Hello, all
I am hitting a forwarding problem using OpenWrt with one WAN and one LAN: a device behind the LAN cannot reach devices beyond the WAN. Looking at the nft tables, forwarding seems fine, but I am not good at nft — can somebody help me?
My device has two network interfaces: eth0 is used as LAN and eth1 as WAN.
ifconfig:
/ # ifconfig
br-lan Link encap:Ethernet HWaddr 5A:F1:DB:56:DC:A8
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fd00:ab:cd::1/60 Scope:Global
inet6 addr: fe80::58f1:dbff:fe56:dca8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8186 errors:0 dropped:0 overruns:0 frame:0
TX packets:5483 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:851730 (831.7 KiB) TX bytes:4678480 (4.4 MiB)
docker0 Link encap:Ethernet HWaddr 02:42:4E:09:AF:12
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 5A:F1:DB:56:DC:A8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8188 errors:0 dropped:0 overruns:0 frame:0
TX packets:5483 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:966478 (943.8 KiB) TX bytes:4678480 (4.4 MiB)
Interrupt:46
eth1 Link encap:Ethernet HWaddr 56:F1:DB:56:DC:A8
inet addr:10.11.81.91 Bcast:10.11.255.255 Mask:255.255.0.0
inet6 addr: fe80::54f1:dbff:fe56:dca8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20143 errors:0 dropped:0 overruns:0 frame:0
TX packets:1435 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2012215 (1.9 MiB) TX bytes:152302 (148.7 KiB)
Interrupt:54
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18386 (17.9 KiB) TX bytes:18386 (17.9 KiB)
nft list ruleset:
/ # nft list ruleset
table inet fw4 {
ct helper amanda {
type "amanda" protocol udp
l3proto inet
}
ct helper ftp {
type "ftp" protocol tcp
l3proto inet
}
ct helper RAS {
type "RAS" protocol udp
l3proto inet
}
ct helper Q.931 {
type "Q.931" protocol tcp
l3proto inet
}
ct helper irc {
type "irc" protocol tcp
l3proto ip
}
ct helper netbios-ns {
type "netbios-ns" protocol udp
l3proto ip
}
ct helper sane {
type "sane" protocol tcp
l3proto inet
}
ct helper sip {
type "sip" protocol udp
l3proto inet
}
ct helper snmp {
type "snmp" protocol udp
l3proto ip
}
ct helper tftp {
type "tftp" protocol udp
l3proto inet
}
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy accept;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump upnp_forward comment "Hook into miniupnpd forwarding chain"
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_lan
}
chain helper_lan {
udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
}
chain accept_from_lan {
iifname "br-lan" counter packets 122 bytes 10415 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 89 bytes 7776 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 1 bytes 28 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 344 bytes 10840 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 42 bytes 3192 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 63 bytes 3464 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 156 bytes 11232 accept comment "!fw4: Allow-ICMPv6-Input"
jump accept_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump accept_to_wan
}
chain accept_to_wan {
oifname "eth1" counter packets 3306 bytes 274077 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
}
chain reject_to_wan {
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
chain upnp_forward {
}
chain upnp_prerouting {
}
chain upnp_postrouting {
}
chain trace_chain {
type filter hook prerouting priority raw - 1; policy accept;
meta nftrace set 1
}
chain accept_from_wan {
iifname "eth1" counter packets 6629 bytes 1145724 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
}
table inet nft-qos-monitor {
chain upload {
type filter hook postrouting priority filter; policy accept;
ip saddr 192.168.1.210 counter packets 0 bytes 0
}
chain download {
type filter hook prerouting priority filter; policy accept;
ip daddr 192.168.1.210 counter packets 0 bytes 0
}
}
When I try to ping baidu.com from the LAN device, it does not work.
The device behind the LAN has IP 192.168.1.210; baidu.com resolves to 39.156.66.10.
nft monitor trace:
trace id 4a2d7453 inet fw4 trace_chain packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet fw4 trace_chain rule meta nftrace set 1 (verdict continue)
trace id 4a2d7453 inet fw4 trace_chain verdict continue
trace id 4a2d7453 inet fw4 trace_chain policy accept
trace id 4a2d7453 inet fw4 raw_prerouting packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet fw4 raw_prerouting verdict continue
trace id 4a2d7453 inet fw4 raw_prerouting policy accept
trace id 4a2d7453 inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet fw4 mangle_prerouting verdict continue
trace id 4a2d7453 inet fw4 mangle_prerouting policy accept
trace id 4a2d7453 inet fw4 dstnat packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet fw4 dstnat rule jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" (verdict jump upnp_prerouting)
trace id 4a2d7453 inet fw4 upnp_prerouting verdict continue
trace id 4a2d7453 inet fw4 dstnat verdict continue
trace id 4a2d7453 inet fw4 dstnat policy accept
trace id 4a2d7453 inet nft-qos-monitor download packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet nft-qos-monitor download verdict continue
trace id 4a2d7453 inet nft-qos-monitor download policy accept
trace id 4a2d7453 inet fw4 prerouting packet: iif "br-lan" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 4a2d7453 inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id 4a2d7453 inet fw4 helper_lan verdict continue
trace id 4a2d7453 inet fw4 prerouting verdict continue
trace id 4a2d7453 inet fw4 prerouting policy accept
trace id 1b6d2be0 inet fw4 mangle_forward packet: iif "br-lan" oif "eth1" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 1b6d2be0 inet fw4 mangle_forward verdict continue
trace id 1b6d2be0 inet fw4 mangle_forward policy accept
trace id 1b6d2be0 inet fw4 forward packet: iif "br-lan" oif "eth1" ether saddr 76:bf:94:b5:19:13 ether daddr 5a:f1:db:56:dc:a8 ip saddr 192.168.1.210 ip daddr 39.156.66.10 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 40170 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 25 icmp sequence 232 @th,64,96 0xc4b08663645a090008090a0b
trace id 1b6d2be0 inet fw4 forward rule iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
trace id 1b6d2be0 inet fw4 forward_lan rule jump accept_to_wan comment "!fw4: Accept lan to wan forwarding" (verdict jump accept_to_wan)
trace id 1b6d2be0 inet fw4 accept_to_wan rule oifname "eth1" counter packets 1993 bytes 162500 accept comment "!fw4: accept wan IPv4/IPv6 traffic" (verdict accept)