Implements : Perimeter Router, Mobile Router
Hostname : router0, router1
Make : TP-Link
Model : WDR3600
Hardware Version : 1.4
Replaces : WRT54GL
Software : OpenWRT 14.07, 15.05.1
Purchased : 2014-05-02 £49 from Amazon, 2014-05-21 £47 from eBuyer
Arrived : 2014-05-07, 2014-05-24
OpenWRT 23
- on the limit for the WDR3600 flash size
- custom image built using the OpenWRT Firmware Selector with these packages:
base-files busybox ca-bundle collectd collectd-mod-conntrack collectd-mod-cpu collectd-mod-interface collectd-mod-memory collectd-mod-network dnsmasq-full dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd mwan3 netifd nftables nut-server nut-driver-usbhid-ups odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd procd-seccomp procd-ujail sqm-scripts swconfig uboot-envtools uci uclient-fetch urandom-seed urngd wireguard-tools kmod-usb2 kmod-usb-ledtrig-usbport luci luci-app-mwan3 luci-app-nut luci-app-sqm luci-proto-wireguard
moved to nftables
- policy-based routing with mwan3
- WireGuard VPN support
- nftables sets populated by dnsmasq (its nftset option) are synced to ipsets for mwan3 with a script, since mwan3 rules still match on ipsets
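An added example, not the page's own script nor part of mwan3 or dnsmasq, of the nftset to ipset sync mentioned above: it parses the output of nft list set for a set in fw4's inet fw4 table and rebuilds a same-named ipset atomically through ipset restore, so mwan3 never sees a half-filled set. The set name vpnhosts, the table name, the hash:ip set type and the sample nft output are assumptions; the sample is constructed.

```sh
#!/bin/sh
# Added example (not the page's own script): replay the members of an nftables
# set that dnsmasq fills via its "nftset" option into a same-named ipset, so
# mwan3 rules (which still match on ipsets) can steer those destinations.
# Assumptions: the set lives in fw4's "inet fw4" table, holds IPv4 addresses,
# and the ipset name equals the nft set name. Set name "vpnhosts" is illustrative.

NFT_TABLE="inet fw4"

# Read "nft list set ..." output on stdin, print one address per line.
# Copes with element lists split across lines and with per-element
# "timeout 1h expires 57m12s" annotations that timeout-flagged sets carry.
nft_set_elements() {
    awk '
        /elements = [{]/ { inside = 1; sub(/.*elements = [{]/, "") }
        inside {
            line = $0
            if (index(line, "}")) { sub(/[}].*/, "", line); inside = 0 }
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++)
                if (split(parts[i], tok) > 0) print tok[1]   # first token is the address
        }'
}

# Read addresses on stdin, emit an "ipset restore" script that rebuilds the
# set atomically: fill a temporary set, swap it in, drop the old one.
ipset_restore_script() {
    name="$1"
    tmp="${name}_tmp"
    echo "create $name hash:ip"
    echo "create $tmp hash:ip"
    echo "flush $tmp"
    while read -r addr; do
        [ -n "$addr" ] && echo "add $tmp $addr"
    done
    echo "swap $tmp $name"
    echo "destroy $tmp"
}

# Live sync of one set; meant for cron or a dnsmasq/fw4 hook on the router.
# $NFT_TABLE is deliberately unquoted so it splits into family and table name.
sync_nftset_to_ipset() {
    nft list set $NFT_TABLE "$1" \
        | nft_set_elements \
        | ipset_restore_script "$1" \
        | ipset -exist restore     # -exist: tolerate the sets already existing
}

# Constructed sample of "nft list set inet fw4 vpnhosts" output for offline use.
SAMPLE_NFT_OUTPUT='table inet fw4 {
    set vpnhosts {
        type ipv4_addr
        flags timeout
        elements = { 203.0.113.5 timeout 1h expires 57m12s, 203.0.113.6 timeout 1h expires 57m12s,
                     198.51.100.7 timeout 1h expires 3m1s }
    }
}'

if [ "${1:-}" = "--sync" ]; then
    sync_nftset_to_ipset "${2:-vpnhosts}"
elif [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE_NFT_OUTPUT" | nft_set_elements | ipset_restore_script vpnhosts
fi
```

Run it with --dry-run to see the restore script generated from the constructed sample, or with --sync vpnhosts on the router. Because the swap happens inside a single ipset restore, mwan3 keeps matching the old members until the new set replaces them in one step.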
OpenWRT 19
- reconfigured from a clean /etc
OpenWRT 17
- Blocked by version conflicts
- Needs a new image flashed
config 'interface' 'wan6'
option proto '6in4'
option ip6addr '2001:470:1f08:xxxx::2/64' # the IPv6 tunnel
option mtu '1424' # the IPv6 tunnel MTU (optional)
option peeraddr '216.66.80.26' # the IPv4 tunnel endpoint
option ip6prefix '2001:470:xxxx::/48' # routed prefix (required!)
## configuration options below are only valid for HEnet tunnels. ignore them
## for other tunnel providers.
option tunnelid '123456' # HE.net tunnel id
option username 'username' # HE.net username (the one you log in to tunnelbroker with, not the User ID shown after logging in)
option password 'password' # HE.net password, only if the tunnel has no update key
option updatekey 'updatekey' # HE.net update key instead of the password (the default for new tunnels)
IPv6 local
# Alternative to tunnel broker
config interface wan6
option proto 'static'
option ip6prefix '2001:470:xxxx::/48'
config interface lan
option proto 'static'
option ip6assign '64'
option ip6hint 'c0a8'
Ad Block
Link : http://homepage.ruhr-uni-bochum.de/Jan.Holthuis/misc/adblock-on-your-openwrt-router/
GitHub : https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057
Allow googleadservices.
VPN Troubleshooting
With mwan3 balancing across WANs a client's packets leave via different WAN addresses, so the VPN concentrator sees the same session arriving from multiple (NATted) public IPs and kicks the client off. Fix: pin the concentrator's address to one WAN with an mwan3 rule (below).
Conntrack Monitoring
while true ; do grep -o "ESTABLISHED.*${SRC_IP}.*${DEST_IP}.*packets=" /proc/net/nf_conntrack ; sleep 2 ; echo '--' ; done
(SRC_IP and DEST_IP must be exported or set first; the pattern is double-quoted so they expand. The packets= field only appears when conntrack accounting is enabled.)
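An added example, not from the original page, that turns /proc/net/nf_conntrack into the numbers you actually want while watching the table fill: flows per original-direction source address, per source /16, per TCP state, and the fill level against nf_conntrack_max. The per-/16 view is how you would pick a range to block in the DoS mitigation section below. The sample conntrack lines, the 80% warning threshold and the addresses in them are constructed assumptions; the live loop relies on the nf_conntrack_count and nf_conntrack_max sysctls and on /proc/net/nf_conntrack being readable.

```sh
#!/bin/sh
# Added example (not the page's own command): summarise /proc/net/nf_conntrack
# to see who is filling the table. Counts flows by original-direction source
# address and by /16, reports TCP state counts and the table fill level, which
# is what you want when deciding whether to shorten timeouts or block a range.
# The 80% threshold and the sample data below are assumptions.

WARN_PCT=80

# Flows per original-direction source IP (the first "src=" field), most first.
conntrack_top_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { c[substr($i, 5)]++; break } }
         END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${1:-10}"
}

# Same, aggregated by /16 so a scattered source range shows up as one line.
conntrack_top_net16() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) {
               split(substr($i, 5), o, ".")
               c[o[1] "." o[2] ".0.0/16"]++; break } }
         END { for (net in c) print c[net], net }' | sort -rn | head -n "${1:-10}"
}

# TCP flows per conntrack state (field 6 on tcp lines); a table dominated by
# SYN_SENT/SYN_RECV [UNREPLIED] entries is a flood, not real traffic.
conntrack_states() {
    awk '$3 == "tcp" { s[$6]++ } END { for (k in s) print s[k], k }' | sort -rn
}

# Integer percentage of the table in use: count * 100 / max.
conntrack_fill_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Live loop for the router; a richer version of the grep one-liner above.
conntrack_watch() {
    max=$(sysctl -n net.netfilter.nf_conntrack_max)
    while true; do
        count=$(sysctl -n net.netfilter.nf_conntrack_count)
        pct=$(conntrack_fill_pct "$count" "$max")
        echo "conntrack ${count}/${max} (${pct}%)"
        if [ "$pct" -ge "$WARN_PCT" ]; then
            echo "WARNING: table ${pct}% full, top source networks and TCP states:"
            conntrack_top_net16 5 < /proc/net/nf_conntrack
            conntrack_states < /proc/net/nf_conntrack
        fi
        echo '--'
        sleep 2
    done
}

# Constructed sample lines: one LAN client plus a SYN flood from 197.210.0.0/16.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 7439 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 packets=120 bytes=15000 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=51234 packets=118 bytes=90000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=192.168.1.10 dst=9.9.9.9 sport=40002 dport=53 packets=1 bytes=70 src=9.9.9.9 dst=198.51.100.2 sport=53 dport=40002 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=197.210.8.21 dst=198.51.100.2 sport=40001 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.2 dst=197.210.8.21 sport=22 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=197.210.8.21 dst=198.51.100.2 sport=40003 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.2 dst=197.210.8.21 sport=22 dport=40003 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=197.210.8.21 dst=198.51.100.2 sport=40005 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.2 dst=197.210.8.21 sport=22 dport=40005 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=197.210.8.21 dst=198.51.100.2 sport=40007 dport=22 packets=1 bytes=60 [UNREPLIED] src=198.51.100.2 dst=197.210.8.21 sport=22 dport=40007 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 59 SYN_RECV src=197.210.9.3 dst=198.51.100.2 sport=51000 dport=22 packets=1 bytes=60 src=198.51.100.2 dst=197.210.9.3 sport=22 dport=51000 packets=1 bytes=60 mark=0 zone=0 use=2'

if [ "${1:-}" = "--watch" ]; then
    conntrack_watch
fi
```

Run it with --watch on the router, or feed a saved copy of /proc/net/nf_conntrack into any of the functions. On the constructed sample the /16 view puts 197.210.0.0/16 on top with five flows, all in SYN_SENT or SYN_RECV, which is the shape of the flood the page later blocks.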
Force connections over a single interface
mwan3 evaluates rules in order and the first match wins, so this rule must come before the catch-all default rule, and the adsl_only policy it names must be defined in the same file:
/etc/config/mwan3
:
config rule 'vpn'
option dest_ip 'vpn.BLAH.BLAH'
option proto 'all'
option use_policy 'adsl_only'
conntrack tuning
net.netfilter.nf_conntrack_max
: 32768
net.netfilter.nf_conntrack_tcp_timeout_established
: 7440
nf_conntrack_max and hashsize
The mainline kernel derives the nf_conntrack_max default from the amount of system RAM, but OpenWRT (15.05) uses a fixed 16384.
Doubling nf_conntrack_max requires also doubling the nf_conntrack hashsize parameter (the number of hash buckets), otherwise the average chain length doubles and every lookup gets slower.
On the 15.05 kernel the sysctl that reports it is read-only:
sysctl net.netfilter.nf_conntrack_buckets
Hashsize can be set dynamically by writing to /sys/module/nf_conntrack/parameters/hashsize
Persist it in /etc/modules.d/nf-conntrack by appending the parameter to the module name:
nf_conntrack hashsize=4096
nf_conntrack_tcp_timeout_established
OpenWRT default is 7440s (2h4m), the minimum idle timeout for established TCP connections that RFC 5382 (NAT Behavioral Requirements for TCP, REQ-5) permits a NAT to use.
Generally best to leave this at 2h4m; anything shorter silently drops the NAT mapping of idle but still live TCP sessions.
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440
DoS Attack Mitigation
An attack filled up the conntrack table. Reduce the established-TCP conntrack timeout so entries expire faster (this undercuts the RFC 5382 minimum above, so treat it as a temporary measure and restore 7440 afterwards):
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600
And block the whole of MTN Nigeria (197.210.0.0/16):
/etc/config/firewall
config rule
option enabled '1'
option src 'wan'
option dest 'lan'
option name 'block nigerian dos'
option src_ip '197.210.0.0/16'
option target 'DROP'
Note the rule has dest 'lan', so it only drops traffic forwarded to the LAN; to also drop traffic aimed at the router itself, add the same rule without a dest option (that form applies to the input chain).
Just remember to unblock it later.