Posted: Mon May 31, 2021 6:51 Post subject: Locking up ?
Hey Guys
Having a problem with the router locking up - after a few days I can’t log into the router; the internet is still on and everything is running ok apart from logging into it - the router is a TP Link Archer C9 v3 running r46301 - I have also tried a v2 router with the same results - My family have the same router running the same firmware on a couple of their routers that don’t lock up - tried different firmwares with no luck - this has been happening for months now - I have keep awake set on the router, tried that for every day and every week, but it still locks up at some point - Hope someone could help as I’m a bit lost now as to why this is happening
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Mon May 31, 2021 12:23 Post subject:
It depends on the settings you use, but yep, it happens on some unstable setups or with a bad build for your router in particular...best bet.. reset, flash to a newer build, reset, rebuild settings manually, do not load them from a save file from a different build...
otherwise to diagnose the problem provide more details..
provide those outputs or syslog while it happens on the router side...
dmesg
cat /tmp/var/log/messages
if you have a telnet/ssh access to the router you can try those commands via CLI
stopservice httpd
startservice httpd
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Tue Jun 01, 2021 9:40 Post subject:
and what is the amount of devices ?
yes and no...it could eat a lot of RAM and then the router will become slow and funny...but I had 50+ and never had any complaints...then again it depends on how the unit is set up, scripts running, activity, CPU, amount of RAM, etc...
I have everything wired with 3 switches of 8 - routing to all devices, only phones, tablets and Alexa's are WiFi - Approximately 43 devices - I have enabled Syslog as it wasn't enabled - I don’t have any scripts running, it's quite standard default - have some ports open - web GUI enabled - 2 clients for WOL - that’s about it - It can be running for 3 weeks or more before the GUI lockup and sometimes only a couple of days, it’s very random
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Tue Jun 01, 2021 16:55 Post subject:
web GUI enabled and ports open sounds scary....very scary...!!
do you mean GUI is exposed over the WAN ?
If so, make sure it's very secure, at least use a very long and complex password...if there are a lot of attempts to break in, that may lock up the GUI...
Otherwise, your router has a decent CPU and memory to sustain that many devices, I guess...in the past I had 50+ on an R7000 with the same CPU and a bit more RAM...
To improve your setup, if you have that many devices and you use DNSmasq for DNS...as it should... you may need to increase the size of the concurrent queries..
add this line to advanced DNSmasq
if you can collect the log it will be more useful...
you can forward it to a syslogger either online or over the LAN if you have a PC that can run it...
otherwise if it locks up try to use those 2 commands I gave you via ssh... stopservice httpd && startservice httpd
Finally, since your build is old, there are a lot of new builds around, some of them contain critical security fixes... so it's not a bad idea to update...bear in mind, if you use a VLAN setup (switched ports), on the new builds VLANs are using a different approach on Broadcom devices...all set up via GUI, or it's using the same command line commands as Atheros devices, if you prefer setting it via CLI...still WIP..but working...
No idea what kind of devices you are running, but I would've separated my devices on different VLAN segments related to different router ports (4 ports behind), so you can isolate those that do not need to communicate with the others, in order to prevent inter-network spam...as some of the IoT and Smart devices can really spam the LAN segment...
Thanks for the info - I have to use the web GUI over WAN as I use WOL a lot - My password is 20 random digits - Didn't have the wifi set like that at all - I've altered Mode, Channel and Width, used it like that for years with no problems - I have 4 other routers the same in the family, theirs don’t have a problem but they don’t have many devices connected – The devices I run are TVs – Media players – NAS – CCTV – Alarm system – Alexa’s – Harmony elite Remote – Vera Plus automation – Hue bridge – Amplifier/Receiver – Apple AirPort – Tablets – Phones – laptops – Desktop PC -
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Wed Jun 02, 2021 14:26 Post subject:
There you go...GUI over WAN...!!
If your GUI has https access, then you must use a different certificate, as I guess the one that comes with DD-WRT is self-signed...and probably not that secure...
The thing with exposing it: if you look at your firewall log you will find it's a heavily abused subject, either via script-based attacks or individual attackers, and this takes resources and causes DDoS at some point...and your router locks up GUI...
If I remember correctly, BS, the main developer, imposed a rule on the last builds to time out those tries if they are wrong attempts, but that is not a solution....as the attackers will continue..
In general WAN GUI is a bad idea; as an alternative people use SSH, key-ciphered and no password, or VPN to connect to GUI...as the best option
In the forum there are a few guides here and there about it..or if you need more info create a new thread in the advanced networking forum section...How to access securely GUI via WAN...
As far as a big number of devices...I used to run my R7000 in a very heavily used environment and never had that issue, but I used SSH over the WAN instead of GUI..with secure key-only access, password was disabled...
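As an added example (not part of the original posts and not DD-WRT project code), one way to do the firewall-log check suggested above: count inbound TCP connection attempts to the remote-GUI port per source address. The log lines are constructed, and the `ACCEPT`/`DROP` log prefixes and port 8080 are assumptions; adjust them to the router's own log format.

```shell
#!/bin/sh
# Added example: count inbound TCP SYNs to the remote-GUI port per source.
# SRC=, DPT= and PROTO= are standard netfilter LOG fields; the ACCEPT/DROP
# log prefixes and port 8080 are assumptions about this router's setup.

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
Jun  2 03:11:01 kernel: ACCEPT IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40112 DPT=8080 SYN URGP=0
Jun  2 03:11:02 kernel: ACCEPT IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40114 DPT=8080 SYN URGP=0
Jun  2 03:11:04 kernel: ACCEPT IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40120 DPT=8080 SYN URGP=0
Jun  2 03:12:30 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
Jun  2 03:12:31 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=60 TTL=48 PROTO=TCP SPT=51002 DPT=8080 SYN URGP=0
Jun  2 03:13:10 kernel: DROP IN=vlan2 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=51 PROTO=TCP SPT=40200 DPT=22 SYN URGP=0
Jun  2 03:14:00 kernel: ACCEPT IN=vlan2 OUT= SRC=198.51.100.99 DST=198.51.100.20 LEN=60 TTL=60 PROTO=TCP SPT=33000 DPT=8080 SYN URGP=0
Jun  2 03:14:05 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=78 TTL=48 PROTO=UDP SPT=5353 DPT=8080 LEN=58
EOF
}

# gui_hits PORT: reads log lines on stdin, prints "count source verdict",
# busiest source first. Only TCP SYNs (new connection attempts) are counted.
gui_hits() {
    awk -v port="$1" '
    / PROTO=TCP / && / SYN / {
        src = ""; dpt = ""; verdict = "OTHER"
        for (i = 1; i <= NF; i++) {
            if ($i == "ACCEPT" || $i == "DROP") verdict = $i
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dpt == port && src != "") hits[src " " verdict]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2,2
}

# noisy_sources PORT THRESHOLD: sources with at least THRESHOLD attempts,
# candidates for a block rule or a sign the GUI should not face the WAN.
noisy_sources() {
    gui_hits "$1" | awk -v t="$2" '$1 >= t { print $2 }' | sort -u
}

# Stand-alone run on the constructed sample.
sample_log | gui_hits 8080
```

On the router itself the same function can read the syslog file mentioned earlier in the thread, e.g. `gui_hits 8080 < /tmp/var/log/messages`, provided firewall logging is enabled.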
could you please confirm that when the "GUI locks up" that the router is still running and that you can SSH or Telnet into the router and kill and restart the httpd process and the GUI will come back?
There's a longtime bug in dd-wrt on this. It does not affect a lot of routers but it does affect some. Refer to
https://svn.dd-wrt.com/ticket/6873
and IF your device matches the symptoms, please add to this bug.
Please ALSO note my item #2 in the last post to this bug. And read the discussion on remote attackers "hanging" on the http port in the bug.
Joined: 16 Nov 2015 Posts: 6439 Location: UK, London, just across the river..
Posted: Thu Jun 03, 2021 7:28 Post subject:
tedm wrote:
woto,
could you please confirm that when the "GUI locks up" that the router is still running and that you can SSH or Telnet into the router and kill and restart the httpd process and the GUI will come back?
There's a longtime bug in dd-wrt on this. It does not affect a lot of routers but it does affect some. Refer to
https://svn.dd-wrt.com/ticket/6873
and IF your device matches the symptoms, please add to this bug.
Please ALSO note my item #2 in the last post to this bug. And read the discussion on remote attackers "hanging" on the http port in the bug.
tedm, if you have a problem with the WAN address showing your GUI when no WAN access is activated, there is a mitigation for it...
iptables -I INPUT -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get wan_ipaddr` -j DROP
As far as the GUI locking up on you as well, have you even looked at your firewall log when GUI over WAN is turned on...??
The same will happen if I expose my low-grade routers on WAN, as they don't have the capacity to handle those attacks....DDoS in other words...but it will happen eventually on the high-grade routers too...so the answer is... either secure your WAN GUI or don't use it...
To be honest, I do agree that on some builds, some routers have a buggy GUI...sadly/luckily none of my routers had the same issue for a long time...and as I read your statements...no proof or any backup data was provided, just the classic "it was working before but now it's not". I also want to learn and find why this is happening.
It could be due to a bad config...or memleak or BS typo...what the standard config will do...try to eliminate any reason for it...services used, etc...as well provide kernel logs and any valuable output + what's running, router model/firmware to BS...directly...