Hi Kamoj
Many thanks for the update version and the speed with which you produced it. It is much appreciated.
I can confirm that it works and has solved the problem.
PS I had custom settings in the main Internet Setup (Voxel) page but had not put anything in your Settings: DHCP DNS Options: Custom DNS. I have added those custom settings in your settings page (not sure if it does anything extra to the custom DNS on the main internet settings) but can confirm it does not cause any problems with 5.5b16
Regards
Hello,
Changes in kamoj-addon beta version 2022-01-17 5.5b16
---------------------------------------------------------------
- VPN supervision fails when "Router it-self bypass VPN" is set. (@Panner)
Hello, I should add to my last post that the only devices having a problem accessing the internet are those connected to the Guest wifi network. All other network connected devices (LAN and non-guest wifi) work normally. So I don't see this as a defect in the addon, but something I have done with how I have it set up.
Hello,
Thank you for the latest update to 5.5b16. I haven't had any more issues on my R9000 since reinstalling the addon and using my normal settings.
However, initially with addon 5.5b I didn't have the router itself set to bypass VPN. Doing that on 5.5b15, I can confirm the same issue on my R9000 as reported by Panner. I will try it with 5.5b16 as well.
I also found that I only have what my Android phones will call a "limited connection" to the internet when I switch my Guest network 2.4 and 5 GHz wifi to bypass the VPN. It seems they cannot access DNS so they can't use the internet. This is with addon set for the router to go through VPN.
The Netgear Guest network setup page also has the selection checked to block Guests from accessing other devices on the network. Perhaps the problem is that my DNS servers are local network devices (Adguard Home on the router and DNSCrypt/PiHole on a RaspberryPi)? These devices are listed under the optional DNS servers in the addon. I tried adding dhcp-option=ath11,3,192.168.1.10 and dhcp-option=ath01,3,192.168.1.10 in the DNSMasq configuration to point to a server but that didn't help. If I manually add internet DNS servers like 8.8.8.8 to my devices, they can use the internet. Deselecting the Guest network VPN bypass also gives guest devices full access to the internet. I didn't try it when I had the router itself set to bypass VPN, nor did I try it with the Netgear Guest setup check box for blocking access to other network devices deselected. I will look at this more when I am home in a few days.
Also as information, I have not noticed the same GUI delay issues reported by Primitivo, but I have only been using OpenVPN - and I may have missed it because I haven't been home much lately.
Best wishes,
BL
Hello,
Could you have a look at the output of:
Code:
ebtables -L
It should have rules to accept all traffic to port 53 -> so it even should allow DNS traffic to a locally run Pihole / AdGuard instance.
Are you sure Android is using plain DNS and doesn't try to use DoH? Because that might be blocked if you run DoH/DoT on your local network.
Finally, I switched off the Router bypassing - so the router was set to go through the VPN and the Guest network was still bypassing the VPN. In this case I lost internet connection and was not able to run the leaktest.
Hello,
What is the upstream DNS for your Pi-hole? Your router or some servers on the internet?
If the latter, how is Pi-Hole connecting to the internet? Direct or via VPN?
If the first, which DNS is your router using?
My suspicion is that somehow in your DNS chain, you are using the DNS servers from your ISP.
If the Router (or Pi-hole) goes via VPN, then those might not be reachable.
If that is the case, you could add some ip rule statements to force traffic to those ISP DNS servers to always go direct.
(but that would mean editing /usr/bin/addon_bypassvpnip.sh)
You could try that manually via: (replace 1.2.3.4 with the IP of your ISP DNS)
Code:
ip rule add to 1.2.3.4 table novpn
(or, if you add it in the script: ip rule add to 1.2.3.4 table $NOVPN_TABLE
for instance add it just before the section
#---------------------------------------------
# Bypass VPN for router itself:
)
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force
Hello,
R. Gerrits, thank you for taking the time to help me look into this. My Netgear Internet setup servers had all three spaces filled with public DNS (ControlID, DNSwatch, Freenom as those seem fastest for me). My R9000 Adguard uses ControlID. I started running AdGuard to test it in the Addon and never turned it off. PiHole runs on a RaspberryPi that is set to bypass the router VPN (and not running its own VPN). It uses a local instance of DNSCrypt-proxy for its DNS. The various public DNSCrypt servers are accessed via DNSCrypt's anonymous relays. PiHole is set to use only the DNSCrypt server and Cloudflared tunnel DOH servers as secondary DNS. I do not have anything listing my isp DNS that I know of unless it is pulled into something like /etc/resolv.conf somehow (but I don't see it there) and I have never seen the isp DNS show up on a leaktest when using the Addon.
I did change the Netgear Internet setup DNS to those of my ISP and then I had to leave for a couple of hours. I hate to admit it but I forgot to check if the Guest devices had internet or not. Anyway, I went ahead and modified the ip rules when I got back...
I took your suggestion to place: ip rule add to 1.2.3.4 table $NOVPN_TABLE into the script before
#---------------------------------------------
# Bypass VPN for router itself:
I then rebooted the router and checked my Guest wifi access. It worked when setting the Guest network to bypass and not to bypass the VPN! It also worked whether or not the router itself was set to bypass the VPN! I switched my Netgear Internet setup DNS back to the three I had originally used and everything still works. And at least the one VPN leaktest I ran for the router showed only my VPN DNS.
I am not going to pretend that I understand this, but I am just going to say WOW and THANK YOU, and keep my fingers crossed!
I will post a follow-up when I update the Add-on or if anything changes with this.
Best wishes,
BL
Thank you Kamoj. I did not know about this.
There is an easy way to add IP's to bypass VPN. The add-on always had this support:
# - Enable Telnet in web GUI: http://www.routerlogin.net/debug.htm
# - Start a command window or your telnet client and connect to the router, e.g:
# - telnet www.routerlogin.net and login with your normal router password
# Create a setting in the router flash-memory with e.g. the following commands:
# You can add several ip-addresses to bypass the VPN.
Code:
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force
# Separate each IP using a single space between them, as in the example above.
# This even survives a firmware and addon update!
Great, thank you very much for the report!
Hi there,
I would like to thank you all, Kamoj, and the team of people supporting him for this great add-on, as well as Voxel for making it possible to have a (properly working?) Netgear product.
Before updating to the current box I have been using Linksys box(es) with Tomato installed (WRTg54 and E4200).
I have been using this Netgear R9000 with VPN (and VPN-passthrough), and found them different (and sometimes better) than Tomato setup.
The combination of Voxel (entware) and Kamoj add-on make a strong set of tools to play with.
As speeds have gone up (I have a 1000 Mbit (down)/500 Mbit (up) connection through a coaxial connection to the ISP), I am interested in investigating the performance and stability of the Voxel/Kamoj add-on.
I have been using the Kamoj V5.4b35, and I have been noticing that the Adguard add-on kept starting on 192.168.1.1 recently (and making it impossible to use the internet, i.e. I had to shut down Adguard, and couldn't reconfigure).
The setup was working until ca. 1 week ago.
My box and current FW are:
R9000
Voxel V1.0.4.53HF
Kamoj Add-on V5.4b35
I will update to the newest FW (Voxel and Kamoj) and report if the issue continues.
BR
There is an easy way to add IP's to bypass VPN. The add-on always had this support:
# You can add several ip-addresses to bypass the VPN.
Code:
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202" nvram commit addon_bypassvpnip.sh force
I thought this option would only add bypass rules for all traffic FROM the specified IPs.
The solution that blueliner needed, was to add bypass rules for all traffic TO the specified IPs.
didn't yet look at b17 though, to see how you changed it.