***HELP*** TTL change for all devices using router

cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 17:41    Post subject: ***HELP*** TTL change for all devices using router
I am attempting to change the TTL for outgoing packets for all devices on the LAN side of my router. I have the following configuration.
TP-Link AC1750 (Archer C7) v.5; this will be connected to a Netgear LTE modem (LB2120) using a Verizon SIM. I have flashed my TP-Link with the latest factory-to-ddwrt.bin. I have logged in and established a username and password. The only other change I have made is to change the IP from 192.168.1.1 to 192.168.2.1.

I have found several threads on this but cannot get it working. When I run iptables -t mangle -vnL POSTROUTING I get the following.
Chain POSTROUTING (policy ACCEPT 12438 packets, 6106K bytes)
pkts bytes target prot opt in out source destination

I do not see any packet data after the command has been accepted. I feel like there is something I'm missing in the router setup, maybe firewall related, but am not sure.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 17:52
Did you try this and save it to your firewall script in Administration->Commands tab?

https://wiki.dd-wrt.com/wiki/index.php/Iptables#Modifying_the_TTL

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 18:40
kernel-panic69 wrote:
Did you try this and save it to your firewall script in Administration->Commands tab?

https://wiki.dd-wrt.com/wiki/index.php/Iptables#Modifying_the_TTL


Yes, and still no change. In all the other examples I have seen, when the command iptables -t mangle -vnL POSTROUTING is run there is packet information below. I get nothing. I currently have the WAN port connected to my cable modem and it's routing packets correctly, as I can get online.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 18:51
I have a PREROUTING set to 10 followed by a POSTROUTING set to incr 1. I think I had to do it in a certain order for it to 'work' and show up correctly when I wanted to list them like that.
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 18:55
kernel-panic69 wrote:
I have a PREROUTING set to 10 followed by a POSTROUTING set to incr 1. I think I had to do it in a certain order for it to 'work' and show up correctly when I wanted to list them like that.


Thanks for the quick reply. I still feel like I'm missing some other foundational configuration. Shouldn't I see something after the command is accepted specific to packet info?

One other piece of information: I am coming into the router via the wireless AP from a Win 10 desktop. I have no additional configuration on the AP; it's currently running in Wireless Mode = AP. I saw a post that indicated I may need to change the Wireless Mode, but in my scenario I am not linking routers. I am going from desktop - wifi - router - cable modem.


Last edited by cabinfever1932 on Mon Dec 30, 2019 19:03; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 18:59
Ok, I have to ask, are you adding firewall rules to the firewall in Administration -> Commands tab, saving firewall, and then issuing the command to list the rules via telnet / ssh or in the Commands window? That webUI commands window is a problematic bitch still and mostly good for adding startup, custom, and firewall scripts, but not much else without figuring out exactly the right syntax and whatnot.
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 19:14
kernel-panic69 wrote:
Ok, I have to ask, are you adding firewall rules to the firewall in Administration -> Commands tab, saving firewall, and then issuing the command to list the rules via telnet / ssh or in the Commands window? That webUI commands window is a problematic bitch still and mostly good for adding startup, custom, and firewall scripts, but not much else without figuring out exactly the right syntax and whatnot.


Yes, I added the following and clicked save firewall in the Commands tab.

iptables -t mangle -I PREROUTING -i `get_wanface` -j TTL --ttl-set 10
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 128

Then I executed each command via a telnet session. Once the command was issued I got no validation that it was executed.

I then ran the following command to see if I would see any packet data but got nothing. As you can see it says "ACCEPT" but nothing below that.

iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 18065 packets, 9223K bytes)
pkts bytes target prot opt in out source destination
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 19:18
cabinfever1932 wrote:
kernel-panic69 wrote:
Ok, I have to ask, are you adding firewall rules to the firewall in Administration -> Commands tab, saving firewall, and then issuing the command to list the rules via telnet / ssh or in the Commands window? That webUI commands window is a problematic bitch still and mostly good for adding startup, custom, and firewall scripts, but not much else without figuring out exactly the right syntax and whatnot.


Yes, I added the following and clicked save firewall in the Commands tab.

iptables -t mangle -I PREROUTING -i `get_wanface` -j TTL --ttl-set 10
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 128

Then I executed each command via a telnet session. Once the command was issued I got no validation that it was executed.

I then ran the following command to see if I would see any packet data but got nothing. As you can see it says "ACCEPT" but nothing below that.

iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 18065 packets, 9223K bytes)
pkts bytes target prot opt in out source destination


So let me start from the beginning. After I flash with the new firmware, is there anything I need to do beyond setting a username and password and before WRT is ready to accept the commands to change the TTL value?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 19:52
No, nothing special that I recall. Not sure if you can use both of those rules together. I can't recall exactly if it was those two or the 128 rule and the incr 1 rule, but previous trial and error brought me to my current rules in use for TTL.
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 19:57
kernel-panic69 wrote:
No, nothing special that I recall. Not sure if you can use both of those rules together. I can't recall exactly if it was those two or the 128 rule and the incr 1 rule, but previous trial and error brought me to my current rules in use for TTL.


hmmm...

I saw this in another post and just can't get similar results.
root@ddwrt-lab1:~# iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 218K packets, 36M bytes)
pkts bytes target prot opt in out source destination
1306 287K TTL 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0 TTL set to 65
1396 298K TTL 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0 TTL increment by 1

As you can see there is packet info after the command is issued.

Hopefully someone will be able to point me in the right direction. I'm sure it is something very simple that I am overlooking.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 20:19
I don't think you can use the setting it to 128 and incrementing it by 1. That's what did not work for me, if I recall right. Also, you notice both of those are vlan1 (LAN), not vlan2 (WAN). I haven't implemented anything for vlan1, personally.
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 21:06
kernel-panic69 wrote:
I don't think you can use the setting it to 128 and incrementing it by 1. That's what did not work for me, if I recall right. Also, you notice both of those are vlan1 (LAN), not vlan2 (WAN). I haven't implemented anything for vlan1, personally.


I haven't configured any VLANs. Is that something I need to do? The only things I have configured are user ID / pwd. I haven't made any changes to firewall settings other than inserting the commands, then saving them to firewall in the web GUI and then running them via telnet.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14364
Location: Texas, USA

Posted: Mon Dec 30, 2019 21:31
If those firewall rules are in your firewall script, why are you re-entering the commands via telnet? That is probably not helping. There are default vlans configured in the firmware, dependent on whether the router is pre-802.11n or post-802.11n. You should probably do a little more RTFM ....
cabinfever1932
DD-WRT Novice


Joined: 30 Dec 2019
Posts: 10

Posted: Mon Dec 30, 2019 23:54
kernel-panic69 wrote:
If those firewall rules are in your firewall script, why are you re-entering the commands via telnet? That is probably not helping. There are default vlans configured in the firmware, dependent on whether the router is pre-802.11n or post-802.11n. You should probably do a little more RTFM ....


I'd love to RTFM but there doesn't seem to be clear guidance on this. I may have misunderstood, but I thought you or someone else indicated to use the UI to copy the commands and save them for the Firewall but also issue them via telnet.

I'm trying to get some indication that the commands have executed and are working; so far I see nothing that indicates that.

Obviously networking is not my forte. I know almost enough to be dangerous but not really.

So here is my new plan. Flash the firmware again back to a base load of WRT. Then only use the UI to save the following command to the firewall.

iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 128

I will then restart the router, connect via wireless, ping yahoo.com and hope to see a TTL of 128.

Should I expect to see those results?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13036
Location: Netherlands

Posted: Tue Dec 31, 2019 8:49
This rule from telnet should just work:
Code:
iptables -t mangle -I POSTROUTING -o $(get_wanface) -j TTL --ttl-set 128


and then with: iptables -vnL -t mangle you should see:

Code:
root@R7800:~# iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 1269K packets, 751M bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2880 MARK       0    --  !eth0  *       0.0.0.0/0            83.81.159.246        MARK or 0x80000000
1269K  751M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain INPUT (policy ACCEPT 112K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1244K packets, 787M bytes)
 pkts bytes target     prot opt in     out     source               destination
58913 3291K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 99677 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1354K packets, 807M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TTL        0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           TTL set to 128
root@R7800:~#

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
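
Added example (not part of any post in this thread, and not DD-WRT's own code): a shell check that tells the empty POSTROUTING listing the original poster saw apart from a listing where the TTL rule is installed, with or without packet hits. The function name `ttl_rule_status` is hypothetical and the sample listings are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example: classify the listing printed by
#   iptables -t mangle -vnL POSTROUTING
# ttl_rule_status is a hypothetical helper name; the sample listings below are
# constructed from the outputs quoted in this thread.

# Reads a chain listing on stdin and prints one of:
#   missing - no TTL rule; the "policy ACCEPT" header only shows the chain default
#   idle    - a TTL rule is installed but its packet counter is still 0
#   active  - a TTL rule is installed and has matched packets
ttl_rule_status() {
    awk '
        # Rule rows start with a packet counter; the third field is the target.
        $1 ~ /^[0-9]+[KMG]?$/ && $3 == "TTL" {
            found = 1
            if ($1 != "0") hits = 1
        }
        END {
            if (!found)    print "missing"
            else if (hits) print "active"
            else           print "idle"
        }'
}

# Constructed sample 1: the empty chain reported by the original poster.
EMPTY_LISTING='Chain POSTROUTING (policy ACCEPT 18065 packets, 9223K bytes)
pkts bytes target prot opt in out source destination'

# Constructed sample 2: rule present, nothing has matched it yet.
IDLE_LISTING='Chain POSTROUTING (policy ACCEPT 1354K packets, 807M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TTL        0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           TTL set to 128'

# Constructed sample 3: rule present and counting packets.
ACTIVE_LISTING='Chain POSTROUTING (policy ACCEPT 218K packets, 36M bytes)
pkts bytes target prot opt in out source destination
1306 287K TTL 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0 TTL set to 65'

# On a live router the same function takes the real listing:
#   iptables -t mangle -vnL POSTROUTING | ttl_rule_status
for sample in "$EMPTY_LISTING" "$IDLE_LISTING" "$ACTIVE_LISTING"; do
    printf '%s\n' "$sample" | ttl_rule_status
done
```

A result of `missing` means the insert never reached the mangle table, so the next thing to check is the exit status and error output of the `iptables -I` command itself.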
All times are GMT