OpenWrt Forum Archive

Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Network/Routing and Redirection - you probably want ip-full

When will OpenWRT/LEDE push towards the use of nftables over iptables?

Villeneuve wrote:

@sera Good call. I did a 4.8-rc4 build and flashed the UBI image. From your last post I decided I would leave wireless down to see how it behaved. It ran for a few hours with no issues, so I set up the /etc/config/wireless file and brought wireless up. Started connecting wireless devices and all went well until the one fruit device in the house, and it all came tumbling down. I can't say for sure it was the ipad2 on ac, it's the only ac device I have, but that is when things went South. When I get a chance I will pull the mamba and connect it to serial to see if I can get anything of value from the console. Another point of interest, @idle cpu numbers are in the 1-4% range with this image, of course sans wireless. Now, where did I put that snake hook.

So it looks like there is an issue with the latest mwlwifi (Mamba / fruit device / AC). If downgrading "fixes" it you have a very nice example (like from a school book) for looking into git-bisect if you aren't familiar with it already. You can do the bisect without the serial log but you will eventually want it anyway.


lifehacksback wrote:

When will OpenWRT/LEDE push towards the use of nftables over iptables?

Haven't seen any efforts in that direction yet, anyway, if you seek an answer better ask the mailing list.

Now, why do I see some people mention this "fruit device" here? Is there any prohibition on naming the obvious manufacturer? Just curious.

lifehacksback wrote:

When will OpenWRT/LEDE push towards the use of nftables over iptables?

One would think it would have already happened considering nftables boasts significantly more throughput over netfilter.

-- Gonna try some testing with the next build.

(Last edited by davidc502 on 4 Sep 2016, 03:50)

Can anyone help me with configuring a USB stick on my WRT1900 v1 running CC 15.05.1 please? The object is to view files on this stick on my Linux Mint laptop (eventually I will set up a NAS drive, so need to understand how to get this working). At present I cannot connect through Network Servers > OpenWRT from my laptop. It prompts for a password and neither my Linux pass nor router pass work.

I have configured Services > network share in Luci and the fstab is as follows

config global
        option anon_swap '0'
        option anon_mount '0'
        option auto_swap '1'
        option auto_mount '1'
        option delay_root '5'
        option check_fs '0'

config mount
        option uuid 'EA7A-1AC2'
        option enabled '1'
        option target '/mnt/share/sdb1'

--------------------------
Running fdisk - we can see the stick at

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 15728639 15726592  7.5G  b W95 FAT32

and running block info we get

/dev/ubiblock0_0: UUID="d40feda0-03890cd4-a91b93f1-c88d326a" VERSION="1024.0" TYPE="squashfs"
/dev/ubi0_0: UUID="d40feda0-03890cd4-a91b93f1-c88d326a" VERSION="1024.0" TYPE="squashfs"
/dev/ubi0_1: UUID="33eba4cc-a119-4794-8cb3-404731bd9a66" VERSION="w4r0" TYPE="ubifs"
/dev/ubi1_0: UUID="cd12bacc-947d-4eab-88d9-5e526621dbf8" VERSION="w4r0" TYPE="ubifs"
/dev/ubiblock0_0: UUID="d40feda0-03890cd4-a91b93f1-c88d326a" VERSION="1024.0" TYPE="squashfs"
/dev/sdb1: UUID="0000-0000" LABEL="           " VERSION="FAT32" TYPE="vfat" 

I've tried to manually mount this using the instruction at https://wiki.openwrt.org/doc/howto/usb.storage but get

mount -t vfat /dev/sdb1 /mnt/share
mount: mounting /dev/sdb1 on /mnt/share failed: Invalid argument

so not sure whether it is even mounted correctly

So my question - is this stick correctly set up and mounted within OpenWRT?
If so the problem lies elsewhere (samba config on laptop perhaps).
If anyone can see something obvious I've missed, please let me know!! (The really irritating thing is that this function worked out of the box on the Linksys firmware!!)

PS - the stick itself works fine - i tested it on my laptop

@wayne1958
df will show if it is mounted.
This may be a stupid question but do you have a /mnt/share and a /mnt/share/sdb1 directory?

northbound wrote:

@wayne1958
df will show if it is mounted.
This may be a stupid question but do you have a /mnt/share and a /mnt/share/sdb1 directory?

ok then - thanks..doesn’t look as if it is mounted

Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                   24084      1728     21092   8% /
/dev/root                 5632      5632         0 100% /rom
tmpfs                   127716      1448    126268   1% /tmp
/dev/ubi0_1              24084      1728     21092   8% /overlay
overlayfs:/overlay       24084      1728     21092   8% /
ubi1:syscfg              31536       344     29548   1% /tmp/syscfg
tmpfs                      512         0       512   0% /dev

how can i fix this? all the obvious things seem to fail

mount: mounting /dev/sdb1 on /mnt/sdb1 failed: Invalid argument
root@OpenWrt:~# mount -t vfat /dev/sdb1 /mnt/sdb1
mount: mounting /dev/sdb1 on /mnt/sdb1 failed: Invalid argument
root@OpenWrt:~# mount -t vfat /dev/sdb1 /mnt/share
mount: mounting /dev/sdb1 on /mnt/share failed: No such file or directory

On OpenWrt I have /mnt/share but not /mnt/share/sdb1
I'll create the latter and retest....

(Last edited by wayne1958 on 4 Sep 2016, 16:47)

@wayne1958

You will also need to install the corresponding kernel module for the filesystem used on the USB stick. I wouldn't recommend NTFS.

nitroshift

nitroshift wrote:

@wayne1958

You will also need to install the corresponding kernel module for the filesystem used on the USB stick. I wouldn't recommend NTFS.

nitroshift

Thanks Nitroshift - what I'll do is reformat that stick as Ext4,  see if the same issues recur and update.....

@wayne1958

In that case you will have to install kmod-fs-ext4.

nitroshift

nitroshift wrote:

@wayne1958

In that case you will have to install kmod-fs-ext4.

nitroshift

this package is already installed. Let's see what happens when I reformat the stick (and test with a few others too).
all the best

wayne1958 wrote:
nitroshift wrote:

@wayne1958

In that case you will have to install kmod-fs-ext4.

nitroshift

this package is already installed. Let's see what happens when I reformat the stick (and test with a few others too).
all the best

Wayne, perhaps set it up like I did?
- Since you are on a linux laptop, then yes, format as ext4.
- Ensure directory you are trying to mount to exists.
- Mount the usb stick.
- opkg install sshfs openssh-sftp-server
- In your laptop: sshfs root@your_router_ip:/mnt/sdb1 /home/waynes/mount/point

Some might say sshfs is overkill for a LAN setup, but it's clean and secure. Not to mention easy to do as you've seen.

Hi guys,

how can I find out without opening the box whether I got a V1 or V2 version of WRT1200AC?

Can you tell it from the serial number? I have a "R1" string in it, do the new models have "R2?"

I already had one WRT1200AC before I ordered the new one. On the old box it says s/t about "8830-22484 Rev. A0", while on the new box it says "B0?" Does that mean it's a V2?

Is there a reason to prefer V1 over V2, or the other way round?

Are there any restrictions in the V2 model WRT flashing non-OEM firmware builds?

Sorry for the many questions, but a search here in the forum didn't turn up any answers, and the wiki is also not helpful for these specific questions...

Thanks in advance for any help you can give.

Kind regards,

Ralf

james04 wrote:
wayne1958 wrote:
nitroshift wrote:

@wayne1958

In that case you will have to install kmod-fs-ext4.

nitroshift

this package is already installed. Let's see what happens when I reformat the stick (and test with a few others too).
all the best

Wayne, perhaps set it up like I did?
- Since you are on a linux laptop, then yes, format as ext4.
- Ensure directory you are trying to mount to exists.
- Mount the usb stick.
- opkg install sshfs openssh-sftp-server
- In your laptop: sshfs root@your_router_ip:/mnt/sdb1 /home/waynes/mount/point

Some might say sshfs is overkill for a LAN setup, but it's clean and secure. Not to mention easy to do as you've seen.

Thank you so much!!! That solves the issue perfectly and I don't have to bother with samba shares either. Thanks again!!!

wayne1958 wrote:

Thank you so much!!! That solves the issue perfectly and I don't have to bother with samba shares either. Thanks again!!!

No problemo amigo!

linux-4.8-rc5 breaks netifd hmm

james04 wrote:
wayne1958 wrote:
nitroshift wrote:

@wayne1958  In that case you will have to install kmod-fs-ext4.

this package is already installed. Let's see what happens when I reformat the stick (and test with a few others too).
all the best

Wayne, perhaps set it up like I did?
- Since you are on a linux laptop, then yes, format as ext4.
- Ensure directory you are trying to mount to exists.
- Mount the usb stick.
- opkg install sshfs openssh-sftp-server
- In your laptop: sshfs root@your_router_ip:/mnt/sdb1 /home/waynes/mount/point

Some might say sshfs is overkill for a LAN setup, but it's clean and secure. Not to mention easy to do as you've seen.

Wouldn't an SSHFS mount be slower than a Samba or NFS mount?

Also, simply configuring a router with a SSHFS network share on a LAN without some additional configuration is either going to be massively insecure or face a severe performance hit in comparison to Samba or NFS.

  • Massively insecure:

    • If one doesn't configure SSH access via PKI only, with a recommended bit size of 2048, combined with a password protecting the PKI key

  • Performance degradation:

    • If one configures it with a 2048bit SSH key, not to mention wholly unnecessary on a LAN.

  • Additionally:

    • OpenWrt isn't like a desktop OS that has users and groups pre-populated and permissions set accordingly.  By default, root is the only user, with additional users and groups added when specific daemons are installed [base or afterwards]; however, none of these daemons has ownership of any file or folder - everything is owned by root.


      This means the user will need to manually configure a user and user group, configuring the permissions to only allow the user access to a specified directory and its children, all of which is quite simple, but necessary.

      • The more difficult part would be in configuring an SSH login for only that user [i.e. removing root from the SSHFS login process].  I don't believe dropbear supports adding two separate users with two separate logins specific to each user [I could very well be wrong], and I'm not sure if OpenSSH does or not.

      • If one is using SSHFS locally, logged in as root, the user is begging on their hands and knees to be exploited.  Since most users [in general] do not have great, let alone good, IPsec habits, it's a disaster waiting to happen.


      While routers have a different policy since a login will only occur on an administrator level for troubleshooting, maintenance, or performance monitoring (less likely if using netdata), the rule of thumb for OS users is the daily user account should be configured as a non-admin, non-system account. 

      • For Windows, this would mean a user account that may be an administrator, but all requests requiring to be ran as administrator either require a password, or for superusers, at the minimum have a secure desktop approval.

      • For nix/bsd, this would be a user account that has sudo privileges, along with a password requirement for sudo.

The intended purpose of SSHFS is to mount a remote filesystem locally [such as a sysadmin mounting a server filesystem locally], and while there's nothing wrong with using it on a LAN to access a router's internal directory as a network share, it's not simply a plug and play process with router firmware (not to mention far better options exist)

All in all, Samba does everything SSHFS can do and more; from encrypting the share directory itself, to allowing only certain MACs or IPs to connect to the share, configuring multiple users for the same share, or allowing one full access and the others only read privileges, etc.  SSHFS has a purpose of use, but one creates more of a headache than it's worth by utilizing it on a LAN.

(Last edited by JW0914 on 6 Sep 2016, 02:53)
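
Added example, not part of any post in this thread: the points raised in the post above (key-only logins, no root password login, a dedicated account confined to the share) expressed as an audit of an OpenSSH sshd_config. It assumes the router runs OpenSSH's sshd rather than dropbear; the account name share, the path /mnt/sdb1 and both sample configs are constructed for illustration.

```sh
#!/bin/sh
# Audit an OpenSSH sshd_config for key-only login, no root password login,
# and an SFTP-only chrooted account. Assumed names: user "share", /mnt/sdb1.
# Simplified parser: "Key value" lines and plain "Match User <name>" blocks only.

audit_sshd_config() {   # usage: audit_sshd_config FILE USER; returns 1 if findings
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" {                           # a Match block runs to the next Match or EOF
            in_match = 1
            mine = (val == "user" && $3 == user)
            next
        }
        !in_match && !(key in global) { global[key] = val }   # sshd keeps the first value it reads
        in_match && mine && key == "chrootdirectory" && val != "none" { chroot = $2 }
        in_match && mine && key == "forcecommand" && val == "internal-sftp" { sftp_only = 1 }
        END {
            n = 0
            if (global["passwordauthentication"] != "no") {
                print "FINDING: password logins are accepted; set PasswordAuthentication no"; n++
            }
            r = global["permitrootlogin"]
            if (r != "no" && r != "prohibit-password" && r != "without-password") {
                print "FINDING: root password login is not explicitly disabled (PermitRootLogin)"; n++
            }
            if (chroot == "") {
                print "FINDING: no ChrootDirectory for user " user "; the whole filesystem is reachable"; n++
            }
            if (!sftp_only) {
                print "FINDING: no ForceCommand internal-sftp for user " user "; shell access remains"; n++
            }
            exit (n > 0)
        }
    ' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
WEAK="$tmp/weak" HARDENED="$tmp/hardened"

cat > "$WEAK" <<'EOF'
# constructed sample: root may log in with a password, no restricted account
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/sftp-server
EOF

cat > "$HARDENED" <<'EOF'
# constructed sample: key-only logins, SFTP-only account confined to the stick
PermitRootLogin prohibit-password
PasswordAuthentication no
Subsystem sftp internal-sftp
Match User share
    # ChrootDirectory must be root-owned and not writable by group or others
    ChrootDirectory /mnt/sdb1
    ForceCommand internal-sftp
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    if audit_sshd_config "$f" share; then echo "no findings"; fi
done
```
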

JW0914
I appreciate the time you took to write all that, but it's mostly incorrect unfortunately.
Massively insecure? That's a big overstatement.
Performance? What about the fancy openssl benches the WRT1900xx owners like to show? Btw I have an IPQ806x based router, no fancy crypto engines and I use sshfs full time here. I do have a normal user setup for it though. So on that point I do agree if one wants to have a proper setup then a normal user should be used.

On the "additionally" section, I stopped reading when I saw you mentioned IPSec habits. What are we talking about here?
Remember the mount command I gave to Wayne?
sshfs /path/to/usb/stick /mount/point/on/laptop
Granted he's using the root account, but exactly how's that a disaster waiting to happen given he's mounting it over LAN? Heck, even doing it over WAN (after doing it over LAN first) will only allow it if the signatures match.

@james04  You've obviously taken what I stated personally for some reason, so I'll simply say this... please re-read what was written because what you're addressing is missing some key details mentioned.

For example:

  • "...Massively insecure? Thats a big overstatement..."

    • Yes, connecting via SSH without PKI is massively insecure

  • "...Performance? What about the fancy openssl benches the WRT1900xx owners like to show?..."

    • I only mentioned performance twice, one a question, a second an obvious bit of common sense

      • 1: "Wouldn't an SSHFS mount be slower than a Samba or NFS mount?"

      • 2: "Performance degradation if one configures it with a 2048bit SSH key, not to mention wholly unnecessary on a LAN." [in comparison to Samba or NFS]

    • The openssl benchmarks aren't with SSHFS, or at least none that I could find via searching this thread via google, or searching this site's index for *sshfs*, or *sshfs* AND *openssl*

  • "...Remember the mount command I gave to Wayne?..."

    "...sshfs root@your_router_ip:/mnt/sdb1 /home/waynes/mount/point..." 

    • If one doesn't understand why that's massively insecure, one has some research to do.

A LAN SSHFS creates more problems than it solves on OpenWrt... by no means take my word for it, take the NAS industry's.  When has anyone seen FreeNAS/TrueNAS offer SSHFS for LAN shares?  What OEM builds NAS's & routers utilizing SSHFS for LAN shares?

SSHFS was created to allow network admins the ability to mount a remote server's filesystem locally for maintenance, not as a NAS share replacement (WinSCP or a nix equivalent would be the ideal way of garnishing an explorer-like GUI, as they keep the remote filesystem separate from the client device).

  • SSHFS utilizes SFTP, but directly exposes the remote filesystem to the client device, allowing access not through a single terminal or sandboxed application, but from anything running on the client device.


SSHFS on OpenWrt, without additional configuration, is a security risk due to being operated as root - you seem to both acknowledge this in one sentence ["..proper setup... a normal user should be used.."], then claim it doesn't matter in the next ["...hows that a disaster waiting to happen given he's mounting it over LAN.."], of which goes back to my first sentence... please go back and take the time to fully read what was written.

  • "Secure" isn't just defined as the connection encryption, as a PKI of at least 2048 is secure. Mounting a filesystem locally introduces that filesystem to the client OS, thus anything running on it now or in the future, including any malware (network shares are generally meant for long term use); thus the statement regarding IPsec.

    • How many: have Android devices as part of a LAN? install apks outside of the PlayStore?  run a quality antivirus with HIPS using granular controls?  run a granularly controlled firewall?  utilize unique passwords for every login, and create complex passwords in excess of 20 characters?

    All the above matter when mounting something as sensitive as a router's filesystem locally utilizing root.  This isn't about whether it's right or wrong to utilize SSHFS, as it's neither wrong nor right, simply user preference.  The main point I'm making is it's ill-advised to utilize SSHFS as root due to the security risk, along with better existing tools for LAN shares on OpenWrt.

(Last edited by JW0914 on 6 Sep 2016, 07:05)

Hi JW0914

As I don't even own a linksys router I feel out of place here and also I don't think its appropriate to discuss security in this thread. However given the time you've taken to write your appreciated reply, I will try to be brief.

JW0914 wrote:

Yes, connecting via SSH without PKI is massively insecure

PKI with passphrase protected keys is surely more secure. But saying a password protected ssh server is "massively insecure" is only true if you use a dictionary word for a password (and the server is exposed on WAN, context). So again, I disagree with your statement. And yet again I repeat, I am talking about mounting a file system in one's own LAN. There's no exposure to outside world. Did you want me to suggest to the user to generate a public key and copy it over, then protect it with passphrase ...etc. That is grossly overdone and completely unjustified.

JW0914 wrote:

    1: "Wouldn't an SSHFS mount be slower than a Samba or NFS mount?"

    2: "Performance degradation if one configures it with a 2048bit SSH key, not to mention wholly unnecessary on a LAN." [in comparison to Samba or NFS]

1. Indeed it is slower, on my box (which has no crypto hw) I get 10MByte consistent speeds when transferring from my HDD, that's enough for me to stream HD content with absolutely no buffering. SSHFS is designed to be user controlled (not root), notice if you use sshfs jw@router_IP /home/jw/mntpoint then you won't need to provide root password, sshfs is designed with the end user in mind, not quite like how you described it (ie tool for sysadmins for maintenance..etc etc).

The openssl benchmarks aren't with SSHFS, or at least none that I could find via searching this thread via google, or searching this site's index for *sshfs*, or *sshfs* AND *openssl*

sshfs uses openssh-sftp-server, which uses openssl for crypto, which would utilize a crypto hw engine if available.

JW0914 wrote:

A LAN SSHFS creates more problems than it solves on OpenWrt... by no means take my word for it, take the NAS industry's.  When has anyone seen FreeNAS/TrueNAS offer SSHFS for LAN shares?

But of course they wouldn't dear, those "NAS industry" companies need to cater for the masses, ie the windows customers. Our friend Wayne however is using linux on his laptop, sshfs is precisely designed for this purpose, mount a user's files on a remote host. Linux protocols, running on Linux hosts. No samba or stuff with windows heritage.

JW0914 wrote:

SSHFS utilizes SFTP, but directly exposes the remote filesystem to the client device, allowing access not through a single terminal or sandboxed application, but from anything running on the client device.

Again, my mount command was sshfs root@/his/usb/stick/path /his/local/path
it will only "expose" his usb stick. What's massively insecure about this?

JW0914 wrote:

The main point I'm making is it's ill-advised to utilize SSHFS as root due to the security risk, along with better existing tools for LAN shares on OpenWrt.

I guess we can agree to disagree then? If a user asked me now how do I access my USB stick/hdd connected to router, I'd still say sshfs. The better tools you mention are windows designed tools, so for a windows user you are right, for wayne sshfs is native.
Openwrt runs everything as root, including samba. That seems to be a "massive security" risk, doesn't it? What I'm trying to get across is you must look at context, where is the software running?, for what purpose?, don't just dismiss a solution completely. I hope you see the big picture. I will not argue further on what's better. As they say, to each his own.
You have a good one. Cheers all.

Brainslayer wrote:

there is development in progress on a WRT3200ACM which is a 1.83 ghz clocked variant of the WRT1900AC v2, but with a new wave-2 capable chipset (vht160 etc.)

This is the news I've been waiting for. :)

Lantis wrote:

This is the news I've been waiting for. :)

Note the "everything works except for wireless" because... wait for it... no drivers yet.  Is it jaded of me to not expect much?

I'll get excited about this when there's a stable driver.

InkblotAdmirer wrote:
Lantis wrote:

This is the news I've been waiting for. :)

Note the "everything works except for wireless" because... wait for it... no drivers yet.  Is it jaded of me to not expect much?

I'll get excited about this when there's a stable driver.

I seem to recall 12 months before we had a stable driver that didn't cause a crash, the last go around ;)

There was a stable branch, but had really bad issues with dlna broadcasts, so I couldn't use it.