Blocking MS telemetry

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Tue May 16, 2023 22:17
yep... can't wait to try risk and l7 on the next build...
and let's hope it won't kill the performance...
the other day when I looked at the SVN... there are so many risk rules.. and l7's
tempting...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

Posted: Tue May 16, 2023 22:35
L7 always takes a hit on CPU, no matter how small (unless on x86, as you'd need a ton to have any impact); it's intensive.
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

AsX
DD-WRT User


Joined: 15 Jun 2010
Posts: 50

Posted: Fri May 19, 2023 16:09
Confirmed to work with r52596. If the windows-telemetry filter is enabled in Access Restrictions, all pings to MS telemetry servers are cut short. Nice.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Fri May 19, 2023 18:53
AsX wrote:
Confirmed to work with r52596. If the windows-telemetry filter is enabled in Access Restrictions, all pings to MS telemetry servers are cut short. Nice.


on which router... I'm struggling to run any of those on the R7000 (Broadcom)...

AsX
DD-WRT User


Joined: 15 Jun 2010
Posts: 50

Posted: Fri May 19, 2023 19:30
I tested on R7800
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Fri May 19, 2023 19:38
AsX wrote:
I tested on R7800


curious what the output of lsmod is on your R7800... I can't test my R7800, as I don't have GUI access to enable any of the ndpi/l7/risk rules... on my R7800

But on my R7000 I've no modules related to ndpi/l7/risk rules even if I enable those rules via GUI > Access Restrictions...

MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

Posted: Fri May 19, 2023 20:35
I tried it on my R9000 and it crashed the router. Boot loop until factory reset. Fortunately, I had an nvram backup from this a.m. Restored that and all is well. Guess I'll avoid windows-telemetry [ l7 ]!
_________________
Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Fri May 19, 2023 20:59
Alozaros wrote:
AsX wrote:
I tested on R7800


curious what the output of lsmod is on your R7800... I can't test my R7800, as I don't have GUI access to enable any of the ndpi/l7/risk rules... on my R7800

But on my R7000 I've no modules related to ndpi/l7/risk rules even if I enable those rules via GUI > Access Restrictions...

Are you sure you are trying to modprobe / insmod the correct module? Looks as if xt_layer7 (xt_match_layer7) is built-in to the kernel itself, or should be:

https://github.com/mirror/dd-wrt/blob/master/src/linux/universal/linux-4.4/.config_northstar#L744

https://github.com/mirror/dd-wrt/blob/master/src/router/configs/northstar/.config_northstar#L60

https://github.com/mirror/dd-wrt/blob/master/src/router/configs/northstar/.config_northstar#L201

You can check also ls -l /lib/modules/$(uname -r) | grep xt_ on the router to see if xt_layer7 is a separate module or not.

Are you sure this doesn't require "Apply" or "Reboot" to work?

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Fri May 19, 2023 21:40
root@R7000:~# ls -l /lib/modules/$(uname -r) | grep xt_
-rw-r--r-- 1 root root 3248 May 18 00:31 xt_DSCP.ko
-rw-r--r-- 1 root root 2360 May 18 00:31 xt_IMQ.ko
-rw-r--r-- 1 root root 5200 May 18 00:31 xt_WGOBFS.ko
-rw-r--r-- 1 root root 4272 May 18 00:31 xt_addrtype.ko
-rw-r--r-- 1 root root 1956 May 18 00:31 xt_cpu.ko
-rw-r--r-- 1 root root 2112 May 18 00:31 xt_devgroup.ko
-rw-r--r-- 1 root root 2688 May 18 00:31 xt_dscp.ko
-rw-r--r-- 1 root root 3384 May 18 00:31 xt_ipvs.ko
-rw-r--r-- 1 root root 901792 May 18 00:31 xt_ndpi.ko
-rw-r--r-- 1 root root 2992 May 18 00:31 xt_physdev.ko

root@R7000:~# lsmod
Module Size Used by
ip6_tables 9661 0
xt_DSCP 1518 1
tun 16385 2
wl 4472842 0
b5301x_srab 1778 0
b5301x_common 10655 1 b5301x_srab
et 64696 0
ctf 51086 0
softdog 1711 1

I don't see anything L7... anywhere, and yes, I already looked at config_northstar (my first place to look)

also see my other post in the Broadcom section... >> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334560

so, I guess for the R7000 it's not there yet...

Quote:
Are you sure this doesn't require "Apply" or "Reboot" to work?

if this is a joke -->> save, apply or reboot doesn't help

MLandi wrote:
I tried it on my R9000 and it crashed the router. Boot loop until factory reset. Fortunately, I had a nvram backup from this am. Restored that and all is well. Guess I'll avoid windows-telemetry [ l7 ]!


Thanks for letting me know, MLandi, as my primary target to use those was the R9000, as ndpi/l7/risk need CPU power..

Sadly I'm away from my R9000 and R7800... and the only testing ground is my R7000 atm..

I hope it didn't cause you big troubles, and thanks again MLandi !

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Fri May 19, 2023 22:41
I read your post already before my previous comment <lol><roll>

Alozaros wrote:
I don't see anything L7... anywhere, and yes, I already looked at config_northstar (my first place to look)

also see my other post in the Broadcom section... >> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334560

So, the xt_layer7 protocol module *is* internal to the compiled kernel, or should be, as I already stated:
Quote:
Looks as if xt_layer7 (xt_match_layer7) is built-in to the kernel itself, or should be:

https://github.com/mirror/dd-wrt/blob/master/src/linux/universal/linux-4.4/.config_northstar#L744

It may or may not show up in lsmod, but should show something for modprobe, I would think (?). Sounds like something is definitely askew and awry...

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Sat May 20, 2023 6:33
if xt_match_layer7 was working, as it should, it would stop the pings to windows-telemetry from the router side.. wouldn't it..?

I'm just out of probes, no idea what else to try, or look at.. I did lots of digging/reading
posted all my results.. in the new Broadcom thread... if there is anything else to try, I can add to the post... later.. so far, I'm done with it.. not working for me.. or I'm not looking in the right place...

According to the make northstar all should be there, but it's not... no idea where to look for the risk rules either...?!

gilius
DD-WRT Novice


Joined: 18 Oct 2022
Posts: 23

Posted: Sat May 20, 2023 17:55
BrainSlayer wrote:
there is a filter option at access restrictions named "windows-telemetry" and "ubnt-telemetry". both do not require dpi since they simply filter known ip and hostnames by simple rules. (it uses dnsmasq filter options but also adds iptables filters for the direct ip addresses.)

unfortunately they got lost in an update. i added them now in 52577 again.


Thank you BS. I will definitely update to that image and report.
AsX
DD-WRT User


Joined: 15 Jun 2010
Posts: 50

Posted: Tue May 23, 2023 14:45
Actually, I want to take my comment back - it's not working quite correctly. The dnsmasq filters are not being set. Probably there is a mistake with the restriction rule strings and related internal nvram variables. It was working in my case because I was messing with it and setting dnsmasq_ms_telemetry in nvram manually.

After setting Restriction Rules (then Apply and even reboot) there is this in nvram:

$ nvram show | grep telemetry
size: 35802 bytes (95270 left)
filter_port_grp1=windows-telemetry<&nbsp;>ubnt-telemetry<&nbsp;>

But for the dnsmasq filters to actually work, "dnsmasq_ms_telemetry" has to be set someplace by the code. But it is not.

I wonder if parsing fails because <&nbsp;> is used as the string separator.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Tue May 23, 2023 15:05
yep, I also struggle to identify if those are working or not... in my case on my router
R7000 nothing works as it should... https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334560&start=0
I did a few tests and keep doing those on the new builds, although I see on the SVN nothing is changed yet...

nvram values are there, but if you select Facebook, Hotmail, YouTube etc. nothing is blocked.. and in my case, running SmartDNS and VPN, it's not working as intended... I don't think those are working in general, despite the fact AsX already reported those work on his R7800 on this thread..
I've found that some of the ms-telem links listed do not exist, so if you pinged those they won't respond... indeed... then I decided to try with some known stuff..

I believe it's some typo.. or something small, but meaningful.. I've sent an email to BS, but nothing confirmed yet...

AsX
DD-WRT User


Joined: 15 Jun 2010
Posts: 50

Posted: Tue May 23, 2023 16:44
Figured it out. On the Access Restrictions page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.

Internally in firewall.c, function lan2wan_chains checks "STAT" in filter rules and if not zero, in the end calls advgrp_chain, which processes filters. If status is not enabled on the Web, the "STAT" is zero and everything is bypassed.

Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.
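A check I would run after AsX's finding, written here as an added example (not DD-WRT's own code): it reads an `nvram show` dump the way the thread describes, splits filter_port_grp1 on the literal <&nbsp;> separator and reports whether the windows-telemetry rule is merely listed or actually engaged (Status enabled and dnsmasq_ms_telemetry=1). The `$STAT:` field of filter_rule1 is my assumption about where the Status flag lives, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not DD-WRT code: audit an `nvram show` dump to tell whether the
# windows-telemetry access restriction is really engaged. Per the thread, the rule
# name lands in filter_port_grp1 (separated by the literal <&nbsp;> token) but
# dnsmasq_ms_telemetry is only set to 1 when the rule's Status is Enabled.
# ASSUMPTION (not stated in the thread): the rule status is the $STAT:<0|1>$ field
# of filter_rule1. On a router: telemetry_filter_state "$(nvram show 2>/dev/null)"

# Constructed sample dump; the first two lines mirror AsX's post, the rest is made up.
SAMPLE_DUMP='size: 35802 bytes (95270 left)
filter_port_grp1=windows-telemetry<&nbsp;>ubnt-telemetry<&nbsp;>
filter_rule1=$STAT:0$NAME:telemetry$DENY:1$$$
dnsmasq_ms_telemetry=0'

# nv_get DUMP KEY: print the value of KEY from a `nvram show` dump (empty if absent).
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# split_grp VALUE: print one entry per line, splitting on the literal <&nbsp;> separator.
split_grp() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *'<&nbsp;>'*) item=${rest%%'<&nbsp;>'*}; rest=${rest#*'<&nbsp;>'} ;;
            *)            item=$rest; rest='' ;;
        esac
        if [ -n "$item" ]; then printf '%s\n' "$item"; fi
    done
}

# telemetry_filter_state DUMP: prints not-configured, configured-but-disabled or active.
telemetry_filter_state() {
    grp=$(nv_get "$1" filter_port_grp1)
    stat=$(nv_get "$1" filter_rule1 | sed -n 's/.*\$STAT:\([0-9]*\)\$.*/\1/p')
    dns=$(nv_get "$1" dnsmasq_ms_telemetry)
    if ! split_grp "$grp" | grep -qx 'windows-telemetry'; then
        echo not-configured          # rule never selected in Access Restrictions
    elif [ "$stat" = 1 ] && [ "$dns" = 1 ]; then
        echo active                  # Status enabled and dnsmasq filter variable set
    else
        echo configured-but-disabled # the trap AsX hit: rule listed, Status off
    fi
}

telemetry_filter_state "$SAMPLE_DUMP"   # prints configured-but-disabled
```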