Orbi LBR20 How-To / Megathread

Post by hazarjast » Tue Oct 05, 2021 8:38 pm

Klockwork77 wrote:
Tue Oct 05, 2021 6:07 pm
I'm trying to send AT command using what you posted through ssh.

Code:

cat /dev/ttyUSB2` echo -e "AT +EMGR=1,7,\"012345678911121\"\r\n" > /dev/ttyUSB2`
You can ignore the proton email I sent you about this topic if you reply here.
Sorry, just realized I wasn't getting email alerts due to a phone update. Just replied to your email :)

Post by hazarjast » Tue Oct 05, 2021 8:52 pm

Thought I would share something useful/fun that I thought I shared before but don't see it posted here so guess it slipped my mind. Netgear has a ~1400 line shell script which the LBR20 uses as a wrapper for some of the raw AT commands it issues to the modem. The script is 'mbctrl.sh' and can be called simply as that without full path since it is in '/usr/sbin'. Usage is below:

Code:

/usr/sbin/mbctrl.sh: is a simple tool
        --get-revision                  get the mobile FW version
        --get-sim-status                get the mobile sim status
        --get-network-registration      get the mobile network registration
        --get-signal-strength           get the mobile signal strength
        --pin-verify pincode            sim pin code verify
        --puk-verify puk                sim puk code verify
        power-on                        lte power on
        power-off                       lte power off
        --set-hot-swap                  set hot swap pin in high level
        --get-iccid                     get sim iccid
        --hot-swap-status               get hot swap status
        --software-restart              software restart the module
        --show-message                  show sim card msg
        --get-adv-info                  get adv_info
        --get-support-operator          get network available operator
        --get-current-operator          get current network operator
        --set-operator-selection        set operator selections
        --def                           factory default the module
        --get-imei                      get lte module imei
        --get-imsi                      get sim card imsi
        --get-roamstate                 get lte module roam setup
        --set-roamstate                 setup lte module roam on off
        --get-pin-mode                  get sim card in lock or unlock mode
        --set-pin-mode                  set sim card in lock or unlock mode
        --get-pinpuk-count <get pin|puk>get pin or puk less verify count
        --change-passwd                 change pin code when pin mode is lock
        --set-mbscanmode                set lte module scan network mode lte wcdma umts...
        --del-sms                       del the sms through index save in lte module
        --get-sim-number                get the sim card own phone number
        --get-pa-temp                   get the lte module pa temperature
        --get-band-freq                 get LTE band and frequency
        --eg18-upgrade  <file path>     do the eg18 upgrade
        --get-current-roaming           get current module is in roaming status or not

        option:
                get  item               output the item
Obviously one should wield this script carefully since it can really bork up your modem if you don't know what the commands you are calling actually do. But in the same vein, it can help create pretty useful one-liners that otherwise would be longer/uglier to issue through raw AT calls. An example I whipped up tonight at an LBR20 owner's request refreshes band/signal details every 10 seconds in an SSH terminal session to help with external antenna aiming and/or unit placement if you're not using external, directional antennas:

Code:

while true; do date ; mbctrl.sh --get-adv-info ; sleep 10 ; clear ; done
Just swap out 'sleep 10' above with whatever interval you want it refreshed at ('sleep 5' for 5 second refreshes, etc.) and use 'CTRL+C' to break out of it when you're done. The output looks like the following which is also nicely formatted/interpreted for you:

Code:

Tue Oct  5 21:18:13 GMT 2021
{
        psservice:      1
        pdp_addr:       xxx.xxx.xxx.xxx
        networkselectmode:      "FDD LTE"
        plmn:   "xxxxxx"
        radioband:      "LTE BAND 66"
        channelid:      xxxxx
        state:  "NOCONN"
        mcc:    xxx
        mnc:    xxx
        cellid: xxx
        lac:    XXXX
        rsrp:   -85
        rsrq:   -9
        rssi:   -56
        sinr:   20
        cqi:    -
        rscp:
        ecio:
}
In case you already guessed, this is the same info that is used by the 'Connection Info' page in the web interface but checking in over SSH allows for a cleaner/faster way of accessing with the bonus of not having to worry about web session timeout.

Post by am888 » Wed Oct 06, 2021 7:22 am

Nice find!

Post by little-endian » Thu Oct 07, 2021 8:13 am

@hazarjast: Thanks a lot for your elaborate reply.
hazarjast wrote:
Tue Oct 05, 2021 1:07 pm
'AT+QCAINFO?' can give you band info but it is specifically used for showing info about carrier aggregation status. I think mostly Netgear and folks interactively querying the modem are using 'AT+QENG="servingcell"' to check the currently connected cell and its associated band info.
Hmm, however, the command

Code:

echo -ne "AT+QENG=\"servingcell\"\r\n" | microcom -X -t 1000 /dev/ttyUSB2
only gives me the main band I'm connected to whereas the QCAINFO variant shows the pcc and the scc(s).
hazarjast wrote:
Tue Oct 05, 2021 1:07 pm
As mentioned in the previous point 'AT+QCAINFO' will give you the last reported carrier aggregation status of the modem, which is not necessarily the same as the current connected cell and band info (i.e. 'AT+QENG="servingcell"').
Good hint which however raises the question for me, whether the QCAINFO's report is then somewhat delayed or based on some outdated CA status in general.
hazarjast wrote:
Tue Oct 05, 2021 1:07 pm
Cell locking is definitely not reboot persistent so either there is a specific bug with B1 locking in the Quectel firmware you are on, or (more likely) the firmware algorithm, which is mostly based on preferring the strongest signal available, has preferred B1 even after the lock was removed.
Well, the potentially strongest band in my case is the 20 around 800 MHz which of course compared to the others (B1, B3, B7) tends to have the higher chances to reach the antennas, given the same distance.
hazarjast wrote:
Tue Oct 05, 2021 1:07 pm
However, if you put the time in and are able to successfully configure the LBR20 for split-tunnel VPN routing, I'm certain more than a few other LBR20 owners would be indebted to you for posting your configuration detail/tutorial for the same :)
From a purely technical and functional point of view, I already partly succeeded because what works for instance is to only direct the traffic via the established OpenVPN-connection for certain hosts. That, one can achieve by setting up the connection according to the guide included by the Voxel firmware, adding --pull-filter ignore redirect-gateway to the .ovpn config file in order not to have the default routes for the main routing table and adding the following manually:

ip route add 0.0.0.0/0 dev tun21 table <any name or id>
ip rule add from 192.168.1.2/32 table <any name or id>

That for example will have the traffic going through the VPN only for the host 192.168.1.2 and none else.

While this works technically, it isn't exactly "waterproof" to run an unencrypted guest wifi as users could assign other IP addresses manually and go directly via the ISP again.

Although it seems to be a decent approach according to several guides, I fail to have the traffic directed for a certain interface, such as

ip rule add iif wifi2 table <any name or id>

I tried iif for incoming, oif for outgoing, wifi0, wifi1, ath02, ath12, ath21 (the latter show up in conjunction with the guest wifi ssid under /etc/config/wireless so I thought it might be suitable to use one of those), but to no avail, this doesn't seem to have any effect at all. So I am a bit lost on how to grab on that damn guest wifi which somehow has to be distinguished on an interface level, given the fact that it is isolated from the other out of the box and hence not just a second ssid terminating at the same AP.

Another (in relation rather minor) thing seems to be that DNS doesn't work when the VPN is running (having to assign one manually at the client side) for whatever reason.
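
Added example, not part of the post above: ath02, ath12 and ath21 appear to be bridge ports, in which case the routing layer sees the bridge rather than the wireless port as the incoming interface, and an iif rule on the port never matches. This sketch marks frames per ingress port with ebtables and routes on the mark, so a manually assigned source address no longer changes the route. It assumes the firmware's ebtables has the mark target and that tun21 is the VPN device; the id 30 is arbitrary, and guest_vpn_rules, run and DRY_RUN are names made up here.

```shell
#!/bin/sh
# Added example, not from the thread: route by ingress bridge port, not source IP.
# Assumptions: ath02/ath12/ath21 are the guest ports named in the post, tun21 is
# the OpenVPN device, and this firmware's ebtables provides the "mark" target.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# guest_vpn_rules "<guest ports>" <numeric mark/table id> <vpn device>
guest_vpn_rules() {
    ports="$1"; id="$2"; vpn="$3"
    case "$id" in
        ''|*[!0-9]*) echo "id must be numeric" >&2; return 1 ;;
    esac
    [ -n "$ports" ] && [ -n "$vpn" ] || { echo "ports and vpn device required" >&2; return 1; }

    for port in $ports; do
        # Tag every frame entering the bridge on a guest port, then keep processing
        run ebtables -t nat -A PREROUTING -i "$port" -j mark --mark-set "$id" --mark-target CONTINUE
    done
    # The mark stays on the packet when it reaches the IP layer and selects the table
    run ip rule add fwmark "$id" table "$id"
    run ip route add 0.0.0.0/0 dev "$vpn" table "$id"
}

guest_vpn_rules "ath02 ath12 ath21" 30 tun21
```

With the default DRY_RUN=1 the script only prints the five commands, so they can be reviewed before running it with DRY_RUN=0 on the router.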

Post by am888 » Thu Oct 07, 2021 6:00 pm

You may find a solution to DNS issues by searching "DNS leaks openvpn". Maybe you can point your traffic to the VPN's DNS server instead of the provider's. This is just a hint, not sure if it will work...

*script-security 2* addition to ovpn config file - and reloading resolv.conf
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Bear in mind file paths are crazy on LBR...

Maybe something along these lines
https://github.com/alfredopalhares/open ... esolv-conf

Post by little-endian » Sun Oct 10, 2021 7:24 am

Thanks for pointing me into that direction. I've tested it again and strangely, this time the DNS resolving worked via the VPN route, although I didn't change the DNS settings (still manually pointed to three different ones in the regular internet connection GUI setup).

Adding the up/down commands in the ovpn config file doesn't seem to work, however I discovered that the voxel firmware already comes with such scripts under /etc/openvpn

So I added the following lines to the ovpnclient-up.sh there and this works, also after a reboot:

ip route add 0.0.0.0/0 dev tun21 table 30
ip rule add from 192.168.1.128/25 table 30

Major issues with that setup: Although clients which for instance get assigned addresses 192.168.1.129 and up through the guest wifi SSID run fine via the VPN, they could easily get assigned different ones manually of course as mentioned before. So not really safe yet to run an unencrypted guest wifi this way.

Even worse, when connected to the guest network, I still see other devices' MAC addresses on a LAN scan, so it seems that although IP traffic is filtered on a transparent L3 kinda level, it still mirrors the broadcasting stuff between the networks. However, there I am not knowledgeable enough yet when it comes to ebtables' functions so maybe someone can shed some light on how well the Netgear guys implemented this. At least they set the following on the LBR20 by default:

root@LBR20:/etc/openvpn# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! echo-request -j ACCEPT
-i ath02 -j GUEST_IN
-i ath12 -j GUEST_IN
-i ath21 -j GUEST_IN

Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-i ath02 -j GUEST_FWD_IN
-o ath02 -j GUEST_FWD_OUT
-i ath12 -j GUEST_FWD_IN
-o ath12 -j GUEST_FWD_OUT
-i ath21 -j GUEST_FWD_IN
-o ath21 -j GUEST_FWD_OUT
-d BGA -i ath01 -j DROP
-d BGA -o ath01 -j DROP
-d BGA -i ath11 -j DROP
-d BGA -o ath11 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: GUEST_IN, entries: 11, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02:3033:410:6041::/ffff:ffff:ffff:ffff:: -j DROP

Bridge chain: GUEST_FWD_IN, entries: 15, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02:3033:410:6041::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv6 --ip6-dst ff00::/ff00:: -j DROP
-d Multicast -j DROP

Bridge chain: GUEST_FWD_OUT, entries: 15, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-sport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 53 -j ACCEPT
-p IPv6 --ip6-proto udp --ip6-dport 546:547 -j ACCEPT
-p IPv4 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-src 192.168.1.0/24 -j DROP
-p IPv6 --ip6-dst fe80::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv6 --ip6-dst 2a02:3033:410:6041::/ffff:ffff:ffff:ffff:: -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv6 --ip6-dst ff00::/ff00:: -j DROP
-d Multicast -j DROP
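
Added example, not part of the post above: a small audit helper that reads `ebtables -L` text and lists what a chain accepts before its first DROP rule. Run against the guest chains in the listing, it shows ARP accepted ahead of the subnet drops, which is consistent with LAN MAC addresses being visible from the guest network. The function names and the abbreviated sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Input: `ebtables -L` output on stdin.

# accepted_before_drop <chain>: print the match part of every ACCEPT rule
# that sits above the first DROP rule of the named chain, one per line.
accepted_before_drop() {
    awk -v chain="$1" '
        /^Bridge chain: / {
            name = $3; sub(/,$/, "", name)        # "GUEST_FWD_IN," -> "GUEST_FWD_IN"
            in_chain = (name == chain); seen_drop = 0
            next
        }
        !in_chain || seen_drop || NF == 0 { next }
        $NF == "DROP" { seen_drop = 1; next }     # everything below is after the drops
        $NF == "ACCEPT" {
            line = $0
            sub(/ *-j ACCEPT$/, "", line)
            print line
        }
    '
}

# arp_forwarded <chain>: succeeds when plain ARP is accepted ahead of the DROP
# rules, i.e. ARP requests and replies cross between guest and LAN ports.
arp_forwarded() {
    accepted_before_drop "$1" | grep -qx -- '-p ARP'
}

# Constructed sample: GUEST_FWD_IN abbreviated from the listing in the post
SAMPLE='Bridge table: filter

Bridge chain: GUEST_FWD_IN, entries: 6, policy: RETURN
-p ARP -j ACCEPT
-p 0x8035 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 --ip-proto udp --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP
-d Multicast -j DROP'

printf '%s\n' "$SAMPLE" | accepted_before_drop GUEST_FWD_IN
```

On the router the same functions can be fed live data, for example `ebtables -L | accepted_before_drop GUEST_FWD_OUT`.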

Post by am888 » Sun Oct 10, 2021 1:55 pm

Orbi doesn't really do a true VLAN network segmentation. That's just a different price category altogether I suppose. I guess Voxel could try & address it like openwrt but I think we're lucky to have what we do with it the way nvram handles everything.

https://community.netgear.com/t5/Orbi/B ... -p/1808711

Post by little-endian » Sun Oct 10, 2021 3:09 pm

Yeah, unfortunately it looks like that. While I can't get rid of the impression that most of such missing features are rather caused by suboptimal software than hardware constraints, maybe one eventually simply also pays for exactly that kind of better software when buying more expensive devices.

On the other hand, even when willing to spend more, it would still be a challenge to get the modem functionality of an LBR20 (the comparably performant Huawei B818 is even worse when it comes to routing features) so it would again mean several devices and more power consumption, sigh.

Well, maybe Voxel has an idea here. I would already be glad if one could somehow set the routing based on the interface rather than the subnet, something which should work via the iif / oif condition checks.

Post by PunyGod » Mon Oct 18, 2021 2:05 am

I think my connection is more stable, and download speed increases when I use my directional 2x2 MIMO external antenna, however my upload speed is cut in half.

I think this is happening because the Orbi has 4x4, but when it detects an external antenna it switches to only 2x2... (I actually have a decent signal here even without an external antenna, my previous location required them.)

Is there a way I can make it use 4x4? Like use the two external antennas and two internal antennas at the same time? I want the download speed I get with external without having lower upload speeds.

I considered opening it up and getting adapters and two more external antennas to make it 4x4 external but I think even if I do that it will still disable the two that it thinks are internal.
