Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Tue May 16, 2023 22:17 Post subject:
yep... can't wait to try risk and l7 on the next build...
and let's hope it won't kill the performance...
the other day when I looked at the SVN... there are so many risk rules.. and l7's
tempting... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Tue May 16, 2023 22:35 Post subject:
L7 always takes a hit on CPU, no matter how small (unless on x86, as you'd need a ton to have any impact); it's intensive. _________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Fri May 19, 2023 18:53 Post subject:
AsX wrote:
Confirmed to work with r52596. If windows-telemetry filter is enabled in Access Restrictions, all pings to MS telemetry servers are cut short. Nice.
on which router... I'm struggling to run any of those on R7000 (Broadcom)...
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Fri May 19, 2023 19:38 Post subject:
AsX wrote:
I tested on R7800
curious what is the output of lsmod on your R7800... I can't test my R7800, as I don't have GUI access to enable any of the ndpi/l7/risk rules... on my R7800
But on my R7000 I've no modules related to ndpi/l7/risk rules even if I enable those rules via GUI > Access Restrictions...
I tried it on my R9000 and it crashed the router. Boot loop until factory reset. Fortunately, I had a nvram backup from this am. Restored that and all is well. Guess I'll avoid windows-telemetry [ l7 ]! _________________ Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
curious what is the output of lsmod on your R7800... I can't test my R7800, as I don't have GUI access to enable any of the ndpi/l7/risk rules... on my R7800
But on my R7000 I've no modules related to ndpi/l7/risk rules even if I enable those rules via GUI > Access Restrictions...
Are you sure you are trying to modprobe / insmod the correct module? Looks as if xt_layer7 (xt_match_layer7) is built in to the kernel itself, or should be:
You can also check ls -l /lib/modules/$(uname -r) | grep xt_ on the router to see whether xt_layer7 is a separate module or not.
Are you sure this doesn't require "Apply" or "Reboot" to work? _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
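The check suggested in the post above, worked through as an added example (not code from the thread or from DD-WRT): a match like xt_layer7 can be a loaded module, an unloaded .ko under /lib/modules, or compiled into the kernel image, and only the last case explains "nothing in lsmod, nothing to modprobe". Every path is a parameter so the logic can be run against fixtures; the Kconfig symbol NETFILTER_XT_MATCH_LAYER7 and the presence of /proc/config.gz are assumptions.

```shell
# Added example: classify how a netfilter match such as xt_layer7 is provided
# by the running kernel. Prints loaded | module | builtin | absent.
#   usage: classify_xt_match xt_layer7 [moddir] [proc_modules] [kernel_config]
classify_xt_match() {
    name=$1
    moddir=${2:-/lib/modules/$(uname -r)}
    procmods=${3:-/proc/modules}
    config=${4:-/proc/config.gz}

    # 1. Already loaded: /proc/modules has one "name size refs ..." line per module
    #    (this is what lsmod prints).
    if [ -r "$procmods" ] && grep -q "^$name " "$procmods"; then
        echo loaded
        return 0
    fi
    # 2. Shipped as a loadable object (possibly compressed, .ko.xz) but not loaded.
    if [ -d "$moddir" ] && find "$moddir" -name "$name.ko*" 2>/dev/null | grep -q .; then
        echo module
        return 0
    fi
    # 3. Compiled into the kernel image: invisible to lsmod and modprobe, only
    #    visible in the kernel config (needs CONFIG_IKCONFIG_PROC, which a DD-WRT
    #    build may lack). Accepts a gzip'd or plain-text config. The Kconfig
    #    symbol NETFILTER_XT_MATCH_<NAME> for the l7-filter patch is assumed.
    if [ -r "$config" ]; then
        sym=$(printf '%s' "${name#xt_}" | tr 'a-z' 'A-Z')
        if { zcat "$config" 2>/dev/null || cat "$config"; } \
            | grep -q "^CONFIG_NETFILTER_XT_MATCH_${sym}=y"; then
            echo builtin
            return 0
        fi
    fi
    echo absent
    return 1
}
```

On the router itself, `classify_xt_match xt_layer7` with no further arguments inspects the live system.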
Are you sure this doesn't require "Apply" or "Reboot" to work?
If this is a joke -->> save, apply or reboot don't help.
MLandi wrote:
I tried it on my R9000 and it crashed the router. Boot loop until factory reset. Fortunately, I had a nvram backup from this am. Restored that and all is well. Guess I'll avoid windows-telemetry [ l7 ]!
Thanks for letting me know MLandi, as my primary target to use those was the R9000, since ndpi/l7/risk need CPU power..
Sadly I'm away from my R9000 and R7800... and the only testing ground is my R7000 atm..
I hope it didn't cause you big troubles, and thanks again MLandi!
It may or may not show up in lsmod, but it should show something for modprobe, I would think (?). Sounds like something is definitely askew and awry...
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Sat May 20, 2023 6:33 Post subject:
If xt_match_layer7 was working as it should, it would stop the pings to windows-telemetry from the router side.. wouldn't it?
I'm just out of probes, no idea what else to try or look at.. I did lots of digging/reading,
posted all my results.. in the new Broadcom thread... if there is anything else to try, I can add it to the post later.. so far, I'm done with it.. not working for me.. or I'm not looking in the right place...
According to the make northstar all should be there, but it's not... no idea where to look for the risk rules either...?!
There is a filter option at Access Restrictions named "windows-telemetry" and "ubnt-telemetry"; both do not require DPI since they simply filter known IPs and hostnames by simple rules (it uses dnsmasq filter options but also adds iptables filters for the direct IP addresses).
Unfortunately they got lost in an update. I added them again now in 52577.
Thank you BS. I will definitely update to that image and report.
Actually, I want to take my comment back - it's not working quite correctly. The dnsmasq filters are not being set. Probably there is a mistake with the restriction rule strings and the related internal nvram variables. It was working in my case because I was messing with it and was setting dnsmasq_ms_telemetry in nvram manually.
After setting Restriction Rules (then Apply and even reboot) there is this in nvram:
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Tue May 23, 2023 15:05 Post subject:
yep, I also struggle to identify whether those are working or not... in my case on my router
R7000 nothing works as it should... https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334560&start=0
I did a few tests and keep doing those on the new builds, although I see on the SVN nothing is changed yet...
nvram values are there, but if you select Facebook, hotmail, youtube etc. nothing is blocked.. and in my case, running SmartDNS and VPN, it is not working as intended... I don't think those are working in general, despite the fact AsX already reported those work on his R7800 in this thread..
I've found that some of the ms-telem links listed do not exist, so if you pinged those they won't respond... indeed... then I decided to try with some known stuff..
I believe it's some typo.. or something small but meaningful.. I've sent an email to BS, but nothing confirmed yet...
Figured it out. On the Access Restriction page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.
Internally in firewall.c, the function lan2wan_chains checks "STAT" in the filter rules and, if it is not zero, in the end calls advgrp_chain, which processes the filters. If Status is not enabled on the Web, "STAT" is zero and everything is bypassed.
Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.
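The failure mode found above (a rule whose Status is disabled is silently skipped by lan2wan_chains, so the telemetry filter never engages) can be audited from an `nvram show` dump. This is an added example, not code from the thread or from DD-WRT; the `$STAT:1$NAME:...$DENY:1$$` layout of the `filter_ruleN` values is assumed from DD-WRT's rule format, and the dump lines in the test are constructed.

```shell
# Added example: audit a DD-WRT "nvram show" dump for Access Restriction rules
# that are present but disabled ($STAT: is 0 or missing), i.e. rules whose every
# option is ignored by lan2wan_chains() in firewall.c.
#   usage: audit_filter_rules nvram_dump.txt
audit_filter_rules() {
    dump=$1
    grep '^filter_rule[0-9]*=' "$dump" | while IFS='=' read -r key val; do
        # Pull the numeric STAT field and the rule NAME out of the $KEY:value$ string.
        # An empty rule (no STAT field at all) counts as disabled.
        stat=$(printf '%s' "$val" | sed -n 's/.*\$STAT:\([0-9]*\)\$.*/\1/p')
        name=$(printf '%s' "$val" | sed -n 's/.*\$NAME:\([^$]*\)\$.*/\1/p')
        case "${stat:-0}" in
            0) echo "$key ($name): DISABLED - bypassed by lan2wan_chains" ;;
            *) echo "$key ($name): enabled (STAT=$stat)" ;;
        esac
    done
}

# Returns 0 only when the dnsmasq side of the windows-telemetry filter is armed
# (dnsmasq_ms_telemetry=1, the variable the thread found) AND at least one rule
# has a non-zero STAT; anything else means the filter is not actually in effect.
telemetry_filter_engaged() {
    dump=$1
    grep -q '^dnsmasq_ms_telemetry=1$' "$dump" || return 1
    audit_filter_rules "$dump" | grep -q ': enabled'
}
```

On a live router, `nvram show > /tmp/nv.txt && audit_filter_rules /tmp/nv.txt` lists every rule with its effective state.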