Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Mon Nov 26, 2018 12:29 am
by ektus
Lantis wrote: Your config file sets the country specifically to NL right?
What appears to be happening is the device is reading the country code from EEPROM at boot as US, where channels 12-14 are not allowed. Thus the wifi can’t start.

Normally you would see another line indicating it is overriding the country based on user config.

If you checked a log after restarting the wifi to fix the issue, I think we would see this (happy to look if needed).
A simple solution might be enabling the ping watchdog with a target on the wifi network and issuing the command "wifi" if not reachable, but this requires a client that is always running and will cause trouble if it is not.

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Mon Nov 26, 2018 1:26 pm
by Waterspuwer
Lantis wrote: Your config file sets the country specifically to NL right?
What appears to be happening is the device is reading the country code from EEPROM at boot as US, where channels 12-14 are not allowed. Thus the wifi can’t start.

Normally you would see another line indicating it is overriding the country based on user config.

If you checked a log after restarting the wifi to fix the issue, I think we would see this (happy to look if needed).

I don’t know that I can provide a good solution for this (yet). I don’t have any ath10k devices to test with myself, and I don’t see this behaviour in my own devices. The only thing I could suggest is creating an init script that runs last (or using rc.local) to kick start the wifi after boot to alleviate the issue.
Or switching to channels that would be allowed in the US.
Well, the thing is, I've never set a country. It was on 'auto' I think the first time before saving the settings and then it was unavailable to change. In the config it's specified as NL. Isn't this setting used (somewhere) then?

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Mon Nov 26, 2018 1:39 pm
by ispyisail
Well, the thing is, I've never set a country.
You need to do it just after your first flash/boot

You set country and Root password.

I understand there is also a geo-location check based on your IP address.

If you are using a VPN service I guess that could cause problems.

It's to stop people trying to select the wrong country.

If you actually do change country the only way to switch is re-flash. It's a one-hit process.

...from my understanding

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Mon Nov 26, 2018 4:45 pm
by bluegravy
Lantis wrote: Please revert to factory defaults, and establish the port forwarding rules via the GUI, and confirm that they work. If they work, please export a copy of /etc/config/firewall & network.

If/when the router stops forwarding between the two ports, please export the same files to check for changes.
Lantis,

I have isolated the trouble.

Under SYSTEM->Router Access->When I activate Remote Web Access to include HTTP (Port 80), this breaks port forwarding from WAN (80) to LAN (3389). If I leave it at HTTPS (443) the port forwarding works.

Firewall Config (Broken):

root@Gargoyle:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option enforce_dhcp_assignments '1'
option force_router_dns '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'

config redirect 'redirect_enabled_number_0'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'


config remote_accept 'ra_80_80'
option local_port '80'
option remote_port '80'
option proto 'tcp'
option zone 'wan'


config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

root@Gargoyle:~#

Firewall Config (Working):

root@Gargoyle:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option enforce_dhcp_assignments '1'
option force_router_dns '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'

config redirect 'redirect_enabled_number_0'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config redirect 'redirect_enabled_number_1'
option name 'RDP'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '80'
option dest_ip '192.168.10.1'
option dest_port '3389'

config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'

root@Gargoyle:~#


I can live with leaving the remote web access as HTTPS only, however these two configurations used to play nice together.

Thank you.

-Andy

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Mon Nov 26, 2018 8:32 pm
by Lantis
Thanks for tracing it. Good pickup.
I’m not sure if they ever played nicely together though? It doesn’t make sense for that to work.

A port forward instructs the router to take all traffic bound for that port, and forward it to the relevant ip (and port).
In the case of allowing external WAN access to the router interface, it needs to steal everything on port 80 for itself.

I’ll look if anything can be done, but not confident!
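
An added example, not part of the original posts and not Gargoyle code: a shell/awk check that reads a UCI firewall config and reports every (zone, proto, port) claimed by both a `redirect` section and a `remote_accept` section, which is the overlap traced in this exchange. The function names `find_port_conflicts` and `sample_config` are hypothetical, the sample input is constructed from the section and option names in the dumps above, and the check only compares the config text, not how the firewall scripts order the resulting rules.

```shell
#!/bin/sh
# Added example (not Gargoyle code): report (zone, proto, port) tuples claimed
# by both a 'redirect' and a 'remote_accept' section of a UCI firewall config.
# Usage on a router: find_port_conflicts < /etc/config/firewall
find_port_conflicts() {
    awk '
    function flush(   k) {
        if (sect == "redirect" && o["src_dport"] != "") {
            k = o["src"] "/" o["proto"] "/" o["src_dport"]
            fwd[k] = o["dest_ip"] ":" o["dest_port"]
        } else if (sect == "remote_accept" && o["remote_port"] != "") {
            k = o["zone"] "/" o["proto"] "/" o["remote_port"]
            ra[k] = o["local_port"]
        }
        split("", o); sect = ""          # reset per-section state
    }
    $1 == "config" { flush(); sect = $2; next }
    # Values used here never contain spaces, so $3 is the whole value.
    $1 == "option" { v = $3; gsub("[\"\047]", "", v); o[$2] = v }
    END {
        flush()
        for (k in fwd) if (k in ra)
            printf "CONFLICT %s forward=%s router_port=%s\n", k, fwd[k], ra[k]
    }' | sort
}

# Constructed sample modelled on the dumps above; "http" adds ra_80_80.
sample_config() {
    for proto in tcp udp; do
        printf "config redirect\n"
        printf "\toption %s\n" "name 'RDP'" "src 'wan'" "dest 'lan'" \
            "proto '$proto'" "src_dport '80'" "dest_ip '192.168.10.1'" \
            "dest_port '3389'"
    done
    ports="22 443"
    if [ "${1:-}" = http ]; then ports="$ports 80"; fi
    for port in $ports; do
        printf "config remote_accept 'ra_%s_%s'\n" "$port" "$port"
        printf "\toption %s\n" "local_port '$port'" "remote_port '$port'" \
            "proto 'tcp'" "zone 'wan'"
    done
}

sample_config http | find_port_conflicts
```

Only the TCP forward is reported, because the `remote_accept` entry for port 80 is TCP-only and the UDP redirect on the same port has no counterpart.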

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Tue Nov 27, 2018 2:21 am
by bluegravy
Yes, I completely understand. Almost like a duplicate IP situation...however, as I mentioned I'm not overly concerned with the conflict as I'll just keep the web access via port 80 off and I expect all should be well. Thanks for looking into it though, it is a bit of a unique situation.

Regards,

Andy

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Tue Nov 27, 2018 6:34 am
by Waterspuwer
ispyisail wrote:
Well, the thing is, I've never set a country.
You need to do it just after your first flash/boot

You set country and Root password.

I understand there is also a geo-location check based on your IP address.

If you are using a VPN service I guess that could cause problems.

It's to stop people trying to select the wrong country.

If you actually do change country the only way to switch is re-flash. It's a one-hit process.

...from my understanding
I think you can only select time region during first setup. I don't remember setting a country there at least. A country was selectable in Wi-Fi connections view, but I kept it on auto and after save it was no longer available to change. In the config file it is correctly specified as NL.

I'm not using a VPN or anything else. Just have it set up as a router :)

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Thu Nov 29, 2018 11:34 am
by Waterspuwer
Just wanted to let you guys know that RC4 has otherwise been very stable for me. It's been running 24/7 since early RC4 version without any weird issues.

The bandwidth control is really amazing, wish I discovered Gargoyle a long time ago, it's so great to be able to play a game while the rest of the house downloads :D

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Thu Nov 29, 2018 3:52 pm
by Lantis
I’m currently preparing RC5 for testing.
It has a few security vulnerability fixes, kernel updates, and some wireless driver changes.

Once I get good reports from that, I’ll ask Eric to release it as 1.11.0 official.

Re: Gargoyle 1.11.0 Release Candidate 4

Posted: Fri Nov 30, 2018 9:40 pm
by apvm
Great news. I always prefer Gargoyle over others.