Posted: Tue Dec 02, 2025 17:57 Post subject: WR841ND
Router/Version: TP-Link TL-WR841ND v11
Update method: WebUpgrade
File/Kernel: tl-wr841nd-webflash.bin_r62890 / Linux 3.18.140-d6 #252883 Mon Dec 1 07:55:44 +07 2025 mips
Previous/Reset: r62540 / no
Mode/Status: AP wired and wireless / Up and running for 6:28
Issues/Errors: Nothing significant
If your router's light turns red, don't worry. Internet connection is ok.
Incorrect rate of wlan0 - 800 Mbit/s!
Thank you BS and gurus!
_________________
Atheros
Netgear XR500 Nighthawk - DD-WRT 59468
Tp-Link TL-WDR4900 v1.3 - DD-WRT 53133
TP-Link WR1043ND v4 - DD-WRT 51838
TP-Link WR1043ND v2 - Gargoyle OS 1.13.0
TP-Link WR841ND v11 - DD-WRT 62032
Broadcom
Asus RT-AC88U - DD-WRT 62032
Asus RT-AC87U R - DD-WRT 62032
Asus RT-N66U - DD-WRT 62032
Linksys WRT54GL v1.1 - DD-WRT 54517M
Linksys WRT54GL v1.1 - FreshTomato 2023.4_MIPS_K26
Linksys WRT54GL v1.1 - Gargoyle OS 1.6.2
Joined: 05 Oct 2008 Posts: 835 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Tue Dec 02, 2025 20:20 Post subject:
Took some time to translate iptables rules from the firewall script on my XR500 into nftables rules one by one. After temporarily replacing shell variable references with their values it worked fine as far as I can tell.
Below one of the old rules with its translation:
arjen@NUC10i5:~$ iptables-translate -t nat -I PREROUTING -i br0 -p tcp ! -s 192.168.5.62 --dport 53 -j DNAT --to 192.168.5.62
nft 'insert rule ip nat PREROUTING iifname "br0" ip saddr != 192.168.5.62 tcp dport 53 counter dnat to 192.168.5.62'
Internet sources that I have seen show the nft translation without the single quotes. I dropped them, but not sure.
Another thing that remained uncertain was how to set and use shell variables in the firewall script. Some sources use 'define A = B' and others 'A = B' as it used to be.
With the newly produced translations on file, I then upgraded the router from 62606 to build 62890 and then replaced the firewall script with the nftables version and rebooted.
By and large it seems to work.
However, the rule quoted above seems to have no effect. I can't find a trace of it in the output of 'nft list ruleset'.
What could I be missing?
The purpose of that particular rule is to force any and all DNS requests via port 53 to the local PiHole server on 192.168.5.62 (except requests originating from the PiHole server itself); I have used the iptables equivalent until this latest upgrade and it worked as intended. It covers up its tracks, making the requestor believe the request was fulfilled by the original target (instead of e.g. 8.8.8.8 it is actually carried out by the local DNS server, but the requestor is told the answer is from 8.8.8.8).
The other rules in my firewall script are simple ones, allowing access to the local DNS and NTP server from different subnets, like:
nft insert rule ip filter FORWARD iifname "$IoT" ip daddr $DNS_IPv4 tcp dport 53 counter accept
nft insert rule ip filter FORWARD iifname "$IoT" ip daddr $DNS_IPv4 udp dport 53 counter accept
A further problem in transitioning is that the nft translating program doesn't handle -D rules. AFAIK iptables rules need to be deleted in the firewall script before the actual definition so that they don't get added twice when just saving an edited firewall script.
I am pretty sure it would be wrong to delete all rules at the start of the script as the firmware sets up rules of its own outside the script, too.
Router/Version: Asus rt-ax89x
File: DD-WRT v3.0-r62890 (12/01/25)
Kernel: Linux 6.6.116-rt29 #4613 SMP Fri Nov 21 05:09:27 +07 2025 aarch64
Previous: DD-WRT v3.0-r62778 (11/21/2025)
Reset: Yes
Mode/Status: AP/Gateway, 5GHz & 2.4GHz Wifi
Setup:
SFE: Enabled
WAN DNS: Ignore
DDNS Configuration: Enabled
Tunnels: Wireguard - Mullvad VPN
Issues/Errors: Had 3 out of 5 ethernet connected devices not appear. Restarted devices as well as rebooted router and no luck. Reverted back to r62778 and all is well. Didn't have much time to troubleshoot further.
Joined: 05 Oct 2008 Posts: 835 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Wed Dec 03, 2025 0:38 Post subject:
Actually it looks like you cannot change anything in the nft firewall by commands in the firewall script.
E.g. if you have a rule in the script for port 123 and try to look up how it ended up in the ruleset, you get this:
┌─[✓]─[root@XR500:192.168.5.1]─[~]
└─nft list ruleset | grep 123
# Warning: table ip mangle is managed by iptables-nft, do not touch!
# Warning: table ip nat is managed by iptables-nft, do not touch!
# Warning: table ip filter is managed by iptables-nft, do not touch!
The same result for any rule I try in the command script.
I don't know how to proceed from here ...
It is now too late at night to find out what this means in practice.
Posted: Wed Dec 03, 2025 5:40 Post subject: Re: Linksys MR7350
gitto wrote:
Update method: WebUpgrade
Router/Version: Linksys MR7350
File: 62890
Previous/Reset: 62606 / no
Mode/Status: Gateway / ok
Issues/Errors: If you are seeing this post, all is ok
Thank you again BS and friends.
How many devices are connected to your wifi? Are both 2,5 and 5GHz working and do they have connected devices? Speed on wifi?
thanks in advance!
Router/Version: Netgear R7800
File/Kernel: 12/01/2025 - r62890
Previous/Reset: No / 11-05-2025-r62540
Mode/Status: Gateway
Issues/Errors: actually none; previously: I installed the firmware last night. As soon as it restarted, it went into a loop, restarting continuously (the first LED flashed just before the restart). This morning I was ready to reset and go back to the previous version, but now, fortunately, it works normally. I have not done any operations in the meantime.
Found a simple work around for iptables rules in FIREWALL script.
I'm still tinkering with this build chasing a boat load of gremlins.
However, I found a strange simple trick that solved my iptables issues for my LINKSYS MR7500.
I found that the 53 rules I had in my FIREWALL script in the GUI were copied multiple times causing the rules to not work as expected. I then stumbled across an odd predictable behavior that with each reboot the number of copies increased by three. After eight reboots chasing gremlins I found that my firewall was almost 6,561 lines long.
I used iptables -L --line-numbers to examine the rules that were executed from the script. I used the --line-numbers option to help count the copies of the rules.
If this is happening to you try this:
Basically I just moved my Firewall rules to the startup script.
Select and copy your rules in the FIREWALL script in the GUI.
Click EDIT button for the startup script.
Paste your copied rules at the top of the startup script above anything else in the script.
Save the startup script.
Saving the startup script should have deleted everything in the COMMANDS dialog box.
Now click Save Firewall button to delete the existing firewall script.
Wait 45-60 seconds.
Reboot.
After reboot, check the rules with the iptables -L --line-numbers command again and you will find there is only one copy of your rules and they appear to function as expected.
I have many other gremlins I'm tracking down and troubleshooting, but thought this could help more people sooner.
Posted: Wed Dec 03, 2025 15:47 Post subject: Re: Linksys MR7350
sagia_geo wrote:
gitto wrote:
Update method: WebUpgrade
Router/Version: Linksys MR7350
File: 62890
Previous/Reset: 62606 / no
Mode/Status: Gateway / ok
Issues/Errors: If you are seeing this post, all is ok
Thank you again BS and friends.
How many devices are connected to your wifi? Are both 2,5 and 5GHz working and do they have connected devices? Speed on wifi?
thanks in advance!
At this moment -
One - cable.
One - 2.4Ghz
Three - 5Ghz (>75 Mbps)
Usually a few others but quiet today - at least 6 other devices - to either 2.4 or 5.
Can update over next couple of days if you like.
Last edited by gitto on Wed Dec 03, 2025 16:01; edited 2 times in total
Joined: 18 Mar 2014 Posts: 13877 Location: Netherlands
Posted: Wed Dec 03, 2025 15:48 Post subject:
Wasp-Ink30 wrote:
Found a simple work around for iptables rules in FIREWALL script.
I'm still tinkering with this build chasing a boat load of gremlins.
However, I found a strange simple trick that solved my iptables issues for my LINKSYS MR7500.
I found that the 53 rules I had in my FIREWALL script in the GUI were copied multiple times causing the rules to not work as expected. I then stumbled across an odd predictable behavior that with each reboot the number of copies increased by three. After eight reboots chasing gremlins I found that my firewall was almost 6,561 lines long.
I used iptables -L --line-numbers to examine the rules that were executed from the script. I used the --line-numbers option to help count the copies of the rules.
If this is happening to you try this:
Basically I just moved my Firewall rules to the startup script.
Select and copy your rules in the FIREWALL script in the GUI.
Click EDIT button for the startup script.
Paste your copied rules at the top of the startup script above anything else in the script.
Save the startup script.
Saving the startup script should have deleted everything in the COMMANDS dialog box.
Now click Save Firewall button to delete the existing firewall script.
Wait 45-60 seconds.
Reboot.
After reboot, check the rules with the iptables -L --line-numbers command again and you will find there is only one copy of your rules and they appear to function as expected.
I have many other gremlins I'm tracking down and troubleshooting, but thought this could help more people sooner.
Firewall rules should be placed in the Firewall script; otherwise they only run once at startup, and if the firewall is restarted by some process your own rules are not there (at least they should not be).
Joined: 05 Oct 2008 Posts: 835 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Wed Dec 03, 2025 15:50 Post subject:
ArjenR49 wrote:
┌─[✓]─[root@XR500:192.168.5.1]─[~]
└─nft list ruleset | grep 123
# Warning: table ip mangle is managed by iptables-nft, do not touch!
# Warning: table ip nat is managed by iptables-nft, do not touch!
# Warning: table ip filter is managed by iptables-nft, do not touch!
SOLVED:
Even though the above warnings seem to sternly tell one off to not touch the nft tables, you can add rules to the nft tables in a command script.
The reason for my firewall script failing to add rules was that I had used variable references, but the assignment statements weren't working.
In converting the script I had prettified the list of assignments with spaces before and after the equal sign. However, A = "123" does not work. This time around I put a comment about that in the script.
It has to be A="123" etc.
The output of nft list ruleset is looking much better now!
Joined: 05 Oct 2008 Posts: 835 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Wed Dec 03, 2025 21:01 Post subject:
Wasp-Ink30 wrote:
I found that the 53 rules I had in my FIREWALL script in the GUI were copied multiple times causing the rules to not work as expected.
It may help to delete an iptables rule in the script before you actually define the rule, like so:
# Allow DNS requests from IoT VLAN to DNS server on main LAN
iptables -D FORWARD -i $IoT -d $DNS_IPv4 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i $IoT -d $DNS_IPv4 -p udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i $IoT -d $DNS_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i $IoT -d $DNS_IPv4 -p udp --dport 53 -j ACCEPT
Essentially you just duplicate the rule and in the first line change -I or -A to -D.
BTW: In nft syntax this becomes:
nft insert rule ip filter FORWARD iifname "$IoT" ip daddr $DNS_IPv4 tcp dport 53 counter accept
nft insert rule ip filter FORWARD iifname "$IoT" ip daddr $DNS_IPv4 udp dport 53 counter accept
Note that the nft rules are missing the delete part. The iptables-translation function cannot yet handle iptables rules with -D. It seems nft cannot recognize a rule based on its contents in order to delete it like iptables can.
I haven't tried to write a command that deletes a particular nft rule, so for now I just reboot the router after changing the firewall script. Transitioning to nft is a WIP, but today I finally made good progress.
Joined: 18 Mar 2014 Posts: 13877 Location: Netherlands
Posted: Thu Dec 04, 2025 8:41 Post subject:
nft has no ability to directly delete rules.
This is problematic, as a lot of scripts and systems which use scripts (e.g. WireGuard, OpenVPN etc.) will end up with duplicate rules. Sometimes having duplicate rules is no problem, but if you are changing the configuration then old rules can still be there, so in the end, if you are done configuring, you need a reboot to sort things out.
nft can delete rules by using the handle of the rules.
You can see the handle with
Quote:
nft -a list ruleset
An example (not for DDWRT):
Create rule:
nft 'insert rule inet fw4 output ip daddr 140.238.218.87 counter reject'
Show handle:
nft -a list ruleset | grep 'ip daddr 140.238.218.87' | awk '{print $NF}'
How to delete:
nft delete rule inet fw4 output handle $(nft -a list ruleset | grep 'ip daddr 140.238.218.87' | awk '{print $NF}')
Oh, and one pitfall I stumbled upon when I started to use nftables about a year ago:
To execute from command line use single quotes otherwise you have to escape the special characters.
I do not have a DDWRT router using nftables so cannot help you any further at this moment.
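As an added example (not code from the thread or from DD-WRT), the following script combines the two ideas above: ArjenR49's "delete before insert" idiom for iptables and the handle-based deletion egc shows for nft. It parses `nft -a list ruleset` output restricted to one table and chain, so a pattern such as `tcp dport 53` cannot accidentally pick up handles from other chains the way a bare `grep | awk '{print $NF}'` over the whole ruleset can. The ruleset text embedded in it is constructed, not captured from a router; the table names `ip filter` / `ip nat` follow the iptables-nft warnings quoted earlier, the interface `vlan3` and the address 192.168.5.62 are placeholders, and the `# handle N` suffix on every rule line is the format `nft -a` prints.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent nft rules for a DD-WRT
# firewall script. nft has no "delete by content" like iptables -D, so a
# rule is deleted by handle after looking the handle up in one chain only.
#
# Assumptions: tables "ip filter"/"ip nat" (iptables-nft managed, as in the
# thread's warnings); `nft -a list ruleset` ends each rule with "# handle N";
# "vlan3" and 192.168.5.62 are placeholders for an IoT VLAN and a PiHole.

# Constructed sample of `nft -a list ruleset` output (not captured from a
# router), so the parsing can be exercised on a box without nft.
SAMPLE_RULESET='table ip filter { # handle 5
    chain FORWARD { # handle 2
        type filter hook forward priority filter; policy accept;
        iifname "vlan3" ip daddr 192.168.5.62 tcp dport 53 counter packets 0 bytes 0 accept # handle 41
        iifname "vlan3" ip daddr 192.168.5.62 tcp dport 53 counter packets 0 bytes 0 accept # handle 38
        iifname "vlan3" ip daddr 192.168.5.62 udp dport 53 counter packets 12 bytes 900 accept # handle 39
    }
}
table ip nat { # handle 6
    chain PREROUTING { # handle 3
        type nat hook prerouting priority dstnat; policy accept;
        iifname "br0" ip saddr != 192.168.5.62 tcp dport 53 counter packets 3 bytes 180 dnat to 192.168.5.62 # handle 17
    }
}'

# rule_handles RULESET "family table" CHAIN PATTERN
# Prints, one per line, the handles of rules inside the given table and chain
# whose text contains PATTERN as a literal substring. Table and chain header
# lines also carry "# handle N" in nft -a output, so they are skipped.
# (awk -v interprets backslash escapes in PATTERN; none are used here.)
rule_handles() {
    printf '%s\n' "$1" | awk -v table="$2" -v chain="$3" -v pat="$4" '
        $1 == "table" { in_table = (($2 " " $3) == table); next }
        $1 == "chain" { in_chain = in_table && ($2 == chain); next }
        in_chain && /# handle [0-9]+$/ && index($0, pat) > 0 { print $NF }
    '
}

# nft_rule_once "family table" CHAIN PATTERN RULE...
# nft counterpart of "iptables -D ...; iptables -I ...": delete every rule in
# CHAIN matching PATTERN by handle, then insert RULE once, so re-running the
# firewall script never accumulates duplicates. Handles do not renumber when
# another rule is deleted, so deleting in a loop is safe. $table is left
# unquoted on purpose so "ip filter" expands to the two words nft expects.
nft_rule_once() {
    table=$1 chain=$2 pattern=$3
    shift 3
    for h in $(rule_handles "$(nft -a list ruleset)" "$table" "$chain" "$pattern"); do
        nft delete rule $table "$chain" handle "$h"
    done
    nft insert rule $table "$chain" "$@"
}

# Variables assigned without spaces around '=' (A="x"), as noted in the thread.
IoT="vlan3"
DNS_IPv4="192.168.5.62"

# Demo: on a router with nft (run as root) apply the rule for real; elsewhere
# only show which handles in the sample would be deleted before re-inserting.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nft_rule_once "ip filter" FORWARD "ip daddr $DNS_IPv4 tcp dport 53" \
        iifname "$IoT" ip daddr "$DNS_IPv4" tcp dport 53 counter accept
else
    echo "handles that would be deleted before re-inserting the tcp/53 rule:"
    rule_handles "$SAMPLE_RULESET" "ip filter" FORWARD "ip daddr $DNS_IPv4 tcp dport 53"
fi
```

In a DD-WRT firewall script the `nft_rule_once` lines replace the paired `iptables -D` / `iptables -I` lines; the PATTERN should be specific enough to identify only the rule being managed (here the destination address plus protocol and port), since every rule in the chain that contains it is removed before the fresh copy is inserted. The shell-quoting pitfall egc mentions still applies: a rule containing `>` or `;` has to be quoted or escaped before nft sees it.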