Asuswrt-Merlin 380.60 Firewall - AC68U


buddwm

New Around Here
I am attempting to implement a wake-on-lan script which monitors the firewall log. I have the script in place, but I am finding that if I set the firewall logging to ACCEPT, it appears to only be logging WAN to LAN or vice versa. How do I get firewall logging to show up between two local machines over the LAN network?
 
You can't. LAN traffic is switched, not routed. It never reaches iptables/netfilter.
 

Ah that makes sense...then is there any way to see connection requests over the LAN network from one machine to another in some way?

EDIT: And by this I mean on the router itself, like in a log file or something.
 

No. The traffic goes through the switch, and never reaches the firmware code. It's all handled by the kernel and the switch driver.
 
So then I guess I will derail my own thread and ask this question. I have a Plex server on my LAN network. I also have an Amazon Fire TV with the Plex client app. I had an older WNDR3800 with DD-WRT, and on that router I implemented a script that would watch for any requests to the Plex server over port 32400. Whenever a request was seen, I would have the script execute a wake-on-lan to the Plex server in case it was asleep.

So with that said...is there any way I can implement something similar with this router on the merlin firmware? I have already written a bash script on jffs and have it running on services-start - I just need to modify it to work with this router in some way. I tried looking at ebtables, but that doesn't seem to catch the request I'm looking for either, even if I have it capture all requests to log.
 
Bringing this back up to pose another question. If I have a client on Wifi and am sending traffic to a wired LAN PC, is there a way to capture it then? If not, then I will probably try installing a utility like tcpdump via entware on the router unless anyone else has ideas. I can't imagine I'm the only person trying to get something like this working...
 
Since others might be interested, here's what I ended up doing. Feel free to make suggestions - I'll probably improve on this solution over time.

Anyway, I ended up installing tcpdump via optware. I've heard entware was better maintained, but since I'm only using this for tcpdump, I figure optware will suffice.

My Plex client will try to reach my Plex server on port 32400, so I have tcpdump monitor this port. I could probably add a source and destination host to be more specific with what it is I want to observe, but for now, this is how I have it:

Code:
tcpdump -i any -q 'port 32400' | tee /tmp/mnt/ROUTER_DISK/plex.log&

/tmp/mnt/ROUTER_DISK is an external USB drive that I have plugged into the router.

I then have script which monitors the plex.log file for any changes (x's are my MAC and IP of the Plex server):

Code:
#!/bin/sh
# Poll the tcpdump log; when new lines appear and the Plex server does not
# answer a ping, send a wake-on-LAN magic packet on the LAN bridge (br0).

INTERVAL=2                      # seconds between polls
NUMP=1                          # number of ping replies expected
TARGET=xxxxxxxx                 # Plex server IP
MAC=xxxxxxxxx                   # Plex server MAC
WOL=/usr/bin/ether-wake
LOG=/tmp/mnt/ROUTER_DISK/plex.log

line_count() { wc -l "$LOG" | awk '{print $1}'; }

OLD_LC=$(line_count)

while sleep $INTERVAL; do
    NEW_LC=$(line_count)
    if [ "$NEW_LC" -ne "$OLD_LC" ]; then
        # replies received; empty output (host down) is treated as 0
        RET=$(ping -c $NUMP -W 1 $TARGET 2> /dev/null | awk '/packets received/ {print $4}')
        if [ "${RET:-0}" -ne "$NUMP" ]; then
            $WOL -i br0 $MAC
            sleep 20            # give the server time to boot before re-checking
        fi
    fi
    OLD_LC=$(line_count)
done

Pretty basic. I also have a script for cleaning the log file every so often.

Code:
#!/bin/sh
# Truncate the capture log, then wait ten hours before truncating it again.
LOG=/tmp/mnt/ROUTER_DISK/plex.log
while :; do
    > "$LOG"
    sleep 36000
done

The only issue I see with this approach is that when I clean my log file, my script will cause my Plex server to wake up. I should probably add some logic that says if word count is equal to 0, then do nothing.

Anyway, it seems to be working great. I will monitor over the next few weeks and see if it affects performance of the router, but so far so good.
 
Just an update in case someone else ends up trying this and reads this:

I noticed that tcpdump, when active on port 32400, causes issues with my Plex server (which is using the same port to stream) when attempting to stream to a client. Seems that tcpdump is saturating the network on this particular port to the point that it is degrading LAN performance. So I ended up expanding the script into this:

Code:
#!/bin/sh
# Poll the tcpdump log and wake the Plex server when a client tries to reach it.
# tcpdump is only kept running while the server is asleep (not pingable), so the
# capture is not active while the server is up and streaming.

INTERVAL=2                      # seconds between polls
NUMP=1                          # number of ping replies expected
TARGET=xxxxxxxxx                # Plex server IP
MAC=xxxxxxxxx                   # Plex server MAC
WOL=/usr/bin/ether-wake
LOG=/tmp/mnt/ROUTER_DISK/plex.log

line_count() { wc -l "$LOG" | awk '{print $1}'; }

# replies received from the server; empty output (host down) counts as 0
ping_replies() {
    r=$(ping -c $NUMP -W 1 $TARGET 2> /dev/null | awk '/packets received/ {print $4}')
    echo "${r:-0}"
}

tcpdump_pid() { ps -T | grep "[t]cpdump" | awk '{print $1}'; }

# kill tcpdump only if it is actually running (avoids a bare "kill" usage error)
stop_tcpdump() {
    TDUMP=$(tcpdump_pid)
    [ -n "$TDUMP" ] && kill $TDUMP
}

OLD_LC=$(line_count)

while sleep $INTERVAL; do
    NEW_LC=$(line_count)
    # An empty log means it was just cleaned (or tee just reopened it);
    # do not treat that as a client request.
    if [ "$NEW_LC" -eq 0 ]; then
        sleep 2
    elif [ "$NEW_LC" -ne "$OLD_LC" ]; then
        RET=$(ping_replies)
        if [ "$RET" -ne "$NUMP" ]; then
            $WOL -i br0 $MAC
            stop_tcpdump
            sleep 20            # give the server time to boot
        else
            stop_tcpdump
        fi
    fi
    # Keep tcpdump running only while the server is asleep.
    RET=$(ping_replies)
    if [ "$RET" -ne "$NUMP" ]; then
        if [ -z "$(tcpdump_pid)" ]; then
            tcpdump -i any -q 'port 32400' | tee "$LOG" &
        fi
    else
        stop_tcpdump
    fi
    OLD_LC=$(line_count)
done

Basically, I have written this in a way where whenever my Plex server is turned on (in other words is pingable), the script will kill the existing tcpdump process if one exists. As soon as my Plex server goes back to sleep, then the script will launch tcpdump and have it listen on port 32400. There's probably a simpler, more elegant way to write it (and some parts are redundant - I just wanted to make sure to cover all possible scenarios), but it appears to be working fine and I have no issues streaming from my Plex server now. The wake on lan to the Plex server is nearly immediate as soon as I launch a Plex client, so is working out well.

I also put in a check where if the word count of the plex.log file is equal to 0, I simply tell the script to sleep and then repeat. This way when the log file is automatically cleaned, I don't get a WoL request.
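A leaner variant of the same idea, added here as an example and not the poster's script: instead of polling a log file for new lines, it reads tcpdump's output straight from the pipe (line-buffered, nothing written to disk), captures only initial SYNs to the server's port, and rate-limits wake attempts. The Plex IP and MAC are placeholders, br0 is assumed to be the LAN bridge, and busybox ping, ether-wake and logger are assumed to be on the router.

```shell
#!/bin/sh
# Assumed values (placeholders, not from the original post); adjust for your LAN.
PLEX_IP="192.168.1.10"          # Plex server IP (placeholder)
PLEX_MAC="00:11:22:33:44:55"    # Plex server MAC (placeholder)
PLEX_PORT=32400
WOL=/usr/bin/ether-wake
COOLDOWN=60                     # seconds between wake attempts
LAST_WAKE=0

# Given one line of `tcpdump -n -q -l` output, print the client IP if the line
# is traffic to the Plex server's port from some other host; return 1 otherwise.
# Sample line: "12:34:56.000000 IP 192.168.1.50.54321 > 192.168.1.10.32400: tcp 0"
plex_request_host() {
    set -- $1                   # split on whitespace: $3 is src, $5 is dst
    [ "$2" = "IP" ] || return 1
    dst="${5%:}"                # drop the trailing colon
    [ "$dst" = "$PLEX_IP.$PLEX_PORT" ] || return 1
    client="${3%.*}"            # drop the source port
    [ "$client" != "$PLEX_IP" ] || return 1   # the server's own traffic
    echo "$client"
}

# True when the server already answers a ping (busybox ping exits non-zero otherwise).
server_awake() { ping -c 1 -W 1 "$PLEX_IP" >/dev/null 2>&1; }

# Send a magic packet unless the server is up or was woken within COOLDOWN seconds.
wake_if_needed() {
    now=$(date +%s)
    [ $((now - LAST_WAKE)) -ge "$COOLDOWN" ] || return 1
    server_awake && return 1
    "$WOL" -i br0 "$PLEX_MAC" && LAST_WAKE=$now
}

main() {
    # Only initial SYNs to the server, read straight from the pipe: -l line-buffers
    # the output and nothing is written to disk, so there is no growing log file
    # and no "cleared log looks like a request" edge case. br0 is the LAN bridge
    # (assumed); wired-to-wired traffic switched below the router never shows up.
    tcpdump -i br0 -n -q -l \
        "tcp dst port $PLEX_PORT and dst host $PLEX_IP and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" 2>/dev/null |
    while read -r line; do
        client=$(plex_request_host "$line") || continue
        wake_if_needed && logger -t plexwol "woke $PLEX_IP for client $client"
    done
}

# Start the watcher only when asked, e.g. from services-start: PLEXWOL_RUN=1 ./plexwol.sh
if [ "${PLEXWOL_RUN:-0}" = 1 ]; then main; fi
```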
 
Just make sure to not put another "dumb" switch or anything between your Plex server and your router. (I know mine sits behind 2 switches off the router.)

Because if you have your Plex server, and let's say a PC, connected to the switch after the router, technically you could unplug your router from the switch and the PC and Plex server would still be able to talk (until they were rebooted). Thus, never hitting the router at all (or the router's switch).
 
> I noticed that tcpdump, when active on port 32400, causes issues with my Plex server (which is using the same port to stream) when attempting to stream to a client. Seems that tcpdump is saturating the network on this particular port to the point that it is degrading LAN performance. So I ended up expanding the script into this:

TCPDUMP cannot saturate any ports - as it's a monitor, it doesn't transmit...
 
> Since others might be interested, here's what I ended up doing. Feel free to make suggestions - I'll probably improve on this solution over time.
>
> Anyway, I ended up installing tcpdump via optware. I've heard entware was better maintained, but since I'm only using this for tcpdump, I figure optware will suffice.

Should only run tcpdump while checking/debugging traffic - I'm not sure why you're running it in the first place, but this isn't something that should be running on an ongoing basis - that data has to go somewhere... normally to a log file (and it's quite large).
 

Yep - if you read my script, it does go to a log file, which I clean every so often. Hasn't caused any issues yet. If tcpdump doesn't "saturate" traffic on the port it is monitoring, then how do you explain why I can't stream from my Plex server to a client over the same port while it is running, yet all is well when I turn it off? It's not a sirq issue, nor a load issue with the router.

In any case, the script has been running solid for nearly two weeks without a router reboot. Will update if I see any change.
 
