Orbi LBR20 How-To / Megathread

hazarjast

Re: Orbi LBR20 How-To / Megathread

Post by hazarjast »

FYI, I noticed at some point I broke the OP by accidentally truncating some of the earliest entries in one of my last few updates. Luckily I had a backup so I went back and restored the truncated info. The truncated info was all old stuff which is pretty deprecated by the newer updates but I figured for context and posterity it should be restored.
grelm01

Post by grelm01 »

Has anyone cracked this Orbi open and replaced the U.FL internal LTE antennas with short U.FL to SMA Female to use with a 4x4 MIMO antenna?
hazarjast

Post by hazarjast »

Updated OP with links to latest available Voxel firmware and its release notes.
gilbreen

Post by gilbreen »

hazarjast,

Would one implement one or both of these scripts? I use both T-Mobile and AT&T plans with my Orbi LBR20. Is it possible to combine them into one script or is that not recommended?

Thanks!
hazarjast wrote: Sun Nov 21, 2021 1:37 am

While working on a friend's LBR20 I finally figured out the cause and solution of the ip6tables mangle randomly not taking effect on startup in Voxel's firmware when called using either 'firewall-start.sh' or 'firewall6-start.sh'. It helped that I actually went back and read the man page for the source package that is used for iptables on the LBR20, 'xtables-legacy':
https://manpages.debian.org/testing/ipt ... .8.en.html

Code:

LIMITATIONS
When inserting a rule using iptables -A or iptables -I, iptables first needs to retrieve the current active ruleset,
change it to include the new rule, and then commit back the result.
This means that if two instances of iptables are running concurrently, one of the updates might be lost.
This can be worked around partially with the --wait option.

After reading that I updated my iptables/ip6tables rules to include '-w' ('--wait') switches and now the ip6tables mangle appears to work on startup as desired. Also realized that for the rare few that have plans provisioned with public IPv4 IPs it would be best to have the iptables rules I was using from the CJ scripts which secure SSH on the WAN interface. Generally not necessary for most since almost all plans are CGNAT'ed these days but still including them for reference below. They all reflect the '-w' switch as indicated:

firewall-start.sh

Code:

# -w waits for the xtables lock instead of failing when another iptables instance holds it
# -C tests whether the rule already exists, so -I only runs when it is missing
# Secure SSH daemon by ensuring any WAN traffic is blocked
# (-m recent --set records the source address of each new SSH connection)
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --set > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --set

# Secure SSH daemon against bruteforce attacks
# (drops a source that has made 4 or more new connections within 60 seconds)
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# IPv4 TTL mod
iptables -w -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
iptables -w -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65

firewall6-start.sh

Code:

# IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
# Sleep added for good measure
sleep 5
ip6tables -w -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
ip6tables -w -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65
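
The check-then-insert pattern from the quoted post, wrapped in a helper that re-checks after each insert and retries when the rule did not stick, which is the lost-update case the man page excerpt describes. This is an added example, not code from the thread or from Voxel's firmware; `ensure_rule`, `apply_v4_rules`, `apply_v6_rules`, the `IPT4`/`IPT6`/`RETRIES`/`RETRY_DELAY` variables and the retry count and delay are assumptions.

```shell
#!/bin/sh
# Added example: ensure_rule and the variables below are hypothetical names,
# not part of Voxel's firmware. Rule arguments are the ones from the post.
IPT4=${IPT4:-iptables}
IPT6=${IPT6:-ip6tables}
RETRIES=${RETRIES:-3}          # assumed retry budget
RETRY_DELAY=${RETRY_DELAY:-1}  # assumed pause between attempts, in seconds

# ensure_rule BIN TABLE CHAIN POSITION RULE-ARGS...
# Sets ENSURE_RESULT to present, inserted or failed; returns non-zero on failed.
ensure_rule() {
    bin=$1; table=$2; chain=$3; pos=$4
    shift 4
    # Rule already loaded: do nothing, so re-running the script never duplicates it.
    if "$bin" -w -t "$table" -C "$chain" "$@" >/dev/null 2>&1; then
        ENSURE_RESULT=present
        return 0
    fi
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        n=$((n + 1))
        "$bin" -w -t "$table" -I "$chain" "$pos" "$@" >/dev/null 2>&1 || true
        # Verify the insert survived; another writer may have committed an
        # older copy of the ruleset over it.
        if "$bin" -w -t "$table" -C "$chain" "$@" >/dev/null 2>&1; then
            ENSURE_RESULT=inserted
            ENSURE_ATTEMPTS=$n
            return 0
        fi
        sleep "$RETRY_DELAY"
    done
    ENSURE_RESULT=failed
    return 1
}

# IPv4 rules from firewall-start.sh. The --set rule goes in first so the
# DROP rule, also inserted at position 1, ends up above it as in the post.
apply_v4_rules() {
    ensure_rule "$IPT4" filter net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --set &&
    ensure_rule "$IPT4" filter net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP &&
    ensure_rule "$IPT4" mangle POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65
}

# IPv6 rule from firewall6-start.sh.
apply_v6_rules() {
    ensure_rule "$IPT6" mangle POSTROUTING 1 -o wwan0 -j HL --hl-set 65
}
```

A `failed` result means the rule is still not loaded after all retries, so it is worth logging from whichever start script calls the helper.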