GoldenOrb NFT TTL settings

Post by biorchang »

Hi all.

I am running pre-release build GO2023-04-05-AB22 and received a message that I had legacy iptable rules and nftable rules in conflict. (Sorry did not take a screenshot)

The Custom Rules tab for the firewall no longer has the text box for iptable rules, but instead has a TTL value. I set mine to a value of 65 and see the following in the modem log:

Fri Apr 7 15:32:40 2023 : TTL Settings 1 Setting TTL 65 on interface wwan0
Fri Apr 7 15:32:40 2023 : TTL Settings 1 iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
Fri Apr 7 15:32:40 2023 : TTL Settings 1 iptables -t mangle -I PREROUTING -i wwan0 -j TTL --ttl-set 65

Couple of questions:

1. Will this set TTL for both IPv4 and IPv6?
2. Any concern with the iptable vs. nftables conflict message?

Thanks!

Post by Didneywhorl »

There is some debate on this. The only way to tell is to have the ping6 utility/app on a PC and ping the router's IPv6 address, if there is one available. Regular ping for IPv4.

Post by BillA »

biorchang wrote: Fri Apr 07, 2023 6:13 pm Hi all.

Couple of questions:

1. Will this set TTL for both IPv4 and IPv6?
2. Any concern with the iptable vs. nftables conflict message?

Thanks!

Normally you'd want to include the TTL rules for both IPv4+v6.
The global rules below cover all interfaces, no need to specify each interface separately (like wwan0, etc).

iptables -t mangle -I PREROUTING -j TTL --ttl-set 65
iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
ip6tables -t mangle -I PREROUTING -j HL --hl-set 65
ip6tables -t mangle -I POSTROUTING -j HL --hl-set 65

Just because your modem log is only showing "TTL --ttl-set 65" but not "HL --hl-set 65", that doesn't mean that IPv6 is not handled too.
That also depends on the carrier, some use IPv4 only like Verizon, or IPv4+v6 like T-Mobile and AT&T.
Also, if you have the IPv6 driver disabled on your computer, then the router will always use IPv4 for that device.
The true test is once you have used up your monthly hotspot allowance (usually 5-10 gigs), if it keeps working then the TTL is handled properly and the TTL value is set correctly. If the internet stops working, then either IPv6 is not handled properly or the TTL value is wrong.
Which router are you using, and have you tried the latest 2024 firmware yet?

Since the latest OpenWRT v22 has removed IPTables completely in some routers like from GLINet (Flint/AX1800 or Flint2/MT6000), does anyone know how to convert the above IPTable into the equivalent NFTable rules?
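
Added example (not part of any post in this thread, and not GoldenOrb or OpenWrt code): a POSIX shell helper that translates the TTL/HL mangle rules quoted above into nft commands. The table name `inet fw4` and the chain names `mangle_prerouting` / `mangle_postrouting` are assumed firewall4 defaults; `ipt_ttl_to_nft` and `NFT_TABLE` are names made up for this example.

```sh
#!/bin/sh
# Added example. Assumption: firewall4's default table "inet fw4" and its
# mangle_prerouting / mangle_postrouting chains; override NFT_TABLE otherwise.
NFT_TABLE="${NFT_TABLE:-inet fw4}"

# Print the nft command for one iptables/ip6tables TTL/HL rule; return 1 if unsupported.
ipt_ttl_to_nft() {
    set -f; set -- $1; set +f        # split the rule into words, no globbing
    [ $# -ge 1 ] || return 1; cmd=$1; shift
    verb= ; chain= ; match= ; target= ; value=
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || return 1     # every option handled here takes a value
        case $1 in
            -t) [ "$2" = mangle ] || return 1 ;;
            -I) verb=insert; chain=$2 ;;   # -I puts the rule at the head
            -A) verb=add; chain=$2 ;;      # -A appends to the chain
            -o) match="oifname \"$2\" " ;;
            -i) match="iifname \"$2\" " ;;
            -j) target=$2 ;;
            --ttl-set|--hl-set) value=$2 ;;
            *) return 1 ;;
        esac
        shift 2
    done
    case $chain in
        PREROUTING) chain=mangle_prerouting ;;
        POSTROUTING) chain=mangle_postrouting ;;
        *) return 1 ;;
    esac
    case $value in ''|*[!0-9]*) return 1 ;; esac
    [ "$value" -ge 1 ] && [ "$value" -le 255 ] || return 1   # 8-bit header field
    case "$cmd/$target" in
        iptables/TTL) field="ip ttl" ;;         # IPv4 time-to-live
        ip6tables/HL) field="ip6 hoplimit" ;;   # IPv6 hop limit
        *) return 1 ;;
    esac
    echo "nft $verb rule $NFT_TABLE $chain ${match}$field set $value"
}

# The four global rules from the post, plus one interface-bound rule from the modem log.
while IFS= read -r rule; do
    ipt_ttl_to_nft "$rule" || echo "# not translated: $rule"
done <<'EOF'
iptables -t mangle -I PREROUTING -j TTL --ttl-set 65
iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
ip6tables -t mangle -I PREROUTING -j HL --hl-set 65
ip6tables -t mangle -I POSTROUTING -j HL --hl-set 65
iptables -t mangle -I POSTROUTING -o wwan0 -j TTL --ttl-set 65
EOF
```

Rules added with `nft` at runtime are dropped when firewall4 reloads its ruleset, so they have to be re-applied or made persistent in the firewall4 configuration.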

Post by Didneywhorl »


Post by BillA »

Didneywhorl wrote: Tue Apr 30, 2024 11:54 am Best explanation I've seen: https://www.maroonmed.com/ttl-modificat ... firewall4/

F*ckin' ayy! They always have to mess with stuff which ain't broken.
No more nice Custom Rules GUI, but silly command line config. :(
Seriously, what were they thinking when dropping the Custom Rules GUI, instead average users SSH-ing into routers?! smh

Post by Didneywhorl »

Just takes a new open sourcer to add a luci package :)

Post by BillA »

Didneywhorl wrote: Tue Apr 30, 2024 4:08 pm Just takes a new open sourcer to add a luci package :)
Well it's easy for you and me, but for the average user using SSH may be challenging.
Does the InvisaGig perform TTL internally, or it has to be done on the router?

Post by Didneywhorl »

BillA wrote: Wed May 01, 2024 5:48 pm Does the InvisaGig perform TTL internally, or it has to be done on the router?
It handles TTL and HL itself

Post by BillA »

Didneywhorl wrote: Thu May 02, 2024 6:35 am
BillA wrote: Wed May 01, 2024 5:48 pm Does the InvisaGig perform TTL internally, or it has to be done on the router?
It handles TTL and HL itself

Would you know of a GUI based NFTables editor package? That'd be helpful.

Post by Didneywhorl »

Nope :(