New oleg firmware version

[DrChair]

I also have some problems with SVN-version 140.

I flashed the firmware succesfully.
Next I noticed the new option to enable SSH in the webinterface, so I enabled that option.

After that, my clients didn't get any ip-adres from DHCP and I was unable to ping the router.

I after serveral attempt to flash the old firmware, I accidentaly discovered that via a static ip-adres I was able to login to SSH (but still no ping).

It seems that enabling SSH from the webinterface, breaks some of the firewall rules, cause if I disable the firewall with "iptables -D INPUT -j DROP" everyting is working again....
However this also leaves my unprotected.

(i'm building r144 atm, to see if that solves the problem)

Edit:
Further tests show that it has nothing to do with enabling SSH.
I went back to factory defaults, and configured the basics -> everthing is fine
Next I do a flashfs enable && reboot -> at first everything seems fine, but after a while I get 'firewalled'
I'll see tomorrow if i can find the exact moment where the firewall is enabled.

[al37919]

DrChair:
If you still have problem with firewall, could you show output of

PHP Code:

iptables-save | grep INPUT 


[lly]

btw, I noticed that the flashfs files have changed over time from the svn builds?

No, this behavior shouldn't be changed.

when I tried reflashing an old flashfs file, the router wouldn't start it's dhcp server anymore... or something else went wrong.

Please, describe more detailed. My assumption:
1. You flashed new firmware. Successful?
2. reboot. router up ok? what about dhcp-server(dnsmasq)?
3. Did you try to execute "flashfs enable" & reboot?
4. Router itself starts? What is in syslog?

[wpte]

No, this behavior shouldn't be changed.

Please, describe more detailed. My assumption:
1. You flashed new firmware. Successful?
2. reboot. router up ok? what about dhcp-server(dnsmasq)?
3. Did you try to execute "flashfs enable" & reboot?
4. Router itself starts? What is in syslog?

1. yes, successful (tried with webpage upload and asus restoration tool)
2. First reboot is good, and after applying the settings to the router it's also rebooting fine. Only after saving something in the flashfs memory it stops working properly.
3. I did, I always execute "flashfs save && flashfs commit && flashfs enable && reboot", I actually have it under a macro on my G15 keyboard
4. The router doesnt respond to anything anymore when something is in the flashfs, not even the reset button, I need to unplug the psu to make it run again.

I do want to note that sometimes the firmware is flashed, but the original memory of the old firmware is still there, even after a factory default.

I just noticed that the stable release has a tar.gz compression and it seems like the beta(or alpha, I dunno) has tar.bz2 compression.
Also I saw that the paths in the flashfs file are different in the older beta release, than the newer one.

[DrChair]

DrChair:
If you still have problem with firewall, could you show output of
iptables-save | grep INPUT

If I have no post-firewall script, everything is working fine
then the output is
:INPUT ACCEPT [288:57716]
:INPUT ACCEPT [288:57716]

If I have the following post-firewall in place:

Code:

#!/bin/sh
## FIREWALL
## set default policy
iptables -D INPUT -j DROP

## Allow access to webserver from WAN
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

## Allow access to SSH (port24) from WAN
iptables -A INPUT -p tcp --dport 24 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 24 -j DNAT --to-destination 192.168.2.1:24

# Allow access to PROFTPD (port 21) from WAN
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 20 -j DNAT --to-destination 192.168.2.1:20
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination 192.168.2.1:21
iptables -A INPUT -p tcp --dport 65530:65535 -j ACCEPT
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 65530:65535 -j DNAT --to-destination 192.168.2.1

iptables -A INPUT -j DROP

I have a problem and the output of iptables-save |grep INPUT is:
:INPUT ACCEPT [695:224835]
:INPUT ACCEPT [36:11691]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65530:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65530:65535 -j ACCEPT
-A INPUT -j DROP

With firmware around r100 this post-firewall was still working.
I guess it has something to do with all the SNAT changes

[preacher@wl500g]

One thin I have to mention is the successful connection of my old printer.
I have a quite old HP Deskjet 720C, which I couldn't use on my notebook running windows vista because of the lack of a parallel port so far.
This printer is a so called GDI-printer, which needs a direct connection and doesn't have an own image processing unit.
A HP Jetdirect I tried didnt' work, it produced only a few lines and then stopped printing, even when trying to print the Windows test-page
Now I bougt a cheap (1€) parallel to usb adapter, which didn't work as expected with my notebook (approx 2/3 of the Windows test-page was printed).
But when connected to the WL500GP's USB-port and used as TCP/IP printer this works perfectly! Even complex pages are printed without any problems.
I am running one of the latest firmware from googlecode and I am really glad to have this functionallity. What a great piece of software on this nice router! Thanks for your work, it keeps my printer working even after 12 years!

[chtr]

I use my WL-500GP mainly as a printer- and fileserver (samba). I had stability issues with oleg's firmware and had to reboot the rooter 6-7 times a day, because samba stopped working.
With this firmware the router is now up and running for 4 days and samba is still working. Thank you very much for this firmware, great work!

[theMIROn]

it stops at booting for me...
it seems, as soon as I actually even create a flashfs (like creating post-boot etc.) and save it, it's enough to make it stop working.
the boot procedure seems normal if I look at the LED's on the front, the same kinda flashing lights and 2 refreshes of the switch... nothing out of the ordinary.

I have to report the same problem - I couldn't connect to router at all after reflashing to lastest firmware, so I had to revert back to previsous version (WL500gp-1.9.2.7-d-20090225.trx) using TFTP.

bug discovered. temporary fix could be done in the several ways before flashing firmware:
1. add "insmod ipt_recent.o" in your /usr/local/sbin/post-boot script
2. set nvram recent_ftp_enable to 1 if you've enabled ftp server via web interface, commit nvram after
3. set both ssh_enable and nvram recent_ssh_enable to 1, commit nvram after. it will cause dropbear to start on boot time without any additional post-boot scripts

sorry for the inconvenience, folks

[wpte]

np man
just a question... does this mean dropbear will be integrated in the firmware?

[al37919]

np man
just a question... does this mean dropbear will be integrated in the firmware?

yes, it already does (including autogeneration and storing of the keys in flashfs when needed, functioning of ssh server even if flashfs is disabled, and brute force attack protection for ssh and ftp servers based on ipt_recent). See System Setup->Services and Internet Firewall->Basic Config

At the moment r156 is commited which (I hope) solves this issue. Reports are welcome.

[theMIROn]

use r160 build from http://wl500g.googlecode.com/
now, even with bruteforce protection is off, firmware should boot as usual

[wpte]

plz, test it
http://themiron.ru/pub/soft/WL500gp-1.9.2.7-d-r157M.trx
now, even with bruteforce protection is off, firmware should boot as usual

I need the wl-500W version

yes, it already does (including autogeneration and storing of the keys in flashfs when needed, functioning of ssh server even if flashfs is disabled, and brute force attack protection for ssh and ftp servers based on ipt_recent). See System Setup->Services and Internet Firewall->Basic Config

At the moment r156 is commited which (I hope) solves this issue. Reports are welcome.

sounds interesting, since I couldn't get that old denyhosts working on mine. eventually I swtiched to a different port.
Would that iprecent also work on openssh or different server like apps?

[al37919]

Would that iprecent also work on openssh or different server like apps?

yes, it is done as a separate chain through which you can pass what you wish

[theMIROn]

I need the wl-500W version

grab r160 builds from http://wl500g.googlecode.com/

yes, it is done as a separate chain through which you can pass what you wish

if bruteforce protection is enabled, you can use the same chain:
iptables -A INPUT -m tcp -p tcp -i <IFACE> -s <SOURCE> --syn -j BRUTE
it means that any new tcp connections from SOURCE ip addr from IFACE interface (ppp0, etc) will be counted and denied on exec food

[wpte]

great work
I'm going to test it somewhere in the weekend, and I'll let you know what I think

btw... are there any simple programming jobs?
maybe it is a nice opportunity for me to learn some linux programming, I'm already known with C# and some ansi C for an embedded usb board.