Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Thu Mar 05, 2020 12:47 Post subject:
WARNING:DO NOT flash this experimental test build unless you know the risks and recovery methods. Report here to provide important info for developers and users. Always state your hardware model & version, mode (e.g. Repeater) and SPECIFIC build (e.g. netgear-r7000-webflash). Avoid discussions and create a new thread for specific problems or questions as this thread is not for support, and posts may be deleted or moved.
Important: if reporting any issues, provide applicable info (GUI syslog, `dmesg`, `cat /var/log/messages`, etc.)
Or put into SVN ticket. For firewall issues, also provide "iptables" info (`iptables -L`, `iptables -t nat -L`, & the /tmp/.ipt file).
Issues, observations, and/or workarounds reported:
1. DNScrypt is mostly only using v2 protocols now, but requires Golang that DD can't use (without entware): 6246
Notes:
1. SFE accelerated NAT is in 33006+ builds but only in kernel 3.2 and newer
2. 'KRACK' vulnerability fixes were completed in r33555 for non-Broadcom.
3. PBR/UDP with SFE working again since r40513 (see 6729)
4. CAKE scheduler changes "completed" with r41057 (see 5796) & FQ_CODEL_FAST with r41027 (reset first!)
5. Reset button was broken in 40571; fixed in build 40750.
6. CVE-2019-14899 VPN fix (r41784: applicability depends on VPN setup) and GUI toggle (r41812): ticket 6920, 6928, 6931, 6932
7. In-kernel samba now used and default min/max versions have changed, so change them if needed: 6954, 6957
8. EA8500 w/u-boot 1.0.12 switch reset/network failure on soft reboot fixed: 6467
Template example to copy (after "Code:") for posting issues, be sure to include the mode in use (gateway, AP, CB, etc.):
Linksys EA8500
DD-WRT v3.0-r42617 std (03/05/20)
Linux 4.9.215 #521 SMP Mon Mar 2 11:53:59 +03 2020 armv7l
GUI installed over r42607
all I use is good on this main gateway router
uptime 10:50
You EA8500 people with U-Boot ver 1.0.12 and have the problem with switch
not worky after simple reboot this build is reported to have FIXED that ...YaY!!!
#
Netgear WNDR3700 V4
DD-WRT v3.0-r42617 std (03/05/20)
Linux 3.18.140-d4 #72410 Thu Mar 5 04:42:04 +04 2020 mips
GUI installed over r42607
all I use is good
uptime 12:11
Router: Netgear R7800
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.9.215 #521 SMP Mon Mar 2 11:53:59 +03 2020 armv7l
Status: Working
Reset: No
Previous: 42602
Errors: No
Temperatures: CPU 54.178 °C / ath0 50 °C / ath1 48 °C
Working very well:
Router mode: DHCP
SFE Enable STP Enable
DNSMasq
Cache DNSSEC data
Validate DNS Replies (DNSSEC)
Check unsigned DNS replies
Local DNS
No DNS Rebind
ath0, ath1
Vpn (OpenVPN Client)
without VPN
with VPN
Last edited by Bernadoe on Sun Mar 08, 2020 7:25; edited 3 times in total
[quote="mrjcd"]Linksys EA8500
DD-WRT v3.0-r42617 std (03/05/20)
Linux 4.9.215 #521 SMP Mon Mar 2 11:53:59 +03 2020 armv7l
GUI installed over r42607
all I use is good on this main gateway router
uptime 10:50
You EA8500 people with U-Boot ver 1.0.12 and have the problem with switch
not worky after simple reboot this build is reported to have FIXED that ...YaY!!![/quote]
Confirmed!!! Three warm reboots in a row worked. At last I don't have to go downstairs 75% of the time to switch the EA8500 on and off because the warm reboot failed.
Thanks to all who contributed to the resolution of this minor, but very annoying, issue.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Thu Mar 05, 2020 17:29 Post subject:
Router Model: Netgear R7800
Firmware Version: DD-WRT v3.0-r42617 std (03/05/20)
Kernel Version: Linux 4.9.215 #521 SMP Mon Mar 2 11:53:59 +03 2020 armv7l
Upgraded from: OpenWRT (my own build with 19.07.1 )
Reset: Yes, nvram erase && reboot
Status: Up and running for 6 hours, basic setup as Gateway, static leases, OpenVPN client (on PIA) with Policy Based Routing up and running, 2.4GHz, 5GHz, USB storage NAS and OpenVPN server working, Wireguard working.
Resolved:
1. Pushed DNS servers from VPN provider are used starting with build 41120, if you do not want that, add the following to the Additional Config of the VPN client:
pull-filter ignore "dhcp-option DNS"
2. Build 41174 has an improved VPN Policy Based Routing, it is now possible to use the VPN route command i.e. to route a DNS server via the VPN (in this way you will get rid of the DNS leak), see: https://svn.dd-wrt.com/ticket/6815#comment:1 , and for DNS leaks the second posting of this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
3. Another improvement on PBR is that local routes are now copied over to the alternate routing table so there is communication if you have unbridged VAP's and you can set the router's IP on PBR.
See: https://svn.dd-wrt.com/ticket/6821#comment:3
4. Starting with build 41174, the PBR has become more versatile, you can now use " from [IP address] to [IP address] ", so if you enter the following in the PBR field:
192.168.1.124 to 95.85.16.212 #ipleak.net
it will only route IP address 95.85.16.212 (which is ipleak.net) from my IP address 192.168.1.124 via the VPN; everything else from this IP address will route via the WAN (this is just an example).
See: https://svn.dd-wrt.com/ticket/6822
Although this command itself supports routing per port this is however only available starting from K 4.17 so we have to rely on scripting for per port routing until then.
5. New OpenVPN TLS ciphers are added in 41308 see: https://svn.dd-wrt.com/changeset/41308
6. Starting with build 41304 you can now choose which TLS Key you want to use: TLS Auth or the newer/better TLS Crypt. See https://svn.dd-wrt.com/ticket/6845#comment:17
7. Builds from 41786 onwards, when using an OVPN server to connect to your local LAN clients, access might be prevented because of a patch which should solve a recent vulnerability ( see: https://svn.dd-wrt.com/ticket/6928)
This can be mitigated with the following firewall rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
When using WireGuard you can run into the same trouble, i.e. not being able to access your local LAN clients. For WireGuard this is the workaround:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE
This method described above also has security and logging concerns as all traffic has the same source address (your router).
An alternate method is using the following rule but it only works if the VPN or Wireguard interface is up and if your VPN or Wireguard interface goes down you have to reapply or run a continuous script checking/applying:
OpenVPN server:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
WireGuard:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j ACCEPT
This rule can expose your LAN side to the CVE attack, but if you have your IOT things separated and tight control over your LAN you should be good, if your LAN is hacked you have got bigger problems.
Builds starting with 41813 have an option button in OpenVPN and Wireguard for disabling the CVE-2019-14899 patch
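The post above notes that the `raw PREROUTING ACCEPT` workaround only holds while the tunnel interface is up and must otherwise be re-applied by hand or by a script. The following is an added example, not code from the post or from DD-WRT, of such a watchdog script: it inserts the post's ACCEPT rule while the tunnel interface exists and deletes it again when the tunnel goes away, so a stale rule never lingers. It assumes the OpenVPN server interface is named `tun2` and the WireGuard interface `oet1` (interface names are not given in the post); the nvram variable names are the ones the post uses. `DRY_RUN=1` and `NVRAM_<name>` overrides are there only so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example (not from the post): keep the raw PREROUTING ACCEPT rule
# in step with the tunnel interface. On the router run:  sh watch.sh watch
# Off-router dry run:  DRY_RUN=1 NVRAM_openvpn_net=10.8.0.0 \
#   NVRAM_openvpn_tunmask=255.255.255.0 NVRAM_oet1_ipaddr=10.10.0.1 \
#   NVRAM_oet1_netmask=255.255.255.0 sh watch.sh once
# Assumed interface names: tun2 (OpenVPN server), oet1 (WireGuard).

: "${DRY_RUN:=0}"
: "${IPTABLES:=iptables}"
: "${INTERVAL:=30}"

# nvram_get NAME: read a DD-WRT nvram variable; an exported NVRAM_<NAME>
# variable (constructed for testing) overrides it.
nvram_get() {
    eval "override=\${NVRAM_$1:-}"
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    else
        nvram get "$1"
    fi
}

# rule_spec SUBNET MASK: the match part of the post's rule, shared by
# -C (check), -I (insert) and -D (delete).
rule_spec() {
    printf -- '-i br0 -d %s/%s -j ACCEPT\n' "$1" "$2"
}

# iface_present IFACE: tun/wg interfaces report operstate "unknown",
# so existence in sysfs is the "tunnel is up" test.
iface_present() {
    [ -d "/sys/class/net/$1" ]
}

# decide_action IFACE_UP RULE_PRESENT (each 0/1): pure decision logic,
# kept separate so it can be checked without touching iptables.
decide_action() {
    case "$1$2" in
        10) echo insert ;;   # tunnel up, rule missing  -> add it
        01) echo delete ;;   # tunnel gone, rule stale  -> remove it
        *)  echo noop   ;;   # already consistent
    esac
}

# run_ipt ARGS...: execute iptables, or just show the command in dry-run mode.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*" >&2
        return 0
    fi
    "$IPTABLES" "$@"
}

# sync_rule IFACE SUBNET MASK: apply decide_action to the live state and
# report the action taken.
sync_rule() {
    spec=$(rule_spec "$2" "$3")
    if iface_present "$1"; then up=1; else up=0; fi
    # In dry-run mode the rule is assumed absent; otherwise ask iptables.
    # $spec is intentionally unquoted so it word-splits into arguments.
    if [ "$DRY_RUN" = 1 ]; then present=0
    elif "$IPTABLES" -t raw -C PREROUTING $spec 2>/dev/null; then present=1
    else present=0; fi
    action=$(decide_action "$up" "$present")
    case "$action" in
        insert) run_ipt -t raw -I PREROUTING $spec ;;
        delete) run_ipt -t raw -D PREROUTING $spec ;;
    esac
    echo "$1: $action"
}

sync_all() {
    sync_rule tun2 "$(nvram_get openvpn_net)" "$(nvram_get openvpn_tunmask)"
    sync_rule oet1 "$(nvram_get oet1_ipaddr)" "$(nvram_get oet1_netmask)"
}

case "${1:-}" in
    once)  sync_all ;;
    watch) while :; do sync_all; sleep "$INTERVAL"; done ;;
esac
```

On the router this would be started from the Startup script with `watch` so it polls every `INTERVAL` seconds; the `-C` check makes the insert idempotent, and deleting the rule when the tunnel is gone keeps the LAN-side exposure the post mentions limited to the time the VPN is actually in use.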
1) Gateway Router R7800
-DHCP WAN
-ISP IPv6 - Prefix Delegation for 5xVLANs via Dnsmasq
-7xVLANs + 7xBridges
-SSH -Custom Port & Key
-Telnet
-Syslog
-NTP server left blank
-QoS - Disabled
-TCP Congestion - bbr
-DDNS - Custom Script
-1xWireGuard
-Cron Jobs
-USB w/32GB USB3 Thumb Drive
-Entware DNSCrypt-Proxy V2 - IPv4/v6 Cisco Servers w/filtering
-YAMon3.4.6 w/Entware's ip-full for IPv6
-Custom Scripts
-Custom Startup,Shutdown,Firewall Scripts
-WiFi Disabled
-ttraff Disabled
-SFE Disabled
2) WiFi Router R7800
-Static WAN (double-NAT for 2xWireGuard & DNSCrypt-Proxy V2)
-8xVLANs + 8xBridges
-5xSSIDs-2xAPs+3xVAPs
-SSH -Custom Port & Key
-Telnet
-Syslog
-NTP server left blank
-TCP Congestion - bbr
-2xWireGuard
-Cron Job
-USB w/32GB USB3 Thumb Drive
-Entware DNSCrypt-Proxy V2 - IPv4 Quad9 Servers
-Custom Scripts
-Custom Startup,Shutdown,Firewall Scripts
-ttraff Disabled
-SFE Disabled
3) WireGuard Router R7800
-Static WAN (double-NAT for 3xWireGuard)
-5xVLANs + 5xBridges
-SSH -Custom Port & Key
-Telnet
-Syslog
-NTP server left blank
-TCP Congestion - bbr
-3xWireGuard
-Cron Job
-USB w/32GB USB3 Thumb Drive
-Custom Scripts
-Custom Startup,Firewall Scripts
-WiFi Disabled
-ttraff Disabled
-SFE Disabled
Firmware: DD-WRT v3.0-r42617 std (03/05/20) [from: DD-WRT v3.0-r42602 std (03/03/20)]
Linux Rel: Linux 4.9.215 #521 SMP Mon Mar 2 [from: same]
Reset: NO
Status & Uptime: Working over 4 hours
Issues/Fixes: High CPU Usage with QoS / Disabled
UPDATE Uptime: Over 91 Hours & Installed YAMon3.4.6 to Gateway Router over 38 Hours ago.
UPDATE2: Tweaking - Enabled 3rd R7800. Disabled QoS and testing ironstaff's tuning with changes to the Networking TX Queue Length from 1000 to 2. Uptimes have been reset after tweaking and manual reboot.
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
The broadcom repeater won't connect to this 2.4GHz.
R7500v2 WDS STATION
GUI upgrade
Will not connect to R7800 WDS AP.
Flash both back to 42478 for continued enjoyment.
fix your config. wds ap and wds sta are working. guaranteed
R7800 WDS AP
DD-WRT v3.0-r42617 std (03/05/20)
Linux 4.9.215 #521 SMP Mon Mar 2 11:53:59 +03 2020 armv7l
GUI upgrade over 42478
nvram erase+ manual config
R7500V2 WDS STA
CLI upgrade over 42478
nvram erase + manual config
WZR-HP-AG300H WDS STATION
CLI upgrade over 42287
No reset
WNDR3700V4 WDS STA
DD-WRT v3.0-r42617 std (03/05/20)
Linux 3.18.140-d4 #72410 Thu Mar 5 04:42:04 +04 2020 mips
CLI upgrade over 42078
No reset
BS is right, wds ap and wds sta are working for everything except the R7500V2.
All builds up to and including Feb-22 work fine. Feb-29 and later R7500 WDS STA will not connect to R7800 WDS AP with AC/N-Mixed 149 UU VHT80.
Tried NA-Mixed on all routers all connect except 7500V2.