Voxel Custom firmware build for Orbi RBK50/RBK53 (RBR50, RBS50) v. 9.2.5.2.12SF-HW


HTBruceM

Regular Contributor
I'll bite on this...

You would be into "uncharted territory" by using different FW versions on the different units. You're probably already in uncharted territory just by using a mix of RBK50 with RBS20 and RBS40. My guess is that the lowest risk scenario would be to stay as close to the same versions as possible. Unfortunately, the version numbering is not synchronized across the different models. I suppose you could download all the open source builds for those units, dig through the changelist and try to understand which releases are somewhat equivalent. But good luck on that.

As of today, Voxel's builds are based on the Netgear 2.5.2.4 open source release of RBK50/RBS50.
The latest open source builds for RBS20 and RBS40 are 2.5.1.x.

My guess is that as long as you're running v2.5.x.x on your satellites, your risk might be relatively low to work with an RBR50 running Voxel's software since his is based on 2.5.2.4.
 

Voxel

Part of the Furniture
Thank you, in this case, can any Orbi component on stock firmware connect to my RBK50 V1 that is using Voxel firmware?
Yes.

My guess is that as long as you're running v2.5.x.x on your satellites, your risk might be relatively low to work with an RBR50 running Voxel's software since his is based on 2.5.2.4.
Does not matter what firmware is flashed. E.g. RBS50 even with 2.7.x should work with Voxel RBR, any version.

Voxel.
 

darkarn

Regular Contributor
I'll bite on this...

You would be into "uncharted territory" by using different FW versions on the different units. You're probably already in uncharted territory just by using a mix of RBK50 with RBS20 and RBS40. My guess is that the lowest risk scenario would be to stay as close to the same versions as possible. Unfortunately, the version numbering is not synchronized across the different models. I suppose you could download all the open source builds for those units, dig through the changelist and try to understand which releases are somewhat equivalent. But good luck on that.

As of today, Voxel's builds are based on the Netgear 2.5.2.4 open source release of RBK50/RBS50.
The latest open source builds for RBS20 and RBS40 are 2.5.1.x.

My guess is that as long as you're running v2.5.x.x on your satellites, your risk might be relatively low to work with an RBR50 running Voxel's software since his is based on 2.5.2.4.
I see, thanks

Yes.


Does not matter what firmware is flashed. E.g. RBS50 even with 2.7.x should work with Voxel RBR, any version.

Voxel.
Thank you, this still keeps the RBS20/RBS40 options open if I need it
 

mith_y2k

Regular Contributor
I just tried enabling dnscrypt-proxy-2 using Telnet. I did the commit and the reboot. By enabling this, is the Orbi no longer using the DNS servers from the web GUI page?
In the Orbi web GUI, I have configured Cloudflare at 1.1.1.1 and 1.0.0.1.

Yes, that's correct. I still keep those configured in case anything gets messed up, but in essence when you make a standard DNS request to your router it redirects the request to the DNScrypt service.

But when I check the status at 1.1.1.1/help, it says that DoH is NOT enabled, (neither is DoT).

Cloudflare only checks that you are using their servers. If you have a configuration with a list of servers DNSCrypt is likely rotating them so hit that page many times and sometimes you might see a YES. Not exactly scientific. Check more below

I made sure I changed my browser back to the OS system default DNS - which points to the Orbi at 192.168.1.1.

When I run the DNS leak test at perfect-privacy.com, it says:
176.56.237.171 resolver1.dnscrypt.eu RamNode IP Space NL
77.66.84.233 resolver2.dnscrypt.eu Inota DK
2a00:d880:3:1::a6c1:2e89 resolver1.ipv6.dnscrypt.eu RamNode IP Space
2001:1448:243::dc2 resolver2.dnscrypt.eu Inota

So it appears that these are the DNS resolvers being used by the Orbi on behalf of every device connected.
If that is the case, I must be missing some additional configuration to change to Cloudflare at 1.1.1.1 and 1.0.0.1?
Any help?

From what you say it looks like you have the basic configuration. To my recollection Voxel sets Cloudflare as the default, but that might have changed. Here are a couple of things you can do:
  • Check out /etc/dnscrypt-proxy-2.toml; this is the configuration file
  • Look for a line that says "server_names" and see the list; if you only want to use Cloudflare edit it
    • Mine looks like this: server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-filter-alt', 'cloudflare-security']
  • Check out /var/log/dnscrypt-proxy-2.log and it will tell you the default server used based on the response time; this might give you more clues about the test you ran above
  • If you make changes to the default configuration and if you have a USB drive connected, make sure you save your toml file in the overlay directory
I hope this helps you
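
The check described in the post above, as an added example that is not part of the original post or of Voxel's firmware: a POSIX shell script that reads `server_names` from the config and the fastest-resolver line from the log, then reports whether the resolver in use is one you listed. The function names and verdict strings are made up for illustration, the log wording is assumed to match upstream dnscrypt-proxy 2, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: does dnscrypt-proxy 2 use a resolver you actually listed?

# Names from an uncommented, single-line server_names = [...] entry, one per line.
configured_servers() {
    sed -n 's/^[[:space:]]*server_names[[:space:]]*=[[:space:]]*\[\([^]]*\)].*/\1/p' "$1" |
        tr ',' '\n' | tr -d " \t'\"" | sed '/^$/d'
}

# Resolver most recently picked as fastest. Assumes the upstream log wording
# "Server with the lowest initial latency: NAME (rtt: Nms)".
selected_server() {
    sed -n 's/.*Server with the lowest initial latency: \([^ ]*\) (rtt.*/\1/p' "$1" |
        tail -n 1
}

# audit CONFIG LOG -> prints a verdict; returns 0 ok, 1 mismatch, 2 no data, 3 unpinned.
audit() {
    sel=$(selected_server "$2")
    [ -n "$sel" ] || { echo "no-selection"; return 2; }
    if [ -z "$(configured_servers "$1")" ]; then
        echo "unpinned:$sel"; return 3  # no server_names: any listed resolver may be picked
    fi
    if configured_servers "$1" | grep -qxF -- "$sel"; then
        echo "ok:$sel"
    else
        echo "mismatch:$sel"; return 1
    fi
}

# Constructed sample files (not taken from a real router).
demo() {
    d=$(mktemp -d)
    cat > "$d/sample.toml" <<'EOF'
# server_names = ['scaleway-fr', 'google']
server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-filter-alt', 'cloudflare-security']
EOF
    cat > "$d/sample.log" <<'EOF'
[2021-05-14 10:26:01] [NOTICE] [cloudflare-security] OK (DoH) - rtt: 21ms
[2021-05-14 10:26:01] [NOTICE] Server with the lowest initial latency: quad9-dnscrypt-ip4-filter-pri (rtt: 14ms)
EOF
    rc=0; audit "$d/sample.toml" "$d/sample.log" || rc=$?
    rm -rf "$d"; return "$rc"
}

# With two arguments audit those files; with none run the constructed demo.
if [ $# -eq 2 ]; then audit "$1" "$2"; else demo; fi
```

Saved under a hypothetical name such as `audit.sh`, it would be run on the router as `sh audit.sh /etc/dnscrypt-proxy-2.toml /var/log/dnscrypt-proxy-2.log`. An `unpinned` verdict means no `server_names` line is active, so the proxy is free to pick any resolver from its source lists.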
 

HTBruceM

Regular Contributor
From what you say it looks like you have the basic configuration. To my recollection Voxel sets Cloudflare as the default, but that might have changed.
Thanks, for the moment I have disabled it and went back to the standard Netgear setup. I figured there were configuration files that I needed to change; I should have known this from the beginning.
 

agneev

Occasional Visitor
It appears that the instructions for loading ash .profile in the zip file are not correct.

This is what I did and it worked:
cd /tmp/mnt/sda1
mkdir -p overlay/root
nano overlay/root/.profile
# Paste the two lines, ctrl-s, ctrl-x
reboot
Creating the file in /overlay/root did not work.
 

Voxel

Part of the Furniture
It appears that the instructions for loading ash .profile in the zip file are not correct.

This is what I did and it worked:

Creating the file in /overlay/root did not work.
No, it works:

[Attached screenshot: 1620981389610.png]


Check that you are using the "-al" option for the "ls" command (otherwise .profile and all ".*" files are not displayed). Also check that your USB is formatted as ext2/3/4.

Voxel.
 

agneev

Occasional Visitor
I have checked and can confirm that the USB drive is ext4 formatted.
[email protected]:~# ls -la /mnt/sda1/overlay/root/
drwxr-xr-x 2 root root 4096 May 14 10:26 .
drwxr-xr-x 3 root root 4096 May 14 10:20 ..
-rw-r--r-- 1 root root 72 May 14 10:26 .profile
[email protected]:~# ls -la /root
drwxr-xr-x 1 root root 80 May 14 11:32 .
drwxr-xr-x 1 root root 240 Apr 26 00:03 ..
-rw------- 1 root root 83 May 14 16:00 .ash_history
-rw-r--r-- 1 root root 72 May 14 10:26 .profile
drwxr-xr-x 2 root root 3 Apr 25 23:43 .ssh
[email protected]:~# cat /root/.ash_history
echo $PATH
ncdu /tmp/mnt/sda1/overlay/
ls -la /mnt/sda1/overlay/root/
ls -la /root
cat /root/.ash_history
[email protected]:~# cat /mnt/sda1/overlay/root/.ash_history
cat: can't open '/mnt/sda1/overlay/root/.ash_history': No such file or directory

I have 1.1.1.1 set as WAN DNS, and DHCP disabled, yet it seems the router is making queries to my DHCP server's DNS and any query redirected at the router (10.0.0.1) ends up with DHCP server's DNS as well.

Also, is there a way to make sure only the bare minimum ports are accessible from WAN?

Ports 53 and 22 are accessible from WAN, but I've created two port forwarding rules to make sure they're redirected to an obscure host, but a way to customize this would be nice (I don't have much experience with iptables).
 

mith_y2k

Regular Contributor
Thanks, for the moment I have disabled it and went back to the standard Netgear setup. I figured there were configuration files that I needed to change; I should have known this from the beginning.
TBH I think you had it working and just weren’t checking the right things. It also depends what you’re trying to achieve, privacy or using a specific DNS? For me for example Cloudflare is rarely the fastest dns so when I check on their site it doesn’t show.
 

crowdme2

Occasional Visitor
Continuation of

https://www.snbforums.com/threads/custom-firmware-build-for-orbi-rbk50-v-2-5-0-42sf-hw.60308/
. . .
https://www.snbforums.com/threads/c...50-rbk53-rbr50-rbs50-v-9-2-5-2-10sf-hw.70690/
https://www.snbforums.com/threads/c...50-rbk53-rbr50-rbs50-v-9-2-5-2-11sf-hw.71395/

New version of my custom firmware build: 9.2.5.2.12SF-HW.

Changes (vs 9.2.5.2.11SF-HW):

1. Toolchain: Go is upgraded 1.16.2->1.16.3.
2. wireguard package is upgraded 1.0.20210219->1.0.20210424.
3. wireguard-tools package is upgraded 1.0.20210315->1.0.20210424.
4. OpenVPN is upgraded 2.5.1->2.5.2.
5. OpenSSL v. 1.1.1 package is upgraded 1.1.1j->1.1.1k (fixing CVE-2021-3449, CVE-2021-3450).
6. curl package is upgraded 7.75.0->7.76.1 (fixing CVE-2021-22876, CVE-2021-22890).
7. dbus package is upgraded 1.13.12->1.13.18 (fixing CVE-2020-12049, CVE-2020-35512).
8. cifs-utils package is upgraded 6.12->6.13 (fixing CVE-2021-20208).
9. haveged package is upgraded 1.9.13->1.9.14.
10. ipset: Kernel modules optimization '-O3'.
11. Kernel: Add BLK_DEV_LOOP and FUSE modules support
12. Toolchain: add optimization patch to uClibc.

The link is:

https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).

Voxel.
Thank you Voxel, for all your work.

I've activated dnscrypt using telnet. What's the next step after that?

Do I put the listening address, 127.0.0.1, in the DNS address on the internet setup page?
 

mith_y2k

Regular Contributor
I've activated dnscrypt using telnet. What's the next step after that?

Do I put the listening address, 127.0.0.1, in the DNS address on the internet setup page?

Voxel takes care of everything, if you use Orbi's DHCP this should be automatic otherwise manually set the DNS to the Orbi IP and you're done.

There are a few ways to check if you're using DNSCrypt, see my previous post
 

KW.

Regular Contributor
Thank you Voxel! I'm heading back to the city where I was born to help an old friend set up wifi. My knowledge is not good on this stuff. But I've been bragging too much about my router, I guess, for your work and @kamoj's on my r9000, so they do think I'm a router guru. I had to take the bet, so I told him to buy the Orbi as I believe the place is a bit too big to be covered by the almighty Voxel/kamoj r9000. The Orbi was an ultimatum because that way I know you've got my back :)
 

digital10

Regular Contributor
Hello Voxel and community,
I have previously reported disconnections and Orbi frustrating dead signal. Maybe it had nothing to do with Voxel or Orbi Firmware issues. I have previously blocked netgear.com because it was sending information back to Netgear, which I do not know what exactly.

I think if you block netgear.com, the Orbi malfunctions and gives no internet connection errors. I believe this is a dirty tactic by Netgear: either give us a connection to netgear.com (or google.com) or we will disable the router.

I have resorted to whitelisting it.

Hi, my Orbi is calling home every few seconds. Should I block these on my Pi-hole?


[Attachment 33984]

No, read my post above. These are my findings so far; I cannot confirm or deny it. But better safe than sorry.
 

HTBruceM

Regular Contributor
Hi, my Orbi is calling home every few seconds. Should I block these on my Pi-hole?

Just a couple shots in the dark (i.e. guesses).

Any chance you have Disney Circle, NetGear Armor, or remote admin access (via the Orbi app on your phone) enabled? I assume those services need to periodically check in.

Another possibility is that the Orbi is periodically checking in to see if newer FW is available, so that it can show the ! notification on its admin pages.
 

crowdme2

Occasional Visitor
Just a couple shots in the dark (i.e. guesses).

Any chance you have Disney Circle, NetGear Armor, or remote admin access (via the Orbi app on your phone) enabled? I assume those services need to periodically check in.

Another possibility is that the Orbi is periodically checking in to see if newer FW is available, so that it can show the ! notification on its admin pages.
I've reset the router. Seems to be much better. Calling only Netgear.com every 5 mins.
I've disabled Circle, Armor and remote access, previously and now.
 

digital10

Regular Contributor
How do I disable remote access? Is it the remote management in the Advanced tab?
 
