Network/WDR3600.md
... ...
@@ -3,56 +3,71 @@ title: WDR3600
3 3
---
4 4
5 5
Implements
6
-: [Perimeter Router][1], [Mobile Router][2]
6
+: [Perimeter Router][1], [Mobile Router][2]
7 7
8 8
Hostname
9
-: router0, router1
9
+: router0, router1
10 10
11 11
Make
12
-: TP-Link
12
+: TP-Link
13 13
14 14
Model
15
-: [WDR3600][3]
15
+: [WDR3600][3]
16 16
17 17
Hardware Version
18
-: 1.4
18
+: 1.4
19 19
20 20
Replaces
21
-: [WRT54GL][4]
21
+: [WRT54GL][4]
22 22
23 23
Software
24
-: [OpenWRT][5] [14.07][6], 15.05.1
24
+: [OpenWRT][5] [14.07][6], 15.05.1
25 25
26 26
Purchased
27
-: 2014-05-02 [£49 from Amazon][7], 2014-05-21 £47 from eBuyer
27
+: 2014-05-02 [£49 from Amazon][7], 2014-05-21 £47 from eBuyer
28 28
29 29
Arrived
30
-: 2014-05-07, 2014-05-24
30
+: 2014-05-07, 2014-05-24
31 31
32 32
33 33
34 34
[[_TOC_]]
35 35
36
-# [OpenWRT][17][?][17]
36
+# OpenWRT 23
37 37
38
-* Blocked by version conflicts
39
-* Needs a new image flashed
38
+* on the limit for the WDR3600 flash size
39
+* custom image built using [OpenWRT Firmware Selector](https://firmware-selector.openwrt.org/)
40 40
41
+ > base-files busybox ca-bundle collectd collectd-mod-conntrack collectd-mod-cpu collectd-mod-interface collectd-mod-memory collectd-mod-network dnsmasq-full dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd mwan3 netifd nftables nut-server nut-driver-usbhid-ups odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd procd-seccomp procd-ujail sqm-scripts swconfig uboot-envtools uci uclient-fetch urandom-seed urngd wireguard-tools kmod-usb2 kmod-usb-ledtrig-usbport luci luci-app-mwan3 luci-app-nut luci-app-sqm luci-proto-wireguard
41 42
43
+* moved to nftables
44
+* policy-based routing with mwan3
45
+* [WireGuard](https://www.wireguard.com/) VPN support
46
+* nfsets populated by dnsmasq are synced to ipsets for mwan3 with a script
42 47
43
- config 'interface' 'wan6'
44
- option proto '6in4'
45
- option ip6addr '2001:470:1f08:xxxx::2/64' # the IPv6 tunnel
46
- option mtu '1424' # the IPv6 tunnel MTU (optional)
47
- option peeraddr '216.66.80.26' # the IPv4 tunnel endpoint
48
- option ip6prefix '2001:470:xxxx::/48' # routed prefix (required!)
49
- ## configuration options below are only valid for HEnet tunnels. ignore them
50
- ## for other tunnel providers.
51
- option tunnelid '123456' # HE.net tunnel id
52
- option username 'username' # HE.net username, which you use to login into tunnelbroker, not the User ID shows after you have login in.
53
- option password 'password' # HE.net password if there is no updatekey for tunnel
54
- option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels
55
-
48
+# OpenWRT 19
49
+
50
+* reconfigured from clean etc
51
+
52
+# OpenWRT 17
53
+
54
+* Blocked by version conflicts
55
+* Needs a new image flashed
56
+
57
+```
58
+config 'interface' 'wan6'
59
+ option proto '6in4'
60
+ option ip6addr '2001:470:1f08:xxxx::2/64' # the IPv6 tunnel
61
+ option mtu '1424' # the IPv6 tunnel MTU (optional)
62
+ option peeraddr '216.66.80.26' # the IPv4 tunnel endpoint
63
+ option ip6prefix '2001:470:xxxx::/48' # routed prefix (required!)
64
+ ## configuration options below are only valid for HEnet tunnels. ignore them
65
+ ## for other tunnel providers.
66
+ option tunnelid '123456' # HE.net tunnel id
67
+ option username 'username' # HE.net username, which you use to login into tunnelbroker, not the User ID shows after you have login in.
68
+ option password 'password' # HE.net password if there is no updatekey for tunnel
69
+ option updatekey 'updatekey' # HE.net updatekey instead of password, default for new tunnels
70
+```
56 71
57 72
58 73
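Review bot: the 6in4 configuration moved under the new `# OpenWRT 17` heading opens with a bare ``` fence (new line 57), so tag it with a language the renderer knows to keep it consistent with the rest of the page. Two smaller points in the same hunk: the package list at new line 41 sits in a single `>` blockquote line, which wraps badly and records neither the exact 23.x release nor the target profile chosen in the Firmware Selector, so a fenced block with the release and profile noted above it would make the image reproducible; and the bullet "nfsets populated by dnsmasq are synced to ipsets for mwan3 with a script" should link or paste that script, since it is the piece that keeps mwan3 policy routing in step with the dnsmasq-maintained sets.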
... ...
@@ -62,109 +77,99 @@ Arrived
62 77
config interface wan6
63 78
option proto 'static'
64 79
option ip6prefix '2001:470:xxxx::/48'
65
-
80
+
66 81
config interface lan
67 82
option proto 'static'
68 83
option ip6assign '64'
69 84
option ip6hint 'c0a8'
70
-
85
+
71 86
72 87
73 88
74 89
## Ad Block
75 90
76 91
Link
77
-: <http://homepage.ruhr-uni-bochum.de/Jan.Holthuis/misc/adblock-on-your-openwrt-router/>
92
+: <http://homepage.ruhr-uni-bochum.de/Jan.Holthuis/misc/adblock-on-your-openwrt-router/>
78 93
79 94
GitHub
80
-: <https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057>
95
+: <https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057>
81 96
82
-Allow googleadservices.
97
+Allow googleadservices.
83 98
84 99
85 100
86 101
## VPN Troubleshooting
87 102
88
-VPN concentrator sees multiple (NATted) IPs for a client so kicks it off.
103
+VPN concentrator sees multiple (NATted) IPs for a client so kicks it off.
89 104
90 105
### Conntrack Monitoring
91 106
92
-while ((true)) ; do cat /proc/net/nf_conntrack | grep -o  'ESTABLISHED.\*${SRC\_IP}.\*${DEST\_IP}.*packets=' ; sleep 2 ; echo '--' ; done
93
-
94
-[[$[Get Code]]][22]
107
+ while ((true)) ; do cat /proc/net/nf_conntrack | grep -o  'ESTABLISHED.\*${SRC\_IP}.\*${DEST\_IP}.*packets=' ; sleep 2 ; echo '--' ; done
95 108
96 109
97 110
98 111
### Force connections over a single interface
99 112
100
-`/etc/config/mwan3`:
113
+`/etc/config/mwan3`:
101 114
102 115
config rule 'vpn'
103 116
option dest_ip 'vpn.BLAH.BLAH'
104 117
option proto 'all'
105 118
option use_policy 'adsl_only'
106
-
119
+
107 120
108 121
109 122
110 123
## conntrack tuning
111 124
112 125
`net.netfilter.nf_conntrack_max`
113
-: 32768
126
+: 32768
114 127
115 128
`net.netfilter.nf_conntrack_tcp_timeout_established`
116
-: 7440
129
+: 7440
117 130
118 131
119 132
120 133
### nf\_conntrack\_max and hashsize
121 134
122
-Mainline kernel `nf_conntrack_max` default derives from the amount of system RAM but OpenWRT (15.05) uses a fixed 16384.
135
+Mainline kernel `nf_conntrack_max` default derives from the amount of system RAM but OpenWRT (15.05) uses a fixed 16384.
123 136
124
-Doubling `nf_conntrack_max` requires also doubling the nf_conntrack hashsize parameter.
137
+Doubling `nf_conntrack_max` requires also doubling the `nf_conntrack` hashsize parameter.
125 138
126
-The sysctl is readonly:
139
+The sysctl is readonly:
127 140
128
-sysctl net.netfilter.nf\_conntrack\_buckets
141
+ sysctl net.netfilter.nf_conntrack_buckets
129 142
130
-[[$[Get Code]]][23]
131 143
132
-Hashsize can be set dynamically in `/sys/module/nf_conntrack/parameters/hashsize`
144
+Hashsize can be set dynamically in `/sys/module/nf_conntrack/parameters/hashsize`
133 145
134
-Persist it in `/etc/modules.d/nf-conntrack` by appending the parameters to the module name:
146
+Persist it in `/etc/modules.d/nf-conntrack` by appending the parameters to the module name:
135 147
136 148
nf_conntrack hashsize=4096
137
-
138 149
139 150
140 151
141
-### nf\_conntrack\_tcp\_timeout\_established
142
-
143
-OpenWRT default is [7440s ~=2 hours][24], derived from [rfc-5382 NAT Behavioral Requirements for TCP][25].
144
-
145
-Generally best to leave this as 2h4m.
146 152
153
+### nf\_conntrack\_tcp\_timeout\_established
147 154
155
+OpenWRT default is [7440s ~=2 hours][24], derived from [rfc-5382 NAT Behavioral Requirements for TCP][25].
148 156
149
-sysctl -w net.netfilter.nf\_conntrack\_tcp\_timeout\_established=7440
157
+Generally best to leave this as 2h4m.
150 158
151
-[[$[Get Code]]][26]
152 159
160
+ sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440
153 161
154 162
155 163
## DoS Attack Mitigation
156 164
157
-Attack filled up the conntrack table. Reduce conntrack timeout.
165
+Attack filled up the conntrack table. Reduce conntrack timeout.
158 166
167
+ sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600
159 168
160 169
161
-# sysctl -w net.netfilter.nf\_conntrack\_tcp\_timeout\_established=600
170
+And block the whole of MTN Nigeria
162 171
163
-[[$[Get Code]]][28]
164
-
165
-And block the whole of MTN Nigeria
166
-
167
-`/etc/config/firewall`
172
+`/etc/config/firewall`
168 173
169 174
config rule
170 175
option enabled '1'
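Review bot: the conntrack-monitoring one-liner at new line 107 was indented into a code block but still carries the markdown escapes from the old inline rendering (`.\*`, `${SRC\_IP}`, `${DEST\_IP}`); inside a code block those backslashes are literal, so the grep pattern never matches and the variable references are malformed, and because the pattern is single-quoted the variables would not expand even once the backslashes are removed. The hunk already fixed the same escaping for the two sysctl lines (`nf_conntrack_buckets`, `nf_conntrack_tcp_timeout_established`), so give this line the same treatment and switch to double quotes: `grep -o "ESTABLISHED.*${SRC_IP}.*${DEST_IP}.*packets="`. Also, the DoS mitigation value at new line 167 is applied with `sysctl -w` only, so it is lost at reboot; if it is meant to outlive the incident, note that it belongs in `/etc/sysctl.conf` alongside the values listed under "conntrack tuning".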
... ...
@@ -173,8 +178,8 @@ And block the whole of MTN Nigeria
173 178
option name 'block nigerian dos'
174 179
option src_ip '197.210.0.0/16'
175 180
option target 'DROP'
176
-
177
-
181
+
182
+
178 183
179 184
Just remember to unblock in later.
180 185
... ...
@@ -186,12 +191,8 @@ Just remember to unblock in later.
186 191
[6]: http://wiki.openwrt.org/toh/tp-link/tl-wdr3600
187 192
[7]: http://www.amazon.co.uk/TP-Link-TL-WDR3600-Wireless-Gigabit-300Mbps/dp/B008QBAXI4/
188 193
[18]: IPv6
189
- [22]: WDR3600?action=sourceblock&num=1
190
- [23]: WDR3600?action=sourceblock&num=2
191 194
[24]: https://github.com/openwrt-mirror/openwrt/blob/master/package/base-files/files/etc/sysctl.conf
192 195
[25]: https://tools.ietf.org/html/rfc5382#section-5
193
- [26]: WDR3600?action=sourceblock&num=3
194
- [28]: WDR3600?action=sourceblock&num=4
195 196
196 197
<!--
197 198
vim: filetype=markdown
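Review bot: the four `sourceblock` references dropped here (`[22]`, `[23]`, `[26]`, `[28]`) match the `[[$[Get Code]]]` links removed in the earlier hunks, but `[18]: IPv6` is kept with no visible use and the `# [OpenWRT][17][?][17]` heading removed in the first hunk was the only visible user of `[17]`, so check that `[17]` and `[18]` are still referenced somewhere in the file or remove them in the same cleanup.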