Joined: 18 Mar 2014 Posts: 12908 Location: Netherlands
Posted: Wed Mar 25, 2020 13:30 Post subject: New Build - 03/25/2020 - r42803
This thread is for feedback on beta build r42803 for developers and users (configuration, status, errors & logs).
Avoid discussions, create a new thread for specific problems, questions or use search as this is not for support.
Please report hardware model, version, operating & wireless modes along with file name (factory, webflash).
Important: if reporting issues, provide applicable info (syslog output, 'dmesg', 'cat /var/log/messages', etc.)
or place into an SVN ticket. For firewall issues, also provide iptables info ('iptables -L', 'iptables -t nat -L', & the /tmp/.ipt file).
Be sure to include operating and wireless modes (Gateway, AP, CB, etc.) along with any relevant configuration information.
Flashing any beta build assumes you are responsible, have researched, know the risks and recovery methods.
If you don't understand your router, which file to use, or the recovery methods, do NOT flash this experimental test build.
Notes:
1. CVE-2019-14899 VPN fix from December; since then various revisions, most recently 7024.
2. In-kernel Samba has been implemented this year and the default min/max versions have changed; WSD is now supported.
Firmware Version: DD-WRT v3.0-r42803 std (03/25/20)
Kernel Version: Linux 4.4.217 #1196 SMP Wed Mar 25 08:38:04 +04 2020 armv7l
Upgraded from: DD-WRT v3.0-r42729 std (03/18/20)
Reset: No, not this time
Status: Up and running for 1 hour, basic setup as Gateway, static leases, OpenVPN client (on PIA) with Policy Based Routing up and running, 2.4GHz and 5GHz, USB storage NAS working, OpenVPN server and WireGuard working.
Resolved:
1. Pushed DNS servers from the VPN provider are used starting with build 41120; if you do not want that, add the following to the Additional Config of the VPN client:
pull-filter ignore "dhcp-option DNS"
2. Build 41174 has an improved VPN Policy Based Routing; it is now possible to use the VPN route command, e.g. to route a DNS server via the VPN (in this way you get rid of the DNS leak), see: https://svn.dd-wrt.com/ticket/6815#comment:1 , and for DNS leaks the second posting of this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
3. Another improvement on PBR is that local routes are now copied over to the alternate routing table, so there is communication if you have unbridged VAPs and you can set the router's IP on PBR. See: https://svn.dd-wrt.com/ticket/6821#comment:3
4. Starting with build 41174, the PBR has become more versatile; you can now use "from [IP address] to [IP address]", so if you enter the following in the PBR field:
192.168.1.124 to 95.85.16.212 #ipleak.net
it will only route IP address 95.85.16.212 (which is ipleak.net) from my IP address 192.168.1.124 via the VPN; everything else from this IP address will route via the WAN (this is just an example). See: https://svn.dd-wrt.com/ticket/6822
Although this command itself supports routing per port, this is only available starting from kernel 4.17, so we have to rely on scripting for per-port routing until then.
5. New OpenVPN TLS ciphers are added in 41308, see: https://svn.dd-wrt.com/changeset/41308
6. Starting with build 41304 you can now choose which TLS key you want to use: TLS Auth or the newer/better TLS Crypt. See https://svn.dd-wrt.com/ticket/6845#comment:17
7. Builds from 41786 onwards, when using an OVPN server to connect to your local LAN clients, access might be prevented because of a patch which should solve a recent vulnerability (see: https://svn.dd-wrt.com/ticket/6928).
This can be mitigated with the following firewall rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
When using WireGuard you can run into the same trouble, i.e. not being able to access your local LAN clients. For WireGuard this is the workaround:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE
The method described above also has security and logging concerns, as all traffic then has the same source address (your router).
An alternate method is using the following rule, but it only works if the VPN or WireGuard interface is up; if your VPN or WireGuard interface goes down you have to reapply it or run a continuous script checking/applying it:
OpenVPN server:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
WireGuard:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j ACCEPT
This rule can expose your LAN side to the CVE attack, but if you have your IoT things separated and tight control over your LAN you should be good; if your LAN is hacked you have bigger problems.
Builds starting with 41813 have an option button in OpenVPN and WireGuard for disabling the CVE-2019-14899 patch.
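The post above says the raw-table ACCEPT exemption only holds while the tunnel interface is up and that otherwise you have to re-apply it or run a script that keeps checking. The following is an added example of such a script, written for this page and not part of the post or of DD-WRT; it keeps the exemption in step with the interface instead of falling back to the MASQUERADE rule that hides every client behind the router's address. Assumptions (not from the post): the OpenVPN server interface is tun2 and the WireGuard interface is oet1, the LAN bridge is br0, the rules are checked with `iptables -C` before insertion so repeated runs do not stack duplicates, and the script is started in the background from the router's Startup commands. The nvram variable names are the ones used in the post. The exposure the post warns about (LAN side reachable for the CVE-2019-14899 technique while the rule is in place) is unchanged by this script.

```shell
#!/bin/sh
# Added example (not from the DD-WRT post): keep the raw-table ACCEPT exemption
# for the VPN subnet present only while the tunnel interface is up.
# Assumptions: OpenVPN server = tun2, WireGuard = oet1, LAN bridge = br0.

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised off-router
NVRAM="${NVRAM:-nvram}"

# Rule body (everything after -I/-C/-D) for one tunnel subnet.
# $1 = LAN interface, $2 = tunnel network, $3 = tunnel netmask (dotted, as nvram stores it).
rule_body() {
    printf '%s' "PREROUTING -i $1 -d $2/$3 -j ACCEPT"
}

# 0 if the interface exists and is up; tun/wg devices usually report "unknown", not "up".
iface_up() {
    [ -e "/sys/class/net/$1" ] || return 1
    state=$(cat "/sys/class/net/$1/operstate" 2>/dev/null)
    [ "$state" = "up" ] || [ "$state" = "unknown" ]
}

# Insert the rule only if it is not already present (idempotent).
# $1 is intentionally unquoted so the body splits into separate arguments.
ensure_rule() {
    $IPTABLES -t raw -C $1 2>/dev/null || $IPTABLES -t raw -I $1
}

# Delete every copy of the rule (-D removes one match per call).
remove_rule() {
    while $IPTABLES -t raw -D $1 2>/dev/null; do :; done
}

# Exemption present while the tunnel is up, absent otherwise.
# $1 = tunnel interface, $2 = rule body.
reconcile() {
    if iface_up "$1"; then ensure_rule "$2"; else remove_rule "$2"; fi
}

main_loop() {
    ovpn=$(rule_body br0 "$($NVRAM get openvpn_net)" "$($NVRAM get openvpn_tunmask)")
    wg=$(rule_body br0 "$($NVRAM get oet1_ipaddr)" "$($NVRAM get oet1_netmask)")
    while :; do
        reconcile tun2 "$ovpn"
        reconcile oet1 "$wg"
        sleep 30
    done
}

# Run the loop only when invoked as "script.sh run", so the functions can be sourced.
case "${1:-}" in run) main_loop ;; esac
```

Because the check runs in the raw table, the rule is evaluated before conntrack and before the patch's own rules, which is why it has to be inserted (-I) rather than appended; removing it when the interface drops means a stale exemption is not left behind pointing at an address range the tunnel no longer owns.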
Posted: Wed Mar 25, 2020 15:24 Post subject: Netgear Nighthawk R7000
Router/Version: Netgear R7000
Firmware: DD-WRT v3.0-r42803 std (03/25/20)
Kernel: Linux 4.4.217 #1196 SMP Wed Mar 25 08:38:04 +04 2020 armv7l
Mode: Gateway
Reset: No
Previous: 03-20-2020-r42747
Status: Working
grep -i err /var/log/messages
Dec 31 16:00:09 R7000 kern.err kernel: bcmsflash: found no supported devices
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_msti_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:12 R7000 local5.err ksmbd: [ksmbd-worker/998]: ERROR: Can't open `/tmp/smb.db': No such file or directory
Dec 31 16:00:12 R7000 local5.err ksmbd: [ksmbd-worker/998]: ERROR: User database file does not exist. Only guest sessions (if permitted) will work.
Dec 31 16:00:12 R7000 user.err wsdd2[989]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Dec 31 16:00:21 R7000 daemon.err ntpclient[1140]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 16:00:21 R7000 daemon.err ntpclient[1140]: Failed resolving server 2.pool.ntp.org: Network is down
Mar 25 07:54:01 R7000 daemon.err httpd[1036]: httpd : Request Error Code 408: Unexpected connection close in intitial request
Mar 25 07:54:07 R7000 kern.err kernel: hub 3-0:1.0: config failed, hub doesn't have any ports! (err -19)
Mar 25 07:54:16 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
Mar 25 07:54:32 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
Mar 25 07:54:50 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
Mar 25 07:55:11 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
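The listing above was produced with `grep -i err /var/log/messages`, which also pulls in the five mstpd lines that are logged at daemon.info and only match because the message text contains the word "error". The following is an added example, not part of the report above, that filters on the syslog facility.severity field instead and summarises err-or-worse entries per program. The sample lines are a subset copied from the report above (written to a temporary file so the example runs offline); the file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): filter a DD-WRT /var/log/messages dump by
# syslog severity rather than by the substring "err". Sample lines are copied from
# the R7000 report above; SAMPLE_LOG is an assumed path.

SAMPLE_LOG="${SAMPLE_LOG:-/tmp/r7000_sample.log}"

# Write the sample entries to $1 (constructed from the lines in the post above).
write_sample() {
    cat >"$1" <<'EOF'
Dec 31 16:00:09 R7000 kern.err kernel: bcmsflash: found no supported devices
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:12 R7000 local5.err ksmbd: [ksmbd-worker/998]: ERROR: Can't open `/tmp/smb.db': No such file or directory
Dec 31 16:00:21 R7000 daemon.err ntpclient[1140]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 16:00:21 R7000 daemon.err ntpclient[1140]: Failed resolving server 2.pool.ntp.org: Network is down
Mar 25 07:54:01 R7000 daemon.err httpd[1036]: httpd : Request Error Code 408: Unexpected connection close in intitial request
Mar 25 07:54:16 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
Mar 25 07:54:32 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
Mar 25 07:54:50 R7000 daemon.err dnscrypt-proxy[1236]: Unable to retrieve server certificates
EOF
}

# Keep only entries whose severity is err or worse; field 5 is "facility.severity".
by_severity() {
    awk '$5 ~ /\.(err|crit|alert|emerg)$/' "$1"
}

# Count err-or-worse entries per program (field 6, with "[pid]:" stripped), most frequent first.
err_by_program() {
    by_severity "$1" | awk '{ sub(/\[.*$/, "", $6); sub(/:$/, "", $6); n[$6]++ }
                            END { for (p in n) print n[p], p }' | sort -rn
}

# Number of lines the substring match from the post would return, for comparison.
grep_count() {
    grep -ic err "$1"
}

# Stand-alone run: write the sample, then show the per-program summary.
if [ "${1:-}" = "run" ]; then
    write_sample "$SAMPLE_LOG"
    err_by_program "$SAMPLE_LOG"
fi
```

On a real dump the same two functions apply directly to /var/log/messages; the severity filter is what keeps boot-time info-level chatter such as the mstpd bridge-index messages out of the list you actually need to look at.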
Router/Version: ASUS RT-AC68U (TM-AC1900 Converted)
Version: DD-WRT v3.0-r42803 std (03/25/20)
Mode: Client Bridge
Status: OK
Errors: None
File: asus_rt-ac68u-firmware.trx
Previous Version: 40270M kongac
Kernel: Linux 4.4.217 #1196 SMP Wed Mar 25 08:38:04 +04 2020 armv7l
Reset: No
I'll play along. I had some weird issues with r42747, so I reloaded 40270M Kong and did an nvram reset. Then this morning, loaded r42803 right over the top. Seems to be working. I am currently on WFH status, so it will get a workout.
_________________
ASUS RT-AC3100 AP Merlin 386.12_4
ASUS RT-AC68U Media Bridge/Merlin 386.12_4 (x2)
ASUS RT-AC68U AP r54604
ASUS RT-AC68U Gateway/AP r54604
Edgerouter-4, v2.0.9-hotfix7
Router/Version: ASUS RT-AC68U rev A1
Version: DD-WRT v3.0-r42803 std (03/25/20)
Mode: Gateway / AP
Status: OK
Errors: Nothing significant
File: asus_rt-ac68u-firmware.trx
Previous Version: 42747
Kernel: Linux 4.4.217 #1196 SMP Wed Mar 25 08:38:04 +04 2020 armv7l
Reset: No, flashed from CLI
Seems to work quite well!
_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
Router/Version: Netgear R7000
Firmware: DD-WRT v3.0-r42803 std (03/25/20)
Kernel: Linux 4.4.217 #1196 SMP Wed Mar 25 08:38:04 +04 2020 armv7l
Previous: r42729
Mode/Status: Gateway / working
Reset: no
Issues/Errors: Working well so far**
**that said, I initially lost internet immediately after the upgrade (router WAN grabbed an IP, WiFi devices connected, but no DNS resolution, failed DNS connection attempts filled connection table). Not ascribing this to the new firmware because I'm on a new ISP connection, and it eventually resolved (pun intended), but noting it regardless.
Uptime: 3hrs 53min
Temperatures: CPU 59.7 °C / WL0 44.0 °C / WL1 50.1 °C
Router/Version: Asus RT-AC87U
Mode: AP, WG client, DHCP server
Status: reverted to r42681
Errors: see below
File: f t p...asus_rt-ac87u-firmware.trx
Previous: r42681
Kernel: Linux 4.4.217 #1203 SMP Wed Mar 25 09:26:20 +04 2020 armv7l
Reset: no
1. 5GHz does NOT work, same as r42747, r42729. No device can connect (SSID not shown on iPhone, Buffalo D1300 on r42803).
2. High load, does not come down: 1.11, 1.02, 0.55
3. syslog shows crashes (endlessly repeating):
Mar 25 21:08:16 home user.err : Caught SIGSEGV (11) in strlen
Mar 25 21:08:16 home user.err : Fault at memory location 0x00000000 due to address not mapped to object (1).
Mar 25 21:08:16 home user.err : Thread 1701: qtn_monitor
Mar 25 21:08:16 home user.err : === Context:
Mar 25 21:08:16 home user.err : TRAPNO:0000000e ERRCODE:00000017 OLDMASK:00000000 R0:00000000
Mar 25 21:08:16 home user.err : R1:76f7f080 R2:00000000 R3:76f7ef4c R4:00000001
Mar 25 21:08:16 home user.err : R5:00000000 R6:76f7f080 R7:76eac000 R8:76e91ae2
Mar 25 21:08:16 home user.err : R9:76e8fb5b R10:76e8fbaf FP:76ead3f4 IP:76eac3d0
Mar 25 21:08:16 home user.err : SP:7efe3bb4 LR:0000feff PC:76f50ce0 CPSR:60000010
Mar 25 21:08:16 home user.err : FAULTADDR:00000000
Mar 25 21:08:16 home user.err : === Backtrace:
Mar 25 21:08:16 home user.err : # Searching frame 0 (FP=0x76ead3f4, PC=0x76f50ce0)
Mar 25 21:08:16 home user.err : # PC-d70[0x76f4ff70]: 0xe92d4ff0 stmfd sp!
Mar 25 21:08:16 home user.err : # FP-00[0x76ead3f4]: 0x2e393631 {LR}
Mar 25 21:08:16 home user.err : # FP-04[0x76ead3f0]: 0x00000000 {FP}
Mar 25 21:08:16 home user.err : # FP-08[0x76ead3ec]: 0x00000000 {R10}
Mar 25 21:08:16 home user.err : # FP-0c[0x76ead3e8]: 0x00000000 {R9}
Mar 25 21:08:16 home user.err : # FP-10[0x76ead3e4]: 0x00000000 {R8}
Mar 25 21:08:16 home user.err : # FP-14[0x76ead3e0]: 0x00000000 {R7}
Mar 25 21:08:16 home user.err : # FP-18[0x76ead3dc]: 0x00000000 {R6}
Mar 25 21:08:16 home user.err : # FP-1c[0x76ead3d8]: 0x00000000 {R5}
Mar 25 21:08:16 home user.err : # FP-20[0x76ead3d4]: 0x00000000 {R4}
Mar 25 21:08:16 home user.err : # Crashed at /lib/ld-musl-arm.so.1[0x76efd000](strlen+0x00000044)[0x76f50ce0]
Mar 25 21:08:16 home user.err : # Searching frame 1 (FP=0x00000000, PC=0x2e393631)
Mar 25 21:08:16 home user.err : # Instruction at 0x2e393631 is not mapped; terminating backtrace.
Mar 25 21:08:16 home user.err : /lib/ld-musl-arm.so.1[0x76efd000](strlen+0x00000044)[0x76f50ce0]
Mar 25 21:08:16 home user.err : ???(+0)[0x2e393631]
Mar 25 21:08:16 home user.err : === Code:
Mar 25 21:08:16 home user.err : 76f50ca0: 0a00000b e1a01000 ea000001 e3110003 0a000008 e1a03001 e2811001 e5d3c000
Mar 25 21:08:16 home user.err : 76f50cc0: e1a02001 e35c0000 1afffff7 e0430000 e12fff1e e1a02000 e52de004 e30feeff
Mar 25 21:08:16 home user.err : 76f50ce0: >e5923000 e34feefe e308c080 e348c080 e083100e e1c11003 e111000c 1a000004
Mar 25 21:08:16 home user.err : 76f50d00: e5b23004 e083100e e1c11003 e111000c 0afffffa e5d21000 e3510000 0a000002
_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
Joined: 08 May 2018 Posts: 14242 Location: Texas, USA
Posted: Wed Mar 25, 2020 21:57 Post subject:
tinkeruntilitworks wrote:
assuming its known but getting this warning on firefox on the svn site
Websites prove their identity via certificates, which are valid for a set time period. The certificate for svn.dd-wrt.com expired on Wednesday, March 25, 2020.
Error code: SEC_ERROR_EXPIRED_CERTIFICATE
Off-topic, but you should've seen the re-opened ticket:
Router/Version: TP-Link Archer C9 v1
Firmware: DD-WRT v3.0-r42803 std (03/25/20)
Previous: 02-25-2020-r42514
Kernel: Linux 4.4.217 #1198 SMP Wed Mar 25 08:54:03 +04 2020 armv7l
Mode: Gateway (plus AP for some legacy devices)
Status: Working
Errors: None
Reset: No
Working just fine with an uptime of just under 9 hrs. The built-in speed checker grossly underestimated the BW -- testing from a browser on my laptop, I'm getting 57Mbps up / 57Mbps down, and ping times are sub-10ms.
Only issue I've seen on this and the previous build is that my USB disk isn't mounted and so optware / my APCUPSd don't start until I log in and run those scripts manually.