Padavan (Asus) firmware for the Xiaomi Mini router. Connecting an additional configuration file to dnsmasq

We recently reviewed the Xiaomi Mi Mini WiFi router. The access point is great, but it has one unpleasant nuance.

The fact is that Xiaomi produces goods only for the domestic market, or at least that was the case until recently. This means that all the software is in Chinese. And while in English you can understand everything without problems, with Chinese it is much worse.

In the review, we saw that to connect Xiaomi Mini WiFi, it is enough to turn on the access point and enter your data to connect to the Internet. This is enough for the vast majority of users. But what if you want to get new features and have completely Russian firmware? It remains only to flash our Xiaomi Mini WiFi to an alternative firmware.

So, stock up on patience, since flashing a Xiaomi differs from most routers, and let's begin.

Step One - Prepare Xiaomi Mini WiFi for Firmware

Flashing a Xiaomi access point is not as easy as with most devices. There is an automatic update, but only to the Chinese version, and we need a Russian one with features that the stock Xiaomi Mini WiFi firmware lacks. Therefore, the access point must first be prepared for flashing.

First of all, go to the official website. On the page that opens, which is of course in Chinese, select ROM, find your access point in the list and download the developer firmware. We need this firmware for the finer-grained access it gives.

After that, connect to the Xiaomi at 192.168.31.1, select the second tab, then the last one. You can recognise the right place by the notice that a new firmware is available: it reports that the firmware has been released and shows its size. The first Chinese button means "download and flash", so click the second button instead and select the downloaded firmware file.

The firmware of the router starts. At this point, the power cannot be turned off.

After the end of the firmware, you may notice a new, more interesting interface with added features.

Step two - download the necessary files and programs

Our Xiaomi Mini WiFi access point has been updated to the developer firmware. However, this firmware, although interesting, is still in Chinese and lacks some of the functions for which we decided to flash the Xiaomi in the first place.

Now we need to install the PandoraBox firmware. However, it cannot be done just like that, so some additional manipulations are needed, or, more simply, "dancing with a tambourine".

Go to the Router Club repository and scroll to the very bottom, to the latest date. Inside it we need the folder xrm_base. This folder holds our final goal - the Padavan firmware. Download the firmware to the computer. If you do not want to search, the latest firmware as of 04/12/2016 can be downloaded directly.

Since I already have several Xiaomi devices, I did not need to register. Next to your profile photo is your user ID; that is what we need.

Attention!!! Rollback to stock firmware.

The topic of Xiaomi Mi Router firmware is relevant for several reasons. The main one is that its entire interface is in Chinese, with no alternative. So, to more or less understand what the stock firmware says, you need to install a translation extension in the browser. It works, but it is inconvenient. Why all this trouble, you might ask? Buy yourself another router with Russian localisation and use that. But the low price combined with the router's high specifications and functionality is captivating: comparable models from other manufacturers sold here cost a thousand rubles or more extra.

What are the options?

It is impossible to constantly use the Chinese version, as you understand. Therefore, I decided to make this guide, in which I will talk about two possibilities for router firmware:

  • To the official English firmware
  • To the Padavan firmware (also called the Asus firmware)

This instruction is suitable for all models with a USB port - the Xiaomi Mi Router 3 firmware is exactly the same as the Mini.

The official firmware of the Xiaomi Mi WiFi 3 router in English

So - how to switch the Xiaomi Router 3 to English and stop struggling with these endless hieroglyphs.

The procedure is simple:

  • Download Xiaomi English Firmware
  • Upload it to the router
  • Reconfigure it, now in the English interface

Firmware for Xiaomi Mi WiFi Router from Padavan for Asus

Another solution to the Chinese-language control panel is to install a custom firmware on the Xiaomi router. The most successful today is the Padavan firmware, also called the Asus firmware after the company whose routers it was originally made for. The installation process is not the easiest, but if everything is done correctly it works without problems for anyone who knows at least a little about using a computer. Therefore, in this article I have tried to describe the whole process of updating the router software in as much detail as possible, using the Xiaomi Mini as the example.

To achieve the final result, we need to flash Xiaomi Mi Router several times:

  • Install original XiaoMi developer firmware
  • Install Pandora Firmware
  • Install Asus Firmware

Firmware for developers

Let's start. First of all, go to the Xiaomi download page, open the "ROM" tab and download the "ROM for" package for your model (Mini, 3, 3C, 3G, etc.) from the right-hand column - this is the official developer version of the software. It gives us lower-level access to the router.

Next, go to the router's admin panel at its address, open "General settings > System status" and select the downloaded file for flashing. In my screenshots you will see the interface pages translated by the translator built into Chrome - this is the most convenient way to use the stock firmware. While working, connect the computer to the Xiaomi router by cable for convenience - then you will not need to reconnect every time it reboots.

The router is being flashed - at this time it cannot be turned off from the power supply.

Download the necessary files and programs

After the router reboots, configure the Internet connection from your provider again and go to the Router Club repository, where enthusiasts regularly upload fresh Padavan firmware (and not only that) for several different routers. Scroll down the page and open the folder with the latest date.

In this folder we find another one, xrm_base; it contains the Asus firmware we need. Download it to the computer.

In the personal account on the Xiaomi Mi Router site we find our account number - it is to the right of the menu, next to the profile photo.

Everyone's login will be "root" - the password is individual.

Click the button with hieroglyphs to the right of the password, then again the right-hand button in the pop-up window - and download the file for connecting to the Xiaomi Mi Router over SSH.

It must be placed on a clean, FAT32-formatted USB flash drive with a size of 4 to 8 GB.

And finally, the last thing is to download the software package from our repository for Asus firmware.

Firmware from Pandora

Let's get down to the actual flashing. Unplug the power cable from the router, take the USB flash drive and insert it into the USB port on the Xiaomi router.
Next, hold down the "Reset" button with a pin and plug the power cable in. Wait until the LED blinks yellow, then release "Reset". If all is well, the LED turns blue. If it turns red, repeat the whole procedure with the flash drive and router from the beginning.

After that, run hfs.exe from the same archive and add the PandoraBox.bin file to it. This is a small HTTP file server that runs on the computer and from which the router downloads the firmware.

The next step is to run putty.exe from the same archive - this is an SSH client that lets you connect to the Xiaomi's "innards". Enter the router's IP address - 192.168.31.1. Leave the rest of the values as they are and click the "Open" button.

A new dialog box opens, where we are first asked for the router's username and password - recall the information obtained in your account on the Xiaomi website. The login is "root" and the password is the one the site gave you. Characters are not displayed while typing the password, so type carefully. On a successful connection a greeting from the Chinese appears.

Next, enter the command cd /tmp to get into the router's temporary files folder.
After that, give the command wget LINK_TO_FILE_FROM_THE_HFS_PROGRAM. In my case it looks like wget http://192.168.151.1/PandoraBox.bin

Next, you need to determine where exactly in your particular device the firmware is to be written. This is done with the command cat /proc/mtd. It prints a list of partitions in which you need to find one of the names "firmware", "OS1" or "FirmwareStub". Exactly one of them will be present, and that is the one we use. In my case it was "OS1".

Now we execute the command that will flash our router for the version from Pandora:

mtd -r write /tmp/PandoraBox.bin OS1

Instead of OS1, as you understand, you may have firmware or FirmwareStub.

The router will start flashing, after which it will reboot.

Xiaomi firmware from Asus (Padavan)

Now that Pandora is installed, launch HFS.EXE again and add the Asus firmware file to it in the same way - the one downloaded at the very beginning from the Router Club repository.

Once it is added, start PUTTY.EXE again and reconnect to the router, this time at the new IP set by the new firmware - 192.168.1.1

Here we log in again, using the login "root" and the password "admin".
Next, go back to the directory with cd /tmp and download the Padavan (Asus) firmware file into it: wget http://192.168.1.151/FILE_NAME.trx - again, the link is taken from the HFS program.

After that, flash the firmware with the command mtd -r write /tmp/FILE_NAME.trx firmware - note that this time the partition name at the end is "firmware".

Wait for the router to reboot, then type its IP in the browser - 192.168.1.1 - to reach the admin panel. Log in with the login/password pair admin/admin. To connect to the router over WiFi, the network is called Router Club and the password is "1234567890".
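As an added example (not the article's own commands), the following shell helper automates the partition lookup the steps above do by eye in /proc/mtd, checks that the image actually fits the partition before anything is written, and prints the mtd command instead of running it. The partition names are the three the article mentions; the /proc/mtd layout is the standard Linux one, and the table used in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the article. It looks up the flash partition in a
# /proc/mtd-style table and adds a size check before the "mtd -r write" step.
# Assumed table format (standard Linux /proc/mtd, sizes in hex bytes):
#   mtd3: 00e80000 00010000 "OS1"

# Print the name of the first partition called firmware, OS1 or FirmwareStub,
# the three names the article says to look for. $1 = mtd table file.
find_fw_partition() {
    while read -r dev size erase name; do
        name=${name#\"}; name=${name%\"}        # strip the surrounding quotes
        case "$name" in
            firmware|OS1|FirmwareStub) echo "$name"; return 0 ;;
        esac
    done < "${1:-/proc/mtd}"
    return 1
}

# Print the size in bytes of partition $2 from table $1, or fail if absent.
partition_size() {
    while read -r dev size erase name; do
        name=${name#\"}; name=${name%\"}
        if [ "$name" = "$2" ]; then echo $((0x$size)); return 0; fi
    done < "$1"
    return 1
}

# Validate image $1 against table $2 and print the mtd command to run.
# Nothing is written to flash here; the operator decides whether to run it.
plan_flash() {
    image="$1"; table="${2:-/proc/mtd}"
    [ -s "$image" ] || { echo "image missing or empty: $image" >&2; return 1; }
    part=$(find_fw_partition "$table") \
        || { echo "no firmware/OS1/FirmwareStub partition in $table" >&2; return 1; }
    isize=$(wc -c < "$image" | tr -d ' ')
    psize=$(partition_size "$table" "$part")
    if [ "$isize" -gt "$psize" ]; then
        echo "image is $isize bytes but $part holds only $psize bytes" >&2; return 1
    fi
    echo "mtd -r write $image $part"
}

# On the router: sh flashcheck.sh /tmp/PandoraBox.bin
if [ -n "${1:-}" ]; then
    plan_flash "$1" && echo "sizes are consistent; run the command above to flash"
fi
```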

The reward of our long work will be a new admin panel with many additional features that were not in the stock firmware. For example, the function of connecting mobile modems and distributing a guest wifi network at a frequency of 5 GHz will now be available, and this is only the very, very minimum of the changes that have occurred.

I hope everything worked out for you too!

For greater clarity, here are two video guides that show the whole process step by step. By the way, installing the Padavan firmware on the Xiaomi Mi Wi-Fi Router 3 and 3G differs from the Mini - pay attention to this!

Padavan for Mi Router 3/3G

For Xiaomi Mini

How to return the official firmware to Xiaomi Mi Router 3?

I used the Xiaomi router for a long time on different firmware, but for many blog readers the process of installing a third-party version of the software is too complicated, so more often I still get questions about how to work with Xiaomi routers in the usual official version of the admin panel. Therefore, I decided to return everything back and roll back the device to the original Chinese version in order to create a series of articles about setting up a router, as they say, “out of the box”.

Of course, I will share my experience of rolling back from a custom firmware to the official Xiaomi one.
So, to start, go to the Xiaomi download page for its routers. Here too everything is in Chinese, so for the last time we will use the translator built into Google Chrome.

Once the page is readable, switch to the "ROM" tab to display the list of routers that have firmware.
Find your model in it and download either of the two versions offered - Stable or Developer.

The file will have some name - rename it to miwifi.bin.

Then copy the miwifi.bin firmware file onto a clean FAT32 flash drive - into the root, with nothing else on it.

  • disconnect the router from the power cable
  • insert the flash drive into its USB port
  • press the reset button
  • and simultaneously with the button pressed, connect the power cord back
  • after 5-10 seconds, when the orange light flashes, release the reset button


Hello everyone, today's review is again a router :) But an unusual one. Let's start with the fact that this router is not sold outside the Chinese market, and I literally forced the store to add it to their assortment. What is so special about it? First of all, I was captivated by its appearance. Further, the description listed it as gigabit and, judging by the scanty information gleaned from Chinese forums, it should have met the requirements of the Padavan firmware. What actually happened, and which language barriers I had to face - I tell you under the cut, welcome :)

DOSSIER

● Gee Turbo 2.0 signal core technology, promising coverage of up to 300 meters
● 3 times faster than ordinary routers over WiFi, 10 times faster over Ethernet
● 3 dual-band antennas, 2.4 GHz 2x2 MIMO, 5 GHz 2x2 MIMO
● Dual band: 802.11 b/g/n and 802.11 a/n/ac; 2.4 GHz 2x2 300 Mbps, 5 GHz 2x2 867 Mbps
● Gigabit network
● Micro SD slot
● USB 2.0
● 1 WAN, 2 LAN

PHOTOS FROM THE STORE

If you don't mind, I'll include marketing photos from the manufacturer/shop first, then my own.

In my opinion, the appearance pleases the eye.
Now a few slides describing the features:


WHY IS IT SO EXPENSIVE?!

Wait, the indignant reader will ask, why is it so expensive - is it gold or what? No, it is not gold, it is anodized aluminum, like iPhones and MacBooks. Moreover, it is not painted aluminum but the alloy itself: I tried scratching it with a file and no paint comes off. So why is it so expensive? Let's figure it out:
Product Weight: 0.538 kg
Package Weight: 0.800 kg
Product Size (L x W x H): 11 x 192.6 x 2.3 cm
Package Size (L x W x H): 13 x 21 x 5 cm
First of all, we pay for a parcel weighing 800 grams. Alas, beauty comes at a cost. Next, the router has LNAs (low-noise amplifiers), which also raise the production cost. Gigabit also needs more expensive chips and transformers. And dual-band, naturally. Is it worth it? Let's try to find out.

Well, okay, that's sorted out, now my own photos.

OWN PHOTOS

The router arrived in this box:

After slightly tearing the side of the packaging, I saw the logo of the HiWiFi brand - "Gee".

Box, top view. Gearbest threw in an adapter of poor quality, but it is still a nice touch.

Bottom view.

With the lid off: the boxes with small parts are neatly laid out, the router's antennas stick out, and the router is covered by the manual.

Remove the manual.

Flipping it over :)

Delivery set (they could have made the patch cord gold too!):

Chinese manual

The hero of the review.

It can stand vertically (no lugs for wall mounting are provided).

The antennas bend 90 degrees and rotate 180 degrees.

A dirty trick from the Chinese - triangular screws.

But nothing is impossible: a flat screwdriver with a tip as wide as the edge of the triangle did the job.

The antennas do not unscrew.

And here is the board, our beloved MT7620 :)

The reverse side of the board.

Size comparisons:
1) smartphone

2) xiaomi 10400

Let's weigh it:

Console connected.

FIRMWARE FROM THE FACTORY

Note: the English in the screenshots is Google Chrome's automatic translation from Chinese.

Welcome screen:

Connecting the router to the Internet

Setting the connection type

An offer to use the Chinese miracle app for smartphones:

Setting a password for the admin panel:

Success!

After that, the router's main screen, familiar to many (those who read my past reviews), appears. It seems the Chinese have some kind of common OS; this will need looking into.

Additional settings:

In general, the firmware is interesting: it supports some apps, but they are mostly intended for the Chinese market and would give us no benefit. It was also funny, though; I really liked this title:

HACK

As it turned out, the router is fenced off completely, and firmware cannot simply be uploaded to it. Of course, with a flash programmer this is done in 10 clicks, but since not everyone here has one yet, we will look for a more accessible way.
To do this, you need to learn Chinese.
Joke. But almost necessary. To flash, you need to replace the stock bootloader with Breed (preferably), but the developers have provided for almost everything: the firmware is either downloaded from the update server or uploaded through the regular web interface, and both the bootloader and the firmware are protected by a digital signature, so a third-party one cannot be slipped in :( Going through the firmware, I found the section with the signature, but I did not figure out how to forge it; here it is:


And here is the signature itself:

Therefore, we will try to enable developer mode, a mode in which ssh is available to the router.
We go into the router, register a hiwifi account for ourselves, and try to enable developer mode.



But to turn it on, you need to have...

A CHINESE SIM!!!

to which an SMS with the unlock code is sent. Where would I get one, here in Moscow? Then I decided to try technical support. But support is available exclusively through the Chinese analogue of Twitter/Viber called WeChat. Register there and write to HiWiFi support (account: jiluyou)
We write them a long message:

A support agent named Skylar joins the chat:
Tell us your MAC address and we will unlock developer mode for you, but it voids the warranty. Haha, warranty, sure.

A little time passed and I was informed that my developer account was activated.

Next came instructions on how to enable the developer account (the person with the gear-head icon is apparently the developer):

Next, we go where we were sent:






Hooray! Half the job is done.
I hope, after my reviews, everyone already knows how to use ssh ?!
We go via ssh to the router, port 1022, ip 192.168.199.1, admin/admin:


We are in the system! Next, prepare a USB flash drive with two files - Breed and the Padavan firmware, which I prepared.

By the way, guys, I finally decided to try making a site about routers; I named it, no less, :)
I propose discussing almost all router models and firmware: Padavan, OpenWRT, Zyxel, InvizBox (firmware for the Nexx 3020 that runs Tor out of the box, a kind of Internet condom).
There you can also always find daily fresh builds of the Padavan firmware; at the moment the following routers are supported:

Hi-Fi 5681
NEXX WT3020
VONETS all 300 Mbps
TCL-T1
And, exclusive, alpha version of the firmware for NEXX WT1520, wan and usb do not work at the moment, but there are hopes to fix it.

So, having logged in via SSH with the admin/admin login and password, we check how the flash drive was detected:


Ok, sda1.
Create a directory for the mount point:

We mount the flash drive, look at what kind of files are on the flash drive:


Flash the bootloader; type the command letter for letter, otherwise it will be excruciatingly painful.


Flashing firmware from Padawan:


That's it. Turn off the power, remove the USB flash drive and wait for it to boot. And so:

A SETBACK FROM WHERE YOU DID NOT EXPECT IT

And then a nasty surprise awaited me:


WOW-WOW-WOW, what do you mean 100 Mbps, we have a gigabit router!
As it turned out, it really is a gigabit router, but... with one gigabit port. C'est la vie.
After downing a strong drink in one gulp, I thought: what to do? Well, it is bad, of course, but on the other hand, if your provider gives you 100 Mbps, it is fine: gigabit LAN, everything works.
If the provider gives more than 100 Mbps and you do not have a gigabit LAN, not all is lost either. However, if you have both a gigabit LAN and a gigabit provider - trouble, look for another router; we are waiting for the wave of new devices on the 7621 chip in the fall.

WHERE IS THE STRENGTH, BROTHER?

So, back to the killer feature of this router - the antenna amplifiers. At work I compared the signal strength of access points: a Cisco WiFi for a couple of kilodollars and this one. Guess which signal was stronger? Our network manager was shocked and decided to get this device for himself :) The router's signal is FEROCIOUS, forgive the expression. Screenshot from an Android phone:
2.4GHz:


5GHz


Speed test over NAT (IPoE):



In my opinion, it's pretty decent, in peaks it downloads at a speed of 51 megabytes per second.

PROS

+ Gigabit (though not entirely honest)
+ Fierce wifi signal strength
+ Appearance
+ Alternative firmware
+ Slot for memory cards (though I have not yet figured out how to make the firmware use it)

CONS

- Not all ports are gigabit
- Complicated way of firmware
- Price, due to the heavy case of the router and the overall box.

CONCLUSIONS

I spent a lot of time persuading the manager to add a router that no one sold outside of the Chinese market and had high hopes for this router. On the one hand, he justified the trust, on the other hand, there are shortcomings.
But in general, I really liked this router, and, with reservations about the price and the not-quite-gigabit capability (as well as a rather tricky way of breaking free from the Chinese firmware), I can safely recommend it to everyone (but keep it away from your head).

That's all, I wish everyone a good, stable Internet and I'm waiting for everyone interested in the router club;) See you again, friends!

And yes, if this review helped you, feel free to put a plus to the review, this is the best gratitude.

Over the long years of its existence, the Padavan firmware for Asus has become, in certain circles, synonymous with stability for a WiFi router. Not many stock firmwares can boast such ease of configuration and reliability across all of the router's capabilities. Next, I will show step by step how to install the Padavan firmware on an Asus router.

What is the secret of the Padavan firmware?

Installing and configuring the Padavan firmware fixes the shortcomings of the stock software and often opens up features the Asus router did not have natively:

  • Solved many bugs and problems
  • Improved work stability
  • Additional software utilities such as torrent client, Aria2 download manager, UPnP/DLNA A/V media server and more
  • Enhanced diagnostic capabilities
  • Improved IGMP Snooping mechanism
  • Built-in NFS server
  • Added L2TP/OpenVPN server
  • Improved IPv6/PPTP/L2TP components

How to download Padavan firmware for Asus?

Surprisingly, I was unable to download the Padavan firmware for the Asus RT-N14U router that I use from the developer's official website - now only the RT-N56U version is posted there, although earlier, as I remember, it could be found there for a very large number of models. But after a little googling I managed to find a repository where the Padavan firmware for the Asus RT-N14U is located - I hope the link is still valid when you read this article, because, as you know, everything changes rapidly in our world...


Find your model and download the latest release to the computer, going by the serial number - note that the firmware file for Asus must end in .TRX. I also found that there are several options here - for a full update, select "FULL".

After that, we connect the router to the computer via cable - I want to focus on this, since when updating the software via WiFi, errors may occur and the router will stop working.

Next, go to the "Wireless 2.4 GHz" section (and for someone it may be possible to configure the 5 GHz network if the router is dual-band). Here we activate the “Enable radio module” item, set the SSID of the network, that is, its name, and the “WPA” key, that is, the password for connecting.


Padavan firmware settings are saved with the "Apply" button

Video review of Padavan firmware on Asus

A huge number of instructions with different options for bypassing the blocking of Internet resources have been published. But the topic does not lose relevance. Even more and more often there are initiatives at the legislative level to block articles on methods for bypassing blocking. And there were rumors that Roskomnadzor would receive another wad of taxpayer money for “better” blocking. Experienced users will not learn anything new and useful from the article. But others will receive ready-made step-by-step instructions for a simple and effective selective bypass of blocking on popular routers with Padavan and Keenetic firmware.

Everything was good, but "the best is the enemy of the good". Firstly, some newer programs have become too "smart" and resolve domains their own way, bypassing the router's DNS server. This prevents dnsmasq on the router from adding the address to the ipset set for unblocking, with the expected result: the resource stays blocked. Android 9 even gained built-in DNS-over-TLS support, so this bypass method stops working (unless another device has already resolved the name through dnsmasq). Secondly, updating the entire list of domains from antizapret gives unpredictable results every time. The list may include domains that are not actually blocked but that must keep working through the main channel. You have to stay alert and edit the generated files by hand. Thirdly, I am tired of carrying around a huge list with tens of thousands of casinos and the like that are simply not needed. Over time I realised that I only need a small, specific list of blocked resources.

So I have been using a slightly modified unlocking method for a year now, which I am completely satisfied with:

  • Simplicity and ease of management (after setup).
  • Full control over which resources to unlock.
  • Minimum CPU and RAM requirements for the router.
  • Wide coverage of nuances when bypassing blocking.

It is important to note that my variant is not intended for the case when you need to unblock hundreds or thousands of domains, because at router start-up every domain from the list is resolved. The more domains in the list, the longer it takes to initialise the ipset set for unblocking.

The basis for bypassing blocking is the same - the Tor network. Its use comes down to two simple factors: it is free, and the likelihood that Tor will be blocked in Russia is close to zero, unlike any VPN service. Tor is the foundation of drug trafficking in Russia from the middle tier to the bottom. Blocking Tor would lead to a search for new tools for the market and a decrease in the level of anonymity, which would in turn lead to successful activity by local law enforcement. Ultimately this, like a virus, would begin to negatively affect the upper tier. Considering the latest surprising news about the connections of top government officials with global drug trafficking into Russia, blocking Tor in Russia is simply taboo, trivial as it sounds. Neither Roskomnadzor, no matter how many billions are allocated to that department, nor a single court in Russia has permission "from above" to block Tor. And this no longer surprises or frightens anyone, even though Russia is simply drowning in drugs (any schoolchild knows what the "darknet" is, and within 30 minutes has the real opportunity, in any city of 10,000 people or more, to get practically any drug in any quantity without hindrance - such is the evil truth of life). Under the current regime, the probability of the Tor network being blocked is lower than the probability of the Hermitage Museum website being blocked.

The above instructions are easy to adapt for routers with OpenWrt. Also, with a few changes, it's easy to replace Tor with OpenVPN.

How will you manage blocking bypass after configuration?

Everything is very simple. You have a file /opt/etc/unblock.txt - a simple unblock list. You can unblock a domain, IP address, address range or CIDR. One line - one element. Blank lines are allowed, and you can use the # character at the beginning of a line to ignore.



After editing this file, you simply run the command to apply the new configuration:

unblock_update.sh

All resources from unblock.txt are unblocked without needing to restart the router.

Principle of operation

  • When the router is initialized, an empty set of IP addresses ipset with the name unblock is created.
  • A rule is added to the firewall to redirect all packets with destinations from unblock to the Tor service.
  • The Tor service starts in transparent proxy mode.
  • A special script unblock_ipset.sh is launched, which resolves all domains from unblock.txt and adds their IP addresses to the unblock set. IP addresses, ranges and CIDRs from this file are also added to unblock.
  • dnsmasq is launched with an additional configuration file unblock.dnsmasq, which specifies adding domain IP addresses from unblock.txt to the unblock set during resolving.
  • cron runs unblock_ipset.sh at regular intervals to partially compensate for possible nuanced cases.
  • If necessary, all domains from unblock.txt (and only them) are resolved through dnscrypt-proxy if the provider filters DNS.

Setting up a router with Padavan firmware

You must have a router with the Padavan firmware installed and the Entware package manager already configured. On Windows, you can use the PuTTY client to connect to your router via SSH.

Make sure you are using Entware and not the legacy Entware-ng. Look at the contents of the /opt/var/opkg-lists folder. There will be an entware or entware-ng file present. In the second case, you need to update your router's Padavan firmware to the latest version and reinstall the Entware package manager. Only then proceed to the step-by-step instructions.

As the comments showed, problems mostly arise for those whose Entware was configured incorrectly from the start (that is, scripts from init.d are not loaded) in the router's internal memory. If you have a Xiaomi Mi Router 3 or 3G and are not sure that Entware in internal memory works correctly (automatic start), simply set everything up again. Use PROMETHEUS: update the script (1), update the source code (2), build and flash the latest firmware (4). Reset the firmware settings (NVRAM and file storage) in Advanced > Administration > Settings. Set up Internet access on the router and enable SSH. In PROMETHEUS, do Firmware > Format RWFS. Select Advanced > Administration > Settings > Mount file system on R/W partition > UBIFS. Restart the router. All the current Entware start-up scripts in internal memory will be written automatically, and everything will work like clockwork.

For tests, I used the popular Xiaomi Mi Router 3G (Entware installed in internal memory) with the latest firmware - 32a93db. Everything will work even on the legendary baby WT3020 AD/F/H for $10.

1. Installing the required packages

opkg update
opkg install mc tor tor-geoip bind-dig cron

mc - Midnight Commander, which includes the mcedit editor.
tor - the Tor service.
tor-geoip - geo-IP database for Tor.
bind-dig - the dig DNS lookup utility.
cron - task scheduler.

2. Initializing ipset, creating a set of unblock IP addresses (start_script.sh)

Connect the necessary modules and create an empty set of addresses named unblock when loading the router. To do this, open the file in the editor /etc/storage/start_script.sh:

mcedit /etc/storage/start_script.sh
Add at the end:

modprobe ip_set
modprobe ip_set_hash_ip
modprobe ip_set_hash_net
modprobe ip_set_bitmap_ip
modprobe ip_set_list_set
modprobe xt_set
ipset create unblock hash:net

If you wish, you can edit the start_script.sh file through the router's web interface - "Advanced" > "Personalization" > "Scripts" > "Run before router initialization". After editing, click "Apply".

3. Tor setup

Delete the contents of the Tor configuration file:

cat /dev/null > /opt/etc/tor/torrc
Open the Tor configuration file:

mcedit /opt/etc/tor/torrc
Paste (Shift+Insert) content:

User admin
PidFile /opt/var/run/tor.pid
ExcludeExitNodes {RU},{UA},{AM},{KG},{BY}
StrictNodes 1
TransPort 192.168.0.1:9141
ExitRelay 0
ExitPolicy reject *:*
ExitPolicy reject6 *:*
GeoIPFile /opt/share/tor/geoip
GeoIPv6File /opt/share/tor/geoip6
DataDirectory /opt/var/lib/tor
Replace 192.168.0.1 with the internal address of your router (LAN) if necessary. Brief description of the configuration:

  • Exclude exit nodes: Russia, Ukraine, Armenia, Kyrgyzstan, Belarus.
  • Hang a "transparent" proxy at 192.168.0.1, port 9141.
  • Forbid to be an exit point.

4. List of domains (and not only) to bypass blocking (unblock.txt)

Create a file /opt/etc/unblock.txt:

mcedit /opt/etc/unblock.txt
Each line can contain a domain name, IP address, range, or CIDR. You can use the # symbol to comment lines.

Here is an example of my personal file:

###Torrent trackers
rutracker.org
rutor.info
rutor.is
mega-tor.org
kinozal.tv
nnm-club.me
nnm-club.ws
tfile.me
tfile-home.org
tfile1.cc
megatfile.cc
megapeer.org
megapeer.ru
tapochek.net
tparser.org
tparser.me
rustorka.com
uniongang.tv
fast-torrent.ru
###Media content directories for programs
rezka.ag
hdrezka.ag
hdrezka.me
filmix.co
filmix.cc
seasonvar.ru
###Books
lib.rus.ec
flibusta.is
flibs.me
flisland.net
flibusta.site
###Telegram
telegram.org
tdesktop.com
tdesktop.org
tdesktop.info
tdesktop.net
telesco.pe
telegram.dog
telegram.me
t.me
telegra.ph
web.telegram.org
desktop.telegram.org
updates.tdesktop.com
venus.web.telegram.org
flora.web.telegram.org
vesta.web.telegram.org
pluto.web.telegram.org
aurora.web.telegram.org
149.154.160.0/20
91.108.4.0/22
91.108.8.0/22
91.108.12.0/22
91.108.16.0/22
91.108.56.0/22
109.239.140.0/24
67.198.55.0/24
###Miscellaneous
7-zip.org
edem.tv
4pna.com
2019.vote
###Tor check
check.torproject.org
###IP unlock example (remove # at the beginning of the line)
#195.82.146.214
###CIDR unlock example (remove # at the beginning of the line)
#103.21.244.0/22
###Example of unlocking by range (remove # at the beginning of the line)
#100.100.100.200-100.100.100.210

5. Script for filling the unblock set with IP addresses of a given list of domains (unblock_ipset.sh)

Create a script /opt/bin/unblock_ipset.sh:

mcedit /opt/bin/unblock_ipset.sh
Paste (Shift+Insert) content:

#!/bin/sh
# wait until local DNS resolving works (the router may still be initializing at boot)
until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # CIDR entry: add as is
  cidr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}")
  if [ ! -z "$cidr" ]; then
    ipset -exist add unblock $cidr
    continue
  fi
  # range entry: add as is
  range=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}-[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$range" ]; then
    ipset -exist add unblock $range
    continue
  fi
  # single IP address: add as is
  addr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$addr" ]; then
    ipset -exist add unblock $addr
    continue
  fi
  # otherwise it is a domain name: resolve it and add every address from the answer
  dig +short $line @localhost | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | awk '{system("ipset -exist add unblock "$1)}'
done < /opt/etc/unblock.txt
Give execution rights:

chmod +x /opt/bin/unblock_ipset.sh

6. Script for generating an additional dnsmasq configuration file from a given list of domains (unblock_dnsmasq.sh)

Create a script /opt/bin/unblock_dnsmasq.sh:

mcedit /opt/bin/unblock_dnsmasq.sh
Paste (Shift+Insert) content:

#!/bin/sh
cat /dev/null > /opt/etc/unblock.dnsmasq
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # skip anything containing an IP address (IP, range, CIDR); only domains go to dnsmasq
  echo $line | grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" && continue
  echo "ipset=/$line/unblock" >> /opt/etc/unblock.dnsmasq
done < /opt/etc/unblock.txt
Give execution rights:

chmod +x /opt/bin/unblock_dnsmasq.sh

The script is quite simple; here is the essence of its work. We sequentially read the lines from /opt/etc/unblock.txt. Spaces and tabs at the beginning and end of each line are removed automatically. Skip empty lines. Skip lines that start with #. We skip lines that contain an IP address (IP, range, CIDR), i.e. we are only interested in lines with domain names. To the file /opt/etc/unblock.dnsmasq we add lines like "ipset=/domain_name/unblock". This means that after the IP addresses of a given domain are determined, they will be automatically added to the unblock set.

Be sure to run the script to generate the unblock.dnsmasq file:

unblock_dnsmasq.sh

7. Script for manual forced system update after editing the list of domains (unblock_update.sh)

Create a script /opt/bin/unblock_update.sh:

mcedit /opt/bin/unblock_update.sh
Paste (Shift+Insert) content:

#!/bin/sh
ipset flush unblock
/opt/bin/unblock_dnsmasq.sh
restart_dhcpd
sleep 3
/opt/bin/unblock_ipset.sh &
Give execution rights:

chmod +x /opt/bin/unblock_update.sh

8. Script to automatically fill the unblock set when the router boots (S99unblock)

Create a script /opt/etc/init.d/S99unblock:

mcedit /opt/etc/init.d/S99unblock
Paste (Shift+Insert) content:

#!/bin/sh
[ "$1" != "start" ] && exit 0
/opt/bin/unblock_ipset.sh &
Give execution rights:

chmod +x /opt/etc/init.d/S99unblock

9. Redirecting packets with destinations from unblock to Tor (post_iptables_script.sh)

Open the file in the editor /etc/storage/post_iptables_script.sh:

mcedit /etc/storage/post_iptables_script.sh
Add at the end:

iptables -t nat -A PREROUTING -i br0 -p tcp -m set --match-set unblock dst -j REDIRECT --to-port 9141

If you wish, you can edit the post_iptables_script.sh file through the router's web interface - "Advanced" > "Personalization" > "Scripts" > "Run after restarting firewall rules". After editing, click "Apply".

In the same file, you can add (this is optional) redirecting all requests to external port 53 to yourself. This is necessary so that clients on the local network do not use third-party DNS services. Requests will go through a regular DNS server.

iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.0.1
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.0.1
Replace 192.168.0.1 with the internal address of your router (LAN) if necessary.

10. Connecting an additional configuration file to dnsmasq

We need to connect the created unblock.dnsmasq file to dnsmasq. To do this, open the file in the editor /etc/storage/dnsmasq/dnsmasq.conf:

mcedit /etc/storage/dnsmasq/dnsmasq.conf
Add at the end:

conf-file=/opt/etc/unblock.dnsmasq
If you want (this is optional), you can add an additional server for resolving and reliability:

server=8.8.8.8
If you wish, you can edit the dnsmasq.conf file through the router's web interface - "Advanced" > "LAN" > "DHCP Server" > "Custom configuration file dnsmasq.conf". After editing, click "Apply".

11. Adding a task to cron to periodically update the contents of the unblock set

Change the user in the cron configuration file from root to admin:

sed -i "s/root/admin/g" /opt/etc/crontab
Open the file in the editor /opt/etc/crontab:

mcedit /opt/etc/crontab
Add at the end:

00 06 * * * admin /opt/bin/unblock_ipset.sh

Reboot the router.

Setting up a router with Keenetic OS

You must have a Keenetic/Zyxel router with the Entware package manager (OPKG) already configured. For example, here is a list of some routers that support Entware: Keenetic II, Keenetic III, Extra, Extra II, Giga II, Giga III, Omni, Omni II, Viva, Ultra, Ultra II, Omni (KN-1410), Extra (KN-1710), Giga (KN-1010), Ultra (KN-1810), Viva (KN-1910), DSL (KN-2010), Duo (KN-2110). Instructions for setting up Entware can be viewed (up to step 10).

If you have previously added support for Entware (with firmware prior to 2.07), then make sure that you are using an up-to-date Entware-ng.

Be sure to enable "Netfilter Subsystem Kernel Modules" - General Settings > Change Component Set. If it is not in the list of available ones, then try installing the IPv6 Protocol component first. If it doesn’t appear after that, then try without it, but there is a high probability that range unlocking and CIDR will not work for you (because there will be no hash:net support).

For tests, I used Keenetic Ultra (KN-1810) with the latest firmware - 2.14.C.0.0-4.

Important note. You will have to disable the native DNS server on the system, we will use dnsmasq instead. You will lose the ability to assign DNS services (Yandex.DNS/SkyDNS/AdGuard DNS) individually for clients, but you can easily use them globally through the dnsmasq settings if necessary.

1. Installing the necessary software on the router

opkg update
opkg install mc tor tor-geoip bind-dig cron dnsmasq-full ipset iptables
mc - file manager Midnight Commander. It is needed only because of the convenient mcedit editor. If you are used to another text editor, mc need not be installed.
tor - Tor service.
tor-geoip - geo-IP base for Tor.
bind-dig - DNS client (similar to nslookup and host).
cron - task scheduler.
dnsmasq-full - DNS server.
ipset and iptables - console utilities ipset and iptables (perhaps they are already in the system and are not needed; I added them to be safe).

2. Initializing ipset, creating a set of unblock IP addresses (100-ipset.sh)

Check that your router system has support for the hash:net set (as it turned out, not all Keenetic routers have it):

ipset create test hash:net
If the command gave no errors or messages, then there is support, and you can simply follow the instructions further. Otherwise (there is an error), in the following script you need to replace hash:net with hash:ip. In doing so, you will lose the ability to unblock by range and CIDR.

Create an empty address set named unblock when loading the router. To do this, create a file /opt/etc/ndm/fs.d/100-ipset.sh:

mcedit /opt/etc/ndm/fs.d/100-ipset.sh
Paste (Shift+Insert) content:

#!/bin/sh
[ "$1" != "start" ] && exit 0
ipset create unblock hash:net -exist
exit 0
To paste from clipboard, use Shift+Insert, save - F2, exit - F10.

Give execution rights:

chmod +x /opt/etc/ndm/fs.d/100-ipset.sh

3. Tor setup

Delete the contents of the Tor configuration file:

cat /dev/null > /opt/etc/tor/torrc
Open the Tor configuration file:

mcedit /opt/etc/tor/torrc
Paste (Shift+Insert) content:

User root
PidFile /opt/var/run/tor.pid
ExcludeExitNodes {RU},{UA},{AM},{KG},{BY}
StrictNodes 1
TransPort 192.168.0.1:9141
ExitRelay 0
ExitPolicy reject *:*
ExitPolicy reject6 *:*
GeoIPFile /opt/share/tor/geoip
GeoIPv6File /opt/share/tor/geoip6
DataDirectory /opt/var/lib/tor
Replace 192.168.0.1 with the internal address of your router (LAN) if necessary. Brief description of the configuration:

  • Exclude exit nodes: Russia, Ukraine, Armenia, Kyrgyzstan, Belarus.
  • Hang a "transparent" proxy at 192.168.0.1, port 9141.
  • Forbid to be an exit point.

4. List of domains (and not only) to bypass blocking (unblock.txt)

unblock.txt - a simple unblock list. You can unblock a domain, IP address, range or CIDR. One line - one element. Empty lines (including those with spaces and tabs) are ignored. You can use the # symbol at the beginning of the line to ignore.

Create a file /opt/etc/unblock.txt:

mcedit /opt/etc/unblock.txt
Each line can contain a domain name, IP address, range, or CIDR. You can use the # symbol to comment lines.

Here is an example of my personal file:

###Torrent trackers
rutracker.org
rutor.info
rutor.is
mega-tor.org
kinozal.tv
nnm-club.me
nnm-club.ws
tfile.me
tfile-home.org
tfile1.cc
megatfile.cc
megapeer.org
megapeer.ru
tapochek.net
tparser.org
tparser.me
rustorka.com
uniongang.tv
fast-torrent.ru
###Media content directories for programs
rezka.ag
hdrezka.ag
hdrezka.me
filmix.co
filmix.cc
seasonvar.ru
###Books
lib.rus.ec
flibusta.is
flibs.me
flisland.net
flibusta.site
###Telegram
telegram.org
tdesktop.com
tdesktop.org
tdesktop.info
tdesktop.net
telesco.pe
telegram.dog
telegram.me
t.me
telegra.ph
web.telegram.org
desktop.telegram.org
updates.tdesktop.com
venus.web.telegram.org
flora.web.telegram.org
vesta.web.telegram.org
pluto.web.telegram.org
aurora.web.telegram.org
149.154.160.0/20
91.108.4.0/22
91.108.8.0/22
91.108.12.0/22
91.108.16.0/22
91.108.56.0/22
109.239.140.0/24
67.198.55.0/24
###Miscellaneous
7-zip.org
edem.tv
4pna.com
2019.vote
###Tor check
check.torproject.org
###IP unlock example (remove # at the beginning of the line)
#195.82.146.214
###CIDR unlock example (remove # at the beginning of the line)
#103.21.244.0/22
###Example of unlocking by range (remove # at the beginning of the line)
#100.100.100.200-100.100.100.210

5. Script for filling the unblock set with IP addresses of a given list of domains (unblock_ipset.sh)

Create a script /opt/bin/unblock_ipset.sh:

mcedit /opt/bin/unblock_ipset.sh
Paste (Shift+Insert) content:

#!/bin/sh
# wait until local DNS resolving works (the router may still be initializing at boot)
until ADDRS=$(dig +short google.com @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # CIDR entry: add as is
  cidr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}")
  if [ ! -z "$cidr" ]; then
    ipset -exist add unblock $cidr
    continue
  fi
  # range entry: add as is
  range=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}-[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$range" ]; then
    ipset -exist add unblock $range
    continue
  fi
  # single IP address: add as is
  addr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$addr" ]; then
    ipset -exist add unblock $addr
    continue
  fi
  # otherwise it is a domain name: resolve it and add every address from the answer
  dig +short $line @localhost | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | awk '{system("ipset -exist add unblock "$1)}'
done < /opt/etc/unblock.txt
Give execution rights:

chmod +x /opt/bin/unblock_ipset.sh
The script is quite simple; here is the essence of its work. We wait until resolving of the google.com domain works (without this, the unblock set would not be filled at router boot, because the router would still be initializing). We read the lines of the unblock.txt file. Spaces and tabs at the beginning and end of each line are removed automatically. Skip empty lines. Skip lines that start with #. We look for a CIDR in the line; if found, add it to unblock. We look for a range in the line; if found, add it to unblock. We look for an IP address in the line; if found, add it to unblock. Otherwise we resolve the line through dig and add all IP addresses from the result to unblock.

6. Script for generating an additional dnsmasq configuration file from a given list of domains (unblock_dnsmasq.sh)

Create a script /opt/bin/unblock_dnsmasq.sh:

mcedit /opt/bin/unblock_dnsmasq.sh
Paste (Shift+Insert) content:

#!/bin/sh
cat /dev/null > /opt/etc/unblock.dnsmasq
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # skip anything containing an IP address (IP, range, CIDR); only domains go to dnsmasq
  echo $line | grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" && continue
  echo "ipset=/$line/unblock" >> /opt/etc/unblock.dnsmasq
done < /opt/etc/unblock.txt
Give execution rights:

chmod +x /opt/bin/unblock_dnsmasq.sh
The script is quite simple. We sequentially read the lines from /opt/etc/unblock.txt. The read lines have spaces and tabs removed automatically at the beginning and at the end. Skip empty lines. Skip lines that start with #. We skip lines that contain an IP address (IP or CIDR), i.e. we are only interested in strings with domain names. In the file /opt/etc/unblock.dnsmasq we add lines like "ipset=/domain_name/unblock". This means that after determining the IP addresses of a particular domain, they will be automatically added to the unblock set.

Be sure to run the script to generate the unblock.dnsmasq file:

unblock_dnsmasq.sh
Check that the unblock.dnsmasq file has been created:

cat /opt/etc/unblock.dnsmasq

7. Script for manual forced system update after editing the list of domains (unblock_update.sh)

Create a script /opt/bin/unblock_update.sh:

mcedit /opt/bin/unblock_update.sh
Paste (Shift+Insert) content:

#!/bin/sh
ipset flush unblock
/opt/bin/unblock_dnsmasq.sh
/opt/etc/init.d/S56dnsmasq restart
/opt/bin/unblock_ipset.sh &
Give execution rights:

chmod +x /opt/bin/unblock_update.sh

8. Script to automatically fill the unblock set when the router boots (S99unblock)

Create a script /opt/etc/init.d/S99unblock:

mcedit /opt/etc/init.d/S99unblock
Paste (Shift+Insert) content:

#!/bin/sh
[ "$1" != "start" ] && exit 0
/opt/bin/unblock_ipset.sh &
Give execution rights:

chmod +x /opt/etc/init.d/S99unblock

9. Redirecting packets with destinations from unblock to Tor (100-redirect.sh)

To do this, create a file /opt/etc/ndm/netfilter.d/100-redirect.sh:

mcedit /opt/etc/ndm/netfilter.d/100-redirect.sh
Paste (Shift+Insert) content:

#!/bin/sh
[ "$type" == "ip6tables" ] && exit 0
if [ -z "$(iptables-save 2>/dev/null | grep unblock)" ]; then
  ipset create unblock hash:net -exist
  iptables -w -t nat -A PREROUTING -i br0 -p tcp -m set --match-set unblock dst -j REDIRECT --to-port 9141
fi
exit 0
If you used hash:ip rather than hash:net in step 2, replace hash:net with hash:ip here as well. In fact, we are duplicating the creation of the unblock set from step 2. This is a safety measure for the case where the netfilter.d scripts are already running while the fs.d scripts have not started yet. It does not matter if unblock has already been created: the command will simply be ignored.

In the same file, you can add (this is optional) redirecting all requests to external port 53 to yourself. This is necessary so that clients on the local network do not use third-party DNS services. Requests will go through a regular DNS server. Before the last exit add:

if [ -z "$(iptables-save 2>/dev/null | grep "udp \-\-dport 53 \-j DNAT")" ]; then
  iptables -w -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.0.1
fi
if [ -z "$(iptables-save 2>/dev/null | grep "tcp \-\-dport 53 \-j DNAT")" ]; then
  iptables -w -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.0.1
fi
Replace 192.168.0.1 with the internal address of your router (LAN) if necessary.

Give execution rights:

chmod +x /opt/etc/ndm/netfilter.d/100-redirect.sh

10. Setting up dnsmasq and connecting an additional configuration file to dnsmasq

Delete the contents of the dnsmasq configuration file:

cat /dev/null > /opt/etc/dnsmasq.conf
Open the dnsmasq configuration file:

mcedit /opt/etc/dnsmasq.conf
Paste (Shift+Insert) content:

user=nobody
bogus-priv
no-negcache
clear-on-reload
bind-dynamic
listen-address=192.168.0.1
listen-address=127.0.0.1
min-port=4096
cache-size=1536
expand-hosts
log-async
conf-file=/opt/etc/unblock.dnsmasq
server=8.8.8.8
Replace 192.168.0.1 with the internal address of your router (LAN) if necessary.

11. Adding a task to cron to periodically update the contents of the unblock set

This is additional insurance in case programs / devices use their own resolution method, and the domain IP address has changed. All you need to do is run the unblock_ipset.sh script at the desired frequency. For example, we will run every day at 6 am.

Open the file in the editor /opt/etc/crontab:

mcedit /opt/etc/crontab
Add at the end:

00 06 * * * root /opt/bin/unblock_ipset.sh
If you wish, you can comment out all other template tasks. Here is what your crontab file will look like:

12. Disabling the regular DNS server and rebooting the router

Connect to the CLI of the Keenetic router (port 23 for Telnet and 22 for SSH if the SSH Server component is added to the system).

Run the command:

opkg dns-override
system configuration save
system reboot
The DNS server built into the firmware will be disabled, and dnsmasq from Entware will be used instead. On boot, the router checks whether the opt folder is mounted (that is, whether a flash drive or disk with Entware is present). If it is, the built-in DNS server is not used; if not, it is used. That is, after removing the flash drive and rebooting the router, everything will work as it did before the setup.

After rebooting, open the check.torproject.org website in your browser (it should be added to unblock.txt). If you did everything right, then you will see the inscription “Congratulations. This browser is configured to use Tor.":

Basic methods for diagnosing errors after setup

If the check with the site check.torproject.org (it should be added to unblock.txt) passes, but for other resources the provider's stub page still opens (or the page does not open at all), most likely the provider interferes with DNS traffic by replacing the answers, and you need to additionally bypass DNS query filtering.

If something does not work as expected after configuration, use simple commands to identify the problematic stage.

Display the contents of the unblock set:

ipset list unblock
If the system reports that there is no such set, then there is an error at step 2 or you did not enable the Netfilter module in the system (in the case of Keenetic).

If the set is empty, then the unblock_ipset.sh script did not run; it should, in turn, be launched by the S99unblock startup script. Run unblock_ipset.sh manually. If the set is then filled, the error is at step 8. If the script does not finish (most likely it is waiting for google.com to be resolved), then the error is somewhere on the DNS server side, perhaps at step 10 or 6.

Check for a redirect in iptables:

iptables-save 2>/dev/null | grep unblock
If it is not there, then the error is at step 9.

If no sites work at all, i.e. DNS is not working, the error is somewhere in step 6 or 10, perhaps in step 9.

If all sites in unblock.txt are down (timed out) but all others work, then the problem is somewhere on the Tor side: an error at step 3.

Additional bypass of ISP DNS filtering

If an ISP interferes with DNS traffic by spoofing answers for blocked resources, this is very easy to bypass. For this we will use dnscrypt-proxy. If you have the wish and the experience, you can easily replace dnscrypt with stubby (DNS over TLS).

Dnscrypt will only be used for those domains listed in unblock.txt. All other requests will go through regular DNS servers.

If you are sure that your ISP does not filter DNS requests, then this additional configuration is not necessary.

You should already have the lock bypass described above configured. The following settings are identical for Padavan and Keenetic OS.

Install additional software on the router:

opkg update
opkg install dnscrypt-proxy2
Open the dnscrypt-proxy configuration file:

mcedit /opt/etc/dnscrypt-proxy.toml
Find the listen_addresses, fallback_resolver, cache parameters and change them:

listen_addresses = ["127.0.0.1:9153"]
fallback_resolver = "77.88.8.8:1253"
cache = false
77.88.8.8:1253 is the Yandex DNS server address with a non-standard port. It is a backup in case dnscrypt-proxy has any problems.

Run dnscrypt-proxy:

/opt/etc/init.d/S09dnscrypt-proxy2 start
Make sure dnscrypt-proxy is working (you should see a list of IP addresses in response):

dig +short google.com @localhost -p 9153
Open the script in the editor /opt/bin/unblock_ipset.sh:

mcedit /opt/bin/unblock_ipset.sh
Replace content with:

#!/bin/sh
# wait until resolving through dnscrypt-proxy (port 9153) works
until ADDRS=$(dig +short google.com @localhost -p 9153) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # CIDR entry: add as is
  cidr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}")
  if [ ! -z "$cidr" ]; then
    ipset -exist add unblock $cidr
    continue
  fi
  # range entry: add as is
  range=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}-[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$range" ]; then
    ipset -exist add unblock $range
    continue
  fi
  # single IP address: add as is
  addr=$(echo $line | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
  if [ ! -z "$addr" ]; then
    ipset -exist add unblock $addr
    continue
  fi
  # otherwise it is a domain name: resolve it via dnscrypt-proxy and add every address
  dig +short $line @localhost -p 9153 | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | awk '{system("ipset -exist add unblock "$1)}'
done < /opt/etc/unblock.txt
We made a small change - now dig does not use a regular DNS server for resolving, but dnscrypt-proxy with port 9153.

Open the script in the editor /opt/bin/unblock_dnsmasq.sh:

mcedit /opt/bin/unblock_dnsmasq.sh
Replace content with:

#!/bin/sh
cat /dev/null > /opt/etc/unblock.dnsmasq
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  # skip anything containing an IP address; only domains go to dnsmasq
  echo $line | grep -Eq "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" && continue
  echo "ipset=/$line/unblock" >> /opt/etc/unblock.dnsmasq
  # resolve this domain through dnscrypt-proxy instead of the regular upstream
  echo "server=/$line/127.0.0.1#9153" >> /opt/etc/unblock.dnsmasq
done < /opt/etc/unblock.txt
We have made a small change - now, when generating the unblock.dnsmasq file, additional lines like "server=/domain_name/127.0.0.1#9153" are added. This means that resolving domains from the list will occur through dnscrypt-proxy.
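The line parsing that unblock_ipset.sh and unblock_dnsmasq.sh share (steps 5 and 6 and their dnscrypt-proxy variants above), in one stricter form, as an added example that is not part of the original article: it validates octets and prefix lengths instead of accepting any three digits, tolerates a Windows line ending, and generates the unblock.dnsmasq fragment with the optional server= line. The set name unblock and port 9153 are the article's; the helper names trim_line, classify_entry, gen_dnsmasq and list_static_entries are ours.

```shell
#!/bin/sh
# Added example, not code from the original article: a stricter checker for
# unblock.txt entries and a generator for the unblock.dnsmasq fragment.
# It keeps the article's names (set "unblock", dnscrypt-proxy on 127.0.0.1
# port 9153); the helper names below are ours.

# Octets are limited to 0-255 and prefix lengths to 0-32. The article's
# [0-9]{1,3} pattern accepts 999.1.1.1 and hands it to ipset, which rejects it.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"
PREFIX='([0-9]|[12][0-9]|3[0-2])'
# Hostname labels separated by dots, top-level label starting with a letter.
DOMAIN='([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]*'

# trim_line LINE: drop a trailing CR (file saved with Windows line endings)
# and surrounding spaces/tabs.
trim_line() {
    printf '%s' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# classify_entry LINE: prints empty, comment, cidr, range, ip, domain or invalid.
classify_entry() {
    line=$(trim_line "$1")
    if [ -z "$line" ]; then echo empty; return; fi
    case $line in '#'*) echo comment; return ;; esac
    if printf '%s\n' "$line" | grep -Eq "^$IPV4/$PREFIX$"; then echo cidr
    elif printf '%s\n' "$line" | grep -Eq "^$IPV4-$IPV4$"; then echo range
    elif printf '%s\n' "$line" | grep -Eq "^$IPV4$"; then echo ip
    elif printf '%s\n' "$line" | grep -Eq "^$DOMAIN$"; then echo domain
    else echo invalid
    fi
}

# gen_dnsmasq [PORT] < unblock.txt: one "ipset=/domain/unblock" line per
# domain entry, plus "server=/domain/127.0.0.1#PORT" when a dnscrypt-proxy
# port is given. dnsmasq applies both directives to the domain and all its
# subdomains. Invalid entries go to stderr instead of into the config.
gen_dnsmasq() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim_line "$raw")
        case $(classify_entry "$line") in
            domain)
                echo "ipset=/$line/unblock"
                if [ -n "$1" ]; then echo "server=/$line/127.0.0.1#$1"; fi
                ;;
            invalid) echo "skipping invalid entry: $line" >&2 ;;
        esac
    done
}

# list_static_entries < unblock.txt: the IP, range and CIDR entries that go
# straight into the set with "ipset -exist add unblock <entry>".
list_static_entries() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim_line "$raw")
        case $(classify_entry "$line") in
            cidr|range|ip) echo "$line" ;;
        esac
    done
}

# Demonstration on a constructed sample (not the author's file). On the router:
#   gen_dnsmasq 9153 < /opt/etc/unblock.txt > /opt/etc/unblock.dnsmasq
#   list_static_entries < /opt/etc/unblock.txt | while read -r e; do ipset -exist add unblock "$e"; done
SAMPLE='###Tor check
check.torproject.org
  t.me
149.154.160.0/20
#195.82.146.214
100.100.100.200-100.100.100.210
999.1.1.1
bad_host.example'
printf '%s\n' "$SAMPLE" | gen_dnsmasq 9153
printf '%s\n' "$SAMPLE" | list_static_entries
```

Run without the port argument to produce the plain variant from step 6; the two entries the sample flags as invalid are exactly the ones the article's regexes would let through.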

Execute unblock_update.sh:

unblock_update.sh
Done. All the complex setup is behind you. From now on you will only edit the unblock.txt list when necessary, adding or removing domains or IP addresses to unblock, and activate the changes with the unblock_update.sh command.

UPDATE 04/01/2019. Often personal messages are received on the article with typical questions. I'll answer the most common ones here.

How to make websites available in the .onion domain zone?

Add to torrc:
VirtualAddrNetwork 10.254.0.0/16
DNSPort 127.0.0.1:9053
AutomapHostsOnResolve 1
To access all domains in the onion zone, add to dnsmasq.conf:
server=/onion/127.0.0.1#9053
ipset=/onion/unblock
If you do not want to open access to all domains in the onion zone, but only to certain ones, then add the following entries to dnsmasq.conf:
server=/rutorc6mqdinc4cz.onion/127.0.0.1#9053
ipset=/rutorc6mqdinc4cz.onion/unblock
server=/nnmclub5toro7u65.onion/127.0.0.1#9053
ipset=/nnmclub5toro7u65.onion/unblock
server=/flibustahezeous3.onion/127.0.0.1#9053
ipset=/flibustahezeous3.onion/unblock

How to bypass blocking for clients of a VPN server running on a router?

In torrc, replace the TransPort line with:
TransPort 0.0.0.0:9141
Add an additional redirect with the required interface (INTERFACE - interface of the VPN network):
iptables -t nat -A PREROUTING -i INTERFACE -p tcp -m set --match-set unblock dst -j REDIRECT --to-port 9141
