Help with changing outgoing TTL on Asus WRT

Ozzmodiar

Guest
I've been trying to get this to work for hours! I just want to change the outgoing packet TTL on the USB0 WAN interface. The "extend TTL" option apparently does exactly that but it's not doing what it's supposed to do (I've read in a few places it doesn't work and never has...not sure how much truth is in that)

I've tried this:

iptables -t mangle -I usb0 POSTROUTING -o -j TTL --ttl-set 65

but I can't seem to get the syntax correct, any help would be greatly appreciated!

I've made this work with DD-WRT in the past with this command:

iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 65

but I assume the 'get_wanface' is proprietary to the DD-WRT kernel.

Thanks!
Not sure if this is what you are after, but on the WAN GUI page, if you enable the following:

resulting in
Code:
1      292 61994 TTL        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            TTL match TTL > 30 TTL match TTL < 254 TTL set to 64
2        0     0 TTL        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            TTL match TTL == 254 TTL set to 255

but at least you can see the syntax used ;)
Code:
iptables -t mangle -A FORWARD -o eth0 -m ttl --ttl-gt 30 -m ttl --ttl-lt 254 -j TTL --ttl-set 64
iptables -t mangle -A FORWARD -o eth0 -m ttl --ttl-eq 254 -j TTL --ttl-set 255

I assume the 'get_wanface' is proprietary to the DD-WRT kernel.
Usually this NVRAM variable works (except for PPPoE interfaces) to identify the WAN interface,
e.g.
Code:
iptables -t $TABLE -A $CHAIN -o $(nvram get wan0_ifname) -j TTL --ttl-set 64
Excellent, that helps a ton! I can knock some syntax using that and the man page. I'll post back when I have it working.

Thanks!
 
For anyone stumbling onto this page looking for the same thing, the syntax is:

iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65

This will change the TTL of all packets being routed through the USB-attached Android phone to 65.
So this is working a dream, the only thing left is to get it automated. I can't seem to find the right place to put it. Any ideas?

From this list (https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts) I've tried:

firewall-start
post-mount
dhcpc-event

None of those seem to fire AFTER the WAN link has been established through usb0.

If I manually execute any of those scripts through bash everything comes up fine. Is there any script that will run when I need it? Will it be a postconf script?

Thanks in advance.
 
Have you tried wan-start? I also wonder if the USB device would trigger post-mount
 
Yes, I probably should have mentioned that one as well...as it's the logical place it would go. I'm quite certain that the problem is it's executing too early. I've added a sleep 60 in there and still no luck.
 
Further to this, here is the log output when the USB device is plugged in. You can see the 'wan-start' script does indeed get called, but it doesn't actually do anything. I've included the contents of my wan-start script as well; all it is doing now is writing some data into the log, just to simplify things, yet it's still not doing anything.
 
Anything that touches the filter chain must go in firewall-start, otherwise it will get overwritten every time the firewall gets restarted. Likewise for mangle/nat chain changes, these must go in nat-start.
 
Adding the shebang as per ColinTaylor's comment got it working, but I am curious why I wouldn't want this specific rule in the wan-start script?

RMerlin:

From a logical standpoint the wan-start script is going to run each time I plug the phone into the USB port, but you know better than anyone where my iptables command should go. How often does the firewall get restarted? And why?

Thanks in advance!
 
Because you can't tell for sure if wan-start will run before or after the firewall gets restarted. Or any time you make a change to the firewall configuration, your changes will be lost.
 
Put it into both places.

WanStart will trigger when you plug the USB device in
FirewallStart will prevent the settings from getting wiped due to various triggers


To avoid duplicate commands, delete and reissue the iptables rule each time wan/firewall is called
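An added example (not code from this thread or from Asuswrt-Merlin) that combines the advice above: one script to install as both /jffs/scripts/nat-start and /jffs/scripts/wan-start, which removes any existing copies of the rule before adding it exactly once. The interface usb0 and TTL 65 come from the thread; the script paths and the use of `$0` to detect which user script is running are assumptions.

```sh
#!/bin/sh
# Idempotent outgoing-TTL rule for ASUSWRT-Merlin user scripts.
# Install this same file as /jffs/scripts/nat-start (mangle rules survive
# firewall restarts) and /jffs/scripts/wan-start (fires when the tethered
# phone comes up), then chmod a+rx both copies.
# Assumptions: the phone shows up as usb0 and the wanted TTL is 65.

WAN_IF="${WAN_IF:-usb0}"
TTL_VALUE="${TTL_VALUE:-65}"

# Remove every existing copy of the rule, then append exactly one.
# "iptables -C" exits 0 while a matching rule exists, so the loop drains
# duplicates left behind by earlier wan-start / nat-start runs.
ensure_ttl_rule() {
    ifname="$1"
    ttl="$2"
    while iptables -t mangle -C POSTROUTING -o "$ifname" -j TTL --ttl-set "$ttl" 2>/dev/null; do
        iptables -t mangle -D POSTROUTING -o "$ifname" -j TTL --ttl-set "$ttl"
    done
    iptables -t mangle -A POSTROUTING -o "$ifname" -j TTL --ttl-set "$ttl"
}

# Only touch the firewall when actually invoked as one of the user scripts;
# sourcing the file elsewhere just defines the function.
case "$0" in
    */nat-start|*/wan-start)
        ensure_ttl_rule "$WAN_IF" "$TTL_VALUE"
        logger -t ttl-fix "set outgoing TTL $TTL_VALUE on $WAN_IF"
        ;;
esac
```

Afterwards `iptables -t mangle -S POSTROUTING` should list the rule once, however many times the phone has been replugged or the firewall restarted.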
 
Ozzmodiar, may I ask why you're looking to make the TTL 65? I have recently switched over to using an android phone tether with T-mobile and hotspot on my RT-AC68u, and have had some not-so-great behavior with certain internet functions. So I've been looking at the TTL issue, and I went ahead and enabled both the "Extend the TTL" and the "Spoof LAN TTL" option on my router, and I have to say that most of those issues (web pages not loading, Citrix ICA sessions freezing, etc. etc.) seem to have improved. But in researching the issue, it seems that maybe T-mobile is identifying non-mobile devices via the TTL.
 
You're correct. I was doing this to get around T-Mobile tethering restrictions. Just grab that iptables code above and you should be good to go!
 
How did you determine that your router was transmitting with a TTL of 65? If I use the PING command from the router network tools and PING the WAN IP address, I receive replies with a TTL of 64. Since the router's WAN IP address is one hop away, and I expect the TTL to get decremented by one for each hop, a PING reply of TTL=64 would be correct if my router is transmitting with a TTL of 65. If this is correct, then simply turning on the router WAN option "Extend the TTL value" seems to do the job of making the router transmit with a TTL of 65.
 
Extend was not working for me, if I tethered my phone, I would not get any internet. As soon as I added the iptables rule it started to work.
 
This doesn't work for me on an AC68U (Merlin 384.9) with an Android phone connected to USB3 port along with any combination of:

Extend the TTL value
Spoof LAN TTL value

I can browse the internet, but when I ping the WAN IP, I get a TTL of either 44 or 43.
Anyone have any insights?
 
This works perfectly.

If anyone is happening upon this thread here is what I did:
  1. install merlin
    1. download the right one from the website
    2. extract it
    3. go to your router.asus.com page
    4. in administration>firmware upgrade, upload your file and flash
  2. enable extend the ttl value and spoof lan ttl value in usb modem settings on your router.asus.com page
  3. enable ssh at administration>system in router.asus.com
  4. ssh in (I used router.asus.com) and my password
  5. run chmod a+rx /jffs/scripts/*
  6. navigate to jffs/scripts
  7. type nano firewall-start
  8. edit the script to be:
    #!/bin/sh
    iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65

  9. ctrl+x and save it
  10. reboot the router

I also set up tasker on my phone to turn on usb tethering, I used the power/usb in the state list then used secure settings to turn on usb tethering. Working like a charm.
 
Would this work with an LTE modem (I use a Netgear LB1120) connected to the WAN network port?
 
