New Build - 05/18/2023 - r52596

rnix
DD-WRT User


Joined: 23 Feb 2016
Posts: 200

Posted: Sat May 20, 2023 8:19
Router/Version: Asus RT-N18U
Firmware: DD-WRT v3.0-r52596 std (05/18/23)
Kernel: Linux 4.4.302-st40 #9364 Thu May 18 05:52:25 +06 2023 armv7l
Mode: gateway
Previous: r52330
Reset: no
Status: no visible issues: ddns, wireguard, qos, wifi, vap etc all fine.
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Sat May 20, 2023 15:20
Router/Version: Netgear R7000P
Firmware Version: DD-WRT v3.0-r52596 std (05/18/23)
Kernel Version: Linux 4.4.302-st40 #9366 SMP Thu May 18 06:05:46 +06 2023 armv7l
Previous/Reset: r52569 / No Reset
Mode/Status: Gateway / Working
Issues/Errors: None

FiOS upload now back to full speed! Using Speedtest app on Windows 11 CTF upload speeds become halting. If I use SFE with Speedtest it works properly. Same problem using Google Chrome and accessing the Speedtest website.
DarkHarb
DD-WRT Novice


Joined: 05 Apr 2023
Posts: 31

Posted: Sun May 21, 2023 23:05    Post subject: New Build - 05/18/2023 - r52596.
This build is pretty awesome!!!!! Netgear r7000.
thawk
DD-WRT Novice


Joined: 26 Jul 2009
Posts: 15

Posted: Mon May 22, 2023 13:18
Router Model: Netgear R7000
Firmware Version: DD-WRT v3.0-r52596 std (05/18/23)
Kernel Version: Linux 4.4.302-st40 #9360 SMP Mon May 15 17:46:07 +06 2023 armv7l DD-WRT
Previous/Reset: DD-WRT v3.0-r51275 / No
Mode/Status: 2.4 AP - 5GHz AP - OpenVPN
Issues/Errors: After a couple of days of running fine, the OpenVPN process dies; I've seen this same behaviour in the last several versions (pretty much since the release of OpenVPN 2.6.1). However, unlike in r52459, the other services appear to still be functional. Reverted to DD-WRT v3.0-r51275.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Mon May 22, 2023 13:45
thawk wrote:
After a couple of days of running fine, the OpenVPN process dies; I've seen this same behaviour in the last several versions (pretty much since the release of OpenVPN 2.6.1). However, unlike in r52459, the other services appear to still be functional. Reverted to DD-WRT v3.0-r51275.


Don't have issues with it..OpenVPN is rock solid on my R7000...
do you use watchdog or any lines to keep connection alive..

provide more details about your set up, otherwise report is not helping much...pic's worth a thousand words...

there is new build already 52651

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
thawk
DD-WRT Novice


Joined: 26 Jul 2009
Posts: 15

Posted: Mon May 22, 2023 14:25
Alozaros wrote:

do you use watchdog or any lines to keep connection alive..

provide more details about your set up, otherwise report is not helping much...pic's worth a thousand words...

I don't maintain active connections to the VPN. The OpenVPN process just dies without any error logs -- after running for two days, consistently. The same configuration ran for weeks in r51275 (OpenVPN 2.5.7) without issue. Here's the config:

ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
auth sha256
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
fast-io
tun-mtu 1500
mtu-disc yes
server x.x.x.x 255.255.255.0
dev tun2
tls-crypt /tmp/openvpn/ta.key
dh none
ecdh-curve secp384r1
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
verb 5
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DOMAIN xxxx"
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Mon May 22, 2023 15:07
well...there are a lot of changes in the new OpenVPN 2.6.+ and some of the settings are obsolete...
moreover tun-mtu 1500 should be 1400.. but you know what you want better than me...
running old builds exposes you to security flaws...and some are in active expl...

BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7492
Location: Dresden, Germany

Posted: Wed May 24, 2023 18:19
Alozaros wrote:
Router Model Netgear R7000
Firmware Version DD-WRT v3.0-r52596 std (05/18/23)
Kernel Version Linux 4.4.302-st40 #9360 SMP Mon May 15 17:46:07 +06 2023 armv7l

update: CLI r52569 > r52596
reset: NO
mode: Gateway
status: Operational 12h+
errors: >>

In order to test the updated ndpi service, I decided to use a long list to block ndpi, l7 and risk rules...not seeing any performance drawbacks...
On this unit, I'm also having PBR VPN x3 VLAN's...along with SmartDNS, Ad-block and a long list of other firewall rules..so far so good running smooth...I also checked firewall rules at cat /tmp/.ipt iptables -t mangle -vnL, or cat /tmp/.rule to see if there are any changes, as I'm using all those service blocking rules...but haven't seen any change..so, where to look at...is my silly question...

p.s.

R7000 lsmod output

root@R7000:/tmp# lsmod
Module Size Used by
ip6_tables 9661 0
xt_DSCP 1518 1
tun 16385 2
wl 4472842 0
b5301x_srab 1778 0
b5301x_common 10655 1 b5301x_srab
et 64696 0
ctf 51086 0
softdog 1711 1

dont see :

insmod("ipt_layer7");
insmod("xt_layer7");

insmod("xt_ndpi");

insmod("xt_ndpi")

but root@R7000:~# ls -l /lib/modules/$(uname -r) | grep xt_

-rw-r--r-- 1 root root 3248 May 18 00:31 xt_DSCP.ko
-rw-r--r-- 1 root root 2360 May 18 00:31 xt_IMQ.ko
-rw-r--r-- 1 root root 5200 May 18 00:31 xt_WGOBFS.ko
-rw-r--r-- 1 root root 4272 May 18 00:31 xt_addrtype.ko
-rw-r--r-- 1 root root 1956 May 18 00:31 xt_cpu.ko
-rw-r--r-- 1 root root 2112 May 18 00:31 xt_devgroup.ko
-rw-r--r-- 1 root root 2688 May 18 00:31 xt_dscp.ko
-rw-r--r-- 1 root root 3384 May 18 00:31 xt_ipvs.ko
-rw-r--r-- 1 root root 901792 May 18 00:31 xt_ndpi.ko
-rw-r--r-- 1 root root 2992 May 18 00:31 xt_physdev.ko

nor anything positive at
iptables -t mangle -vnL

so...is the new ndpi,l7,risk section actually working on R7000 ??

i looked at --> https://github.com/mirror/dd-wrt/blob/master/src/router/configs/northstar/.config_northstar
and can see ndpi and l7.. but...

on R7000 im using all those blocked services..


but still able to ping windows-telemetry from router side...

I can see https://svn.dd-wrt.com/browser/src/router/ndpi-netfilter/ndpi-netfilter/INSTALL?rev=49984
is available for Kernel 4.4 but not functioning on R7000
tried to fiddle with some commands from the link above and if I add
modprobe xt_ndpi to firewall rules, then I can see the output of
lsmod - xt_ndpi 713132 0 ...but GUI rules still don't work..
or not present anywhere I looked at...

so, yep to make those ndpi/l7/risk service blocking rules work, I guess something is still missing on R7000 ...looking forward...to see those in action...BS could you have a look at those ??


sure you can ping it. windows-telemetry is a dns and iptables filter. how can you ping it. did you really ping all 100 filtered ip's individually and all the 200 dns entries related to windows-telemetry. so what? it's not even related to ndpi. and what else did you test and how did you check it? i use it as bittorrent filter and it works as expected

sorry. your description sounds bogus to me. pinging windows-telemetry alone is a wrong description

i also don't see that you even set up access restrictions correctly. adding these services isn't enough. you need to enable the rule of course and you need to specify the ip range or mac addresses the rules need to apply to. this screenshot shows nothing. i can assure that ndpi is working with access restrictions. in your lsmod it's not even loaded. i assume you did not set it up. you just added some services without taking care to set up the access restrictions correctly

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s


Last edited by BrainSlayer on Wed May 24, 2023 18:29; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Wed May 24, 2023 18:27
I'm more after the ndpi and risk services...and I test ndpi mostly, as those like Facebook, Youtube, Amazon etc. are not showing any results...if I select and try to use them...as far as L7 rules windows-telemetry ..some of the sites do not exist, but I do have a long list of Win in my block list..so L7 Win-tel results are not in my scope at the moment...anyway..I'll stick to IPset for now...once ndpi works I'll give those a try...again. Thanks anyway...!
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7492
Location: Dresden, Germany

Posted: Wed May 24, 2023 18:32
ndpi works. so i assume nothing to do here. i just checked it on a r7000 2 minutes ago. it's loaded and rules are applied. for windows telemetry. again. this is not a ndpi rule. this is a big set of predefined ips and dns names which are added as filters to dnsmasq and to iptables ip based filters. that's all. since you haven't clarified what you tested here i assume this is working too. since i see that these filters are added to iptables and dnsmasq too in my test on a r7000. the risk services is something you haven't described in deeper detail. i don't know what you tested here. these risk services are checking for certain risks like invalid certificates etc and are only related to specific protocols. you did not specify what you tested here and how you tested it. so again. bogus. and finally you did not test the current version, but an older one
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Wed May 24, 2023 18:44
I selected Facebook, Youtube, Amazon, Ebay etc...all ndpi rules and then rebooted and...
I suppose those should prevent those web sites.. from being reached...that's what I tested..
I also did some other tests to look for specific insmod etc. I can see the ndpi but cannot see the
xt_layer7 ..maybe it's not incorporated or it is, but not showing up...under lsmod or ls -l /lib/modules/$(uname -r) | grep xt_

I can try again on the new 52671 in a bit...

p.s. there is another thread with more people involved..for example R9000 it went to boot loop..
another guy with R7800 also posted there...

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334528

P.S. Ok, i just tested some ndpi and one L7 rules...on 52761 R7000 and those do not restrict access to those web sites...this is the simplest test i can do...if you have anything else i could try or test, please let me know...

You can see there what the policy looks like, also do notice filtered packets count is 0



and the all websites i can open



tested with or without VPN, Im also using SmartDNS (DNSmasq is turned on too) tried with DNSmasq only too...

What i haven't done yet, is reset and manual rebuild...will do that too, in a bit and will post back the results...

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1935

Posted: Wed May 24, 2023 20:39
BrainSlayer wrote:
i also don't see that you even set up access restrictions correctly. adding these services isn't enough. you need to enable the rule of course and you need to specify the ip range or mac addresses the rules need to apply to.

Did you specify application to the entire LAN (LANs)? Show us your selected client list for the rule(s). Also, in the thread you linked, it was already explained that the Layer 7 module is probably built into the kernel.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed May 24, 2023 20:44
I was curious so I checked it myself too.
I entered MAC of my PC:


I checked two filters (youtube and github)



When I do lsmod I have xt_ndpi loaded



And I see dropped packets on adv_gropup1




I can't access github, but I can access Youtube... So, some filters work and others don't... and I want to add that I have dual stack and youtube uses ipv6... and if there are no ip6tables rules with ndpi it is normal for it not to work....
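
The checks raised in the posts above (is xt_ndpi loaded, are any nDPI rules installed, do their packet counters move, and do IPv6 rules exist alongside the IPv4 ones), as an added example that is not part of any post and is not DD-WRT code. It works on saved text captures of lsmod, iptables-save -c and ip6tables-save -c; the function names, the chain name and the sample rules are constructed, and it assumes nDPI rules show up as `-m ndpi` in the saved rule set.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Works on saved text captures of `lsmod`,
# `iptables-save -c` and `ip6tables-save -c`, so it also runs off the router.

# True if xt_ndpi appears in the lsmod capture.
ndpi_module_loaded() {
    awk '$1 == "xt_ndpi" { found = 1 } END { exit !found }' "$1"
}

# Number of rules using the ndpi match (assumed to appear as "-m ndpi").
ndpi_rule_count() {
    awk '/ -m ndpi / { n++ } END { print n + 0 }' "$1"
}

# Sum of the packet counters (the "[pkts:bytes]" prefix) on those rules.
ndpi_hit_count() {
    awk '/ -m ndpi / { split(substr($1, 2), c, ":"); n += c[1] }
         END { print n + 0 }' "$1"
}

# Print one verdict for three captures: lsmod, IPv4 rules, IPv6 rules.
ndpi_audit() {
    if ! ndpi_module_loaded "$1"; then echo module-missing; return; fi
    if [ "$(ndpi_rule_count "$2")" -eq 0 ]; then echo no-rules; return; fi
    if [ "$(ndpi_hit_count "$2")" -eq 0 ]; then echo no-hits; return; fi
    if [ "$(ndpi_rule_count "$3")" -eq 0 ]; then echo ipv4-only; return; fi
    echo ok
}

# Constructed sample captures (chain name and rule arguments are made up).
write_samples() {
    printf '%s\n' 'Module Size Used by' 'xt_ndpi 713132 2' 'tun 16385 2' > "$1/lsmod_ok"
    printf '%s\n' 'Module Size Used by' 'tun 16385 2' 'ctf 51086 0' > "$1/lsmod_bare"
    cat > "$1/v4" <<'EOF'
*filter
[37:2960] -A example_chain -m ndpi --proto github -j DROP
[0:0] -A example_chain -m ndpi --proto youtube -j DROP
COMMIT
EOF
    printf '%s\n' '*filter' ':FORWARD ACCEPT [0:0]' 'COMMIT' > "$1/v6"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "module loaded, IPv4 rules only: $(ndpi_audit "$dir/lsmod_ok" "$dir/v4" "$dir/v6")"
echo "module absent from lsmod:       $(ndpi_audit "$dir/lsmod_bare" "$dir/v4" "$dir/v6")"
rm -rf "$dir"
```

The ipv4-only verdict corresponds to the dual-stack case described above: rules and drops exist for IPv4, but nothing in the IPv6 rule set uses the ndpi match.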
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

Posted: Wed May 24, 2023 22:29
hmmm I'm still testing it..I managed to make it work (ndpi) and have a packet count...different from zero (0)

Then selected lots of services ndpi/risk/L7 rules, rebooted and all went banana...will do a nvram erase and try again later..

I do have an IP range selected and LAN or ANY interface......will keep you posted...




Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Thu May 25, 2023 5:13
@Alozaros
don't know what to say to you about these l7 filters... I wouldn't advise you to use them... they are like 20 years old... nDPI is the way to go since ssl replaced plain http... but nDPI doesn't fit on low budget routers so BS kept them (l7 filters) for those low memory targets...