Doubts about R7800 Firmware / IPv6 Support

Discussion in 'NETGEAR AC Wireless' started by WiFiSeeder, Feb 23, 2019.

  1. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Hi guys,

    I'm thinking about buying a R7800 to replace my old trusted AC68U.

    Just wondering about a few things:

    1. Are the firmware issues that used to affect wired speeds gone? Can I trust this router to drive 1 Gbps down the wire?
    2. Is there a firmware that allows me to configure simple IPv6 Firewall rules (e.g., allow incoming traffic to 20ab:xxxx port 80 and 443)?
    3. What kind of downstream speeds do you get at short range (i.e., 2 to 3 meters, no walls) in the 5 GHz band - 80 / 160 MHz band?
    4. ASUS router owners. Can an ASUS router connect to this Router in Media Bridge mode? If so, what kind of speeds do you get (with clients directly wired to the media bridge)? Is it stable?

    Any info from current / previous owners is very welcome.
     
    Last edited: Feb 23, 2019
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,362
    For part of your question 1, there is no consumer router that I have tried that can do true 1Gbps speeds WAN to LAN and vice versa. That is with no extra options configured on the router. With anything turned 'on' within the router, the speeds are much, much less than 1Gbps.
     
  3. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Hi L&LD, what kind of speed can I expect with QoS turned off? My AC68U seems to be pretty close to maxing out my 1 Gbps link, at least that's what I'm getting from unscientific peak performance tests. What I mean is, I'm getting 900 / 940 Mbps in Ookla speed tests when client is wired to the router. Unfortunately, WiFi speeds are generally around 300 / 400 Mbps.

    Cheers,
     
    Last edited: Feb 23, 2019
  4. Sachb

    Sachb Occasional Visitor

    Joined:
    May 11, 2016
    Messages:
    27
    If you care about VPN such as OpenVPN then R7800 may not do this.

    If you want to use this router in repeater mode, then again R7800 doesn't do it.

    NG R7800 is suited for folks who want sheer speed with limited features.

    The best thing about this router is that it boots in under a minute whereas the ASUS would easily take up to 2 mins.

    Sent from my LM-G710 using Tapatalk
     
    WiFiSeeder and L&LD like this.
  5. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Hi Sachb. I'm not using a VPN Client nor am I thinking about using it as a repeater. However, I really need IPv6 Firewall functionality (other than block all / accept all). Do you know if Stock, Voxel's or DD-WRT firmware can do that?
     
    Last edited: Feb 23, 2019
  6. jsmiddleton4

    jsmiddleton4 Very Senior Member

    Joined:
    Dec 3, 2012
    Messages:
    518
    Only thing Netgear refuses to support with IPv6 is ICMP. Voxel can't do anything about that either.
     
  7. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Is there an IPv6 Firewall that allows custom rules? If so, wouldn't something like:

    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

    work? Or is NG not even respecting firewall rules? (Not a surprise since they are not even respecting IPv6 RFC...). I doubt that I can get a stable IPv6 connection without MTU control...
     
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,362
    With QoS turned off (and also anything else that may turn off NAT Acceleration) you can expect very, very close to the speeds you're already seeing. See the router charts for an idea of how close the current routers are to each other.

    Even with my RT-AC3100, I am having the same issue(s) right now as I've just jumped to 1Gbps up/down speeds myself.

    Fast.com shows speeds like 1.1Gbps down and 1.4Gbps up. Speedtest.net shows 797Gbps down and 769Gbps up. DSLReports.com shows 587Gbps down and when it hits 389Gbps up, it crashes. ;)

    What we need is the (now old) Asus BRT-AC828 with 2Gbps WAN ports. :)

    https://www.hardwarezone.com.sg/tec...c828-router-comes-dual-wan-ports-2gbps-speeds

    I am hoping Asus updates the BRT to AX standards (not draft) and is actually available for most. :D:D

    The RT-AC3100 was a nice speed bump improvement over my trusty old RT-AC68U. I may need to get an RT-AC86U or RT-AX88U in sooner than I expected to test if they help with the 1Gbps ISP service I now have.
     
    WiFiSeeder likes this.
  9. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Thanks L&LD, that's very useful information!

    To be honest, I'm kinda leaning towards the RT-AX88U. Although I'm concerned that I may be heading towards a World of pain as a paying Guinea pig until ASUS finishes ironing out bugs in WiFi version 6 and releases a brand new "RT-AX86U" a couple of years down the road. At the moment the main contender seems to be the RT-AC86U.

    I understand that the R7800 is a powerful router. Faster than the AC86U and even the RT-AX88U (for half the price). However, so far I couldn't confirm if custom firewall rules for IPv6 are supported (I love pfSense, but no thanks... I'm not using it at home).
    Plus the whole ICMP thing is very disappointing. I would have expected something like that from a Junior Sysad that just heard about the dangers of "Ping of death" and insists that we need to "secure the network"... Not from Engineers at a major network supplier! God knows what other unholy things are lurking in their firmware.

    Any other advice or last minute attempt to push a madman towards the path of enlightenment with tried and tested technology like the AC3100 or AC86U?
     
    Last edited: Feb 23, 2019
    L&LD likes this.
  10. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,362
    I love great hardware. I too would be testing the R7800 to see what improvements I can get from it. Maybe, fortunately, I can't get one locally (I don't do 'online'). :)

    However, my research so far shows me that I will be getting a very small gain over what I have now in the LAN/WAN dept. With possibly bigger gains over WiFi and storage options (which I don't use off the router anyway). The cost of switching to the NG means losing RMerlin. Case closed.

    https://www.snbforums.com/threads/n...ison-stock-vs-voxel-performance-issues.54441/

    There are excellent third-party firmware options to test/try with the R7800, but it is still NG based.

    The reasons I want to test the RT-AX88U and the RT-AC86U for my needs would be for OpenVPN performance increases. The LAN/WAN and WAN/LAN speed differences will be negligible (I believe).

    Asus' hardware and RMerlin's firmware contributions make that much of a difference. There is no other manufacturer that can come close with this powerhouse combination.

    Stable, secure, highly configurable/customizable and (sometimes) slightly slower beats fastest but mostly in the shop for service/tuneups, every time! :D
     
    WiFiSeeder likes this.
  11. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    I hear you :). While I take my hat off to Voxel, there is only so much that you can do when messy upstream policies keep holding you back.
    Ok, so RT-AX88U it is. I read that Merlin is already working his magic.
     
    Last edited: Feb 23, 2019
    L&LD likes this.
  12. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,362
    WiFiSeeder likes this.
  13. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    346
    The ip6tables command is included in the Voxel firmware.
    https://www.snbforums.com/threads/c...r-r7800-v-1-0-2-54sf.47947/page-2#post-420955
    Code:
    [email protected]:/$ ip6tables
    ip6tables v1.4.10: no command specified
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    But:
    Netgear uses a firewall wrapper, net-wall, from Delta Networks Inc.

    So to use iptables and ip6tables commands, you should put them in /opt/scripts/firewall-start.sh
    ( In old releases of Voxel firmware: /root/firewall-start.sh)

    From Voxel's readme.docx:
    "5. Open your own firewall ports.
    ...
    Additionally you can use your own custom script to add your own iptables rules.
    This script should be named firewall-start.sh and be placed in the /root directory, i.e. /root/firewall-start.sh."


    References in this forum:
    https://www.snbforums.com/threads/p...to-source-ip-address-range.42821/#post-365354
    https://www.snbforums.com/threads/c...v-1-0-2-42hf-1-0-2-42hf-hw.40688/#post-342246
    https://www.snbforums.com/threads/c...r-r7800-v-1-0-2-49sf.45296/page-2#post-390635
    https://www.snbforums.com/threads/help-with-custom-iptables.44630/
    https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-59sf.48579/
    https://www.snbforums.com/threads/s...ol-in-my-build-of-firmware.54815/#post-467304

     
    WiFiSeeder likes this.
  14. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    @kamoj , thank you very much for the info.

    I'm sure that I'm hitting a complex problem with a stick, however, could you run a little experiment for me?

    Could you allow ICMPv6 traffic and run the http://ipv6-test.com tests?

    Code:
    ip6tables -A INPUT   -p IPv6-icmp -j ACCEPT
    ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT
    I'm just trying to understand if I can potentially overcome the ICMP issue.

    For security conscious people arriving here from a search engine:

    Sample script that allows recommended ICMPv6 traffic while tightening security: https://tools.ietf.org/html/rfc4890#page-30
    Extra recommendations for customer devices: https://tools.ietf.org/html/rfc6092#section-3.2.1

    If it works I'm sure that someone more knowledgeable about router firewall security can replicate tried and tested but less spartan default rules from Merlin's Firmware or DD-WRT.
     
    Last edited: Feb 24, 2019
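
An added example (not code from the thread, from Voxel's firmware or from RFC 4890's own script) of what a custom `firewall-start.sh` could contain for the original question: the ICMPv6 types that RFC 4890 section 4.3.1 says must not be dropped in transit, plus ports 80 and 443 to one LAN host. `WEB_HOST`, `RFC4890_TRANSIT_TYPES` and `emit_rules` are hypothetical names, the address is a constructed documentation address, and the thread does not confirm that net-wall leaves such rules in place.

```shell
#!/bin/sh
# Added example: prints the rules a custom firewall-start.sh could apply.
# WEB_HOST is a constructed documentation address (2001:db8::/32), not from the thread.
WEB_HOST="2001:db8:1::10"

# ICMPv6 type[/code] values RFC 4890 section 4.3.1 lists as "must not be dropped"
# for traffic passing through a firewall:
#   1       Destination Unreachable (all codes)
#   2       Packet Too Big (needed for path MTU discovery)
#   3/0     Time Exceeded, hop limit exceeded in transit
#   4/1 4/2 Parameter Problem, unrecognized next header / unrecognized option
#   128 129 Echo Request / Echo Reply
RFC4890_TRANSIT_TYPES="1 2 3/0 4/1 4/2 128 129"

emit_rules() {
    # One ACCEPT per ICMPv6 type instead of accepting the whole protocol.
    for t in $RFC4890_TRANSIT_TYPES; do
        echo "ip6tables -I FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Inbound web traffic to a single LAN host only.
    for port in 80 443; do
        echo "ip6tables -I FORWARD -d $WEB_HOST -p tcp -m tcp --dport $port -j ACCEPT"
    done
}

# Print the rules for review; to apply them on the router: emit_rules | sh
emit_rules
```

Only the FORWARD chain is covered; traffic addressed to the router itself (INPUT) also needs the neighbor discovery types that RFC 4890 section 4.4 discusses.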
  15. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    346
    Sure, I will do.
    Just now I tried it and discovered an issue in Voxel's net-wall wrapper that is a wrapper to Netgear's net-wall.
    I must resolve this issue before completing your task.
    I'll come back to you!

     
    WiFiSeeder likes this.
  16. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    @kamoj , thanks a million.
     
  17. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    346
    Ok, here is the first try:
    Code:
    "Advanced, Advanced Setup, IPv6": "Internet Connection Type":  "Auto Detect"
    IPv6 Filtering: Open
    
    ip6tables -A INPUT -p IPv6-icmp -j ACCEPT
    ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT
    
    http://ipv6-test.com/? : 12/20 (ICMP Filtered)
    
    [email protected]:/$ ip6tables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       ipv6-icmp    anywhere             localhost/128
    DROP       ipv6-icmp    anywhere             localhost/128
    DROP       tcp      anywhere             anywhere            tcp dpt:www
    DROP       tcp      anywhere             anywhere            tcp dpt:domain
    DROP       tcp      anywhere             anywhere            tcp dpt:https
    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    ACCEPT     ipv6-icmp    anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     ipv6-icmp    anywhere             anywhere
    DROP       all     !xxxx:xxxx:xxxx::/64  anywhere
    DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
    DROP       ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply limit: avg 5/sec burst 5
    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
    DROP       all      ::7/128              anywhere
    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [email protected]:/$
    [email protected]:/$ ip6tables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A INPUT -d ::1/128 -i sit1 -p ipv6-icmp -j DROP
    -A INPUT -d ::1/128 -i br0 -p ipv6-icmp -j DROP
    -A INPUT -i sit1 -p tcp -m tcp --dport 80 -j DROP
    -A INPUT -i sit1 -p tcp -m tcp --dport 53 -j DROP
    -A INPUT -i sit1 -p tcp -m tcp --dport 443 -j DROP
    -A INPUT -i sit1 -p tcp -m tcp --dport 548 -j DROP
    -A INPUT -i sit1 -p tcp -m tcp --dport 2601 -j DROP
    Can't find library for target `IPv6-CONE'
    -A INPUT -i sit1 -j IPv6-CONE
    [email protected]:/$
    
    
    Note this:
    Can't find library for target `IPv6-CONE'
    -A INPUT -i sit1 -j IPv6-CONE

    Also tried to modify your commands to:
    Code:
    ip6tables -I INPUT -p IPv6-icmp -j ACCEPT
    ip6tables -I FORWARD -p IPv6-icmp -j ACCEPT
    But same result.

    If you have the whole list of settings (incl. erasing all Netgear rules..) , I can try that too.
     
    Last edited: Feb 24, 2019
    WiFiSeeder likes this.
  18. WiFiSeeder

    WiFiSeeder Occasional Visitor

    Joined:
    Feb 22, 2019
    Messages:
    39
    Thanks @kamoj. The fact that the two very first lines are blocking ICMPv6 is very encouraging.

    Since the default policy for all chains is ACCEPT, I don't think that we even need custom rules. Deleting some of the default rules should do it.

    I don't want to abuse your good will, but if you are willing to do another test, I think that we can get the ICMP tests to pass.

    First, run the following command:
    Code:
    ip6tables -L --line-numbers
    Output should give you line numbers for each rule. Even the ones that we can't see with -S due to the unloaded / missing custom kernel module.

    Go ahead and delete every line that has anything to do with dropping ICMPv6 traffic. Example (line numbers may vary):

    Code:
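    # Rule numbers shift down after each delete, so within a chain
    # remove the higher-numbered rule first.
    ip6tables -D INPUT 2
    ip6tables -D INPUT 1
    ip6tables -D FORWARD 5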
    
    Actually, the FORWARD rule capping ping requests to 5 times per second ain't that bad, but let's nuke it anyway just for the sake of testing.
    Finally, run the IPv6 tests again and, unless NG is blocking ICMP in some other way, my expectation is that everything should work :).
     
    Last edited: Feb 24, 2019
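
An added example (not from the thread) of the procedure in the post above: it reads `ip6tables -L --line-numbers` output, picks the rules that DROP ipv6-icmp, and prints the matching `ip6tables -D` commands highest number first, because deleting a rule renumbers the ones below it. The function names are hypothetical and the sample listing is constructed from the listings posted here, with a documentation prefix in place of a real one.

```shell
#!/bin/sh
# Constructed sample input, shaped like the stock-firmware listing in this thread.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       ipv6-icmp    anywhere             localhost/128
2    DROP       ipv6-icmp    anywhere             localhost/128
3    DROP       tcp      anywhere             anywhere            tcp dpt:www
4    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all     !2001:db8:1::/64      anywhere
2    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
3    DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222
4    DROP       ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply limit: avg 5/sec burst 5
5    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
EOF
}

# Reads a listing on stdin, writes one "ip6tables -D <chain> <num>" per
# ICMPv6 DROP rule. Within each chain the highest rule number comes first,
# so every printed number is still valid when its command runs.
icmp6_drop_deletes() {
    awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $2 == "DROP" && $3 == "ipv6-icmp" {
            if (++n[chain] == 1) order[++c] = chain   # remember chain order
            rules[chain, n[chain]] = $1
        }
        END {
            for (i = 1; i <= c; i++) {
                ch = order[i]
                for (j = n[ch]; j >= 1; j--)
                    printf "ip6tables -D %s %s\n", ch, rules[ch, j]
            }
        }'
}

# Review the output before running it; on a router the input would be
#   ip6tables -L --line-numbers | icmp6_drop_deletes
sample_listing | icmp6_drop_deletes
```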
  19. KevTech

    KevTech Very Senior Member

    Joined:
    Feb 27, 2012
    Messages:
    754
    Location:
    United States
    Here it is on NG stock firmware:

    Code:
    [email protected]:/# ip6tables -L --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       ipv6-icmp    anywhere             localhost/128
    2    DROP       ipv6-icmp    anywhere             localhost/128
    3    DROP       tcp      anywhere             anywhere            tcp dpt:www
    4    DROP       tcp      anywhere             anywhere            tcp dpt:domain
    5    DROP       tcp      anywhere             anywhere            tcp dpt:https
    6    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
    7    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
    8    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       all     !2601:601:1680:18::/64  anywhere
    2    DROP       tcp      localhost/128        whoartthou/128      tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
    3    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
    4    DROP       ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply limit: avg 5/sec burst 5
    5    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
    6    DROP       all      ::7/128              anywhere
    7    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
     
    WiFiSeeder likes this.
  20. kamoj

    kamoj Senior Member

    Joined:
    May 12, 2017
    Messages:
    346
    Second try:

    Code:
    [email protected]:/$ ip6tables -L --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       tcp      anywhere             anywhere            tcp dpt:www
    2    DROP       tcp      anywhere             anywhere            tcp dpt:domain
    3    DROP       tcp      anywhere             anywhere            tcp dpt:https
    4    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
    5    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
    6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       all     !xxxx:xxxx:xxxx::/64  anywhere
    2    DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
    3    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
    4    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
    5    DROP       all      ::7/128              anywhere
    6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    [email protected]:/$
    
    I'm running Windows 10 64-bit.
    Have tried 4 different internet browsers with different results.
    The 3 fields Type, ICMP and Hostname are all colored yellow:
    • Microsoft Edge 42.17134.1.0 / Internet Explorer v11.590.17134.0:
      Code:
      http://ipv6-test.com/? : 15/20
      IPv6 connectivity:
      Type    6to4
      ICMP    Filtered
      Hostname    None
      
      Browser:
      Default    IPv4
      Fallback to IPv6 in < 1 second
      
    • Google Chrome Version 72.0.3626.119 (Official Build) (32-bit)
      Code:
      http://ipv6-test.com/? : 14/20
      IPv6 connectivity:
      Type    6to4
      ICMP    Filtered
      Hostname    None
      
      Browser:
      Default    IPv4
      Fallback    to IPv6 in 15 seconds
      
    • Firefox 65.0.1 64-bit
      Code:
      http://ipv6-test.com/? : 12/20
      IPv6 connectivity:
      Type    6to4
      ICMP     Filtered
      Hostname    None
      
      Browser:
      Default    IPv4
      Fallback    No