tsunami2311
Senior Member
what WAN disconnects? I have never had them in all this time short of the modem it self resting or connection to it droping
what WAN disconnects? I have never had them in all this time short of the modem it self resting or connection to it droping
As mentioned with Tomato this problem is gone.
commit fa41424345ce1f1ecaad2309a625d9c6b9749a75
Author: Fedor <fedork@ubuntu.(none)>
Date: Thu Jun 24 01:59:22 2010 -0400
Accept DHCP responses from WAN by default.
With some broken ISPs, the dhcp server reply to RENEW may come from an
unexpected source and get blocked by the firewall. Accept DHCP responses
from any source (OpenWRT does the same) by default, but allow to disable
this via nvram variable.
Ref:
http://www.dd-wrt.com/wiki/index.php/Iptables_command#Firewall_blocks_DHCP_renewal_responses
https://dev.openwrt.org/browser/trunk/package/firewall/files/firewall.config
https://dev.openwrt.org/ticket/4108
@primitivo Didn't we have a conversation about this just a while back? Quite clear that the Asus rant was a bit unfounded, wouldn't you say?The real problem here is that AT&T's DHCP servers are broken. The iptables filter is there for a reason: to prevent a rogue server from sending bogus DHCP replies when it sees requests on the LAN, potentially allowing it to hijack your connection. Here's the actual patch from Tomato's commit log:
Code:commit fa41424345ce1f1ecaad2309a625d9c6b9749a75 Author: Fedor <fedork@ubuntu.(none)> Date: Thu Jun 24 01:59:22 2010 -0400 Accept DHCP responses from WAN by default. With some broken ISPs, the dhcp server reply to RENEW may come from an unexpected source and get blocked by the firewall. Accept DHCP responses from any source (OpenWRT does the same) by default, but allow to disable this via nvram variable. Ref: http://www.dd-wrt.com/wiki/index.php/Iptables_command#Firewall_blocks_DHCP_renewal_responses https://dev.openwrt.org/browser/trunk/package/firewall/files/firewall.config https://dev.openwrt.org/ticket/4108
So Tomato didn't "fix anything", they are reducing their firewall security to accommodate such broken DHCP servers.
Now the interesting bit: Asuswrt has the exact same patch. Only difference is Asus chose to ONLY allow it if obtaining your initial lease (when the IP is 0.0.0.0). I suspect AT&T might have the issue on renewals, not just on initial lease.
I can easily reproduce Tomato's behavior, however I really feel that broken ISPs need to fix their broken sh*t, and stop relying on router developers for dealing with that kind of stuff on their behalf.
Does this patch introduce security issues for non-AT&T users?Since the code was already there, I extended it to also apply on renewals, not just on the initial lease request.
Does this patch introduce security issues for non-AT&T users?
Since the code was already there, I extended it to also apply on renewals, not just on the initial lease request.
Good idea to apply the patch on renewals too - I think this is where the issue was actually, with DHCP renewals and not initial leases. Will you include it in the current 380.62 alpha version?
ASUSWRT-Merlin RT-N66U 380.59-0 Tue May 10 15:44:44 UTC 2016
admin@RT-N66U:/tmp/home/root# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3805 200K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2184K 228M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
166K 10M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
442K 32M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
3806 1253K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
Lease time 5 days 20 hours 39 minute(s) 24 seconds
Lease expires 1 days 1 hours 3 minute(s) 28 seconds
Sep 10 21:14:14 kernel: NAT: no longer support implicit source local NAT
Sep 10 21:14:14 kernel: NAT: packet src 255.255.255.255 -> dst 62.253.131.43
I don't understand the patch, the accept rule is already there on 380.59 N66U, its just an OR with 0.0.0.0?
[edit2] I think BusyBox udhcpc is the problem - does not implement the T2 timer specified in RFC2132 to revert to renew at 7/8 timer
The change is in the code, not in the rule. The rule was only being added to the firewall if the WAN interface didn't have a lease yet. Restarting the firewall after obtaining a lease would remove the rule.
That was fixed months ago.
Next build.
Is this change to the code in the 380.62_1 build?
When I was on .59 things seemed to be fine, and now I have random drops with the same error message on 380.62_1 build. I am on Comcast, and never had this issue before on AC87U. This is the first release that seems kind of unstable ever. I am wondering if there was a change between .59 and .62_1?
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!