Orbi LBR20 How-To / Megathread

[hazarjast]

Thank you hazerjast for your awesome work and info! I have my LBR20 running the newest Voxel. I'm running T-mobile Magent Max with working magic on the orbi and using the wifi from the orbi. Even with your great instructions I still can't get my TTL working correctly. Still having some leakage. From a command prompt using orbi wifi when I ping DNS 8.8.8.8 I come back with TTL=110. I have tried various mixed rules of TTL 64 and 65 still nothing. When I check the above TTL rules step 11 in telnet I get back Ipv4 = 65, but nothing on the IPv6. The IPv6 script shows the routing just no IPv6=65 at the end.

Does anyone have any ideas about what to try next?

I have an old archer c7 router with golden orb on it setting here unused. Would It be easier/safer to use the wifi from the C7 and set the TTL on it?

Setting this up for my mother in law so would really like to just use the orbi 100% and have one less router to deal with .

Thanks

Pinging Google public DNS is not going to show you anything in regards to your TTL, you have to check this locally using the 'iptables -t mangle -L" to see what POSTROUTING value is active. There seems to be a common misconception that pinging some public IP will show you your mangled TTL value; I think it comes from the fact that many folks think you have to adjust PREROUTING TTL as well as POSTROUTING which isn't the case.

In any case, if your POSTROUTING mangle value isn't showing up in ip6tables output then you're still leaking data which would be the problem. Recheck your scripts for invisible characters (usually entered when copying/pasting formatted text instead of raw text) or other syntax issues and try executing the ip6tables command manually to ensure it doesn't return some syntax error. Once you've got your ip6tables command executing properly from the script your hotspot leak should be plugged

[hazarjast]

Hello, Been using one of these for AT&T. With original orbi firmware. Being AT&T have no use for TTL settings. But would like to create a group of bands. Do I have to switch to this voxel to do that?

No, you can band lock on any firmware but be aware it may not be reboot persistent unless you add it to a startup script. I prefer cell locking myself which is covered in the OP, other posts in this forum cover Quectel band index creation and locking. I believe I may have linked to them in one of my earlier replies to this thread and there should be an Excel/Google Sheets document floating around which helps with the index calculations (they are in hexadecimal).

[hazarjast]

i know its not recommended but i had the same issue the only way i got it to work was to put the ip6 scrip code in with the ip4 code and it worked like a charm so far but either way his guide was a blessing so no complaints here ttl 64 hl64 on reboot (set at 64 seems to be the one for verizon) i cant thank hazarjast enough note...... made the actual code part one long line per command

root@LBR20:~# cat /mnt/circle/overlay/opt/scripts/firewall*
# IPv4 TTL mod
iptables -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 64 > /dev/null 2>&1 || \iptables -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 64

ip6tables -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 64 > /dev/null 2>&1 || \ip6tabl[/b]es -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 64

(in the script code is one long line per command delete space between\ ip in red so \ip)

i get 118 when i ping google as well not really sure what to do there but still this is much better then having to change manually evey time so thank you hazarjast i really appreciate your how to guide maybe when you get some time you can q us in on changing the dns also : ) : )

Interesting, I use a combined script too (just a single 'firewall-start.sh') with both iptables and ip6tables commands and it works for me fine as well. Voxel had originally suggested my instruction to everyone for splitting out ip and ip6 commands into separate firewall scripts so it's possible there is some issue there which has not been tested by either of us. Thank you for providing this test data point and maybe others can provide feedback if their ip6tables commands is failing when split out into a separate script. I can provide this info to Voxel in case there is some bug.

There's really no need for the commands to be on one long long though, this is why I have used the '\' to split the lines for readability. The first line checks to see if the rule exists ("-C" means "check"), then uses the logical operator '||' which only executes the insert of the rule ("-I" means "insert") if the rule isn't already present. This prevents accidental duplication of the same POSTROUTING mangle multiple times. For reference mine looks like this:

Code: Select all

root@LBR20:~# cat /opt/scripts/firewall-start.sh
# IPv4 TTL mod
iptables -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
iptables -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65

# IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
ip6tables -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
ip6tables -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65

root@LBR20:~#

Again, pinging a public IP isn't going to show you anything in relation to the mangled POSTROUTING value assigned to your wwan0 interface, that is checked by output of 'ip[6]tables -t mangle -L". In regards to DNS, I've covered changing this a few times in both the OP and follow up posts. If something is not clear or does not cover your use case, please let us know what regarding DNS changes is not working for you and we can do our best to provide guidance

[hazarjast]

Magic allows the Orbi to appear as whatever device you told your carrier you were using for their service. Some carriers will remove your plan if you are not connecting with the device you said you were using.

And some plans plain do not work at all if the carrier/MVNO is using a TAC blocklist in which the LBR20 (or other data device) is present.

[hazarjast]

you wouldnt happen to have a link to the software or how to go about this with the orbi not having usb and all ?????????

The command you are looking for is covered in the OP but is obfuscated to keep carriers from taking down this thread. Happy to provide help as my time allows if you are still in need of further explanation (hazarjast at protonmail dot com).

Contrary to popular belief by some, I am not trying to be obtuse or a gatekeeper of knowledge by not spelling things out in plain English in open forum, it's just that doing so ruins things for everyone by incurring the wrath and further interference of the carriers in making our lives difficult when they come across such things and request their takedown and/or ratchet up their eSIM plan locking efforts

[hazarjast]

There's typo in "\ip6tabl[/b]es" should be "\ip6tables".
Here are the correct commands enclosed in code.

Code: Select all

iptables -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 64 > /dev/null 2>&1 || \iptables -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 64
ip6tables -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 64 > /dev/null 2>&1 || \ip6tables -t mangle -A POSTROUTING -o wwan0 -j HL --hl-set 64

Good catch, thanks for pointing this out

[hazarjast]

Has anyone experienced a speed drop using AT&T? I'm on the $20 Ipad tablet plan using latest Voxel and magic and usually get 75-135 download on speed test but tonight only 25-30. Currently it's connected to band 14 but usually connects to band 66. I've tried rebooting several times hoping to connect to ban 66 to see if that's he problem but no luck. Also has anyone successfully been able to band lock with AT&T and if so how lol! thanks

If it's *only* connected to B14 then that's your problem. B14/B12/B71 are all low band frequency which provide better signal penetration indoors and go for longer distances but don't provide the bandwidth mid and high bands do. If you cell lock to your B66 EARCFN or band lock to B66 as your primary carrier I would wager your faster speeds would return. The issue is that likely B14 has a stronger signal than B66 and is therefore auto-preferred by the modem by default.

This is why there is so much talk of cell/band locking in this thread as the "auto" behavior is sometimes not the desired behavior. I cover cell locking in the OP and band-locking has been covered in a few replies and other threads in this forum for Quectel modems (the kind that is in the LBR20).

[am888]

VOXEL FIRMWARE
--------------
Is there any sort of cron with voxel? (NM - found cron - will see if I can get it to stick)
Will it try and auto-update the firmware if I don't use any sort of DNS block?

One thing I thought would be neat - though outside of my ability - would be being able to send an SMS to the router to reboot or feedback data usage... I assume this would be possible.

Thanks

As an LOL someone at netgear put their auto-update of QoS @ 0420

Meh - can't get it to hold crontab - it mounts the crontab from a different section of ROM than the circle overlay so it continually rewrites it. Any ideas??
----------------------------

UPDATE:
1. created /mnt/circle/overlay/etc/rc.local
2. contents of rc.local

Code: Select all

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

#Crontab located at /mnt/circle/overlay/etc/crontabs/root
cat /etc/crontabs/root > /tmp/etc/crontabs/root

exit 0

3. Created /mnt/circle/overlay/etc/crontabs/root (rw/r/r perms) <------- This is your new crontab (for editing/persists)

my root/cron file contents:

Code: Select all

20 04 * * * /TM/QoSControl auto_update
50 03 * * * /usr/share/armor/bdupd_start_schedule.sh
00 02 * * 1,4 /sbin/reboot

I need my router to reboot a couple times a week since I'm not always there.
Voila - I have a working crontab that persists on reboot.

[hazarjast]

VOXEL FIRMWARE
--------------
Is there any sort of cron with voxel? (NM - found cron - will see if I can get it to stick)
Will it try and auto-update the firmware if I don't use any sort of DNS block?

One thing I thought would be neat - though outside of my ability - would be being able to send an SMS to the router to reboot or feedback data usage... I assume this would be possible.

Thanks

As an LOL someone at netgear put their auto-update of QoS @ 0420

Meh - can't get it to hold crontab - it mounts the crontab from a different section of ROM than the circle overlay so it continually rewrites it. Any ideas??
----------------------------

UPDATE:
1. created /mnt/circle/overlay/etc/rc.local
2. contents of rc.local

Code: Select all

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

#Crontab located at /mnt/circle/overlay/etc/crontabs/root
cat /etc/crontabs/root > /tmp/etc/crontabs/root

exit 0

3. Created /mnt/circle/overlay/etc/crontabs/root (rw/r/r perms) <------- This is your new crontab (for editing/persists)

my root/cron file contents:

Code: Select all

20 04 * * * /TM/QoSControl auto_update
50 03 * * * /usr/share/armor/bdupd_start_schedule.sh
00 02 * * 1,4 /sbin/reboot

I need my router to reboot a couple times a week since I'm not always there.
Voila - I have a working crontab that persists on reboot.

Fantastic work. Thanks for sharing this, I'm sure many will benefit

[gilbreen]

Thanks for the extensive writeup. I am new to much of this and trying to understand the purpose of the cron jobs. What do QoSControl auto_update and bdupd_start_schedule.sh do?

VOXEL FIRMWARE
--------------
Is there any sort of cron with voxel? (NM - found cron - will see if I can get it to stick)
Will it try and auto-update the firmware if I don't use any sort of DNS block?

One thing I thought would be neat - though outside of my ability - would be being able to send an SMS to the router to reboot or feedback data usage... I assume this would be possible.

Thanks

As an LOL someone at netgear put their auto-update of QoS @ 0420

Meh - can't get it to hold crontab - it mounts the crontab from a different section of ROM than the circle overlay so it continually rewrites it. Any ideas??
----------------------------

UPDATE:
1. created /mnt/circle/overlay/etc/rc.local
2. contents of rc.local

Code: Select all

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

#Crontab located at /mnt/circle/overlay/etc/crontabs/root
cat /etc/crontabs/root > /tmp/etc/crontabs/root

exit 0

3. Created /mnt/circle/overlay/etc/crontabs/root (rw/r/r perms) <------- This is your new crontab (for editing/persists)

my root/cron file contents:

Code: Select all

20 04 * * * /TM/QoSControl auto_update
50 03 * * * /usr/share/armor/bdupd_start_schedule.sh
00 02 * * 1,4 /sbin/reboot

I need my router to reboot a couple times a week since I'm not always there.
Voila - I have a working crontab that persists on reboot.

[am888]

They were just defaults from the original orbi firmware... I left them alone, though you could probably delete/comment them out. I assume on is for "AppArmor" which most people are disabling and the other is QoS to divide up your connection between devices essentially. I dont know *exactly* what they do however.


tldr - they were already in the crontab when I modified it, I just left them... I only added my reboot schedule.

[hazarjast]

Due to replies showing that the separate IPv6 script 'firewall6-start.sh' was not applying ip6tables rules I tested myself and found that indeed 'firewall6-start.sh' was not loading the IPv6 TTL rules on reboot/startup so I have updated my instructions below to reflect a single 'firewall-start.sh' script for now until I can test more. At least I know this is tested and working at this time (I also removed the update to the OP with the instruction to use separate script files for IPv6 and IPv4). Once I can go back and do some more debugging to figure out why the IPv6 script isn't working I will go back and update OP again:

1. SSH into your LBR20 using Putty.
2. Issue the following commands:

   Code: Select all

   mkdir -p /mnt/circle/overlay/opt/scripts
   touch /mnt/circle/overlay/opt/scripts/firewall-start.sh
   chmod 755 /mnt/circle/overlay/opt/scripts/firewall-start.sh
   

3. Now we will populate the firewall script file we created. To do this, we will use the text editor 'vi'. Let's start by opening the IPv4 firewall script in vi:

   Code: Select all

   vi /mnt/circle/overlay/opt/scripts/firewall-start.sh
   

4. Once the file is open in vi, you have to press the "I" (as in "igloo") key on your keyboard to enter "Insert" mode.
5. Then, select the following text from the code box and copy it to your clipboard ("Ctrl+C"):

   Code: Select all

   # IPv4 TTL mod
   iptables -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
   iptables -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65
   # IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
   ip6tables -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
   ip6tables -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65
   

6. Now paste the text from your clipboard into the Putty window by right-clicking with your mouse anywhere inside it. You should see the text appear in vi.
7. Hit 'Enter' to add a new line, then press "Esc" (escape key) on your keyboard which will take you out of "Insert" mode. Save and exit vi by typing the following followed by "Enter" on your keyboard:

   Code: Select all

   :wq
   

   (":" = enter vi command mode, "w" = write changes to the file, "q" = quit vi)
8. Check your work by issuing the following command:

   Code: Select all

   cat /mnt/circle/overlay/opt/scripts/firewall-start.sh
   

   The output should show all the iptables commands you've added from the code box above in the previous steps. If it does not, go back into the file and check for mistakes (maybe you didn't paste before saving, maybe you forgot "w" when existing vi and the text was not saved, etc.).
9. Issue the following command to restart the LBR20 to check that your scripts execute properly on startup:

   Code: Select all

   reboot
   

10. Once the unit has rebooted and some minutes have passed to be sure all services have started, issue the following two commands to check that your iptables rules are active:

    Code: Select all

    iptables -t mangle -L
    ip6tables -t mangle -L
    

    The last line of output from each command should show a POSTROUTING rule with a value of "65". If not, then something went wrong and your iptables rules are not active. Check that the 'firewall-start.sh' script file exists where you created it the previous steps above and that it is populated with the necessary iptables text in the code box from previous steps. Also, be sure that you did not miss the "chmod 755" command when creating the file as this makes it executable. Fix any errors you encounter, then reboot and execute the above iptables commands again to re-check.

NOTE: If a TTL value of "65" is not appropriate for your specific carrier/plan (and it isn't for some), you can edit the firewall script file you created by using vi to open the file, going into "Insert" mode by pressing "I" (as in "igloo"), using your arrow keys to move the cursor to the existing "65" entries, back-spacing them out to delete, then replace by entering your desired value. Don't forget to hit escape to exit "Insert" mode and issue ":wq" to write your changes to the file and exit vi and reboot to apply your changes.

[am888]

Hazarjast - have you found /rom/sbin/wlandebug.sh

It's a pretty interesting file. It's literally every setting in the router.

[hazarjast]

Hazarjast - have you found /rom/sbin/wlandebug.sh

It's a pretty interesting file. It's literally every setting in the router.

Yes, it's nifty! Mostly it covers ATH/QCA debug info for the WiFi and what is likely called when log capture package is selected for collection under 'debug.htm' page of the web GUI. Unfortunately nothing in there related to the LTE modem and I don't use the LBR20 WiFi so not super useful to me but for those using the WiFi it may be helpful/interesting

[am888]

I forked a keep-alive script for the Orbi and added it to my cron. Working good so far.
(sorry took this post down ealier cause i ran into some issues)

Will reboot router on failure.

https://github.com/HiDef888/openwrt-lte-keep-alive

Easy to install, just run script in /mnt/circle/overlay/opt/scripts (is what i'd recommend)

Originally had it drop modem and restart on fail - but that was a disaster. Erased many of my settings and so on, so I just went with a simple reboot on x3 fails. Call it as often as you like in cron...

[shinesmart]

I’ve put together this guide to help anyone wishing to Cell Lock to a specific cell. Please use at your own risk and know the pros and cons of cell locking before jumping in.

Netgear Orbi LBR20 Cell Locking
Author: shinesmart

Login using PuTTy:
192.168.1.1
UN: root
PW: your admin password

To query the Serving Cell:

Code: Select all

echo -ne "AT+QENG=\"servingcell\"\r\n" | -X -t 1000 /dev/ttyUSB2

You will get a response like this:
AT+QENG="servingcell"
+QENG: "servingcell","NOCONN","LTE","FDD",311,480,1B29020,245,66636,66,5,5,6F00,-92,-11,-58,11,-,-,-

In this example, the PCID is 245 and the EARCFN is 66636, which is for the Serving Cell you are currently connected to.

Now, to lock to this cell, run this command replacing the EARCFN and PCID with the values from above:
echo -ne "AT+QNWLOCK=\"common/4g\",1,EARCFN,PCID\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Example:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",1,66636,245\r\n" | microcom -X -t 1000 /dev/ttyUSB2

You will get a response like this:
AT+QNWLOCK="common/4g",1,66636,245
OK

Alternatively, you can query the Neighbouring Cell, then use the same lock command once you have its respective EARCFN and PCID:

To query the Neighbouring Cell:

Code: Select all

echo -ne "AT+QENG=\"neighbourcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

To lock the Neighbouring Cell:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",1,EARCFN,PCID\r\n" | microcom -X -t 1000 /dev/ttyUSB2

* Note: Cell locking does not persist on this device, so these steps will need to be performed following each reboot.

Please feel free to proof check this guide.

[shinesmart]

Here are some additional useful commands:

To disable Cell Lock:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",0\r\n" | microcom -X -t 1000 /dev/ttyUSB2

To query Cell Lock status:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

You can also lock multiple cells using the following commands replacing EARCFN# and PCID# with the pair or values for each additional cell(s) you wish to lock.

To lock 2 Cells:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",2,EARCFN1,PCID1,EARCFN2,PCID2\r\n" | microcom -X -t 1000 /dev/ttyUSB2

To lock 3 Cells:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",3,EARCFN1,PCID1,EARCFN2,PCID2,EARCFN3,PCID3\r\n" | microcom -X -t 1000 /dev/ttyUSB2

[hazarjast]

I forked a keep-alive script for the Orbi and added it to my cron. Working good so far.
(sorry took this post down ealier cause i ran into some issues)

Will reboot router on failure.

https://github.com/HiDef888/openwrt-lte-keep-alive

Easy to install, just run script in /mnt/circle/overlay/opt/scripts (is what i'd recommend)

Originally had it drop modem and restart on fail - but that was a disaster. Erased many of my settings and so on, so I just went with a simple reboot on x3 fails. Call it as often as you like in cron...

Great stuff, thanks for sharing! I've been working on something similar myself but specifically related to checking connectivity when locking to a specific cell (and unlocking if that cell is not providing Internet connectivity, meaning it is down for maintenance etc.). I will post a link to my script as well shortly, in a reply to another post that has given great cell locking info.

You could probably roll the keep alive scripts into a single one for simplicity if you created each of them as a function instead of an external script call but ultimately if yours is currently working great then no need to mess with it

[hazarjast]

I’ve put together this guide to help anyone wishing to Cell Lock to a specific cell. Please use at your own risk and know the pros and cons of cell locking before jumping in.

Netgear Orbi LBR20 Cell Locking
Author: shinesmart

Login using PuTTy:
192.168.1.1
UN: root
PW: your admin password

To query the Serving Cell:
echo -ne "AT+QENG=\"servingcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

You will get a response like this:
AT+QENG="servingcell"
+QENG: "servingcell","NOCONN","LTE","FDD",311,480,1B29020,245,66636,66,5,5,6F00,-92,-11,-58,11,-,-,-

In this example, the PCID is 245 and the EARCFN is 66636, which is for the Serving Cell you are currently connected to.

Now, to lock to this cell, run this command replacing the EARCFN and PCID with the values from above:
echo -ne "AT+QNWLOCK=\"common/4g\",1,EARCFN,PCID\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Example: echo -ne "AT+QNWLOCK=\"common/4g\",1,66636,245\r\n" | microcom -X -t 1000 /dev/ttyUSB2

You will get a response like this:
AT+QNWLOCK="common/4g",1,66636,245
OK

Alternatively, you can query the Neighbouring Cell, then use the same lock command once you have its respective EARCFN and PCID:

To query the Neighbouring Cell:
echo -ne "AT+QENG=\"neighbourcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

To lock the Neighbouring Cell:
echo -ne "AT+QNWLOCK=\"common/4g\",1,EARCFN,PCID\r\n" | microcom -X -t 1000 /dev/ttyUSB2


* Note: Cell locking does not persist on this device, so these steps will need to be performed following each reboot.

Please feel free to proof check this guide.

This is very valuable and I thank you for taking the time to submit it. My only suggestion would be when posting code or specific commands to the thread, place them in a code box like so:

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",1,66636,245\r\n" | microcom -X -t 1000 /dev/ttyUSB2

This ensures that when folks copy text from your post that they won't inadvertently introduce some formatted text (long dash, curly quotes, invisible characters) when pasting

It is funny you had posted this today because I just finished working on the first version of a script that directly relates to cell locking and checking for connectivity in case the cell stops passing internet traffic for whatever reason (malfunction, maintenance, etc.). For simplicity I threw it up with the CJ scripts on GitHub. Feel free to use if it seems helpful to you but realize I'm still 'beta' testing it

https://github.com/hazarjast/circle_jer ... ailsafe.sh

The workflow of the script is thus: on execution it runs the following in an infinite loop at the set $INVERVAL:

- Pings hosts defined in $ALLDEST until one succeeds ($CONNECTED=1).
- If Internet connectivity is confirmed, the script checks if a cell is locked.
- If a cell is locked, nothing is done and the script sleeps until the next $INTERVAL has passed.
- If internet connectivity is present and no cell is locked it will lock to the cell values defined in $LOCKCELL.
- Once a cell is locked it will check for internet connectivity again.
- If original test for internet connectivity fails or check after cell lock fails, the script will remove the cell lock.
- The script waits the length of $INVERAL then performs all of the above again (checking connectivity, locking to a cell if not already locked, etc.).

[shinesmart]

Nice……It’s great that everyone keeps adding more cool stuff to do with the LBR20.

FYI: Added the code boxes…..good point!

[gilbreen]

hazerjast,

Another awesome addition. Thanks! Where do you recommend that this script be placed in order for it to run each time on bootup of the Orbi?

It is funny you had posted this today because I just finished working on the first version of a script that directly relates to cell locking and checking for connectivity in case the cell stops passing internet traffic for whatever reason (malfunction, maintenance, etc.). For simplicity I threw it up with the CJ scripts on GitHub. Feel free to use if it seems helpful to you but realize I'm still 'beta' testing it

https://github.com/hazarjast/circle_jer ... ailsafe.sh

The workflow of the script is thus: on execution it runs the following in an infinite loop at the set $INVERVAL:

- Pings hosts defined in $ALLDEST until one succeeds ($CONNECTED=1).
- If Internet connectivity is confirmed, the script checks if a cell is locked.
- If a cell is locked, nothing is done and the script sleeps until the next $INTERVAL has passed.
- If internet connectivity is present and no cell is locked it will lock to the cell values defined in $LOCKCELL.
- Once a cell is locked it will check for internet connectivity again.
- If original test for internet connectivity fails or check after cell lock fails, the script will remove the cell lock.
- The script waits the length of $INVERAL then performs all of the above again (checking connectivity, locking to a cell if not already locked, etc.).

[hazarjast]

hazerjast,

Another awesome addition. Thanks! Where do you recommend that this script be placed in order for it to run each time on bootup of the Orbi?

I would store it on the overlay filesystem under '/mnt/circle/overlay/opt/scripts' where the 'firewall-start.sh' script is located. That way it can easily be called from '/opt/scripts' after restart.

If you have not already created an overlay filesystem copy of 'rc.local' you will need to do that first so we can add our own scripts to run on startup:

Code: Select all

mkdir -p /mnt/circle/overlay/etc
cp -p /etc/rc.local /mnt/circle/overlay/etc

Then, just add a line to the custom '/mnt/circle/overlay/etc/rc.local' to have it call the script in background ('&'):

Code: Select all

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

/opt/scripts/cell_lock_failsafe.sh &

exit 0

I updated the script on GitHub to add a two minute sleep since most folks will probably want to run this on startup the same as yourself. This allows the modem time to connect normally before the first run of the main 'while' loop so that no cell unlocking/locking commands are issued to it while it's trying to initiate the carrier connection. It might not necessarily harm anything without the sleep command but I've added it just for insurance. If you test without the sleep command and find the modem still connects fine on restart then feel free to remove it.

[gilbreen]

hazarjast,

Does one also need to add a line to the rc.local file to call the firewall-start.sh or does it start on its own? Just trying to understand better.

I would store it on the overlay filesystem under '/mnt/circle/overlay/opt/scripts' where the 'firewall-start.sh' script is located. That way it can easily be called from '/opt/scripts' after restart.

If you have not already created an overlay filesystem copy of 'rc.local' you will need to do that first so we can add our own scripts to run on startup:

Code: Select all

mkdir -p /mnt/circle/overlay/etc
cp -p /etc/rc.local /mnt/circle/overlay/etc

Then, just add a line to the custom '/mnt/circle/overlay/etc/rc.local' to have it call the script in background ('&'):

Code: Select all

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

/opt/scripts/cell_lock_failsafe.sh &

exit 0

I updated the script on GitHub to add a two minute sleep since most folks will probably want to run this on startup the same as yourself. This allows the modem time to connect normally before the first run of the main 'while' loop so that no cell unlocking/locking commands are issued to it while it's trying to initiate the carrier connection. It might not necessarily harm anything without the sleep command but I've added it just for insurance. If you test without the sleep command and find the modem still connects fine on restart then feel free to remove it.

[hazarjast]

hazarjast,

Does one also need to add a line to the rc.local file to call the firewall-start.sh or does it start on its own? Just trying to understand better.

No sir, that is called by Voxel's modified 'net-wall' script that replaces the original Netgear binary. The script calls whatever is in 'firewall-start.sh' whenever there is a firewall reload (interface state changes etc.). We only have to concern ourselves with adding our own scripts to 'rc.local' because the Voxel firmware does not know about them like it does 'firewall-start.sh' (it is special).

[hazarjast]

Updated version of Voxel firmware is out (V9.2.5.2.25SF-HW):

https://voxel-firmware.com/Downloads/Vo ... 5SF-HW.zip

I have updated the OP to reflect this as well. Release notes can be found here:

https://www.snbforums.com/threads/custo ... -hw.74426/

[hazarjast]

Updated my 'cell_lock_failsafe.sh' script adding logic to pause cell locking attempts until the next day if locking to the preferred cell twice in an hour results in no internet connectivity both times. This prevents continuous internet connectivity disruption at $INTERVAL when cell is down for an extended period (maintenance etc.):

https://github.com/hazarjast/circle_jer ... ailsafe.sh

[gscheb]

gscheb wrote: ↑
Thu Aug 05, 2021 9:45 am
Hello, Been using one of these for AT&T. With original orbi firmware. Being AT&T have no use for TTL settings. But would like to create a group of bands. Do I have to switch to this voxel to do that?

No, you can band lock on any firmware but be aware it may not be reboot persistent unless you add it to a startup script. I prefer cell locking myself which is covered in the OP, other posts in this forum cover Quectel band index creation and locking. I believe I may have linked to them in one of my earlier replies to this thread and there should be an Excel/Google Sheets document floating around which helps with the index calculations (they are in hexadecimal).

Having issues using putty telnet on this. Seen a post where you got to enable telnet on the LBR20. But when I go to do that there is no enable telnet box to check.
LBR20
Router Firmware Version
V2.6.5.2

[am888]

gscheb wrote: ↑
Thu Aug 05, 2021 9:45 am
Hello, Been using one of these for AT&T. With original orbi firmware. Being AT&T have no use for TTL settings. But would like to create a group of bands. Do I have to switch to this voxel to do that?



Having issues using putty telnet on this. Seen a post where you got to enable telnet on the LBR20. But when I go to do that there is no enable telnet box to check.
LBR20
Router Firmware Version
V2.6.5.2

From what I understand, they removed the telnet option from later firmware versions. You'll be doing yourself a big favor to use voxel or circle_jerk to 'unlock' your routers potential & communicate with the modem directly. Your second worst option (besides leaving it as is) is probably to flash back to original netgear firmare, but your modem will likely erase all your setting everytime it reboots (so you gotta start all over). Just switch to circlejerk or voxel and save yourself a lot of headaches.

[gscheb]

From what I understand, they removed the telnet option from later firmware versions. You'll be doing yourself a big favor to use voxel or circle_jerk to 'unlock' your routers potential & communicate with the modem directly. Your second worst option (besides leaving it as is) is probably to flash back to original netgear firmare, but your modem will likely erase all your setting everytime it reboots (so you gotta start all over). Just switch to circlejerk or voxel and save yourself a lot of headaches.

Have used rooter in the past. Want to use this instead since have had some issues with AT&T on rooter for some reason.
Haven't modified one of these LBR20 before.
Thought that the Circle_Jerk was something running on Voxel. All I want to do is block out band 30 on AT&T. Keeps connecting as my primary band and making my upload speeds terrible. What is by best path for this and can I get some assistance maybe?
Have read the whole post from start to finish. Think you need some knowledge on it to understand this thread.
Also don't plan on using WiFi from the device just as a modem. Have another router plugged into it as a access point.

[hazarjast]

Have used rooter in the past. Want to use this instead since have had some issues with AT&T on rooter for some reason.
Haven't modified one of these LBR20 before.
Thought that the Circle_Jerk was something running on Voxel. All I want to do is block out band 30 on AT&T. Keeps connecting as my primary band and making my upload speeds terrible. What is by best path for this and can I get some assistance maybe?
Have read the whole post from start to finish. Think you need some knowledge on it to understand this thread.
Also don't plan on using WiFi from the device just as a modem. Have another router plugged into it as a access point.

Your most user-friendly path forward is to downgrade your firmware to Netgear 2.5.2.20 (first link below), then flash Voxel (second link below):
https://www.downloads.netgear.com/files ... 5.2.20.zip
https://voxel-firmware.com/Downloads/Vo ... 5SF-HW.zip

If you want to run on the latest Netgear firmware then your option is to use Circle_Jerk or at least the telnet-enable2 exe or Python script from it to enable telnet as Netgear has removed 'Enable telnet' option from 'debug.htm' on the newer firmware releases. Some folks prefer this option to keep on the latest Netgear firmware but given Netgear takes so long to patch security vulnerabilities etc. I prefer running Voxel myself (and I'll be the first to admit CJ install is typically a lot more effort for the uninitiated than simply downgrading and flashing Voxel).

[gscheb]

Your most user-friendly path forward is to downgrade your firmware to Netgear 2.5.2.20 (first link below), then flash Voxel (second link below):
https://www.downloads.netgear.com/files ... 5.2.20.zip
https://voxel-firmware.com/Downloads/Vo ... 5SF-HW.zip

If you want to run on the latest Netgear firmware then your option is to use Circle_Jerk or at least the telnet-enable2 exe or Python script from it to enable telnet as Netgear has removed 'Enable telnet' option from 'debug.htm' on the newer firmware releases. Some folks prefer this option to keep on the latest Netgear firmware but given Netgear takes so long to patch security vulnerabilities etc. I prefer running Voxel myself (and I'll be the first to admit CJ install is typically a lot more effort for the uninitiated than simply downgrading and flashing Voxel).

Thanks for the advice. Have a couple of questions.
1. If someone decides Voxel isn't for them is it easy enough to go back to Netgear Firmware?
2. Once you get Voxel loaded do you communicate to the modem thru telnet?
3. Once band 30 is locked out will it stay thru reboots of the device?

[hazarjast]

Thanks for the advice. Have a couple of questions.
1. If someone decides Voxel isn't for them is it easy enough to go back to Netgear Firmware?
2. Once you get Voxel loaded do you communicate to the modem thru telnet?
3. Once band 30 is locked out will it stay thru reboots of the device?

1. Yes, you can just flash Netgear firmware again if you dislike Voxel for whatever reason. If you do, I would recommend the same procedure of flashing 2.5.2.20 Netgear stock firmware then whatever Netgear stock version you want to upgrade to after that. This should ensure a clean slate when going back to Netgear stock firmware.
2. No telnet required, Voxel uses SSH which is superior from both usability and security perspectives. Just use Putty (or your other favorite SSH client) to connect to the LBR20 device IP on port 22 (instead of 23 which would be used for Telnet). Username is 'root' and password is whatever you setup for the webgui access when you complete the initial setup.
3. Cell cell locking is not reboot persistent in my experience; I cannot speak for band locking since I don't use it but based on my reading other posts I don't believe it is. For reboot persistence, please see my instructions in recent, previous replies for steps on how to create scripts and call from the overlay filesystem copy of 'rc.local'. Feel free to use my cell locking failsafe script if it is useful to you and/or you do not wish to create your own from scratch: https://github.com/hazarjast/circle_jer ... ailsafe.sh

[MattB29]

Would someone that has a Orbi LBR20 do a IMEI check at Cricket https://www.cricketwireless.com/cell-ph ... your-phone to see if it is compatible? If not likely AT&T is also going to turn these off come Feb. 2022 as being 3G devices.

[gscheb]

Would someone that has a Orbi LBR20 do a IMEI check at Cricket https://www.cricketwireless.com/cell-ph ... your-phone to see if it is compatible? If not likely AT&T is also going to turn these off come Feb. 2022 as being 3G devices.

Check your device's compatibility
Apologies! This LBR20 is not compatible with the Cricket Network due to network changes. Please visit cricketwireless.com/3Gnetworkshutdown for more details or see your Cricket store rep.
Why is my device incompatible?
Shop our selection of smartphones from brands you love and join the Cricket network.
Check another device for compatibility

[MattB29]

Thanks, about what I figured since it is not on AT&T whitelist.

[Keaton85]

Edit: figured it out

Does Voxel firmware have auto-update patch already applied?

[gilbreen]

What do you mean by auto-update patch? Do you mean does the Voxel firmware prevent Netgear from auto-updating the device? If so, then yes, the Voxel firmware blocks updates from Netgear.

Edit: figured it out

Does Voxel firmware have auto-update patch already applied?

[Largition]

Has this been a Windows only experience thus far? A non-chromebook laptop on the cheap seems essential here.

[hazarjast]

Has this been a Windows only experience thus far? A non-chromebook laptop on the cheap seems essential here.

Whut?

Anything on their thread can be accomplished OS agnostic. Maybe you refer to the powershell script for CJ auto deployment? The same can be accomplished in *nix flavors using the Python script source for telnetenable2 and a simple TFTP client.

Regardless, Voxel will be better for most and literally anything with a web browser and local storage for the firmware files can be used (doesn’t require any special scripts or binaries to flash from the webgui interface).

[Crasoum]

So questions am888, I've followed your notes:

mkdir -p /mnt/circle/overlay/etc/
cp -p /etc/rc.local /mnt/circle/overlay/etc

vim /mnt/circle/overlay/etc/rc.local
pasted into /mnt/circle/overlay/etc/rc.local:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

#Crontab located at /mnt/circle/overlay/etc/crontabs/root
cat /etc/crontabs/root > /tmp/etc/crontabs/root

exit 0

then

mkdir -p /mnt/circle/overlay/etc/crontabs/
vim /mnt/circle/overlay/etc/crontabs/root (since I'm root it automatically had 644 permissions.)
paste:
*/15 * * * * /mnt/circle/overlay/opt/scripts/internet-keep-alive.sh (This sets it to 15 minutes, right?)

And I installed your script from https://github.com/HiDef888/openwrt-lte-keep-alive inside my /mnt/circle/overlay/opt/scripts directory.

Would those be the proper steps? It's been a few long years since I hammered on cli *nix on the reg.

(Yep, they be the steps.)*

[am888]

Sorry Crasoum,

I've been out sick. Did it work for you??
I would check logs to verify it's making a connection and, if so, you're good.

-am

[Time-Pilot]

Trying to decide between an LBR20 and a GL-B1300 with a modem in an external enclosure.

I full-time RV and frequently need to lock different bands depending on where I am.

With the Voxel software, is band locking easier with the LBR20, or is everything still done via scripts and command line?

[ajipro]

Hello. I have the LBR20 running Voxel's V9.2.5.2.25SF-HW. I'm trying to lock my bands to the best Verizon ones in my area, but I'm a bit lost.
1; How do I see what bands I'm currently on?
2: What's the telnet command for changing the bands?

[Crasoum]

Sorry Crasoum,

I've been out sick. Did it work for you??
I would check logs to verify it's making a connection and, if so, you're good.

-am

Yep it worked, thus the edit before you replied.

And I understand being out sick, I had 2 bad weeks as a birthday present myself just recently.

Thanks!

[hazarjast]

In case anyone needed yet another reason to switch to Voxel and completely disable Circle, it looks like security researchers finally started exploiting ‘circled’ much as I did for my CJ implementation. Only difference being the remote attack vector of uploading malicious code into the unencrypted Circle update database files as opposed to hijacking the daemon scripts themselves:

https://www.tomsguide.com/uk/amp/news/n ... le-patches

The LBR20 isn’t listed as affected yet which could mean Circle updates were transmitted in a more secure method than the other product lines but I would be surprised if they didn’t issue an advisory update to include Orbi products at some later date.

As a side note, from the article it seems Netgear has switched back to in-house parental control so those still on Netgear firmware be warned that Circle functionality and framework, including the ‘/mnt/circle’ writeable file system could be removed by a future firmware update. In reality completely removing it from the LBR20 seems like a lower chance given the extensive print and box marketing Circle is given. But, caveat emptor to those using and updating stock firmware that I do not plan to spend time finding a new way to exploit future stock firmware since we have Voxel now.

[dhare72]

Can anyone post a video tutorial on accessing ORBI LRB20 shell using a Mac (terminal)?
I want to change TTL allowing me past the 5MB limit and I am stuck on how to access the shell.

[IronBorg]

Hello and thank you for the awesome firmware. I'm currently running V9.2.5.2.25SF-HW and have successfully connected to the router using SSH. Can someone please help me with enabling bridge mode please?

[little-endian]

1; How do I see what bands I'm currently on?

Code: Select all

echo -ne "AT+QCAINFO?\r\n" | microcom -X -t 1000 /dev/ttyUSB2

2: What's the telnet command for changing the bands?

Since the access method depends on your firmware and settings (telnet OR ssh), not a "telnet" command per se, but rather one of the device itself, but it seems to have been already covered here.

Can anyone post a video tutorial on accessing ORBI LRB20 shell using a Mac (terminal)?

Maybe I'm missing something, but a video tutorial for the following one-liner would be a bit gushy:

Code: Select all

ssh -l root 192.168.1.1

I also have a few points on my own to all of you:

Somehow, the cell lock behaviour is quite strange in my case. When I lock it to one only, I partly still end up with CA enabled (as far as I can tell):

root@LBR20:~# echo -ne "AT+QNWLOCK=\"common/4g\",1,1600,292\r\n" | microcom -X -t 1000 /dev/ttyUSB2
root@LBR20:~#
root@LBR20:~#
root@LBR20:~# echo -ne "AT+QCAINFO?\r\n" | microcom -X -t 1000 /dev/ttyUSB2
AT+QCAINFO?
+QCAINFO: "pcc",1600,75,"LTE BAND 3",1,264,-99,-20,-60,12
+QCAINFO: "scc",6200,50,"LTE BAND 20",1,38,-91,-18,-62,-5,DL

Furthermore, at some point, the LBR20 decided to only use Band 1, even after rebooting or entering the command

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",0\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Not only should the cell locking be persistent after a reboot, nor should it have any effect at latest after entering the command above, should it?

The only way to restore the usual B3+B7+B20 combination however for me was to perform a factory reset, hardly convenient for any testing or tuning.

Independently of that - has anyone managed to route the guest wifi over a VPN with "kill switch" functionality yet? My goal is to run the OpenVPN client according to the readme provided by the Voxel firmware, however only for traffic passing the guest SSID and nothing else. If anyone happens to have some working iptables or ebtables or whatnot script, I would greatly appreciate any help, thanks.

[am888]

Hello and thank you for the awesome firmware. I'm currently running V9.2.5.2.25SF-HW and have successfully connected to the router using SSH. Can someone please help me with enabling bridge mode please?

There is no bridge mode, for all practical purposes, on the LBR20.

[Dman1049]

Ive got the most recent voxel on the lbr20... I'm not understanding how to lock bands and modify ttl settings. As in remove the 5gb limit. I don't understand how to send commands. Is there any video tutorials on how to do any of this?

[Klockwork77]

Is there an error log somewhere after getting error sending AT commands?

[hazarjast]

Code: Select all

echo -ne "AT+QCAINFO?\r\n" | microcom -X -t 1000 /dev/ttyUSB2

...

I also have a few points on my own to all of you:

Somehow, the cell lock behaviour is quite strange in my case. When I lock it to one only, I partly still end up with CA enabled (as far as I can tell):

root@LBR20:~# echo -ne "AT+QNWLOCK=\"common/4g\",1,1600,292\r\n" | microcom -X -t 1000 /dev/ttyUSB2
root@LBR20:~#
root@LBR20:~#
root@LBR20:~# echo -ne "AT+QCAINFO?\r\n" | microcom -X -t 1000 /dev/ttyUSB2
AT+QCAINFO?
+QCAINFO: "pcc",1600,75,"LTE BAND 3",1,264,-99,-20,-60,12
+QCAINFO: "scc",6200,50,"LTE BAND 20",1,38,-91,-18,-62,-5,DL

Furthermore, at some point, the LBR20 decided to only use Band 1, even after rebooting or entering the command

Code: Select all

echo -ne "AT+QNWLOCK=\"common/4g\",0\r\n" | microcom -X -t 1000 /dev/ttyUSB2

Not only should the cell locking be persistent after a reboot, nor should it have any effect at latest after entering the command above, should it?

The only way to restore the usual B3+B7+B20 combination however for me was to perform a factory reset, hardly convenient for any testing or tuning.

Independently of that - has anyone managed to route the guest wifi over a VPN with "kill switch" functionality yet? My goal is to run the OpenVPN client according to the readme provided by the Voxel firmware, however only for traffic passing the guest SSID and nothing else. If anyone happens to have some working iptables or ebtables or whatnot script, I would greatly appreciate any help, thanks.

'AT+QCAINFO?' can give you band info but it is specifically used for showing info about carrier aggregation status. I think mostly Netgear and folks interactively querying the modem are using 'AT+QENG="servingcell" to check the currently connected cell and its associated band info.

In regards to cell lock, you are correct, CA will still function when locked to a specific cell; this is one reason I prefer cell locking over band locking given you don't have to play 'guess what's in the carrier's head' when it comes to CA band index creation. But, if this behavior is undesirable then band locking would be the alternative where you can more precisely define exactly what bands it is directed to connect to. As mentioned in the previous point 'AT+QCAINFO' will give you the last reported carrier aggregation status of the modem, which is not necessarily the same as the current connected cell and band info (i.e. 'AT+QENG="servingcell"').

Cell locking is definitely not reboot persistent so either there is a specific bug with B1 locking in the Quectel firmware you are on, or (more likely) the firmware algorithm, which is mostly based on preferring the strongest signal available, has preferred B1 even after the lock was removed. I see this behavior frequently in my area when locking B66/B4. It is possible a factory reset cleared something 'stuck' but equally it is possible that RF signal composition/signal changed in relation to the unit in the time period between when the modem was restarted multiple times causing it to 'settle' on the desired band combo once again. Unfortunately B1 is not available in my area to perform any testing to validate whether a specific bug exists or not.

In regards to your OpenVPN query, what you are after is referred to as 'split-tunneling' (aka 'split-tunnel routing') which involves creating two separate networks/gateways to route traffic out of. Since the LBR20 is based on OpenWRT you should be able to find a decent amount of high level instructions and info by searching for something like "OpenVPN split-tunnel on OpenWRT". One such example of this type of guide: https://medium.com/@ingamedeo/openvpn-s ... 302a1a4e12

One challenge you will face with following any of these guides on the LBR20 is that, since the device isn't a typical 'full' install of OpenWRT with accompanying LuCI GUI interface, creating the required separate interfaces and gateways for the routing piece will likely have to be done with 'uci' at the command line. The LBR20 by default bridges the WiFi radios with physical interface 'eth0' creating the bridged interface 'br0'. I'm honestly not sure offhand how one would create a new bridge interface with only the 'guest' SSID and the OpenVPN tunnel interface leaving only the 'non-guest' LAN bridge ('br0') intact.

There's a lot of Netgear 'baked-in' configuration governing interfaces, WLAN bridging, and firewalling which you would have to reverse engineer a bit else risk borking something by just jumping in and starting to reconfigure the logical interfaces and network routing. If you were able to get the split-tunnel setup working as desired you would then likely need to capture all the configuration changes into a script which could run on each reboot (after all Netgear boot config completes) as I believe such changes would typically revert when a restart or power loss occurs since we are only modifying firmware running in RAM and not base config on the ROM itself.

Given the configuration complexities required for split-tunnel routing, I have personally let the LBR20 stick to what it does best, which is act as an LTE modem for my Internet connection, leaving the VPN and split-tunnel routing to my upstream router/firewall (pfSense). However, if you put the time in and are able to successfully configure the LBR20 for split-tunnel VPN routing, I'm certain more than a few other LBR20 owners would be indebted to you for posting your configuration detail/tutorial for the same

[hazarjast]

There is no bridge mode, for all practical purposes, on the LBR20.

This is true. The real question becomes 'Why do you require a bridge?'. For most folks, the answer is usually "Because I need open NAT for gaming / running a server / torrenting.' In that case, bridging 'wwan0' from the modem to your LAN interface won't really help you since the IP it gets assigned by the cellular carrier is not publicly routable in practice nine times out of ten. This is because addresses assigned to the modem interface, even if in pubic address space, will be behind carrier grade NAT (CGNAT).

There are ways to work around CGNAT with proxies/VPNs/etc. but layer 2 bridging of the modem and LAN, even if technically possible, would typically not be helpful in this scenario. If you are just using the LBR20 LTE connection as WAN on another router device and want to be sure all traffic is passed unimpeded out of the unit, you can use the DMZ function which will mostly accomplish the same end goals as bridging in this scenario (yes, a layer 3 solution is not equivalent to layer 2 bridging but achieves what is required for most which is bypassing the LBR20's firewall etc. when another router is in play).

[hazarjast]

Is there an error log somewhere after getting error sending AT commands?

Unfortunately, no; at least not easily accessible outside of the modem's internal logging. But, even if such a log existed that we could access from the LBR20 itself, it would likely not provide anything more verbose than the "ERROR" message you already see echoed to the terminal. In most cases "ERROR" indicates that either the AT command does not exist *or* the syntax/options passed were incorrect (typos, etc.).

"ERROR" can also occur if the modem is busy and your command is trying to execute in the middle of something like a status query or connection sequence of commands already being issued to the modem by the LBR20 itself. For this reason it is best to run some more 'sensitive' commands when there is no SIM inserted to lower the chances of this happening

Is there a specific command you are trying to issue to the modem which is resulting in "ERROR" being returned? If you are able to post the exact command and/or a screenshot we may be able to tell you whether the command exists for this particular Quectel modem and whether it is syntactically sound.

[Klockwork77]

Is there a specific command you are trying to issue to the modem which is resulting in "ERROR" being returned? If you are able to post the exact command and/or a screenshot we may be able to tell you whether the command exists for this particular Quectel modem and whether it is syntactically sound.

I'm trying to send AT command using what you posted through ssh.

Code: Select all

cat /dev/ttyUSB2` echo -e "AT +EMGR=1,7,\"012345678911121\"\r\n" > /dev/ttyUSB2`

You can ignore the proton email I sent you about this topic if you reply here.

[hazarjast]

I'm trying to send AT command using what you posted through ssh.

Code: Select all

cat /dev/ttyUSB2` echo -e "AT +EMGR=1,7,\"012345678911121\"\r\n" > /dev/ttyUSB2`

You can ignore the proton email I sent you about this topic if you reply here.

Sorry, just realized I wasn't getting email alerts due to a phone update. Just replied to your email

[hazarjast]

Thought I would share something useful/fun that I thought I shared before but don't see it posted here so guess it slipped my mind. Netgear has a ~1400 line shell script which the LBR20 uses as a wrapper for some of the raw AT commands it issues to the modem. The script is 'mbctrl.sh' and can be called simply as that without full path since it is in '/usr/sbin'. Usage is below:

Code: Select all

/usr/sbin/mbctrl.sh: is a simple tool
        --get-revision                  get the mobile FW version
        --get-sim-status                get the mobile sim status
        --get-network-registration      get the mobile network registration
        --get-signal-strength           get the mobile signal strength
        --pin-verify pincode            sim pin code verify
        --puk-verify puk                sim puk code verify
        power-on                        lte power on
        power-off                       lte power off
        --set-hot-swap                  set hot swap pin in high level
        --get-iccid                     get sim iccid
        --hot-swap-status               get hot swap status
        --software-restart              software restart the module
        --show-message                  show sim card msg
        --get-adv-info                  get adv_info
        --get-support-operator          get network available operator
        --get-current-operator          get current network operator
        --set-operator-selection        set operator selections
        --def                           factory default the module
        --get-imei                      get lte module imei
        --get-imsi                      get sim card imsi
        --get-roamstate                 get lte module roam setup
        --set-roamstate                 setup lte module roam on off
        --get-pin-mode                  get sim card in lock or unlock mode
        --set-pin-mode                  set sim card in lock or unlock mode
        --get-pinpuk-count <get pin|puk>get pin or puk less verify count
        --change-passwd                 change pin code when pin mode is lock
        --set-mbscanmode                set lte module scan network mode lte wcdma umts...
        --del-sms                       del the sms through index save in lte module
        --get-sim-number                get the sim card own phone number
        --get-pa-temp                   get the lte module pa temperature
        --get-band-freq                 get LTE band and frequency
        --eg18-upgrade  <file path>     do the eg18 upgrade
        --get-current-roaming           get current module is in roaming status or not

        option:
                get  item               output the item

Obviously one should wield this script carefully since it can really bork up your modem if you don't know what the commands you are calling actually do. But in the same vein, it can help create pretty useful one-liners that otherwise would be longer/uglier to issue through raw AT calls. An example I whipped up tonight at an LBR20 owner's request refreshes band/signal details every 10 seconds in an SSH terminal session to help with external antenna aiming and/or unit placement if you're not using external, directional antennas:

Code: Select all

while true; do date ; mbctrl.sh --get-adv-info ; sleep 10 ; clear ; done

Just swap out 'sleep 10' above with whatever interval you want it refreshed at ('sleep 5' for 5 second refreshes, etc.) and use 'CTRL+C' to break out of it when you're done. The output looks like the following which is also nicely formatted/interpreted for you:

Code: Select all

Tue Oct  5 21:18:13 GMT 2021
{
        psservice:      1
        pdp_addr:       xxx.xxx.xxx.xxx
        networkselectmode:      "FDD LTE"
        plmn:   "xxxxxx"
        radioband:      "LTE BAND 66"
        channelid:      xxxxx
        state:  "NOCONN"
        mcc:    xxx
        mnc:    xxx
        cellid: xxx
        lac:    XXXX
        rsrp:   -85
        rsrq:   -9
        rssi:   -56
        sinr:   20
        cqi:    -
        rscp:
        ecio:
}

In case you already guessed, this is the same info that is used by the 'Connection Info' page in the web interface but checking in over SSH allows for a cleaner/faster way of accessing with the bonus of not having to worry about web session timeout.

[am888]

Nice find!

[little-endian]

@hazarjast: Thanks a lot for your elaborate reply.

'AT+QCAINFO?' can give you band info but it is specifically used for showing info about carrier aggregation status. I think mostly Netgear and folks interactively querying the modem are using 'AT+QENG="servingcell" to check the currently connected cell and its associated band info.

Hmm, however, the command

Code: Select all

echo -ne "AT+QENG=\"servingcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2

only gives me the main band I'm connected to whereas the QCAINFO variant shows the pcc and the scc(s).

As mentioned in the previous point 'AT+QCAINFO' will give you the last reported carrier aggregation status of the modem, which is not necessarily the same as the current connected cell and band info (i.e. 'AT+QENG="servingcell"').

Good hint which however raises the question for me, whether the QCAINFO's report is then somewhat delayed or based on some outdated CA status in general.

Cell locking is definitely not reboot persistent so either there is a specific bug with B1 locking in the Quectel firmware you are on, or (more likely) the firmware algorithm, which is mostly based on preferring the strongest signal available, has preferred B1 even after the lock was removed.

Well, the potentially strongest band in my case is the 20 around 800 MHz which of course compared to the others (B1, B3, B7) tends to have the higher chances to reach the antennas, given the same distance.

However, if you put the time in and are able to successfully configure the LBR20 for split-tunnel VPN routing, I'm certain more than a few other LBR20 owners would be indebted to you for posting your configuration detail/tutorial for the same

From a purely technical and functional point of view, I already partly succeeded because what works for instance is to only direct the traffic via the established OpenVPN-connection for certain hosts. That, one can achieve by setting up the connection according to the guide included by the Voxel firmware, adding --pull-filter ignore redirect-gateway to the .ovpn config file in order not to have the default routes for the main routing table and adding the following manually:

ip route add 0.0.0.0/0 dev tun21 table <any name or id>
ip rule add from 192.168.1.2/32 table <any name or id>

That for example will have the traffic going through the VPN only for the host 192.168.1.2 and none else.

While this works technically, it isn't exactly "waterproof" to run an unencrypted guest wifi as users could assign other IP addresses manually and go directly via the ISP again.

Although it seems to be a decent approach according to several guides, I fail to have the traffic directed for a certain interface, such as

ip rule add iif wifi2 table <any name or id>

I tried iif for incoming, oif for outgoing, wifi0, wifi1, ath02, ath12, ath21 (the latter show up in conjunction with the guest wifi ssid under /etc/config/wireless so I thought it might be suitable to use one of those), but no avail, this doesn't seem to have any effect at all. So I am a bit lost on how to grab on that damn guest wifi which somehow has to be distinguished on an interface level, given the fact that it is isolated from the other out of the box and hence not just a second ssid terminating at the same AP.

Another (in relation rather minor) thing seems to be that DNS doesn't work when the VPN is running (having to assign one manually at the client side) for whatever reason.

[am888]

You may find solution to DNS issues by searching "DNS leaks openvpn". Maybe you can point your traffic to the VPNs DNS server instead of provider. This is just a hint, not sure if it will work...

*script-security 2* addition to ovpn config file - and reloading resolv.conf
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Bear in mind file paths are crazy on LBR...

Maybe somsething along these lines
https://github.com/alfredopalhares/open ... esolv-conf

[little-endian]

Thanks for pointing me into that direction. I've tested it again and strangely, this time the DNS resolving worked via the VPN route, although I didn't change the DNS settings (still manually pointed to three different ones in the regular internet connection GUI setup).

Adding the up/down commands in the ovpn config file doesn't seem to work, however I discovered that the voxel firmware already comes with such scripts under /etc/openvpn

So added the following lines to the ovpnclient-up.sh there and this works, also after a reboot:

ip route add 0.0.0.0/0 dev tun21 table 30
ip rule add from 192.168.1.128/25 table 30

Major issues with that setup: Although clients which for instance get assigned addresses 192.168.1.129 and up through the guest wifi SSID run fine via the VPN, they could easily get assigned different ones manually of course as mentioned before. So not really safe yet to run an unencrypted guest wifi this way.

Even worse, when connected to the guest network, I still see other devices MAC addresses on a LAN scan, so it seems that although ip traffic is filtered on a transparent L3 kinda level, it still mirrors the broadcasting stuff between the networks. However, there I am not knowledgable enough yet when in comes to ebtables' functions so maybe someone can shed some light into how well the Netgear guys implemented this. At least they set the following on the LBR20 by default:

root@LBR20:/etc/openvpn# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! echo-request -j ACCEPT
-i ath02 -j GUEST_IN
-i ath12 -j GUEST_IN
-i ath21 -j GUEST_IN

Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-i ath02 -j GUEST_FWD_IN
-o ath02 -j GUEST_FWD_OUT
-i ath12 -j GUEST_FWD_IN
-o ath12 -j GUEST_FWD_OUT
-i ath21 -j GUEST_FWD_IN
-o ath21 -j GUEST_FWD_OUT
-d BGA -i ath01 -j DROP
-d BGA -o ath01 -j DROP
-d BGA -i ath11 -j DROP
-d BGA -o ath11 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: GUEST_IN, entries: 11, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02410:6041::/ffff:ffff:ffff:ffff:: -j DROP

Bridge chain: GUEST_FWD_IN, entries: 15, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02410:6041::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv6 --ip6-dst ff00::/ff00:: -j DROP
-d Multicast -j DROP

Bridge chain: GUEST_FWD_OUT, entries: 15, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-src 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02410:6041::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv6 --ip6-dst ff00::/ff00:: -j DROP
-d Multicast -j DROP

[am888]

Orbi doesn't really do a true VLAN network segmentation. That's just a different price category all together I suppose. I guess Voxel could try & address it like openwrt but I think we're lucky to have what we do with it the way nvram handles everything.

https://community.netgear.com/t5/Orbi/B ... -p/1808711

[little-endian]

Yeah, unfortunately it looks like that. While I can't get rid of the impression that most of such missing features are rather caused by suboptimal software than hardware constraints, maybe one eventually simply also pays for exactly that kind of better software when buying more expensive devices.

On the other hand, even when willing to spend more, it would still be a challenge to get the modem functionality of a LBR20 (the comparably performant Huawei B818 is even worse when it comes to routing features) so it would again mean several devices and more power consumption, sigh.

Well, maybe Voxel has an idea here. I would already be glad if one could somehow set the routing based on the interface as rather than the subnet, something which should work via the iif / oif condition checks.

[PunyGod]

I think my connection is more stable, and download speed increases when I use my directional 2x2 mimo external antenna, however my upload speed is cut in half.

I think this is happening because the orbi has 4x4, but when it detects external antenna it switches to only 2x2... (I actually have a decent signal here even without external antenna, my previous location required them.)

Is there a way I can make it use 4x4? Like use the two external antenna and two internal antenna at the same time? I want the download speed I get with external without having lower upload speeds.

I considered opening it up and getting adapters and two more external antenna to make it 4x4 external but I think even if I do that it will still disable the two that it thinks are internal.

[das1996]

I've been out of touch for a while. Glad to see more progress made.

Question; there is no option in the GUI to disable wifi. Is it possible to do so through console? Negative side effects?

[little-endian]

It depends on "which wifi?", but assuming that you probably rather mean the "fronthaul" connections with their broadcasted SSIDs (opposed to the hidden ones when using additional satellites):

While it would be far too easy and also convenient to be able to do that via the official GUI (so Netgear thinks apparently), it is at least possible via the CLI.

Of course, disabling it might prevent connecting certain devices or break any intelligent band steering (although I would yet have to witness such a thing actually existing and working). I disabled the 2.4 GHz band for instance as not a few clients (or their programmers respectively) are simply too retarded to stick to the 5 GHz one whenever possible so one has to teach those with a sledgehammer I guess.

One can also use different SSIDs for the two bands by the way, which is another way to steer stubborn devices into the wanted one.

[das1996]

Sorry, let me clarify. Disable wifi meaning turn wifi off entirely. No backhaul, no 2.4, 5ghz, etc. No wifi period

The person using this only wants to use the lte modem/router function, nothing else.

[hazarjast]

I've been out of touch for a while. Glad to see more progress made.

Question; there is no option in the GUI to disable wifi. Is it possible to do so through console? Negative side effects?

No GUI option. CLI can easily issue “wifi down” which will take down the radios. It’s a bit of spaghetti mess to try and kill all the Orbi related Wifi services completely to regain resources though since there’s watcher scripts which call Wifi related stuff that Netgear expects to be running at all times. 90% of the time I just issue “wifi down” and call it good. I need actually spend some time looking at how to kill all the extra crap that still runs after the radios are off if you look in the “call once” script commands from the CJ repository but is haven’t really bothered with it much since then.

[hazarjast]

Voxel firmware V9.2.5.2.26SF has been released. Mostly package updates with some fixes as well. OP updated with download and release notes links.

Also, the successor to the LBR20 with WiFi 6 (though not the newer 6e standard) and 5G is now being sold by Netgear: https://www.netgear.com/home/wifi/mesh/nbk752/
(NBR750 is the actual model number of the router unit; FCC ID PY320400511)

Unfortunately they force you to buy it in a pack with an additional Orbi satellite and the package price is an eye-watering $1100 USD on pre-order. The good news is that it appears they stuck with Quectel for the modem (specifically the RM502Q-AE) so much of the same stuff in this thread should likely apply to it as well. I will definitely not be purchasing one at the astronomical MSRP though so I do not plan on posting anymore about it in this thread.

For those curious...
User manual can be found here: https://www.downloads.netgear.com/files ... _UM_EN.pdf
FCC filing docs on the router itself can be found here (no good pics until December though, it appears): https://fcc.report/FCC-ID/PY320400511
FCC filing docs on the Quectel modem used by the router can be found here: https://fcc.report/FCC-ID/XMR2020RM502QAE
Quectel Hardware Guide for the modem can be found here: https://fcc.report/FCC-ID/XMR2020RM502QAE/5019309

[das1996]

@hazarjast How do i send you a private message?

[Didneywhorl]

@hazarjast How do i send you a private message?

Ask for him on the Facebook group. https://www.facebook.com/groups/LTE.Hacks

[hazarjast]

@hazarjast How do i send you a private message?

Best to reach out via email: hazarjast at protonmail dot com

[hazarjast]

While working on a friend's LBR20 I finally figured out the cause and solution of the ip6tables mangle randomly not taking effect on startup in Voxel's firmware when called using either 'firewall-start.sh' or 'firewall6-start.sh'. It helped that I actually went back and read the man page for the source package that is used for iptables on the LBR20, 'xtables-legacy':
https://manpages.debian.org/testing/ipt ... .8.en.html

Code: Select all

LIMITATIONS
When inserting a rule using iptables -A or iptables -I, iptables first needs to retrieve the current active ruleset,
change it to include the new rule, and then commit back the result.
This means that if two instances of iptables are running concurrently, one of the updates might be lost.
This can be worked around partially with the --wait option.

After reading that I updated my iptables/ip6tables rules to include '-w' ('--wait') switches and now the ip6tables mangle appears to work on startup as desired. Also realized that for the rare few that have plans provisioned with public IPv4 IPs it would be best to have the iptables rules I was using from the CJ scripts which secure SSH on the WAN interface. Generally not necessary for most since almost all plans are CGNAT'ed these days but still including them for reference below. They all reflect the '-w' switch as indicated:

firewall-start.sh

Code: Select all

# Secure SSH daemon by ensuring any WAN traffic is blocked
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --set > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --set

# Secure SSH daemon against bruteforce attacks
iptables -w -C net2loc -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP > /dev/null 2>&1 || \
iptables -w -I net2loc 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

# IPv4 TTL mod
iptables -w -t mangle -C POSTROUTING -o wwan0 -j TTL --ttl-set 65 > /dev/null 2>&1 || \
iptables -w -t mangle -I POSTROUTING 1 -o wwan0 -j TTL --ttl-set 65

firewall6-start.sh

Code: Select all

# IPv6 TTL mod (prevents leaks not covered by IPv4 rules)
# Sleep added for good measure
sleep 5
ip6tables -w -t mangle -C POSTROUTING -o wwan0 -j HL --hl-set 65 > /dev/null 2>&1 || \
ip6tables -w -t mangle -I POSTROUTING 1 -o wwan0 -j HL --hl-set 65

[Didneywhorl]

I wonder if this would help in general with IP tables TTL/HL rules used on openWRT

[hazarjast]

I wonder if this would help in general with IP tables TTL/HL rules used on openWRT

Would not hurt to add '-w' (--wait) switch for anything using iptables based on the xtables-legacy* packages, IMHO.