Voxel [R7800] Voxel OpenVPN connection and msftncsi issues

[NoFish]

Hi everybody, first of all big up for the community and all the hard work that's being done here. Really cool to see.

I decided to switch from DD-WRT to Voxel after reading many good things. However, after a day of tinkering and reading, I'm a bit stuck. My main use case is OpenVPN running directly from the R7800, so this has been my focus when starting.

For some context: I run a pihole on a dedicated Pi, have an Ubuntu server, some audio, a macbook and some streaming devices.

Two issues:

1. After starting OpenVPN, I can't connect to the web anymore. Seems like a DNS issue (it's always DNS), but I'm not knowledgeable enough yet to debug it.

2022-04-09 20:24:29 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2022-04-09 20:24:29 OpenVPN 2.5.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2022-04-09 20:24:29 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-04-09 20:24:29 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-04-09 20:24:29 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-09 20:24:29 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-09 20:24:29 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-09 20:24:29 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-09 20:24:29 nice -20 succeeded
2022-04-09 20:24:29 TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.206.106:1198
2022-04-09 20:24:29 Socket Buffers: R=[212992->425984] S=[212992->425984]
2022-04-09 20:24:29 UDP link local: (not bound)
2022-04-09 20:24:29 UDP link remote: [AF_INET]217.138.206.106:1198
2022-04-09 20:24:30 TLS: Initial packet from [AF_INET]217.138.206.106:1198, sid=cd3defa8 babed181
2022-04-09 20:24:30 VERIFY OK: depth=1, CN=ChangeMe
2022-04-09 20:24:30 VERIFY KU OK
2022-04-09 20:24:30 Validating certificate extended key usage
2022-04-09 20:24:30 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-09 20:24:30 VERIFY EKU OK
2022-04-09 20:24:30 VERIFY OK: depth=0, CN=server
2022-04-09 20:24:30 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 36034'
2022-04-09 20:24:30 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 36000'
2022-04-09 20:24:30 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-04-09 20:24:30 [server] Peer Connection Initiated with [AF_INET]217.138.206.106:1198
2022-04-09 20:24:31 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2022-04-09 20:24:31 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.255.0.4,route-gateway 10.10.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.1.5 255.255.255.0,peer-id 3,auth-tokenSESS_ID,cipher AES-256-GCM'
2022-04-09 20:24:31 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2022-04-09 20:24:31 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-09 20:24:31 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-09 20:24:31 OPTIONS IMPORT: route options modified
2022-04-09 20:24:31 OPTIONS IMPORT: route-related options modified
2022-04-09 20:24:31 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-04-09 20:24:31 OPTIONS IMPORT: peer-id set
2022-04-09 20:24:31 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-04-09 20:24:31 OPTIONS IMPORT: data channel crypto options modified
2022-04-09 20:24:31 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-09 20:24:31 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-09 20:24:31 net_route_v4_best_gw query: dst 0.0.0.0
2022-04-09 20:24:31 net_route_v4_best_gw result: via <GATEWAY_IP> dev brwan
2022-04-09 20:24:31 TUN/TAP device tun21 opened
2022-04-09 20:24:31 TUN/TAP TX queue length set to 1000
2022-04-09 20:24:31 net_iface_mtu_set: mtu 1500 for tun21
2022-04-09 20:24:31 net_iface_up: set tun21 up
2022-04-09 20:24:31 net_addr_v4_add: 10.10.1.5/24 dev tun21
2022-04-09 20:24:31 /etc/openvpn/ovpnclient-up.sh tun21 1500 1624 10.10.1.5 255.255.255.0 init
2022-04-09 20:24:31 net_route_v4_add: 217.138.206.106/32 via <GATEWAY_IP> dev [NULL] table 0 metric -1
2022-04-09 20:24:31 net_route_v4_add: 0.0.0.0/1 via 10.10.1.1 dev [NULL] table 0 metric -1
2022-04-09 20:24:31 net_route_v4_add: 128.0.0.0/1 via 10.10.1.1 dev [NULL] table 0 metric -1
2022-04-09 20:24:31 Initialization Sequence Completed
/opt/xagent/run-xagent.sh: /opt/xagent/run-xagent.sh: 3: system: not found
/opt/xagent/run-xagent.sh: /opt/xagent/run-xagent.sh: 4: system: not found
Please specify hardware_id (by --hardware_id option) to run xagent.
It should contain only upper latin letters and numbers and have 13 symbols
/opt/xagent/xagent:    [-d|--daemon] [-c|--config_file <file name>]
        [--disable_console] [--disable_log_file] [--model_id]
        [--ca_path <path to CA folder>] [--ca_file <path to cert file>]
        [--log_debug|--log_info|--log_warning|--log_error|--log_silent]
        [-w|--watchdog] [-v|--version] [--log_file <filename>]
        [-s|--service_id <service_id>] [--discovery_time <discovery time>]
        [--discovery_id <id>] [--carrier_id <id>] [--discovery_data <data>]
        [--start_paused] [--log_file_cnt <count of files in rotation>]
        [--log_file_size <max size of log file before rotation in human format: nK|nM where n in 1-9999>]
        [--pid_file <pid_file>] [--watchdog_pid_file <pid_file>]
        [--broker_keepalive <time>,<probes>,<intv>] [--agent_keepalive <time>,<probes>,<intv>]
        [--agent_heartbeat <time>]
        --hardware_id <hardware id> [--model_id <model_id>]
Content-type:text/html

2. After trying to get OpenVPN working I got flood with log entries on my pihole. I read this is a Microsoft service, but I have no Microsoft gear in my setup. I think either OpenVPN, DNScrypt or the adguard-dns addition in /etc/dnscrypt.con/. somehow caused this. However, reverting these options, or even installing from scratch hasn't solved it. It's poluting the logs, so it would be nice to get rid of it.

Curious for your advice!

 

[NoFish]

For others facing the same issue.

Resetting the device and NVRAM as instructed by @kamoj in this post seems to have solved the msftncsi flood.

mtd erase netgear
nvram default
nvram commit
reboot

Now all there is left is the OpenVPN part.

EDIT: This seems not the case.

 

[HELLO_wORLD]

For the OpenVPN issue, have you tried to connect directly to an IP adresse instead of a domain name? Just to confirm it is DNS related.
If it is not DNS related, you might want to check the route on the router ip route

 

[NoFish]

For others facing the same issue.

Resetting the device and NVRAM as instructed by @kamoj in this post seems to have solved the msftncsi flood.

mtd erase netgear
nvram default
nvram commit
reboot

Now all there is left is the OpenVPN part.

As it turns out it's something else: the moment I remove the Entware USB from the R7800, it stops contacting msftncsi.

@HELLO_wORLD good suggestion and will get back to you after reformatting the USB with a fresh install of Entware.

 

[HELLO_wORLD]

Are you using expressvpn?
If so, it could be the problem: look at the comments

https://www.reddit.com/r/pihole/comments/e2x046

 

[NoFish]

Are you using expressvpn?
If so, it could be the problem: look at the comments

https://www.reddit.com/r/pihole/comments/e2x046

I use WeVPN, but it's similar behaviour indeed. Thanks for the link.

 

[NoFish]

Are you using expressvpn?
If so, it could be the problem: look at the comments

https://www.reddit.com/r/pihole/comments/e2x046

So I tried to netstat, as described in your link

sudo netstat -ptc | grep ip.addr

but functions seem to be limited in netstat on the router:

Options:
        -l      Display listening server sockets
        -a      Display all sockets (default: connected)
        -e      Display other/more information
        -n      Don't resolve names
        -r      Display routing table
        -t      Tcp sockets
        -u      Udp sockets
        -w      Raw sockets
        -x      Unix sockets

Do you have suggestions? If I understand correctly I'm looking to identify the processes which try to connect to www.msftncsi.com.

 

[HELLO_wORLD]

So I tried to netstat, as described in your link

sudo netstat -ptc | grep ip.addr

but functions seem to be limited in netstat on the router:

Options:
        -l      Display listening server sockets
        -a      Display all sockets (default: connected)
        -e      Display other/more information
        -n      Don't resolve names
        -r      Display routing table
        -t      Tcp sockets
        -u      Udp sockets
        -w      Raw sockets
        -x      Unix sockets

Do you have suggestions? If I understand correctly I'm looking to identify the processes which try to connect to www.msftncsi.com.

You should install netstat from Entware (opkg update && opkg install net-tools):

root@HERMES:~$ netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) rose (AMPR ROSE) ipx (Novell IPX)
    ddp (Appletalk DDP) x25 (CCITT X.25)

EDIT: the Entware package to install is net-tools, not netstat (netstat is part of net-tools)

 

[NoFish]

It doesn't recognise Netstat for me, only Dstat, is that possible?

/opt/bin/opkg install netstat
Unknown package 'netstat'.
Collected errors:
* opkg_install_cmd: Cannot install package netstat.

You should install netstat from Entware (opkg update && opkg install netstat):

root@HERMES:~$ netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) rose (AMPR ROSE) ipx (Novell IPX)
    ddp (Appletalk DDP) x25 (CCITT X.25)

 

[HELLO_wORLD]

It doesn't recognise Netstat for me, only Dstat, is that possible?

/opt/bin/opkg install netstat
Unknown package 'netstat'.
Collected errors:
* opkg_install_cmd: Cannot install package netstat.

My apologies, netstat is part of net-tools, you need to install net-tools:
opkg install net-tools

Then you will have the correct netstat installed.

 

[NoFish]

Thanks for your help, Netstat works now! However, I don't get desired results when using the commands used in the reddit post. All of this is new to me, but I'm learning as we go. Any thoughts?

1.

nslookup www.msftncsi.com

Non-authoritative answer:
www.msftncsi.com    canonical name = www.msftncsi.com.edgesuite.net.
www.msftncsi.com.edgesuite.net    canonical name = a1961.g2.akamai.net.
Name:    a1961.g2.akamai.net
Address: 104.110.240.233
Name:    a1961.g2.akamai.net
Address: 104.110.240.218

2.

netstat -ptc | grep 104.110.240

This returns nothing, the CLI simply keeps hanging.

However, whenever running the command it see the following entries in my PiHole log:

Running netstat -ptc withouth grep returns:

root@R7800:/tmp/mnt/sda2/entware/bin$ /opt/bin/netstat -ptc
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    145 R7800:telnet            192.168.1.XXX:52984     ESTABLISHED 12121/utelnetd
tcp6       0      0 localhost:www           localhost:50065         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50066         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50067         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50064         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50063         TIME_WAIT   -
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    145 R7800:telnet            192.168.1.XXX:52984     ESTABLISHED 12121/utelnetd
tcp        0      0 localhost:www           localhost:39939         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50065         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50066         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50067         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50064         TIME_WAIT   -
tcp6       0      0 localhost:www           localhost:50063         TIME_WAIT   -

My apologies, netstat is part of net-tools, you need to install net-tools:
opkg install net-tools

Then you will have the correct netstat installed.

 

[HELLO_wORLD]

What you see in the pihole is IPv6 related…

Maybe try this : netstat -4ptcl or netstat -4ptca
-4 to filter ony IPv4 and -l to see the server connections (or -a to see all the connections) on the router?

 

[NoFish]

That worked, I found at least one microsoft proces, but killing them didn't stop the msftncsi calls. Do you see anything out of the ordinary here?

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 R7800:49152             0.0.0.0:*               LISTEN      5980/hostapd
tcp        0      0 0.0.0.0:42080           0.0.0.0:*               LISTEN      5964/lighttpd
tcp        0      0 0.0.0.0:33344           0.0.0.0:*               LISTEN      -
tcp        0      0 R7800:49153             0.0.0.0:*               LISTEN      6637/hostapd
tcp        0      0 localhost:14369         0.0.0.0:*               LISTEN      4283/xagent
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN      6492/transmission-d
tcp        0      0 0.0.0.0:20005           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      4774/potval
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN      5318/minidlna
tcp        0      0 0.0.0.0:42443           0.0.0.0:*               LISTEN      5964/lighttpd
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN      5473/smbd
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-dir      0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-fd       0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-sd       0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9104            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      4285/uhttpd
tcp        0      0 0.0.0.0:9105            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9106            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      6972/miniupnpd
tcp        0      0 0.0.0.0:9107            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9108            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      6492/transmission-d
tcp        0      0 0.0.0.0:9109            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      4593/dnsmasq
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      5308/dropbear
tcp        0      0 R7800:telnet            0.0.0.0:*               LISTEN      17317/utelnetd
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      4285/uhttpd
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN      5473/smbd

What you see in the pihole is IPv6 related…

Maybe try this : netstat -4ptcl or netstat -4ptca
-4 to filter ony IPv4 and -l to see the server connections (or -a to see all the connections) on the router?

 

[HELLO_wORLD]

That worked, I found at least one microsoft proces, but killing them didn't stop the msftncsi calls. Do you see anything out of the ordinary here?

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 R7800:49152             0.0.0.0:*               LISTEN      5980/hostapd
tcp        0      0 0.0.0.0:42080           0.0.0.0:*               LISTEN      5964/lighttpd
tcp        0      0 0.0.0.0:33344           0.0.0.0:*               LISTEN      -
tcp        0      0 R7800:49153             0.0.0.0:*               LISTEN      6637/hostapd
tcp        0      0 localhost:14369         0.0.0.0:*               LISTEN      4283/xagent
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN      6492/transmission-d
tcp        0      0 0.0.0.0:20005           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      4774/potval
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN      5318/minidlna
tcp        0      0 0.0.0.0:42443           0.0.0.0:*               LISTEN      5964/lighttpd
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN      5473/smbd
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-dir      0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-fd       0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:bacula-sd       0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9104            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      4285/uhttpd
tcp        0      0 0.0.0.0:9105            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9106            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      6972/miniupnpd
tcp        0      0 0.0.0.0:9107            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:9108            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      6492/transmission-d
tcp        0      0 0.0.0.0:9109            0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      4593/dnsmasq
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      5308/dropbear
tcp        0      0 R7800:telnet            0.0.0.0:*               LISTEN      17317/utelnetd
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      4872/KC_PRINT
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      4285/uhttpd
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN      5473/smbd

The Microsoft one is from the Samba Daemon… Probably not at the origin of your problem.

Did you try to compare with and without VPN enabled to see if it is related to that?

 

[NoFish]

I did, without luck. I guess I'll try with a clean USB stick to see if it makes a difference.

The Microsoft one is from the Samba Daemon… Probably not at the origin of your problem.

Did you try to compare with and without VPN enabled to see if it is related to that?

 

[HELLO_wORLD]

I did, without luck. I guess I'll try with a clean USB stick to see if it makes a difference.

So your problem is probably different from the one in the link I posted as for them it was related to the VPN.

Before reinstalling everything, can you check what you have installed with Entware? It has to be some kind of service you installed that resided in /opt/…
You could use that command to see what is running from Entware:

 

[NoFish]

Sure, the -a switch seems not to work though..

So your problem is probably different from the one in the link I posted as for them it was related to the VPN.

Before reinstalling everything, can you check what you have installed with Entware? It has to be some kind of service you installed that resided in /opt/…
You could use that command to see what is running from Entware:

View attachment 40814

 

[HELLO_wORLD]

Ah yes, ps is not aliased to ps-procps-ng by default, I apologize again…

Just run this command instead:

/usr/bin/ps-procps-ng -aux | grep -e /opt/

 

[NoFish]

No apologies needed, I really appreciate the effort.

Here's the output:

root      4062  0.0  0.0   1712   388 pts/0    S+   18:11   0:00 grep -e /opt/
root      4293  0.0  0.1   8392   708 ?        S    18:08   0:00 /opt/xagent/xagent -w -d --ca_file /opt/xagent/certs/ca-bundle-mega.crt --hardware_id 5K549B51000FD --model_id R7800
root      4299  0.0  0.5  15468  2832 ?        Sl   18:08   0:00 /opt/xagent/xagent -w -d --ca_file /opt/xagent/certs/ca-bundle-mega.crt --hardware_id 5K549B51000FD --model_id R7800

Ah yes, ps is not aliased to ps-procps-ng by default, I apologize again…

Just run this command instead:

/usr/bin/ps-procps-ng -aux | grep -e /opt/

 

[HELLO_wORLD]

No apologies needed, I really appreciate the effort.

Here's the output:

root      4278  0.0  0.1   8392   708 ?        S    14:17   0:00 /opt/xagent/xagent -w -d --ca_file /opt/xagent/certs/ca-bundle-mega.crt --hardware_id 5K549B51000FD --model_id R7800
root      4283  0.0  0.5  15468  2832 ?        Sl   14:17   0:00 /opt/xagent/xagent -w -d --ca_file /opt/xagent/certs/ca-bundle-mega.crt --hardware_id 5K549B51000FD --model_id R7800
root     22548  0.0  0.0   1712   392 pts/0    S+   17:47   0:00 grep -e /opt/

Ok, this is normal…
/opt/xagent/xagent is not from Entware, but it is ReadyCloud in the firmware, so it seems you have nothing running from Entware.

When you don't have the USB plugged, you don't have the msftncsi flood.
I suspect then it is not related to Entware, but to the fact there is a USB drive or not, so something native in the firmware… So maybe Samba after all, or something related to ReadyShare?

I have a USB, so I will see if I have such calls to msftncsi

EDIT: I do have a few requests in the range 104.0.0.0/8, but it seems normal (requests from devices on LAN) and very little… No flood, so I am not sure what is doing that for you…