OpenWrt Forum Archive

Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

On a reboot of the router the rules are there but I have "Chain rate_limit (References: 0)". The only way I can get it
to work is to restart the firewall; then it reads "Chain rate_limit (References: 2)".
I have even put this in startup: "/etc/init.d/firewall restart". I have also tried using reload. What's the trick to have it running on a reboot of the router? I even tried to make an executable with the restart in it.

#!/bin/sh

/etc/init.d/firewall restart

I created a file called fwuser.sh in ./etc and made it executable with no effect.
I know it is probably something I am doing wrong but I can't make it work.

(Last edited by northbound on 3 Aug 2015, 22:22)

I'm having problems with firewall.user starting/staying loaded too.

(Last edited by gufus on 3 Aug 2015, 23:32)

gufus wrote:

I'm having problems with firewall.user starting/staying loaded too.

what process name?

davidc502 wrote:
gufus wrote:

I'm having problems with firewall.user starting/staying loaded too.

what process name?

My setup

Using username "root".
Authenticating with public key "rsa-key-20120810"


BusyBox v1.23.2 (2015-06-18 06:39:10 CEST) built-in shell (ash)

Linksys WRT1900AC (Mamba)
Security is enabled, and your IP address has been logged.

root@AC1900M:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1368 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    7 root         0 SW   [rcu_sched]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [migration/0]
   10 root         0 SW   [migration/1]
   11 root         0 SW   [ksoftirqd/1]
   13 root         0 SW<  [kworker/1:0H]
   14 root         0 SW<  [khelper]
  114 root         0 SW<  [writeback]
  116 root         0 SW<  [bioset]
  120 root         0 SW<  [kblockd]
  157 root         0 SW   [kswapd0]
  159 root         0 SW   [fsnotify_mark]
  261 root         0 SW   [spi0]
  327 root         0 SW<  [deferwq]
  331 root         0 SW   [ubi_bgt0d]
  366 root         0 SW<  [ata_sff]
  375 root         0 SW   [scsi_eh_0]
  376 root         0 SW<  [scsi_tmf_0]
  399 root         0 SW   [scsi_eh_1]
  401 root         0 SW<  [scsi_tmf_1]
  402 root         0 SW   [usb-storage]
  407 root         0 SW   [scsi_eh_2]
  408 root         0 SW<  [scsi_tmf_2]
  409 root         0 SW   [usb-storage]
  432 root         0 SW<  [kworker/1:1H]
  477 root         0 SW   [ubifs_bgt0_1]
  490 root         0 SW   [ubi_bgt1d]
  496 root         0 SW   [ubifs_bgt1_0]
  613 root       792 S    /sbin/ubusd
  614 root         0 SW   [jbd2/sda1-8]
  615 root         0 SW<  [ext4-rsv-conver]
  620 root         0 SW   [jbd2/sdb1-8]
  621 root         0 SW<  [ext4-rsv-conver]
  666 root       668 S    /sbin/askfirst /bin/ash --login
  882 root         0 SW<  [ipv6_addrconf]
  901 root         0 SW<  [cfg80211]
1104 root       940 S    /sbin/logd -S 16
1113 root      1444 S    /sbin/rpcd
1174 root      1132 S    /usr/sbin/odhcpd
1202 root      1316 S    /usr/sbin/crond -f -c /etc/crontabs -l 8
1208 nobody    1240 S    /usr/sbin/dnscrypt-proxy -d -a 127.0.0.1:5353 -u nob
1288 root      2200 S    /usr/sbin/uhttpd -f -h /www -r AC1900M -x /cgi-bin -
1382 root      2812 S    /usr/sbin/smbd -D
1409 root      2852 S    /usr/sbin/nmbd -D
1547 root      1312 S    /usr/sbin/ntpd -n -S /usr/sbin/ntpd-hotplug -p 0.ope
1608 root       864 S    /usr/sbin/vnstatd -d
5488 root      1320 S    {fan_monitor} /bin/sh /usr/sbin/fan_monitor
6623 root      3176 S    /usr/sbin/openvpn --syslog openvpn(IPredator) --stat
11436 root         0 SW   [kworker/0:0]
11446 root      1036 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
12702 root     19336 S    /usr/sbin/collectd
13741 root         0 SW   [kworker/1:0]
15678 root         0 SW   [kworker/u4:1]
22258 root         0 SW   [kworker/0:1]
22337 root         0 SW   [kworker/1:1]
24036 root      1300 S    sleep 300
24041 root      1300 S    sleep 300
24046 root      1300 S    sleep 300
25156 root      1104 R    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
25157 root      1312 S    -ash
25223 root      1300 S    sleep 5
25224 root      1308 R    ps
28547 root         0 SW   [kworker/u4:0]
31773 root      1488 S    /sbin/netifd
32112 root      1632 S    /usr/sbin/hostapd -P /var/run/wifi-phy0.pid -B /var/
32146 root      1308 S    udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dh
32149 root      1632 S    /usr/sbin/hostapd -P /var/run/wifi-phy1.pid -B /var/
32162 root       700 S    odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth1
32289 nobody    1824 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k -x /va
32302 root      1448 S    {dynamic_dns_upd} /bin/sh /usr/lib/ddns/dynamic_dns_
32303 root      1448 S    {dynamic_dns_upd} /bin/sh /usr/lib/ddns/dynamic_dns_
32304 root      1448 S    {dynamic_dns_upd} /bin/sh /usr/lib/ddns/dynamic_dns_
root@AC1900M:~#

this is what I have running... still, which is iptables/firewall?

root@OpenWrt:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1304 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    7 root         0 SW   [rcu_sched]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [migration/0]
   10 root         0 SW   [migration/1]
   11 root         0 SW   [ksoftirqd/1]
   13 root         0 SW<  [kworker/1:0H]
   14 root         0 SW<  [khelper]
   15 root         0 SW   [kworker/u4:1]
  114 root         0 SW<  [writeback]
  116 root         0 SW<  [bioset]
  117 root         0 SW   [kworker/0:1]
  120 root         0 SW<  [kblockd]
  157 root         0 SW   [kswapd0]
  159 root         0 SW   [fsnotify_mark]
  261 root         0 SW   [spi0]
  327 root         0 SW<  [deferwq]
  331 root         0 SW   [ubi_bgt0d]
  364 root         0 SW<  [ata_sff]
  373 root         0 SW   [scsi_eh_0]
  375 root         0 SW<  [scsi_tmf_0]
  399 root         0 SW   [kworker/0:2]
  402 root         0 SW   [scsi_eh_1]
  403 root         0 SW<  [scsi_tmf_1]
  404 root         0 SW   [usb-storage]
  426 root         0 SW<  [kworker/1:1H]
  462 root         0 SW   [ubifs_bgt0_1]
  475 root         0 SW   [ubi_bgt1d]
  481 root         0 SW   [ubifs_bgt1_0]
  601 root       792 S    /sbin/ubusd
  634 root       668 S    /sbin/askfirst /bin/ash --login
  784 root         0 SW<  [ipv6_addrconf]
  806 root         0 SW<  [cfg80211]
  999 root       940 S    /sbin/logd -S 16
1008 root      1444 S    /sbin/rpcd
1042 root      1488 S    /sbin/netifd
1065 root      1076 S    /usr/sbin/odhcpd
1097 root      1316 S    /usr/sbin/crond -f -c /etc/crontabs -l 8
1172 root      1308 S    udhcpc -p /var/run/udhcpc-br-wan.pid -s /lib/netifd/dhcp.script -f -t 0 -i br-wan -C
1186 root      1036 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p INTERNAL:22 -K 300
1227 root      2636 S    /usr/sbin/snmpd -Lf /dev/null -f
1316 root      1464 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0.0.0:80 -p [::]:80
1337 root     11656 S    /usr/sbin/collectd
1503 nobody     872 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k -x /var/run/dnsmasq/dnsmasq.pid
1581 root      1084 S    logread -f
1604 root      1312 S    /usr/sbin/ntpd -n -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.openwrt
1607 root      1636 S    /usr/sbin/hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
13968 root      1128 R    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p INTERNAL:22 -K 300
13969 root      1320 S    -ash
14874 root         0 SW   [kworker/1:3]
14937 root         0 SW   [kworker/1:0]
15006 root         0 SW   [kworker/1:1]
15007 root      1308 R    ps
25574 root         0 SW   [kworker/u4:0]
25575 root      1632 S    /usr/sbin/hostapd -P /var/run/wifi-phy1.pid -B /var/run/hostapd-phy1.conf
30318 root      1104 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p INTERNAL:22 -K 300
30320 root      1328 S    -ash
32522 root      1104 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p INTERNAL:22 -K 300
32524 root      1328 S    -ash

(Last edited by davidc502 on 4 Aug 2015, 00:09)

davidc502 wrote:

this is what I have running... still, which is iptables/firewall?

Don't know.

iptables is part of the kernel, it's not a separate process.

dlang wrote:

iptables is part of the kernel, it's not a separate process.

I thought nftables was part of the kernel and iptables was in user-space

(Last edited by lifehacksback on 4 Aug 2015, 02:44)

gufus,

I use /etc/firewall.user for my fwbuilder script with only occasional drops. Try using 777 (wide open) security for best results. Once my script stops working I use fwbuilder to reload it and it works again. I have the fwbuilder test commands enabled so it is 791 lines out for 12 fwbuilder lines in. It would be much shorter if I just ran the iptables commands. WinSCP can do the editing and security settings without knowing much Linux stuff, for anyone not aware of it.

Hi @all,
I have enough.
I will sell my wrt1900ac v1.
Somebody interested?
Please e-mail piphone@hotmail.de
Thanks,
p.

dlang wrote:

iptables is part of the kernel, it's not a separate process.

The iptables logging shows "Kernel Warn" for each logged event. So, I guess it makes sense.

Hi everybody,

I'm considering buying a Linksys WRT1900AC, but only if it supports TPC and DFS. Neither is the case with the Linksys stock firmware. Is this functionality available in the OpenWrt build for this router? I've been trying for days to find some reliable information on this topic, but it doesn't seem to be covered in detail anywhere on the web, hence I'd like to kindly ask the community.

Unfortunately, I'm heavily dependent on both TPC and DFS because without them, the law in Germany won't allow me to use the 5GHz band above channel 48. I live in a crowded area with many wifi networks around, so if I can't get this to work with the WRT1900AC, the router will be pretty useless for me.

Thanks in advance for your help!
kaffeeundsalz

(Last edited by kaffeeundsalz on 4 Aug 2015, 15:16)

How would you drop all from, and log, 221.0.0.0 - 221.255.255.255? There will be many others involving Asia Pacific Network Information Centre (APNIC).

Or better yet, does anyone have a link to the fw3 layout? I have found some scattered instructions, but some seem obsolete.
TIA.

northbound wrote:

How would you drop all from and log 221.0.0.0 - 221.255.255.255

To drop everything coming in from 221.x.x.x, use a CIDR-formatted address in an iptables command like so:
iptables -I <CHAIN_NAME> -s 221.0.0.0/8 -j DROP

Looking at the comments in /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Then, it seems reasonable that <CHAIN_NAME> would be:
INPUT
input_wan_rule

(Last edited by wrtpat on 4 Aug 2015, 17:42)
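Added example, not wrtpat's or northbound's code and not part of the OpenWrt firewall package: a /etc/firewall.user fragment that does both halves of northbound's question, logging and then dropping traffic from a list of source networks. It keeps the rules in a dedicated chain that is flushed and rebuilt on every run, so repeated firewall restarts do not stack duplicate rules, and hooks that chain into fw3's input_wan_rule and forwarding_wan_rule user chains, which the firewall.user comments above say are left alone on reload. The chain name blocklist, the BLOCKED_NETS variable, the log prefix and the DRY_RUN switch are this example's own choices, not fw3 conventions; the two ranges in the list are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt firewall package: a
# /etc/firewall.user fragment that logs, then drops, traffic from a list of
# source networks. Chain name, variable names, log prefix and the DRY_RUN
# switch are this example's own choices (assumptions, not fw3 conventions).

# Source networks to block, in CIDR form (both ranges are the ones discussed
# in the thread).
BLOCKED_NETS="221.0.0.0/8 91.0.0.0/8"
CHAIN="blocklist"
LOG_PREFIX="blocklist-drop: "

# Wrapper around iptables. With DRY_RUN=1 the command is printed instead of
# executed, so the generated rules can be reviewed on a machine without
# iptables before they go anywhere near the router.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Insert a jump into the parent chain unless an identical jump already exists
# (iptables -C exits 0 when it finds one). In dry-run mode there is nothing
# to check against, so the jump is always printed.
ensure_jump() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C "$1" -j "$CHAIN" 2>/dev/null; then
        ipt -I "$1" -j "$CHAIN"
    fi
}

build_rules() {
    # Create the chain if it is missing (-N fails harmlessly when it exists),
    # then flush it so each run rebuilds it from BLOCKED_NETS alone.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"

    for net in $BLOCKED_NETS; do
        # LOG first, rate-limited so a scan cannot flood the log, then DROP.
        # DROP sends nothing back; REJECT would answer with a RST or ICMP error.
        ipt -A "$CHAIN" -s "$net" -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
        ipt -A "$CHAIN" -s "$net" -j DROP
    done

    # Hook the chain into fw3's user chains. The firewall.user comments say the
    # zone chains are flushed and recreated on reload, while the *_rule user
    # chains are kept for custom rules: input_wan_rule sees traffic addressed
    # to the router itself, forwarding_wan_rule traffic passing through it.
    ensure_jump input_wan_rule
    ensure_jump forwarding_wan_rule
}

# Apply when run on the router; with DRY_RUN=1 only print the commands.
# On a machine without iptables (reviewing the script elsewhere) do nothing
# rather than fail half-way through.
if [ "${DRY_RUN:-0}" = "1" ] || command -v iptables >/dev/null 2>&1; then
    build_rules
fi
```

Run it with DRY_RUN=1 first to read the generated commands without touching the firewall. After a restart, `iptables -L blocklist -v -n` shows the chain with its references count and per-rule packet counters; a references count of zero means the jump rules did not land. DROP gives the remote end no answer at all, whereas REJECT returns a RST or ICMP error, which is the difference between a port showing as stealth and as closed in an external scan.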

lifehacksback wrote:
dlang wrote:

iptables is part of the kernel, it's not a separate process.

I thought nftables was part of the kernel and iptables was in user-space

the iptables binary is a tool to set the in-kernel filtering.

That may be implemented with the nftables code in the kernel, but the filtering is still all done in the kernel.

Tue Aug  4 12:42:44 2015 user.notice firewall: Reloading firewall due to ifup of IPredator (tun1337)

It says "Reloading firewall" when I ifup my VPN tunnel but firewall.user doesn't start.

I've tried a few times now, it won't load.

FYI

I use up/down scripts for routing before I ifup my vpn tunnel.

I ONLY had to modify my up script, this worked ...



#!/bin/sh

/sbin/route add -net 64.59.136.142 netmask 255.255.255.255 gw 68.146.56.1
/sbin/route add -net 194.132.32.32 netmask 255.255.255.255 gw 68.146.56.1
/sbin/route add -net 205.178.146.50 netmask 255.255.255.255 gw 68.146.56.1
/sbin/route add -net 206.188.193.110 netmask 255.255.255.255 gw 68.146.56.1
/sbin/route add -net 76.74.254.123 netmask 255.255.255.255 gw 68.146.56.1
sleep 15
/etc/init.d/firewall restart
exit 0

TPC and DFS are both supported on the WRT1900AC. If I run "iw phy" on my WRT1900ACv1, I see:

        Frequencies:
            * 5180 MHz [36] (17.0 dBm)
            * 5200 MHz [40] (17.0 dBm)
            * 5220 MHz [44] (17.0 dBm)
            * 5240 MHz [48] (17.0 dBm)
            * 5260 MHz [52] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5280 MHz [56] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5300 MHz [60] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5320 MHz [64] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5500 MHz [100] (disabled)
            * 5520 MHz [104] (disabled)
            * 5540 MHz [108] (disabled)
            * 5560 MHz [112] (disabled)
            * 5580 MHz [116] (disabled)
            * 5600 MHz [120] (disabled)
            * 5620 MHz [124] (disabled)
            * 5640 MHz [128] (disabled)
            * 5660 MHz [132] (disabled)
            * 5680 MHz [136] (disabled)
            * 5700 MHz [140] (disabled)
            * 5720 MHz [144] (disabled)
            * 5745 MHz [149] (30.0 dBm)
            * 5765 MHz [153] (30.0 dBm)
            * 5785 MHz [157] (30.0 dBm)
            * 5805 MHz [161] (30.0 dBm)


kaffeeundsalz wrote:

Hi everybody,

I'm considering buying a Linksys WRT1900AC, but only if it supports TPC and DFS. Neither is the case with the Linksys stock firmware. Is this functionality available in the OpenWrt build for this router? I've been trying for days to find some reliable information on this topic, but it doesn't seem to be covered in detail anywhere on the web, hence I'd like to kindly ask the community.

Unfortunately, I'm heavily dependent on both TPC and DFS because without them, the law in Germany won't allow me to use the 5GHz band above channel 48. I live in a crowded area with many wifi networks around, so if I can't get this to work with the WRT1900AC, the router will be pretty useless for me.

Thanks in advance for your help!
kaffeeundsalz

wrtpat wrote:
northbound wrote:

How would you drop all from and log 221.0.0.0 - 221.255.255.255

To drop everything coming in from 221.x.x.x, use a CIDR-formatted address in an iptables command like so:
iptables -I <CHAIN_NAME> -s 221.0.0.0/8 -j DROP

Looking at the comments in /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Then, it seems reasonable that <CHAIN_NAME> would be:
INPUT
input_wan_rule

This appears to work thanks much.
Any idea of what this means?
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 filter table
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 nat table
I can't seem to find this error listed anywhere. This happens on a firewall restart from luci.

northbound wrote:

Any idea of what this means?
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 filter table
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 nat table
I can't seem to find this error listed anywhere. This happens on a firewall restart from luci.

That is luci logging that it's clearing the old firewall rules to load the new ones.

Hi @dansneddon,

dansneddon wrote:

TPC and DFS are both supported on the WRT1900AC.

thank you so much for looking this up for me! This is going to make my choice a lot easier.

All the best
kaffeeundsalz

Hi, I've also tried to enable DFS but failed. Although iw phy does indeed report that the radio is DFS capable, I've never managed to enable beacon transmission in the DFS bands (allowing for the wait period), either via LuCI or using UCI commands; so I'd also be interested to know if anyone has successfully enabled beacon transmission on the WRT1900AC v1 anywhere between channels 52 and 140. This is with cc14.07 or 15.05-RC2 builds (not had a chance to try with RC3 yet).

dansneddon wrote:

TPC and DFS are both supported on the WRT1900AC. If I run "iw phy" on my WRT1900ACv1, I see:

        Frequencies:
            * 5180 MHz [36] (17.0 dBm)
            * 5200 MHz [40] (17.0 dBm)
            * 5220 MHz [44] (17.0 dBm)
            * 5240 MHz [48] (17.0 dBm)
            * 5260 MHz [52] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5280 MHz [56] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5300 MHz [60] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5320 MHz [64] (23.0 dBm) (radar detection)
              DFS state: usable (for 145058 sec)
              DFS CAC time: 60000 ms
            * 5500 MHz [100] (disabled)
            * 5520 MHz [104] (disabled)
            * 5540 MHz [108] (disabled)
            * 5560 MHz [112] (disabled)
            * 5580 MHz [116] (disabled)
            * 5600 MHz [120] (disabled)
            * 5620 MHz [124] (disabled)
            * 5640 MHz [128] (disabled)
            * 5660 MHz [132] (disabled)
            * 5680 MHz [136] (disabled)
            * 5700 MHz [140] (disabled)
            * 5720 MHz [144] (disabled)
            * 5745 MHz [149] (30.0 dBm)
            * 5765 MHz [153] (30.0 dBm)
            * 5785 MHz [157] (30.0 dBm)
            * 5805 MHz [161] (30.0 dBm)


kaffeeundsalz wrote:

Hi everybody,

I'm considering buying a Linksys WRT1900AC, but only if it supports TPC and DFS. Neither is the case with the Linksys stock firmware. Is this functionality available in the OpenWrt build for this router? I've been trying for days to find some reliable information on this topic, but it doesn't seem to be covered in detail anywhere on the web, hence I'd like to kindly ask the community.

Unfortunately, I'm heavily dependent on both TPC and DFS because without them, the law in Germany won't allow me to use the 5GHz band above channel 48. I live in a crowded area with many wifi networks around, so if I can't get this to work with the WRT1900AC, the router will be pretty useless for me.

Thanks in advance for your help!
kaffeeundsalz

dlang wrote:
northbound wrote:

Any idea of what this means?
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 filter table
Tue Aug  4 20:20:37 2015 daemon.err uhttpd[1185]:  * Flushing IPv4 nat table
I can't seem to find this error listed anywhere. This happens on a firewall restart from luci.

That is luci logging that it's clearing the old firewall rules to load the new ones.

Thanks for the info.

Now if I can find out why, when I have
iptables -I input_wan_rule -s 91.0.0.0/8 -j DROP
I am still seeing this on some, but not all, blocked IPs:
IPTables-Dropped: IN=pppoe-wan OUT= MAC= SRC=91.122.167.50 DST=00.00.00.00 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7258 DF PROTO=TCP SPT=48020 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
I zeroed out the above DST. I have moved these rules to the top of firewall.user, before the 22,23 drop and log. It would seem that I should not see it in my log. Other blocked IPs show in luci firewall packets but not in the log, which I think is the right result.
Also, one big problem: on grc.com scanning 22,23 it shows as closed, not stealth. I thought DROP meant no reply to the scan?
Oh well time for work will see what happens during the day when I get back.
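Added example, not northbound's code: a small awk-based summariser for iptables LOG lines like the IPTables-Dropped entry above, so a burst of drops can be read by source address and destination port instead of one line at a time, and so logged sources that fall inside a blocked range can be picked out. Everything in it is constructed for the example: the sample log lines (RFC 5737 documentation addresses stand in for the router's WAN address, and one dnsmasq line is included to show non-firewall lines being skipped), the function names, and the optional log-prefix argument. On the router the same functions would read `logread` output.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise iptables LOG entries
# such as the "IPTables-Dropped:" line quoted above, by source and by port.
# The sample lines are constructed; 198.51.100.7 and 203.0.113.9 are RFC 5737
# documentation addresses, and the last line is a non-firewall entry that
# the parser must ignore.
SAMPLE_LOG='Tue Aug  4 20:21:01 2015 kern.warn kernel: IPTables-Dropped: IN=pppoe-wan OUT= MAC= SRC=91.122.167.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7258 DF PROTO=TCP SPT=48020 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Tue Aug  4 20:21:04 2015 kern.warn kernel: IPTables-Dropped: IN=pppoe-wan OUT= MAC= SRC=91.122.167.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7259 DF PROTO=TCP SPT=48021 DPT=22 WINDOW=5808 RES=0x00 SYN URGP=0
Tue Aug  4 20:21:09 2015 kern.warn kernel: IPTables-Dropped: IN=pppoe-wan OUT= MAC= SRC=221.10.20.30 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Tue Aug  4 20:21:15 2015 kern.warn kernel: IPTables-Dropped: IN=pppoe-wan OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=4242 PROTO=UDP SPT=5353 DPT=5060 LEN=20
Tue Aug  4 20:21:20 2015 daemon.info dnsmasq[1503]: started, version 2.73 cachesize 150'

# Pull SRC, PROTO and DPT out of every line carrying the log prefix
# (default "IPTables-Dropped:"). Output: one "src proto dport" triple per line.
extract_drops() {
    prefix="${1:-IPTables-Dropped:}"
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") print src, proto, dpt
        }'
}

# Drops per source address, most active first: "count src".
drops_by_source() {
    extract_drops "$@" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Drops per protocol/port, most hit first: "count proto/port".
drops_by_port() {
    extract_drops "$@" | awk '{ n[$2 "/" $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Logged sources that fall inside the given CIDR blocks, as "src block".
# A packet that is dropped never reaches a later rule, so a source listed here
# was logged by a rule that runs before the DROP for its block.
# Usage: ... | blocked_but_logged "221.0.0.0/8 91.0.0.0/8"
blocked_but_logged() {
    nets="$1"
    extract_drops | awk -v nets="$nets" '
        function ip2n(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            cnt = split(nets, list, " ")
            for (j = 1; j <= cnt; j++) {
                split(list[j], p, "/")
                net[j] = ip2n(p[1]); shift[j] = 2 ^ (32 - p[2])
            }
        }
        {
            # Same network when the address bits above the prefix length agree.
            for (j = 1; j <= cnt; j++)
                if (int(ip2n($1) / shift[j]) == int(net[j] / shift[j])) { print $1, list[j]; break }
        }' | sort -u
}

# Stand-alone run over the constructed sample (on the router: logread | drops_by_source).
printf '%s\n' "$SAMPLE_LOG" | drops_by_source
```

`blocked_but_logged` is the check for the situation described above: a source inside a range that has a DROP rule, yet still present in the log, was logged by a LOG rule that sits earlier in the packet's path than that DROP, so `iptables -L -v -n --line-numbers` on the chain carrying the LOG rule shows where the two rules are ordered relative to each other.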

All this talk about firewall rules is all but over my head, but is there anything a normal home user can or should implement to improve their security? I'm running a pretty vanilla CC RC3 image aside from a few forwarded ports (21, 80, 443, and a high port for torrents) for some services I need externally accessible.

@kaloz,

Is there a 4.1 patch tree for mvebu? Given that 4.0 was just EOL'd are the existing 4.0 patches going to be migrated to a 4.1 version?

Incidentally, last time I tried to build a 4.1 image it compiled successfully but the image would not boot up - VFS panic'd with unable to mount root ( https://forum.openwrt.org/viewtopic.php … 73#p284973 )

Sorry, posts 6801 to 6800 are missing from our archive.