Implements : Perimeter Router, Mobile Router

Hostname : router0, router1

Make : TP-Link

Model : WDR3600

Hardware Version : 1.4

Replaces : WRT54GL

Software : OpenWRT 14.07, 15.05.1

Purchased : 2014-05-02 £49 from Amazon, 2014-05-21 £47 from eBuyer

Arrived : 2014-05-07, 2014-05-24

OpenWRT

  • Blocked by version conflicts
  • Needs a new image flashed

IPv6 tunnel (HE.net 6in4)

config 'interface' 'wan6'
    option proto '6in4'
    option ip6addr '2001:470:1f08:xxxx::2/64'   # the IPv6 tunnel
    option mtu '1424'                           # the IPv6 tunnel MTU (optional)
    option peeraddr '216.66.80.26'              # the IPv4 tunnel endpoint
    option ip6prefix '2001:470:xxxx::/48'       # routed prefix (required!)
    ## the options below are only valid for HE.net tunnels; ignore them
    ## for other tunnel providers.
    option tunnelid '123456'                    # HE.net tunnel id
    option username 'username'                  # HE.net username (the one used to log in to tunnelbroker, not the User ID shown after logging in)
    option password 'password'                  # HE.net password, if the tunnel has no updatekey
    option updatekey 'updatekey'                # HE.net updatekey instead of the password (default for new tunnels)

IPv6 local

# Alternative to tunnel broker
config interface wan6
    option proto 'static'
    option ip6prefix '2001:470:xxxx::/48'

config interface lan
    option proto 'static'
    option ip6assign '64'
    option ip6hint 'c0a8'

Ad Block

Link : http://homepage.ruhr-uni-bochum.de/Jan.Holthuis/misc/adblock-on-your-openwrt-router/

GitHub : https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057

Allow googleadservices.

VPN Troubleshooting

With mwan3 balancing across more than one WAN, a client's flows can leave via either uplink, so the VPN concentrator sees the same client arriving from more than one (NATted) public IP and kicks it off. The fix is to pin all traffic to the concentrator onto a single interface (see "Force connections over a single interface" below).

Conntrack Monitoring

while true ; do grep -o "ESTABLISHED.*${SRC_IP}.*${DEST_IP}.*packets=" /proc/net/nf_conntrack ; sleep 2 ; echo '--' ; done

SRC_IP and DEST_IP must be set in the shell first, and the pattern has to be double-quoted so they expand (single quotes search for the literal text ${SRC_IP}); `while true` rather than `while ((true))`, which busybox ash does not accept. The packets= counters only appear when accounting is on (net.netfilter.nf_conntrack_acct=1); without it, drop the trailing `.*packets=` from the pattern.

Force connections over a single interface

/etc/config/mwan3:

config rule 'vpn'
    option dest_ip 'vpn.BLAH.BLAH'
    option proto 'all'
    option use_policy 'adsl_only'
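The rule above routes traffic for the concentrator through a policy named adsl_only that these notes do not define. The /etc/config/mwan3 below is an added example, not from the original notes or from the mwan3 project, showing the interface, member and policy sections that rule depends on. Assumptions: the ADSL uplink is the interface named adsl in /etc/config/network, 8.8.8.8 is the tracking target, and 203.0.113.10 stands in for vpn.BLAH.BLAH (mwan3 documents dest_ip as an address or subnet, so put the concentrator's address there rather than its name).

```uci
config interface 'adsl'               # must match the interface name in /etc/config/network (assumed)
    option enabled '1'
    list track_ip '8.8.8.8'           # tracked host (assumed); the interface is marked down when it stops answering
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'

config member 'adsl_m1_w1'
    option interface 'adsl'
    option metric '1'
    option weight '1'

config policy 'adsl_only'
    list use_member 'adsl_m1_w1'      # single member: traffic is never balanced onto the other uplink

config rule 'vpn'
    option dest_ip '203.0.113.10'     # placeholder for the concentrator's address (vpn.BLAH.BLAH)
    option proto 'all'
    option use_policy 'adsl_only'
```

mwan3 evaluates rules in file order, so keep this rule above the catch-all default rule, then `/etc/init.d/mwan3 restart`. Every flow to the concentrator now carries the ADSL public address, which is what the concentrator expects.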

conntrack tuning

net.netfilter.nf_conntrack_max : 32768

net.netfilter.nf_conntrack_tcp_timeout_established : 7440

nf_conntrack_max and hashsize

The mainline kernel derives the nf_conntrack_max default from the amount of system RAM, but OpenWRT (15.05) pins it to 16384 in /etc/sysctl.conf.

The kernel sizes nf_conntrack_max as a fixed multiple of the hash table size, so it is the ratio that keeps lookups fast: doubling nf_conntrack_max without also doubling the nf_conntrack hashsize parameter doubles the average hash chain length. Raise the two together (here 32768 and 4096, an 8:1 ratio).

The bucket count is visible through sysctl but read-only on this kernel, so it can only be inspected there:

sysctl net.netfilter.nf_conntrack_buckets

Hashsize can be set dynamically in /sys/module/nf_conntrack/parameters/hashsize

Persist it in /etc/modules.d/nf-conntrack by appending the parameters to the module name:

nf_conntrack hashsize=4096
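Appending a line with `echo >>` is the quick way to persist this, but a second run leaves a duplicate entry, and moving nf_conntrack to the end of the file would put it after nf_conntrack_ipv4, which depends on it. The script below is an added example (not from the original notes or from OpenWRT) that applies and persists the sizing idempotently: it edits the existing nf_conntrack line in place, keeps its position, and does the same for keys in /etc/sysctl.conf. File paths are parameters so the functions can be exercised against scratch copies; the defaults are the real locations. The demo at the end works on scratch files only.

```shell
#!/bin/sh
# Added example: apply and persist conntrack sizing without leaving duplicate
# or mis-ordered lines behind. Only tune_conntrack touches the live system.

# Set the hashsize parameter on the nf_conntrack line of an OpenWRT
# /etc/modules.d file. The line keeps its position: modules in that file are
# inserted in order and nf_conntrack_ipv4 depends on nf_conntrack.
persist_hashsize() {
    size="$1"; file="${2:-/etc/modules.d/nf-conntrack}"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    awk -v line="nf_conntrack hashsize=$size" '
        $1 == "nf_conntrack" && !done { print line; done = 1; next }
        { print }
        END { if (!done) print line }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Set key=value in a sysctl.conf, replacing an existing assignment of that key
# (OpenWRT ships nf_conntrack_max=16384 there) or appending when absent.
persist_sysctl() {
    key="$1"; value="$2"; file="${3:-/etc/sysctl.conf}"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    awk -v key="$key" -v line="$key=$value" '
        { k = $0; sub(/[ \t]*=.*$/, "", k) }
        k == key && !done { print line; done = 1; next }
        { print }
        END { if (!done) print line }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Average hash chain length implied by a max/buckets pair; keep it where it
# started (8 for 32768/4096) when raising nf_conntrack_max.
chain_length() {
    echo $(( $1 / $2 ))
}

# Apply immediately (no reboot) and persist. Run this only on the router, as root.
tune_conntrack() {
    max="$1"; hashsize="$2"
    echo "$hashsize" > /sys/module/nf_conntrack/parameters/hashsize
    sysctl -w net.netfilter.nf_conntrack_max="$max"
    persist_hashsize "$hashsize"
    persist_sysctl net.netfilter.nf_conntrack_max "$max"
    echo "buckets now: $(cat /proc/sys/net/netfilter/nf_conntrack_buckets), avg chain: $(chain_length "$max" "$hashsize")"
}

# Demo on scratch copies of the two files (safe to run anywhere).
demo() {
    d=$(mktemp -d)
    printf 'nf_conntrack\nnf_conntrack_ipv4\n' > "$d/nf-conntrack"
    printf 'net.netfilter.nf_conntrack_max=16384\nnet.ipv4.ip_forward=1\n' > "$d/sysctl.conf"
    persist_hashsize 4096 "$d/nf-conntrack"
    persist_hashsize 4096 "$d/nf-conntrack"   # second run: no duplicate line, order unchanged
    persist_sysctl net.netfilter.nf_conntrack_max 32768 "$d/sysctl.conf"
    cat "$d/nf-conntrack" "$d/sysctl.conf"
    rm -r "$d"
}
demo
```

On the router the call is `tune_conntrack 32768 4096`; afterwards `sysctl net.netfilter.nf_conntrack_buckets` should report 4096 and the settings survive a reboot.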

nf_conntrack_tcp_timeout_established

The OpenWRT default is 7440 s (2 h 4 min), set in /etc/sysctl.conf and taken from RFC 5382 (NAT Behavioral Requirements for TCP), which requires an established-connection idle timeout of at least 2 hours 4 minutes.

Generally best to leave this at 2h4m: shortening it below the RFC minimum means idle but live TCP sessions lose their NAT mapping before the peer's keepalive fires.

sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440

DoS Attack Mitigation

An attack filled the conntrack table (once nf_conntrack_count reaches nf_conntrack_max the kernel drops new flows and logs "nf_conntrack: table full, dropping packet"). Stopgap: shorten the established timeout so entries expire faster. This is below the RFC 5382 minimum, so revert to 7440 once the attack stops.

sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600

And block the whole of MTN Nigeria

/etc/config/firewall

config rule
    option enabled '1'
    option src 'wan'
    option dest 'lan'
    option name 'block nigerian dos'
    option src_ip '197.210.0.0/16'
    option target 'DROP'

Then /etc/init.d/firewall reload. This rule only matches traffic forwarded to the LAN (option dest 'lan'); packets aimed at the router itself are checked in the input chain and need a separate rule with src 'wan' and no dest. Just remember to remove the block later.
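Before dropping a whole /16 it helps to see who is actually filling the table, and a running count of entries per source is also what the one-liner under "Conntrack Monitoring" is reaching for. The script below is an added example, not from the original notes or from OpenWRT: it reads /proc/net/nf_conntrack (or any file of such lines) and ranks original-direction source addresses and /16 prefixes by entry count, and counts [UNREPLIED] entries, the half-open flows that never saw a reply and that a SYN flood leaves behind. The sample lines are constructed, not a real capture; 203.0.113.5 stands in for the router's WAN address and the 197.210.x.x sources for the range blocked above. Busybox awk, sort and grep are sufficient.

```shell
#!/bin/sh
# Added example: find who is filling the conntrack table.
# Each /proc/net/nf_conntrack line carries two tuples; the first src= is the
# original direction, i.e. the host that opened the flow.

# Constructed sample lines in /proc/net/nf_conntrack format (not a real capture).
SAMPLE='ipv4     2 tcp      6 7439 ESTABLISHED src=197.210.55.1 dst=203.0.113.5 sport=40001 dport=443 src=203.0.113.5 dst=197.210.55.1 sport=443 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=197.210.55.1 dst=203.0.113.5 sport=40002 dport=443 [UNREPLIED] src=203.0.113.5 dst=197.210.55.1 sport=443 dport=40002 mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=197.210.55.1 dst=203.0.113.5 sport=40003 dport=443 [UNREPLIED] src=203.0.113.5 dst=197.210.55.1 sport=443 dport=40003 mark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=197.210.12.9 dst=203.0.113.5 sport=40004 dport=443 [UNREPLIED] src=203.0.113.5 dst=197.210.12.9 sport=443 dport=40004 mark=0 use=2
ipv4     2 tcp      6 7000 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=2'

# Entries per original-direction source IP, printed as "<count> <ip>", busiest first.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { c[substr($i, 5)]++; break } }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Same, aggregated by /16, so a whole allocation hammering the router stands
# out even when every flow comes from a different host.
top_prefixes16() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) {
               split(substr($i, 5), o, "."); c[o[1] "." o[2] ".0.0/16"]++; break } }
         END { for (p in c) print c[p], p }' | sort -rn
}

# Entries the far side never answered (grep -c prints 0 but exits 1 on no match).
unreplied_count() {
    grep -c '\[UNREPLIED\]' || true
}

# Summary for conntrack lines read on stdin.
report() {
    data="$(cat)"
    echo "entries: $(printf '%s\n' "$data" | grep -c 'src=' || true)  unreplied: $(printf '%s\n' "$data" | unreplied_count)"
    echo "top sources:"; printf '%s\n' "$data" | top_sources | head -n 5
    echo "top /16s:";    printf '%s\n' "$data" | top_prefixes16 | head -n 5
}

# Use the live table when readable (root on the router), else the sample.
if [ -r /proc/net/nf_conntrack ]; then
    report < /proc/net/nf_conntrack
else
    printf '%s\n' "$SAMPLE" | report
fi
```

On the sample the /16 view puts 197.210.0.0/16 on top with three of its four entries unreplied, which is the pattern that justified the blanket block above; a burst of real clients would show replied, ASSURED entries spread over many prefixes instead.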