cpe210 - how to drop invalid packets?

2016-08-16 06:41:51
Hardware Version : Not Clear

I use my CPE210 in the operation mode "AP Client Router". Due to a specific limitation of my WISP provider I need to drop invalid packets when communicating with it, since otherwise it will disconnect me upon receiving such a packet. This often happens when (invalid) IP packets with local addresses "leak" over the WLAN port to the WISP provider. The solution is given here: http://www.smythies.com/~doug/network/iptables_notes/.

Therefore, to drop invalid packets, I just need to add the following line to the iptables rules:
"iptables -I FORWARD 3 -m state --state INVALID -j DROP". When I add this live over ssh the CPE210 device works until reboot. Is it possible to make this iptables change permanent or add this feature to the firmware? E.g. OpenWRT has this feature as a checkbox in the web interface.
#1
Re:cpe210 - how to drop invalid packets?
2016-08-17 15:15:10
In the meantime, flash OpenWrt, use a Trunk image, then OPKG LuCi.
Or flash LEDE.
But before that, make sure you can do this:
How to use firmware recovery function of Pharos CPE
http://forum.tp-link.com/showthread.php?81684-How-to-use-firmware-recovery-function-of-Pharos-CPE
In case of issues and wanting to revert to stock, it's the only way.
Share the commands to get to iptables and add the line.
Reboot is the only command I use with SSH on Pharos.
#2
Re:cpe210 - how to drop invalid packets?
2016-08-17 15:56:42
I have already tried OpenWRT, but I was completely disappointed with the output tx power. It was 11 dBm, given by iwinfo, although the luci web interface offered 23 dBm. It seems that OpenWRT limits the value of the tx output power. That is why I am back to the stock firmware.
#3
Re:cpe210 - how to drop invalid packets?
2016-08-17 19:51:17

priponne wrote

I have already tried OpenWRT, but I was completely disappointed with the output tx power. It was 11 dBm, given by iwinfo, although the luci web interface offered 23 dBm. It seems that OpenWRT limits the value of the tx output power. That is why I am back to the stock firmware.

You never answered my request, quoted below:
Share the commands to get to iptables and add the line.


TL & OpenWrt use one bin for Pharos 210 & 510.
LEDE separated the frequencies; LEDE has 2 bins.
Did you try LEDE?
#4
Re:cpe210 - how to drop invalid packets?
2016-08-23 17:39:22

danymarc wrote

You never answered my request, quoted below


First, you need to open an ssh connection to the router. Second, you need to run the following command.
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
INPUT_LAN_HTTP_CLIENT tcp -- anywhere 192.168.0.254
ACCEPT !icmp -- 192.168.0.0/24 !172.16.3.254
ACCEPT all -- anywhere anywhere /* loop back */
INPUT_LAN_PING_REQ icmp -- anywhere anywhere icmp echo-request
INPUT_WAN_PING_REQ icmp -- anywhere 172.16.3.254 icmp echo-request
INPUT_WAN_PING_REQ icmp -- anywhere 0.0.0.0 icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_WAN_HTTP_CLIENT tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
INPUT_SNMP udp -- anywhere anywhere udp dpt:snmp
ACCEPT udp -- anywhere anywhere udp dpt:20002
INPUT_DROPBEAR tcp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:5001
ACCEPT tcp -- anywhere anywhere tcp dpt:6001

Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_MSS all -- anywhere anywhere
FORWARD_SETMARK all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_VPN_PASSTHROUGH all -- anywhere anywhere
FORWARD_ACL all -- anywhere anywhere
FORWARD_ADVSEC all -- anywhere anywhere
FORWARD_LAN_PING_REQ icmp -- anywhere anywhere icmp echo-request
FORWARD_VS all -- anywhere anywhere
FORWARD_PT all -- anywhere anywhere
FORWARD_UPNP all -- anywhere anywhere
FORWARD_DMZ all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
FORWARD_SPI all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD_ACL (1 references)
target prot opt source destination

Chain FORWARD_ADVSEC (1 references)
target prot opt source destination

Chain FORWARD_DMZ (1 references)
target prot opt source destination

Chain FORWARD_LAN_PING_REQ (1 references)
target prot opt source destination

Chain FORWARD_MSS (1 references)
target prot opt source destination

Chain FORWARD_PT (1 references)
target prot opt source destination

Chain FORWARD_SETMARK (1 references)
target prot opt source destination

Chain FORWARD_SPI (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state NEW

Chain FORWARD_UPNP (1 references)
target prot opt source destination

Chain FORWARD_VPN_PASSTHROUGH (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:500
RETURN udp -- anywhere anywhere udp dpt:1701
RETURN tcp -- anywhere anywhere tcp dpt:1723

Chain FORWARD_VS (1 references)
target prot opt source destination

Chain INPUT_DROPBEAR (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain INPUT_LAN_HTTP_CLIENT (1 references)
target prot opt source destination
INPUT_MAC tcp -- anywhere anywhere tcp dpt:www
DROP tcp -- anywhere anywhere tcp dpt:443

Chain INPUT_LAN_PING_REQ (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT_MAC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT_SNMP (1 references)
target prot opt source destination

Chain INPUT_WAN_HTTP_CLIENT (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:443
ACCEPT tcp -- 0.0.0.0 anywhere tcp dpt:www

Chain INPUT_WAN_PING_REQ (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere


Third, you can see (in bold) that there is no "drop invalid packets" in the forward chain. Fourth, to add this rule and insert it above the bold rule (i.e. to the third position in the forward chain) you need to run the following command:
# iptables -I FORWARD 3 -m state --state INVALID -j DROP

Fifth, you can check the resulting iptables rules as follows:
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
INPUT_LAN_HTTP_CLIENT tcp -- anywhere 192.168.0.254
ACCEPT !icmp -- 192.168.0.0/24 !172.16.3.254
ACCEPT all -- anywhere anywhere /* loop back */
INPUT_LAN_PING_REQ icmp -- anywhere anywhere icmp echo-request
INPUT_WAN_PING_REQ icmp -- anywhere 172.16.3.254 icmp echo-request
INPUT_WAN_PING_REQ icmp -- anywhere 0.0.0.0 icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_WAN_HTTP_CLIENT tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
INPUT_SNMP udp -- anywhere anywhere udp dpt:snmp
ACCEPT udp -- anywhere anywhere udp dpt:20002
INPUT_DROPBEAR tcp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:5001
ACCEPT tcp -- anywhere anywhere tcp dpt:6001

Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_MSS all -- anywhere anywhere
FORWARD_SETMARK all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_VPN_PASSTHROUGH all -- anywhere anywhere
FORWARD_ACL all -- anywhere anywhere
FORWARD_ADVSEC all -- anywhere anywhere
FORWARD_LAN_PING_REQ icmp -- anywhere anywhere icmp echo-request
FORWARD_VS all -- anywhere anywhere
FORWARD_PT all -- anywhere anywhere
FORWARD_UPNP all -- anywhere anywhere
FORWARD_DMZ all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
FORWARD_SPI all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD_ACL (1 references)
target prot opt source destination

Chain FORWARD_ADVSEC (1 references)
target prot opt source destination

Chain FORWARD_DMZ (1 references)
target prot opt source destination

Chain FORWARD_LAN_PING_REQ (1 references)
target prot opt source destination

Chain FORWARD_MSS (1 references)
target prot opt source destination

Chain FORWARD_PT (1 references)
target prot opt source destination

Chain FORWARD_SETMARK (1 references)
target prot opt source destination

Chain FORWARD_SPI (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state NEW

Chain FORWARD_UPNP (1 references)
target prot opt source destination

Chain FORWARD_VPN_PASSTHROUGH (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:500
RETURN udp -- anywhere anywhere udp dpt:1701
RETURN tcp -- anywhere anywhere tcp dpt:1723

Chain FORWARD_VS (1 references)
target prot opt source destination

Chain INPUT_DROPBEAR (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain INPUT_LAN_HTTP_CLIENT (1 references)
target prot opt source destination
INPUT_MAC tcp -- anywhere anywhere tcp dpt:www
DROP tcp -- anywhere anywhere tcp dpt:443

Chain INPUT_LAN_PING_REQ (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT_MAC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain INPUT_SNMP (1 references)
target prot opt source destination

Chain INPUT_WAN_HTTP_CLIENT (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:443
ACCEPT tcp -- 0.0.0.0 anywhere tcp dpt:www

Chain INPUT_WAN_PING_REQ (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
#5
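The rule above is lost on reboot, so it has to be re-applied from an ssh session each time. The script below is an added example and is not from the thread or from TP-Link; it assumes a POSIX sh, awk and the iptables binary shown in the listing above, and derives the insert position from the live FORWARD listing rather than hard-coding 3, so the drop still lands directly above the RELATED,ESTABLISHED accept even if the vendor chain layout differs.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply the INVALID drop after a reboot.
# Assumes POSIX sh, awk and the iptables seen in the thread. The position is read
# from `iptables -L FORWARD -n` instead of hard-coding 3, so the rule still lands
# just above "ACCEPT ... state RELATED,ESTABLISHED" if the chain layout differs.

# Reads an `iptables -L FORWARD` listing on stdin. Prints 0 when a
# "DROP ... state INVALID" rule already exists; otherwise the 1-based number of
# the first RELATED,ESTABLISHED ACCEPT (inserting there puts the drop directly
# above it), or the end-of-chain position when that rule is absent.
invalid_drop_position() {
    awk '
        /^Chain / || /^target / || NF == 0 { next }
        /^DROP / && /state INVALID/ { found = 1; print 0; exit }
        { n++ }
        /^ACCEPT / && /state RELATED,ESTABLISHED/ && !done { pos = n; done = 1 }
        END { if (!found) print (done ? pos : n + 1) }
    '
}

# Idempotent: run from an ssh session after each reboot (needs root).
ensure_invalid_drop() {
    pos=$(iptables -L FORWARD -n | invalid_drop_position) || return 1
    if [ "$pos" -eq 0 ]; then
        echo "INVALID drop already present in FORWARD"
        return 0
    fi
    iptables -I FORWARD "$pos" -m state --state INVALID -j DROP &&
        echo "inserted INVALID drop at FORWARD position $pos"
}

# Constructed samples: the head of the FORWARD chain as the thread lists it,
# before and after the insert.
SAMPLE_BEFORE='Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_MSS all -- anywhere anywhere
FORWARD_SETMARK all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_VPN_PASSTHROUGH all -- anywhere anywhere'
SAMPLE_AFTER='Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_MSS all -- anywhere anywhere
FORWARD_SETMARK all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_VPN_PASSTHROUGH all -- anywhere anywhere'

printf '%s\n' "$SAMPLE_BEFORE" | invalid_drop_position   # prints 3
printf '%s\n' "$SAMPLE_AFTER"  | invalid_drop_position   # prints 0
```

Calling `ensure_invalid_drop` twice in a row is harmless: the second run detects the existing rule and inserts nothing, so it is safe to script into whatever post-boot hook the device allows.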
Re:cpe210 - how to drop invalid packets?
2016-08-23 17:49:44
Anyway, something is really wrong with the tx power output of openwrt (and lede). When I select US or GY as the region, iwconfig shows 23 dBm when I select 23 dBm using the luci web interface. When I select HR (Croatia) or NZ (New Zealand), I cannot get more than 11 dBm (shown by iwconfig), even though a higher output power is selected using the luci interface.

However, 11 dBm is a much lower power than the regulatory domain restriction for 2.4 GHz frequencies, which is 20 dBm for Croatia and 30 dBm for New Zealand.
#6