Gl-mt300-n2

Technical Support for Routers
1

Hello, i flashed the last tor firmware for this router on it. Didn’t made any change on configuration of firewall, nothing at all.

The problem is that from my pc, I’m not able to ping nothing: this is the result of a simple ping to google .com
~$ ping google .com
PING google .com (172.217.19.238) 56(84) bytes of data.
From 192.168.8.1 (192.168.8.1) icmp_seq=1 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=2 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=3 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=4 Destination Port Unreachable
^C
— google .com ping statistics —
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms

I am able to ping instead from inside the router.

Also i have another problem: dns seems not worling properly. When i try to add a socks proxy in firefox, I am unable to go to any domain, i can only visits sites by ip. If i set instead resolve dns with socks5 proxy on firefox, it works.

here is my cat /etc/config/firewall file

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'
	option enabled '0'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'tor_dhcp'
	option name 'Allow-Tor-DHCP'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'tor_dns'
	option name 'Allow-Tor-DNS'
	option src 'lan'
	option proto 'udp'
	option dest_port '9053'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'tor_tras'
	option name 'Allow-Tor-Transparent'
	option src 'lan'
	option proto 'tcp'
	option dest_port '9040'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'tor_socks'
	option name 'Allow-Tor-SOCKS'
	option src 'lan'
	option proto 'tcp'
	option dest_port '9050'
	option family 'ipv4'
	option target 'ACCEPT'

config redirect 'tor_allow_http'
	option name 'Allow access http'
	option src 'lan'
	option src_ip '192.168.8.1/24'
	option src_dip '192.168.8.1'
	option src_dport '80'
	option family 'ipv4'
	option proto 'tcp'
	option target 'ACCEPT'

config redirect 'tor_allow_ssh'
	option name 'Allow access  ssh'
	option src 'lan'
	option src_ip '192.168.8.1/24'
	option src_dip '192.168.8.1'
	option src_dport '22'
	option family 'ipv4'
	option proto 'tcp'
	option target 'ACCEPT'

config redirect 'tor_allow'
	option name 'Allow access tor domain'
	option src 'lan'
	option src_dport '9050'
	option family 'ipv4'
	option proto 'tcp'
	option target 'ACCEPT'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_port '9053'
	option family 'ipv4'
	option proto 'udp'
	option target 'DNAT'

config redirect 'tcp_int'
	option name 'Intercept-TCP'
	option src 'lan'
	option dest_port '9040'
	option family 'ipv4'
	option proto 'tcp'
	option extra '--syn'
	option target 'DNAT'

and finally /etc/firewall.user

root@GL-MT300N-V2:~# cat /etc/firewall.user

force_dns() {
	# lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
	lanip=$(uci get network.lan.ipaddr)
	tor=$(ps|grep /usr/sbin/tor|grep -v grep)
	[ "$1" = "add" ] && {
		ip=$(uci get glconfig.general.ipaddr)
		[ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
		iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $ip
		iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $ip
		
		uci set glconfig.general.ipaddr=$lanip
		uci commit glconfig
		iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
		[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
 		iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
 		[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

		if [ -n "$tor" ];then
			iptables -t nat -C PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
			[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
			iptables -t nat -C PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
			[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
		fi


 		
	}
	[ "$1" = "remove" ] && {
		lanip=$(uci get glconfig.general.ipaddr)
		[ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
		iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
		[ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
 		iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
 		[ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

		if [ -n "$tor" ];then
			iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
			iptables -t nat -D PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
		fi
	}
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

##PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
root@GL-MT300N-V2:~#```
2

Which Tor firmware? The default firmware comes with Tor.

Did you enable Tor?

3

no it doesen’t.
openwrt-mt300n-v2-tor-3.203.bin
from https://dl.gl-inet.com/firmware/mt300n-v2/tor/

yes, this issue only occurs when tor enabled.

4

In the Tor configuration page, does it say Tor connected?
Did you choose a region?

5

it says tor connected, i havent choose any region. random is choosen.

7

I tried Tor firmware for 300N-V2,and it works fine. Here is the download link:
https://dl.gl-inet.com/firmware/mt300n-v2/tor/
Please choose 3.203 Tor firmware.
Here are some screenshots for your information.

tor-firmware
tor-firmware1445×796 85.4 KB
tor-browser
tor-browser1691×881 114 KB