[Snap] Fritzbox 7340 iptables

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › [Snap] Fritzbox 7340 iptables

mappu

3 posts

Wannabe Geek

#113769 27-Jan-2013 20:57

Hi! I'm trying to count vdsl traffic on a per-user basis for everyone on my lan.

Has anyone managed to get iptables running on the Fritzbox 7340/7390?

I have freetz-trunk installed on my 7340 with the iptables binary, but ip_tables.ko doesn't seem to get built into the firmware image / doesn't appear in lsmod... The iptables binary appears to work correctly, but the counts it gives are inaccurate, far too small, and nothing ever counts on the vdsl interface. The counts in ifconfig seem realistic however.

From a brief chat auf deutsch on ##fritzbox i understand the ikanos fusiv chip in the fritzbox does some hardware accelerated routing that bypasses the kernel stack, but no specific fusiv iptables module exists to make this work properly..

Any ideas?

Worst-case scenario is i have to disable wifi on the fritzbox and put another linux machine (with working iptables) and another wifi router inbetween the vdsl and my lan.. which seems like a lot of hassle..

mercutio

1387 posts

Uber Geek

#751776 28-Jan-2013 10:00

maybe just use the fritzbox as a bridge, then you just need a linux box, set it up as dhcp server, and have all the traffic go through it and forward to the fritzbox.

hardware accelerated routing, and small counters makes me think you're going to struggle to do anything on the router itself, whether you use wifi, ethernet, or vdsl interfaces to monitor, but you should be able to continue to use the wifi on the fritzbox.

TrendMicro

Best TrendMicro deals for antivirus and malware protection(affiliate link).

frizianz

105 posts

Master Geek

#752966 29-Jan-2013 22:51

Could always full bridge it back to a linux box then hack together vlan tagging and use wifi on a different vlan back in?

Haven't tried it myself but im sure its possible.

SamF

1512 posts

Uber Geek

Trusted

#752993 29-Jan-2013 23:59

Save yourself a lot of time and trouble mate, bridge / double NAT it and use another firewall product between the Fritz and the LAN. I use Astaro (now Sophos) which has the best per-IP traffic accounting out there in a free product (& believe you me, I've looked at EVERYTHING). The only down-side is that you won't be able to use the wireless on the fritz unless you do some fancy configuration, but I've looked at this extensively in the past and this is the best setup I've been able to come up with.

quakeguy

111 posts

Master Geek

Trusted

#753088 30-Jan-2013 09:45

I've built Freetz against the 7340 and iptables works, but loading ipt_nat.ko causes the box to lock up every time.

I'm not even sure conntrack loads, so -m state is a no-go.

I did manage to get mine to bridge the VDSL to Ethernet using Freetz, by killing AVM's dsld, unplugging eth1 from the default bridge, and adding both it and the 'vdsl' interface to a new bridge instance.
So the 'vdsl' EFM interface is treated just like Ethernet, and you can even add vlans to it with vconfig; this leads me to believe that NAT is the only hurdle left and we're home and hosed.

If someone donates to me, I might consider building an image to do easy bridging of VDSL to Ethernet on the 7340 :-)

Bridging ADSL to Ethernet is not possible (without arcane wizardry). When connected to an ADSL line, the Fritz creates an ATM interface; when connected to VDSL, the Fritz creates an EFM interface (Ethernet-compatible).

In the meantime, here's something useful for technical-types:

### YOU NEED THE FREETZ FIRMWARE, with vlan and bridge support compiled into the kernel ###
### THIS WON'T DIRECTLY WORK on the 7390 because the internal interface topology is different, there is a switch in the way! ###

# get rid of AVM's 'dsld' proprietary software
killall dsld

# remove eth1 from the LAN bridge
brctl delif lan eth1

# make a new bridge instance called 'dslbr'
brctl addbr dslbr

# add a subinterface representing VLAN 10-tagged traffic to the VDSL interface
vconfig add vdsl 10

# bring both vdsl and vdsl.10 subinterface up
ifconfig vdsl up
ifconfig vdsl.10 up

# add vdsl.10 subinterface and eth1 interface to bridge
brctl addif dslbr vdsl.10
brctl addif dslbr eth1

# bring the bridge up
ifconfig dslbr up

Now you should be able to connect to LAN 2 on the Fritz and see your ISP's PPPoE concentrator.

#todo: replace usage of vconfig and ifconfig with ip to make the elitists happy

“I do not think there is any thrill that can go through the human heart like that felt by the inventor as he sees some creation of the brain unfolding to success... Such emotions make a man forget food, sleep, friends, love, everything.” - Nikola Tesla

Disclaimer: Views expressed in my posts do not necessarily reflect those views of my employer.

sidefx

3639 posts

Uber Geek

Trusted

#753096 30-Jan-2013 09:56

quakeguy:
If someone donates to me, I might consider building an image to do easy bridging of VDSL to Ethernet on the 7340 :-)

Oh yes please! Do you accept digital chocolate fish donations?? :P

"I was born not knowing and have had only a little time to change that here and there." | Electric Kiwi | Sharesies
- Richard Feynman

JaBZ

383 posts

Ultimate Geek

#983786 10-Feb-2014 23:11

I've also managed to build Freetz against my 7340, using a base 05.51 image. Had to remove several packages to ensure the compiled image size remained small enough.
I requested this thread unlocked as I had an issue trying to add the VDSL sub interface with VLAN 10 tagged traffic. However I have managed to solve it.

Thanks to Tim for the original steps.

First you need to ensure VDSL sync is up or the interface won't exist.
I also had to change the order of, getting rid of AVM's 'dsld', if I killed it first the VDSL interface would state it is down.

# remove eth1 from the LAN bridge
brctl delif lan eth1

# make a new bridge instance called 'dslbr'
brctl addbr dslbr

# get rid of AVM's 'dsld' proprietary software
killall dsld

# add a subinterface representing VLAN 10-tagged traffic to the VDSL interface
vconfig add vdsl 10

# bring both vdsl and vdsl.10 subinterface up
ifconfig vdsl up
ifconfig vdsl.10 up

# add vdsl.10 subinterface and eth1 interface to bridge
brctl addif dslbr vdsl.10
brctl addif dslbr eth1

# bring the bridge up
ifconfig dslbr up

Tim any progress is making this persistent across a reset/reboot of the Fritzbox?
My next steps will be to try create a startup script and see if it can be added to the boot process.

My opinions and ideas expressed in posts are solely my own and do not reflect the views of my employer in any way..