How to Download and Upload Custom Script Firmware in UBNT AirOS 5 and AirOS 6


I would like to share how to lock a MAC address on the LAN port and block other unwanted user traffic. Why do that? I maintain a wireless network where all stations are in bridge mode and users receive a public IP address from a "central" DHCP server. Sometimes we have difficulties when users connect a switch with multiple PCs, or some unwanted devices, to the LAN port of a station. They use up a lot of our public IP addresses. The second problem was users who accidentally connect a CPE by its LAN port, so that its DHCP server starts to deliver IP addresses to other users.

 

I solved this problem with a custom script. I asked a lot on the forum but nobody gave me the right solution (I don't understand UBNT support, but never mind...).

 

First connect to your station - use SSH

 

Then type

 

vi /etc/persistent/rc.poststart

 

Press the letter i (to insert text).

 

Copy the following (first replace xx:xx:xx:xx:xx:xx with the MAC address you would like to lock on the LAN port):

 

ebtables -F FORWARD

ebtables -A FORWARD -s xx:xx:xx:xx:xx:xx -i eth0 -j ACCEPT

ebtables -A FORWARD -i eth0 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --out-interface ath0 --ip-proto udp --ip-dport 68 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-src 172.16.0.0/12 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-dst 172.16.0.0/12 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-src 192.168.0.0/16 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-dst 192.168.0.0/16 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-src 169.254.0.0/16 -j DROP

ebtables -t filter -A FORWARD -p IPv4 --ip-dst 169.254.0.0/16 -j DROP

ebtables -t filter -A FORWARD -j FIREWALL

 

Then paste it into the editor. Next, press Escape, type :wq! and press ENTER. You should be back at the prompt where you started. Type save (in lowercase letters) and then reboot.

 

You should see something like this:

XM.v5.6.3# save

Found  Active on[1] ...

Found Backup1 on[2] ...

Storing Active[2] ... [%100]

Active->Backup[1] ... [%100]

 

XM.v5.6.3#reboot

 

After the reboot you can check whether the rules were inserted into ebtables. Type:

 

ebtables -L

 

You should see something like this:

XM.v5.6.3# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL

Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-s aa:bb:c:cc:e5:a1 -i eth0 -j ACCEPT
-i eth0 -j DROP
-p IPv4 -o ath0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 --ip-src 172.16.0.0/12 -j DROP
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
-p IPv4 --ip-src 192.168.0.0/16 -j DROP
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
-p IPv4 --ip-src 169.254.0.0/16 -j DROP
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
-j FIREWALL

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: FIREWALL, entries: 0, policy: ACCEPT
XM.v5.6.3#

 

You can also check whether the access list works as you expect. To check the counters, type:

 

ebtables -L --Lc

 

XM.v5.6.3# ebtables -L --Lc
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL, pcnt = 1816356 -- bcnt = 106872059

Bridge chain: FORWARD, entries: 10, policy: ACCEPT
-s aa:bb:c:cc:e5:a1 -i eth0 -j ACCEPT , pcnt = 222989 -- bcnt = 33630440
-i eth0 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 -o ath0 --ip-proto udp --ip-dport 68 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 172.16.0.0/12 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.0.0/16 -j DROP , pcnt = 809 -- bcnt = 37232
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 169.254.0.0/16 -j DROP , pcnt = 40 -- bcnt = 4089
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP , pcnt = 0 -- bcnt = 0
-j FIREWALL, pcnt = 2123462 -- bcnt = 436597110

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: FIREWALL, entries: 0, policy: ACCEPT
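
An added example, not part of the original post: a shell check for a workstation that reads a saved "ebtables -L --Lc" listing, confirms that the lock rules are the first two FORWARD rules, and lists the DROP rules that have matched traffic. The sample listing and its MAC are constructed; comparing octets without leading zeros is an assumption based on the "c" octet in the output above.

```shell
# Added example: audit an "ebtables -L --Lc" listing read on stdin.
# Constructed sample listing; the MAC is a placeholder.
sample_listing() {
cat <<'EOF'
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j FIREWALL , pcnt = 18 -- bcnt = 1068
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-s 0:11:22:c:44:55 -i eth0 -j ACCEPT , pcnt = 2229 -- bcnt = 336304
-i eth0 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.0.0/16 -j DROP , pcnt = 809 -- bcnt = 37232
-j FIREWALL , pcnt = 2123 -- bcnt = 436597

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
EOF
}

# Print only the rule lines of the FORWARD chain.
forward_rules() {
    awk '/^Bridge chain:/ { f = ($3 == "FORWARD,"); next } f && NF'
}

# Succeed only if rule 1 accepts MAC $1 on eth0 and rule 2 drops all other
# eth0 frames. Octets are compared without leading zeros.
check_lock() {
    forward_rules | awk -v want="$1" '
        function norm(m,  a, n, i, out) {
            n = split(tolower(m), a, ":")
            for (i = 1; i <= n; i++) {
                sub(/^0+/, "", a[i]); if (a[i] == "") a[i] = "0"
                out = out (i > 1 ? ":" : "") a[i]
            }
            return out
        }
        { sub(/ *, pcnt.*/, "") }   # strip counters, compare by field
        NR == 1 { ok1 = (NF == 6 && norm($2) == norm(want) &&
                  ($1 " " $3 " " $4 " " $5 " " $6) == "-s -i eth0 -j ACCEPT") }
        NR == 2 { ok2 = (NF == 4 && $0 ~ /^-i eth0 -j DROP *$/) }
        END { exit !(ok1 && ok2) }'
}

# List FORWARD DROP rules with a non-zero packet counter: "count<TAB>rule".
drop_hits() {
    forward_rules | awk '/-j DROP/ && match($0, /pcnt = [0-9]+/) {
        n = substr($0, RSTART + 7, RLENGTH - 7) + 0
        if (n > 0) { sub(/ *, pcnt.*/, ""); print n "\t" $0 }
    }'
}

sample_listing | check_lock 00:11:22:0C:44:55 && echo "LAN lock in place"
sample_listing | drop_hits
```

To audit a real station, save the output of ebtables -L --Lc to a file and feed that file to check_lock and drop_hits on stdin.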

 

I hope this helps someone.

I would like to invite others to share some useful scripts as well.

 

Credit : Boris

 

_____________________________________________________________________________


You can find airOS M builds that support custom (rc) scripts here. Moving forward, all builds with "cs" in the name (custom script) will have support for custom scripts. If using a previous build with -CS support, you can upgrade via the Check for update function and maintain -CS support.

Custom scripts allow for users to add functionality to airOS, but also allow for persistence of malicious software. "cs" versions of airOS should be considered slightly less secure vs non-cs releases found on https://download.ubnt.com.
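
An added example, not from the original announcement: a shell audit, run on a workstation against a copy of a station's /etc/persistent directory, that reports every rc script line that is not a comment or a plain ebtables FORWARD rule of the kind shown earlier on this page. The rc.* file pattern, the allowlist and the demo file (including the unknown_helper name) are assumptions made for illustration.

```shell
# Added example: review persistent rc scripts for lines that do not belong.
# Print "file:line: text" for every unexpected line under directory $1.
audit_rc() {
    dir=${1:-/etc/persistent}
    for f in "$dir"/rc.*; do
        [ -f "$f" ] || continue
        awk -v name="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank
            /^[ \t]*ebtables( -t filter)? -(A|F) FORWARD( |$)/ &&
                !/[;&|`$<>()]/ { next }                  # plain ebtables rule
            { print name ":" NR ": " $0 }' "$f"
    done
}

# Constructed demo: rules from this page plus one line that needs review.
demo() {
    d=$(mktemp -d)
    cat > "$d/rc.poststart" <<'EOF'
#!/bin/sh
ebtables -F FORWARD
ebtables -A FORWARD -s 00:11:22:0c:44:55 -i eth0 -j ACCEPT
ebtables -A FORWARD -i eth0 -j DROP
ebtables -t filter -A FORWARD -p IPv4 --ip-src 192.168.0.0/16 -j DROP
ebtables -t filter -A FORWARD -j FIREWALL
/etc/persistent/unknown_helper &
EOF
    audit_rc "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

demo
```

A reported line is not proof of compromise, only something that was not part of the expected rule set and should be explained before the station is trusted.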

6.3.2

TI.v6.3.2-cs.33267.200715.1557.bin

XM.v6.3.2-cs.33267.200715.1657.bin

XW.v6.3.2-cs.33267.200715.1627.bin

You can find airMAX AC custom script builds HERE.

Previous Versions:

6.3.0

TI.v6.3.0-cs.33226.200428.1749.bin

XM.v6.3.0-cs.33226.200428.1849.bin

XW.v6.3.0-cs.33226.200428.1819.bin

6.2.0

TI.v6.2.0-cs.33033.190703.1047.bin

XM.v6.2.0-cs.33033.190703.1147.bin

XW.v6.2.0-cs.33033.190703.1117.bin

6.1.12

TI.v6.1.12-cs.33003.190523.1224.bin

XM.v6.1.12-cs.33003.190523.1323.bin

XW.v6.1.12-cs.33003.190523.1253.bin

 6.1.11: 

TI.v6.1.11-cs.32949.190328.1056.bin

XM.v6.1.11-cs.32949.190328.1126.bin

XW.v6.1.11-cs.32949.190328.1111.bin

 6.1.9: 

TI.v6.1.9-cs.32918.190108.1723.bin

XM.v6.1.9-cs.32918.190108.1752.bin

XW.v6.1.9-cs.32918.190108.1737.bin

 6.1.8: 

TI.v6.1.8-cs.32774.180921.1503.bin

XM.v6.1.8-cs.32774.180921.1533.bin

XW.v6.1.8-cs.32774.180921.1518.bin

 6.1.7: 

TI.v6.1.7-cs.32555.180523.1740.bin

XM.v6.1.7-cs.32555.180523.1809.bin

XW.v6.1.7-cs.32555.180523.1754.bin

 6.1.6: 

TI.v6.1.6-cs.32290.180307.1621.bin

XM.v6.1.6-cs.32290.180307.1650.bin

XW.v6.1.6-cs.32290.180307.1635.bin

 6.1.4: 

TI.v6.1.4-cs.32113.180112.0903.bin

XM.v6.1.4-cs.32113.180112.0932.bin

XW.v6.1.4-cs.32113.180112.0918.bin

 6.1.3: 

TI.v6.1.3-cs.31939.171117.1209.bin

XM.v6.1.3-cs.31939.171117.1238.bin

XW.v6.1.3-cs.31939.171117.1223.bin

 6.1.2: 

TI.v6.1.2-cs.31825.171017.1618.bin

XM.v6.1.2-cs.31825.171017.1648.bin

XW.v6.1.2-cs.31825.171017.1633.bin

6.1.1:

TI.v6.1.1-cs.31776.171010.0919.bin

XM.v6.1.1-cs.31776.171010.0940.bin

XW.v6.1.1-cs.31776.171006.1138.bin

6.1.0:

XW.v6.1.0-cs.31741.170929.1213.bin

 

6.0.7: 

TI.v6.0.7-cs.31601.170908.1216.bin

XM.v6.0.7-cs.31601.170908.1247.bin

XW.v6.0.7-cs.31601.170908.1232.bin

6.0.4 

TI.v6.0.4-cs.30805.170505.1456.bin

XM.v6.0.4-cs.30805.170505.1525.bin

XW.v6.0.4-cs.30805.170505.1510.bin

 

 

 

5.6.15 

TI.v5.6.15-cs.30572.170328.1038.bin

XM.v5.6.15-cs.30572.170328.1107.bin

XM.v5.6.15-cpu400-cs.30572.170328.1107.bin

XW.v5.6.15-cs.30572.170328.1052.bin

 

 

6.0.3

TI.v6.0.3-cs.30600.170329.1803.bin

XM.v6.0.3-cs.30600.170329.1831.bin

XW.v6.0.3-cs.30600.170329.1817.bin

 

6.0.2

TI.v6.0.2-cs.30552.170327.1921.bin

XM.v6.0.2-cs.30552.170327.1950.bin

XW.v6.0.2-cs.30552.170327.1935.bin

 

 6.0.1

https://dl.ubnt.com/custom/XW.v6.0.1-cs.30382.170317.1751.bin

https://dl.ubnt.com/custom/TI.v6.0.1-cs.30382.170317.1737.bin

https://dl.ubnt.com/custom/XM.v6.0.1-cs.30382.170317.1806.bin

https://dl.ubnt.com/custom/XM.v6.0.1-cpu400-cs.30382.170317.1806.bin

   

 6.0

https://dl.ubnt.com/XN-fw-internal/v6.0/TI.v6.0-cs.30097.161219.1655.bin

https://dl.ubnt.com/XN-fw-internal/v6.0/XW.v6.0-cs.30097.161219.1705.bin

https://dl.ubnt.com/XN-fw-internal/v6.0/XM.v6.0-cs.30097.161219.1716.bin

 

5.6.9

https://dl.ubnt.com/XN-fw-internal/v5.6.9/TI.v5.6.9-cs.29546.160819.1135.bin

https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cpu400-cs.29546.160819.1157.bin

https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cpu400.29546.160819.1157.bin

https://dl.ubnt.com/XN-fw-internal/v5.6.9/XM.v5.6.9-cs.29546.160819.1157.bin

https://dl.ubnt.com/XN-fw-internal/v5.6.9/XW.v5.6.9-cs.29546.160819.1146.bin

 

5.6.8

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/TI.v5.6.8-cs.29413.160715.1551.bin

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XM.v5.6.8-cpu400-cs.29413.160715.1613.bin

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XW.v5.6.8-cs.29413.160715.1602.bin

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.8/XM.v5.6.8-cs.29413.160715.1613.bin

Signed Versions of previous releases 5.6.15/6.0.3/6.0.4 w/ CS support HERE
