Custom firmware build for R7800 v. 1.0.2.72SF

Discussion in 'NETGEAR AC Wireless' started by Voxel, Oct 25, 2019.

  1. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    Well. I have a similar necessity. I have to block a lot of IPs from China, the Netherlands, Korea, Germany, Ukraine and Russia (of course) that are trying to hack my R7800… Also time-to-time changes in my Parental Control rules (e.g. blocking YouTube). I do use iptables rules for that. So I need these rules to be applied immediately.

    Unfortunately I cannot control the firewall made by NG, forcing it to apply my iptables rules immediately and automatically after changing my script. But what I do:

    1. (optional) Hint for you: change your /root/firewall-start.sh to /opt/scripts/firewall-start.sh. The same script but in another location. More natural, and /opt already exists, used by ReadyCLOUD.

    2. When you change this script, just run the following commands from the telnet/ssh console:
    Code:
    net-wall rule
    net-wall start
    
    These commands will force this firewall from NG to apply your rules immediately. Check it if you want:
    Code:
    iptables -L -n | more
    
    Or for example
    Code:
    iptables -L -n -t nat | more
    
    3. If you are using a USB dongle, it is possible to start these rules immediately and automatically after reboot, without needing a manual startup.
    Script in /mnt/sda1/autorun/scripts/post-mount.sh:
    Code:
    #!/bin/sh
    
    # Start firewall rules after boot if optional script exists
    if [ -x /opt/scripts/firewall-start.sh ] || [ -x /root/firewall-start.sh ]; then
        /usr/sbin/net-wall rule
        /usr/sbin/net-wall start
    fi
    
    Voxel.
     
    darkv and kamoj like this.
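    A worked version of the firewall-start.sh pattern from this post (an added example, not Voxel's script or NETGEAR firmware code): the block list lives in its own chain, so running the script again after net-wall rule / net-wall start or from post-mount.sh rebuilds the rules instead of appending duplicates. The chain name USER_BLOCK, the list file /opt/scripts/blocklist.txt and the IPT=echo dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example (not Voxel's firewall-start.sh): block list in a dedicated chain
# so that running this script again (net-wall rule; net-wall start, or from
# post-mount.sh) rebuilds the rules instead of appending duplicates.
# Assumptions: chain name USER_BLOCK, list file /opt/scripts/blocklist.txt with
# one IPv4 address or CIDR per line ("#" starts a comment), IPT=echo for dry runs.

IPT=${IPT:-iptables}
BLOCKLIST=${BLOCKLIST:-/opt/scripts/blocklist.txt}
CHAIN=USER_BLOCK

# Print the usable entries of the list: comments and blanks dropped, and only
# lines that look like a.b.c.d or a.b.c.d/nn kept, so a typo cannot become a
# malformed rule that aborts the script half-way.
read_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Rebuild the chain from scratch and make sure INPUT and FORWARD each jump to
# it exactly once (the jump is only inserted if "iptables -L" does not show it).
apply_blocklist() {
    $IPT -N "$CHAIN" 2>/dev/null || true      # already exists on a re-run
    $IPT -F "$CHAIN"
    read_blocklist "$BLOCKLIST" | while read -r net; do
        $IPT -A "$CHAIN" -s "$net" -j DROP
    done
    for hook in INPUT FORWARD; do
        $IPT -L "$hook" -n | grep -q "^$CHAIN " ||
            $IPT -I "$hook" 1 -j "$CHAIN"
    done
}

# Apply only when run under the installed name; sourcing the file (e.g. for a
# dry-run check) just defines the functions.
case "$0" in
    */firewall-start.sh|firewall-start.sh) apply_blocklist ;;
esac
```

    With IPT=echo the script prints the iptables commands it would run, which is a quick way to review the rule set before net-wall applies it.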
  2. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    P.S. to post above.

    After that no manual actions are needed, of course.

    Voxel.
     
  3. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    Actually, this only works for IPv4 rules. I have IPv6 rules that I want to add to the existing ones. If you call net-wall -6 start, the rules are not applied. If you call net-wall start, they are applied, but the existing default IPv6 rules from NETGEAR are completely wiped out.

    So it seems something in the system is calling "net-wall -6 start", so my IPv6 rules are not applied.
     
    kamoj likes this.
  4. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    OK, so I had to modify the following file

    /etc/scripts/firewall.sh

    and at the bottom, in the case statement that starts/stops, I added /root/firewall-start.sh

    and it works when doing "net-wall -6 start". My rules are added and the original NETGEAR IPv6 rules are there too.

    Also, changing stuff in the GUI that affects FW rules works as well (my IPv6 rules are applied). So maybe you'd want to take a look and improve it :)
     
    Last edited: Nov 4, 2019
    Ziki, kamoj and Voxel like this.
  5. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    I use the trick of replacing the /usr/sbin/net-wall binary with my own script. I am not sure if /etc/scripts/firewall.sh will cover all possible problems.

    In general, if you check this script /usr/sbin/net-wall you can see how it works now (IPv4). Unfortunately my ISP does not support IPv6 (so I cannot test it myself).

    In general, if you change the line

    Code:
    . . .
    elif [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    . . .
    
    to something that also handles the additional "-6" option, you should get what you need, i.e. a call of your own script.

    I.e. the logic should be: if ("$1" == "start" or "$1" == "restart") or ("$1" == "-6" and ("$2" == "start" or "$2" == "restart")) then etc.

    Usually net-wall calls for IPv4 look like:

    net-wall restart

    or

    net-wall rule
    net-wall start

    For IPv6:

    net-wall -6 restart

    or

    net-wall -6 rule
    net-wall -6 start

    Voxel.
     
    Last edited: Nov 4, 2019
    kamoj likes this.
  6. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    I mean that the script /etc/scripts/firewall.sh was introduced by NG only recently, after they added their own (a bit strange for me) OpenVPN client.

    This script is called from net-wall (stock firmware and thus my version too), but I cannot see its logic...

    Voxel.
     
  7. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    Thanks, I had a similar thought. Maybe you can add this logic to your net-wall script so I don't have to modify it each time I upgrade the firmware. For now, /etc/scripts/firewall.sh is reliable, as I took a look at net-wall-bin (the original) and at the bottom it calls /etc/scripts/firewall.sh (see below).

    net-wall-bin is a binary, but if you "cat" it, you can see through the binary "garbage output" at the bottom that it calls the mentioned script.

     
    Voxel likes this.
  8. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    Yes sure. I just have to do that. Especially if somebody was able to test this. Thanks for your research.

    Easier is to call e.g.

    Code:
    net-wall --help
    
    /usr/sbin/net-wall-bin: unrecognized option `--help'
    Firewall configuration util v2.0 (Delta Networks Inc.)
    Usage: net-wall [OPTIONS] [ start | restart | stop | rule ]
    Options:
            -w  --wan-interface     WAN interface name
            -l  --lan-interface     LAN interface name
            -6  --ipv6     no_argument
    
    I had to perform a lot of investigations with this net-wall in the past... To understand when it generates its /tmp/netwall-rules file and how to overcome the restrictions... So I am aware of the net-wall logic. A bit :)

    Voxel.
     
    kamoj likes this.
  9. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    Yes, I know you can call --help. But that doesn't tell you it calls /etc/scripts/firewall.sh. I had to "cat" the bin and only then I saw that it calls that script.
     
  10. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    Well. But I can check from where and with which arguments any script or binary is called. Anyway, thanks for letting me know.

    ((I'll tell you my top secret, but please do not share it :D. I do not use ALL the binaries from the latest stock firmware. For example I did not use the net-wall binary from 1.0.2.62 (stock) nor from 1.0.2.63 ("hot-fix" stock). And as it happens this was useful for Pi-hole owners… ))

    So maybe this call of /etc/scripts/firewall.sh will be removed in the future. I am not sure...

    OK. Now without joking. I appreciate your investigations with the IPv6 firewall/own script. Added to my to-do list for the next release. Thank you.


    Voxel.
     
    kamoj and microchip like this.
  11. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    399
    Good technical discussion!
    Thank you very much for your community contributions.

    @Voxel I have had this script (/usr/sbin/net-wall) changed this way since a "long" time ago,
    while doing some IPv6 tests:
    Code:
    #elif [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    else
       [ "$1" = "-6" ] && shift
    fi
    if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
    
    https://www.snbforums.com/threads/doubts-about-r7800-firmware-ipv6-support.55215/#post-468410

    @microchip
    instead of:
    Code:
    cat /usr/sbin/net-wall-bin
    you can use:
    Code:
    strings /usr/sbin/net-wall-bin
    PS
    I also have a "secret" fix to net-wall... ;)
     
    Voxel likes this.
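    The "-6" handling Voxel describes above and kamoj's shift trick, combined into a wrapper installed as /usr/sbin/net-wall (an added example, not Voxel's net-wall replacement or kamoj's fix): it hands every call to the stock /usr/sbin/net-wall-bin and then runs the user's script for the same address family after start/restart. That the user script takes the family ("4" or "6") as its first argument, and the path /opt/scripts/firewall-start.sh, are assumptions.

```shell
#!/bin/sh
# Added example (not Voxel's net-wall replacement nor kamoj's fix): wrapper for
# /usr/sbin/net-wall. It forwards every call to the stock binary, then runs the
# user's firewall script for the same address family after start/restart, so
# "net-wall -6 start" no longer bypasses it (the problem microchip hit).
# Assumption: the user script takes the family ("4" or "6") as its first argument.

NETWALL_BIN=${NETWALL_BIN:-/usr/sbin/net-wall-bin}          # stock binary, as on the page
USER_SCRIPT=${USER_SCRIPT:-/opt/scripts/firewall-start.sh}  # assumed location

# Address family of an invocation: "6" if -6/--ipv6 appears among the options
# (net-wall --help shows options before the action), otherwise "4".
netwall_family() {
    for a in "$@"; do
        case "$a" in -6|--ipv6) echo 6; return 0 ;; esac
    done
    echo 4
}

# The action word (start|restart|stop|rule): first argument that is neither an
# option nor the value of -w/-l. Prints nothing when no action was given.
netwall_action() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -w|--wan-interface|-l|--lan-interface)
                shift; [ $# -gt 0 ] && shift ;;   # drop option and its value
            -*) shift ;;                           # flag without value, e.g. -6
            *)  echo "$1"; return 0 ;;
        esac
    done
    echo ""
}

# Voxel's condition: run the user's script after start/restart, with or without -6.
user_hook_needed() {
    case "$(netwall_action "$@")" in
        start|restart) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when installed under the real name; sourcing the file for a check
# defines the functions without touching the firewall.
case "$0" in
    */net-wall|net-wall)
        "$NETWALL_BIN" "$@"; rc=$?
        if user_hook_needed "$@" && [ -x "$USER_SCRIPT" ]; then
            "$USER_SCRIPT" "$(netwall_family "$@")"
        fi
        exit "$rc" ;;
esac
```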
  12. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,296
    Good point. Sorry I am not always attentive... Thank you.

    Voxel.
     
    kamoj likes this.
  13. Wigster

    Wigster New Around Here

    Joined:
    Apr 14, 2009
    Messages:
    5
    Great. I've managed to get it to work by forcing it on the client side. Now I'll just follow your instructions for server side!
     
    kamoj and Voxel like this.
  14. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    @kamoj

    I wasn't aware strings was included, so I did a cat as I often use it.
     
    kamoj likes this.
  15. NoMoreFudgicles

    NoMoreFudgicles New Around Here

    Joined:
    Nov 3, 2019
    Messages:
    1
    Voxel and kamoj like this.
  16. kokishin

    kokishin Occasional Visitor

    Joined:
    Nov 16, 2013
    Messages:
    40
    Location:
    Silicon Valley
    @Voxel

    I just made a donation to your PP account. It's not going to put you in another tax bracket, although it may help fund a few Bulgarian beers. ;)

    I'm not a power user like some of the folks here. I just use the 7800 as a router; no DNS Crypt nor VPN. (I do have a paid VPN app on my desktop computer).

    You impress me because you're constantly improving the firmware and you take the time to help and answer the questions of your constituents on SNB forums.

    Thanks and all the best!
     
  17. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    565
    Location:
    Belgium
    @kamoj

    Would it be possible to add a link in the GUI to debug.htm in Advanced -> Advanced Setup when your add-on is installed?

    thanks
     
    kamoj likes this.
  18. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    399
    Yes of course, but just now it's added to the Advanced menu tab.
    At the moment it looks like this:
    kamoj_menu.jpg
    kamoj_hidden_menu2.jpg
    PS
    "Debug info" is the new add-on info view,
    "Netgear Debug Info" is the stock untouched page.
     
    Last edited: Nov 6, 2019 at 2:43 AM
    Bendon, tommytqt, Voxel and 3 others like this.
  19. Wigster

    Wigster New Around Here

    Joined:
    Apr 14, 2009
    Messages:
    5
    Hi

    My router is an R7800 with Voxel's 1.0.2.72. I also run Pi-hole with DHCP on my LAN to block tracking.

    I would like to set up stubby on the router to CloudFlare and then manually point the pihole at the router for DNS. The other clients would connect to the router, and get sent for DNS/DHCP to pihole as they do currently.

    I have just tried using the router as DNS using nslookup and it looks like it forwards the query to the pihole. Can stubby override this for DNS queries sent directly to the router, but still allow the router to register the pihole as the DNS for the clients?
     
  20. Killhippie

    Killhippie Senior Member

    Joined:
    Mar 20, 2016
    Messages:
    372
    Location:
    UK
    @kamoj

    Are you aware of the issues with NordVPN this year? It's made some people question them a bit. Seems bad actors had access to remote management on a server in Finland for a while... and kept very quiet about it.
    https://www.theregister.co.uk/2019/10/21/nordvpn_security_issue/

    "Here's what we know: miscreants were able to exploit a poorly secured remote-management system, built into the server and understood to be iLO or iDRAC, to gain control of the box in March 2018. They were able to gain access to the LXC containers running on the machine, and its OpenVPN software files and cryptography keys, it is claimed. The TLS certificate, since expired, for the nordvpn.com website was also stolen from the system."
     
    tommytqt and Voxel like this.