"How Do I?" from a DD-WRT User

djtech2k

I am brand new to RMerlin so I have a couple questions. I have been using DD-WRT for years on an Asus RT-N16. I upgraded to an Asus RT-AC68U with RMerlin based on some feedback on this forum. I have a couple of specific things that I used to do in DD-WRT that I am not sure how to do on RMerlin.

1) I used to run some custom startup & firewall scripts/commands on DD-WRT. In DD-WRT there is a box for putting in the commands for things like startup. How do I do that in RMerlin?

2) I run a Domain inside of my home and lab so I have an internal DNS server that hosts name resolution for my internal domain. I needed my local DNS requests to go to my internal DNS server and all other requests to go out to my standard ISP DNS. In DD-WRT, I put commands in my start scripts that modified DNSMasq with "stop-DNS-Rebind" and by adding an option to DNSMasq for a DNS forwarder like "server=/domain.com/IP". How can I do this in RMerlin?
 
Here is the first place to look on configuring scripts:

Merlin's wiki


Look under user scripts.
 
Ok I have tried setting up some scripts, but I cannot figure it out.

For example, I have a bunch of iptables commands. The Wiki does not tell you what to name the file. So I tried firewall-start.sh and firewall-start. I then made it executable, but after reboot I don't see the entries in iptables.

Also, using vi is a nightmare, so I would like to be able to create the script and upload it somehow. SFTP isn't working.
 
Also look in the README file packaged with the firmware. There are sections in there describing what scripts and config files are available, what to name them and where to place them.

For editing the files, if you are a Windows user, do a google search for WinSCP. And as a reminder, remember that if you edit outside of the router environment you need to be concerned with unix vs dos formatted files (WinSCP takes care of this if you use their built in editor).
 
Thanks for the tip. I had already tried WinSCP, but it refuses to connect because it says sftp is not running on the router. I tried several times.

I will check out the readme, but creating and editing files in Linux sucks. The ability to do some of that in DD-WRT was nice. If I can find a better editor or a way to transfer a file up, then it'll work fine.
 
For WinSCP use file protocol SCP...it will work fine.
 
Ok cool I will try that.

I read the readme. Here is what I don't understand..

In /jffs/scripts I created a new file called firewall-start. Inside of that file, I have the following as a test:

#!/bin/sh
touch /tmp/000wanstarted
logger "Starting Firewall Script"

/usr/sbin/iptables -I INPUT -s 116.10.191.182 -j logdrop


It is formatted in notepad++ as a Unix script file. If I save the file and reboot, then check iptables, nothing is there. As a test, I renamed the file to a ".sh" and executed manually and the settings showed up in iptables, so I know the commands work.

What am I missing?
 
I seem to remember that depending on the rest of your configuration, sometimes the script can try to run before everything is up....try putting a

sleep 10

command after the shebang....

(10 sec is probably too long, you can shorten it if this proves to be the problem)


EDIT: If this doesn't work, please post some of the syslog following the logger output line you added.
 
Make sure the script is executable:

Code:
chmod a+rx /jffs/scripts/firewall-start
 
I ran the chmod again just to be sure.

I have a file called firewall-start in the /jffs/scripts directory.

The file is encoded to 1252 ANSI.

Here are the contents of the file:

#!/bin/sh
sleep 10
logger "Beginning Firewall Script"
/usr/sbin/iptables -I INPUT -s 116.10.191.182 -j logdrop

I looked in the system log inside of /jffs and searched for "firewall" and did not find the string from my script. Not sure what the heck is going on.
 
So the script isn't executing at all. This has all the symptoms of a file in the wrong format. I know you don't like 'vi', but open the file with vi on the router and double check there are no control characters in the file (commonly ^M).

As another double check, do an

ls -l /jffs/scripts/firewall-start (those are small letter 'L')

and make sure the correct permissions are set...(-rwxr-xr-x)
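
The checks suggested in the replies above (execute bit, shebang line, stray ^M characters), combined into one script as an added example that is not part of any original post. The function name `check_user_script` is hypothetical; it does not test whether the WAN interface is up.

```shell
#!/bin/sh
# Added example: pre-flight checks for a router user script such as
# /jffs/scripts/firewall-start. Prints one line per problem found and
# returns the number of problems (0 = the file looks runnable).
check_user_script() {
    script="$1"
    problems=0

    if [ ! -f "$script" ]; then
        echo "MISSING: $script does not exist"
        return 1
    fi

    # The firmware executes the file directly, so it needs the execute bit.
    if [ ! -x "$script" ]; then
        echo "NOT_EXECUTABLE: run chmod a+rx $script"
        problems=$((problems + 1))
    fi

    # The first line must be a shebang, with no BOM or blank line before it.
    first_line=$(head -n 1 "$script" | tr -d '\r')
    case "$first_line" in
        '#!'*) ;;
        *) echo "NO_SHEBANG: first line is not #!/bin/sh"
           problems=$((problems + 1)) ;;
    esac

    # DOS line endings show up as ^M in vi and corrupt the interpreter path.
    cr=$(printf '\r')
    if grep -q "$cr" "$script"; then
        echo "CRLF: DOS line endings found; convert to Unix (LF)"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Run it on the router as `check_user_script /jffs/scripts/firewall-start`; no output and a zero exit status mean the file itself is not the problem.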
 
I verified permissions are 777.

Here is a screenshot of the vi output. I don't see what you described. All I see are a bunch of ~.

So just to check, I created a new file with echo '' > newfile

Then I copied the text into that file with tail oldfile >> newfile.

Then I renamed the file and set 0777 to permissions.
 

That vi screenshot looks fine.....I must admit, I'm running out of ideas here.

For a test.....rename the file from firewall-start to wan-start and then see if you can see the logger line in the syslog.
 
I also just noticed that the system time is way off. It's Dec 31, 2013. I have not connected this thing to the internet, so it cannot reach an NTP. How can I set it manually?

I set the script to wan-start and got the same thing. No trace of my test string in the system log.
 
I don't think the wan-start and firewall scripts run until the WAN interface comes up.
 
I think I may have it working now. I connected the router to my internet connection and set the last few settings. I also set the script back to firewall-start.

After a reboot, I now see the iptables listings present. So it must have been something like the ntp/time or whatever.
 
