Does this firmware support VLAN tagging?
There are some VLAN settings in the Advanced option. I do not use them. They should be the same as in the stock firmware.
Voxel.
I have published a new version of the custom firmware: 1.0.2.15SF.
The link for download is https://yadi.sk/d/UH5g9Haz33Sz9K
Link for Webcam support for this version is: https://yadi.sk/d/sQtrSsQW33VyRy
Changes (vs 1.0.2.13SF):
1.0.2.15SF
1. Samba: config file is optimized.
2. OpenVPN: version is upgraded 2.3.13->2.3.14.
3. Toolchain: GCC compiler version is changed and its most recent OpenWRT & Debian patches are used.
4. Toolchain: uClibc most recent patches are added.
5. Toolchain: several host tools are upgraded.
6. Uhttpd: cyassl is changed to openssl (speed).
7. Cyassl: lib is removed to save space (not used now).
8. Transmission: bug in /etc/init.d/transmission is fixed.
9. Transmission: now user can use own config files in directory "transmission" kept on the root of external disk or in /etc/transmission.
10. Kernel codes are a bit optimized (acpuclock-ipq806x.c acpuclock-krait.c acpuclock.h).
11. If /.nocloud or /.nokwilt files are present, update and install of ReadyCLOUD/Kwilt will be disabled.
12. HighSpeed TCP added to available congestion controls.
13. Several of Netgear's minor bugs are fixed.
Voxel.
Zeljko:
Regarding Plex Media Server on R7800: your P.M. box is full. I cannot answer in P.M.
Voxel.
Really?! What's the limit of messages? Come on Netgear, increase the PM limit to more than just a few ;)
How to activate SSH from Windows, a kind of Windows-newbie tutorial:
1) format the USB stick on your Windows computer using EaseUS Partition Master
2) use the EXT3 file system and the "optware" label
3) connect the USB stick to the router (wait 30-60 seconds for the stick to be mounted and shared)
4) access the USB stick on the router using the normal Windows share "\\Readyshare\USB_Storage\" (if it is not visible, please enable the share in your router's ReadyShare options)
5) unzip and copy the files from Voxel's "setssh.tar" archive to the root of the USB stick (\\Readyshare\USB_Storage\)
6) generate an SSH key using "puttygen.exe" http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
7) select all and copy the key from "puttygen.exe" and paste it into the "authorized_keys" file from "setssh.tar"
8) in "puttygen.exe" save the private key to the Windows computer
9) open http://routerlogin.net/debug.htm and enable telnet
10) open "putty.exe" http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and connect to 192.168.1.1 using telnet (port 23)
11) in the telnet console use these commands:
"cd /tmp/mnt/" -- to go to the stick location
"ls" -- to check if the optware stick is mounted (if not, reinsert it and wait 30-60 sec)
"cd optware" -- to go to the stick location
"ls" -- to check if the files from "setssh.tar" exist on the stick
"cd .." -- to go back one level
"chmod -R 777 optware" -- to give recursive full permissions (including execute)
"cd optware/autorun/scripts" -- to go to the script location
"ls -l" -- to check the script file permissions (to see if it is executable)
12) remove the USB stick from the router
13) go to the router interface http://routerlogin.net and reboot the router
14) wait 30-60 seconds
15) insert the USB stick, wait 60 seconds (for the USB to be mounted and Voxel's script to be executed)
16) open "putty.exe", connect to 192.168.1.1 using SSH (port 22)
17) go to the putty.exe option Connection => SSH => Auth and browse to the key you saved in step (8)
18) open the SSH connection; when asked, use the user "root"
Finish.
Software used: EaseUS Partition Master; 7-Zip; puttygen; putty
Great job eliz! Thx a lot.
I have installed entware-cortex-a15-3x with hard float support. I made some benchmark tests:
cpubench: 3.7s (the same as Voxel's results)
openssl (Kong settings): 49863.98k 60882.30k 62309.38k 62972.93k 63829.11k (similar to Kong's results on DD-WRT) http://www.dd-wrt.com/phpBB2/viewtopic.php?t=287177
openssl (OpenWrt settings): https://wiki.openwrt.org/doc/howto/benchmark.openssl
Compared to my Asus RT-AC56U (the result table did not render on this forum; only the raw values survived, the column headers were lost):
89469270 26047490 19231960 7027590 12838360 4803900 22055250 19033430 16880590 17 676 66 53
155131060 212993950 132409690 67561810 29264210 11059200 84666030 71237630 62913540 149 6537 608 602
Now the only problem I have is that I have installed the Apache webserver from Entware, and I can't start it ("apachectl start").
I get this error: "httpd: bad user name nobody"
This is the default user name (specified in "/opt/etc/apache/httpd.conf") that Apache runs as.
I have checked in /etc/passwd and the user is there: "nobody:*:65534:65534:nobody:/var:/bin/false". So I have no idea why it doesn't want to run with this user. All directories and files of Entware (bin, sbin, etc, var, ...) are 755.
I have tried to run Apache with the users root, admin, guest ... the same error.
I have no problem running Apache on my Asus RT-AC56U with the Asus WRT Merlin operating system with the same config (with user nobody).
I have tried to install Nginx using this tutorial https://www.hqt.ro/nginx-web-server-with-php-support-through-entware/
and got a similar error when trying to start nginx:
"nginx: [emerg] getpwnam("nobody") failed (2: No such file or directory) in /opt/etc/nginx/nginx.conf:1
Started nginx"
The test page doesn't work.
Voxel, any idea?
eliz82:
Thanks a lot for your tutorial and benchmarks. I would only suggest:
Putty: there is a version of PuTTY with ECDSA support. OpenSSH uses ECDSA keys by default and Dropbear works faster with ECDSA keys. http://ice.hotmint.com/putty/ (in Japanese, but the links for downloads are clear, and Google Translate is available ;-))
p. 11: "chmod -R 777 optware". It is enough to set chmod for /mnt/optware/autorun/scripts/post-mount.sh. I do not like 777 for all files: bad practice. It does not matter in this concrete case, but if you do the same for a USB stick with Entware, some programs will not be workable (security reasons).
Well, anyway thank you. It is pleasant to get help.
User nobody. This Entware-3x uses the /opt/etc/passwd and /opt/etc/group files. Make sure that you have "nobody" in /opt/etc/passwd. In my initial archive /opt/etc/passwd is a symlink to /etc/passwd:
$ ls -l /opt/etc/passwd
lrwxrwxrwx 1 root root 11 Nov 25 13:24 /opt/etc/passwd -> /etc/passwd
Voxel
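As an added example (not Voxel's setssh.tar, and not part of eliz82's tutorial or this reply), here is the stick layout from steps 5, 7 and 11 prepared the way this reply suggests: only post-mount.sh gets the execute bit, authorized_keys is 0600, and the key line is checked to be in OpenSSH format before it is written (puttygen's default "SSH2 PUBLIC KEY" export is multi-line and is not what Dropbear reads). The mount point, the placeholder post-mount.sh and the key material are assumptions or constructed; run it on a Linux box against the ext3 stick before the stick goes into the router.

```shell
#!/bin/sh
# Added example for the "optware" stick in eliz82's steps 5-7 and 11, following
# Voxel's advice to make only post-mount.sh executable instead of chmod -R 777.
# Not from Voxel's setssh.tar or from either post. Assumed (labelled): the stick
# root holds authorized_keys and autorun/scripts/post-mount.sh, as the post says;
# the sample key and the dummy post-mount.sh below are constructed placeholders.
set -eu

# True if $1 is one single-line OpenSSH public key. puttygen's default export is
# the multi-line "---- BEGIN SSH2 PUBLIC KEY ----" format, which Dropbear does
# not read; take the line from puttygen's "public key for pasting into OpenSSH
# authorized_keys file" box instead (step 7). Key types: RSA/ECDSA as in Voxel's
# note; ed25519 only if the router's Dropbear build is new enough to accept it.
is_openssh_pubkey() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Lay out the stick: $1 = mount point of the stick, $2 = public key line.
# Directories 0755, authorized_keys 0600, and only post-mount.sh (already
# there from setssh.tar) gets the execute bit. Refuses a malformed key line.
prepare_optware_stick() {
    stick=$1; pubkey=$2
    is_openssh_pubkey "$pubkey" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$stick/autorun/scripts"
    chmod 0755 "$stick" "$stick/autorun" "$stick/autorun/scripts"
    # write the key with a restrictive umask so it is never world-readable
    ( umask 077; printf '%s\n' "$pubkey" > "$stick/authorized_keys" )
    chmod 0600 "$stick/authorized_keys"
    if [ -f "$stick/autorun/scripts/post-mount.sh" ]; then
        chmod 0755 "$stick/autorun/scripts/post-mount.sh"
    fi
    return 0
}

# Offline demo: build the layout in a temp dir with a placeholder post-mount.sh
# and a constructed (not real) Ed25519 key line; prints the directory it used.
demo_stick() {
    dir=$(mktemp -d)
    mkdir -p "$dir/autorun/scripts"
    printf '#!/bin/sh\n# placeholder standing in for the real post-mount.sh\nexit 0\n' \
        > "$dir/autorun/scripts/post-mount.sh"
    prepare_optware_stick "$dir" \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000 eliz@pc"
    echo "$dir"
}
```

demo_stick builds the layout in a temporary directory so the permission checks can be seen without a stick; for the real stick pass its mount point and the key line copied from puttygen's OpenSSH box. The permissions only stick because the volume is ext3, as in step 2; on FAT they would be ignored.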
Zeljko:
Plex on R7800: The limit of the mailbox on this forum is 50 messages. Your mailbox is full again, I cannot answer ;-)
Regards,
Voxel.
- Unfortunately I cannot show all the results; that table does not show correctly on this forum, only if you look at this web page's source code.
- Thanks for the tip about ECDSA, I didn't know that. Speeding up SSH is something I want because at work I'm using SSH tunneling to my home router for web browsing ;) I'm using Bitvise SSH because it is more stable than PuTTY for tunneling and has a very nice graphical interface.
- I have used Asus RT-AC56U + Asus Merlin + Entware NG with 777 on the entire USB stick without any problems for 1 year. I will try with 755 permissions. The thing is that I'm accessing the USB stick with SSH, SCP (WinSCP) and Samba. It seems that on this operating system SSH uses "root" and Samba uses "admin", so if the permissions of the files are 755 I can't modify any file from Samba, because user admin doesn't have write permission.
- Like I said, the user nobody is there, but it seems from the Nginx error that the getpwnam function can't access it. I will try what you said.
The good news:
Lighttpd and MySQL server are both working without any problems (from LAN). But I would really prefer Apache because of its more common rewrite rules; I have used it for 1 year on my Asus Merlin and it worked great.
The bad news:
1) It seems the R7800 doesn't have any power on the eSATA port. I'm amazed by that because the Linksys WRT1200AC is half the price and has 5V/500mA power on the eSATA port. I had hoped that I could replace the USB stick with an SSD using an eSATAp to SATA cable. I have tested it and it's not working, probably because the R7800 doesn't supply any power.
2) If I put my webserver on port 81, I'm unable to port forward from WAN port 80 to 192.168.1.1 port 81. It seems Netgear genie doesn't let me port forward to 192.168.1.1. I had no problem doing that kind of port forward in the Asus Merlin graphical interface.
https://hqt.ro/wp-content/uploads/lighttpd-portfw.png
3) I was unable to move the Netgear genie webserver "uhttpd" from port 80 to another port. I have tried to edit the uhttpd config in two places and move the port to 880 but it's not working. It seems uhttpd has another config in the "/rom/" directory. Voxel, any idea if those files from rom can be overwritten?
4) It seems ports 81 and 22 are inaccessible from outside (WAN), even though I have tried to make a script "optware/autorun/scripts/firewall-start"
using these iptables rules:
#!/bin/sh
iptables -I INPUT -p tcp --destination-port 81 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 22 -j ACCEPT
Aren't all files from optware/autorun/scripts executed?
I will try to modify the dropbear config and set a port for WAN according to this https://wiki.openwrt.org/doc/uci/dropbear
----
P.S. Hey Voxel, would it be a good idea to make a topic on snbforums about this firmware? It has a bigger user base and the forum interface is better (I don't even know how to make a quote or a code block here).
Many thanks Voxel for your replies, very helpful.
But let's take it in smaller steps because there are too many things that do not work.
Lighttpd is already working from LAN; I installed it using this tutorial:
https://www.hqt.ro/lighttpd-web-server-with-php-support-through-entware-ng/
so I will experiment on it. Let's forget about Nginx and Apache at this point.
The first things I want to do now are:
1) make SSH (port 22) and the webserver (port 81) accessible from the outside (the internet).
2) move SSH from port 22 to 443, move the webserver port from 81 to 80, and make them accessible from the internet.
-----------
I have added these lines at the end of the file /tmp/mnt/optware/autorun/scripts/post-mount.sh and restarted the router:
iptables -I INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 81 -j ACCEPT
However this does not work. Maybe the script is executed before the iptables service is started??
If I connect to SSH and execute these lines directly in the SSH console then I can access them from outside (the internet) using wan-ip:22 and http://wan-ip:81; everything works fine.
-----------
I have edited /etc/config/uhttpd and moved the ports from 80->880 and 443->8443.
I have edited /www/cgi-bin/uhttpd.sh as you suggested and changed the ports from 80->880 and 443->8443.
Restarted the router. Now it's finally working. I access Netgear genie from http://192.168.1.1:880 and it works. http://192.168.1.1 doesn't work anymore.
-----------
Tried to find /etc/config/dropbear but didn't find any file.
Edited /etc/init.d/dropbear and changed the port from 22 to 443.
So from what I see both uhttpd and dropbear are started with a port parameter, so any config with a port specification will be overridden.
Edited /opt/etc/lighttpd/lighttpd.conf and changed the port from 81 to 80.
Restarted the router.
Connected to Lighttpd at http://192.168.1.1 from LAN. Working perfectly.
Connected to the router SSH from LAN using 192.168.1.1:443. Executed these lines:
iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
Accessing SSH from the internet using wan-ip:443 works perfectly, including tunnelling.
Accessing the webserver from the internet with http://wan-ip is not working.
-----------
Using "iptables --list" I get this (I only find two lines related to the www port):
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain fw2net (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW multiport dports nntp,smtp,www,2345,3495,7070,ftp-data,ftp,5050,6060
-----------
Any idea why Lighttpd works perfectly on port 81 for both LAN and internet, but on port 80 works from LAN and not from the internet?
Should I copy-paste the entire "iptables --list" rules here?
Now I have read your replies again and saw "Netgear has its own firewall". OK, I saw your readme.docx,
so should I try to edit "/root/netwall-rules"?
I have created the file "/root/netwall-rules" and added these lines to it:
ACCEPT net fw tcp 443
ACCEPT net fw tcp 80
ACCEPT net fw tcp 81
443 is working from both LAN and WAN
81 is working from both LAN and WAN
80 is working only from LAN. From WAN it is not working.
So ... the same problem as using iptables.
nvram show | grep 192.168.1.222
forwarding1=HTTP↔to↔R7800 TCP 80 80 80 80 192.168.1.222 0 1
nvram set “forwarding1=HTTP↔to↔R7800 TCP 80 80 80 80 192.168.1.1 0 1”
nvram commit
"Most probably, port 80 is special because it is used for WebGUI from LAN, thus firewall does not open it." Yes, but 443 is also used by Netgear for HTTPS LAN WebGUI management. So I can't really understand their logic: why have they blocked only port 80 and not also 443? Is there a way to see all the Netgear firewall rules, like the "iptables --list" command?
-----
Yes, I have read your hack from the preceding post but I would prefer not to do it like this.
Why? Because on AsusWRT Merlin I had some strange problems with the webserver when I did this. See details here:
http://www.snbforums.com/threads/accesing-webserver-domain-from-router-i...
One of them affected the webserver: I was not able to make CURL or FOPEN requests to the webserver itself from PHP. For example, if you want to show in a WordPress sidebar the latest updates from a forum or a gallery using some kind of web API (JSON/REST), you usually use CURL from PHP (so not making direct searches in the database but rather indirect CURL requests to the same domain). And this was not working.
-----
So on AsusWRT Merlin I ended up removing the port forward rule wan:80 => 192.168.1.1:81 (from the HQT tutorials), disabled the router WebGUI management on port 80 (you can do that from the Merlin WebGUI), moved the WebUI HTTPS management from port 443 to another port (you can do that from the Merlin WebGUI), put my webserver (Apache) on port 80, put my SSH on port 443 (from the Merlin WebGUI) to be able to access it from my work, and enabled access to ports 80 and 443 from the internet (WAN) using iptables rules in my "firewall-start" file. After that I made a small custom DDNS script that registers my custom domain when the WAN IP changes, using these examples: https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS so I could have a custom domain for my webserver. It was quite easy to do; I think I finished everything in 1 day and did almost all of it from a graphical interface (the Merlin WebGUI) and WinSCP.
-----
I want to do the same thing for this router. But it seems complicated or impossible. I'm starting to be a little pessimistic at this moment and to believe that compared to my Asus RT-AC56U router I now have a 2.4x more powerful ... brick.
I will probably try to install DD-WRT on the R7800 and try these things again. If they don't work I will sell this 200 euro brick and buy myself a real router like an Asus or a Linksys WRT. I really hope Asus will launch some more powerful routers in 2017, with a 1.3GHz+ processor and 512MB RAM; if they had something like the Linksys WRT1200...3200 but with AsusWRT as the operating system on it, that would be close to my ideal router.
P.S. Even if DD-WRT works, I will really miss that CPU graph from AsusWRT. That really helped me optimise some of the PHP scripts on my webserver. I use htop from Entware now, but it is not the same. Is there any other program that can show a time graph of the CPU, not only instant values?
Well, so many questions…
1. Why the Netgear firewall blocks 80 but allows 443. Because (my supposition) it is allowed in the WebGUI (i.e. Netgear design) to set access to this WebGUI from WAN. But only using HTTPS (port 443), and it disallows insecure HTTP (80). Access to any router GUI from WAN by HTTP will cause its hacking.
2. Your problem. Sorry, too much unclear info. My "hack" is to forward 80->80. Not changing the port, not 80->81 or so. I just remember that I did something like that with the R7500, very close to the R7800. It was a year ago, I do not remember all the details, but I did not have ASUS-like problems.
3. iptables. You can play with them. I just know that it may even work sometimes, but will be spoiled by the Netgear firewall soon. I cannot change their firewall, no source codes. You can use your own iptables settings, see the /usr/sbin/net-wall script, it is my own script which calls Netgear's binary firewall. At the end of this script I use my iptables settings (disable ping from WAN). You can modify it according to your needs.
4. Yes, this router requires some additional efforts for advanced users. Every router does, if there are such specific advanced needs. If you dislike that, you can use ASUS or Linksys or whatever else of course. I selected it for myself (after years with AC56U and AC68U) because there is nothing even close to such a hardware configuration on the market now. 1.7GHz, 512MB RAM, 2xUSB3 and eSATA. But it is my own personal selection, others could disagree with me, it's their choice.
5. DD-WRT or OpenWRT or other open-source WRT are good, of course. But the main plus of the custom firmware (and thus my modifications) is that I do not lose such features as hardware NAT and proprietary drivers. Like Eric (Merlin) can and does use proprietary drivers in his builds.
6. Hardware monitor. There is an Entware package Netdata. I did not play with it much. Check how it looks:
http://forums.zyxmon.org/viewtopic.php?f=5&t=5448
(in Russian, but the screenshot is self-explanatory).
Voxel.
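Added example, not Voxel's net-wall script and not from his readme: the shape of an iptables block to append at the end of /usr/sbin/net-wall, following point 3 above. Because Netgear's firewall gets re-run and the script with it, each rule is inserted only after iptables -C reports it absent, so repeated runs do not stack duplicates. The WAN interface name, the admin source network and the dry-run stand-in are assumptions; "-m state --state NEW" is the match form visible in the iptables --list output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not Voxel's /usr/sbin/net-wall and not from his readme: rules
# meant to be appended at the end of that script (the spot Voxel names above
# for his own iptables settings), written so that re-running the script does
# not duplicate them. Assumed (labelled): the WAN interface name and the admin
# network are placeholders; "-m state --state NEW" is the match already seen
# in the iptables --list output quoted earlier in the thread.
set -u
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-brwan}                     # assumption: check "ifconfig" on the router
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}      # placeholder (TEST-NET-3): where you SSH in from
DRYRUN_FILE=${DRYRUN_FILE:-/tmp/net-wall.dryrun}

# Offline stand-in for iptables: "-C" looks the rule up, "-I"/"-A" record it.
# Set IPTABLES=dryrun_iptables to see what would be added without touching
# the router's firewall.
dryrun_iptables() {
    op=$1; chain=$2; shift 2
    touch "$DRYRUN_FILE"
    case "$op" in
        -C) grep -Fqx "$chain $*" "$DRYRUN_FILE" ;;
        -I|-A) printf '%s\n' "$chain $*" >> "$DRYRUN_FILE" ;;
        *) return 2 ;;
    esac
}

# Insert a rule only if an identical one is not already present: -C returns 0
# when the rule exists, so the script is safe to run on every firewall restart.
ensure_rule() {
    chain=$1; shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPTABLES" -I "$chain" "$@"
}

# SSH from WAN only for the admin network, the web port for everyone, both for
# NEW connections only; plus Voxel's "no ping from WAN".
open_wan_services() {
    ssh_port=$1; web_port=$2
    ensure_rule INPUT -i "$WAN_IF" -p tcp --dport "$ssh_port" -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    ensure_rule INPUT -i "$WAN_IF" -p tcp --dport "$web_port" -m state --state NEW -j ACCEPT
    ensure_rule INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# Number of rules recorded by the dry run (handy to prove idempotence).
dryrun_rule_count() { grep -c . "$DRYRUN_FILE"; }
```

Run it once with IPTABLES=dryrun_iptables and call open_wan_services 443 80 twice: the recorded rule count stays at three, which is the property the post-mount.sh attempt earlier in the thread lacked. Restricting the SSH rule to a source network is optional but cheap insurance for a router whose SSH is reachable from the internet.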
1) If sniffing the password in plain text, yes, but they could at least try to simply encrypt it with some JavaScript in the page (on the client side) to not make things so simple. And they could implement some brute-force protection; they could block authentication requests from that IP after 3 wrong tries.
2) Now I have seen that you forward wan:80 to 192.168.1.1:80. OK, I have followed all the steps and it's not working. Tried a second time after a restart, and after step (5) I did step (2) again to see if there are any changes in nvram. It seems the changes are not committed to the RAM.
3) Thanks for the info.
4) Yes, but some router software makes things much simpler, so you don't spend 10x more time doing the same things like changing the default ports. In computers, software complexity increased when hardware became more powerful; look at Unix and Windows, web design. It seems these guys are making more and more powerful routers but the software and especially the interfaces look like the year 2005. They can barely patch the security holes like OpenSSL Heartbleed. 8 years ago I used Tomato v1.23 and it was better than this Netgear genie 2016. These guys are expecting the volunteers in the open-source community to do the job for them. But they know how to ask $450 for the R9000 and not give it a simple SSH server.
5) Yes, I know. For hardware NAT acceleration I tried to stay with the original firmware the first time, and not install DD-WRT first.
6) Wow, http://london.netdata.rocks, that demo looks really nice. That's how interfaces for a 220 euro router in 2016 should look!!! Full of AJAX, modal windows and SVG graphs, responsive CSS design, etc.
2) Now I have seen that you forward wan:80 to 192.168.1.1:80. OK, I have followed all the steps and it's not working. Tried a second time after a restart, and after step (5) I did step (2) again to see if there are any changes in nvram. It seems the changes are not committed to the RAM.
Regarding port forwarding. It is like a bet, so you forced me to temporarily break my router settings to check this. I set forwarding of port 80 to 192.168.1.1 (IP of my R7800). Using my "trick". Screenshot:
https://yadi.sk/i/g-a99lt134Ajjj
I added squares to hide details of other settings, forwarding to my server 192.168.1.100. It is my private info. I set the name as Test, port 80 -> 192.168.1.1:80.
This screenshot was taken after a router reboot.
I cannot test this port forwarding any longer because port 80 is used by my web-server and it is inaccessible during this test. During the test I had to disable it. So I restored everything after a 5 min test.
Voxel.
Nice, on my router the damn thing just doesn't work. I tried 4 times, rebooted the router 4 times in the last hour.
------
nvram show | grep 192.168.1.222
forwarding1=Test TCP 80 80 80 80 192.168.1.222 0 1
nvram set “forwarding1=Test TCP 80 80 80 80 192.168.1.1 0 1”
nvram commit
I give the commands nvram set and nvram commit and they don't give any error.
But if after step (5) I try
nvram show | grep 192.168.1.222
I don't see any changes. If I reboot, again no changes. The value in the RAM is like the original one.
Are these quotes “ ” OK?
I think I found the problem. You made a mistake in your step-by-step tutorial.
nvram set “forwarding1=Test TCP 80 80 80 80 192.168.1.1 0 1”
must be:
nvram set forwarding1="Test TCP 80 80 80 80 192.168.1.1 0 1"
I made Apache accessible from the internet on port 80, with user nobody, with 3 virtual hosts. My Apache and php.ini config are all running fine, exactly like on the Asus AC56U. All sites seem to run fine. Victory!!
Thanks Voxel for your help.
The user nobody runs fine on Apache if I rename:
"/opt/etc/passwd.1" to "/opt/etc/passwd"
"/opt/etc/group.1" to "/opt/etc/group"
Is there any reason why you renamed those files in your Entware release?
Also your first solution works (with symlinks to those files and changing the user to admin). I did not test your second solution.
Now the next thing I want is: how do I execute my custom dynamic DNS script? On Merlin I used this tutorial:
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS
My script "/jffs/scripts/firewall-start" looks like this:
#!/bin/sh
# Custom DDNS hook on asuswrt-merlin: the firmware passes the new WAN IP as $1
AGENT=Custom
USERNAME=eliz
PASSWORD=mypass
SUBDOMAIN=eliz.somedns.com
IP=${1}
URL=http://www.somedns.com/update.php
# POST the form fields the provider's update page expects
curl -A "$AGENT" -d "username=$USERNAME&password=$PASSWORD&subdomain=$SUBDOMAIN&ipaddr=$IP&change=Update" "$URL"
# report the result back to the firmware so the WebGUI shows the DDNS status
if [ $? -eq 0 ]; then
/sbin/ddns_custom_updated 1
else
/sbin/ddns_custom_updated 0
fi
So I basically update my IP at my DNS provider using a CURL request that fills in a <form> on a webpage.
I think Merlin executes /jffs/scripts/firewall-start on every WAN IP change (wan up?) and passes the WAN IP to the script, which then reports back to the operating system (for updating the WebGUI).
So how can I make something automated like this?
It would be great if you made something similar in your next release.
OK, sorry for my misprint: influence, my head does not work as usual, fingers type by themselves ;-)
is there any reason why you renamed those files in your entware release ?
Entware-3x has two different installations. One is named "standard" and it is close to Entware-NG (no own passwd/group files are used). The second is named "alternative" and it uses its own passwd/group. Details of the installation scripts you can check from this link:
http://entware-3x.zyxmon.org/binaries/armv7/installer/
I just used the "standard" variant. What is better and what is not depends on concrete needs.
Regarding your DDNS: I do not quite understand, is it not enough for you to use DDNS from the router WebGUI? It supports three providers. Also there is a package in Entware, inadyn. And for example there is ddclient (a Perl-based script, you can google it) which I use with my DDNS provider from my Debian server. Or do you need some specific actions after changing IP, not only registration of the new IP?
Voxel.
"Is it not enough for you to use DDNS from the router WebGUI? It supports three providers."
Nope, I need to use a custom DDNS provider from my country (Romania). At the moment I'm using a free subdomain (something like eliz.somedns.ro), but in the near future I will use a full domain ("www.mydomain.ro" for example) for my router.
Now I know there are some DDNS providers that also allow full domains for free (like afraid.org) but I would prefer to use a DDNS provider in my country, because IP changes will probably propagate faster in my country and 90% of the visitors are from my country.
My DDNS provider has some help on how you can use Perl and the Perl module "WWW::Mechanize" to fill in the form they provide for dynamic IP registration. But I don't see the point for me; it is much simpler to do it from a bash script using a CURL request than installing Perl and modules.
So how do I get my WAN IP in my bash script? I have tried
nvram show | grep wan_ipaddr
but I only get 0.0.0.0, so I can't use IP=`nvram get wan_ipaddr` in my bash script.
"Or do you need some specific actions after changing IP, not only registration of the new IP?"
No, I only need to make that CURL request to my DDNS provider's server:
AGENT=Custom (user defines this in the script)
USERNAME=eliz (user defines this in the bash script)
PASSWORD=mypass (user defines this in the bash script)
SUBDOMAIN=eliz.somedns.com (user defines this in the bash script)
IP=${1} (this is passed by the daemon which executes the script on IP change, OR taken from another place like nvram)
URL=http://www.somedns.ro/update.php (user defines this in the bash script)
curl -A "$AGENT" -d "username=$USERNAME&password=$PASSWORD&subdomain=$SUBDOMAIN&ipaddr=$IP&change=Update" $URL (this executes the request with the defined parameters)
That is the whole script I want to be executed every time the WAN IP of the router changes (or on restart of the router?).
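Added example, neither the Merlin script above nor anything shipped in this firmware: a cron-driven updater doing what the last post describes. It reads the WAN address from busybox ifconfig (since nvram wan_ipaddr reports 0.0.0.0 here), ignores private and CGNAT addresses, contacts the provider only when the address actually changed, and reads the username/password from a 0600 file instead of keeping them in the script. The interface name, the provider URL and form fields (taken from the post's own curl line), the credentials path and the ifconfig text are assumptions or constructed; which hook this firmware offers on WAN-up is not stated on the page, so periodic execution from Entware cron is assumed.

```shell
#!/bin/sh
# Added example, not the Merlin script above and not anything from this
# firmware: a DDNS updater that finds the WAN address itself (nvram
# wan_ipaddr shows 0.0.0.0 here, per the post), only contacts the provider
# when the address changed, and keeps the password out of the script.
# Assumed (labelled): WAN interface name, the provider URL and form fields
# (taken from the post's curl line), the credentials file path, and that the
# script is run periodically, e.g. from Entware cron; SAMPLE_IFCONFIG is
# constructed text, not captured from a router.
set -u

WAN_IF=${WAN_IF:-brwan}                       # assumed name; check with ifconfig
STATE=${STATE:-/tmp/ddns.last_ip}             # last address pushed to the provider
CREDS=${CREDS:-/opt/etc/ddns.conf}            # chmod 0600; lines: USERNAME=.. PASSWORD=.. SUBDOMAIN=..
URL=${URL:-http://www.somedns.ro/update.php}  # provider form from the post
CURL=${CURL:-curl}                            # stand-in command for offline use

# Constructed busybox-style ifconfig output used by the offline demo/test.
SAMPLE_IFCONFIG='brwan     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:198.51.100.7  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Pull the first IPv4 address out of busybox "ifconfig <if>" output ($1).
wan_ip_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Plausibility check: four dotted octets, not 0.0.0.0, not RFC1918 or CGNAT
# (a private address on the WAN side means NAT upstream, worth noticing
# before registering it with a DNS provider).
is_public_ipv4() {
    case "$1" in
        0.0.0.0|10.*|192.168.*|127.*|169.254.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Returns 0 (and records $2 in state file $1) only when $2 differs from the
# stored value, so the provider is not hit on every cron run.
ip_changed() {
    state=$1; ip=$2
    if [ -f "$state" ] && [ "$(cat "$state")" = "$ip" ]; then
        return 1
    fi
    printf '%s\n' "$ip" > "$state"
}

# POST the new address. --fail makes a 4xx/5xx reply count as failure, which
# the post's "$? -eq 0" test alone does not; --data-urlencode keeps passwords
# containing & or = intact.
push_to_provider() {
    ip=$1
    . "$CREDS"   # provides USERNAME PASSWORD SUBDOMAIN
    "$CURL" -sS --fail -A Custom \
        --data-urlencode "username=$USERNAME" \
        --data-urlencode "password=$PASSWORD" \
        --data-urlencode "subdomain=$SUBDOMAIN" \
        --data-urlencode "ipaddr=$ip" \
        --data-urlencode "change=Update" \
        "$URL"
}

# One cron run: read the interface, bail unless the address is usable and new;
# on a failed push forget the recorded address so the next run retries.
ddns_run() {
    ip=$(wan_ip_from_ifconfig "$(ifconfig "$WAN_IF" 2>/dev/null)")
    is_public_ipv4 "$ip" || return 1
    ip_changed "$STATE" "$ip" || return 0
    push_to_provider "$ip" || { rm -f "$STATE"; return 1; }
}
```

A crontab line such as `*/5 * * * * /opt/bin/ddns-update.sh` (assumed path) gives the "on WAN IP change" behaviour the post asks for within a few minutes, and a reboot naturally causes one push because /tmp is cleared. The credentials file must be 0600 and owned by root; the password still travels over plain HTTP to the provider, which is a property of the provider's form, not of this script.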