Recent content by metamul

  1. M

    Static routes not working as expected in Asuswrt-Merlin?

    Merlin, the lightbulb went off. I think I understand exactly what's happening. I'll use a ping request to map it out--specifically, a ping request from an OpenVPN client to a peer of the OpenVPN server. The client sends the ping through the tunnel. That means it's sent as an encrypted UDP...
  2. M

    Static routes not working as expected in Asuswrt-Merlin?

    Yes, I thought about adding a LOG before the DROP to see exactly what was being dropped and why. But the lack of clarity around INVALID gives me pause. By this point I've seen a lot of evidence that people who know a lot more about networking than I do get stumped by this. If they get stumped I...
  3. M

    Static routes not working as expected in Asuswrt-Merlin?

    Well, I withdraw my suggestion for a change. I can find hints about INVALID, but nothing definitive. I don't know enough about the issue myself, and neither does anyone else on this end, so there's no basis for suggesting the change other than "it works for us!". That's not good enough. For...
  4. M

    Consider disabling UPNP by default

    I understand the argument about home users. You could just as easily say, though, that UPnP is especially dangerous in the hands of an average home user who doesn't understand the potential risks or how to defend against them. Here's a list of known MiniUPnPd vulnerabilities from January of...
  5. M

    Consider disabling UPNP by default

    It might be controversial to say this, but I'd like to suggest that Asuswrt-Merlin disable UPNP by default. See, for example: https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play...
  6. M

    Static routes not working as expected in Asuswrt-Merlin?

    I'll see if I can track down any interesting (and authoritative) info on the topic. Yes, that's what we've done. For anyone else who might be interested, it looks like this: === #!/bin/sh iptables -D FORWARD -m state --state INVALID -j DROP === That's in...
  7. M

    Static routes not working as expected in Asuswrt-Merlin?

    Well, I think I can prove the point now. I deleted that rule (the rule that DROPs INVALID on the FORWARD chain) and everything started working. Any chance of making that change permanent in Asuswrt-Merlin?
  8. M

    Static routes not working as expected in Asuswrt-Merlin?

    Here are side-by-side comparisons of the rules in DD-WRT and Asus. (The first line of each stanza is the command-line. It includes the router's host name so you can tell which stanza is which.) I've included all three chains (FORWARD, INPUT, OUTPUT) for completeness, but our focus is really on...
  9. M

    Static routes not working as expected in Asuswrt-Merlin?

    It's "hit or miss" because some hosts have the static route defined locally. We never did that ourselves; my guess is that DD-WRT was sending (and some hosts were accepting) ICMP REDIRECT packets. That would make sense; the gateway for 10 (the VPN server) is on the same network. We definitely...
  10. M

    Static routes not working as expected in Asuswrt-Merlin?

    Yesterday we replaced a Linksys WRT54GL running DD-WRT v24 sp2 with an Asus RT-AC66U running Asuswrt-Merlin 3.0.0.4.354.29 Beta 1. The transition went fairly smoothly--with one important exception. We run an OpenVPN server inside our network, in "routing" (i.e., not "bridged") mode. The...