Setting up Netgear R7800 (Nighthawk X4S) with OpenWRT

Product Pages

• https://www.netgear.com/support/product/R7800
• https://kb.netgear.com/30180/R7800-FAQs

Connections

1. Connect to laptop with ethernet - use internal lan port
2. Power up the router
3. Reconfigure ethernet network on the laptop to use DHCP - should get a 192.168.1.x address
4. Factory Netgear firmware is set up to listen on http://192.168.1.1

The factory firmware will require you to set up a password and some security questions. You just need to be able to get to the firmware update page so a secure/complex password isn't really necessary.

Firmware Install

1. Following the Factory Install guide.
2. Pages for R7800 on OpenWRT

• Hardware data
• Table of Hardware page for looking up supported releases

If you are looking for newer releases of the firmware to upgrade, the target arch is ipq806x/generic. The release I used was:

http://downloads.openwrt.org/releases/18.06.1/targets/ipq806x/generic/

And I downloaded the R7800-squashfs-factory.img file. Look at the Supplementary Files section at the bottom for sha256 sums.

Sysupgrade.bin and TFTP recovery

After two months of running the OpenWRT firmware, I tried using the upgrade instructions to upgrade from 17.04 to 18.06. However I ran into the power led blinking after the reboot. 192.168.1.1 was pingable but the LEDE web UI would not load. It was like that for several minutes. It turned out this was a recovery state of the router due to a failed firmware upgrade. By running a TFTP upload with the -squashfs-factory.img file, it was possible to get the router functional again.

$ tftp 192.168.1.1
tftp> binary
tftp> put openwrt.img
Sent 8257665 bytes in 1.6 seconds

The router immediately rebooted after the TFTP upload was done.

Upgrading from 18.06.1 to 18.06.2

Attempting to use the -squashfs-sysupgrade.bin here:

http://downloads.openwrt.org/releases/18.06.2/targets/ipq806x/generic/

Verified the integrity of the downloaded firmware with gpg. First downloaded a backup of the settings on the System -> Backup / Flash Firmware page.

Then uploaded the upgrade firmware. I checked off the "Keep settings" box, assuming that since we're only doing a minor revision bump, the settings should be compatible across versions.

During the process - the power LED went to solid orange, then white blinking, then solid white. Success!

Pinging the router during the upgrade process let me know it came back on the same IP. However I couldn't log in with https, I had to use http://<router_ip> to use the web UI. BUT logging in wouldn't work?

I could log in via ssh though - after doing so I went through the process for installing openssl support of the web UI:

opkg update
opkg install luci-ssl-openssl
/etc/init.d/uhttpd restart

Then I was able to use https://<router_ip> to log in.

Because I was using the root password (unsuccessfully) on a web form thru an insecure http connection, I changed the root pw to a new one with the passwd command.

I did have to go over to "System -> Startup" and disable dnsmasq and firewall again. Other customizations in this doc appeared to have survived the upgrade.

Setup

I have a different box connected to the internet, so I just want a "dumb AP" setup for the R7800:

• no firewall
• no dhcp

Password setup

When the R7800 first boots after installing the OpenWRT firmware it will have a login page - log in with the user root and no password.

Then you can go to the password setup page and add a password for root. Log out and back in again to confirm that the password works.

Network Interface

This page is a good starting point. In the 17.01.4 release for the R7800 the LAN and the wireless radios are already set up in a bridge, so no additional work is needed for that part of the article.

1. Edit the LAN interface of the R7800. "Network -> Interfaces" menu; then click the "Edit" button of the LAN section.
2. Assign a static IP to the LAN interface. Choose one outside of the DHCP range set up on the main router.

• set "IPv4 gateway" to the main router's IP
• set "Use custom DNS Servers" to the main router's IP too - this is so the R7800 can access the internet for NTP

1. At the bottom of the edit page, check off "Disable DHCP for this interface".

• Then select the IPv6 Settings tab, and set all of the following to disabled:
  • Router Advertisement-Service
  • DHCPv6-Service
  • NDP-Proxy

After saving these changes, the R7800 is now on a different IP and network. However as of the 18.06 version it will try to confirm the changes after waiting 30 seconds in the browser. This will fail since the UI is listening on the new IP, so it will revert to the old IP and display a message to retry the changes. Use the "Apply Unchecked config" option to re-do the changes so they don't revert.

When the interface IP is updated, you'll need to reconfigure your laptop's network to be able to connect to the R7800.

The Dumb AP document specifies that you have to disable multicast snooping, but in the 18.06.1 firmware out-of-the-box already has this set to 0.

root@LEDE:~# cat /sys/devices/virtual/net/br-lan/bridge/multicast_snooping
0

Firewall and dnsmasq

Disable these services so they don't run.

1. "System -> Startup"
2. For each of firewall and dnsmasq in the listing:

• Click the "Enabled" button so it shows "Disabled"
• Click the "Stop" button to stop the running instance of the service
• Click "Submit" at the bottom of the page

Wireless setup

These can be found under "Network -> Wireless".

For both radios:

• Under "Device Configuration -> Advanced Settings", change country code to "CA"
• "Device Configuration -> General Setup"
  • 802.11nac radio: Mode AC, Channel 36, Width 80 MHz
  • 802.11bgn radio: Mode N, Channel 7 , Width 20 MHz
• "Interface Configuration -> General Setup" tab:
  • Set up the ESSID; Mode is "Access Point"
• "Interface Configuration -> Wireless Security" tab:
  • Encryption: WPA2-PSK; Cipher is "auto"; key is a secret!
  • Enable KRACK protection on session auto-renegotiation

See also the OpenWRT doc on wifi setup.

Securing LuCI

The web UI for managing the R7800 runs via http only, so it's rather insecure. You should set up https instead - for the purpose of a home router a self-signed certificate for https better than no encryption.

Use ssh to connect to the router using root as the username, and the password you set up initially. The opkg command is used for managing package installation.

opkg update
opkg install luci-ssl-openssl

The luci-ssl-openssl package pulls in other dependencies for the webserver (uhttpd) to support TLS. This forum posting gave a quick overview of the setup.

After installing the package, it generates a private key and certificate for use by uhttpd. Restarting the service afterward Just Worked, because uhttpd was configured out-of-the-box for TLS. Now requests to the http port are redirected to the https port.

/etc/init.d/uhttpd restart

More information on configuring uhttpd is here.

Backing up configuration

"System -> Backup / Flash Firmware" allows you to download an archive of the configuration you worked so hard on. Once you're done setting up the R7800 creating a backup of this configuration would be helpful for future upgrades.

However the sysupgrade documentation says that it's probably a good idea to start over again from defaults for new major releases, so saving the backups might only be useful for reference.

Final Setup

Replace the old wireless router with the R7800. Before disconnecting the old router, change the SSID and password to some nonsense values.

System Info

Hostname	OpenWrt
Model	Netgear Nighthawk X4S R7800
Architecture	ARMv7 Processor rev 0 (v7l)
Firmware Version	OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)
Kernel Version	4.14.95