Joined: 07 Apr 2018 Posts: 66 Location: Calgary, AB Canada
Posted: Tue Jun 12, 2018 18:40 Post subject:
ok found place to put the following (Administration/Commands/Firewall Command):
Quote:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.105 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.106 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.107 -j MARK --set-mark 1
Unfortunately it did not work as intended. Instead of the 3 devices associated with the 192.168.0.105-107 IPs bypassing the VPN, they have lost all connectivity to the WAN. While it seems they have access to LAN, they have no access to WAN.
I am guessing it is a typo or something in the above code?
to make it real simple and easy to follow this is EXACTLY what I did, just so you have lowest chances of bricking.
Used PuTTY to SSH to 192.168.1.1
These are exactly the commands I used, in the exact order:
root@OpenWrt:~# cd
root@OpenWrt:~# fw_printenv silent
silent=1
root@OpenWrt:~# fw_setenv silent
root@OpenWrt:~# fw_printenv silent
## Error: "silent" not defined
root@OpenWrt:~# wget https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2018/06-10-2018-r36104/linksys-wrt32x/FW_WRT32X_1.0.666_DDWRT.img
<Wait for Wget Download to complete 100%>
root@OpenWrt:~# fw_printenv boot_part
boot_part=1
root@OpenWrt:~# fw_setenv boot_part 2
root@OpenWrt:~# sysupgrade -i -n -v FW_WRT32X_1.0.666_DDWRT.img
Keep config files over reflash (y/N): N
A lot of verbose terminal output will display, such as killall etc.; wait for it to say "sysupgrade successful" and then you can flip the power switch on the back of your WRT32x off and back on. (NOTE: I waited several minutes after the sysupgrade successful message came up before I did anything.) At first I thought I had bricked it because it took a long time to boot up and finally assign an IP to my PC. I power cycled the router several times and hit the reset button once before I just decided to let it boot up for several minutes, and when I came back I was able to get a dd-wrt GUI at 192.168.1.1
NOTE: The Internet LED and the ESATA LED are swapped for some reason. So the Internet LED will not light up but the ESATA LED will when there is a WAN IP registered.
Hope this helps
Dude that's awesome! Thank you so much for that, really appreciate the step by step.
2 questions:
1 - Do those steps assume I am on openwrt or can I do this being on a brand new stock firmware router?
2 - Do I need to be connected by the UART-to-USB cable by opening the router, or can I do this through an Ethernet cable directly?
Joined: 07 Apr 2018 Posts: 66 Location: Calgary, AB Canada
Posted: Tue Jun 12, 2018 20:55 Post subject:
Ok to summarize my current status.
I have my OpenVPN working on : DD-WRT v3.0-r36104 std (06/10/1 on my WRT32x running w/ AES-256 CBC / SHA512 / UDP. Unfortunately Policy Based Routing (at least via the DD-WRT GUI) is broken in this build, which means I cannot use it to specify which IPs or IP ranges to allow for use on VPN. So it is a blanket VPN situation for all 22 DHCP clients on my router, which just won't do at all.
So I have decided to try and use iptables to solve the issue, as I need 3 specific devices to be direct to WAN with no VPN. I have tried 2 separate iptables settings through the Admin/Commands Firewall commands window in DD-WRT.
Quote:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.105 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.106 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.107 -j MARK --set-mark 1
and
Quote:
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
ip rule add from 192.168.0.105 table 10
ip rule add from 192.168.0.106 table 10
ip rule add from 192.168.0.107 table 10
#----------------------------------------------------
i've spent a number of hours over the past two weeks trying to get dd-wrt on and off a wrt32x. to summarize:
stock -> ddwrt works by gui (flashes other partition) AND by mtd write (summarized above; pick your partition)
stock -> openwrt/lede works by ssh and sysupgrade (probably works by gui but i didn't try)
openwrt -> stock works by ssh/mtd write.
ddwrt -> stock: i had to enable ssh, then flash both mtd5 and mtd7 partitions with stock flat firmware file, AND erase nvram partition (mtd erase nvram), then power cycle router. i can't completely explain why, but i think the ddwrt nvram values make openwrt or stock firmware hang, and issuing the 'reboot' command at the ddwrt command line re-writes nvram. anyway, only by completely getting rid of ddwrt could i get back to stock.
so: from stock, you can get lede on one partition and dd-wrt on the other.
from dd-wrt: you have to get rid of dd-wrt remnants everywhere to get back to stock or lede.
the quick way to get back to a 'clean' setup is from serial, using the 'run update_both_images' uboot command. i think by flashing both mtd5 and mtd7 with stock, and erasing nvram, this accomplishes the same thing, without serial access.
short story - it's currently hard to get from dd-wrt back to stock, but it can be done without serial access.
Posted: Wed Jun 13, 2018 18:57 Post subject: try this
Skoda Zek wrote:
Ok to summarize my current status.
I have my OpenVPN working on : DD-WRT v3.0-r36104 std (06/10/1 on my WRT32x running w/ AES-256 CBC / SHA512 / UDP. Unfortunately Policy Based Routing (at least via the DD-WRT GUI) is broken in this build, which means I cannot use it to specify which IPs or IP ranges to allow for use on VPN. So it is a blanket VPN situation for all 22 DHCP clients on my router, which just won't do at all.
So I have decided to try and use iptables to solve the issue, as I need 3 specific devices to be direct to WAN with no VPN. I have tried 2 separate iptables settings through the Admin/Commands Firewall commands window in DD-WRT.
Quote:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.105 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.106 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.107 -j MARK --set-mark 1
and
Quote:
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
ip rule add from 192.168.0.105 table 10
ip rule add from 192.168.0.106 table 10
ip rule add from 192.168.0.107 table 10
#----------------------------------------------------
Unfortunately in both cases the result was loss of internet access for the 3 static IPs specified (192.168.0.105/106/107).
I am at a loss. I have spent many hours troubleshooting trying to break the trend and I really do need you folks' help now.
On the set up page, disable SFE and then leave everything else as you did. That should fix the problem and policy routing should work. Just did mine now.
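The source-based variant quoted above (`ip rule add from <ip> table 10`) can be checked for completeness before looking elsewhere for the fault. The following is an added example, not part of any post in this thread: it parses the text of `ip rule show` and `ip route show table 10` and reports which bypass clients lack a rule. The sample output, gateway address and interface name are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit source-based policy routing.
# Inputs are the text printed by `ip rule show` and `ip route show table N`.

TABLE=10
BYPASS_IPS="192.168.0.105 192.168.0.106 192.168.0.107"

# Constructed sample output; the gateway, interface and priorities are made up.
SAMPLE_RULES='0: from all lookup local
32764: from 192.168.0.106 lookup 10
32765: from 192.168.0.105 lookup 10
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0'

# Print every client IP that has no "from <ip> lookup <table>" rule.
missing_rules() {
    rules=$1; table=$2; shift 2
    for ip in "$@"; do
        printf '%s\n' "$rules" | awk -v ip="$ip" -v t="$table" '
            $2 == "from" && $3 == ip && $4 == "lookup" && $5 == t { ok = 1 }
            END { exit !ok }' || printf '%s\n' "$ip"
    done
}

# Succeed only if the table dump contains a default route via a gateway.
has_default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" { found = 1 }
        END { exit !found }'
}

# Report every gap; return 0 only when the whole bypass setup is in place.
audit_pbr() {
    rules=$1; routes=$2; table=$3; shift 3
    status=0
    has_default_route "$routes" || { echo "table $table: no default route"; status=1; }
    for ip in $(missing_rules "$rules" "$table" "$@"); do
        echo "$ip: no rule pointing at table $table"; status=1
    done
    return "$status"
}

# On the router, pass live state instead of the samples:
#   audit_pbr "$(ip rule show)" "$(ip route show table 10)" 10 $BYPASS_IPS
audit_pbr "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$TABLE" $BYPASS_IPS || true
```

A clean audit on a router where the clients still have no WAN access means the rules and the table are installed, so the cause lies outside the rule set.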
Joined: 07 Apr 2018 Posts: 66 Location: Calgary, AB Canada
Posted: Wed Jun 13, 2018 19:00 Post subject:
yep disabling SFE fixed all my PBR issues.
Only thing I need to do now is assign custom primary/secondary DNS Servers to 3 clients on my router (they are not behind the VPN).
These clients are Rokus and thus, due to Roku software, the user is unable to modify the DNS servers, so I must find a way to do it from within DD-WRT. Furthermore, these DNS have to be specific to these devices, so I cannot assign them as global DNS.
Anyone who can help me figure this out? It's my final issue =)
@ghoffman I have some questions regarding the different scenarios.
stock -> ddwrt - Which DD-WRT image worked via Venom GUI? I was not successful with FW_WRT32X_1.0.666_DDWRT.img however it worked without any issues using SSH/sysupgrade
stock-> openwrt/lede - I don't remember if I was successful in upgrading from Venom to OpenWRT. I should go back and try and report back.
ddwrt -> stock - This sounds like some voodoo was involved! I believe this is something similar to what the sysupgrade shell script is doing, but I haven't investigated in analyzing the script. I did spend some quality time with the mtd utility trying to do something similar to what you attempted. Unfortunately, I was unsuccessful in my testing.
All in all, I'm anxious to get a repeatable and successful process to revert DD-WRT back to Venom and/or OpenWRT. I just don't have any solution other than opening up the WRT32X unit and using a USB to TTL/serial cable/UART method. Obviously, this method is not intended for anyone other than a hobbyist.
what i found was: if dd-wrt is on one partition, it will boot, even if nvram was reset and bootPart set to other partition. i *think* there is a check on nvram and possible rewriting of it in the early boot process. also i think that the 'reboot' command (maps to busybox) does something to nvram.
of course sysupgrade is not a dd-wrt command. i think this is what flash_both_images does.
note - i did not use a serial cable. the mtd write commands were from the ddwrt shell.
i'll check all this out again when i have time to mess up my network and not incur wrath....
Can you confirm for me the process to go back to the Venom firmware from DDWRT?
1- Enable SSH from DDWRT GUI
2- Use a flat (non-sysupgrade) image
You have posted the process, so it is ok
3- Use scp to copy flat image to /tmp/
4- From DDWRT CLI (enable SSH) enter these commands:
Joined: 05 Apr 2017 Posts: 981 Location: Louisiana, USA
Posted: Sat Sep 01, 2018 11:19 Post subject:
Renji wrote:
Hi,
Can you confirm for me the process to go back to the Venom firmware from DDWRT?
1- Enable SSH from DDWRT GUI
2- Use a flat (non-sysupgrade) image
You have posted the process, so it is ok
3- Use scp to copy flat image to /tmp/
4- From DDWRT CLI (enable SSH) enter these commands:
FIRMWARE:OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33) MODEM:ARRIS SURFBoard SB8200 ROUTER:Linksys WRT32X USB NAS:Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
Posted: Thu Sep 24, 2020 18:18 Post subject: WRT32x router was on DD-WRT now unable to boot
I have a WRT32X from Linksys. I installed DD-WRT on it. Now I was trying to revert it back to the original firmware following the steps mentioned on page 3. Now the router does not boot properly. I just see a solid blue light for power and the port light 1, which is connected to the router. I also purchased a USB TTL cable and it works fine.
When I cycle the power on the router it boots and gets stuck. Below is the snippet after which I do not see anything happening.
that's all. we have an image that can be flashed to new partition layout (new env vars must be set) from u-boot or from dd-wrt/lede using "mtd -f write" command.
#mtd erase mtd5
#mtd -f write wrt32x.img mtd5
#mtd erase mtd7
#mtd -f write wrt32x.img mtd7
#reboot