Router/Version: Netgear R7800
File/Kernel: DD-WRT v3.0-r47090 std (07/26/21)
Previous/Reset: DD-WRT v3.0-r47086 std (07/22/21) / No
Mode/Status: Gateway / Working with QoS Disabled
Issues/Errors: Firewall Rules Not Applied When QoS and OpenVPN Server Enabled at the Same Time
SFE and STP: Disabled
After some more testing, I discovered that if I disable the OpenVPN Server/Daemon, the QoS functions correctly and all clients can access the Internet. So I tried upgrading the firmware to DD-WRT v3.0-r47090 std (07/26/21), with the same result. If either OpenVPN or QoS is enabled, but not both, the respective feature works correctly. If both are enabled, QoS does not work, clients cannot access the Internet and the firewall rules are not applied correctly; however, the OpenVPN server allows outside connections from the Internet. Both OpenVPN and QoS will work correctly if the firewall service is manually restarted via ssh. Erasing the nvram and manually reconfiguring is next on the to-do list.
Anyone using an R7800 with OpenVPN and QoS enabled at the same time?
OpenVPN Configuration:
Code:
OpenVPN: Enable
CVE-2019-14899 Mitigation: Disable
Start Type: WAN Up
Inbound Firewall on TUN: Unchecked
Config as: GUI(server)
Server mode: Router(TUN)
Network: 10.8.0.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: udp
Encryption Cipher: AES-256-GCM
Hash Algorithm: SHA512
First Data Cipher: AES-256-GCM
Second Data Cipher: AES-256-CBC
Third Data Cipher: AES-128-CBC
Advanced Options: Enable
TLS Cipher: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Compression: Adaptive
Redirect default Gateway: Disable
Allow Client to Client: Disable
Allow duplicate Clients: Disable
Allow Clients WAN access (internet): Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Blank
Tunnel UDP MSS-Fix: Disable
Use ECDH instead of DH.PEM: Disable
The Samba hostname is actually being taken from Setup -> Basic Setup -> Optional Settings -> Host Name. Changing the host name there is reflected in Samba. I am able to change the host name which is shown in Network in Windows (I use a Windows laptop).
Did not work. Will keep checking in the meantime, but as it stands right now, it does not work.
Did that. The router's "hostname" does not show up in Windows Explorer.
Did another "nvram erase && reboot" and it did not fix it.
I did try to connect to the share by typing the router's IP address into the address bar of Windows Explorer
Code:
\\192.168.1.1
and then it takes me over to the shares on the drive.
It is not "discoverable" in the Network section of Windows Explorer. I believe the same would also go for Linux's own "network explorer". If I am not mistaken, I believe you would open the "Files" program and click on Network in the left pane in order for Linux distros like Ubuntu or Linux Mint to "discover" shares on the network.
_________________ For people who are new to the dd-wrt forums >> http://www.catb.org/~esr/faqs/smart-questions.html#rtfm
barryware wrote:
It takes a "community" to raise a router..
Internet Connection 1
Some Technicolor modem > Linksys WRT3200ACM
Internet connection 2
Ubiquiti Powerbeam Gen 2 > Netgear R9000
Official (but not really) dd-wrt General Discussion element/matrix chat
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue Jul 27, 2021 8:14 Post subject:
mickelalloy wrote:
Router/Version: Netgear R7800
File/Kernel: DD-WRT v3.0-r47090 std (07/26/21)
Previous/Reset: DD-WRT v3.0-r47086 std (07/22/21) / No
Mode/Status: Gateway / Working with QoS Disabled
Issues/Errors: Firewall Rules Not Applied When QoS and OpenVPN Server Enabled at the Same Time
SFE and STP: Disabled
After some more testing, I discovered that if I disable the OpenVPN Server/Daemon, the QoS functions correctly and all clients can access the Internet. So I tried upgrading the firmware to DD-WRT v3.0-r47090 std (07/26/21), with the same result. If either OpenVPN or QoS is enabled, but not both, the respective feature works correctly. If both are enabled, QoS does not work, clients cannot access the Internet and the firewall rules are not applied correctly; however, the OpenVPN server allows outside connections from the Internet. Both OpenVPN and QoS will work correctly if the firewall service is manually restarted via ssh. Erasing the nvram and manually reconfiguring is next on the to-do list.
Anyone using an R7800 with OpenVPN and QoS enabled at the same time?
OpenVPN Configuration:
Code:
OpenVPN: Enable
CVE-2019-14899 Mitigation: Disable
Start Type: WAN Up
Inbound Firewall on TUN: Unchecked
Config as: GUI(server)
Server mode: Router(TUN)
Network: 10.8.0.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: udp
Encryption Cipher: AES-256-GCM
Hash Algorithm: SHA512
First Data Cipher: AES-256-GCM
Second Data Cipher: AES-256-CBC
Third Data Cipher: AES-128-CBC
Advanced Options: Enable
TLS Cipher: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Compression: Adaptive
Redirect default Gateway: Disable
Allow Client to Client: Disable
Allow duplicate Clients: Disable
Allow Clients WAN access (internet): Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Blank
Tunnel UDP MSS-Fix: Disable
Use ECDH instead of DH.PEM: Disable
How do you test this configuration?
Do you wait long enough, or do you do a restart and test again? Those rules need time to be recreated...
Just for the record, read the stickies about OpenVPN.
Also:
Inbound Firewall on TUN - strongly recommended to be enabled...
Compression: Adaptive - and this should be disabled...
If I have time I will test to try to recreate those errors on my R7800 today... but I doubt you are doing something wrong... instead
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
At least 5 minutes after rebooting or cycling the power. But I have also waited 15 minutes or more just to be sure.
If I uncheck Inbound Firewall on TUN, the clients are unable to access any of the local network resources. Is there a better way to handle this?
Agreed on setting Compression to Disabled. I have updated the configuration.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Jul 27, 2021 12:36 Post subject:
There seems to be some kind of miscommunication.
The Inbound Firewall on TUN is surely recommended when using the OpenVPN client; on the server it will block connections from outside, so that is not recommended for a server setup.
Note most OpenVPN server firewall settings are done by the firewall.
If the OpenVPN server is disabled when you boot, the firewall will of course not be opened up for the OpenVPN server, because it is disabled.
When you enable the OpenVPN server the firewall is not restarted automatically; that is why the old advice is still valid: after you change settings, reboot.
(The above probably has nothing to do with your QoS problem.)
Thanks for the clarification on the TUN firewall option, egc.
Not sure why some have trouble with the OVPN server setup.
If this will help, here are my configs. There is a bit of a NOTE I put in the middle of the page explaining a bit.
https://mrjcd.com/junk/dd-wrt/ovpn-config.html
Hope this helps some of you guys.
AND I am NOT saying it is perfect, and egc may see some iffy stuff, but this works fine for me.
Yeah, this is getting way off the main post's subject topic.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Jul 27, 2021 14:43 Post subject:
mrjcd wrote:
Not sure why some have trouble with the OVPN server setup.
If this will help, here are my configs. There is a bit of a NOTE I put in the middle of the page explaining a bit.
https://mrjcd.com/junk/dd-wrt/ovpn-config.html
Hope this helps some of you guys.
AND I am NOT saying it is perfect, and egc may see some iffy stuff, but this works fine for me.
Yeah, this is getting way off the main post's subject topic.
Router/Version: R7800
File/Kernel: DD-WRT v3.0-r47090 std (07/26/21)
Kernel Version: Linux 4.9.276 #336 SMP Mon Jul 26 01:18:52 +07 2021 armv7l
Previous/Reset: r47086 / No, CLI Update
Mode/Status: GW(double-nat) & AP / Working Well
Issues/Errors: none / none
Services Used: Static WAN,IPv6 6to4,WiFi Vanilla,NTP,2xWG Clients,VAPx,VLANx,BRx,SSH,Syslog,Cron,USB Storage,Entware DNSCrypt v2.0.45
Services Disabled: QoS,ttraff,SFE,Telnet,NAS,Samba
All running for over 30 hours
Thank you BrainSlayer for your Great Work and everyone else who makes DD-WRT Great on the Forum!
_________________ Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Wed Jul 28, 2021 4:47 Post subject:
mickelalloy wrote:
Router/Version: Netgear R7800
File/Kernel: DD-WRT v3.0-r47090 std (07/26/21)
Previous/Reset: DD-WRT v3.0-r47086 std (07/22/21) / No
Mode/Status: Gateway / Working with QoS Disabled
Issues/Errors: Firewall Rules Not Applied When QoS and OpenVPN Server Enabled at the Same Time
SFE and STP: Disabled
Yep, I can confirm: after enabling QoS, the output of iptables -t mangle -vnL
shows funny stuff... there is some rule duplication as well... those remain on restart...
Otherwise the router is functional...
I haven't tested the full scenario with VPN and QoS...
iptables -t mangle before QoS is applied:
Code:
Chain PREROUTING (policy ACCEPT 917 packets, 199K bytes)
pkts bytes target prot opt in out source destination
7 280 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpmss match !536:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
2 180 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
261 121K MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x100000
0 0 DROP all -- * * 224.0.0.0/3 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 240.0.0.0/5 0.0.0.0/0
Chain INPUT (policy ACCEPT 664 packets, 109K bytes)
pkts bytes target prot opt in out source destination
664 109K RRDIPT_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 495 packets, 686K bytes)
pkts bytes target prot opt in out source destination
495 686K RRDIPT_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 651 packets, 768K bytes)
pkts bytes target prot opt in out source destination
179 18398 MARK all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK set 0x100000
257 92570 TOS all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x100000 TOS set 0x00/0xff
Chain RRDIPT_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * x 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 x
Chain RRDIPT_INPUT (1 references)
pkts bytes target prot opt in out source destination
86 39661 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain RRDIPT_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
101 9717 RETURN all -- * eth0 0.0.0.0/0 0.0.0.0/0
after QoS is enabled:
Code:
Chain PREROUTING (policy ACCEPT 730 packets, 103K bytes)
pkts bytes target prot opt in out source destination
4 160 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpmss match !536:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
730 103K FILTER_IN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpmss match !536:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
144 40657 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x100000
0 0 DROP all -- * * 224.0.0.0/3 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 240.0.0.0/5 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/3 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 240.0.0.0/5 0.0.0.0/0
Chain INPUT (policy ACCEPT 638 packets, 91963 bytes)
pkts bytes target prot opt in out source destination
638 91963 RRDIPT_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
75 32072 IMQ all -- eth0 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 0
Chain OUTPUT (policy ACCEPT 725 packets, 149K bytes)
pkts bytes target prot opt in out source destination
725 149K RRDIPT_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 769 packets, 157K bytes)
pkts bytes target prot opt in out source destination
769 157K FILTER_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
104 11581 MARK all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK set 0x100000
104 11581 TOS all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x100000 TOS set 0x00/0xff
Chain FILTER_IN (1 references)
pkts bytes target prot opt in out source destination
730 103K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
730 103K SVQOS_SVCS all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x7ffc00
730 103K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
730 103K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FILTER_OUT (1 references)
pkts bytes target prot opt in out source destination
769 157K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
769 157K SVQOS_SVCS all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x7ffc00
769 157K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
769 157K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RRDIPT_FORWARD (1 references)
pkts bytes target prot opt in out source destination
4 276 RETURN all -- * * 192.168.9.102 0.0.0.0/0
3 207 RETURN all -- * * 0.0.0.0/0 192.168.9.102
19 2448 RETURN all -- * * 192.168.7.101 0.0.0.0/0
18 4946 RETURN all -- * * 0.0.0.0/0 192.168.7.101
0 0 RETURN all -- * * x 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 x
Chain RRDIPT_INPUT (1 references)
pkts bytes target prot opt in out source destination
75 32072 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain RRDIPT_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
80 8788 RETURN all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain SVQOS_SVCS (2 references)
pkts bytes target prot opt in out source destination
1499 261K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
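To make the rule duplication Alozaros points out checkable rather than eyeballed, here is an added example (not code from the thread or from DD-WRT) that parses a captured `iptables -t mangle -vnL` listing and reports every rule spec that occurs more than once within a chain, ignoring the pkts/bytes counters. The embedded sample is a constructed, trimmed excerpt of the post-QoS PREROUTING and INPUT chains above; the script is meant to run off-box on output pasted from the router.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: trimmed post-QoS PREROUTING/INPUT chains from the thread.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 730 packets, 103K bytes)
 pkts bytes target prot opt in out source destination
 4 160 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpmss match !536:65535
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
 730 103K FILTER_IN all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcpmss match !536:65535
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
 144 40657 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x100000
 0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
 0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0

Chain INPUT (policy ACCEPT 638 packets, 91963 bytes)
 pkts bytes target prot opt in out source destination
 638 91963 RRDIPT_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
 75 32072 IMQ all -- eth0 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")

def parse_chains(listing):
    """Map chain name -> list of rule specs, pkts/bytes counters dropped."""
    chains, current = defaultdict(list), None
    for raw in listing.splitlines():
        fields = raw.split()  # also normalises the column padding
        m = CHAIN_RE.match(raw.strip())
        if m:
            current = m.group(1)  # new chain header
        elif fields and fields[0] != "pkts" and current is not None:
            chains[current].append(" ".join(fields[2:]))
    return chains

def find_duplicates(listing):
    """Map chain -> {rule spec: count} for specs that occur more than once."""
    dups = {}
    for chain, rules in parse_chains(listing).items():
        repeated = {r: n for r, n in Counter(rules).items() if n > 1}
        if repeated:
            dups[chain] = repeated
    return dups

if __name__ == "__main__":
    for chain, rules in find_duplicates(SAMPLE).items():
        for spec, n in rules.items():
            print(f"{chain}: {n}x {spec}")
```

Run it twice, once against a listing taken before enabling QoS and once after, to see whether the duplicated DROP rules are introduced by the QoS setup rather than by the OpenVPN start.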