Gargoyle 1.11.0 Release Candidate 4


Rog66
Posts: 206
Joined: Fri Jan 04, 2013 4:53 pm

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Rog66 »

I had the QOS coming on problem flashing from an old version on a WRT1900ACS - reflashing fixed it.

Krog
Posts: 47
Joined: Mon May 06, 2013 4:50 pm

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Krog »

To flash my Linksys WRT1200AC, is this the correct file? :)

Any advice on how well Gargoyle is working with this firmware?

http://lantisproject.com/gargoyle_1.11. ... actory.img
TL-WR-741ND V4.20 -Version 1.9.X
TL-WA-701ND V1.2 - Version 1.9.X
TL-WA-701ND V2.1 - Version 1.9.X
TL-WR-741ND V4.22 X 3 -Version 1.9.X
TL-WR-841ND V8 -Version 1.9.X
TL-WA-901ND V3 - Version 1.9.X

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Lantis »

Lantis wrote:
bluegravy wrote:Eric...

Some observations...since x86 1.11_RC3 was released it appears that port forwarding on x86 platform is possibly broken. I cannot reach my LAN devices from remote port 80 to local port 3389--Remote Desktop.
I made a change to try auto configuration of the WAN and LAN devices. It is possible that the roles of the ports have reversed between RC2 and RC3. Have you checked this? The change shouldn’t break port forwarding itself though.
If you have a /etc/config/network file from RC2 and RC3/4 that you could provide for me to compare that would be beneficial. Please be mindful to remove any passwords or identifiable information.
As a follow up to myself, I just spun up Gargoyle on a virtual machine (works quite well! never tried that before), and port forwarding was fine. Would check your network configuration.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Waterspuwer
Posts: 36
Joined: Mon Nov 12, 2018 6:04 am

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Waterspuwer »

Lantis wrote:Sure, it might be a bit of a strange assumption to make, and maybe even “lazy coding” but it works. There’s no reason for you to add any repository pointing to the Gargoyle site that isn’t there by default. Openwrt the argument could be made, sure.

Nothing out of the ordinary in your settings.
Could you force the problem with a reboot, and provide a logread and dmesg immediately after the problem occurs please?

Yes, I can force the problem (just put on higher channel and reboot). Where are logread and dmesg located? It already took some effort for me to figure out how to retrieve the other file, but I don't know where this is.

d3fz
Posts: 277
Joined: Sun Aug 28, 2016 7:34 pm

Re: Gargoyle 1.11.0 Release Candidate 4

Post by d3fz »

Waterspuwer wrote: Yes, I can force the problem (just put on higher channel and reboot). Where are logread and dmesg located? It already took some effort for me to figure out how to retrieve the other file, but I don't know where this is.
viewtopic.php?f=8&t=8505

There you go.
TP-Link Archer C7 v2 - Gargoyle 1.12.X
TP-Link WR842ND v2 - Gargoyle 1.10.X
TP-Link RE450 AC v2 - Stock FW 1.0.4
TP-Link WA850RE v1.2 - LEDE 17.01.1

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

Lantis wrote:
bluegravy wrote:Eric...

Some observations...since x86 1.11_RC3 was released it appears that port forwarding on x86 platform is possibly broken. I cannot reach my LAN devices from remote port 80 to local port 3389--Remote Desktop.
I made a change to try auto configuration of the WAN and LAN devices. It is possible that the roles of the ports have reversed between RC2 and RC3. Have you checked this? The change shouldn’t break port forwarding itself though.
If you have a /etc/config/network file from RC2 and RC3/4 that you could provide for me to compare that would be beneficial. Please be mindful to remove any passwords or identifiable information.
Next, on my Linksys WRT1900AC device. The gargoyle_1.11.x-mvebu-cortexa9-linksys-wrt1900ac-squashfs-sysupgrade. Since RC1, it seems that if I try to change my 5GHz channel to anything except channel 39, it shuts off. LED turns off and nothing on 5GHz is being seen by the devices, even though the config page shows it is on and working.

Please advise if you need further documentation, screen shots, etc.

Thanks,

Andy
You shouldn’t be able to select channel 39, it isn’t a channel we make available. Can you confirm exactly what you are setting there? A screenshot should be fine.

I made a typo. I meant to say channel 36. Either way, I reloaded the RC4 release on the WRT1900AC and it works fine now.

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

Lantis wrote:
Lantis wrote:
bluegravy wrote:Eric...

Some observations...since x86 1.11_RC3 was released it appears that port forwarding on x86 platform is possibly broken. I cannot reach my LAN devices from remote port 80 to local port 3389--Remote Desktop.
I made a change to try auto configuration of the WAN and LAN devices. It is possible that the roles of the ports have reversed between RC2 and RC3. Have you checked this? The change shouldn’t break port forwarding itself though.
If you have a /etc/config/network file from RC2 and RC3/4 that you could provide for me to compare that would be beneficial. Please be mindful to remove any passwords or identifiable information.
As a follow up to myself, I just spun up Gargoyle on a virtual machine (works quite well! never tried that before), and port forwarding was fine. Would check your network configuration.
Happy to check. I've been pulling my hair out on this. Last night (as I mentioned in my other post) I blew everything out and started from scratch on the x86 machine. I realized that I had been restoring the config and that surely was hosing things up. So, I started from scratch, reloaded the RC4 image and set it all back up. Voila! Port forwarding worked--the WAN was receiving my incoming RDP request on port 80 and Gargoyle was sending it out on 3389 and I could establish my remote desktop from the internet. Great. I went to bed, woke up 8 hours later and it stopped working.

I then SSH'ed into the machine and looked at the /etc/config/firewall statements. I found this:

Code:

config redirect 'redirect_enabled_number_0'
	option name 'RDP'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.10.1'
	option dest_port '3389'

config redirect 'redirect_enabled_number_1'
	option name 'RDP'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '80'
	option dest_ip '192.168.10.1'
	option dest_port '3389'

Hmmm...something's missing. So, I restarted the firewall and looked for errors...and saw these come in...

Code:

root@Gargoyle:~# /etc/init.d/firewall restart
Warning: Option @defaults[0].force_router_dns is unknown
Warning: Option @defaults[0].enforce_dhcp_assignments is unknown
Warning: Section 'redirect_enabled_number_0' has no target specified, defaulting to DNAT
Warning: Section 'redirect_enabled_number_1' has no target specified, defaulting to DNAT
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'RDP'
   * Redirect 'RDP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'RDP'
   * Redirect 'RDP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
iptables: No chain/target/match by that name.
 * Running script '/usr/share/miniupnpd/firewall.include'
 * Running script '/etc/openvpn.firewall'
 * Running script '/etc/tor.firewall'

I then opened vi and added the target DNAT bit, saved the file and restarted the firewall...still no port forwarding. Oh, wait, there's the issue and I think you even mentioned it...the forwarding is reversed...lan->wan...hmmm...but wouldn't the more specific rule override the more general rule? I guess not.

I changed forwarding to the following:

Code:

config forwarding
	option src 'wan'
	option dest 'lan'

Restarted the firewall and tried again...no good.

Something else is broken here. NOTE: If I change the firewall rule from incoming WAN RDP on port 80 to 3389 and forward to LAN 192.168.10.1:3389, it works fine. I would think that rules out the network and point back to this firewall config.

I've hit a wall...any ideas?

Thx,

Andy

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

This is the full firewall config as it is now (port forwarding is NOT working). Note the errors when the firewall is restarted.

Code:

root@Gargoyle:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option force_router_dns '1'
        option enforce_dhcp_assignments '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include
        option type 'script'
        option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
        option family 'IPv4'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'openvpn_include_file'
        option path '/etc/openvpn.firewall'
        option reload '1'

config include 'tor_include_file'
        option path '/etc/tor.firewall'
        option reload '1'

config remote_accept 'ra_443_443'
        option local_port '443'
        option remote_port '443'
        option proto 'tcp'
        option zone 'wan'

config remote_accept 'ra_80_80'
        option local_port '80'
        option remote_port '80'
        option proto 'tcp'
        option zone 'wan'

config remote_accept 'ra_22_22'
        option local_port '22'
        option remote_port '22'
        option proto 'tcp'
        option zone 'wan'

config redirect 'redirect_enabled_number_0'
        option name 'RDP'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.10.1'
        option dest_port '3389'

config redirect 'redirect_enabled_number_1'
        option name 'RDP'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '80'
        option dest_ip '192.168.10.1'
        option dest_port '3389'

root@Gargoyle:~# 

root@Gargoyle:~# /etc/init.d/firewall restart
Warning: Option @defaults[0].force_router_dns is unknown
Warning: Option @defaults[0].enforce_dhcp_assignments is unknown
Warning: Section 'redirect_enabled_number_0' has no target specified, defaulting to DNAT
Warning: Section 'redirect_enabled_number_1' has no target specified, defaulting to DNAT
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'RDP'
   * Redirect 'RDP'
   * Forward 'wan' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'RDP'
   * Redirect 'RDP'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'wan' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
iptables: No chain/target/match by that name.
 * Running script '/usr/share/miniupnpd/firewall.include'
 * Running script '/etc/openvpn.firewall'
 * Running script '/etc/tor.firewall'
root@Gargoyle:~#
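
Added example, not part of bluegravy's post and not Gargoyle's own code: a small Python check for an exported /etc/config/firewall that reports three things visible in the config posted above, namely the wan -> lan zone forwarding, a redirect with no target, and a redirect whose WAN port is also listed in a remote_accept section. The finding names are invented for this example, and reading remote_accept's remote_port as the WAN-side port it claims is an assumption.

```python
import re

# Constructed sample: the relevant sections of the posted config, values unchanged.
SAMPLE = """
config forwarding
        option src 'wan'
        option dest 'lan'

config remote_accept 'ra_80_80'
        option local_port '80'
        option remote_port '80'
        option proto 'tcp'
        option zone 'wan'

config redirect 'redirect_enabled_number_0'
        option name 'RDP'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.10.1'
        option dest_port '3389'
"""

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {option: value}) sections."""
    sections = []
    for line in text.splitlines():
        head = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        opt = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if head:
            sections.append((head.group(1), head.group(2) or "", {}))
        elif opt and sections:
            sections[-1][2][opt.group(1)] = opt.group(2)  # last value wins for lists
    return sections

def audit(text):
    """Return (finding, section) pairs; finding names are this example's own."""
    secs = parse_uci(text)
    # Assumption: a Gargoyle remote_accept section claims remote_port on its zone.
    claimed = {(o.get("zone"), o.get("proto"), o.get("remote_port"))
               for kind, _, o in secs if kind == "remote_accept"}
    findings = []
    for kind, name, o in secs:
        if kind == "forwarding" and o.get("src") == "wan":
            # Zone-level forwarding from wan admits unsolicited WAN traffic.
            findings.append(("wan-forwarding", f"wan->{o.get('dest')}"))
        if kind == "redirect":
            if "target" not in o:  # the firewall warns and defaults to DNAT
                findings.append(("no-target", name))
            if (o.get("src"), o.get("proto"), o.get("src_dport")) in claimed:
                findings.append(("port-also-remote-accept", name))
    return findings

print(audit(SAMPLE))
```

To check a real router, pass the contents of a copy of /etc/config/firewall to `audit()` instead of `SAMPLE`.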

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

...and the network config file...

Code:

root@Gargoyle:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde1:61f3:dcab::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.27'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option ipv6 '0'
        option dns '1.1.1.1 1.0.0.1'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

root@Gargoyle:~#

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Lantis »

Can you use the proper gargoyle network restarter to make sure all dependencies are loaded and report back?

/usr/lib/gargoyle/restart_firewall.sh
