Optware on R7800 / traffic control / firewall to fast

drnorton
DD-WRT User


Joined: 08 Dec 2009
Posts: 137

PostPosted: Mon Jun 07, 2021 14:44    Post subject: Optware on R7800 / traffic control / firewall to fast
I would like to add higher latency for some IP addresses in my network. Router R7800 with 46733.

So I wrote this in my Administration commands startup:

Code:

/bin/sh -c 'until [ -f /opt/etc/init.d/rc.unslung ]; do sleep 1 ; done'
/opt/etc/init.d/rc.unslung start
/opt/myStartup.sh


In myStartup.sh I put this inside:

Code:

#!/bin/sh
# setup a ~/.profile file
OUTFILE=/tmp/root/.profile

#new profile
rm -f $OUTFILE
#echo "export PATH=\$PATH:." >> $OUTFILE
echo "alias la='ls -lahrt'" >> $OUTFILE
echo "alias h='history'" >> $OUTFILE
echo "export PATH=/opt/bin:/opt/sbin:/opt/usr/sbin:/opt/usr/bin:/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin" >> $OUTFILE
echo "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/mmc/lib:/mmc/usr/lib:/opt/lib:/opt/usr/lib" >> $OUTFILE
echo "export PS1='\u@\h:\w\$ '" >> $OUTFILE


So traffic control is running. But the commands in the Administration commands firewall start too early, so they have no chance to run.

This is my firewall:

Code:


#Time Control
sleep 10
#tc qdisc add dev eth0 root netem delay 113ms
tc qdisc del dev br0 root
tc qdisc add dev br0 root handle 1: prio
tc qdisc add dev br0 parent 1:3 handle 30: netem  delay 145ms
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.11 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.12 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.13 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.14 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.15 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.16 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.17 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.18 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.19 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.33 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.34 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.20 flowid 1:3
#tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.21 flowid 1:3


iptables -A INPUT -s 193.238.60.65 -j DROP
iptables -A INPUT -s 139.129.188.227 -j DROP
#iptables -A INPUT -s 185.102.219.107 -j DROP
iptables -A OUTPUT -s 193.238.60.65 -j DROP
iptables -A OUTPUT -s 139.129.188.227 -j DROP
#iptables -A OUTPUT -s 185.102.219.107 -j DROP
iptables -A FORWARD -s 203.205.0.0/16 -j DROP
iptables -A FORWARD -s 139.129.0.0/16 -j DROP

#Accept incoming requests on port TCP 990, VPN TAP via RemoteProxy
iptables -I INPUT 1 -p tcp --dport 990 -j ACCEPT

#Accept incoming requests on port TCP 993, VPN TAP via tunnel
iptables -I INPUT 1 -p tcp --dport 993 -j ACCEPT

#Accept incoming requests on port TCP 994, Shadowsocks router via tunnel
iptables -I INPUT 1 -p tcp --dport 994 -j ACCEPT

#Accept incoming requests on port TCP 995, Shadowsocks router direct
iptables -I INPUT 1 -p tcp --dport 995 -j ACCEPT

#Accept incoming requests on port TCP 996, VPN TUN via tunnel to router 2
iptables -I INPUT 1 -p tcp --dport 996 -j ACCEPT

#Allow VPN clients access to router-internal processes
iptables -I INPUT 3 -i tap2 -j ACCEPT

#Allow connections between VPN clients
iptables -I FORWARD 3 -i tap2 -o tap2 -j ACCEPT

#Allow connections from the LAN into the VPN network and vice versa
iptables -I FORWARD -i br0 -o tap2 -j ACCEPT
iptables -I FORWARD -i tap2 -o br0 -j ACCEPT

#LAN2WAN
iptables -D FORWARD 1 -j lan2wan
iptables -I FORWARD 1 -j lan2wan



When I run the commands in an SSH terminal, they run perfectly.
How can I change this so that my firewall starts after the PATH from myStartup.sh is active?

Thanks..
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Jun 07, 2021 16:36    Post subject:
First some remarks: I would use -I instead of -A for the DROP rules.

You are presumably running an OpenVPN TAP server. OpenVPN should make the necessary firewall rules for TAP2, so those should not be necessary on recent builds.

The INPUT rules for shadowsocks etc. are missing an in interface. Maybe you do want it on all interfaces, but if not, consider adding the interface.

The problem, I think, is that the firewall rules are executed before the rules in startup, so adding sleep does not help.
What you can do is spawn a process, e.g. put the firewall rules in a script (including the necessary sleep).
Call that script from the Firewall and add &.
The & behind the script means start in its own process, so the firewall will continue and then the startup will be executed while the spawned process is still waiting.
Of course you can make it somewhat more sophisticated, e.g. let the startup script make a file when done and have your spawned process sleep until that file is made.

Just a thought

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon Jun 07, 2021 17:32    Post subject:
I'm failing to see why none of this is entered in the box and "Add Firewall" is not clicked versus "Add startup". Perhaps putting things in the proper place might help? Not sure QoS (tc) lines can be added to the firewall, so that may need to be put in the startup...

Also, not sure why you would use Optware/Entware for tc on the R7800, either.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
drnorton
DD-WRT User


Joined: 08 Dec 2009
Posts: 137

PostPosted: Tue Jun 08, 2021 5:04    Post subject:
@kernel-panic69
I use Optware for traffic control.
The function for changing the latency is not in QoS.
And I had it in my old router R7000 running with DD-WRT in this way. And ... yes, the iptables rules and so on are in Firewall, not in startup.

@egc
thanks...
Yes, I use a TAP server. OK, so I will change the rules for it. I used these rules in my old router R7000 with an older DD-WRT version, so I thought I would use them in this one too.

So I will test it with -I in my DROP rules.

I will use Shadowsocks, so I wrote it inside. I will install it later. It was also running in my old router R7000.

Can you tell me how I must do it?

You mean I write it in the GUI? Administration commands firewall? Like /opt/myFirewall.sh
And my script myFirewall.sh with all the rules for this in the /opt directory?
In this script I use a sleep command.


thanks in advance...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Jun 08, 2021 9:08    Post subject:
drnorton wrote:
@kernel-panic69

You mean I write it in the GUI? Administration commands firewall? Like /opt/myFirewall.sh
And my script myFirewall.sh with all the rules for this in the /opt directory?
In this script I use a sleep command.


thanks in advance...


Yes, exactly: put all the commands (including the sleep) in /opt/myfirewall.sh and call that script from the firewall with:
Code:
/opt/myfirewall.sh &

One tip: /opt is on your USB stick and that might not be up yet, so use this to wait for the USB stick to be up:
Code:
is-mounted.sh /opt/myfirewall.sh  #wait for file to become available
/opt/myfirewall.sh &


Make sure you have made the script executable.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
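A firewall script written along the lines egc describes in both replies (spawned with & from the Firewall box, waiting for a flag that the startup script writes instead of a fixed sleep, with the tc filter list generated rather than hand-copied and iptables rules inserted only once), as an added example that is not a script posted in this thread. The flag path /tmp/mystartup.done, the host list, the tap2 interface for the "via tunnel" port and the overridable IPT/TC command names are assumptions.

```shell
#!/bin/sh
# Added example, not a script from this thread: /opt/myFirewall.sh that waits for a ready
# flag written by myStartup.sh (assumed path /tmp/mystartup.done) instead of a fixed sleep,
# then applies the netem delay and iptables rules without stacking duplicate rules.
READY_FLAG=${READY_FLAG:-/tmp/mystartup.done}
IPT=${IPT:-iptables}   # overridable so the rule logic can be dry-run without root
TC=${TC:-tc}
DELAYED_HOSTS="192.168.6.11 192.168.6.12 192.168.6.20 192.168.6.36"   # LAN hosts to delay

# wait_for_file FILE SECONDS: return 0 once FILE exists, 1 if it has not appeared in time
wait_for_file() {
    _f=$1; _left=$2
    while [ ! -e "$_f" ]; do
        [ "$_left" -gt 0 ] || return 1
        _left=$((_left - 1))
        sleep 1
    done
    return 0
}

# ipt_insert_once CHAIN RULE...: insert only if an identical rule is not already present,
# so a second run of the script does not add a second copy of every rule
ipt_insert_once() {
    $IPT -C "$@" 2>/dev/null || $IPT -I "$@"
}

# netem_filter_cmds "HOST HOST ...": print one tc filter command per host, which replaces
# the long list of near-identical hand-written lines
netem_filter_cmds() {
    for _h in $1; do
        echo "$TC filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst $_h flowid 1:3"
    done
}

apply_rules() {
    $TC qdisc del dev br0 root 2>/dev/null          # start from a clean root qdisc
    $TC qdisc add dev br0 root handle 1: prio
    $TC qdisc add dev br0 parent 1:3 handle 30: netem delay 145ms
    netem_filter_cmds "$DELAYED_HOSTS" | sh
    ipt_insert_once INPUT -s 193.238.60.65 -j DROP
    # ACCEPT bound to an interface as egc suggests; tap2 for the "via tunnel" port is an assumption
    ipt_insert_once INPUT -i tap2 -p tcp --dport 994 -j ACCEPT
}

# run only when executed as the firewall script; sourcing the file just defines the functions
if [ "${0##*/}" = "myFirewall.sh" ]; then
    wait_for_file "$READY_FLAG" 120 || echo "myFirewall.sh: ready flag missing after 120s, applying anyway" >&2
    apply_rules
fi
```

In the Firewall box this is then called as `is-mounted.sh /opt/myFirewall.sh; /opt/myFirewall.sh &`, and myStartup.sh ends with `touch /tmp/mystartup.done`.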
drnorton
DD-WRT User


Joined: 08 Dec 2009
Posts: 137

PostPosted: Sat Jun 12, 2021 15:11    Post subject:
Hi..

I have tested it, but the second script for the firewall will not start at the right time. I think USB needs too much time. Only when I start it myself, then it will run.

This is now in my Commands Startup:

Code:

#IP addresses for VPN
echo '192.168.6.210    VPN-x' >> /etc/hosts
echo '192.168.6.211    VPN-y' >> /etc/hosts
echo '192.168.6.212    VPN-z' >> /etc/hosts
echo "ifconfig-push 192.168.6.210 255.255.255.0" > /jffs/etc/openvpn/ccd/'x'
echo "ifconfig-push 192.168.6.211 255.255.255.0" > /jffs/etc/openvpn/ccd/'y'
echo "ifconfig-push 192.168.6.212 255.255.255.0" > /jffs/etc/openvpn/ccd/'z'
killall -HUP dnsmasq
/bin/sh -c 'until [ -f /opt/etc/init.d/rc.unslung ]; do sleep 1 ; done'
/opt/etc/init.d/rc.unslung start


/opt/etc/init.d/S22shadowsocks start
/opt/bin/stunnel&

is-mounted.sh /opt/myStartup.sh
/opt/myStartup.sh&

is-mounted.sh /opt/myFirewall.sh 
/opt/myFirewall.sh&


This is my myStartup.sh script:

Code:

#!/bin/sh
OUTFILE=/tmp/root/.profile

#new profile
rm -f $OUTFILE
echo "alias la='ls -lahrt'" >> $OUTFILE
echo "alias h='history'" >> $OUTFILE
echo "export PATH=/opt/bin:/opt/sbin:/opt/usr/sbin:/opt/usr/bin:/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin" >> $OUTFILE
#echo "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/mmc/lib:/mmc/usr/lib:/opt/lib:/opt/usr/lib" >> $OUTFILE


And that's in my myFirewall.sh script:

Code:

#!/bin/sh

#Time Control
sleep 5

#tc qdisc add dev eth0 root netem delay 113ms
tc qdisc del dev br0 root
tc qdisc add dev br0 root handle 1: prio
tc qdisc add dev br0 parent 1:3 handle 30: netem  delay 145ms
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.11 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.12 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.13 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.14 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.15 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.16 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.17 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.18 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.19 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.20 flowid 1:3
tc filter add dev br0 protocol ip parent 1:0 prio 3 u32 match ip dst 192.168.6.36 flowid 1:3


iptables -I INPUT -s 193.238.60.65 -j DROP
iptables -I INPUT -s 139.129.188.227 -j DROP
iptables -I OUTPUT -s 193.238.60.65 -j DROP
iptables -I OUTPUT -s 139.129.188.227 -j DROP
iptables -I FORWARD -s 203.205.0.0/16 -j DROP
iptables -I FORWARD -s 139.129.0.0/16 -j DROP

#Accept incoming requests on port TCP 990, VPN TAP via RemoteProxy
iptables -I INPUT 1 -p tcp --dport 990 -j ACCEPT

#Accept incoming requests on port TCP 993, VPN TAP via tunnel
iptables -I INPUT 1 -p tcp --dport 993 -j ACCEPT

#Accept incoming requests on port TCP 994, Shadowsocks router via tunnel
iptables -I INPUT 1 -p tcp --dport 994 -j ACCEPT

#Accept incoming requests on port TCP 995, Shadowsocks router direct
iptables -I INPUT 1 -p tcp --dport 995 -j ACCEPT

#Accept incoming requests on port TCP 996, VPN TUN via tunnel to router 2
iptables -I INPUT 1 -p tcp --dport 996 -j ACCEPT

#Allow VPN clients access to router-internal processes
iptables -I INPUT 3 -i tap2 -j ACCEPT

#Allow connections between VPN clients
iptables -I FORWARD 3 -i tap2 -o tap2 -j ACCEPT

#Allow connections from the LAN into the VPN network and vice versa
iptables -I FORWARD -i br0 -o tap2 -j ACCEPT
iptables -I FORWARD -i tap2 -o br0 -j ACCEPT

#LAN2WAN
#iptables -D FORWARD 1 -j lan2wan
#iptables -I FORWARD 1 -j lan2wan


Maybe some idea how to manage this?

Thanks