davidc502 wrote:

KLit75 wrote:

Sorry if this has been asked...like a month ago, I thought I read more specific instructions for flashing (like revert to an early version first?) Looking on the wiki now I don't see any real prerequisites.
In short--can I just flash version 2 wrt1900ac? I'm coming from stock linksys, the most recent firmware. Thanks a lot.
Btw--if there's anything else I should know please share. I have flashed openwrt to this router around Xmas time and back then it was as simple as just installing it.

Flash to v2 only if you have hardware v2 of the Linksys 1900ac.

We want to make sure that is your understanding before flashing. Because if you flash v2 on v1 hardware, it will brick.

Best Regards,

Thanks. Wow...I really am out of the loop. Wasn't even aware of newer hardware. Bought mine last November so I'd assume version 1? But clearly I should do a little homework. Thanks again.

doitnow wrote:

JW0914 wrote:

Except for the rate limiting applied to ssh, telnet, and openvpn, this is the default firewall for OpenWRT

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N delegate_input
iptables -t filter -N delegate_output
iptables -t filter -N delegate_forward
iptables -t filter -N delegate_rate_limit
iptables -t filter -N reject

 
   Hello, I've taken this as a starting point for an ipsec firewall. Unfortunately, the script at "http://wiki.openwrt.org/doc/howto/vpn.i … all_script" is not working with my setup on CC rc3. My IPSEC  site-site tunnel is up, but "routing" is not working on hosts connected to the 1990AC.

The errors that are emitted when the firewall scripts run, are "No chain/target/match by that name"

  The targets that are not found include
     zone_vpn
     zone_vpn_ACCEPT
     zone_vpn_INPUT
     zone_vpn_nat

  The script is configuring targets like
     zone_vpn_forward
     zone_vpn_output
     zone_vpn_input
     zone_vpn_dest_ACCEPT
     zone_vpn_src_REJECT

   This seems like it is very close to working, but not quite.

I have very little experience with editing scripts on Linux, so I can't comment as to where exactly the problem is in the script, however I can share why the problem is occurring:

• OpenWRT uses a custom form of iptables, run by fw3, and because of this, normal chain names won't work.  These include the first set of targets, however the second set is correct for fw3.

My guess is you simply need to edit what your ${zone} variables point to to ensure they point to the second set of targets.

EDIT
I'm curious why you've chosen to manually run a secondary firewall script, and was wondering what you're looking to accomplish by doing so.

• The reason I ask is what you're attempting to accomplish can probably be done far easier by either adding rules directly via LuCI or manually editing the /etc/config/firewall config file.  If you need to manually have iptables commands ran, then /etc/firewall.user would accomplish the job.

Depending on how complex you need the firewall to be, I think you may be making more work for yourself than what's needed for what you're trying to accomplish

JW0914 wrote:

From looking at the script, it would seem like it needs some very minor tweaks:

• Remove zone_${zone}  (This shouldn't be needed, if I'm interpreting this correctly)

• From: zone_${zone}_ACCEPT  to  zone_${zone}_dest_ACCEPT

• From: zone_${zone}_INPUT  to  zone_${zone}_input

• I'm not sure about zone_${zone}_nat

The rest would be:

• zone_${zone}_forward

• zone_${zone}_output

• zone_${zone}_src_REJECT  and/or  zone_${zone}_src_DROP

Also, with the secondary script disabled, if you haven't already, I would run fw3 print so you can get an idea of how fw3 sets up the iptables firewall.  In and of itself, fw3's default firewall is the most secure I've seen on a consumer router.

I run two VPN servers on OpenWRT, one with a very strict firewall, limiting it's access, and this is how fw3 configured my rules via LuCI:

I take it that fw3 was added after the ipsec firewall script was implemented. It would be a shame to get this far only to be stopped from VPN/OpenWrt goodness by an integral script that has fallen out of support.

I've made the changes you suggest below, but I still have errors about zone_vpn_nat and zone_vpn in particular. What were you interpreting  that led to zone_vpn being unneeded?

JW0914 wrote:

A lot of the Wikis on OpenWRT are dated... so I'm guessing it was probably written for Barrier Breaker or earlier.  Could that script still be utilized with some tweaking, absolutely... however I think it would probably be far simpler for you to set up firewall rules via LuCI and add custom iptables commands that cannot be added via firewall rules to /etc/firewall.user

   Fair enough. Thank you  for the suggestion!

JW0914 wrote:

Unless you're setting up a corporate firewall, I think you're making more work for yourself than is needed.  If you can explain what exactly you want to do, I can offer more detailed information.

    This is intended to be a corporate firewall - allowing a remote office to enjoy a site-site VPN into AWS where we have a server running strongswan.

JW0914 wrote:

If you're simply looking to set up firewall rules for a VPN, I wrote a ...

  This is a great document. I have not seen it until now. I've been focusing on the strongswan implimentation, It may be time to consider an alternative in openvpn.

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1LLMfih

JW0914 wrote:

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1IpsplW

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

nitroshift wrote:

JW0914 wrote:

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1LLMfih

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

Thanks =]

Here's the new link (I also edited the previous post to show the updated link): http://1drv.ms/1exMGho

JW0914 wrote:

nitroshift wrote:

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

Thanks =]

Here's the new link (I also edited the previous post to show the updated link): http://1drv.ms/1IpsplW

Again, nice. And again, please update the wiki. Thanks.

nitroshift

@JW0914

I meant this: http://wiki.openwrt.org/toh/linksys/wrt1900ac

nitroshift

@JW0914

I meant this: http://wiki.openwrt.org/toh/linksys/wrt1900ac

nitroshift

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

You're welcome You could buy me a beer if we'll meet

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Hi David, Please confirm on the stability. Been on stock for sometime because of the current issues.

Kaloz: Thanks for all the work you did.

Cheers,
Sachin Gopal

sachingopal wrote:

davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Hi David, Please confirm on the stability. Been on stock for sometime because of the current issues.

Kaloz: Thanks for all the work you did.

Cheers,
Sachin Gopal

Your mileage may vary, but RC3 has been stable, and the new wifi drivers have been stable as well. RC3 only been around 2 weeks, so time will tell, but it is off to a really good start.

@phantomsfbw

Follow openwrt timeline and look for the corresponding commit. The new driver will be included in the following day build.

nitroshift

@phantomsfbw

Follow openwrt timeline and look for the corresponding commit. The new driver will be included in the following day build.

nitroshift