Re: DNS Adblocking & Blacklisting dnsmasq Configuration Integration Package v1.0.3


wrote:

How would I add the Shalla lists.

 

The part that confuses me is adding specific categories...


You'll need to be more specific with your question. How about starting by providing a link to the raw blacklist file you would like update-dnsmasq to process, so we can better help you?

 

Here's example what we need: http://www.hostsfile.org/Downloads/hosts.txt


Re: Gotcha2 errors since 1.10 upgrade on ER-L


Well, turns out I spoke too soon. When I looked this morning, the errors are still going, at a much slower pace, but not fixed:

 

Feb 25 07:52:39 ERL-Home kernel: skbuff: Gotcha2 8000000419266000 8000000419266142 -4
Feb 25 07:52:39 ERL-Home kernel: CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           O 3.10.107-UBNT #1
Feb 25 07:52:39 ERL-Home kernel: Call Trace:
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc006f0a4>] show_stack+0x6c/0xf8
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc032423c>] skb_push+0xa4/0xb0
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc03d93a4>] packet_rcv+0xdc/0x4c0
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc032e7b0>] __netif_receive_skb_core+0x498/0x8c8
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc03329b8>] netif_receive_skb+0x28/0xa8
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc087fac8>] cvm_oct_napi_poll_38+0x4d0/0xa70 [octeon_ethernet]
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc0333230>] net_rx_action+0x228/0x2b8
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc0095294>] __do_softirq+0x1dc/0x228
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc00953b0>] do_softirq+0x68/0x70
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc0095a80>] irq_exit+0x70/0x80
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc00073a4>] plat_irq_dispatch+0x4c/0xd8
Feb 25 07:52:39 ERL-Home kernel: [<ffffffffc006a834>] handle_int+0x114/0x11c
 

Re: DNS Adblocking & Blacklisting dnsmasq Configuration Integration Package v1.0.3


Hi,

 

Great package!

 

I just installed the latest version and saw this error:

 

post-install: INFO[075]18:31:15.734: set service dns forwarding blacklist hosts source sysctl.org description "This hosts file is a merged collection of hosts from Cameleon"
post-install: INFO[076]18:31:15.917: set service dns forwarding blacklist hosts source sysctl.org prefix 127.0.0.1
post-install: INFO[077]18:31:16.099: set service dns forwarding blacklist hosts source sysctl.org url http://sysctl.org/cameleon/hosts
post-install: INFO[078]18:31:16.316: set system task-scheduler task update_blacklists executable path /config/scripts/blacklist-cronjob.sh
The specified configuration node is not valid
Set failed
post-install: ERRO[079]18:31:16.493: set task update_blacklists executable arguments 10800 failed!
post-install: INFO[07a]18:31:16.682: set system task-scheduler task update_blacklists interval 1d
[ system task-scheduler ]
Restarting periodic command scheduler: cronStopping periodic command scheduler: cron.
Starting periodic command scheduler: cron.

[ service dns forwarding blacklist ]
update-dnsmasq: NOTI[001]18:31:18.606: Starting blacklist update...
update-dnsmasq: INFO[002]18:31:18.607: Removing stale blacklists...
update-dnsmasq: INFO[003]18:31:18.612: includes: downloaded: 2
update-dnsmasq: INFO[004]18:31:18.612: includes: extracted: 2
update-dnsmasq: INFO[005]18:31:18.613: includes: dropped: 0

 

Everything seems to work so I don't know what it missed.

 

One general observation when installing the package, why so many default block list sources? A lot can go wrong with any of these sources. My suggestion would be to limit the default and let the user choose what to install on top of it. I now use:

 

set service dns forwarding blacklist domains source NoBitCoin description 'Blocking Web Browser Bitcoin Mining'
set service dns forwarding blacklist domains source NoBitCoin prefix 0.0.0.0
set service dns forwarding blacklist domains source NoBitCoin url 'https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt'
set service dns forwarding blacklist domains source simple_tracking description 'Basic tracking list by Disconnect'
set service dns forwarding blacklist domains source simple_tracking url 'https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt'
set service dns forwarding blacklist exclude sourceforge.net
set service dns forwarding blacklist hosts source githubSteveBlack description 'Blacklists adware and malware websites'
set service dns forwarding blacklist hosts source githubSteveBlack prefix 0.0.0.0
set service dns forwarding blacklist hosts source githubSteveBlack url 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'

Re: Edgepoint Conntrack full but no reason for conntrack to be enabled


No it should not!

 

But be aware that issuing iptables --list -vn -t nat will load nf_conntrack!

 

If you do not have a NOTRACK rule in iptables, your router will screw up when the table gets full!

 

I also ran into that type of issue. My routers locked up and I was not able to connect to the router via WebIF or SSH via IPv4! But you are able to ssh into that device via IPv6!

 

Sometimes my employees issue that iptables-command and after some hours the machine is "dead" and our customers start to open tickets "Internet is not working..." - Congratulations!

 

ssh fe80:xxxxxxxxxxx%eth1 from a direct neighbour gives you access to your router.

If you do not know the link-local address of your router, you can issue an arping to get the MAC address and build the link-local address via that handy tool: http://www.sput.nl/internet/ipv6/ll-mac.html

rmmod nf_conntrack_ipv4 nf_conntrack_netlink nf_conntrack

 

and your routing is restored and you do not need to reboot.

 

PS: If nf_conntrack_ipv4 is loaded and you have 0 flows in your conntrack table, this is because in the RAW table there is a -j NOTRACK rule that will prevent a new flow entry. I think that is new to v1.10.0, that only NATted packets get tracked. If you don't do full stateful firewalling (related, established -> accept) then you do not need to know all currently active flows!

Re: Noobie Firewall Inter-VLAN Config


Thanks for the quick reply.  As you said, I did change the internal networks from a 192 range to a 10 range.  And no, the class B net mask was just a goofing around config until I sort out the firewall to make this my primary network.  The final build will be a simple class c likely.

 

I hate to be a pain, but just as important as implementing these rules is understanding what they accomplish.  Would you be willing to comment on what each of the rules accomplishes?

 

Either way, thanks for all your assistance.

Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!


Thanks for the advice wrt the hosts file.

 

I'll reconfigure using the recommended approach.

 

Tell me, would this also allow the static host commands to be saved as part of the backup? During this dilemma my backup file didn't help for obvious reasons. 

Re: Offloading-Flow randomly "jumps" from Offload-Engine to Linux / ER-Pro8 / v.1.10.0


Yeah, it is getting better.... Overall performance is now so good that you are not able to do things on the ssh console.

Ghost typing, over 700ms delay.... Wow, what an incredible router!

 

This has impact for all customers having bad internet-connectivity. For us that means potential loss of revenue.

 


 

I have ordered a Juniper MX480 because that issue is no longer justifiable for our customers, and Mikrotik (keep that crap out of my datacenters). Over weeks we thought that this service impact was related to the reordering issue, but as I can see, that issue is bigger than that.

 

I will send a video after the MX480 is installed and running, showing how I throw the ER-Pro8 into the trash, pour petrol on it, burn that crap router and send it directly to hell!

 


Re: EdgeMAX EdgeRouter software version v1.10.0 has been released!


wrote:

Thanks for the advice wrt the hosts file.

 

I'll reconfigure using the recommended approach.

 

Tell me, would this also allow the static host commands to be saved as part of the backup? During this dilemma my backup file didn't help for obvious reasons. 


It will, as the master router configuration is contained within that backup (as /config/config.boot), and rebuild downstream configuration files (like /etc/hosts) as necessary when the configuration is restored (for instance, during an upgrade).


Re: ER-X drops LAN when no WAN


Today same story happened - port WAN was connected, internet dropped out, no packets at all on eth0.

Private subnet with non-standard IP, all connections to the router dropped. Didn't have time to set up another interface though.

 

I dropped BOGONS on WAN - didn't help. :-/

Re: How to Switch from DHCP to PPPoE without losing config?

Hello again, I've attached my config below.

My ER has internet access as I am currently using it, just not sure if that is using the new pppoe0 or eth0 to get out...

Re: How to Switch from DHCP to PPPoE without losing config?

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 192.168.2.1, eth0
C    *> 10.11.17.177/32 is directly connected, pppoe0
C    *> xxx.xxx.168.151/32 is directly connected, pppoe0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 192.168.2.0/24 is directly connected, eth0
C    *> 192.168.10.0/24 is directly connected, eth1
C    *> 192.168.20.0/24 is directly connected, switch0

Bug: Basic Setup wizard for IPv6 breaks Path Dependent MTU


Hi Folks,

 

I'm quite thrilled to finally have dual stack IPv4 and IPv6 running at home over Comcast with an ER-X. But as I was testing the connection, I discovered the default firewall settings for IPv6 block all ICMPv6 traffic, which breaks path dependent MTU discovery. Unlike IPv4 where all ICMP could be blocked, a few types of packets need to make it through for IPv6 to work.

 

You can take a look at RFC 4890 and RFC 6092 for all the detail, but basically:

4.3.1. Traffic That Must Not Be Dropped

  • Error messages that are essential to the establishment and
    maintenance of communications:
      o Destination Unreachable (Type 1) - All codes
      o Packet Too Big (Type 2)
      o Time Exceeded (Type 3) - Code 0 only
      o Parameter Problem (Type 4) - Codes 1 and 2 only

Practically I believe things will still function, just less efficiently if you only let through Type 2 packets. Maybe? Just skimmed RFC 6092 and there might be cases that need Type 1 packets too. But not letting through Type 2 sets you up for mysterious path dependent failures in the future as routers don't fragment packets if a too small MTU is encountered, it's up to the host to do that.

 

Here's the code to modify the firewall from the basic setup wizard to follow RFC 4890.

 

set firewall ipv6-name WANv6_IN rule 12 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 12 icmpv6 type destination-unreachable
set firewall ipv6-name WANv6_IN rule 12 description 'RFC 4890 and RFC 6092, needed for ipv6 to work well'
set firewall ipv6-name WANv6_IN rule 12 state established enable
set firewall ipv6-name WANv6_IN rule 12 state related enable
set firewall ipv6-name WANv6_IN rule 12 action accept

set firewall ipv6-name WANv6_IN rule 13 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 13 icmpv6 type packet-too-big
set firewall ipv6-name WANv6_IN rule 13 description 'Must be allowed or MTU discovery (PDMTU) will break. RFC 4890 and RFC 6092'
set firewall ipv6-name WANv6_IN rule 13 state established enable
set firewall ipv6-name WANv6_IN rule 13 state related enable
set firewall ipv6-name WANv6_IN rule 13 action accept

set firewall ipv6-name WANv6_IN rule 14 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 14 icmpv6 type ttl-zero-during-transit
set firewall ipv6-name WANv6_IN rule 14 description 'RFC 4890 and RFC 6092, needed for ipv6 to work well'
set firewall ipv6-name WANv6_IN rule 14 state established enable
set firewall ipv6-name WANv6_IN rule 14 state related enable
set firewall ipv6-name WANv6_IN rule 14 action accept

set firewall ipv6-name WANv6_IN rule 15 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 15 icmpv6 type unknown-header-type
set firewall ipv6-name WANv6_IN rule 15 description 'RFC 4890 and RFC 6092, needed for ipv6 to work well'
set firewall ipv6-name WANv6_IN rule 15 state established enable
set firewall ipv6-name WANv6_IN rule 15 state related enable
set firewall ipv6-name WANv6_IN rule 15 action accept

set firewall ipv6-name WANv6_IN rule 16 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 16 icmpv6 type unknown-option
set firewall ipv6-name WANv6_IN rule 16 description 'RFC 4890 and RFC 6092, needed for ipv6 to work well'
set firewall ipv6-name WANv6_IN rule 16 state established enable
set firewall ipv6-name WANv6_IN rule 16 state related enable
set firewall ipv6-name WANv6_IN rule 16 action accept

You can test this by using the directions here:

 

http://test-ipv6.com/faq_pmtud.html

 

Hope someone else finds this useful,

 

Chris
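As an added check (not from Chris's post), the following Python script parses "set firewall ipv6-name" lines like the ones above and reports which of the RFC 4890 section 4.3.1 error types a WANv6_IN ruleset accepts and which fall through to the default drop. The EdgeOS type-name to ICMPv6 type/code mapping and the sample ruleset are this example's assumptions.

```python
import re
from typing import Dict, List

# RFC 4890 section 4.3.1 error messages, keyed by the EdgeOS 'icmpv6 type'
# names used in the post (the type/code mapping is this example's assumption).
REQUIRED = {
    "destination-unreachable": "Type 1, all codes",
    "packet-too-big": "Type 2",
    "ttl-zero-during-transit": "Type 3, code 0",
    "unknown-header-type": "Type 4, code 1",
    "unknown-option": "Type 4, code 2",
}
SET_RE = re.compile(r"^set firewall ipv6-name (\S+) rule (\d+) (.+)$")

def _split_attr(rest: str):
    """Turn the tail of a 'set ... rule N <attr>' line into (key, value)."""
    if rest.startswith("icmpv6 type "):
        return "icmpv6 type", rest[len("icmpv6 type "):]
    if rest.startswith("state "):            # e.g. 'state established enable'
        _, which, flag = rest.split(None, 2)
        return "state " + which, flag
    key, _, value = rest.partition(" ")
    return key, value.strip("'\"")

def parse_rules(config_text: str) -> Dict[str, Dict[int, Dict[str, str]]]:
    """Group 'set firewall ipv6-name' lines as {ruleset: {rule: {key: value}}}."""
    rulesets: Dict[str, Dict[int, Dict[str, str]]] = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            key, value = _split_attr(m.group(3))
            rulesets.setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})[key] = value
    return rulesets

def audit_icmpv6(config_text: str, ruleset: str = "WANv6_IN",
                 default_action: str = "drop") -> Dict[str, List[str]]:
    """Walk the ruleset in rule-number order (first match wins) and report which
    RFC 4890 types reach an accept rule and which fall through to the default.
    Rules matching only new/invalid state are skipped: an ICMPv6 error for an
    existing flow is RELATED, so the post's established/related rules apply."""
    decided: Dict[str, str] = {}
    for _, rule in sorted(parse_rules(config_text).get(ruleset, {}).items()):
        if rule.get("protocol", "all") not in ("icmpv6", "ipv6-icmp", "all"):
            continue
        states = {k.split()[1] for k, v in rule.items() if k.startswith("state ") and v == "enable"}
        if states and not states & {"established", "related"}:
            continue
        hit = [rule["icmpv6 type"]] if "icmpv6 type" in rule else list(REQUIRED)
        for t in hit:
            decided.setdefault(t, rule.get("action", default_action))
    return {"accepted": [t for t in REQUIRED if decided.get(t) == "accept"],
            "blocked": [f"{t} ({REQUIRED[t]})" for t in REQUIRED
                        if decided.get(t, default_action) != "accept"]}

# Constructed sample: only rules 12 and 14 from the post, so packet-too-big,
# unknown-header-type and unknown-option fall through to the default drop.
SAMPLE_MISSING_PTB = """\
set firewall ipv6-name WANv6_IN rule 12 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 12 icmpv6 type destination-unreachable
set firewall ipv6-name WANv6_IN rule 12 state established enable
set firewall ipv6-name WANv6_IN rule 12 state related enable
set firewall ipv6-name WANv6_IN rule 12 action accept
set firewall ipv6-name WANv6_IN rule 14 protocol icmpv6
set firewall ipv6-name WANv6_IN rule 14 icmpv6 type ttl-zero-during-transit
set firewall ipv6-name WANv6_IN rule 14 action accept
"""

if __name__ == "__main__":
    print(audit_icmpv6(SAMPLE_MISSING_PTB))
```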

DNSCrypt-Proxy 2


This is a new thread addressing getting DNSCrypt-Proxy 2, dnsmasq and DNSSEC running on the Edgerouter Lite (the same technique should work on most of the other router models). Although this is a continuation of “dnscrypt-proxy, DNSSEC and dnsmasq on Edgerouter Lite,” there are some significant differences between DNSCrypt-Proxy 2 and its predecessor that merit a clean slate for discussion.

 

To get started, first and foremost, the DNSCrypt-Proxy 2 binary is needed, get the MIPS64 binary from the releases directory. The binary comes with some sample configuration files. At a minimum, example-dnscrypt-proxy.toml needs to be renamed to dnscrypt-proxy.toml. By default, the binary expects the configuration files to be in the same directory; however, that can be changed on the command-line. I chose to put the binary in /config/sbin and the configuration files in /config/etc/dnscrypt-proxy directories.

 

A few support scripts are required:

 

/config/scripts/post-config.d/dnscrypt.sh

This sets up a persistent directory in the /config filesystem for dnsmasq to save the timestamp created by the dnssec-timestamp option, and then starts the dnscrypt-proxy process:

 

#!/bin/sh

# Check that the persistent (/config filesystem) var directory exists; if not, create it and set ownership
if [ ! -d /config/var/run/dnsmasq ]; then
    /bin/mkdir -p /config/var/run/dnsmasq
    /bin/chown dnsmasq /config/var/run/dnsmasq
fi

/config/sbin/dnscrypt-proxy \
    -config /config/etc/dnscrypt-proxy/dnscrypt-proxy.toml &

exit 0

 

 

/config/scripts/post-config.d/dnt-hup.sh

This uses ntp's ntp-wait Perl script to HUP dnsmasq when ntp is in a synchronized state (which is useful if the dnssec-no-timecheck option is used for dnsmasq). The ntp-wait command can take quite a while to complete - I clocked it at about 19 minutes on a sample boot - which is why it's forced into the background, otherwise the boot process would block here.

 

#!/bin/sh

(
  # ntpdate options used below:
  # -b  Force the time to be stepped using the settimeofday() system call, rather
  #     than slewed (default) using the adjtime() system call. This option should
  #     be used when called from a startup file at boot time.
  # -u  Use an unprivileged port to send the packets from. This option is useful
  #     when you are behind a firewall that blocks incoming traffic to privileged
  #     ports, and you want to synchronize with hosts beyond the firewall. The -d
  #     option always uses unprivileged ports.
  # -s  Log actions by way of the syslog(3C) facility rather than to the standard
  #     output -- a useful option when running the program from cron(1M).
  /usr/bin/logger -p user.notice Waiting for ntpdate to synchronize time from 0.ubnt.pool.ntp.org...
  /usr/sbin/ntpdate -bus `/usr/bin/host 0.ubnt.pool.ntp.org 8.8.8.8 | /usr/bin/awk '/has address/ { print $4 ; exit }'`
) &

(
  # dnssec-no-timecheck
  # DNSSEC signatures are only valid for specified time windows, and should
  # be rejected outside those windows. This generates an interesting
  # chicken-and-egg problem for machines which don't have a hardware real
  # time clock. For these machines to determine the correct time typically
  # requires use of NTP and therefore DNS, but validating DNS requires that
  # the correct time is already known. Setting this flag removes the
  # time-window checks (but not other DNSSEC validation) only until the
  # dnsmasq process receives SIGHUP. The intention is that dnsmasq should
  # be started with this flag when the platform determines that reliable
  # time is not currently available. As soon as reliable time is
  # established, a SIGHUP should be sent to dnsmasq, which enables time
  # checking, and purges the cache of DNS records which have not been
  # thoroughly checked.
  #
  # The ntp-wait program blocks until ntpd is in synchronized state. This
  # can be useful at boot time, to delay the boot sequence until after
  # "ntpd -g" has set the time.
  /usr/bin/logger -p user.notice Waiting for ntpd to synchronize...
  /usr/sbin/ntp-wait -n 1000 -s 6
  if [ $? -eq 0 ]
  then
    /usr/bin/logger -p user.notice Sending SIGHUP to dnsmasq...
    /usr/bin/pkill -SIGHUP -e -F /var/run/dnsmasq/dnsmasq.pid 2>&1 | logger -p user.notice
    exit 0
  else
    /usr/bin/logger -p user.notice Could not synchronize time. Giving up. DNSSEC signatures are not timechecked.
    exit 1
  fi
) &

 

Lastly, the router configuration, including the dnsmasq configuration (note the delete command that's discussed in this thread, to make sure there isn't a server=127.0.0.1 line in /etc/dnsmasq.conf that overrides pointing to the dnscrypt-proxy server we have running on an unprivileged port):

 

delete service dns forwarding system
set service dns forwarding cache-size 1024
set service dns forwarding listen-on switch0
set service dns forwarding listen-on eth0
set service dns forwarding options domain-needed
set service dns forwarding options bogus-priv
set service dns forwarding options except-interface=eth1
set service dns forwarding options stop-dns-rebind
set service dns forwarding options 'server=127.0.0.1#5353'
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec
set service dns forwarding options dnssec-check-unsigned

 

 

Choose one of the following (dnssec-timestamp or dnssec-no-timecheck):

 

set service dns forwarding options dnssec-timestamp=/config/var/run/dnsmasq/dnsmasq.time

OR

 

set service dns forwarding options dnssec-no-timecheck
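As an added linter (not part of the post), the following Python reads a rendered /etc/dnsmasq.conf and flags the stray server=127.0.0.1 line that the delete command above is there to remove, plus a missing dnssec or trust-anchor option and the dnssec-timestamp versus dnssec-no-timecheck choice. The sample file contents are constructed to mirror the configuration above, not copied from a router.

```python
from typing import List, Tuple

LOOPBACK = ("127.0.0.1", "::1")

def parse_servers(conf: str) -> List[Tuple[str, int]]:
    """Return (host, port) for each plain 'server=' line. dnsmasq writes the
    port after '#' and defaults to 53; domain-scoped server=/dom/ip lines are skipped."""
    servers = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("server=") or line.startswith("server=/"):
            continue
        host, _, port = line[len("server="):].partition("#")
        servers.append((host, int(port) if port else 53))
    return servers

def lint_dnsmasq(conf: str) -> List[str]:
    """Report deviations from the dnscrypt-proxy + DNSSEC setup; [] means OK."""
    lines = [l.strip() for l in conf.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    keys = {l.split("=", 1)[0] for l in lines}
    listen = next((int(l.split("=", 1)[1]) for l in lines if l.startswith("port=")), 53)
    servers = parse_servers(conf)
    problems = []
    for host, port in servers:
        if host in LOOPBACK and port == listen:
            problems.append(f"server={host}#{port} sends queries back to dnsmasq's own port "
                            "instead of dnscrypt-proxy ('delete service dns forwarding system')")
    if not any(h in LOOPBACK and p != listen for h, p in servers):
        problems.append("no server=127.0.0.1#<port> entry forwarding to dnscrypt-proxy")
    if "dnssec" not in keys:
        problems.append("dnssec is not enabled, so answers are not validated")
    else:
        if "trust-anchor" not in keys:
            problems.append("dnssec is enabled but no trust-anchor is configured")
        if len({"dnssec-timestamp", "dnssec-no-timecheck"} & keys) != 1:
            problems.append("set exactly one of dnssec-timestamp or dnssec-no-timecheck")
    return problems

# Constructed approximation of /etc/dnsmasq.conf as rendered from the options above.
GOOD_CONF = """\
domain-needed
bogus-priv
except-interface=eth1
stop-dns-rebind
server=127.0.0.1#5353
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
dnssec-check-unsigned
dnssec-timestamp=/config/var/run/dnsmasq/dnsmasq.time
"""
# The same file with the server=127.0.0.1 line the post says 'service dns forwarding
# system' leaves behind (constructed), which is what the delete command removes.
BAD_CONF = "server=127.0.0.1\n" + GOOD_CONF

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, lint_dnsmasq(conf) or "OK")
```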

Re: dnscrypt-proxy, DNSSEC and dnsmasq on Edgerouter Lite


I've started a new thread on installing and configuring DNSCrypt-Proxy 2. There are some significant changes between it and v1, so it merited a new thread, in my opinion.

 

I've made an initial SWAG at a configuration. As soon as I have more time to test and TAR it up, I'll be discontinuing updating this thread and updating that thread instead.

Re: Modify routing table via script?


Thanks for the pointer to /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper. That's what I had been looking for. My script is working now.

 

Re: Help with vyatta-commit.log messages


Any idea would be highly appreciated

Why can't I access eth4 from switch0?


When I connect to eth3, which is included in switch0, I can access the edgemax router config screen (172.16.99.3). Without changing what interface I'm connected to, I cannot get to 172.16.99.4, which is the ip defined for eth4. However, if I switch my ethernet cable over to interface eth4, I can get to 172.16.99.4.

 

Why can't I get to 172.16.99.4 when I'm connected to eth3 yet can access it when I plug into eth4?

 

[screenshot: eth4 and switch0 address scheme]

[screenshot: my switch0 config]

[screenshot: my computer's IP config (connected to eth3)]

 

 

Edit: I'm not really trying to achieve anything other than learning the nuances of routing with this post...

 

Edit2: Forgot to post the routing table. It's all default, so I'm sure there is something here that would explain it.

[screenshot: routing table]

 

Re: Help with vyatta-commit.log messages


NAT is just a warning: the pppoe interface only exists after a successful pppoe session setup, but your NAT rules are already activated while the interface isn't there yet.

 

error1 also looks like a warning; maybe there's some overlap between ingredients. Do these custom-categories work as expected?
