Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Thu Mar 05, 2020 12:50 Post subject: New Build 42617: 03-05-2020-r42617
WARNING: DO NOT flash this experimental test build unless you know the risks and recovery methods. Report here to provide important info for developers and users. Always state your hardware model & version, mode (e.g. Repeater) and SPECIFIC build (e.g. netgear-r7000-webflash). Avoid discussions and create a new thread for specific problems or questions as this thread is not for support, and posts may be deleted or moved.
Important: if reporting any issues, provide applicable info (GUI syslog, `dmesg`, `cat /var/log/messages`, etc.)
Or put into SVN ticket. For firewall issues, also provide "iptables" info (`iptables -L`, `iptables -t nat -L`, & the /tmp/.ipt file).
Issues, observations, and/or workarounds reported:
1. DNScrypt is mostly only using v2 protocols now, but requires Golang that DD can't use: 6246
2. WDS does not work on Broadcom ARM devices (only MIPS<->MIPS)
3. VAPs not working at boot: fixed for unbridged VAPs with r40564:40566. Workaround startup command: sleep 10;stopservice nas;stopservice wlconf;startservice wlconf;startservice nas (there are a few alternatives to search)
Notes:
1. SFE accelerated NAT is in 33006+ builds but only in kernel 3.2 and newer
2. 'KRACK' vulnerability fixes were completed in r33678 for Broadcom, including k26 (33655) & k24 (33656); use 33772 or later.
3. Bridge modes on k4.4 devices may sometimes work in some configurations in certain builds but are not supported by the bcmdhd driver. Use client or repeater instead as WDS doesn't work with Broadcom ARM either (see Issues below).
4. PBR/UDP with SFE working again since r40513 (see 6729)
5. CAKE scheduler changes "completed" with r41057 (see 5796) & FQ_CODEL_FAST with r41027 (reset first!)
6. Reset button was broken in 40571; fixed in build 40750.
7. Radio Timer / GTK Renewal issues, syslog spam and wireless issues (BCM MIPS) fixed with r41662
8. New Broadcom build option for 8MB+ K2.x devices (limited currently): broadcom_K3X_mipsel32r1 [BS has tested on a WRT600N v1.1]
9. CVE-2019-14899 VPN fix (r41784: applicability depends on VPN setup) and GUI toggle (r41812): tickets 6920, 6928, 6931, 6932
10. In-kernel samba now used and default min/max versions have changed, so change them if needed: 6954, 6957
Template example to copy (after "Code:") for posting issues, be sure to include the mode in use (gateway, AP, CB, etc.):
Joined: 14 Sep 2019 Posts: 301 Location: Maine, USA
Posted: Thu Mar 05, 2020 14:34 Post subject:
Router/Version: Asus RT-N66U
File: dd-wrt.v24-42617_NEWD-2_K3.x_mega_RT-N66U.trx
Firmware: DD-WRT v3.0-r42617 mega (03/05/20)
Kernel: Linux 3.10.108-d10 #2784 Thu Mar 5 13:17:43 +04 2020 mips
Mode: AP/USB
Previous: r42602
Reset?: N
Status: Working
Router/Version: Asus RT-N12D
File: dd-wrt.v24-42617_NEWD-2_K3.x_mega.bin
Firmware: DD-WRT v3.0-r42617 mega (03/05/20)
Kernel: Linux 3.10.108-d10 #2784 Thu Mar 5 13:17:43 +04 2020 mips
Mode: Router/OpenVPN client
Previous: r42602
Reset?: N
Status: Working
Router/Version: Asus WL-500G Premium v2
File: dd-wrt.v24_mega_generic.bin
Firmware: DD-WRT v3.0-r42617 mega (03/05/20)
Kernel: Linux 2.4.37 #59410 Thu Mar 5 06:21:26 +04 2020 mips
Mode: Router/USB
Previous: r42602
Reset?: N
Status: Working - USB not mounting
Router/Version: Linksys E2500 V3
File: dd-wrt.v24-42617_NEWD-2_K3.x_mega-e2500.bin
Firmware: DD-WRT v3.0-r42617 mega (03/05/20)
Kernel: Linux 3.10.108-d10 #2784 Thu Mar 5 13:17:43 +04 2020 mips
Mode: Router/USB
Previous: r42602
Reset?: N
Status: Working, had to manually power off/on after flash
Firmware Version: DD-WRT v3.0-r42617 std (03/05/20)
Kernel Version: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
Upgraded from: DD-WRT v3.0-r42602 std (03/03/20)
Reset: No, not this time
Status: Up and running for 24 hours, basic setup as Gateway, static leases, OpenVPN client (on PIA) with Policy Based Routing up and running, 2,4GHz, 5Ghz USB storage NAS working, OpenVPN server and WireGuard working.
Resolved:
1. Pushed DNS servers from the VPN provider are used starting with build 41120; if you do not want that, add the following to the Additional Config of the VPN client:
pull-filter ignore "dhcp-option DNS"
2. Build 41174 has an improved VPN Policy Based Routing; it is now possible to use the VPN route command, i.e. to route a DNS server via the VPN (in this way you will get rid of the DNS leak), see: https://svn.dd-wrt.com/ticket/6815#comment:1 , and for DNS leaks the second posting of this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
3. Another improvement on PBR is that local routes are now copied over to the alternate routing table, so there is communication if you have unbridged VAPs and you can set the router's IP on PBR. See: https://svn.dd-wrt.com/ticket/6821#comment:3
4. Starting with build 41174, the PBR has become more versatile: you can now use "from [IP address] to [IP address]", so if you enter the following in the PBR field:
192.168.1.124 to 95.85.16.212 #ipleak.net
it will only route IP address 95.85.16.212 (which is ipleak.net) from my IP address 192.168.1.124 via the VPN; everything else from this IP address will route via the WAN (this is just an example).
See: https://svn.dd-wrt.com/ticket/6822
Although this command itself supports routing per port, this is only available starting from K 4.17, so we have to rely on scripting for per-port routing until then.
5. New OpenVPN TLS ciphers are added in 41308, see: https://svn.dd-wrt.com/changeset/41308
6. Starting with build 41304 you can now choose which TLS key you want to use: TLS Auth or the newer/better TLS Crypt. See https://svn.dd-wrt.com/ticket/6845#comment:17
7. Starting with build 41664 no problems with GTK renewal and authentication problems; unbridged VAP works, for bridged VAPs this is still needed:
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
8. Builds from 41786 onwards: when using an OVPN server to connect to your local LAN clients, access might be prevented because of a patch which should solve a recent vulnerability (see: https://svn.dd-wrt.com/ticket/6928).
This can be mitigated with the following firewall rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
When using WireGuard you can run into the same trouble, i.e. not being able to access your local LAN clients. For WireGuard this is the workaround:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE
The method described above also has security and logging concerns, as all traffic has the same source address (your router).
An alternate method is using the following rule, but it only works while the VPN or WireGuard interface is up; if your VPN or WireGuard interface goes down you have to reapply it, or run a continuous script checking/applying it:
OpenVPN server:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
WireGuard:
Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j ACCEPT
This rule can expose your LAN side to the CVE attack, but if you have your IoT things separated and tight control over your LAN you should be good; if your LAN is hacked you have got bigger problems.
Builds starting with 41813 have an option button in OpenVPN and WireGuard for disabling the CVE-2019-14899 patch.
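The "continuous script checking/applying" that the raw-table variant above needs, as an added example (this is not code from the post above or from the DD-WRT project). It reads the same nvram keys the post's rules use, normalises them to the CIDR form that `iptables -S` prints, and re-inserts the ACCEPT only when it is missing or has been pushed down the chain. Assumptions not stated in the post: busybox ash, an iptables with the raw table, masks stored either dotted or as a prefix length, that the ACCEPT must be the first rule of raw PREROUTING to win against the patch's rules, and the interface names tun2 (OpenVPN server) and oet1 (WireGuard) used in the startup comment.

```shell
#!/bin/sh
# Added example; not code from the post above nor from the DD-WRT project.
# Keeps the post's "raw PREROUTING ACCEPT" CVE-2019-14899 workaround in place.
# Assumptions (not stated in the post): busybox ash, iptables with the raw
# table, the nvram keys quoted in the post (dotted or prefix-length masks),
# and that the ACCEPT must stay the FIRST rule of raw PREROUTING so that it
# is evaluated before the rules the CVE patch inserts.

LAN_IF="${LAN_IF:-br0}"
INTERVAL="${INTERVAL:-30}"

# Dotted mask (255.255.255.0) -> prefix length (24). Fails on non-contiguous masks.
mask_to_prefix() {
    bits=0
    for oct in $(printf '%s' "$1" | tr . ' '); do
        case "$oct" in
            255) bits=$((bits+8));; 254) bits=$((bits+7));; 252) bits=$((bits+6));;
            248) bits=$((bits+5));; 240) bits=$((bits+4));; 224) bits=$((bits+3));;
            192) bits=$((bits+2));; 128) bits=$((bits+1));; 0) ;; *) return 1;;
        esac
    done
    printf '%s' "$bits"
}

# Prefix length (24) -> dotted mask (255.255.255.0).
prefix_to_mask() {
    p=$1; out=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p-8))
        else o=$(( (255 << (8-p)) & 255 )); p=0; fi
        out="$out${out:+.}$o"
    done
    printf '%s' "$out"
}

# Address + mask (either form) -> network in CIDR form, the way `iptables -S`
# prints it (10.10.10.1 + 255.255.255.0 -> 10.10.10.0/24).
to_cidr() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$2" in *.*) mask=$2; prefix=$(mask_to_prefix "$2") || return 1;;
                  *)   mask=$(prefix_to_mask "$2"); prefix=$2;; esac
    set -- $(printf '%s %s' "$1" "$mask" | tr . ' ')
    printf '%s.%s.%s.%s/%s' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8)) "$prefix"
}

# Match arguments in the order `iptables -S` prints them (-d before -i).
rule_body() { printf '%s' "-d $1 -i $LAN_IF -j ACCEPT"; }

# True when the listing ($1, output of `iptables -t raw -S PREROUTING`) does not
# carry our rule ($2) as its first rule. Line 1 of -S output is the "-P" policy line.
needs_reinsert() {
    [ "$(printf '%s\n' "$1" | sed -n 2p)" != "-A PREROUTING $2" ]
}

# Tunnel network from nvram, read the way the post's rules do, normalised to CIDR.
tunnel_net() {
    case "$1" in
        openvpn)   to_cidr "$(nvram get openvpn_net)" "$(nvram get openvpn_tunmask)" ;;
        wireguard) to_cidr "$(nvram get oet1_ipaddr)" "$(nvram get oet1_netmask)" ;;
        *) return 1 ;;
    esac
}

# Put the ACCEPT for network $1 at the top of raw PREROUTING if it is not there.
sync_rule() {
    body=$(rule_body "$1")
    if needs_reinsert "$(iptables -t raw -S PREROUTING)" "$body"; then
        # delete stale copies first so repeated runs never stack duplicates
        while iptables -t raw -D PREROUTING $body 2>/dev/null; do :; done
        iptables -t raw -I PREROUTING 1 $body
        logger -t cve14899-sync "re-applied LAN -> $1 ACCEPT in raw PREROUTING"
    fi
}

# Re-check every INTERVAL seconds while the tunnel interface exists
# ($1 = openvpn|wireguard, $2 = interface name, e.g. tun2 or oet1; assumption).
monitor() {
    while :; do
        [ -d "/sys/class/net/$2" ] && net=$(tunnel_net "$1") && sync_rule "$net"
        sleep "$INTERVAL"
    done
}

# Start only when invoked with the tunnel kind, e.g. from a startup script:
#   sh /jffs/cve14899-sync.sh wireguard oet1 &
case "${1:-}" in openvpn|wireguard) monitor "$1" "${2:-}" ;; esac
```

Because the check compares against `iptables -S` output rather than just `iptables -C`, the script also notices the case where the rule still exists but the firewall rebuild has placed the patch's own rules above it; in that case it deletes every stale copy and re-inserts at position 1, so repeated runs never stack duplicates.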
Posted: Thu Mar 05, 2020 17:36 Post subject: Netgear Nighthawk R7000
Router/Version: Netgear R7000
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
Mode: Gateway
Reset: No
Previous: 03-03-2020-r42602
Status: Working
grep -i err /var/log/messages
Dec 31 16:00:08 R7000 kern.err kernel: bcmsflash: found no supported devices
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_msti_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:09 R7000 daemon.info mstpd[616]: error, CTL_set_cist_bridge_config: Couldn't find bridge with index 8
Dec 31 16:00:12 R7000 local5.err usmbd: [usmbd-worker/1020]: ERROR: Can't open `/tmp/smb.db': No such file or directory
Dec 31 16:00:12 R7000 local5.err usmbd: [usmbd-worker/1020]: ERROR: User database file does not exist. Only guest sessions (if permitted) will work.
Dec 31 16:00:12 R7000 user.err wsdd2[1007]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Dec 31 16:00:21 R7000 daemon.err ntpclient[1080]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Dec 31 16:00:21 R7000 daemon.err ntpclient[1080]: Failed resolving server 2.pool.ntp.org: Network is down
Mar 5 09:25:27 R7000 kern.err kernel: hub 3-0:1.0: config failed, hub doesn't have any ports! (err -19)
Mar 5 09:25:36 R7000 daemon.err dnscrypt-proxy[1262]: Unable to retrieve server certificates
Mar 5 09:25:53 R7000 daemon.err dnscrypt-proxy[1262]: Unable to retrieve server certificates
Mar 5 09:26:16 R7000 daemon.err dnscrypt-proxy[1450]: Unable to retrieve server certificates
Mar 5 09:26:32 R7000 daemon.err dnscrypt-proxy[1450]: Unable to retrieve server certificates
Mar 5 09:26:50 R7000 daemon.err dnscrypt-proxy[1450]: Unable to retrieve server certificates
Mar 5 09:27:11 R7000 daemon.err dnscrypt-proxy[1450]: Unable to retrieve server certificates
Mar 5 09:27:35 R7000 daemon.err dnscrypt-proxy[1450]: Unable to retrieve server certificates
Mar 5 09:28:15 R7000 daemon.err dnscrypt-proxy[1493]: Unable to retrieve server certificates
Mar 5 09:28:31 R7000 daemon.err dnscrypt-proxy[1493]: Unable to retrieve server certificates
Mar 5 09:28:49 R7000 daemon.err dnscrypt-proxy[1493]: Unable to retrieve server certificates
Mar 5 09:29:10 R7000 daemon.err dnscrypt-proxy[1493]: Unable to retrieve server certificates
Mar 5 09:29:34 R7000 daemon.err dnscrypt-proxy[1493]: Unable to retrieve server certificates
Mar 5 09:30:15 R7000 daemon.err dnscrypt-proxy[1563]: Unable to retrieve server certificates
Router/Version: Netgear R7000
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
Previous: r42602
Mode/Status: Gateway / working
Reset: no
Issues/Errors: Working well so far
Uptime: 1hrs 32min
Temperatures: CPU 66.9 °C / WL0 47.5 °C / WL1 53.2 °C
Posted: Fri Mar 06, 2020 3:32 Post subject: WRT54GSv1 WNDR4500v2 RT-N66R
Router/Version: WNDR4500v2
Mode: Gateway/AP
File: DD-WRT v3.0-r42617 giga (03/05/20)
Kernel: Linux 3.10.108-d10 #2768 Thu Mar 5 12:50:10 +04 2020 mips
Status: Working
Uptime: 20 min
Temps: WL0 43.4 °C / WL1 43.9 °C
I did a 30-30-30 reset prior to the update. I updated the logon creds then performed the update through the WebUI. This worked without the failed CRC check on boot that normally bricks this router. I re-configured my settings from scratch (saving without applying as I went) then rebooted the router to apply all settings at boot (I found hitting the apply button too fast can freeze the WebUI requiring a reboot or SSH to kill and start httpd)
Router/Version: RT-N66R
Mode: Gateway/AP
File: DD-WRT v3.0-r42617 big (03/05/20)
Kernel: Linux 3.10.108-d10 #2780 Thu Mar 5 13:13:20 +04 2020 mips
Status: Working
Uptime: 12 min
Temps: WL0 52.5 °C / WL1 50.8 °C
Router/Version: WRT54GSv1
Mode: Gateway/AP
File: DD-WRT v3.0-r42617 mega (03/05/20)
Kernel: Linux 2.4.37 #59410 Thu Mar 5 06:21:26 +04 2020 mips
Status: Working
Uptime: 18 min
Temps: Unsupported
Very fast wifi 2,4GHz
VPN working
VAP unbridged working
access restriction working
Samba not working - can't access shared folders
_________________
Linksys EA6900
Firmware: DD-WRT v3.0-r44863 std (11/24/20)
Router/Version: ASUS RT-AC66U B1 (H/W B2)
Mode: Gateway
File: asus_rt-ac68u-firmware.trx
Kernel: Linux 4.4.215 #1038 SMP Mon Mar 2 12:46:51 +04 2020 armv7l
Status: WAN Access doesn't work.
The rules in the "*grp_*" chains don't work in iptables.
The rules configured in WAN Access stop working some time after dd-wrt has started. If the traffic went through the filter, the filter stops working. After a while all traffic is blocked, even if it is allowed. This occurs on all hosts that are described in WAN Access rules (chains *grp_*). Other hosts that do not exist in WAN Access rules are not affected by this.
Router/Version: Netgear R7000
File: netgear-r7000-webflash.bin
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
Mode: Gateway, Wifi disabled, wireguard endpoint, WAN to DSL
Reset: No
Status: updated a few minutes ago, working!
Does "CVE-2019-14899 Mitigation" (Setup --> Tunnels --> WireGuard) need to be enabled or disabled for accessing local devices?
I think I had to enable it in previous versions, nowadays it needs to be disabled for accessing local devices.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Sat Mar 07, 2020 10:29 Post subject:
Zyxx wrote:
Router/Version: Netgear R7000
File: netgear-r7000-webflash.bin
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
Mode: Gateway, Wifi disabled, wireguard endpoint, WAN to DSL
Reset: No
Status: updated a few minutes ago, working!
Does "CVE-2019-14899 Mitigation" (Setup --> Tunnels --> WireGuard) need to be enabled or disabled for accessing local devices?
I think I had to enable it in previous versions, nowadays it needs to be disabled for accessing local devices.