Different problems with different 3rd party firmwares?

Discussion in 'General Discussion' started by SiCN, Jan 22, 2006.

  1. SiCN

    SiCN Network Guru Member

    For a week now I've also been the proud owner of a WRT54GS (had to purchase a GS since all standard G's were v5). Well, anyways... I of course installed a 3rd party firmware as soon as the device was connected to a network cable and everything went just fine.

    However, I've been experiencing some problems with different firmwares:

    First I installed DD-WRT v23:
    * Worked fine (except some glitch with the DHCP-server), however, felt that there were many unnecessary options so I reflashed to

    HyperWRT Thibor 12 release:
    * All machines on the LAN side seem to receive traffic on all kinds of ports even though the firewall is activated, which makes me suspect that the firewall code is broken.

    I then installed

    DD-WRT v23 SP1:
    * WPA2-PSK doesn't seem to work. Activating it renders my WLAN unusable. Only turning off security makes my AP accessible.
    * BitTorrent traffic basically forces this router to its knees. Having two concurrent downloads with very moderate download/upload settings will make all other traffic basically impossible (even when activating QoS).

    Now my question: what can I do to have the firewall working, WPA2-PSK working, and be able to use BitTorrent without the router crashing every couple of seconds (sometimes minutes) and/or slowing down so much that all other traffic grinds to a halt?

    Appreciate your tips,
    thanks in advance!
  2. Thibor

    Thibor Super Moderator Staff Member Member

    actually, the firewall isn't broken in any way. I've port tested repeatedly and there are NO ports open. check your upnp settings if there are ports open that you haven't opened. also check your firewall config. post your /tmp/.ipt here and I'll tell you where the issue lies. also post your firewall options
  3. SiCN

    SiCN Network Guru Member

    I am sporting Thibor 14 now and after installing Avast I constantly get messages about the netbios-port being attacked. Eventually I decided to switch to Norton Anti Virus since I thought that Avast may be overreacting but Norton says exactly the same:

    Intrusion: MS ASN1 Integer Overflow TCP
    Protocol: TCP
    Risk Level: High
    Attacked IP:
    Attacked Port: netbios-ssn(139)

    My settings in Thibor's firewall tab are as follows:

    Firewall Protection: Enabled
    Block Portscans: Yes
    Block Anonymous Internet Requests: Yes
    Filter Multicast: Yes
    Filter IDENT(Port 113): Yes

    The ports opened in the UPnP-tab are:
    16881 tcp Azureus UPnP 16881 TCP
    16881 udp Azureus UPnP 16881 UDP

    DMZ of course is disabled.
    Also, I've got no port redirections but I have manually opened port 16381 in the port forward tab.

    Sorry in advance, but here is my 128-line .ipt file:

    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i br0 -j MARK --set-mark 256
    -I PREROUTING -i br0 -p tcp --destination-port 27030:27039 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 6073 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 2302:2400 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 4000 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 6112:6119 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 7000 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 1024:6000 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 6003 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 7002 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 27910 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 27660 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 8080 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 27900 -j DSCP --set-dscp-class EF
    -I PREROUTING -i br0 -p tcp --destination-port 7777:7783 -j DSCP --set-dscp-class EF
    -A PREROUTING -j CONNMARK --restore-mark
    -A PREROUTING -i br0 -m mark ! --mark 0 -j ACCEPT
    -A PREROUTING -i br0 -m ipp2p --ipp2p -j MARK --set-mark 240
    -A PREROUTING -i br0 -m ipp2p --bit -j MARK --set-mark 240
    -A PREROUTING -i br0 -m ipp2p --edk -j MARK --set-mark 240
    -A PREROUTING -i br0 -m ipp2p --gnu -j MARK --set-mark 240
    -A PREROUTING -i br0 -m ipp2p --kaz -j MARK --set-mark 240
    -A PREROUTING -i br0 -p tcp -m ipp2p --winmx -j MARK --set-mark 240
    -A PREROUTING -i br0 -p tcp -m ipp2p --soul -j MARK --set-mark 240
    -A PREROUTING -i br0 -p tcp -m ipp2p --apple -j MARK --set-mark 240
    -A PREROUTING -i br0 -p tcp -m ipp2p --dc -j MARK --set-mark 240
    -A PREROUTING -i br0 -p tcp -m mark --mark 210 -j CONNMARK --save-mark
    -A PREROUTING -i br0 -p tcp -m mark --mark 220 -j CONNMARK --save-mark
    -A PREROUTING -i br0 -p tcp -m mark --mark 230 -j CONNMARK --save-mark
    -A PREROUTING -i br0 -p tcp -m mark --mark 240 -j CONNMARK --save-mark
    -A PREROUTING -j CONNMARK --save-mark
    -A POSTROUTING -o vlan1 -m mark --mark 210 -j DSCP --set-dscp-class EF
    -A POSTROUTING -o vlan1 -m mark --mark 220 -j DSCP --set-dscp-class AF11
    -A POSTROUTING -o vlan1 -m mark --mark 230 -j DSCP --set-dscp-class AF21
    -A POSTROUTING -o vlan1 -m mark --mark 240 -j DSCP --set-dscp-class AF41
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d -j DROP
    -A PREROUTING -p icmp -d 82.182.59.xxx -j DNAT --to-destination
    -A PREROUTING -i vlan1 -p udp -m udp -d 82.182.59.xxx --dport 16881 -j DNAT --to-destination
    -A PREROUTING -i vlan1 -p tcp -m tcp -d 82.182.59.xxx --dport 16881 -j DNAT --to-destination
    -A PREROUTING -p tcp -m tcp -d 82.182.59.xxx --dport 16384:16389 -j DNAT --to-destination
    -A PREROUTING -d 82.182.59.xxx -j TRIGGER --trigger-type dnat
    -A POSTROUTING -o br0 -s -d -j MASQUERADE
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :logreject - [0:0]
    :trigger_out - [0:0]
    :lan2wan - [0:0]
    :grp_1 - [0:0]
    :advgrp_1 - [0:0]
    :grp_2 - [0:0]
    :advgrp_2 - [0:0]
    :grp_3 - [0:0]
    :advgrp_3 - [0:0]
    :grp_4 - [0:0]
    :advgrp_4 - [0:0]
    :grp_5 - [0:0]
    :advgrp_5 - [0:0]
    :grp_6 - [0:0]
    :advgrp_6 - [0:0]
    :grp_7 - [0:0]
    :advgrp_7 - [0:0]
    :grp_8 - [0:0]
    :advgrp_8 - [0:0]
    :grp_9 - [0:0]
    :advgrp_9 - [0:0]
    :grp_10 - [0:0]
    :advgrp_10 - [0:0]
    :grp_11 - [0:0]
    :advgrp_11 - [0:0]
    :grp_12 - [0:0]
    :advgrp_12 - [0:0]
    :grp_13 - [0:0]
    :advgrp_13 - [0:0]
    :grp_14 - [0:0]
    :advgrp_14 - [0:0]
    :grp_15 - [0:0]
    :advgrp_15 - [0:0]
    :grp_16 - [0:0]
    :advgrp_16 - [0:0]
    :grp_17 - [0:0]
    :advgrp_17 - [0:0]
    :grp_18 - [0:0]
    :advgrp_18 - [0:0]
    :grp_19 - [0:0]
    :advgrp_19 - [0:0]
    :grp_20 - [0:0]
    :advgrp_20 - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -m psd -j DROP
    -A INPUT -p icmp -j DROP
    -A INPUT -p igmp -j DROP
    -A INPUT -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
    -A FORWARD -i vlan1 -o br0 -j TRIGGER --trigger-type in
    -A FORWARD -i br0 -j trigger_out
    -A FORWARD -i br0 -j lan2wan
    -A FORWARD -p udp -m udp -d --dport 16881 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d --dport 16881 -j ACCEPT
    -A FORWARD -p tcp -m tcp -d --dport 16384:16389 -j ACCEPT
    -A FORWARD -i br0 -m state --state NEW -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logreject -p tcp -m tcp -j REJECT --reject-with tcp-reset
  4. SiCN

    SiCN Network Guru Member

    Hehe :) Does the lack of response mean I uncovered a bug? :D
  5. NateHoy

    NateHoy Network Guru Member

    Well, if you've uncovered a bug, you're the only one experiencing it, at least. I'm running several computers behind my WRT54G V4 running HyperWRT Thibor 14, and all of my computers also run software firewalls (ZoneAlarm), and I've never had such an alert.

    Oh, and a simple Google search on that threat description you posted indicates that it is a malady that exists in a large number of SOFTWARE packages, so this is not, repeat, not an anonymous outside attack on the firewall. The firewall does not inspect packets for malware, it only inspects packets to make sure they are coming in to a computer that requested them.

    This is an attack on a software package installed on your computer that is opening ports and is vulnerable to attack through the ports it has validly opened. Which is PRECISELY why I run software firewalls in addition to the SPI firewall on the WRT54G.


    Your software firewall did its job, a job for which it is uniquely qualified.
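To make the point above concrete (the SPI firewall only lets WAN traffic in for ports that were requested or explicitly forwarded), here is a toy first-match evaluator for an iptables-save style FORWARD chain. This is an added example, not code from the thread or from HyperWRT/Thibor. The rules mirror the shape of the .ipt dump posted earlier in the thread but are constructed here: 192.168.1.100 is a placeholder LAN host (the posted dump has its destination addresses blanked), the FORWARD policy is assumed to be DROP because the policy line is missing from the dump, and only the matches that dump actually uses (-i, -o, -p, -d, --dport, --state) are modelled.

```python
"""Toy first-match evaluator for an iptables-save style FORWARD chain (added example).

Constructed to resemble the .ipt dump posted in this thread; 192.168.1.100 is a
placeholder LAN host and FORWARD_POLICY is an assumption (the policy line is not
in the posted dump).  Only -i, -o, -p, -d, --dport and --state are modelled.
"""
import shlex

FORWARD_POLICY = "DROP"  # assumption, see module docstring

SAMPLE_RULES = """\
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -j lan2wan
-A FORWARD -p udp -m udp -d 192.168.1.100 --dport 16881 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.1.100 --dport 16881 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.1.100 --dport 16384:16389 -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return {chain: [rule, ...]}; each rule is a dict of match fields plus its target."""
    chains = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain, rule, i = toks[1], {"target": None}, 2
        while i < len(toks):
            t = toks[i]
            if t in ("-i", "-o", "-p", "-d"):
                rule[t] = toks[i + 1]
                i += 2
            elif t == "--dport":
                lo, _, hi = toks[i + 1].partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
                i += 2
            elif t == "--state":
                rule["state"] = set(toks[i + 1].split(","))
                i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif t == "-m":
                i += 2  # module name only; its options are handled above
            else:
                i += 1  # anything else is ignored by this toy
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    """True if every match field present in the rule agrees with the packet."""
    for key in ("-i", "-o", "-p", "-d"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dport" in rule:
        lo, hi = rule["dport"]
        if not lo <= pkt["dport"] <= hi:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def evaluate(chains, pkt, chain="FORWARD"):
    """Walk a chain first-match; return the terminal verdict (None inside a custom chain)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target in chains:  # jump into a user-defined chain
            verdict = evaluate(chains, pkt, target)
            if verdict:
                return verdict
        # empty custom chains (trigger_out, lan2wan here) simply fall through
    return FORWARD_POLICY if chain == "FORWARD" else None


def verdict(in_if, out_if, proto, dst, dport, state="NEW"):
    """Verdict for one packet described by interface, protocol, destination and state."""
    pkt = {"-i": in_if, "-o": out_if, "-p": proto, "-d": dst, "dport": dport, "state": state}
    return evaluate(parse_rules(SAMPLE_RULES), pkt)


if __name__ == "__main__":
    # Unsolicited WAN -> LAN traffic to netbios-ssn never reaches an ACCEPT rule
    print("WAN->LAN tcp/139:", verdict("vlan1", "br0", "tcp", "192.168.1.100", 139))
    # The Azureus port opened via UPnP is forwarded to the placeholder host
    print("WAN->LAN tcp/16881:", verdict("vlan1", "br0", "tcp", "192.168.1.100", 16881))
    # Anything the LAN initiates is allowed out
    print("LAN->WAN tcp/443:", verdict("br0", "vlan1", "tcp", "203.0.113.5", 443))
```

Under these assumptions an unsolicited WAN packet to tcp/139 falls through to the policy, while the UPnP-opened 16881 and the manually forwarded 16384:16389 range are the only inbound holes; an alert about port 139 on a LAN host therefore points at a LAN-side source or at the host's own exposure, which is what the post above argues.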
  6. NateHoy

    NateHoy Network Guru Member

    WPA2/PSK is dependent on the client software supporting it.

    BitTorrent is known for filling up the router's iptable, especially with the Linksys defaults. HyperWRT Thibor has an automatic fix for that, and adjustments that allow you to further refine the numbers.

    The two factors are:

    1. Number of connections in the iptable (Linksys default: 2,048; Thibor default: 2,048; realistic max: 4,096)

    This indicates the number of entries that are available in the connections table. Each entry takes up memory, so you want to minimize this, but when you run out of entries, the router will "crash" (existing connections work fine, but new connections are not allowed).

    2. Time until active connections become idle ones (Linksys default: 5 DAYS; Thibor default: 600 sec (10 minutes))

    This one is the real gem. Connections that are marked as active, but have not received any traffic in a long time, are eventually marked as "IDLE" so the router can re-use the connection. Set this too low, and established connections (like Telnet) get dropped on you if they sit idle for a while. Set this too high, and your connections table fills up.

    So, for best P2P stability under very heavy P2P loads, set the connections table size to 4,096 and the timeout to 600 seconds. That way, your table will never fill up.

    Of course, such a large table and such a low timeout will cost you overall performance, because that's a lot of memory chewed up by the table and a lot of processor chewed up by the constant maintenance.

    Mine is set to 4,096 entries and 14,400 seconds (4 hours). This is primarily because I also use my router to connect to work, and I use a lot of Telnet, and I can't stand having my connections drop if I don't visit each one every 10 minutes. ;)
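The interaction between table size and idle timeout described in the post above, as an added simulation (not HyperWRT/Thibor code). Assumptions: a constant load of 2 new flows per second, each flow sends its last packet 30 seconds after it starts, and its table entry is reclaimed `idle_timeout` seconds after that last packet.

```python
"""Toy model of a router connection-tracking table (added example, not firmware code).

Assumptions: constant arrival rate of new flows, each flow active for
`active_secs`, and the entry reclaimed `idle_timeout` seconds after the flow's
last packet.  The parameter values below are the ones quoted in this thread.
"""
from collections import deque

FIVE_DAYS = 5 * 24 * 3600  # Linksys default idle timeout quoted above


def simulate(max_entries, idle_timeout, new_per_sec=2, active_secs=30, duration=3600):
    """Run `duration` simulated seconds; return (peak_occupancy, refused_flows).

    A new flow is refused when the table is full: that is the "crash" described
    above, where existing connections keep working but new ones are not allowed.
    """
    expiries = deque()  # reclaim time per entry; FIFO append keeps it sorted
    peak = refused = 0
    for now in range(duration):
        while expiries and expiries[0] <= now:  # reclaim entries whose idle timer ran out
            expiries.popleft()
        for _ in range(new_per_sec):
            if len(expiries) >= max_entries:
                refused += 1
            else:
                expiries.append(now + active_secs + idle_timeout)
        peak = max(peak, len(expiries))
    return peak, refused


def steady_state_occupancy(idle_timeout, new_per_sec=2, active_secs=30):
    """Little's law: entries in the table ~= arrival rate * lifetime of one entry."""
    return new_per_sec * (active_secs + idle_timeout)


def compare():
    """The three configurations discussed above under the same assumed P2P load."""
    configs = {
        "Linksys default (2048 entries, 5 days)": (2048, FIVE_DAYS),
        "Thibor default (2048 entries, 600 s)": (2048, 600),
        "Suggested (4096 entries, 600 s)": (4096, 600),
    }
    return {name: simulate(m, t) for name, (m, t) in configs.items()}


if __name__ == "__main__":
    for name, (peak, refused) in compare().items():
        print(f"{name}: peak {peak} entries, {refused} new flows refused in 1 h")
    print("steady state at 600 s timeout:", steady_state_occupancy(600), "entries")
```

Under this load the 5-day timeout fills a 2,048-entry table in about 17 minutes and then refuses every new flow, while a 600 s timeout holds occupancy at roughly 2 × (30 + 600) = 1,260 entries whatever the table size, which is why the timeout is the parameter that matters most.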
  7. Toxic

    Toxic Administrator Staff Member

    I thought the Firewall stops incoming data on the WAN and not the LAN ports?

    sorry WPA2 works here and so does BitTorrent. are you sure the rest of your Wireless devices support WPA2? if you say you can only connect when WPA2 is disabled then I would suggest the problem is compatibility with the other wireless devices not supporting WPA2. did you install the WPA2 Patch from Microsoft for XP?

    BitTorrent opens so many connections on the same port it chokes the bandwidth. make sure you have limited the amount of connections that BT uses, and you enable QoS and configure it for BT to have the lowest priority.

    did you do a hard reset once you had upgraded your firmwares?

    DDWRT and Thibor both work for me.
  8. SiCN

    SiCN Network Guru Member

    Thanks for all the responses.

    WPA2-PSK works fine for me if I use HyperWRT, however, in DD-WRT it didn't work well at all.

    Anyways, that is no longer my problem.

    The problem is mostly the firewall issue and according to you guys it's some client-side software that has gone haywire. That is perhaps true, I guess I gotta investigate. The funny thing is that I never had these kinds of messages when I was running my old PC as a Linux firewall.

    Well well, I'll have to check next time I get the message.

    Thanks again!