Hello, I flashed the latest Tor firmware for this router. I did not make any change to the firewall configuration, nothing at all.
The problem is that from my PC I am not able to ping anything; this is the result of a simple ping to google.com:
~$ ping google .com
PING google .com (172.217.19.238) 56(84) bytes of data.
From 192.168.8.1 (192.168.8.1) icmp_seq=1 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=2 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=3 Destination Port Unreachable
From 192.168.8.1 (192.168.8.1) icmp_seq=4 Destination Port Unreachable
^C
— google .com ping statistics —
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms
From inside the router itself, however, I am able to ping.
I also have another problem: DNS does not seem to be working properly. When I add a SOCKS proxy in Firefox, I am unable to reach any domain; I can only visit sites by IP. If instead I set Firefox to resolve DNS through the SOCKS5 proxy, it works.
Here is my /etc/config/firewall file (`cat /etc/config/firewall`):
# /etc/config/firewall in fw3 UCI syntax, pasted here without its indentation.
# Policy defaults: traffic to the router is accepted, traffic between zones is
# rejected unless a 'config forwarding' stanza below enables it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): lan -> wan forwarding is disabled, so LAN hosts reach the
# Internet only through the Tor redirects at the end of this file, which
# cover UDP/53 and new TCP connections. ICMP is neither, so a ping from a
# LAN host falls through to the REJECT forward policy — consistent with the
# "Destination Port Unreachable" replies from 192.168.8.1 in the ping output
# above. Confirm before changing anything here.
config forwarding
option src 'lan'
option dest 'wan'
option enabled '0'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Router answers IPv4 echo-request from the WAN side (stock OpenWrt rule).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Include scripts run at every firewall reload; /etc/firewall.user is shown
# further down in this post.
config include
option path '/etc/firewall.user'
option reload '1'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glfw'
option type 'script'
option path '/usr/bin/glfw.sh'
option reload '1'
config include 'glqos'
option type 'script'
option path '/usr/sbin/glqos.sh'
option reload '1'
# Guest zone: no forwarding to wan (disabled below); only DHCP and DNS to
# the router are allowed in.
config zone 'guestzone'
option name 'guestzone'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding 'guestzone_fwd'
option src 'guestzone'
option dest 'wan'
option enabled '0'
config rule 'guestzone_dhcp'
option name 'guestzone_DHCP'
option src 'guestzone'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guestzone_dns'
option name 'guestzone_DNS'
option src 'guestzone'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
# NOTE(review): 'dest_proto' is not a standard fw3 rule option; if it is
# ignored, fw3's default protocol selection applies — confirm on the device.
config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
# Ports the LAN may reach on the router for Tor, as named by these rules:
# DNSPort 9053 (udp), TransPort 9040 (tcp), SocksPort 9050 (tcp).
config rule 'tor_dhcp'
option name 'Allow-Tor-DHCP'
option src 'lan'
option proto 'udp'
option dest_port '67'
option family 'ipv4'
option target 'ACCEPT'
config rule 'tor_dns'
option name 'Allow-Tor-DNS'
option src 'lan'
option proto 'udp'
option dest_port '9053'
option family 'ipv4'
option target 'ACCEPT'
config rule 'tor_tras'
option name 'Allow-Tor-Transparent'
option src 'lan'
option proto 'tcp'
option dest_port '9040'
option family 'ipv4'
option target 'ACCEPT'
config rule 'tor_socks'
option name 'Allow-Tor-SOCKS'
option src 'lan'
option proto 'tcp'
option dest_port '9050'
option family 'ipv4'
option target 'ACCEPT'
# Redirects with target ACCEPT exempt traffic addressed to the router itself
# (HTTP, SSH, SOCKS) from the interception rules that follow. src_ip is a
# host address with a /24 mask; presumably meant as the whole LAN subnet —
# confirm.
config redirect 'tor_allow_http'
option name 'Allow access http'
option src 'lan'
option src_ip '192.168.8.1/24'
option src_dip '192.168.8.1'
option src_dport '80'
option family 'ipv4'
option proto 'tcp'
option target 'ACCEPT'
config redirect 'tor_allow_ssh'
option name 'Allow access ssh'
option src 'lan'
option src_ip '192.168.8.1/24'
option src_dip '192.168.8.1'
option src_dport '22'
option family 'ipv4'
option proto 'tcp'
option target 'ACCEPT'
config redirect 'tor_allow'
option name 'Allow access tor domain'
option src 'lan'
option src_dport '9050'
option family 'ipv4'
option proto 'tcp'
option target 'ACCEPT'
# Interception: UDP/53 from lan -> Tor DNSPort 9053; new TCP connections
# (--syn) -> Tor TransPort 9040. Only these two cases are tunnelled; any
# other protocol from the LAN is not redirected and so hits the forward
# policy above.
config redirect 'dns_int'
option name 'Intercept-DNS'
option src 'lan'
option src_dport '53'
option dest_port '9053'
option family 'ipv4'
option proto 'udp'
option target 'DNAT'
config redirect 'tcp_int'
option name 'Intercept-TCP'
option src 'lan'
option dest_port '9040'
option family 'ipv4'
option proto 'tcp'
option extra '--syn'
option target 'DNAT'
And finally /etc/firewall.user:
root@GL-MT300N-V2:~# cat /etc/firewall.user
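#######################################
# Make sure one nat/PREROUTING rule is present (check, insert if missing).
# Arguments: the rule match and target, e.g. -i br-lan -p udp --dport 53 ...
# Returns:   0 if the rule exists afterwards, else iptables' status
#######################################
_nat_ensure() {
  iptables -t nat -C PREROUTING "$@" || iptables -t nat -I PREROUTING "$@"
}

#######################################
# Delete one nat/PREROUTING rule if it is present; a no-op otherwise.
# Arguments: the rule match and target, as for _nat_ensure
# Returns:   0 when the rule is absent afterwards
#######################################
_nat_drop() {
  if iptables -t nat -C PREROUTING "$@"; then
    iptables -t nat -D PREROUTING "$@"
  fi
}

#######################################
# Force every DNS query arriving on a bridge interface to the router's own
# LAN address (DNAT) and, while a Tor process is running, on to Tor's
# DNSPort 9053 instead (REDIRECT on br-lan). "remove" deletes the same rules.
# Clients cannot opt out: whatever resolver they configure is rewritten.
# Globals:   lanip, tor (written); ip (written in "add");
#            glconfig.general.ipaddr is updated via uci in "add"
# Arguments: $1 - "add" or "remove"; any other value does nothing
# Outputs:   iptables/uci diagnostics on stderr
# Returns:   status of the last iptables/uci command executed
#######################################
force_dns() {
  lanip=$(uci get network.lan.ipaddr)
  # Any process whose command line mentions the Tor binary counts as running.
  tor=$(ps | grep /usr/sbin/tor | grep -v grep)

  if [ "$1" = "add" ]; then
    # The LAN address may have changed since the rules were last written:
    # delete the rules that reference the previously stored address first.
    ip=$(uci get glconfig.general.ipaddr)
    [ -z "$ip" ] && ip=$lanip
    iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to "$ip"
    iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to "$ip"
    uci set glconfig.general.ipaddr="$lanip"
    uci commit glconfig
    _nat_ensure -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to "$lanip"
    _nat_ensure -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to "$lanip"
    if [ -n "$tor" ]; then
      # Inserted after the DNAT rules, so they sit above them and win while Tor runs.
      # NOTE(review): Tor's DNSPort serves UDP only; TCP/53 redirected to 9053
      # is refused rather than resolved — confirm this is the intended setup.
      _nat_ensure -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
      _nat_ensure -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
    else
      # Tor is not running: leftovers from an earlier run would send every
      # LAN DNS query to a closed port, so clear them.
      _nat_drop -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
      _nat_drop -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
    fi
  elif [ "$1" = "remove" ]; then
    # Remove against the address the rules were installed with, not the
    # current one, in case the LAN address changed in between.
    lanip=$(uci get glconfig.general.ipaddr)
    [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
    _nat_drop -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to "$lanip"
    _nat_drop -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to "$lanip"
    # Always clear the Tor redirects, not only while Tor happens to be running,
    # so a stopped Tor cannot leave DNS pointed at a closed port.
    _nat_drop -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
    _nat_drop -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
  fi
}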
# glconfig.general.force_dns switches the DNS interception above on or off.
# Only an unset/empty value disables it; any other value, including '0',
# is treated as enabled — verify that matches how the option is written.
force=$(uci get glconfig.general.force_dns)
case "$force" in
  '') force_dns remove ;;
  *)  force_dns add ;;
esac

# Vendor firewall hook; its contents are not part of this file.
gl-firewall

## PPTP Passthrough: delete-then-append keeps exactly one copy of the
## conntrack helper rule across firewall reloads.
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
root@GL-MT300N-V2:~#