Questions regarding migration from OpenWRT to NethSecurity

Hello,
Here is the configuration:


config dnsmasq 'ns_dnsmasq'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'hgs.name'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option logqueries '0'
        option noresolv '1'
        list server '1.1.1.1'
        list server '8.8.8.8'
        list server '1.0.0.1'
        list server '8.8.4.4'
        option confdir '/tmp/dnsmasq.d'


config boot
        option filename 'pxelinux.0'
        option servername 'msrv'
        option serveraddress '192.168.198.7'
        list dhcp_option 'option:root-path,192.168.198.7:/'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option instance 'ns_dnsmasq'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'LAN'
        option dhcpv4 'server'
        option limit '150'
        option start '100'
        option leasetime '12h'
        option interface 'LAN'
        option force '1'
        option instance 'ns_dnsmasq'
        option ns_binding '0'
        option ignore '0'
        list dhcp_option 'option:router,192.168.198.254'
        list dhcp_option 'option:dns-server,192.168.198.254'
        list dhcp_option 'option:ntp-server,192.168.198.254'
        list dhcp_option 'option:netmask,255.255.254.0'

config dhcp 'guest'
        option dhcpv4 'server'
        option limit '150'
        option start '100'
        option leasetime '12h'
        option interface 'guest'
        option force '1'
        option instance 'ns_dnsmasq'
        option ns_binding '0'
        option ignore '0'
        list dhcp_option 'option:dns-server,192.168.13.254'
        list dhcp_option 'option:ntp-server,192.168.13.254'
        list dhcp_option 'option:router,192.168.13.254'
        list dhcp_option 'option:netmask,255.255.255.0'

config dhcp 'MNG'
        option dhcpv4 'disabled'
        option limit '150'
        option start '100'
        option leasetime '12h'
        option interface 'MNG'
        option force '0'
        option instance 'ns_dnsmasq'
        option ns_binding '0'
        option ignore '1'

The “config boot” has been added manually.

Later today, I will try to add the MNG interface to the LAN policies and see if it will assign IP addresses again.


You have two DHCP servers running on LAN and one on guest.


I thought so too, until I saw in the log file how DHCP responds to requests on eth1 (MNG); I gave an example a little above.
Last night I changed the policy from MNG to LAN, and now DHCP is handing out addresses via LAN, but the web UI still shows that IP addresses were distributed via MNG.

Hello everyone.

I’ve finalized my migration. I’ll try to summarize everything so far. These are my settings, so what I describe is just a suggestion.

It took me longer than expected due to a strange issue. I use IPTV. When starting with snort active, the TV stream would occasionally drop. After many experiments and tests on two different hardware platforms, I finally managed to reduce stream interruptions to 2-3 per day.

I’m using NethSecurity on a VM. VM OS: Proxmox. Primary VM router on a dedicated machine just for this purpose, backup VM router on my main hypervisor.

Initially, I started with Qotom Q20332G9 S20, CPU Intel(R) Atom™ CPU C3758 @ 2.20GHz (8 cores), 32GB ECC RAM. I wanted to get the C3758R, but it wasn’t available at the time. Currently testing on Beelink AZW SER8 with AMD Ryzen 7 8745HS w/ Radeon 780M Graphics (8 physical cores, 16 threads), 32GB RAM. VM for primary router - 14 cores, 8GB RAM.

Final Settings

Manual settings in /etc/config/network

Solution for ISP DHCP and MAC address issue

Set custom MAC address on network interface:

config device 'ns_NAME'  
    ...  
    option macaddr 'AA:BB:CC:DD:EE:FF'

The next setting prevents the interface from being activated automatically when the backup router restarts. The interfaces are actually managed by keepalived using an external script, /etc/keepalived/scripts/primary-backup.sh.

Set interface to not come up after boot:

config interface 'NAME'  
    ...
    option auto '0'

The Script

#!/bin/sh

# Logging function
# Log a message to syslog (tag "keepalive-script") and echo it to stdout
# with a timestamp, so the keepalived notify output and the system log
# carry the same text.
# Arguments: $1 - message text
log_msg() {
    local stamp
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    logger -t "keepalive-script" "$1"
    printf '%s - %s\n' "$stamp" "$1"
}

# Service management function
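# Start or stop the DHCP/DNS related services in dependency order
# (odhcpd -> dnsmasq -> adblock on start, the reverse on stop).
# The one-second sleeps give each daemon a moment to settle before the
# next one is touched; they are kept as in the original script.
# Arguments: $1 - "start" or "stop"
# Returns:   status of the last init.d call; 1 for an unknown action
services() {
    local action="$1"
    case "$action" in
        start)
            log_msg "Services start: starting odhcpd, dnsmasq, adblock"
            /etc/init.d/odhcpd start
            sleep 1
            /etc/init.d/dnsmasq start
            sleep 1
            /etc/init.d/adblock start
            ;;
        stop)
            log_msg "Services stop: stopping adblock, dnsmasq, odhcpd"
            /etc/init.d/adblock stop
            sleep 1
            /etc/init.d/dnsmasq stop
            sleep 1
            # Kill any dnsmasq process the init script left behind.
            # Errors are ignored on purpose: "nothing to kill" is the
            # normal case here.
            killall dnsmasq 2>/dev/null
            sleep 1
            /etc/init.d/odhcpd stop
            ;;
        *)
            # Previously an unknown action fell through silently; make a
            # typo in the caller visible in the log instead.
            log_msg "ERROR: services: unknown action '$action'"
            return 1
            ;;
    esac
}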

# Update resolv.conf with lock to prevent overwrites
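# Point /etc/resolv.conf at a single nameserver and lock the file so that
# other services cannot overwrite it while this node is in BACKUP mode.
# Arguments: $1 - nameserver address to write (IPv4 or IPv6 literal)
# Returns:   0 when the file holds the expected line, 1 otherwise
update_resolv() {
    local nameserver="$1"
    local locked

    # The argument is written verbatim into a system file: refuse an
    # empty value (it would produce a dangling "nameserver " line) and
    # anything that is not an address literal.
    case "$nameserver" in
        ''|*[!0-9A-Fa-f.:]*)
            log_msg "ERROR: update_resolv: invalid nameserver '$nameserver'"
            return 1
            ;;
    esac

    log_msg "Updating /etc/resolv.conf with nameserver $nameserver"

    # Remove the immutable flag if present. Errors are ignored: the flag
    # may simply not be set, or the filesystem may not support it.
    chattr -i /etc/resolv.conf 2>/dev/null

    printf 'nameserver %s\n' "$nameserver" > /etc/resolv.conf

    # Make it immutable so nothing else rewrites it. NOTE(review): on
    # OpenWrt /etc/resolv.conf is commonly a symlink into /tmp (tmpfs),
    # where chattr +i is not supported; the original silently claimed
    # "locked" in that case, so record the real outcome instead.
    if chattr +i /etc/resolv.conf 2>/dev/null; then
        locked="locked"
    else
        locked="NOT locked (chattr +i failed)"
    fi

    # Verify the exact line as a fixed string: with a plain grep the "."
    # in an IPv4 address is a wildcard and an empty pattern matches
    # everything, so the old check could not fail.
    if grep -qFx -- "nameserver $nameserver" /etc/resolv.conf; then
        log_msg "resolv.conf successfully updated and $locked"
        return 0
    fi
    log_msg "ERROR: Failed to update resolv.conf"
    return 1
}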

# Restore resolv.conf to normal state
# Drop the immutable flag on /etc/resolv.conf so the system can manage
# the file normally again (PRIMARY mode).
restore_resolv() {
    local target=/etc/resolv.conf
    log_msg "Restoring resolv.conf to normal state"
    # stderr is discarded on purpose: the flag may not be set, or the
    # filesystem may not support it, and neither is treated as an error.
    chattr -i "$target" 2>/dev/null
    log_msg "resolv.conf unlocked"
}

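# Entry point: keepalived calls this script with "primary" or "backup".
# VR_IP_ADDRESS below is a placeholder for the virtual router address.
# Failures of the interface/service steps are collected in "rv" so that
# the final log line and the exit status reflect what actually happened:
# the original logged "$?" of the last log_msg call (always 0) and
# always exited 0, which hid failed ifup/ifdown or service restarts.
state="$1"
rv=0
case "$state" in
    primary)
        log_msg "=== Transitioning to PRIMARY mode ==="

        # Remove the default route that BACKUP mode installed via the
        # virtual router address; a missing route is not an error.
        log_msg "Removing default route via VR_IP_ADDRESS"
        ip r d default via VR_IP_ADDRESS dev br0 2>/dev/null

        # Let the system manage resolv.conf again
        restore_resolv

        # Bring up WAN interfaces
        log_msg "Bringing up ISP1 and ISP2 interfaces"
        ifup ISP1 || rv=1
        ifup ISP2 || rv=1

        # Start services
        services start || rv=1

        log_msg "=== PRIMARY mode activated ==="
        ;;

    backup)
        log_msg "=== Transitioning to BACKUP mode ==="

        # Bring down WAN interfaces first, so this node stops talking to
        # the ISPs before the services are stopped
        log_msg "Bringing down ISP1 and ISP2 interfaces"
        ifdown ISP1 || rv=1
        ifdown ISP2 || rv=1

        # Stop services
        services stop || rv=1

        # Route everything through the active router; an already
        # existing route is not an error.
        log_msg "Adding default route via VR_IP_ADDRESS"
        ip r a default via VR_IP_ADDRESS dev br0 2>/dev/null

        # Update and lock DNS resolver
        update_resolv "VR_IP_ADDRESS" || rv=1

        log_msg "=== BACKUP mode activated ==="
        log_msg "Note: snort and banip are managed by NethSecurity HA system"
        ;;

    *)
        log_msg "ERROR: unknown state transition - received parameter: $state"
        # Usage goes to stderr so it does not mix with the logged output
        printf 'Usage: %s {primary|backup}\n' "$0" >&2
        exit 1
        ;;
esac

log_msg "Script execution completed with status: $rv"
exit "$rv"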

Script Management in /etc/keepalived.user

Added the following:

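# keepalived notify hook (/etc/keepalived.user): on every state change
# log the event, mail the admin and run the primary-backup script.
# ACTION and NAME are provided by the keepalived notify environment that
# sources this file; they are not set here. HOSTNAME is assumed to be set
# by the calling shell — TODO confirm for the shell keepalived invokes.

# Current "state" directive from the generated keepalived config. Only
# the first match is used: the original "grep state | awk" printed one
# value per matching line, which yields a multi-line mail subject when
# several instances (or a comment containing "state") are present.
state=$(awk '$1 == "state" { print $2; exit }' /tmp/keepalived.conf 2>/dev/null)
ADMIN_EMAIL="user@domain.com"
MAIL_SUBJECT_PREFIX="$HOSTNAME [$state] keepalived"

# Log a line with tag "keepalived" and mail it to the admin.
# Arguments: $1 - subject suffix (MASTER/BACKUP/FAULT/STOP)
#            $2 - message text
notify_admin() {
    logger -t keepalived "$2"
    printf '%s\n' "$2" | mailx -s "$MAIL_SUBJECT_PREFIX $1" "$ADMIN_EMAIL"
}

case "$ACTION" in
    NOTIFY_MASTER)
        notify_admin MASTER "[$NAME] switched to MASTER – executing primary script"
        /etc/keepalived/scripts/primary-backup.sh primary
        ;;
    NOTIFY_BACKUP)
        notify_admin BACKUP "[$NAME] switched to BACKUP – executing backup script"
        /etc/keepalived/scripts/primary-backup.sh backup
        ;;
    NOTIFY_FAULT)
        notify_admin FAULT "[$NAME] entered FAULT state – forcing backup mode"
        /etc/keepalived/scripts/primary-backup.sh backup
        ;;
    NOTIFY_STOP)
        notify_admin STOP "[$NAME] STOP – keepalived stopped, switching to backup mode"
        /etc/keepalived/scripts/primary-backup.sh backup
        ;;
    *)
        # Ignore other events (e.g. NOTIFY)
        ;;
esac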

/etc/config/nginx

Adding http2 to `list listen '443 ssl'` works, with a caveat: this way of enabling http2 is deprecated. The warning is: “the “listen … http2” directive is deprecated, use the “http2” directive instead in /etc/nginx/nginx.conf”

Should change from:

listen 443 ssl http2;

to:

listen 443 ssl;
http2 on;

Syntax:

...
list listen '443 ssl'
list listen '[::]:443 ssl'
option http2 'on'
...

This could really be a checkbox option for adding http2 on in the config file.

/etc/config/snort

I have several suggestions here (these are the changes I made):

option home_net - by default it’s 192.168.1.0/24, but it should be the LAN network.

In the current version 8-24.10.0-ns.1.6.0, an interface is specified, but snort is configured for nfq and listens to the forward chain. The interface parameter is actually redundant.

In version 8.7.0, snort is configured for pcap - if you have two active ISPs, how do you configure snort for two interfaces?

/etc/config/dhcp

config boot
    option filename 'pxelinux.0'
    option servername 'myserver'
    option serveraddress '192.168.0.XX'
    list dhcp_option 'option:root-path,192.168.0.XX:/'

/etc/rc.local

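# /etc/rc.local fragment: runs once at the end of boot, as root on
# OpenWrt-based systems, so "sudo" (used by the original on two of the
# three lines only) is unnecessary and may not even be installed.

# 1) CPU idle governor: haltpoll is the cpuidle governor intended for
#    VM guests (this router runs as a Proxmox VM).
echo haltpoll | tee /sys/devices/system/cpu/cpuidle/current_governor

# 2) RPS: allow every CPU to process received packets on eth0's queues.
#    rps_cpus takes a hex CPU bitmask, built here as 2^nproc - 1.
#    NOTE(review): shell arithmetic is 64-bit and the kernel's cpumask
#    text format groups 32 bits per comma-separated word, so this form
#    is only safe for the 8-16 CPU hosts described here — verify before
#    reusing it on larger machines.
printf '%x\n' $(( (1 << $(nproc)) - 1 )) | tee /sys/class/net/eth0/queues/rx-*/rps_cpus

# 3) RFS: per-queue flow table size on all NICs; pairs with
#    net.core.rps_sock_flow_entries in the sysctl file.
echo 2048 | tee /sys/class/net/eth*/queues/rx-*/rps_flow_cnt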

First setting: CPU governor optimization.

Second setting: This is important because, by default, all receive processing for the NIC is handled by a single CPU, which can become saturated under heavy traffic. With this setting, I’m telling the OS to balance receive processing over all CPUs.

Third setting: This sets how many network flows the kernel should remember for Receive Flow Steering (RFS) purposes - a mechanism that directs packets to the CPU core where the application is running for better performance.

/etc/sysctl.d/99-main-tweaks.conf

# Main options

net.netfilter.nf_conntrack_buckets = 524288
net.netfilter.nf_conntrack_max = 2097152

# Network buffer sizes
# 134217728 - 128MB
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
# 16777216 - 16MB
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216

# Softirq budget
net.core.netdev_max_backlog = 30000
net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 8000

# RFS global
net.core.rps_sock_flow_entries = 32768

# TCP tuning
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
#net.ipv4.tcp_congestion_control = bbr

# 0 = keep the congestion window after brief idle periods, maintaining high throughput (the default, 1, resets it)
net.ipv4.tcp_slow_start_after_idle = 0
# Frees memory and conntrack slots faster, default is 30
net.ipv4.tcp_fin_timeout = 15

/etc/init.d/conntrackd

After: procd_set_param command $PROG -C /etc/conntrackd/conntrackd.conf
Add: procd_set_param nice -20


home_net is set to the lan networks when you save the settings in the IPS page.

No, it’s in nfq as in 8.6. Could you share your config?

Second and third settings are handled by default by packet_steering:

uci set network.globals=globals
uci set network.globals.packet_steering=2

Luci offers a user interface to adjust values.

What are the benefits of adjusting conntrack prio?

Also, did you debug IPTV and snort? What are the symptoms? Did you correlate disconnections to alerts? What snort stats say? I have a similar setup, I think I’ve never had disconnections, but I don’t watch tv a lot.


I tried on two installations and it was always 192.168.1.0/24. For me, when setting up the router, the LAN interface network was not applied. During the router configuration, the private network I use was not configured in /etc/config/snort. A possible reason for this is that I’m using a single eth0 with VLANs on top, which may be preventing proper configuration.

Here I was wrong (for which I apologize). Before configuring Snort through the web, the default configuration is “pcap”. After activating Snort, the configuration is “nfq”.

I’m not sure if I understood correctly. Please forgive me if I misunderstood, but I assume you’re suggesting the classic luci interface? I thought about this, but according to the nethsecurity documentation, this is not recommended.

I’ve been using this setting for many years and it’s also related to television. When I was on openwrt, what I was trying to do, when switching traffic from primary to secondary and back, was to avoid television interruption. And this was one of the things that helped.

Thank you for this, I hadn’t thought of it. But unfortunately I didn’t find a solution for this:

```
# RFS
echo 2048 | tee /sys/class/net/eth*/queues/rx-*/rps_flow_cnt
```

It’s possible I’m doing the rps_flow_cnt setting incorrectly, I don’t know uci that deeply.

The causes turned out to be several and of different origins. `cron -a` on adblock restarts dnsmasq, and this leads to an interruption; since it’s a bit random, it took me time to catch it. Snort as protection doesn’t block the traffic. In the end I ran snort in max-detect mode; there is one rule that snort triggers on. After that I made a bypass for the TV box and the IPs of the TV stream server. As far as I can understand, the problem is not snort stopping the traffic, but once I activate snort, packet loss begins. It’s not load; the load is between 0.5 and 0.1. It’s possible the physical network card on the HV is causing the problem. The Beelink AZW SER8 belongs to a friend who helped me out to check how it would work. The Beelink AZW SER8 has a Realtek RTL8125 network card. Soon I’ll order a similar one but with 2 Intel cards, and then I’ll have clarity. After configuring qosify, things improved significantly, but there’s still a problem 2 or 3 times a day. It’s not that much of a problem, but it just annoys me.

Hello,
Thank you @filippo_carletti.
I found how to configure it:

uci set network.globals.steering_flows='2048'

I figured out what the problem was with my TV (at least I think so).
I forgot to describe the IP address of one of the stream servers.
I finished the migration, everything works great.
I may have missed explaining something, I’ll be happy to answer.
NethSecurity is incredible. Great work, team!


Only to set the RPS count, see Luci → Network →Interfaces →Global network options.


Here’s the English translation for the NethSecurity forum:


Hello, Yes, I saw the documentation and found the setting. After that, I found how to enable it through uci. After a restart, everything works. As for my TV interruptions, I added the stream servers to qosify with the +video parameter. Then I mark the traffic from the stream servers with iptables using this rule:

iptables -t mangle -A PREROUTING -s ip_stream_server -j DSCP --set-dscp-class AF41

After these settings, everything works. What I assume is that with many Snort rules, there is packet delay. Both the stream server and the set-top box are added as bypass. Over the past few days, I’ve had 2 or 3 interruptions.


You can create a similar rule using UCI. Example rule export:

config rule
option src 'wan'
option dest 'lan'
option name 'stream'
list src_ip 'ip_stream_server'
option target 'DSCP'
option set_dscp 'AF41'

Correct, but it should be unnoticeable. Could you measure it with ping? Both when snort is active and when it is stopped.


Hello @filippo_carletti

I know about the uci version, but I want to work with iptables for monitoring, and then I’ll try nftables. Actually, the interruptions are 2 or 3 per day.
And they’re very difficult to observe.
I’m planning next Saturday/Sunday to switch to nftables

ping -c 10000 -i 0.02 -s 1440 IP

--- gw ping statistics ---
10000 packets transmitted, 10000 received, 0% packet loss, time 215927ms
rtt min/avg/max/mdev = 0.133/0.158/0.604/0.021 ms

gw - virt IP - main local gateway ns_policy 'security'

--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9879 received, 1.21% packet loss, time 216699ms
rtt min/avg/max/mdev = 0.427/0.530/2.133/0.055 ms
--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9859 received, 1.41% packet loss, time 215865ms
rtt min/avg/max/mdev = 0.441/0.546/2.294/0.060 ms
--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9971 received, 0.29% packet loss, time 216140ms
rtt min/avg/max/mdev = 0.441/0.540/18.179/0.190 ms

snort stop

--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9863 received, 1.37% packet loss, time 216123ms
rtt min/avg/max/mdev = 0.398/0.478/12.918/0.157 ms
--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9880 received, 1.2% packet loss, time 215812ms
rtt min/avg/max/mdev = 0.401/0.481/15.303/0.197 ms
--- IP_GW_ISP ping statistics ---
10000 packets transmitted, 9882 received, 1.18% packet loss, time 216109ms
rtt min/avg/max/mdev = 0.408/0.474/3.381/0.111 ms

During the tests I was watching TV and there were no interruptions. With ping 0.02, the router might drop the ping :slight_smile:

load router

The load-a graph is during the test.
At first glance there are visibly no reasons for the interruptions, but after marking the traffic + qosify everything works normally.

It seems that @francio87 reproduced your issue:
