[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

[john9527]

John, i am still using your firm ware. I enabled qos and checked hardware acceleration and it still was enabled. Does ctf work now with qos enabled or should i disable it? Thanks again!

Check the status on the Tools>Sysinfo page. For non-FA capable routers, it may still show as Enabled on the LAN page, even if it is automatically disabled.

 

[ColinTaylor]

John apologies if this is just my router affected, but I noticed that there is no fe80:: ipv6 allow rule in the firewall so basically link local traffic gets blocked on the lan to the router. Also I think icmp6 types 133 to 136 should be added to the ipv6 forward table allow rules.

I'd also be surprised if this was causing problems, although I don't use IPv6 so have no way to test it.

Types 133 to 136 are Router/Neighbour Solicitation/Advertisement. The router uses this on its WAN interface but I can't think of a reason to forward that traffic to the LAN.

As for the link local addresses. There are earlier ip6tables rules which accept everything on the LAN interface so I wouldn't have thought your rule would be necessary.

-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -j ACCEPT

 

[nivek1612]

Sorry, but this doesn't make sense (at least to me ) What are you trying to do that isn't working. I have no trouble accessing clients with the local IPv6 addresses.

John are you saying you can use the fe80 link-local address to access clients ?
I can only access servers on my LAN via their public IPv6 (EUI-64 format is fixed so works well) address.
Trying to use their link-local address fails, but I thought from our conversations on firewalls some posts back that this was as expected

 

[ColinTaylor]

@nivek1612 We are talking about LAN to LAN, are you talking about WAN to LAN?

 

[john9527]

John are you saying you can use the fe80 link-local address to access clients ?
I can only access servers on my LAN via their public IPv6 (EUI-64 format is fixed so works well) address.
Trying to use their link-local address fails, but I thought from our conversations on firewalls some posts back that this was as expected

You can use link-local to access if you are local ....not from the WAN side.

Just as a side comment....the one omission in this IPv6 stack is that it doesn't automatically provide DNS lookup for client IPv6 addresses (either link-local or public). I'm currently playing with a couple of different schemes to add this in future release.

 

[nivek1612]

@nivek1612 We are talking about LAN to LAN, are you talking about WAN to LAN?

I still leaning on the IPv6 stuff so I may be getting it wrong but I think I'm talking LAN to LAN. Let me expand
I have a server on a Mac that controls my IP cameras
It has a IPv6 link local address and a coupe of WAN IPv6 address (privacy extension and EUI-64)

From another machine on my LAN I can access the server using its WAN IPv6 address with port number so
[20cb:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:1234 works but using the Link-Local address fails

 

[ColinTaylor]

@nivek1612 Can you ping the Mac's link local address? If you can then I'd guess that the server software is only listening on its WAN interface and not the link local interfaces.

 

[nivek1612]

@nivek1612 Can you ping the Mac's link local address? If you can then I'd guess that the server software is only listening on its WAN interface and not the link local interfaces.

No can't ping either
Using ping6 cmd from terminal on a machine on the LAN to the server using its WAN address works

Using its Link Local Address gives me errors see below

$ ping6 fe80::3e07:54ff:fe04:de8c

PING6(56=40+8+8 bytes) fe80::ae87:a3ff:fe21:27d8%en0 --> fe80::3e07:54ff:fe04:de8c

ping6: sendmsg: No route to host

ping6: wrote fe80::3e07:54ff:fe04:de8c 16 chars, ret=-1

ping6: sendmsg: No route to host

ping6: wrote fe80::3e07:54ff:fe04:de8c 16 chars, ret=-1

ping6: sendmsg: No route to host

 

[john9527]

@nivek1612

Every implementation is different, but try including the scope ID on your ping command (the %en0 at the end of the address that can be seen on your source address).

On windows, the scope ID isn't necessary for ping......don't know about the Mac....

 

[ColinTaylor]

@nivek1612 On my Centos box I have to specify the interface otherwise it doesn't work:

[root@micro ~]# ping6 fe80::911d:f2d1:8389:f62f
connect: Invalid argument

[root@micro ~]# ping6 -I eth0 fe80::911d:f2d1:8389:f62f
PING fe80::911d:f2d1:8389:f62f(fe80::911d:f2d1:8389:f62f) from fe80::a2b3:ccff:fedf:1fcb eth0: 56 data bytes
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=1 ttl=128 time=0.978 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=2 ttl=128 time=0.289 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=3 ttl=128 time=0.314 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=4 ttl=128 time=0.276 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=5 ttl=128 time=0.294 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=6 ttl=128 time=0.249 ms
^C
--- fe80::911d:f2d1:8389:f62f ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5734ms
rtt min/avg/max/mdev = 0.249/0.400/0.978/0.259 ms

EDIT: As John said, specifying the scope ID should also work.

[root@micro ~]# ping6 fe80::911d:f2d1:8389:f62f%eth0
PING fe80::911d:f2d1:8389:f62f%eth0(fe80::911d:f2d1:8389:f62f) 56 data bytes
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=1 ttl=128 time=0.598 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=2 ttl=128 time=0.299 ms
64 bytes from fe80::911d:f2d1:8389:f62f: icmp_seq=3 ttl=128 time=0.289 ms
^C
--- fe80::911d:f2d1:8389:f62f%eth0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2262ms
rtt min/avg/max/mdev = 0.289/0.395/0.598/0.144 ms

 

[nivek1612]

@nivek1612

Every implementation is different, but try including the scope ID on your ping command (the %en0 at the end of the address that can be seen on your source address).

On windows, the scope ID isn't necessary for ping......don't know about the Mac....

You are correct I need the scope ID or use the -I option to specify the interface
Sorry as I said still getting my head around this IPv6 stuff

 

[XSXS]

Check the status on the Tools>Sysinfo page. For non-FA capable routers, it may still show as Enabled on the LAN page, even if it is automatically disabled.

Yes it says disabled due to qos being on. I run ipv6, is your firm ware not optimized for ipv6 usage?
Does anyone know how Merlins is with ipv6 usage? Thanks!

 

[Chrysalis]

You can use link-local to access if you are local ....not from the WAN side.

Just as a side comment....the one omission in this IPv6 stack is that it doesn't automatically provide DNS lookup for client IPv6 addresses (either link-local or public). I'm currently playing with a couple of different schemes to add this in future release.

yeah for me was not working on the lan. I initially noticed with dns lookups timing out on my FreeBSD box. I had to add that iptables rule to get ipv6 local link requests to the router working.

Regarding the icmp types maybe its ok to just have those not forwarded.

To anyone here using the fork who has no issues using local link traffic to the router can you please paste the output of ip6tables -nL? remembering to mask anything that you dont want revealed like wan ip prefix.

Also to note i was able tp ping fine, but it was dns traffic that was blocked, the router has a load of rules added to block dns traffic, on the ipv4 rules there is lan rules to allow lan dns traffic but was nothing for lan ipv6.

 

[ColinTaylor]

Also to note i was able tp ping fine, but it was dns traffic that was blocked, the router has a load of rules added to block dns traffic, on the ipv4 rules there is lan rules to allow lan dns traffic but was nothing for lan ipv6.

So you're saying it's a DNS issue rather then a general IPv6 network problem?

I don't see any rules at all that block DNS requests. Do you use DNS Filtering?

Perhaps it's easier if you post your ip6tables output for us to compare. Remember to include -v otherwise important information will be missing. Or just use ip6tables-save which I find easier to read.

 

[il2]

Updated RT-N16 from 18E3 to 20B7 without losing jffs.

 

[Chrysalis]

So you're saying it's a DNS issue rather then a general IPv6 network problem?

I don't see any rules at all that block DNS requests. Do you use DNS Filtering?

Perhaps it's easier if you post your ip6tables output for us to compare. Remember to include -v otherwise important information will be missing. Or just use ip6tables-save which I find easier to read.

sure, the DNS block rules I did not add. The only rules i added in this list was the 133-136 icmp types and the fe80::/10 allow rule, the rest is automatically generated on my router. Before I added the fe80::/10 rule none of my lan devices were able to connect to dns hosted on the router as the firewall was blocking it.

I am not using DNS filtering or parental controls.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
17468 1326K ACCEPT     all      *      *       fe80::/10            ::/0              
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0
   10   766 REJECT     udp      br0    *       ::/0                 ::/0                 udp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     tcp      br0    *       ::/0                 ::/0                 tcp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     udp      br0    *       ::/0                 ::/0                 udp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     tcp      br0    *       ::/0                 ::/0                 tcp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     udp      br0    *       ::/0                 ::/0                 udp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     tcp      br0    *       ::/0                 ::/0                 tcp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     udp      br0    *       ::/0                 ::/0                 udp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     tcp      br0    *       ::/0                 ::/0                 tcp dpt:53 reject-with icmp6-port-unreachable
2403K  145M ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
   99  9040 ACCEPT     all      lo     *       ::/0                 ::/0                 state NEW
    2   112 ACCEPT     all      br0    *       ::/0                 ::/0                 state NEW
    0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
98390 7069K ACCEPT     all      br0    *       ::/0                 ::/0              
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0              
  939  117K ACCEPT     udp      *      *       ::/0                 ::/0                 udp spt:547 dpt:546
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
26937 2801K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 132
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133
1311 83904 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134
19730 1421K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135
52508 3781K ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 141
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 142
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 148
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 149
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 151
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 152
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 153
    7   560 DROP       all      *      *       ::/0                 ::/0              

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
  331 27835 DROP       all      eth0   *       ::/0                 ::/0                 state INVALID
  31M   27G ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0
25890 1850K ACCEPT     all      br0    eth0    ::/0                 ::/0              
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0              
    0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 4
    2   152 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 136
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 135
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 134
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 133
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 130
    8   774 DROP       all      *      *       ::/0                 ::/0              

Chain OUTPUT (policy ACCEPT 141K packets, 9234K bytes)
pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0

Chain PControls (0 references)
pkts bytes target     prot opt in     out     source               destination        

Chain logaccept (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 LOG        all      *      *       ::/0                 ::/0                 state NEW LOG flags 7 level 4 prefix "ACCEPT "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0              

Chain logdrop (0 references)
pkts bytes target     prot opt in     out     source               destination        
    0     0 LOG        all      *      *       ::/0                 ::/0                 state NEW LOG flags 7 level 4 prefix "DROP "
    0     0 DROP       all      *      *       ::/0                 ::/0

 

[Chrysalis]

I just had a thought what might be the problem.

I remember some versions back john added a feature to prevent ipv6 dns leakage when using VPN, those rules may have been created then.

Also notice I got duplicates of the rules, so I now have an idea whats going on, because whenever I shutdown my VPN the exit script crashes which I assume has not been able to run all of its commands. I did report the crash several months back but both merlin and john said it was something I could ignore.

So I believe when I start my VPN the rules get created, and they are supposed to be removed on VPN shutdown but are not because the exist script crashes.

here is extract of openvpn shutdown error

Oct  5 00:21:42 openvpn[24919]: event_wait : Interrupted system call (code=4)
Oct  5 00:21:42 openvpn[24919]: vpnrouting.sh tun11 1500 1562 192.168.0.2 255.255.255.0 init
Oct  5 00:21:42 openvpn[24919]: WARNING: Failed running command (--up/--down): could not execute external program
Oct  5 00:21:42 openvpn[24919]: Exiting due to fatal error

confirmed its openvpn, this is in the updown.sh script, there is also other stuff in the up code which adds the rules.

                       /usr/sbin/ip6tables -D INPUT -i $lan_if -p tcp -m tcp --dport 53 -j REJECT
                        /usr/sbin/ip6tables -D INPUT -i $lan_if -p udp -m udp --dport 53 -j REJECT

I am trying to look now why the script fails to run when openvpn is shutdown.

Note this is the default updown.sh script I am not using a custom one.

 

[john9527]

Yes it says disabled due to qos being on. I run ipv6, is your firm ware not optimized for ipv6 usage?
Does anyone know how Merlins is with ipv6 usage? Thanks!

The fork works fine for IPv6 (in fact there have been some recent reports that the fork works where the latest ASUS/Merlin doesn't). I'm just not sure if Merlin builds inherently supports IPv6 DNS (I keep forgetting to try it when I occasionally switch to Merlin). For the fork, you can easily add IPv6 DNS with a hosts file for the IPv6 fixed addresses if it's something you really need....I'm just seeing if there is a way to have an option to automate it. In fact I'm not sure the option wouldn't break some apps that are not IPv6 aware.

 

[john9527]

sure, the DNS block rules I did not add. The only rules i added in this list was the 133-136 icmp types and the fe80::/10 allow rule, the rest is automatically generated on my router. Before I added the fe80::/10 rule none of my lan devices were able to connect to dns hosted on the router as the firewall was blocking it.

Take your added rules out and run the same output to see where they are being dropped.

EDIT: and remember to add the -v option so we can see the entire rule.

 

[john9527]

I just had a thought what might be the problem.

I remember some versions back john added a feature to prevent ipv6 dns leakage when using VPN, those rules may have been created then.

Also notice I got duplicates of the rules, so I now have an idea whats going on, because whenever I shutdown my VPN the exit script crashes which I assume has not been able to run all of its commands. I did report the crash several months back but both merlin and john said it was something I could ignore.

So I believe when I start my VPN the rules get created, and they are supposed to be removed on VPN shutdown but are not because the exist script crashes.

here is extract of openvpn shutdown error

Oct  5 00:21:42 openvpn[24919]: event_wait : Interrupted system call (code=4)
Oct  5 00:21:42 openvpn[24919]: vpnrouting.sh tun11 1500 1562 192.168.0.2 255.255.255.0 init
Oct  5 00:21:42 openvpn[24919]: WARNING: Failed running command (--up/--down): could not execute external program
Oct  5 00:21:42 openvpn[24919]: Exiting due to fatal error

confirmed its openvpn, this is in the updown.sh script, there is also other stuff in the up code which adds the rules.

                       /usr/sbin/ip6tables -D INPUT -i $lan_if -p tcp -m tcp --dport 53 -j REJECT
                        /usr/sbin/ip6tables -D INPUT -i $lan_if -p udp -m udp --dport 53 -j REJECT

I am trying to look now why the script fails to run when openvpn is shutdown.

Note this is the default updown.sh script I am not using a custom one.

This make more sense....I added those rules for IPv6 DNS leak protection a while back. If you are running an external DNS I could see where it could interfere.

But the near term problem is why the script is crashing as you said.

EDIT: What DNS mode are you using for your VPN?