Chadster766 / McDebian

Linksys WRT3200ACM, WRT1900AC, WRT1900ACS, WRT1200AC and WRT32X Router Debian Implementation

McDebian 5.6.14 Beta #69

Open Chadster766 opened 4 years ago

Chadster766 commented 4 years ago

McDebian 5.6.14 Beta

Updates:

Notes:

I recommend that only users that have TTL access to their WRT routers do McDebian beta testing.

In the WRT1900AC V1 make sure you have the below u-boot envars set to accommodate the increased kernel size.

#This is what I have my WRT1900AC V1 u-boot kernel size set for
root@MCDEBIAN:~# fw_printenv pri_kern_size
pri_kern_size=0x520000
root@MCDEBIAN:~# fw_printenv alt_kern_size
alt_kern_size=0x520000

Firmware:

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/firmwares/McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_5.6.14.img

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/firmwares/McDebian-Buster-WRT1900AC-V2-FW_VER1_kernel_5.6.14.img

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/firmwares/McDebian-Buster-WRT1200AC-V1-FW_VER1_kernel_5.6.14.img

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/firmwares/McDebian-Buster-WRT3200ACM-V1-FW_VER1_kernel_5.6.14.img

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/firmwares/McDebian-Buster-WRT32X-V1-FW_VER1_kernel_5.6.14.img

Root File System Update:

wget --user=mcdebian --password=mcdebian123 http://www.protechs-online.com/downloads/McDebian/rootfs-updates/mcdebian-rootfs-kernel-modules-firmwares-updates-v5.6.14-ver1.gz

rm -rf /lib/modules/*
rm -rf /lib/firmware

tar zxfk mcdebian-rootfs-kernel-modules-firmwares-updates-v5.6.14-ver1.gz

IPv6

To enable IPv6 in this beta release you need to enable radvd:

systemctl enable radvd

Then uncomment the IPv6 config lines in:

vim /etc/default/isc-dhcp-server

After that reboot the router.

sfrost commented 4 years ago

Very cool!!! Thanks for working on this. I'll see about testing it soon.

Chadster766 commented 4 years ago

It's working awesome!

sfrost commented 4 years ago

Wasn't so good for me- got:

NAND read: device 0 offset 0xa00000, size 0x500000
5242880 bytes read: OK

Booting kernel from Legacy Image at 02000000 ...

Image Name: linux
Created: 2020-05-26 10:57:42 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 5324557 Bytes = 5.1 MiB
Load Address: 00200000
Entry Point: 00200000
Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
Marvell>>

Chadster766 commented 4 years ago

Which WRT model do you have?

sfrost commented 4 years ago

It's a WRT1900AC v1

sfrost commented 4 years ago

-rw-r--r-- 1 root root 4935885 Feb 14 02:45 McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_4.19.91.img
-rw-r--r-- 1 root root 5324621 Jun 2 00:26 McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_5.6.14.img

are the two kernels I've tried, with the first working just fine, but the second throwing the above error.

root@nord:~# sha1sum McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_*
0c030806180cf8178666fd679f8afafc160f7b09 McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_4.19.91.img
434448cad51bc404b26498913a1721a34f0f4090 McDebian-Buster-WRT1900AC-V1-FW_VER1_kernel_5.6.14.img

Chadster766 commented 4 years ago

Thanks I will start troubleshooting this on my WRT1900AC V1.

Chadster766 commented 4 years ago

I checked the checksum and it matches your results.

The update loaded fine on my WRT1900AC V1.

Double check you have the below set in u-boot:

pri_kern_size=0x500000
alt_kern_size=0x500000

ValCher1961 commented 4 years ago

Hello Chad!

I think it was https://github.com/Chadster766/McDebian/issues/7#issuecomment-202169021

The bottom line is that the value of pri_kern_size and alt_kern_size should be larger than the actual size of the kernel.
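The size rule above, worked through with the numbers in this thread, as an added example that is not McDebian's or U-Boot's own code: it packs a 64-byte legacy image header, models the NAND read of pri_kern_size bytes followed by the data CRC check, and shows 0x500000 failing and 0x520000 passing for a 5324557-byte payload. The payload bytes are constructed, the function names are hypothetical, and rounding up to 0x20000 assumes the flash sector size that appears in the V1 fw_env.config line on this page.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956    # magic number of a legacy U-Boot image
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER_FMT = ">7I4B32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 64 bytes
SECTOR = 0x20000             # assumption: flash sector size used for rounding


def sample_payload(size):
    """Constructed stand-in for kernel data; only its length matters here."""
    return (bytes(range(256)) * (size // 256 + 1))[:size]


def build_legacy_image(payload, load=0x00200000, entry=0x00200000, name=b"linux"):
    """Build header + payload: OS Linux (5), ARM (2), kernel (2), uncompressed (0)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
              zlib.crc32(payload), 5, 2, 2, 0, name]
    header = struct.pack(HEADER_FMT, *fields)
    fields[1] = zlib.crc32(header)      # header CRC is taken with hcrc set to 0
    return struct.pack(HEADER_FMT, *fields) + payload


def parse_header(image):
    """Validate magic and header CRC, return the fields the boot check needs."""
    if len(image) < HEADER_LEN:
        raise ValueError("shorter than a legacy image header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy U-Boot image")
    zeroed = image[:4] + bytes(4) + image[8:HEADER_LEN]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("bad header CRC")
    return {"data_size": size, "data_crc": dcrc, "load": load, "entry": entry,
            "name": name.rstrip(b"\x00").decode("ascii", "replace")}


def simulate_boot(image, kern_size, stale=0xFF):
    """Model a read of kern_size bytes into RAM followed by the data CRC check.

    Bytes beyond kern_size never come from flash; they are modelled as
    whatever was in RAM before (the 'stale' fill byte).
    """
    hdr = parse_header(image)
    needed = HEADER_LEN + hdr["data_size"]
    ram = image[:kern_size].ljust(needed, bytes([stale]))
    data = ram[HEADER_LEN:needed]
    return {"needed": needed, "kern_size": kern_size,
            "fits": kern_size >= needed,
            "data_crc_ok": zlib.crc32(data) == hdr["data_crc"]}


def min_kern_size(image_len, sector=SECTOR):
    """Smallest sector-aligned read size that covers header and data."""
    return -(-image_len // sector) * sector


if __name__ == "__main__":
    image = build_legacy_image(sample_payload(5324557))   # Data Size from the boot log
    for kern_size in (0x500000, 0x520000):
        r = simulate_boot(image, kern_size)
        verdict = "OK" if r["data_crc_ok"] else "Bad Data CRC"
        print(f"kern_size={kern_size:#x} needed={r['needed']:#x} -> {verdict}")
    print(f"smallest sector-aligned size: {min_kern_size(len(image)):#x}")
```

The 5.6.14 image file is 5324621 bytes, which is the 5324557-byte Data Size plus the 64-byte header, so the whole file has to fit inside the configured size.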

Chadster766 commented 4 years ago

Hi @ValCher1961 😃

I've had issues with CRC before but it's been intermittent. It would be great if @sfrost could confirm that your solution works for him.

Strange though that 0x500000 works for me.

sfrost commented 4 years ago

I've had them set to 0x500000 for a long time.

root@nord:~# fw_printenv pri_kern_size
pri_kern_size=0x500000
root@nord:~# fw_printenv alt_kern_size
alt_kern_size=0x500000

I can certainly try increasing that... Not sure why it's working for you and not for me.

Chadster766 commented 4 years ago

@sfrost did you try @ValCher1961's suggestion to calculate the kernel size?

Mark-GR73 commented 4 years ago

Greetings from Greece. The McDebian 5.6.14 beta looks very stable on the WRT 3200 ACM. I would like to help your team with this project. The kernel edition looks more racing and more flexible, I think. Anyway, after at least 4 days, I believe this beta edition passes the tests for the WRT 3200 ACM. The log was clear without issues, and of course the switching/routing is fast without conflicts.

Chadster766 commented 4 years ago

Hi @Mark-GR73,

I'm glad it's working well for you.

Did you implement the nftables flowtable?

I'm not sure where to go with McDebian. At this point everything I wanted to accomplish with this project has been completed with the upcoming release. All I need to do going forward is kernel updates and Debian rootfs updates on a regular basis.

I would have liked to implement McDebian on some other routers like the EA9500, but they use the Broadcom CFE boot loader, which I'm not familiar enough with.

I have created a McDebian-Portable project (not uploaded to Github) which can be cloned to a USB Key or drive that boots Debian on UEFI, MBR, x32 and x64 systems (universal) with some built in IT utilities like Pogostick for resetting Windows user password for service. I've been experimenting with implementing Docker containers, KVM hypervisor and ZFS filesystem (or ZFS Raidz) for open source server deployments but it's a lot of work unless I opt for the unRaid approach which is good as well I suppose.

Mark-GR73 commented 4 years ago

Thanks for your reply. I did exactly as you wrote above, but I have no rules yet, no port forwarding or any firewall rules of my own.

You made all this work, so I believe the CFE of Broadcom is a piece of cake for you. You will need cfetool, frhed (hex program to read/write CFE parameters) and of course the must clis ... If you would like, I can send you some examples from Linksys EA 6900 to Asus rt u 68 or for the older e3000. It is very simple...

Your job is a wild horse. My opinion is that it would be better with kali or parrot penetration distros.. we have a router and not just a PC, we need dirty ways for solutions!

But you break the rules.. Bravo..

Chadster766 commented 4 years ago

@Mark-GR73 I don't do penetration testing in my IT work. It's only when customers forget their new passwords or admin passwords that I use Pogostick to reset it for them.

Other than that I use McDebian-Portable to repair partitions and drives.

Chadster766 commented 4 years ago

@Mark-GR73 CFE is complicated when it comes to configuring it to boot from USB, especially since it also requires an initrd packed into the firmware.

Chadster766 commented 4 years ago

@Mark-GR73 yes please send me those CFE samples.

Mark-GR73 commented 4 years ago

On the weekend, I hope to send them to you. On the other hand, I have a problem with nftables. After restart there was no internet. After many tries, if I remove the post-up nft -f /etc/nftables.conf from br0, everything is OK.

My interface config:

################################################################
auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:70:5f:c3
        pre-up iptables-restore < /etc/iptables.up.rules
        pre-up ifup --ignore-errors br0

iface wan inet6 auto
        pre-up ip6tables-restore < /etc/ip6tables.up.rules

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        post-up nft -f /etc/nftables.conf
################################################################

Probably something is wrong with nftables.conf, I think. Of course I did not type systemctl enable nftables.service.

Mark-GR73 commented 4 years ago

A typing mistake

################################################################
auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:70:5f:c3
        pre-up iptables-restore < /etc/iptables.up.rules
        pre-up ifup --ignore-errors br0

iface wan inet6 auto
        pre-up ip6tables-restore < /etc/ip6tables.up.rules

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        (#post-up nft -f /etc/nftables.conf) ----> without ()

Chadster766 commented 4 years ago

Comment out line "pre-up ifup --ignore-errors br0"

Run nft commands to check if it works:

nft -f /etc/nftables.conf

root@MCDEBIAN:~# nft list tables
table ip filter
table ip mangle
table ip nat
table ip6 nat
table ip6 mangle
table ip6 filter
table inet x

If "table inet x" is listed then the flowtable is active.

Chadster766 commented 4 years ago

If you have an older McDebian rootfs you may need to "apt-get install nftables".

Mark-GR73 commented 4 years ago

- With this type of config, the results for the wan side are OK ...

root@MCDEBIAN:~# apt list --installed | grep -i nftab
libnftables0/stable,now 0.9.0-2 armhf [installed,automatic]
nftables/stable,now 0.9.0-2 armhf [installed]

root@MCDEBIAN:~# nft list tables
table ip filter
table ip mangle
table ip nat
table ip6 nat
table ip6 mangle
table ip6 filter

root@MCDEBIAN:~# ls /etc/ | grep nfta
nftables.conf

Part of the etc/networks/interfaces file:

auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:70:5f:c3
        pre-up iptables-restore < /etc/iptables.up.rules
        (# pre-up ifup --ignore-errors br0)

iface wan inet6 auto
        pre-up ip6tables-restore < /etc/ip6tables.up.rules

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        (# post-up nft -f /etc/nftables.conf)

┌─[ote@parrot]─[~]
└──╼ $ping github.com
PING github.com (140.82.118.4) 56(84) bytes of data.
64 bytes from lb-140-82-118-4-ams.github.com (140.82.118.4): icmp_seq=1 ttl=56 time=54.4 ms
64 bytes from lb-140-82-118-4-ams.github.com (140.82.118.4): icmp_seq=2 ttl=56 time=54.7 ms
64 bytes from lb-140-82-118-4-ams.github.com (140.82.118.4): icmp_seq=3 ttl=56 time=54.8 ms

- But with /etc/networks/interfaces like:

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        post-up nft -f /etc/nftables.conf

root@MCDEBIAN:~# nft list tables
table ip filter
table ip mangle
table ip nat
table ip6 nat
table ip6 mangle
table ip6 filter
table inet x

root@MCDEBIAN:~# ip route
default dev ppp0 scope link
80.106.125.100 dev ppp0 proto kernel scope link src 94.65.238.202
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

root@MCDEBIAN:~# ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=1 ttl=57 time=59.9 ms
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=2 ttl=57 time=60.4 ms

┌─[ote@parrot]─[~]
└──╼ $ping github.com
ping: github.com: Temporary failure in name resolution

And of course if I remove the line post-up nft -f /etc/nftables.conf

root@MCDEBIAN:~# ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=1 ttl=58 time=51.10 ms
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=2 ttl=58 time=51.6 ms

┌─[✗]─[ote@parrot]─[~]
└──╼ $ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=1 ttl=56 time=58.9 ms
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=2 ttl=56 time=58.9 ms


Chadster766 commented 4 years ago

I think what's happening is you have a PPPoE internet connection and haven't updated the firewall files to work with that connection.

In McDebian the wan interface is the wan Ethernet port.

If you have a PPPoE connection you need to update the firewall files as described in this Wiki article: https://github.com/Chadster766/McDebian/wiki/5.-Network-Configuration#configuration-for-a-pppoe-internet-connection

With this beta a third file will need to be updated for the ppp0 interface:

sed -i s/wan/ppp0/g /etc/iptables.up.rules
sed -i s/wan/ppp0/g /etc/ip6tables.up.rules
sed -i s/wan/ppp0/g /etc/nftables.conf

If you didn't do these changes the firewall wouldn't be working on the ppp0 interface.
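An added example (not McDebian's code) of checking that the firewall files are bound to the interface that actually carries the uplink, which is the point of the three sed commands above: it parses iptables-save text and the flowtable device list, then reports rules still tied to another interface name, whether MASQUERADE covers the uplink, and any rule that accepts everything arriving on the uplink. The rule text is a constructed sample using this thread's interface names, and parse_rules, rename_iface, flowtable_devices and audit are hypothetical helper names.

```python
import re
import shlex

# Constructed sample in iptables-save format, using the interface names from
# this thread (wan, br0); it is not a copy of McDebian's shipped file.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p icmp -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i wan -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan -j MASQUERADE
COMMIT
"""
# Constructed one-line nftables.conf fragment with the flowtable definition.
NFT = "add flowtable inet x f { hook ingress priority 0; devices = { wan, br0 }; }\n"


def parse_rules(text):
    """Parse iptables-save text into a list of rule dicts."""
    table, rules = None, []
    keys = {"-i": "in", "-o": "out", "-j": "target"}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"table": table, "chain": tok[1], "in": None, "out": None,
                    "target": None, "matches": [], "text": line}
            i = 2
            while i < len(tok):
                if tok[i] in keys and i + 1 < len(tok):
                    rule[keys[tok[i]]] = tok[i + 1]
                    i += 2
                else:
                    rule["matches"].append(tok[i])   # -m, -p, --state, ...
                    i += 1
            rules.append(rule)
    return rules


def flowtable_devices(nft_text):
    """Return the interface names listed in the first flowtable 'devices' set."""
    m = re.search(r"devices\s*=\s*\{([^}]*)\}", nft_text)
    return [d.strip() for d in m.group(1).split(",")] if m else []


def rename_iface(text, old, new):
    """Whole-word rename; unlike a substring replace it leaves 'wan2' alone."""
    return re.sub(rf"(?<![\w.-]){re.escape(old)}(?![\w.-])", new, text)


def audit(rules_text, nft_text, uplink, lan="br0"):
    """Report how the rule set relates to the interface carrying the uplink."""
    rules = parse_rules(rules_text)
    known = {uplink, lan, "lo"}
    return {
        # rules bound to an interface that is neither uplink, LAN nor loopback
        "stale": [r["text"] for r in rules
                  if (r["in"] or r["out"]) and (r["in"] or r["out"]) not in known],
        "uplink_input_rules": sum(1 for r in rules
                                  if r["chain"] == "INPUT" and r["in"] == uplink),
        "masquerade_on_uplink": any(r["table"] == "nat" and r["out"] == uplink
                                    and r["target"] == "MASQUERADE" for r in rules),
        # ACCEPT on uplink ingress with no protocol or state match at all
        "accept_all_from_uplink": [r["text"] for r in rules
                                   if r["table"] == "filter" and r["in"] == uplink
                                   and r["target"] == "ACCEPT" and not r["matches"]],
        "flowtable_has_uplink": uplink in flowtable_devices(nft_text),
    }


if __name__ == "__main__":
    for label, rules, nft in (
        ("files still naming wan", RULES, NFT),
        ("after renaming wan to ppp0", rename_iface(RULES, "wan", "ppp0"),
         rename_iface(NFT, "wan", "ppp0")),
    ):
        print(label)
        for key, value in audit(rules, nft, uplink="ppp0").items():
            print(f"  {key}: {value}")
```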

Chadster766 commented 4 years ago

You can check if the flowtable is working by listing the flowtable. If the counter is going up it's working:

root@MCDEBIAN:/etc# nft list table inet x
table inet x {
        flowtable f {
                hook ingress priority 0
                devices = { wan, br0 }
        }

        chain y {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp, udp } flow offload @f
                counter packets 587943 bytes 95268611
        }
}

Chadster766 commented 4 years ago

@sfrost any luck getting the firmware running on your WRT1900AC V1?

Mark-GR73 commented 4 years ago

The connection to wan is pppoe.

With sed -i s/wan/ppp0/g /etc/nftables.conf

and with the conf file /etc/networks/interfaces configured as it must be:

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        post-up nft -f /etc/nftables.conf

then

┌─[ote@parrot]─[~]
└──╼ $ping github.com
PING github.com (140.82.118.3) 56(84) bytes of data.
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=1 ttl=56 time=53.8 ms
64 bytes from lb-140-82-118-3-ams.github.com (140.82.118.3): icmp_seq=2 ttl=56 time=54.0 ms

a successful response from the client side.

But the results from the flowtable are empty..

root@MCDEBIAN:~# /etc/ nft list table inet x
Error: No such file or directory; did you mean table ‘nat’ in family ip?
list table inet x
^

or,

root@MCDEBIAN:~#/etc/ nft list table inet nat
Error: No such file or directory; did you mean table ‘nat’ in family ip?
list table inet nat
^^^

and of course, as we said before, the connectivity status

root@MCDEBIAN:~#/etc/ ping -c 2 google.com
PING google.com (172.217.22.78) 56(84) bytes of data.
64 bytes from fra15s17-in-f78.1e100.net (172.217.22.78): icmp_seq=1 ttl=119 time=52.7 ms
64 bytes from fra15s17-in-f78.1e100.net (172.217.22.78): icmp_seq=2 ttl=119 time=52.7 ms

and ipv6

root@MCDEBIAN:~#/etc/ ping6 -c 2 google.com
connect: Network is unreachable


Thanks ....

Chadster766 commented 4 years ago

No the flowtable config is working fine for McDebian.

Did you change wan to ppp0 in the iptables restore files as described in that article?

Mark-GR73 commented 4 years ago

Of course I did it and I read it ... For three files..

Chadster766 commented 4 years ago

> Wasn't so good for me- got:
>
> NAND read: device 0 offset 0xa00000, size 0x500000
> 5242880 bytes read: OK
>
> Booting kernel from Legacy Image at 02000000 ...
>
> Image Name: linux
> Created: 2020-05-26 10:57:42 UTC
> Image Type: ARM Linux Kernel Image (uncompressed)
> Data Size: 5324557 Bytes = 5.1 MiB
> Load Address: 00200000
> Entry Point: 00200000
> Verifying Checksum ... Bad Data CRC
> ERROR: can't get kernel image!
> Marvell>>

@sfrost I did some troubleshooting of this since the same issue started after rebooting my WRT1900AC V1. It passed the CRC check with the below u-boot settings:

pri_kern_size=0x520000
alt_kern_size=0x520000

Chadster766 commented 4 years ago

> Of course I did it and I read it ... For three files..

Ok I will try to reproduce the pppoe issue with my WRT3200ACM in my test lab.

Chadster766 commented 4 years ago

@Mark-GR73 I got nftables working on pppoe.

I started with a new rootfs and followed this process.

First I changed the firewall files to work with the ppp0 interface:

sed -i s/wan/ppp0/g /etc/iptables.up.rules
sed -i s/wan/ppp0/g /etc/ip6tables.up.rules
sed -i s/wan/ppp0/g /etc/nftables.conf

Then I configured the pppoe connection

pppoeconf wan

I discovered changes were required in interfaces file for the pppoe config:

root@MCDEBIAN:~# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto lan1
iface lan1 inet manual

auto lan2
iface lan2 inet manual

auto lan3
iface lan3 inet manual

auto lan4
iface lan4 inet manual

iface wlp1s0 inet manual

iface wlp2s0 inet manual

auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:70:5f:c3

iface wan inet6 auto

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check

iface br0 inet6 static
        address fc00::1
        netmask 64

auto dsl-provider
iface dsl-provider inet ppp
        pre-up /bin/ip link set wan up # line maintained by pppoeconf
        pre-up iptables-restore < /etc/iptables.up.rules
        pre-up ip6tables-restore < /etc/ip6tables.up.rules
        post-up nft -f /etc/nftables.conf
        provider dsl-provider
root@MCDEBIAN:~#

After a reboot everything works and is protected on the pppoe connection:

root@MCDEBIAN:~# nft list table inet x
table inet x {
        flowtable f {
                hook ingress priority 0
                devices = { ppp0, br0 }
        }

        chain y {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp, udp } flow offload @f
                counter packets 974 bytes 359046
        }
}
root@MCDEBIAN:~#

Mark-GR73 commented 4 years ago

The results are:

root@MCDEBIAN:~/ ping google.com
ping: google.com: Temporary failure in name resolution

root@MCDEBIAN:~/ ping6 google.com
ping: google.com: Temporary failure in name resolution

root@MCDEBIAN:~/ nft list table inet x
Error: No such file or directory; did you mean table ‘nat’ in family ip?
list table inet x
^

and the new /etc/networks/interfaces

auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:02:46:73
        (# pre-up iptables-restore < /etc/iptables.up.rules)
        (# pre-up ifup --ignore-errors br0)

iface wan inet6 auto
        (# pre-up ip6tables-restore < /etc/ip6tables.up.rules)

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        (# post-up nft -f /etc/nftables.conf)

iface br0 inet6 static
        address fc00::1
        netmask 64

auto dsl-provider
iface dsl-provider inet ppp
        pre-up /bin/ip link set wan up # line maintained by pppoeconf
        pre-up iptables-restore < /etc/iptables.up.rules
        pre-up ip6tables-restore < /etc/ip6tables.up.rules
        post-up nft -f /etc/nftables.conf
        provider dsl-provider

cat /etc/iptables.up.rules
# Generated by iptables-save v1.4.21 on Sun Dec 27 19:52:32 2015
*filter
:INPUT DROP [56:9800]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [314:36932]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
COMMIT
# Completed on Sun Dec 27 19:52:32 2015
# Generated by iptables-save v1.4.21 on Sun Dec 27 19:52:32 2015
*mangle
:PREROUTING ACCEPT [270327:10352940]
:INPUT ACCEPT [268851:10276858]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2409:423412]
:POSTROUTING ACCEPT [2409:423412]
COMMIT
# Completed on Sun Dec 27 19:52:32 2015
# Generated by iptables-save v1.4.21 on Sun Dec 27 19:52:32 2015
*nat
:PREROUTING ACCEPT [266982:10051378]
:INPUT ACCEPT [36:3622]
:OUTPUT ACCEPT [197:14752]
:POSTROUTING ACCEPT [82:5760]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 27 19:52:32 2015

cat /etc/ip6tables.up.rules
# Generated by ip6tables-save v1.6.0 on Sun Nov 19 21:49:39 2017
*nat
:PREROUTING ACCEPT [4:548]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Nov 19 21:49:39 2017
# Generated by ip6tables-save v1.6.0 on Sun Nov 19 21:49:39 2017
*mangle
:PREROUTING ACCEPT [27:2230]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Nov 19 21:49:39 2017
# Generated by ip6tables-save v1.6.0 on Sun Nov 19 21:49:39 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:3554]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i ppp0 -p ipv6-icmp -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
COMMIT
# Completed on Sun Nov 19 21:49:39 2017

cat /etc/nftables.conf
create table inet x
add flowtable inet x f { hook ingress priority 0; devices = { ppp0, br0 }; }
add chain inet x y { type filter hook forward priority 0; policy accept; }
add rule inet x y ip protocol { udp, tcp } flow offload @f
add rule inet x y counter packets 0 bytes 0


I'm waiting for you....

Chadster766 commented 4 years ago

@Mark-GR73 just to confirm you don't have brackets around the commented lines in the interface file?

Please run the below commands:

lsmod
nft -i
systemctl status networking
ping 8.8.8.8
uname -a

Mark-GR73 commented 4 years ago

The terminal outputs

~/ lsmod
Module Size Used by
xt_TCPMSS 16384 1
xt_tcpmss 16384 1
sha512_generic 20480 0
cifs 618496 0
dns_resolver 16384 1 cifs
fscache 212992 1 cifs
pppoe 20480 2
pppox 16384 1 pppoe
ppp_generic 32768 6 pppox,pppoe
slhc 16384 1 ppp_generic
nft_chain_nat 16384 8
xt_MASQUERADE 16384 2
nf_nat 32768 2 xt_MASQUERADE,nft_chain_nat
nft_counter 16384 16
xt_state 16384 0
xt_conntrack 16384 3
nf_conntrack 102400 4 xt_state,xt_MASQUERADE,xt_conntrack,nf_nat
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 2 nf_conntrack,nf_nat
nft_compat 20480 9
nf_tables 126976 56 nft_compat,nft_chain_nat,nft_counter
nfnetlink 16384 2 nft_compat,nf_tables
tag_edsa 16384 1
mwifiex_sdio 32768 0
mwifiex 249856 1 mwifiex_sdio
mv88e6xxx 102400 0
mwlwifi 159744 0
dsa_core 45056 2 tag_edsa,mv88e6xxx
bridge 159744 1 dsa_core
marvell_cesa 36864 0
stp 16384 1 bridge
libdes 28672 2 marvell_cesa,cifs
llc 16384 2 bridge,stp
ip_tables 24576 0
ipv6 417792 41 bridge
nf_defrag_ipv6 16384 2 nf_conntrack,ipv6

~/ nft -i
nft>
nft>
nft> -i
Error: syntax error, unexpected -
-i
^
nft> -info
Error: syntax error, unexpected -
-info
^
nft>
nft>
nft> ^C
~/ nft -info
internal:0:0-0: Error: Could not open file "o": No such file or directory

systemctl status networking:
● networking.service - Raise network interfaces
   Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2020-06-15 16:09:43 EEST; 3h 48min ago
     Docs: man:interfaces(5)
  Process: 270 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS)
 Main PID: 270 (code=exited, status=0/SUCCESS)

Jun 15 19:47:45 MCDEBIAN dhclient[550]: No working leases in persistent database - sleeping.
Jun 15 19:54:47 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 6
Jun 15 19:54:53 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 8
Jun 15 19:55:01 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 11
Jun 15 19:55:12 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 8
Jun 15 19:55:20 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 16
Jun 15 19:55:36 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 7
Jun 15 19:55:43 MCDEBIAN dhclient[550]: DHCPDISCOVER on wan to 255.255.255.255 port 67 interval 5
Jun 15 19:55:48 MCDEBIAN dhclient[550]: No DHCPOFFERS received.
Jun 15 19:55:48 MCDEBIAN dhclient[550]: No working leases in persistent database - sleeping.
~

~/ ping -c10 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=52.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=52.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=52.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=52.2 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=52.5 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=118 time=52.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=118 time=52.5 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=118 time=52.10 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=118 time=52.7 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=118 time=52.5 ms

~/ ping google.com
PING google.com (172.217.22.78) 56(84) bytes of data.
64 bytes from fra15s17-in-f14.1e100.net (172.217.22.78): icmp_seq=1 ttl=118 time=53.2 ms
64 bytes from fra15s17-in-f14.1e100.net (172.217.22.78): icmp_seq=2 ttl=118 time=52.9 ms
64 bytes from fra15s17-in-f14.1e100.net (172.217.22.78): icmp_seq=3 ttl=118 time=53.2 ms
64 bytes from fra15s17-in-f14.1e100.net (172.217.22.78): icmp_seq=4 ttl=118 time=53.4 ms
^C

uname -a
Linux MCDEBIAN 5.6.14 #1 SMP Tue May 26 05:51:13 CDT 2020 armv7l GNU/Linux

Thanks..., I like your research way..!

Chadster766 commented 4 years ago

@Mark-GR73 just to confirm you don't have brackets around the commented lines in the interface file right?

Mark-GR73 commented 4 years ago

Of course not, only for typing reasons. If I leave only the #, the preview comes out with giant letters. That's why I use (#).

Mark-GR73 commented 4 years ago

Mcdebianboot.txt

Mark-GR73 commented 4 years ago

Serial console output, from reboot up to login.

Somewhere there is a delay on the network... For your interest, if you wish ...

Mark-GR73 commented 4 years ago

And do not forget that for the previous output of the commands you requested I used this part of /etc/network/interfaces:

auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:02:46:73
        pre-up iptables-restore < /etc/iptables.up.rules
        (# pre-up ifup --ignore-errors br0

iface wan inet6 auto
        pre-up ip6tables-restore < /etc/ip6tables.up.rules

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check
        (# post-up nft -f /etc/nftables.conf

iface br0 inet6 static
        address fc00::1
        netmask 64

auto dsl-provider
iface dsl-provider inet ppp
        pre-up /bin/ip link set wan up # line maintained by pppoeconf
        provider dsl-provider
        (#pre-up iptables-restore < /etc/iptables.up.rules
        (#pre-up ip6tables-restore < /etc/ip6tables.up.rules
        (#post-up nft -f /etc/nftables.conf

- Otherwise there is no access to wan.. I don't know if I sent you the same orders but with another config...!

Chadster766 commented 4 years ago

> Of course not, only for typing reasons. If I leave only the #, the preview comes out with giant letters. That's why I use (#).

I see, I've never seen this before since most posts use the "Insert Code" <> post menu or use three back quotes for a code block in the post.

Chadster766 commented 4 years ago

> Serial console output, from reboot up to login.
>
> Somewhere there is a delay on the network... For your interest, if you wish ...

The output has your disk being checked for errors which is causing a significant system start up delay.

Please run commands:

systemctl status systemd-fsckd
cat /etc/debian_version

Mark-GR73 commented 4 years ago

Thanks for the typing comments .. I just tried to be more clear in the text and I found a fast solution. Also you must know my English is not perfect..!

You must know I work with the e-SATA port, on an SSD.

// systemctl status systemd-fsckd
● systemd-fsckd.service - File System Check Daemon to report status
   Loaded: loaded (/lib/systemd/system/systemd-fsckd.service; static; vendor preset: enabled)
   Active: inactive (dead) since Tue 2020-06-16 14:00:42 EEST; 8h ago
TriggeredBy: ● systemd-fsckd.socket
     Docs: man:systemd-fsckd.service(8)
 Main PID: 241 (code=exited, status=0/SUCCESS)

Jun 10 11:34:19 MCDEBIAN systemd[1]: Started File System Check Daemon to report status.
Jun 16 14:00:42 MCDEBIAN systemd[1]: systemd-fsckd.service: Succeeded.

// cat /etc/debian_version
10.4

Mark-GR73 commented 4 years ago

And the /etc/fstab. Is there any reason for the delay?

~/ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
UUID=7415e2fc-4be7-4557-a785-3c8c15f903ca / ext4 errors=remount-ro 0 1
UUID=4e2b0154-7790-49c5-8045-6ab27f06d37b none swap sw 0 0
UUID=1563bf30-508c-47e5-9057-c6521305e1a3 /home ext4 defaults 0 2

Mark-GR73 commented 4 years ago

Damn it..... For this reason, as we said, I use brackets

Chadster766 commented 4 years ago

@Mark-GR73 I'm out of ideas since everything looks good.

I have two WRT3200ACM running this beta with flowtable working.

Mark-GR73 commented 4 years ago

You saw the output results. I did exactly the procedure as you advised. Please can you send me your own /etc/networks/interface

Chadster766 commented 4 years ago

> You saw the output results. I did exactly the procedure as you advised. Please can you send me your own /etc/networks/interface

root@MCDEBIAN:~# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto lan1
iface lan1 inet manual

auto lan2
iface lan2 inet manual

auto lan3
iface lan3 inet manual

auto lan4
iface lan4 inet manual

iface wlp1s0 inet manual

iface wlp2s0 inet manual

auto wan
iface wan inet dhcp
        hwaddress ether 02:e0:96:70:5f:c3

iface wan inet6 auto

auto br0
iface br0 inet static
        bridge_hw 02:2d:50:bd:ca:13
        bridge_ports lan1 lan2 lan3 lan4
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        pre-up /etc/network/mcdebian-model-check

iface br0 inet6 static
        address fc00::1
        netmask 64

auto dsl-provider
iface dsl-provider inet ppp
        pre-up /bin/ip link set wan up # line maintained by pppoeconf
        pre-up iptables-restore < /etc/iptables.up.rules
        pre-up ip6tables-restore < /etc/ip6tables.up.rules
        post-up nft -f /etc/nftables.conf
        provider dsl-provider

Chadster766 commented 4 years ago

root@MCDEBIAN:~# cat /etc/network/mcdebian-model-check
#!/bin/sh

MODEL_NUMBER=`strings /dev/mtd3 | grep 'modelNumber='`
HARDWARE_VERSION=`strings /dev/mtd3 | grep 'hw_revision='`

if [ ! $MODEL_NUMBER ]
then
        echo "mcdebian: Devinfo is corrupted, no MODEL_NUMBER found" > /dev/kmsg
else
        echo "mcdebian: $MODEL_NUMBER $HARDWARE_VERSION" > /dev/kmsg
        echo "mcdebian: Resetting u-boot bootcount" > /dev/kmsg
        /etc/network/linksys_bootcount resetbc
        if [ $MODEL_NUMBER = 'modelNumber=WRT1900AC' ] && [ $HARDWARE_VERSION = 'hw_revision=1' ]
        then
                echo "mcdebian: WRT1900AC V1 Detected" > /dev/kmsg
                if [ `systemctl is-enabled fancontrol` = disabled ]
                then
                        echo "mcdebian: Enabling and starting Fancontrol" > /dev/kmsg
                        `systemctl enable fancontrol` >> /dev/null
                        `systemctl start fancontrol` >> /dev/null
                fi
                echo "mcdebian: Changing wireless interfaces for WRT1900AC V1" > /dev/kmsg
                sed -i 's/wlp1s0/wlp3s0/g' /etc/hostapd/wlp1s0.conf
                echo "mcdebian: Changing fw_env.config to match newer WRTxxxx AC\\S\\M models" > /dev/kmsg
                sed -i 's/^\/dev\/mtd1.*/\/dev\/mtd1       0x0        0x40000      0x20000/' /etc/fw_env.config
        else
                echo "mcdebian: Newer WRTxxxx AC\\S\\M model Detected" > /dev/kmsg
                if [ `systemctl is-enabled fancontrol` = enabled ]
                then
                        echo "mcdebian: Stopping and Disabling Fancontrol" > /dev/kmsg
                        `systemctl stop fancontrol` >> /dev/null
                        `systemctl disable fancontrol` >> /dev/null
                fi
                echo "mcdebian: Changing wireless interfaces for newer WRTxxxx AC\\S\\M models" > /dev/kmsg
                sed -i 's/wlp3s0/wlp1s0/g' /etc/hostapd/wlp1s0.conf
                echo "mcdebian: Changing fw_env.config to match newer WRTxxxx AC\\S\\M models" > /dev/kmsg
                sed -i 's/^\/dev\/mtd1.*/\/dev\/mtd1    0x0        0x20000      0x40000/' /etc/fw_env.config
        fi
fi

#The below website is handy to create Random Locally Administered Unicast MAC Addresses
#https://www.hellion.org.uk/cgi-bin/randmac.pl?scope=local&type=unicast

#echo "mcdebian: Setting MAC Address on wan and br0" > /dev/kmsg
#ip link set br0 address 02:2d:50:bd:ca:13
#ip link set wan address 02:e0:96:70:5f:c3
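
An added example, not part of the McDebian script above or of the project: a quoted, fail-closed form of the same devinfo lookup. The unquoted tests such as `[ ! $MODEL_NUMBER ]` error out when `grep` returns more than one line, and the script then falls through to the `else` branch. The function names and sample strings are hypothetical, and the example assumes each `key=value` pair starts its own line in the `strings` output.

```shell
#!/bin/sh
# Added example (not McDebian code). Function names and sample data are
# hypothetical; input is strings(1)-style text, one key=value per line.

# devinfo_value KEY: read lines on stdin, print the value of the first
# non-empty "KEY=value" line; return 1 if the key is missing or empty.
devinfo_value() {
    key=$1
    while IFS= read -r line; do
        case $line in
            "$key="?*)
                val=${line#"$key"=}
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    return 1
}

# classify_model TEXT: print "v1" (WRT1900AC hw rev 1), "newer", or
# "corrupt" (no modelNumber found). Returns 1 only for "corrupt".
classify_model() {
    devinfo=$1
    model=$(printf '%s\n' "$devinfo" | devinfo_value modelNumber) || {
        echo corrupt
        return 1
    }
    hwrev=$(printf '%s\n' "$devinfo" | devinfo_value hw_revision) || hwrev=
    if [ "$model" = "WRT1900AC" ] && [ "$hwrev" = "1" ]; then
        echo v1
    else
        echo newer
    fi
}

# Constructed sample inputs (not read from a real router).
SAMPLE_V1='modelNumber=WRT1900AC
hw_revision=1'
SAMPLE_DUP='modelNumber=WRT3200ACM
hw_revision=1
modelNumber=WRT3200ACM'
SAMPLE_BAD='modelNumber=
\377\377 garbage'

for sample in "$SAMPLE_V1" "$SAMPLE_DUP" "$SAMPLE_BAD"; do
    classify_model "$sample" || true
done
```

On a router the input would come from the same source the script uses, for example `classify_model "$(strings /dev/mtd3)"`.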

Mark-GR73 commented 4 years ago

-Once more with exactly your config /etc/network/interfaces. The /etc/network/mcdebian-model-check is the same.

And the output as requested before. -Take a look at the network and nft... outputs.

Before I make a clean install I suggest finding this strange bug.. but it is already fresh .... What is your suggestion?

~/ lsmod
Module                  Size  Used by
sha512_generic         20480  0
cifs                  618496  0
dns_resolver           16384  1 cifs
fscache               212992  1 cifs
nft_flow_offload       16384  0
nf_tables_set          40960  0
nf_flow_table_inet     16384  0
nf_flow_table          32768  2 nft_flow_offload,nf_flow_table_inet
pppoe                  20480  0
pppox                  16384  1 pppoe
ppp_generic            32768  2 pppox,pppoe
slhc                   16384  1 ppp_generic
nft_chain_nat          16384  8
xt_MASQUERADE          16384  2
nf_nat                 32768  2 xt_MASQUERADE,nft_chain_nat
nft_counter            16384  15
xt_state               16384  0
xt_conntrack           16384  3
nf_conntrack          102400  6 xt_state,nf_flow_table,nft_flow_offload,xt_MASQUERADE,xt_conntrack,nf_nat
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat
nft_compat             20480  6
nf_tables             126976  55 nft_compat,nf_tables_set,nft_flow_offload,nf_flow_table_inet,nft_chain_nat,nft_counter
nfnetlink              16384  2 nft_compat,nf_tables
tag_edsa               16384  1
mv88e6xxx             102400  0
mwifiex_sdio           32768  0
mwlwifi               159744  0
mwifiex               249856  1 mwifiex_sdio
dsa_core               45056  2 tag_edsa,mv88e6xxx
bridge                159744  1 dsa_core
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
marvell_cesa           36864  0
libdes                 28672  2 marvell_cesa,cifs
ip_tables              24576  0
ipv6                  417792  41 bridge
nf_defrag_ipv6         16384  2 nf_conntrack,ipv6

~/ nft -i
nft>
nft> ^C
~/ nft -info
internal:0:0-0: Error: Could not open file "o": No such file or directory

systemctl status networking
● networking.service - Raise network interfaces
   Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2020-06-10 11:35:54 EEST; 11min ago
     Docs: man:interfaces(5)
  Process: 278 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=1/FAILURE)
 Main PID: 278 (code=exited, status=1/FAILURE)

Jun 10 11:35:54 MCDEBIAN pppd[865]: PPP session is 58936
Jun 10 11:35:54 MCDEBIAN pppd[865]: Connected to 00:c1:64:54:dd:a2 via interface wan
Jun 10 11:35:54 MCDEBIAN pppd[865]: Using interface ppp0
Jun 10 11:35:54 MCDEBIAN pppd[865]: Connect: ppp0 <--> wan
Jun 10 11:35:54 MCDEBIAN pppd[865]: Terminating on signal 15
Jun 10 11:35:54 MCDEBIAN pppd[865]: Connection terminated.
Jun 10 11:35:54 MCDEBIAN pppd[865]: Sent PADT
Jun 10 11:35:54 MCDEBIAN pppd[865]: Exit.
Jun 10 11:35:54 MCDEBIAN systemd[1]: networking.service: Failed with result 'exit-code'.
Jun 10 11:35:54 MCDEBIAN systemd[1]: Failed to start Raise network interfaces.

~/ ping 8.8.8.8
connect: Network is unreachable