it's masking the address :: (i.e., 0:0:0:0:0:0:0:0), this means those bits have to be all zeroes in the actual address. So this wouldn't work as intended for matching "any" address.

I don't know why it's appending that mask, but if it's being applied when the user wants to match a specific IPv6 address rather than a network, the result would also be wrong since it's ignoring the first 64 bits.
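The three threads of this exchange (the `ipv6_fw_rulelist` nvram format, the `::/0/::ffff:ffff:ffff:ffff` token that ip6tables-restore rejects, and the last post's point about what `::/::ffff:ffff:ffff:ffff` actually matches) can be checked with a few lines of Python. The following is an added example, not the firmware's rule generator: it parses the nvram value copied from the thread, emits ip6tables rules in the same shape as the ones in `/tmp/filter_rules_ipv6` but with an unmasked destination, lints a restore file for the double-slash token, and implements netfilter's `(addr & mask) == (base & mask)` test so the mask semantics can be verified. The meaning of the rulelist fields is inferred from the rules the firmware produced from it; the second field is empty in every entry on the page and is ignored here.

```python
import ipaddress

# nvram value copied from the thread. Field layout inferred from the generated
# rules: <description>?>destination>ports>protocol (second field empty, ignored).
RULELIST = ("<SSH>>::/0>22>TCP<DNS Server>>::/0>53>BOTH<HTTP Server>>::/0>80,443,8080>TCP"
            "<SOCKS>>::/0>8081>TCP<IRC>>::/0>6667,7000>TCP<WeeChat>>::/0>9001>TCP"
            "<Syncthing>>::/0>8384,22000>TCP<PLEX>>::/0>32400>TCP<Transmission>>::/0>51413>BOTH")


def matches(addr, base, mask):
    """Netfilter's address test for an explicit mask: (addr & mask) == (base & mask)."""
    a, b, m = (int(ipaddress.IPv6Address(x)) for x in (addr, base, mask))
    return a & m == b & m


def parse_rulelist(value):
    """Split the nvram string into one dict per entry."""
    rules = []
    for entry in filter(None, value.split("<")):
        desc, _unused, dest, ports, proto = entry.split(">")
        rules.append({"desc": desc, "dest": dest,
                      "ports": [p.strip() for p in ports.split(",")],
                      "protos": ["tcp", "udp"] if proto == "BOTH" else [proto.lower()]})
    return rules


def dest_args(dest):
    """Destination match for ip6tables.

    A token with two slashes ('::/0/::ffff:ffff:ffff:ffff') is what made
    ip6tables-restore fail in the thread, so it is rejected here; '::/0'
    means any host and gets no -d at all; anything else is passed through
    as a normal address or prefix.
    """
    if dest.count("/") > 1:
        raise ValueError(f"malformed address/mask: {dest}")
    net = ipaddress.IPv6Network(dest, strict=False)
    return [] if net.prefixlen == 0 else ["-d", str(net)]


def render_rules(value):
    """One FORWARD rule per protocol and port, like the firmware's output."""
    lines = []
    for r in parse_rulelist(value):
        for proto in r["protos"]:
            for port in r["ports"]:
                args = ["-A", "FORWARD", "-m", "state", "--state", "NEW", "-p", proto,
                        "-m", proto, *dest_args(r["dest"]), "--dport", port, "-j", "ACCEPT"]
                lines.append(" ".join(args))
    return lines


def lint_restore(text):
    """Line numbers in an ip6tables-restore file whose -s/-d argument has two slashes."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        toks = line.split()
        if any(t in ("-s", "-d") and toks[i + 1].count("/") > 1
               for i, t in enumerate(toks[:-1])):
            bad.append(n)
    return bad


if __name__ == "__main__":
    for line in render_rules(RULELIST):
        print(line)
    # The mask from the thread only admits addresses whose low 64 bits are zero.
    print(matches("2001:db8::1", "::", "::ffff:ffff:ffff:ffff"))   # False
    print(matches("2001:db8::", "::", "::ffff:ffff:ffff:ffff"))    # True
    print(matches("2001:db8::1", "::", "::"))                      # True: '::/0' is any host
```

`lint_restore` can be run over `/tmp/filter_rules_ipv6` after a reboot to confirm whether the rejected token is present before looking anywhere else; `ip6tables-restore` stops at the first bad line, which is why the boot-time default set stays in place.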
 
