DD-WRT :: View topic - Optware on R7800 / traffic control / firewall to fast

Optware on R7800 / traffic control / firewall to fast

DD-WRT Forum Index -> Atheros WiSOC based Hardware

View previous topic :: View next topic

Author

Message

drnorton
DD-WRT User

Joined: 08 Dec 2009
Posts: 137

Posted: Mon Jun 07, 2021 14:44 Post subject: Optware on R7800 / traffic control / firewall to fast

I like to make higher latency for some Ip adresses in my network. Router R7800 with 46733.

So I wrote this in my Administration commands startup:

Code:

/bin/sh -c 'until [ -f /opt/etc/init.d/rc.unslung ]; do sleep 1 ; done'
/opt/etc/init.d/rc.unslung start
/opt/myStartup.sh

In myStartup.sh I put this inside:

Code:

#!/bin/sh
# setup a ~/.profile file
OUTFILE=/tmp/root/.profile

#new profile
rm -f $OUTFILE
#echo "export PATH=\$PATH:." >> $OUTFILE
echo "alias la='ls -lahrt'" >> $OUTFILE
echo "alias h='history'" >> $OUTFILE
echo "export PATH=/opt/bin:/opt/sbin:/opt/usr/sbin:/opt/usr/bin:/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin" >> $OUTFILE
echo "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/mmc/lib:/mmc/usr/lib:/opt/lib:/opt/usr/lib" >> $OUTFILE
echo "export PS1='\u@\h:\w\$ '" >> $OUTFILE[/size]

So traffic control is running. But the commands in Administration commands firewall starts to early. So they have no chance to run.

This is my firewall:

Code:

#Time Control
sleep10
#tc qdisc add dev eth0 root netem delay 113ms
tc qdisc del dev br0 root
tc qdisc add dev br0 root handle 1: prio
tc qdisc add dev br0 parent 1:3 handle 30: netem delay 145ms
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.11 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.12 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.13 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.14 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.15 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.16 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.17 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.18 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.19 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.33 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.34 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.20 flowid 1:3
#tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.21 flowid 1:3

iptables -A INPUT -s 193.238.60.65 -j DROP
iptables -A INPUT -s 139.129.188.227 -j DROP
#iptables -A INPUT -s 185.102.219.107 -j DROP
iptables -A OUTPUT -s 193.238.60.65 -j DROP
iptables -A OUTPUT -s 139.129.188.227 -j DROP
#iptables -A OUTPUT -s 185.102.219.107 -j DROP
iptables -A FORWARD -s 203.205.0.0/16 -j DROP
iptables -A FORWARD -s 139.129.0.0/16 -j DROP

#Akzeptieren eingehende Anfragen am Port TCP 990 VPN TAP über RemoteProxy
iptables -I INPUT 1 -p tcp --dport 990 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 993 VPN TAP über Tunnel
iptables -I INPUT 1 -p tcp --dport 993 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 994 Shadowsocks Router über Tunnel
iptables -I INPUT 1 -p tcp --dport 994 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 995 Shadowsocks Router direkt
iptables -I INPUT 1 -p tcp --dport 995 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 996 VPN TUN über Tunnel an Router 2
iptables -I INPUT 1 -p tcp --dport 996 -j ACCEPT

#Erlaubt den VPN Clients den Zugriff auf routerinterne Prozesse
iptables -I INPUT 3 -i tap2 -j ACCEPT

#Erlaubt Verbindungen zwischen VPN Clients
iptables -I FORWARD 3 -i tap2 -o tap2 -j ACCEPT

#Erlaubt Verbinungen von LAN ins VPN Netz und umgekehrt
iptables -I FORWARD -i br0 -o tap2 -j ACCEPT
iptables -I FORWARD -i tap2 -o br0 -j ACCEPT

#LAN2WAN
iptables -D FORWARD 1 -j lan2wan
iptables -I FORWARD 1 -j lan2wan

When I run the commands in ssh terminal it runs perfect.
How can I change this that my firewall will start after the path from myStartup.sh is active ?

Thanks..

Sponsor

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 11701
Location: Netherlands

Posted: Mon Jun 07, 2021 16:36 Post subject:

First some remarks, I would use -I instead of -A for the DROP rules.

You are running an OpenVPN TAP server presumably, OpenVPN should make the necessary firewall rules for TAP2 so those should not be necessary on recent builds.

The INPUT rules for shadowsocks etc are missing in in interface maybe you do want it on all interfaces but if not consider adding the interface.

The problem, I think, is that the firewall rules are executed before the rules in startup so adding sleep does not help.
What you can do is spawn a process e.g. put the firewall rules in a script (including the necessary sleep).
Call that script from the Firewall and add &
The & behind the script means start in own process so the firewall will continue and then the startup will be executed while the spawned process is still waiting.
Of course you can make it somewhat more sophisticated e.g. let the startup script make a file when done and have your spawned process sleeping until that file is made Smile

Just a thought
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

kernel-panic69
DD-WRT Guru

Joined: 08 May 2018
Posts: 13435
Location: Texas, USA

Posted: Mon Jun 07, 2021 17:32 Post subject:

I'm failing to see why none of this is entered in the box and "Add Firewall" is not clicked versus "Add startup". Perhaps putting things in the proper place might help? Not sure QoS (tc) lines can be added to the firewall, so that may need to be put in the startup...

Also, not sure why you would use Optware/Entware for tc on R7800, either.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.
----------------------
Linux User #377467 counter.li.org / linuxcounter.net

drnorton
DD-WRT User

Joined: 08 Dec 2009
Posts: 137

Posted: Tue Jun 08, 2021 5:04 Post subject:

@kernel-panic69
I use Optware for traffic Control.
The function for change the latency is not in qos.
And I had it in my old Router R7000 running with dd-wrt in this way. And ... Yes the iptables roules and so on are in Firewall not in startup.

@edc
thanks...
Yes I use a TAp Server. Ok So i will change the roules for it. I use this roules in my old Router R7000 with a older DD-wrt version. so I thought I use it in this too.

So I will test it with -I in my Drop rules.

I will use Shadowsocks. So I wrote inside. I will install it later. Was also running in my old Router R7000

Can you tell me how I must do it ?

You mean I wrote it in the gui ? Administration commands firewall ? like /opt/myFirewall.sh
And my script myFirewall.sh with all rules for this in /opt directory ?
In this script I use a sleep command.

thanks in advanced... Smile

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 11701
Location: Netherlands

Posted: Tue Jun 08, 2021 9:08 Post subject:

drnorton wrote:

@kernel-panic69

You mean I wrote it in the gui ? Administration commands firewall ? like /opt/myFirewall.sh
And my script myFirewall.sh with all rules for this in /opt directory ?
In this script I use a sleep command.

thanks in advanced... Smile

Yes exactly put all the commands (including the sleep) in /opt/myfirewall.sh and call that script from the firewall with:

Code:

/opt/myfirewall.sh &

one tip /opt is on your USB stick and that might not be up so use this to wait for the USB stick to be up:

Code:

is-mounted.sh /opt/myfirewall.sh #wait for file to become available
/opt/myfirewall.sh &

Make sure you have made the script executable
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

drnorton
DD-WRT User

Joined: 08 Dec 2009
Posts: 137

Posted: Sat Jun 12, 2021 15:11 Post subject:

Hi..

I have test it but the second script for the firewall will not start at right time. I think USB need to much time.Only when I start it by myself with then it will run.

This are now in my Commands Startup:

Code:

#IP Adressen fuer VPN
echo '192.168.6.210 VPN-x' >> /etc/hosts
echo '192.168.6.211 VPN-y' >> /etc/hosts
echo '192.168.6.212 VPN-z' >> /etc/hosts
echo "ifconfig-push 192.168.6.210 255.255.255.0" > /jffs/etc/openvpn/ccd/'x'
echo "ifconfig-push 192.168.6.211 255.255.255.0" > /jffs/etc/openvpn/ccd/'y'
echo "ifconfig-push 192.168.6.212 255.255.255.0" > /jffs/etc/openvpn/ccd/'z'
killall -HUP dnsmasq
/bin/sh -c 'until [ -f /opt/etc/init.d/rc.unslung ]; do sleep 1 ; done'
/opt/etc/init.d/rc.unslung start

/opt/etc/init.d/S22shadowsocks start
/opt/bin/stunnel&

is-mounted.sh /opt/myStartup.sh
/opt/myStartup.sh&

is-mounted.sh /opt/myFirewall.sh
/opt/myFirewall.sh&

this is my myStartup.sh script:

Code:

#!/bin/sh
OUTFILE=/tmp/root/.profile

#new profile
rm -f $OUTFILE
echo "alias la='ls -lahrt'" >> $OUTFILE
echo "alias h='history'" >> $OUTFILE
echo "export PATH=/opt/bin:/opt/sbin:/opt/usr/sbin:/opt/usr/bin:/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin" >> $OUTFILE
#echo "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/mmc/lib:/mmc/usr/lib:/opt/lib:/opt/usr/lib" >> $OUTFILE

and thats in my myFirewall.sh script

Code:

#!/bin/sh

#Time Control
sleep 5

#tc qdisc add dev eth0 root netem delay 113ms
tc qdisc del dev br0 root
tc qdisc add dev br0 root handle 1: prio
tc qdisc add dev br0 parent 1:3 handle 30: netem delay 145ms
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.11 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.12 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.13 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.14 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.15 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.16 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.17 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.18 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.19 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.20 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.36 flowid 1:3

iptables -I INPUT -s 193.238.60.65 -j DROP
iptables -I INPUT -s 139.129.188.227 -j DROP
iptables -I OUTPUT -s 193.238.60.65 -j DROP
iptables -I OUTPUT -s 139.129.188.227 -j DROP
iptables -I FORWARD -s 203.205.0.0/16 -j DROP
iptables -I FORWARD -s 139.129.0.0/16 -j DROP

#Akzeptieren eingehende Anfragen am Port TCP 990 VPN TAP über RemoteProxy
iptables -I INPUT 1 -p tcp --dport 990 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 993 VPN TAP über Tunnel
iptables -I INPUT 1 -p tcp --dport 993 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 994 Shadowsocks Router über Tunnel
iptables -I INPUT 1 -p tcp --dport 994 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 995 Shadowsocks Router direkt
iptables -I INPUT 1 -p tcp --dport 995 -j ACCEPT

#Akzeptieren eingehende Anfragen am Port TCP 996 VPN TUN über Tunnel an Router 2
iptables -I INPUT 1 -p tcp --dport 996 -j ACCEPT

#Erlaubt den VPN Clients den Zugriff auf routerinterne Prozesse
iptables -I INPUT 3 -i tap2 -j ACCEPT

#Erlaubt Verbindungen zwischen VPN Clients
iptables -I FORWARD 3 -i tap2 -o tap2 -j ACCEPT

#Erlaubt Verbinungen von LAN ins VPN Netz und umgekehrt
iptables -I FORWARD -i br0 -o tap2 -j ACCEPT
iptables -I FORWARD -i tap2 -o br0 -j ACCEPT

#LAN2WANC
#iptables -D FORWARD 1 -j lan2wan
#iptables -I FORWARD 1 -j lan2wan

Maybe some idea to manage this ?

Thanks

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Atheros WiSOC based Hardware

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Optware on R7800 / traffic control / firewall to fast

Quick Links

Log in