Help with changing outgoing TTL on Asus WRT

Discussion in 'Asuswrt-Merlin' started by Ozzmodiar, Mar 17, 2018.

  1. Ozzmodiar

    Ozzmodiar Guest

    I've been trying to get this to work for hours! I just want to change the outgoing packet TTL on the USB0 WAN interface. The "extend TTL" option apparently does exactly that but it's not doing what it's supposed to do (I've read in a few places it doesn't work and never has...not sure how much truth is in that)

    I've tried this:

    iptables -t mangle -I usb0 POSTROUTING -o -j TTL --ttl-set 65

    but I can't seem to get the syntax correct, any help would be greatly appreciated!

    I've made this work with DD-WRT in the past with this command:

    iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 65

    but I assume the 'get_wanface' is proprietary to the DD-WRT kernel.

    Thanks!
     
    Last edited by a moderator: Mar 18, 2018
  2. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,866
    Location:
    UK
    Not sure if this is what you are after, but on the WAN GUI page, if you enable the following:

    upload_2018-3-18_7-30-56.png

    resulting in
    Code:
    1      292 61994 TTL        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            TTL match TTL > 30 TTL match TTL < 254 TTL set to 64
    2        0     0 TTL        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            TTL match TTL == 254 TTL set to 255
    but at least you can see the syntax used ;)
    Code:
    iptables -t mangle -A FORWARD -o eth0 -m ttl --ttl-gt 30 -m ttl --ttl-lt 254 -j TTL --ttl-set 64
    iptables -t mangle -A FORWARD -o eth0 -m ttl --ttl-eq 254 -j TTL --ttl-set 255
    Usually this NVRAM variable works (except for PPPoE interfaces) to identify the WAN interface
    e.g.
    Code:
    iptables -t $TABLE -A $CHAIN -o $(nvram get wan0_ifname) -j TTL --ttl-set 64
     
    Last edited: Mar 18, 2018
  3. Ozzmodiar

    Ozzmodiar Guest

    Excellent, that helps a ton! I can knock some syntax using that and the man page. I'll post back when I have it working.

    Thanks!
     
  4. Ozzmodiar

    Ozzmodiar Guest

    For anyone stumbling onto this page looking for the same thing, the syntax is:

    iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65

    This will change the TTL of all packets being routed through the usb attached android phone to 65.
     
  5. Ozzmodiar

    Ozzmodiar Guest

    So this is working a dream, the only thing left is to get it automated. I can't seem to find the right place to put it. Any ideas?

    From this list (https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts) I've tried:

    firewall-start
    post-mount
    dhcpc-event

    None of those seem to fire AFTER the WAN link has been established through usb0.

    If I manually execute any of those scripts through bash everything comes up fine. Is there any script that will run when I need it? Will it be a postconf script?

    Thanks in advance.
     
  6. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    2,940
    Have you tried wan-start? I also wonder if the USB device would trigger post-mount
     
  7. Ozzmodiar

    Ozzmodiar Guest


    Yes, I probably should have mentioned that one as well...as it's the logical place it would go. I'm quite certain that the problem is it's executing too early. I've added a sleep 60 in there and still no luck.
     
  8. Ozzmodiar

    Ozzmodiar Guest

    Further to this, here is the log output when the USB device is plugged in. You can see the 'wan-start' script does indeed get called, but it doesn't actually do anything. I've included the contents of my wan-start script as well; all it is doing now is writing some data into the log, just to simplify things, yet it's still not doing anything.

    Screenshot from 2018-03-18 18-17-36.png
    Screenshot from 2018-03-18 18-19-12.png
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,951
    Location:
    UK
    As per the instructions, your script must start with the following:

    #!/bin/sh
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    Anything that touches the filter chain must go in firewall-start, otherwise it will get overwritten every time the firewall gets restarted. Likewise for mangle/nat chain changes, these must go in nat-start.
     
  11. Ozzmodiar

    Ozzmodiar Guest

    Adding the shebang as per ColinTaylor's comment got it working, but I am curious why I wouldn't want this specific rule in the wan-start script?

    RMerlin:

    From a logical standpoint the wan-start script is going to run each time I plug the phone into the USB port, but you know better than anyone where my iptables command should go. How often does the firewall get restarted? And why?

    Thanks in advance!
     
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,409
    Location:
    Canada
    Because you can't tell for sure if wan-start will run before or after the firewall gets restarted. Or any time you make a change to the firewall configuration, your changes will be lost.
     
  13. FreshJR

    FreshJR Very Senior Member

    Joined:
    Oct 8, 2016
    Messages:
    1,327
    Put it into both places.

    WanStart will trigger when you plug the USB device in
    FirewallStart will prevent the settings from getting wiped due to various triggers


    To avoid duplicate commands, delete and reissue the iptables rule each time wan/firewall is called
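
An added example (not part of any post in this thread): a helper that applies the delete-and-reissue advice above, so the same rule can be called from both nat-start (where RMerlin says mangle changes belong) and wan-start without piling up duplicates. The file name `/jffs/scripts/ttl-rule.sh` and the `IPT`, `WAN_IF` and `TTL_VALUE` variables are assumptions; `usb0` and `65` are the values used in the thread.

```shell
#!/bin/sh
# Added example: hypothetical helper /jffs/scripts/ttl-rule.sh.
# Call it as "/jffs/scripts/ttl-rule.sh apply" from both nat-start and wan-start.

IPT="${IPT:-iptables}"          # assumption: overridable for dry runs off the router
WAN_IF="${WAN_IF:-usb0}"        # tethered-phone interface used in this thread
TTL_VALUE="${TTL_VALUE:-65}"    # TTL value used in this thread

ensure_ttl_rule() {
    # Refuse anything that is not a plain integer in 1..255.
    case "$TTL_VALUE" in
        ''|*[!0-9]*) echo "ttl-rule: invalid TTL '$TTL_VALUE'" >&2; return 2 ;;
    esac
    if [ "$TTL_VALUE" -lt 1 ] || [ "$TTL_VALUE" -gt 255 ]; then
        echo "ttl-rule: TTL out of range: $TTL_VALUE" >&2
        return 2
    fi

    # -D removes one matching rule per call and fails once none is left,
    # so loop until every stale copy from earlier runs is gone.
    while $IPT -t mangle -D POSTROUTING -o "$WAN_IF" -j TTL --ttl-set "$TTL_VALUE" 2>/dev/null; do
        :
    done

    # Re-add exactly one copy of the rule.
    $IPT -t mangle -A POSTROUTING -o "$WAN_IF" -j TTL --ttl-set "$TTL_VALUE"
}

# Only touch the firewall when explicitly asked to.
case "${1:-}" in
    apply) ensure_ttl_rule ;;
esac
```

After a firewall restart or a re-plug, `iptables -t mangle -L POSTROUTING -v -n` should list the TTL rule once, however many times the hooks have fired.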
     
  14. Pete Runyan

    Pete Runyan New Around Here

    Joined:
    Sep 14, 2015
    Messages:
    6
    Ozzmodiar, may I ask why you're looking to make the TTL 65? I have recently switched over to using an android phone tether with T-mobile and hotspot on my RT-AC68u, and have had some not-so-great behavior with certain internet functions. So I've been looking at the TTL issue, and I went ahead and enabled both the "Extend the TTL" and the "Spoof LAN TTL" option on my router, and I have to say that most of those issues (web pages not loading, Citrix ICA sessions freezing, etc. etc.) seem to have improved. But in researching the issue, it seems that maybe T-mobile is identifying non-mobile devices via the TTL.
     
  15. Ozzmodiar

    Ozzmodiar Guest


    You're correct. I was doing this to get around T-Mobile tethering restrictions. Just grab that iptables code above and you should be good to go!
     
  16. Pete Runyan

    Pete Runyan New Around Here

    Joined:
    Sep 14, 2015
    Messages:
    6
    How did you determine that your router was transmitting with a TTL of 65? If I use the PING command from the router network tools and PING the WAN IP address, I receive replies with a TTL of 64. Since the router's WAN IP address is one hop away, and I expect TTL to get decremented by one for each hop, a PING reply of TTL=64 would be correct if my router is transmitting with a TTL of 65. If this is correct, then simply turning on the router WAN option of "Extend the TTL value" seems to do the job, making the router transmit with a TTL of 65.
     
  17. Ozzmodiar

    Ozzmodiar Guest

    Extend was not working for me, if I tethered my phone, I would not get any internet. As soon as I added the iptables rule it started to work.
     
  18. ferox

    ferox New Around Here

    Joined:
    Feb 3, 2019
    Messages:
    1
    This doesn't work for me on an AC68U (Merlin 384.9) with an Android phone connected to USB3 port along with any combination of:

    Extend the TTL value
    Spoof LAN TTL value

    I can browse the internet, but when I ping the WAN ip, I get a TTL of either 44/43
    Anyone have any insights?
     
    Last edited: Feb 4, 2019
  19. Clinton Cochrane

    Clinton Cochrane New Around Here

    Joined:
    Apr 24, 2019
    Messages:
    1
    This works perfectly.

    If anyone is happening upon this thread here is what I did:
    1. install merlin
      1. download the right one from the website
      2. extract it
      3. go to your router.asus.com page
      4. in administration>firmware upgrade, upload your file and flash
    2. enable extend the ttl value and spoof lan ttl value in usb modem settings on your router.asus.com page
    3. enable ssh at administration>system in router.asus.com
    4. ssh in (I used router.asus.com) and my password
    5. run chmod a+rx /jffs/scripts/*
    6. navigate to jffs/scripts
    7. type nano firewall-start
    8. edit the script to be:
      #!/bin/sh
      iptables -t mangle -A POSTROUTING -o usb0 -j TTL --ttl-set 65

    9. ctrl+x and save it
    10. reboot the router

    I also set up tasker on my phone to turn on usb tethering, I used the power/usb in the state list then used secure settings to turn on usb tethering. Working like a charm.
     
    Last edited: Apr 30, 2019
  20. davidh44

    davidh44 Occasional Visitor

    Joined:
    Apr 15, 2018
    Messages:
    13
    Would this work with an LTE modem (I use a Netgear LB1120) connected to WAN network port?