Gargoyle 1.11.0 Release Candidate 4


ektus
Posts: 241
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

Re: Gargoyle 1.11.0 Release Candidate 4

Post by ektus »

Lantis wrote:
Your config file sets the country specifically to NL right?
What appears to be happening is the device is reading the country code from EEPROM at boot as US, where channels 12-14 are not allowed. Thus the wifi can’t start.

Normally you would see another line indicating it is overriding the country based on user config.

If you checked a log after restarting the wifi to fix the issue, I think we would see this (happy to look if needed).

A simple solution might be enabling the ping watchdog with a target on the wifi network and issuing the command "wifi" if not reachable, but this requires a client that is always running and will cause trouble if it is not.

Waterspuwer
Posts: 36
Joined: Mon Nov 12, 2018 6:04 am

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Waterspuwer »

Lantis wrote:
Your config file sets the country specifically to NL right?
What appears to be happening is the device is reading the country code from EEPROM at boot as US, where channels 12-14 are not allowed. Thus the wifi can’t start.

Normally you would see another line indicating it is overriding the country based on user config.

If you checked a log after restarting the wifi to fix the issue, I think we would see this (happy to look if needed).

I don’t know that I can provide a good solution for this (yet). I don’t have any ath10k devices to test with myself, and I don’t see this behaviour in my own devices. The only thing I could suggest is creating an init script that runs last (or using rc.local) to kick start the wifi after boot to alleviate the issue.
Or switching to channels that would be allowed in the US.

Well, the thing is, I've never set a country. It was on 'auto' I think the first time before saving the settings and then it was unavailable to change. In the config it's specified as NL. Isn't this setting used (somewhere) then?

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Gargoyle 1.11.0 Release Candidate 4

Post by ispyisail »

Well, the thing is, I've never set a country.

You need to do it just after your first flash/boot

You set country and Root password.

I understand there is also a geo-location check based on your IP address.

If you are using a VPN service I guess that could cause problems.

It's to stop people trying to select the wrong country.

If you actually do change country the only way to switch is re-flash. It's a one hit process.

...from my understanding

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

Lantis wrote:
Please revert to factory defaults, and establish the port forwarding rules via the GUI, and confirm that they work. If they work, please export a copy of /etc/config/firewall & network.

If/when the router stops forwarding between the two ports, please export the same files to check for changes.

Lantis,

I have isolated the trouble.

Under SYSTEM->Router Access->When I activate Remote Web Access to include HTTP (Port 80), this breaks port forwarding from WAN (80) to LAN (3389). If I leave it at HTTPS (443) the port forwarding works.

Firewall Config (Broken):

root@Gargoyle:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option enforce_dhcp_assignments '1'
option force_router_dns '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'

config redirect 'redirect_enabled_number_0'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'


config remote_accept 'ra_80_80'
option local_port '80'
option remote_port '80'
option proto 'tcp'
option zone 'wan'


config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

root@Gargoyle:~#

Firewall Config (Working):

root@Gargoyle:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option enforce_dhcp_assignments '1'
option force_router_dns '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'

config redirect 'redirect_enabled_number_0'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'

root@Gargoyle:~#


I can live with leaving the remote web access as HTTPS only, however these two configurations used to play nice together.

Thank you.

-Andy

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Lantis »

Thanks for tracing it. Good pickup.
I’m not sure if they ever played nicely together though? It doesn’t make sense for that to work.

A port forward instructs the router to take all traffic bound for that port, and forward it to the relevant IP (and port).
In the case of allowing external WAN access to the router interface, it needs to steal everything on port 80 for itself.

I’ll look if anything can be done, but not confident!
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
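
Added example, not part of the original thread and not Gargoyle's own code: a check for the conflict described in the post above, where a port forward and remote web access both claim the same WAN port. It assumes an overlap means the same zone, protocol and port in a `redirect` and a `remote_accept` section; `find_port_conflicts` and `sample_config` are hypothetical names, and the sample input is constructed from the "broken" config posted earlier in the thread.

```shell
# Added example (not Gargoyle code): report WAN ports claimed by both a port
# forward (redirect) and router remote access (remote_accept); config on stdin.
find_port_conflicts() {
    awk -v q="'" '
    function flush(   key) {    # record the section that just ended
        key = zone "/" proto "/" port
        if (kind == "redirect")      fwd[key] = name
        if (kind == "remote_accept") acc[key] = sect
    }
    $1 == "config" {
        flush()
        kind = $2; sect = $3; gsub(q, "", sect)
        zone = proto = port = name = ""
        next
    }
    $1 == "option" {
        val = $3; gsub(q, "", val)
        if ($2 == "name")  name = val
        if ($2 == "proto") proto = val
        # Assumption: redirects match on src/src_dport, remote_accept on zone/remote_port
        if ($2 == (kind == "redirect" ? "src" : "zone"))              zone = val
        if ($2 == (kind == "redirect" ? "src_dport" : "remote_port")) port = val
    }
    END {
        flush()
        for (k in fwd) if (k in acc) print k " redirect=" fwd[k] " remote_accept=" acc[k]
    }'
}
# Constructed sample, trimmed from the "broken" config quoted in the thread.
sample_config() {
    cat <<'EOF'
config redirect 'redirect_enabled_number_0'
option name 'RDP'
option src 'wan'
option proto 'tcp'
option src_dport '80'
option dest_port '3389'
config remote_accept 'ra_443_443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'
config remote_accept 'ra_80_80'
option remote_port '80'
option proto 'tcp'
option zone 'wan'
EOF
}
sample_config | find_port_conflicts
```

On a router the same function can read the live file with `find_port_conflicts < /etc/config/firewall`; no output means no redirect shares a WAN port with a remote access rule.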

bluegravy
Posts: 31
Joined: Mon Jul 10, 2017 12:50 pm
Location: Eastern Panhandle West Virginia, USA

Re: Gargoyle 1.11.0 Release Candidate 4

Post by bluegravy »

Yes, I completely understand. Almost like a duplicate IP situation...however, as I mentioned I'm not overly concerned with the conflict as I'll just keep the web access via port 80 off and I expect all should be well. Thanks for looking into it though, it is a bit of a unique situation.

Regards,

Andy

Waterspuwer
Posts: 36
Joined: Mon Nov 12, 2018 6:04 am

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Waterspuwer »

ispyisail wrote:
Well, the thing is, I've never set a country.
You need to do it just after your first flash/boot

You set country and Root password.

I understand there is also a geo-location check based on your IP address.

If you are using a VPN service I guess that could cause problems.

It's to stop people trying to select the wrong country.

If you actually do change country the only way to switch is re-flash. It's a one hit process.

...from my understanding

I think you can only select time region during first setup. I don't remember setting a country there at least. A country was selectable in Wi-Fi connections view, but I kept it on auto and after save it was no longer available to change. In the config file it is correctly specified as NL.

I'm not using a VPN or anything else. Just have it set up as a router :)

Waterspuwer
Posts: 36
Joined: Mon Nov 12, 2018 6:04 am

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Waterspuwer »

Just wanted to let you guys know that RC4 has otherwise been very stable for me. It's been running 24/7 since an early RC4 version without any weird issues.

The bandwidth control is really amazing, wish I discovered Gargoyle a long time ago, it's so great to be able to play a game while the rest of the house downloads :D

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 4

Post by Lantis »

I’m currently preparing RC5 for testing.
It has a few security vulnerability fixes, kernel updates, and some wireless driver changes.

Once I get good reports from that, I’ll ask Eric to release it as 1.11.0 official.

apvm
Posts: 102
Joined: Thu Apr 30, 2015 7:30 am

Re: Gargoyle 1.11.0 Release Candidate 4

Post by apvm »

Great news. I always prefer Gargoyle over others.
