Custom firmware build for R7800 v. 1.0.2.49SF

[kamoj]

I have a working add-on to Voxel FW that allows selection of different clients and start/stop.
It also comes with supervision and restart of the client if it fails.
Don't know when I have time to package it so it is usable by others though...

Status of the client is shown with the WAN LED on the router: White = Ok, Amber = NOT Ok.

For me Voxel's way of uploading ovpn-files by placing them on a USB-stick is simple enough.
What is your suggestion on how to make it easier?

Something like to start/stop the Openvpn-client. An option to check the status of the client. An easy way to upload the Ovpn-file from the provider to R7800. That sort of things.
I used them in DDwrt but mis them in Voxels (great) firmware.

 

[vmb]

I have a working add-on to Voxel FW that allows selection of different clients and start/stop.
It also comes with supervision and restart of the client if it fails.
Don't know when I have time to package it so it is usable by others though...

Status of the client is shown with the WAN LED on the router: White = Ok, Amber = NOT Ok.

For me Voxel's way of uploading ovpn-files by placing them on a USB-stick is simple enough.
What is your suggestion on how to make it easier?

Kamoj, thank you for answer. I think your doing a great job!

My suggestion regarding the ovpn-files is something like what is possible in DDwrt. In DDwrt you can copy paste the content of the ovpn-file in a text-box and save it in r7800. So no commandline needed.

If IT is possible to add the status of the client in the webgui, that would be really great!

 

[kamoj]

It was easy to show in the GUI which openvpn client that is selected/used. But to show status for it, especially dynamically updated, is difficult for me.

I don't know how to make a GUI, I don't even now how to code HTML/Java,
so I hope someone else can join this forum and help to at least make a template!

If IT is possible to add the status of the client in the webgui, that would be really great!

 

[microchip]

@Voxel

Hi

Can you please remove ICMPv6 packet filtering? If you do, I will immediately load your firmware on my R7800

Thank you very much!

 

[Voxel]

@Voxel

Hi

Can you please remove ICMPv6 packet filtering? If you do, I will immediately load your firmware on my R7800

Thank you very much!

Hi microchip,

Could you explain the reason of this removal? In details.

Voxel.

 

[microchip]

Hi microchip,

Could you explain the reason of this removal? In details.

Voxel.

Hi,

ICMPv6 is crucial to the working of IPv6. If you block it, like NETGEAR does in its firmware, some sites may appear broken or won't load at all, even though these sites may be working just fine when you don't filter ICMPv6

Currently, NETGEAR refuses to stop filtering ICMPv6 on all its routers, siting "security concerns". NETGEAR is the only consumer router manufacturer that does this (all others like ASUS, Linksys, TP-Link, D-Link do NOT filter ICMPv6). I've had many conversations with NG about this, yet their "engineering" still refuses to stop this practice. Also there are others who complain about this, mostly on NG's community forum.

 

[Voxel]

Info for Entware users: it is upgraded. Now it is not Entware-NG/Entware-NG-3x, but just Entware:

https://www.snbforums.com/threads/e...swrt-merlin-firmware.44393/page-5#post-388971

So my version for Cortex-A15 is upgraded too. A lot of packages are upgraded, some packages are added, new compiler (GCC 7.3.0) is used, new GLIBC is used (2.26). It is suggested to re-install Entware from the scratch saving your own configs and restoring them after re-installation.

https://www.voxel-firmware.com/Downloads/Voxel/html/entware.html

Voxel.

 

[Voxel]

Hi,

ICMPv6 is crucial to the working of IPv6. If you block it, like NETGEAR does in its firmware, some sites may appear broken or won't load at all, even though these sites may be working just fine when you don't filter ICMPv6

Currently, NETGEAR refuses to stop filtering ICMPv6 on all its routers, siting "security concerns". NETGEAR is the only consumer router manufacturer that does this (all others like ASUS, Linksys, TP-Link, D-Link do NOT filter ICMPv6). I've had many conversations with NG about this, yet their "engineering" still refuses to stop this practice. Also there are others who complain about this, mostly on NG's community forum.

OK, I'll check this. Thanks for explanation.

Voxel.

 

[Killhippie]

Oddly enough ICMPv6 is I believe filtered in the Windows Firewall. As does Ubiquiti, so there must be some basic reason for this 'security' That I shall leave to those more in the know.

 

[RogerSC]

Oddly enough ICMPv6 is I believe filtered in the Windows Firewall. As does Ubiquiti, so there must be some basic reason for this 'security' That I shall leave to those more in the know.

If you're curious about what the role of ICMPv6 is with IPv6, there are various rfc's out there that you can look at. Here's one:

https://tools.ietf.org/html/rfc4443

Then you to can be in the know *smile*.

 

[Killhippie]

If you're curious about what the role of ICMPv6 is with IPv6, there are various rfc's out there that you can look at. Here's one:

https://tools.ietf.org/html/rfc4443

Then you to can be in the know *smile*.

Believe me I’m well aware of the situation when I had an r7000 I spent so long trying to get netgear to stop filtering this, showing him all the info given them links spending months trying to get through to them and they wouldn’t listen. I was only pointing out oddly enough that the Windows firewall and Ubiquiti filter ICMPv6 too. Some companies seem to think that there is a security issue some companies don’t but at the end of the day I’m just curious as to why Microsoft filter it when it’s known that it’s not needed. There seems to be some strange safety margin that some companies want to cover where as others like Asus don’t. At the end of the day I don’t think you’ll ever get this sorted out properly with Netgear.

 

[RMerlin]

ICMPv6 is crucial to the working of IPv6. If you block it, like NETGEAR does in its firmware, some sites may appear broken or won't load at all, even though these sites may be working just fine when you don't filter ICMPv6

Which specific ICMPv6 packets are they dropping? There are RFCs dictating which should be allowed. If Netgear isn't following the RFC, someone should refer them to RFC-4890, sec. 4.3.1 and 4.4.1.

 

[Sizzlechest]

Do you think the filtering can be overridden using a IPTABLES command?

 

[RMerlin]

Do you think the filtering can be overridden using a IPTABLES command?

Things are tricky with Netgear's firmware as they don't use userspace tools to configure the firewall, they directly access the chains (AFAIK).

 

[microchip]

Which specific ICMPv6 packets are they dropping? There are RFCs dictating which should be allowed. If Netgear isn't following the RFC, someone should refer them to RFC-4890, sec. 4.3.1 and 4.4.1.

I do not know exactly, as when I had my R7000 and tried to look at the ip6tables output, it errors out with a message not being able to find some library. I do not know if I'll get the same on the R7800 (currently on order, so don't have it yet).

That said, every IPv6 test sites that has ICMPv6 testing says it is being filtered. The site I most use is http://ipv6-test.com/ - it nicely reports any issues with ICMPv6. And it correctly reports that other brands like ASUS/TP-Link do not filter, while on NG firmware it reports these packets are being filtered

 

[e38BimmerFN]

Have you tried setting the NAT Filter from Secure to Open and see if there are any differences?

 

[Sizzlechest]

Have you tried setting the NAT Filter from Secure to Open and see if there are any differences?

I played with that myself and it made no difference. BTW, I got two different IP6 test results based on the browser I used. Firefox got me a 12 and Edge yielded a 14.

 

[e38BimmerFN]

Ok, was curious if NAT Filter did anything. I presume it may only effect IPv4.

Seen different results with all the various browsers. IE11, Edge, FF, Chrome and Opera. Even with Speed tests and Buffer Bloat testing.

 

[Voxel]

Things are tricky with Netgear's firmware as they don't use userspace tools to configure the firewall, they directly access the chains (AFAIK).

That's right but there are some possibilities to use iptables:

https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-44sf.42882/

d. Possibility to use your own iptables rules w/o modification of /usr/sbin/net-wall script. If you have /root/firewall-start.sh script (executable) with your iptable commands it will be called automatically at the end of “net-wall start” command.

Voxel.

 

[cordezz]

Hi,
is it possible to change the label (displayed as "Volume Name" in the WI) of a connected USB device?
e2label or mlabel do not work. There is mkfs.ext4, but I do not want to format the hdd.