Padavan's Custom Firmware

[gburlingame]

Directions for setting up new built-in OpenVPN server

https://code.google.com/p/rt-n56u/downloads/list

Version 66 has just been released! I been watching the changes, and many of them have been made. Especially, the addition of OpenVPN!

Hi Shikami,

Have you come upon any directions for configuring the new built-in OpenVPN server? Thanks!

Greg

 

[geko53]

Changelog

Can somebody tell me where I can find the changelog for new padavan builds? I wasn't able to discover it at the project home page...

Ciao
Gerald

 

[geko53]

I wasn't able to discover it at the project home page...

Seems that I have to buy new glasses - found the answer at http://code.google.com/p/rt-n56u/source/browse/changes.eng.txt

Tot kijk
Gerald

 

[Nevlever]

IPv6 Firewall?

Using a N56U with Padavan version 3.4.3.6-066. I just exchanged my modem with Comcast to get one that is IPv6 compatible, and everything seems to work fine. I have an IPv6 address and I can access IPv6 sites.

My question is, it seems that the N56U only firewalls IPv4 traffic?

If I run the "Shields Up" firewall test (https://grc.com/x/ne.dll?bh0bkyd2‎) with or without Windows 7 firewall turned on, all of my ports are always "stealthed".

If I run what I assume is a similar test, but for IPv6 (http://ipv6.chappell-family.com/ipv6tcptest/), I am only "stealthed" when I have the Windows firewall on. This leads me to believe the N56U firewall isn't actually doing anything? Is this just an incorrect conclusion I am making?

Assuming I am just not really confused and misunderstanding something, how do I get the N56U to firewall the IPv6 traffic? I'm thinking I just need to set up some ip6tables, which I could probably figure out on my own with some Googling, but I can't figure out where to actually set up ip6tables. I did find /bin/ip6tables, but I don't know how to, or if I even should, try to modify that file.

Thanks in advance for any help.

Edit: Just found the "Custom User Scripts" section and just copy/pasted some stuff in to the "Run after firewall rules restarted:" section:

ip6tables :INPUT ACCEPT [0:0]
ip6tables :FORWARD ACCEPT [0:0]
ip6tables :OUTPUT ACCEPT [0:0]
ip6tables :RH-Firewall-1-INPUT - [0:0]
ip6tables -A INPUT -j RH-Firewall-1-INPUT
ip6tables -A FORWARD -j RH-Firewall-1-INPUT
ip6tables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited

This resulted in me losing all IPv6 connectivity =D, even after deleting it and rebooting the modem. I figure I just need to factory reset the router, which I can't do at this moment, but am I at least on the right track here? Just need to figure out what it was that I copy/pasted.

 

[zainday4]

The new release of firmware version 3.4.3.6-068 is ready.

 

[mikee]

Im trying to find a firmware version that has the ability to kick a certain computer/device off at a certain time of day, does padavan have this ability?

My old router had one but since I now have 150/10 internet I have purchased the RT N56U and I can't seem to find access restrictions any where.

BTW I am pretty new when it comes to routers, when people say 'reflash' the stock version what does this mean?

 

[RogerSC]

Using a N56U with Padavan version 3.4.3.6-066. I just exchanged my modem with Comcast to get one that is IPv6 compatible, and everything seems to work fine. I have an IPv6 address and I can access IPv6 sites.

My question is, it seems that the N56U only firewalls IPv4 traffic?

If I run the "Shields Up" firewall test (https://grc.com/x/ne.dll?bh0bkyd2‎) with or without Windows 7 firewall turned on, all of my ports are always "stealthed".

If I run what I assume is a similar test, but for IPv6 (http://ipv6.chappell-family.com/ipv6tcptest/), I am only "stealthed" when I have the Windows firewall on. This leads me to believe the N56U firewall isn't actually doing anything? Is this just an incorrect conclusion I am making?

Assuming I am just not really confused and misunderstanding something, how do I get the N56U to firewall the IPv6 traffic? I'm thinking I just need to set up some ip6tables, which I could probably figure out on my own with some Googling, but I can't figure out where to actually set up ip6tables. I did find /bin/ip6tables, but I don't know how to, or if I even should, try to modify that file.

Thanks in advance for any help.

Edit: Just found the "Custom User Scripts" section and just copy/pasted some stuff in to the "Run after firewall rules restarted:" section:

ip6tables :INPUT ACCEPT [0:0]
ip6tables :FORWARD ACCEPT [0:0]
ip6tables :OUTPUT ACCEPT [0:0]
ip6tables :RH-Firewall-1-INPUT - [0:0]
ip6tables -A INPUT -j RH-Firewall-1-INPUT
ip6tables -A FORWARD -j RH-Firewall-1-INPUT
ip6tables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited

This resulted in me losing all IPv6 connectivity =D, even after deleting it and rebooting the modem. I figure I just need to factory reset the router, which I can't do at this moment, but am I at least on the right track here? Just need to figure out what it was that I copy/pasted.

If you log into the router via telnet, you can run this command:

ip6tables -L -v

which will tell you which of the entries is doing all the "DROP"'s and/or "REJECT"'s, and you can make some more educated guesses at what might be wrong.

 

[RMerlin]

Using a N56U with Padavan version 3.4.3.6-066. I just exchanged my modem with Comcast to get one that is IPv6 compatible, and everything seems to work fine. I have an IPv6 address and I can access IPv6 sites.

My question is, it seems that the N56U only firewalls IPv4 traffic?

If I run the "Shields Up" firewall test (https://grc.com/x/ne.dll?bh0bkyd2‎) with or without Windows 7 firewall turned on, all of my ports are always "stealthed".

If I run what I assume is a similar test, but for IPv6 (http://ipv6.chappell-family.com/ipv6tcptest/), I am only "stealthed" when I have the Windows firewall on. This leads me to believe the N56U firewall isn't actually doing anything? Is this just an incorrect conclusion I am making?

Assuming I am just not really confused and misunderstanding something, how do I get the N56U to firewall the IPv6 traffic? I'm thinking I just need to set up some ip6tables, which I could probably figure out on my own with some Googling, but I can't figure out where to actually set up ip6tables. I did find /bin/ip6tables, but I don't know how to, or if I even should, try to modify that file.

Thanks in advance for any help.

Edit: Just found the "Custom User Scripts" section and just copy/pasted some stuff in to the "Run after firewall rules restarted:" section:

ip6tables :INPUT ACCEPT [0:0]
ip6tables :FORWARD ACCEPT [0:0]
ip6tables :OUTPUT ACCEPT [0:0]
ip6tables :RH-Firewall-1-INPUT - [0:0]
ip6tables -A INPUT -j RH-Firewall-1-INPUT
ip6tables -A FORWARD -j RH-Firewall-1-INPUT
ip6tables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited

This resulted in me losing all IPv6 connectivity =D, even after deleting it and rebooting the modem. I figure I just need to factory reset the router, which I can't do at this moment, but am I at least on the right track here? Just need to figure out what it was that I copy/pasted.

Try adding a rule to accept established/related connections to the firewall chain, i.e.:

ip6tables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want a reference set of ipv6 firewall rules, here is what I use in my FW:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m tcp -p tcp --dport 5916 -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -o v6in4 -i br0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP

(replace the v6in4 interface with your WAN interface - these rules are for a tunnel)

 

[Nevlever]

Try adding a rule to accept established/related connections to the firewall chain, i.e.:


If you want a reference set of ipv6 firewall rules, here is what I use in my FW:

/snip

(replace the v6in4 interface with your WAN interface - these rules are for a tunnel)

Thanks. I think I just now managed to get it figured out though. Figured out how to view what rules the router was currently using and compared the iptables rules to the ip6tables rules. I noticed that in iptables, the last rule for "FORWARD" said to drop anything going "out" to br0 (which I believe in this case is the LAN). This rule was missing in ip6tables, so I added it:

ip6tables -A FORWARD -o br0 -j DROP

As far as I can tell, this now seems to be working, at least according to that IPv6 firewall test I linked earlier. I do still seem to respond to the "ICMPv6 ECHO REQUEST", but I think I read this is necessary for IPv6 to function, so maybe there's no way around that? Looks like you have a lot of rules regarding ICMPv6, though, so maybe I just need to do some more research.

My ip6tables rules now look like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   266 ACCEPT     all      lo     *       ::/0                 ::/0                
   27  2248 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmp !type 128
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0
    0     0 DROP       all      *      *       ::/0                 ::/0                 state INVALID
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      br0    *       ::/0                 ::/0                
    3   505 ACCEPT     all      *      *       fe80::/10            ::/0                
    0     0 ACCEPT     all      *      *       ::/0                 ff00::/8            
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:546
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain FORWARD (policy ACCEPT 69 packets, 12645 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0                
   28  1456 ACCEPT     icmpv6    *      *       ::/0                 ::/0                
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0
   12   830 DROP       all      *      *       ::/0                 ::/0                 state INVALID
    6  1866 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
   39  3254 DROP       all      *      br0     ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 38 packets, 3191 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 state NEW LOG flags 7 level 4 prefix "ACCEPT "
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 state NEW LOG flags 7 level 4 prefix "DROP "
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain maclist (0 references)
 pkts bytes target     prot opt in     out     source               destination

 

[RMerlin]

As far as I can tell, this now seems to be working, at least according to that IPv6 firewall test I linked earlier. I do still seem to respond to the "ICMPv6 ECHO REQUEST", but I think I read this is necessary for IPv6 to function, so maybe there's no way around that? Looks like you have a lot of rules regarding ICMPv6, though, so maybe I just need to do some more research.

The icmp and rt rules were implemented by Asus, who seem to have followed various RFC recommendations for these. I remember reading an RFC where they said that responding to ICMPv6 Echo Request was required to be compliant, tho it might not be an actual technical requirement. Considering how impractical it would be for a malicious user to ping entire /56 subnets in an attempt to find an host who responds, I don't see this as being a security risk (that was the same rationale used in the RFC to justify their requirement too).

 

[Nevlever]

The icmp and rt rules were implemented by Asus, who seem to have followed various RFC recommendations for these. I remember reading an RFC where they said that responding to ICMPv6 Echo Request was required to be compliant, tho it might not be an actual technical requirement. Considering how impractical it would be for a malicious user to ping entire /56 subnets in an attempt to find an host who responds, I don't see this as being a security risk (that was the same rationale used in the RFC to justify their requirement too).

Does this mean that, since the theoretical hacker can already determine that my system exists due to the ping response, refused connections are okay, as opposed to all my ports being stealthed? Or would there still be an advantage to not sending a response over sending a connection refused response?

Edit: Just noticed that my phone doesn't respond to a ICMPv6 ping when on Verizon's mobile network, so is there a way to respond to some pings to remain compliant but at the same time block other pings?

 

[RMerlin]

Does this mean that, since the theoretical hacker can already determine that my system exists due to the ping response, refused connections are okay, as opposed to all my ports being stealthed? Or would there still be an advantage to not sending a response over sending a connection refused response?

ICMP packets are either replied or ignored. It's not a connection in the same sense as TCP or UDP.

Edit: Just noticed that my phone doesn't respond to a ICMPv6 ping when on Verizon's mobile network, so is there a way to respond to some pings to remain compliant but at the same time block other pings?

Short of accepting/ignoring ICMP packets based on their source IP, there isn't much more control that you can have over them.

I expect general IPv6 implementations to remain a mess for at least quite a few years, as people are still struggling to fully understand them. Some people will follow RFCs to the letter (Asus seems to have been leaning in this general direction), others will will just implement what works based on their IPv4 experiences (which is a bad idea - there are quite a lot of differences between IPv4 and IPv6). For example, some people begged for an IPv6 implementation of NAT in the standards, which means they missed quite a few points there (first, NAT being, IMHO, an ugly kludge to a problem that no longer exists with IPv6).

 

[Nevlever]

Well I thought I had everything working correctly but I guess I didn't. IPv6 connectivity seems to be really hit or miss, sometimes I have it and it seems to work perfectly and sometimes I don't.

The router always looks to me like it is connected properly, but for some reason my computer doesn't seem to always get the Gateway and DNS info. It will even sometimes drop out after having been working just fine. My Windows computer and my Android tablet both seem to be having this problem.

Also, I undid what I did with the ip6tables, and I am still having this problem.

Screenshots of what I think are the relevant router config pages:
http://i.imgur.com/CjvC3NKh.png
http://i.imgur.com/6IShgJMh.png

And Network Connection Details:
http://i.imgur.com/GMSdXk8.png

 

[Gabry89]

Hi,
I have an rt-56u with latest Padavan Firmware ad I want to create a script which reboot the device at 3.00 at night.
I see that with latest version of fw there is a new section "Run after router started", but i can't figure out what to write to make it reboot at the specified time.
Can anyone help me, please?

Thank you!

 

[Adamm]

echo "0 3 * * * reboot" >> /var/spool/cron/crontabs/admin
[ -n "`pidof crond`" ] && killall -q crond
sleep 1
crond

 

[Gabry89]

cut

Thank you!!!

 

[aaronwt]

Why does the router need to be rebooted? I think the only time I've rebooted my two N56Us is when I upload a new Padavan firmware.
Should I be rebooting mine?

 

[Relative]

Holy crap.

I never used this firmware before but it's amazing. What the hell happened wrt the official firmware?

 

[jolu]

When I use padavan the internet stops working from time to time. It's like the connection times out and I have to wait before I get it to work again(approximately between 30s and 2 min).Right now I'm back to the asus .342-firmware. Has someone else experienced this?

 

[RMerlin]

Holy crap.

I never used this firmware before but it's amazing. What the hell happened wrt the official firmware?

Padavan's been doing this for quite some time, and by now he sure knows what he's doing.