Setting up an ASUS RT-N66U running Merlin on an existing network

[dave14305]

There is another option called "Spoof LAN TTL value" but I'm not sure what that does.

Looking at the source code comments:

/* Several ISPs restrict Internet sharing by checking TTL value,
* i.e allow Phones/Tablets only. Fix WAN outgoing packets with
* router's TTL, default is 64  */

https://github.com/RMerl/asuswrt-me...5b2286/release/src/router/rc/firewall.c#L4432

 

[ColinTaylor]

Looking at the source code comments:

/* Several ISPs restrict Internet sharing by checking TTL value,
* i.e allow Phones/Tablets only. Fix WAN outgoing packets with
* router's TTL, default is 64  */

https://github.com/RMerl/asuswrt-me...5b2286/release/src/router/rc/firewall.c#L4432

Yeah, I saw that. But the code that followed didn't seem to match the description. It also effects outgoing packets where we're more interested in incoming packets. I think the code just above with ttl_inc_enable is more relevant but it looks like it's hidden unless you're using a specific ISP.

 

[LighthammerX]

Merlin never implemented that since it was broke....I remember debugging it and adding it to my fork.

@LighthammerX
Since you are running an N66 (and a minimal config right now), you may want to try my fork and that Extend TTL setting.

Do you have a link?

 

[ColinTaylor]

Do you have a link?

https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v36ea.18914/

 

[john9527]

I never implemented the Spoof TTL setting (supply and demand )

If it's determined that's needed as well, I can take a look at adding it.

 

[dave14305]

Yeah, I saw that. But the code that followed didn't seem to match the description. It also effects outgoing packets where we're more interested in incoming packets. I think the code just above with ttl_inc_enable is more relevant but it looks like it's hidden unless you're using a specific ISP.

Ok, I see now what you mean. The packets are coming back through the transparent proxy with TTL set to 1 so that the residents can’t use a NAT router on the network. Switching to John’s fork would let him fix the incoming packets at his router so they can make the final hop to the client.

It’s a smart move to switch to John’s fork anyway for an N66U since Merlin 380.70 is the end of the line. I ran the fork on my N66U before upgrading to an AC68U this summer.

 

[dave14305]

What if he just tested the iptables command from Johns fork on his existing firmware?

iptables -t mangle -A PREROUTING -i <wan_if> -m ttl --ttl-eq 1 -j TTL --ttl-set 64

 

[ColinTaylor]

What if he just tested the iptables command from Johns fork on his existing firmware?

I thought about that (and I'd expect it to work) but figured that by the time he read the message he would have already installed John's firmware.

@LighthammerX BTW The option you're looking for is located on the Firewall > General page in John's firmware, not the WAN page.

 

[john9527]

What if he just tested the iptables command from Johns fork on his existing firmware?

It's been a while.....but IIRC at least part of the problem that was breaking that option was that the correct module wasn't being modprobe'd or maybe the module wasn't being built by the firmware.

 

[dave14305]

It's been a while.....but IIRC at least part of the problem that was breaking that option was that the correct module wasn't being modprobe'd or maybe the module wasn't being built by the firmware.

Gotcha. Looks like xt_hl was also related to this option. So upgrading fw is the best course of action.

 

[LighthammerX]

So, I'm running into a problem here getting this firmware installed.

Since its an older version then Merlins (he's at 380.7), it's claiming it can't install it because of a security risk being that's older.

I was going to revert to an earlier version of the OEM Firmware and try that, but I realize it might brick the router going to a custom one after that (manufacturers love forcing their own system on people and all).

At this point I reinstalled Merlin 380.7 hoping there was just some errors in the install. No go on that end.

Any thoughts before I plow ahead?

 

[john9527]

So, I'm running into a problem here getting this firmware installed.

Since its an older version then Merlins (he's at 380.7), it's claiming it can't install it because of a security risk being that's older.

I was going to revert to an earlier version of the OEM Firmware and try that, but I realize it might brick the router going to a custom one after that (manufacturers love forcing their own system on people and all).

At this point I reinstalled Merlin 380.7 hoping there was just some errors in the install. No go on that end.

Any thoughts before I plow ahead?

Read through the first post in the thread where you downloaded the firmware. You need to use the Recovery tool or CFE mini server to downgrade from the current Merlin builds.

 

[LighthammerX]

Read through the first post in the thread where you downloaded the firmware. You need to use the Recovery tool or CFE mini server to downgrade from the current Merlin builds.

Gah, never done that before.

Oh well, time to learn.

I'll figure that out today and see where I stand.

 

[LighthammerX]

I've been exploring other options I might have --- I think before I play with router firmware, I'm going to see if I can setup a Linux Server in between my connection and the router and see if that will give me the results I need. Frankly, I'd prefer a Windows Server just because of my familiarity with Windows Server, but have found in the past that setting up these sorts of things, especially on a small ATOM computer have less then desirable results. I'll use the opportunity to get more familiar with Linux.

With a little luck, I'll have feedback on that result and bared that working, the suggestions for moving to John's firmware.

I'll report back when I have time to work through these two resolutions. It will be before the end of the weekend.

Thanks a lot for the help so far guys and thanks for sticking with me. It's much appreciated.

 

[LighthammerX]

I figured I'd stop by and give an aftermath of the happenings.

Things work now --- but I am very confused why and how --- I suspect I will never actually get the answer.

As I had mentioned, I ended up setting up an Ubuntu Workstation and configured it mostly as a server installing several different network services from a guide I had found that focused on setting Ubuntu up like a router.

That didn't ultimately work, so I tried creating a bridge between the two connections instead of setting up a connection sharing.

That didn't work and that's about where I stopped for a while. I decided to hammer down legal options for a while because, truthfully, I was dragging my feat on the prospects of reinstalling the original firmware to use the fork.

Thats where everything sat for about 2 weeks or so.

With the legal options being long and complicated, I decided to give a few more things a try. Low and behold, things MAGICALLY started working.

I don't know if Ubuntu grabbed a patch that resolved things, if my apartment complex changed something or updated something on their side or what, but through no additional troubleshooting on my side things were now resolved. I'd be inclined to think it was more of the later then the former, but the former could be possible too.

As it stands right now, I have my connection running from the jack into the Ubuntu Server then into the RT-N66U with the latest version of Merlin for many of the connections with it in Router Mode and the connection plugged into the WAN port.

I'm mystified what actually fixed it, but I'm glad its done.

Thanks very much for help in resolving the issue.