2 routers + WireGuard + PBR + PPPoE

Hi folks.
I'm configuring my router and digging into that issue further.

7) Get rid of (block) these "broadcast messages" from Router 1 (the ISP's FritzBox)
Can anybody help me with firewall rule creation, please? I'd like to block these broadcast messages from the FritzBox.

tcpdump -i lan5 -c 100 'ether broadcast' -vvvv
tcpdump: listening on lan5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:30:12.539633 dc:39:6f:25:f5:ee (oui Unknown) > Broadcast, ethertype Unknown (0x88e1), length 60: 
        0x0000:  0000 a000 b052 1ca2 fbb6 0000 0000 0000  .....R..........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
14:30:12.539673 dc:39:6f:25:f5:ee (oui Unknown) > Broadcast, ethertype Unknown (0x8912), length 60: 
        0x0000:  0170 a000 0000 1f84 a2a3 97a2 5553 bef1  .p..........US..
        0x0010:  fcf9 796b 5214 13e9 e200 0000 0000 0000  ..ykR...........
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

From what I understood, firewall4 can't help me. I even tried to allow TCP/UDP/ICMP and block everything after this rule, but it didn't help.
Next to that, I tried to implement this rule for nftables:

table netdev filter {
    chain ingress {
        type filter hook ingress device lan5 priority 0; policy accept;
        meta protocol {0x8912, 0x88e1} drop
    }
}

but I can't understand where and how to use that rule properly in the case of OpenWrt.
I added a new rule to /etc/config/firewall:

config include
	option	type		'nftables'
	option	path		'/etc/my_custom_firewall_rules.nft'
	option	position	'chain-pre'
	option	chain	'drop_to_wan'

In the file /etc/my_custom_firewall_rules.nft I added
meta protocol {0x8912, 0x88e1} counter drop comment "!fw4: dropping Fritz spam"
and then restarted the firewall:

service firewall restart && service firewall status

Then I checked the rules:
fw4 -q check

But there is no new rule in the drop_to_wan chain:
fw4 print | grep "chain drop_to_wan {" -A 4
nor in the LuCI interface.

After that I created this file:

#!/usr/sbin/nft -f
table netdev filter {
    chain ingress {
        type filter hook ingress device lan5 priority 0; policy accept;
        meta protocol {0x8912, 0x88e1} drop
    }
}

applied it, and now I can see that rule in the LuCI interface


but tcpdump is showing that these broadcast packets are still there, and the quantity of dropped packets is growing.
I don't know how to drop these packets. Any ideas?

Thanks in advance.

Thanks - looks like this is the new link:

2 Likes
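A worked version of the netdev approach from the post above, as an added example that is not code from the original thread, from OpenWrt or from AVM. Two facts it builds on: first, fw4's own table is of the inet family, and inet-family hooks only ever see IPv4/IPv6 packets, so a rule spliced into an fw4 chain (such as drop_to_wan via a chain-pre include) can never match EtherTypes 0x88e1 (HomePlug AV, the powerline discovery protocol) or 0x8912; the rule has to sit in a netdev-family ingress chain, exactly like the standalone file in the post. Second, the packet tap that feeds tcpdump runs in the receive path before the nft ingress hook, so tcpdump on lan5 keeps showing frames that the hook then drops; the rising drop counter, not tcpdump, is the evidence that the rule works (if lan5 is a bridge member, a capture on the bridge interface would show them gone). To make the netdev table survive a firewall restart, the script emits an fw4 include with position 'ruleset-post', which places the file outside the inet fw4 table; files under /etc/nftables.d are included inside that table and cannot hold a table definition. The interface name lan5, the EtherType list and the file path are hypothetical defaults taken from the post, and the nft output used for the parser check is constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from OpenWrt.
# Drops selected non-IP EtherTypes at the netdev ingress hook, prints the uci
# stanza that makes fw4 load the file, and verifies the drop from the rule's own
# counter. Interface, EtherTypes and file path below are hypothetical defaults.

IFACE="${IFACE:-lan5}"
ETHERTYPES="${ETHERTYPES:-0x88e1 0x8912}"
NFT_FILE="${NFT_FILE:-/etc/my_custom_firewall_rules.nft}"

# Print a netdev-family ruleset for interface $1 dropping EtherTypes $2..$n.
# The leading "table" + "delete table" pair makes reloading idempotent, so the
# file can be applied again on every firewall restart without errors.
gen_ruleset() {
    iface="$1"; shift
    etset=""
    for et in "$@"; do
        etset="${etset:+$etset, }$et"
    done
    printf 'table netdev ethertype_filter\n'
    printf 'delete table netdev ethertype_filter\n'
    printf 'table netdev ethertype_filter {\n'
    printf '    chain ingress_%s {\n' "$iface"
    printf '        type filter hook ingress device "%s" priority 0; policy accept;\n' "$iface"
    printf '        meta protocol { %s } counter drop comment "drop non-IP broadcast frames"\n' "$etset"
    printf '    }\n'
    printf '}\n'
}

# Print the uci commands for an fw4 include placed outside the "inet fw4"
# table (position ruleset-post). A netdev table needs that placement: inet
# chains never see non-IP frames, so the rule cannot live inside fw4's table.
gen_uci_include() {
    cat <<EOF
uci add firewall include
uci set firewall.@include[-1].type='nftables'
uci set firewall.@include[-1].path='$1'
uci set firewall.@include[-1].position='ruleset-post'
uci commit firewall
EOF
}

# Read "nft list chain ..." output on stdin and print the packet count of the
# counter on the drop rule (prints nothing if no such rule is present).
parse_drop_packets() {
    sed -n 's/.*counter packets \([0-9][0-9]*\) bytes [0-9][0-9]* drop.*/\1/p' | head -n 1
}

# Sample the drop counter twice. tcpdump on the same interface still shows the
# frames because its packet tap runs before the ingress hook; a rising counter
# is the evidence that the drop works.
verify_drops() {
    before=$(nft list chain netdev ethertype_filter "ingress_$IFACE" | parse_drop_packets)
    sleep 5
    after=$(nft list chain netdev ethertype_filter "ingress_$IFACE" | parse_drop_packets)
    echo "frames dropped in the last 5 s: $((${after:-0} - ${before:-0}))"
}

# Usage on the router: sh drop-ethertypes.sh gen | uci | apply | verify
case "${1:-}" in
    gen)    gen_ruleset "$IFACE" $ETHERTYPES ;;   # unquoted on purpose: split the list
    uci)    gen_uci_include "$NFT_FILE" ;;
    apply)  gen_ruleset "$IFACE" $ETHERTYPES > "$NFT_FILE" \
                && nft -c -f "$NFT_FILE" \
                && service firewall restart ;;
    verify) verify_drops ;;
esac
```

Run `sh drop-ethertypes.sh uci | sh` once to register the include, then `sh drop-ethertypes.sh apply`; `nft -c -f` syntax-checks the file before fw4 is restarted, so a typo (such as an unterminated comment string) is reported instead of being silently skipped. `sh drop-ethertypes.sh verify` then prints how many frames the rule dropped in five seconds, which is the check to trust rather than a tcpdump on lan5.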

From what I can see, it's impossible, or I didn't find a way to do it.

Next to that, I gathered ICMP statistics, and it looks like the ISP has some issues with connectivity to Western Europe. From 12:00 till 00:00 the quantity of lost packets increases. I created a ticket and am waiting for the response from the ISP.

screenshot

It makes VPN usage (the server is in Western Europe) more complicated, and sometimes impossible.

What do we have for now?
No VPN. But we have a stable internet connection without VPN (router2 > router1 > ISP). Also I think that SQM is configured properly and nobody feels uncomfortable when somebody is downloading something heavy.
So I have to say "thank you" to @moeller0, @Lynx and @LilRedDog for your help and support.

I'll update this topic when I get anything from the ISP.

1 Like

Hi guys, here is a small update.
All these problems are related to the "cross-border" provider and its issues, so it's impossible to do much in this situation.
Option #1 - change the ISP.
Option #2 - change the VPS hoster.

So I can assume that

  1. Routers work fine
  2. SQM configured and also fine-tuned
  3. Topic could be closed

PS: Many thanks to all the participants @moeller0 @LilRedDog @Lynx

1 Like