Orbi LBR20 How-To / Megathread

hazarjast
Posts: 137
Joined: Wed Dec 11, 2019 8:38 am
Has thanked: 17 times
Been thanked: 37 times

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

FYI, I noticed at some point I broke the OP by accidentally truncating some of the earliest entries in one of my last few updates. Luckily I had a backup so I went back and restored the truncated info. The truncated info was all old stuff which is pretty deprecated by the newer updates but I figured for context and posterity it should be restored.
hazarjast

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

Updated OP with links to latest available Voxel firmware and its release notes.
gilbreen
Posts: 10
Joined: Mon Aug 31, 2020 4:26 pm
Has thanked: 0
Been thanked: 0

Re: Orbi LBR20 How-To / Megathread

Post by gilbreen »

hazarjast,

Would one implement one or both of these scripts? I use both T-Mobile and AT&T plans with my Orbi LBR20. Is it possible to combine them into one script or is that not recommended?

Thanks!
hazarjast wrote: Sun Nov 21, 2021 1:37 am
While working on a friend's LBR20 I finally figured out the cause and solution of the ip6tables mangle randomly not taking effect on startup in Voxel's firmware when called using either 'firewall-start.sh' or 'firewall6-start.sh'. It helped that I actually went back and read the man page for the source package that is used for iptables on the LBR20, 'xtables-legacy':
https://manpages.debian.org/testing/ipt ... .8.en.html

LIMITATIONS
When inserting a rule using iptables -A or iptables -I, iptables first needs to retrieve the current active ruleset,
change it to include the new rule, and then commit back the result.
This means that if two instances of iptables are running concurrently, one of the updates might be lost.
This can be worked around partially with the --wait option.

After reading that I updated my iptables/ip6tables rules to include '-w' ('--wait') switches and now the ip6tables mangle appears to work on startup as desired. Also realized that for the rare few that have plans provisioned with public IPv4 IPs it would be best to have the iptables rules I was using from the CJ scripts which secure SSH on the WAN interface. Generally not necessary for most since almost all plans are CGNAT'ed these days but still including them for reference below. They all reflect the '-w' switch as indicated:

firewall-start.sh

# Secure SSH daemon by ensuring any WAN traffic is blocked
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --set > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --set

# Secure SSH daemon against bruteforce attacks
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# IPv4 TTL mod
iptables -w -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
iptables -w -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65

firewall6-start.sh

# IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
# Sleep added for good measure
sleep 5
ip6tables -w -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
ip6tables -w -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65
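
Added example, not part of the quoted post and not hazarjast's or Voxel's code: the same `-w -C ... || -w -I ...` pattern used in both scripts, wrapped in one helper, plus a read-only check that names any of the four rules still missing after startup. The `IPT`/`IP6T` overrides, the function names and the `apply`/`verify` arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. IPT/IP6T are overridable (assumption)
# so the logic can be exercised off-device with stand-in commands.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# ensure_rule CMD TABLE CHAIN RULE...
# Insert at position 1 only when -C says the rule is absent. -w makes each
# call wait for the xtables lock instead of racing another instance.
ensure_rule() {
    cmd=$1; table=$2; chain=$3; shift 3
    "$cmd" -w -t "$table" -C "$chain" "$@" >/dev/null 2>&1 && return 0
    "$cmd" -w -t "$table" -I "$chain" 1 "$@"
}

# rule_present CMD TABLE CHAIN RULE...
# Read-only check; names the rule on stderr when it is missing.
rule_present() {
    cmd=$1; table=$2; chain=$3; shift 3
    "$cmd" -w -t "$table" -C "$chain" "$@" >/dev/null 2>&1 && return 0
    echo "missing: $cmd -t $table $chain $*" >&2
    return 1
}

# for_each_rule FN: run FN over the four rules from the quoted scripts,
# in the same order. Exit status = number of rules for which FN failed.
for_each_rule() {
    fn=$1; failed=0
    "$fn" "$IPT" filter net2loc -p tcp --dport 22 -m state --state NEW \
        -m recent --set || failed=$((failed + 1))
    "$fn" "$IPT" filter net2loc -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 -j DROP || failed=$((failed + 1))
    "$fn" "$IPT" mangle POSTROUTING -o wwan0 -j TTL --ttl-set 65 \
        || failed=$((failed + 1))
    "$fn" "$IP6T" mangle POSTROUTING -o wwan0 -j HL --hl-set 65 \
        || failed=$((failed + 1))
    return "$failed"
}

apply_rules()  { for_each_rule ensure_rule; }   # idempotent install
verify_rules() { for_each_rule rule_present; }  # 0 = all four present

# Stand-alone use: "<script> apply" or "<script> verify"; no argument does nothing.
case "${1:-}" in
    apply)  apply_rules ;;
    verify) verify_rules ;;
esac
```

Running the `verify` step a few seconds after boot shows whether a concurrent iptables instance dropped one of the inserts; the exit status is the number of rules missing.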
TNdave88
Posts: 4
Joined: Wed Dec 23, 2020 9:42 pm
Has thanked: 0
Been thanked: 0

Re: Orbi LBR20 How-To / Megathread

Post by TNdave88 »

Please move or delete if not allowed, I'm not sure where to put this. I have an LBR20 running Voxel with circle jerk and everything running. I also have a Verizon 4G LTE home internet gateway but there is no easy way to add external antennas. I have been trying to just swap SIMs into the LBR20 but no luck. I have magic done, APN changed, tried changing TTL values in the script but to no avail. I would LOVE for this to work, it's showing Band 66 versus Band 2 on ATT that is normally in the Orbi, so it's communicating somehow and the signal difference is HUGE... I feel like I'm missing something. It also has a very strange APN and I'm wondering if that is what's causing it. The APN is V5GA01INTERNET, so I first thought it has something to do with the Orbi not being 5G capable, but the Verizon gateway shows "using 4G technology" (or something similar). Am I just missing something? Any help would be great or just a point in the right direction. There is not much info on this Verizon gateway, I wish I could get a 1st gen one because you can add antennas.
TNdave88

Re: Orbi LBR20 How-To / Megathread

Post by TNdave88 »

grelm01 wrote: Wed Dec 29, 2021 10:22 pm
Has anyone cracked this Orbi open and replaced the U.FL internal LTE antennas with short U.FL to SMA female to use with a 4x4 MIMO antenna?

Yes, I have; it wasn't hard at all. I put it all in an external enclosure.
hazarjast

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

VOXEL FIRMWARE V9.2.5.2.28SF RELEASED
!!! Please upgrade to this version ASAP as there are many security vulnerabilities patched !!!!
Updated version of Voxel firmware is out and can be downloaded below:
https://www.voxel-firmware.com/Download ... 8SF-HW.zip

Release notes can be found here:
https://www.snbforums.com/threads/custo ... -hw.76775/

Also in this version is 'get-sms.sh', a tool for reading SMS messages. If you can test the tool and report any issues, this would be most appreciated. Usage below:

get-sms.sh - read all SMS
get-sms.sh #num - read SMS #num
get-sms.sh #start #end - read SMS from #start to #end.
hazarjast

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

gilbreen wrote: Wed Jan 12, 2022 2:55 pm
hazarjast,

Would one implement one or both of these scripts? I use both T-Mobile and AT&T plans with my Orbi LBR20. Is it possible to combine them into one script or is that not recommended?

Thanks!

You would use both of the scripts since by default most cellular networks connect with dual stack PDP (IPV4V6) option these days. Voxel recommends splitting them out to segregate iptables commands vs ip6tables commands. Logically I agree with this as it makes sense and is easier to troubleshoot later on. Both are called by his netwall script so there's no point in combining them, IMHO.
hazarjast

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

TNdave88 wrote: Thu Jan 20, 2022 9:46 pm
Please move or delete if not allowed, I'm not sure where to put this. I have an LBR20 running Voxel with circle jerk and everything running. I also have a Verizon 4G LTE home internet gateway but there is no easy way to add external antennas. I have been trying to just swap SIMs into the LBR20 but no luck. I have magic done, APN changed, tried changing TTL values in the script but to no avail. I would LOVE for this to work, it's showing Band 66 versus Band 2 on ATT that is normally in the Orbi, so it's communicating somehow and the signal difference is HUGE... I feel like I'm missing something. It also has a very strange APN and I'm wondering if that is what's causing it. The APN is V5GA01INTERNET, so I first thought it has something to do with the Orbi not being 5G capable, but the Verizon gateway shows "using 4G technology" (or something similar). Am I just missing something? Any help would be great or just a point in the right direction. There is not much info on this Verizon gateway, I wish I could get a 1st gen one because you can add antennas.

Unless the 'magic' that has been done matches the VZ gateway device's identifier exactly (and that device is not connected to the network) then nothing else will matter much as I believe the VZ service is IMEI locked. Depending on the firmware you could try switching your MBN file as well but I don't have Verizon and have not messed with changing MBN so YMMV.