AP, Bridge and the Firewall (LAN vs WLAN)

The situation is as follows:

  • I have a modem with built-in router that acts as my main router which manages PPPoE and DHCP

  • I have an OpenWrt wireless router (Xiaomi AX3600) that's connected to the main router via LAN cable and acts as a wired access point (a bridged or "dumb" AP: as far as the dumps below show it has no WAN interface of its own, all four Ethernet ports and both Wi-Fi radios sit in the same `br-lan` bridge with a static 192.168.1.2 address, and nothing is masqueraded), meaning that the AX3600 shares the same subnet as the main router and simply extends the network.

  • Now I need to use some transparent proxy software that can only run on the AX3600 (because the modem can't). The software is called "clash". From the nat table below it works by REDIRECTing TCP traffic to a list of well-known ports (22, 53, 80, 443, 8080, mail ports, ...) from private source ranges to its local port 7892, and UDP/53 DNS queries to local port 1053; port 7890 appears to be its ordinary proxy listener, which the INPUT rules accept only from RFC 1918 / loopback sources and reject from anywhere else.

  • When I connect to the AX3600 via WiFi, my data is routed through the transparent proxy software

  • When I connect to the AX3600 via LAN, my data is NOT routed through the transparent proxy software

I'm not an expert in anything, but I think there's something wrong with the firewall, or the bridge? I tried to modify the iptables rules to no avail and don't really know what else I can do. Here's my network and firewall configuration in case that's useful. It really feels like there could be a very simple fix, but I'm simply not equipped with the knowledge or experience to diagnose where the problem is, so any help is appreciated! Thanks in advance!

cat /etc/config/firewall


config defaults
	option syn_flood '0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest 'lan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'Forbidden_Wan_RA'
	option name 'Forbidden_Wan_RA'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'router-advertisement'
	option family 'ipv6'
	option target 'REJECT'

config include 'webinitrdr'
	option path '/lib/firewall.sysapi.loader webinitrdr'
	option reload '1'
	option enabled '1'

config include 'dnsmiwifi'
	option path '/lib/firewall.sysapi.loader dnsmiwifi'
	option reload '1'
	option enabled '1'

config include 'macfilter'
	option path '/lib/firewall.sysapi.loader macfilter'
	option reload '1'
	option enabled '1'

config include 'ipv6_masq'
	option path '/lib/firewall.sysapi.loader ipv6_masq'
	option reload '1'

config include 'set_tcpmss'
	option path '/lib/firewall.sysapi.loader set_tcpmss'
	option reload '1'

config include 'miot'
	option path '/lib/firewall.sysapi.loader miot'
	option reload '1'

config rule 'guest_8999'
	option name 'Hello wifi 8999'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8999'
	option target 'ACCEPT'

config rule 'guest_8300'
	option name 'Hello wifi 8300'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8300'
	option target 'ACCEPT'

config rule 'guest_7080'
	option name 'Hello wifi 7080'
	option src 'guest'
	option proto 'tcp'
	option dest_port '7080'
	option target 'ACCEPT'

config zone 'ready_zone'
	option name 'ready'
	list network 'ready'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

config rule 'ready_dhcp'
	option name 'DHCP for ready'
	option src 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'ready_dhcp_out'
	option name 'DHCP for ready'
	option dest 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'ready_minet_in'
	option name 'minet ready'
	option src 'ready'
	option dest_port '786'
	option proto 'tcp'
	option target 'ACCEPT'

config rule 'ready_minet_out'
	option name 'minet ready'
	option src 'ready'
	option src_port '786'
	option proto 'tcp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'IPv4'
	option reload '1'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '1'

cat /etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config switch
	option name 'switch0'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option multicast_querier '0'
	option igmp_snooping '0'
	option macaddr '8c:53:c3:da:6a:6b'
	option ieee1905managed '1'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	option mtu '1500'
	list dns '192.168.1.1'
	option ifname 'eth1 eth2 eth3 eth4'

config interface 'eth1'
	option ifname 'eth1'
	option keepup '1'

config interface 'eth2'
	option ifname 'eth2'

config interface 'eth3'
	option ifname 'eth3'

config interface 'eth4'
	option ifname 'eth4'

config interface 'miot'
	option ifname 'wl13'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.32.1'
	option netmask '255.255.255.0'

cat /etc/config/wireless


config wifi-device 'wifi0'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6c'
	option hwmode '11axa'
	option htmode 'HT80'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option bw '0'
	option txpwr 'max'

config wifi-iface
	option device 'wifi0'
	option ifname 'wl0'
	option network 'lan'
	option mode 'ap'
	option wpsdevicename 'XiaoMiRouter'
	option channel_block_list '52,56,60,64'
	option macfilter 'disabled'
	option miwifi_mesh '0'
	option disabled '0'
	option ssid 'AX3600_5G'
	option encryption 'psk2'
	option key 'password'

config wifi-device 'wifi1'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6b'
	option hwmode '11axg'
	option htmode 'HT40'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option txpwr 'max'

config wifi-iface
	option device 'wifi1'
	option ifname 'wl1'
	option network 'lan'
	option mode 'ap'
	option wpsdevicename 'XiaoMiRouter'
	option macfilter 'disabled'
	option ssid 'AX3600'
	option encryption 'psk2'
	option key 'password'
	option disabled '0'

config wifi-device 'wifi2'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6d'
	option hwmode '11ac'
	option htmode 'HT20'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option bw '20'

config wifi-iface
	option device 'wifi2'
	option ifname 'wl2'
	option mode 'sta'
	option ssid 'MIIOT_DEV'
	option encryption 'none'
	option wpsdevicename 'XiaoMiRouter'
	option disabled '0'

config wifi-iface 'miot_2G'
	option ifname 'wl13'
	option network 'miot'
	option encryption 'none'
	option device 'wifi1'
	option mode 'ap'
	option hidden '1'
	option maxsta '20'
	option ssid '25c829b1922d3123_miwifi'
	option bsd '0'
	option ap_isolate '1'
	option userswitch '1'
	option disabled '0'
	option bindstatus '1'

iptables -t filter -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N forwarding_lan_rule
-N forwarding_ready_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_ready_rule
-N input_rule
-N input_wan_rule
-N macfilter_input
-N macfilter_wan
-N miot_input
-N output_lan_rule
-N output_ready_rule
-N output_rule
-N output_wan_rule
-N reject
-N zone_lan_dest_ACCEPT
-N zone_lan_dest_REJECT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_ready_dest_ACCEPT
-N zone_ready_dest_DROP
-N zone_ready_forward
-N zone_ready_input
-N zone_ready_output
-N zone_ready_src_DROP
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i br-miot -j miot_input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 7890 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7890 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 7890 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m tcp --dport 7890 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7890 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br-miot -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A forwarding_rule -j macfilter_wan
-A input_lan_rule -j macfilter_input
-A miot_input -p udp -m udp --sport 54321 -j ACCEPT
-A miot_input -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A miot_input -j DROP
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_ready_forward -m comment --comment "!fw3: Custom ready forwarding rule chain" -j forwarding_ready_rule
-A zone_ready_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ready_forward -m comment --comment "!fw3" -j zone_ready_dest_DROP
-A zone_ready_input -m comment --comment "!fw3: Custom ready input rule chain" -j input_ready_rule
-A zone_ready_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: DHCP for ready" -j ACCEPT
-A zone_ready_input -p tcp -m tcp --dport 786 -m comment --comment "!fw3: minet ready" -j ACCEPT
-A zone_ready_input -p tcp -m tcp --sport 786 -m comment --comment "!fw3: minet ready" -j ACCEPT
-A zone_ready_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ready_input -m comment --comment "!fw3" -j zone_ready_src_DROP
-A zone_ready_output -m comment --comment "!fw3: Custom ready output rule chain" -j output_ready_rule
-A zone_ready_output -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: DHCP for ready" -j zone_ready_dest_ACCEPT
-A zone_ready_output -m comment --comment "!fw3" -j zone_ready_dest_DROP
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT

iptables -t mangle -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N MINIUPNPD
-N MINIUPNPD-POSTROUTING
-N clash
-N clash_dns
-N postrouting_lan_rule
-N postrouting_ready_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_lan_rule
-N prerouting_ready_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_ready_postrouting
-N zone_ready_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -p udp -m udp --dport 53 -j clash_dns
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p tcp -m multiport --dports 22,53,587,465,995,993,143,80,443,8080 -j clash
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A clash -d 0.0.0.0/8 -j RETURN
-A clash -d 10.0.0.0/8 -j RETURN
-A clash -d 127.0.0.0/8 -j RETURN
-A clash -d 100.64.0.0/10 -j RETURN
-A clash -d 169.254.0.0/16 -j RETURN
-A clash -d 172.16.0.0/12 -j RETURN
-A clash -d 192.168.0.0/16 -j RETURN
-A clash -d 224.0.0.0/4 -j RETURN
-A clash -d 240.0.0.0/4 -j RETURN
-A clash -s 192.168.0.0/16 -p tcp -j REDIRECT --to-ports 7892
-A clash -s 10.0.0.0/8 -p tcp -j REDIRECT --to-ports 7892
-A clash_dns -p udp -j REDIRECT --to-ports 1053
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_ready_postrouting -m comment --comment "!fw3: Custom ready postrouting rule chain" -j postrouting_ready_rule
-A zone_ready_prerouting -m comment --comment "!fw3: Custom ready prerouting rule chain" -j prerouting_ready_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule

What version of OpenWrt is this running?

ubus call system board

{
	"kernel": "4.4.60",
	"hostname": "XiaoQiang",
	"model": "Qualcomm Technologies, Inc. IPQ807x\/AP-AC04",
	"board_name": "ap-ac04",
	"release": {
		"distribution": "OpenWrt",
		"version": "18.06-SNAPSHOT",
		"revision": "unknown",
		"target": "ipq807x_64\/MiWiFi",
		"description": "OpenWrt 18.06-SNAPSHOT unknown"
	}
}

This is running a very old (and obsolete/unsupported) version of OpenWrt that is actually customized by the manufacturer and is therefore non-standard. Please install an official version of OpenWrt (21.02.3 is current as of this moment), or ask on the vendor's support site/forums. Note that an 18.06 snapshot on kernel 4.4.60 has not received security fixes in years, so any vulnerability in the services this box runs is there to stay. Two other things in your dumps are worth knowing about: the firmware brings up a hidden open (`encryption 'none'`) IoT-onboarding SSID (`miot_2G`) plus a station interface that associates to an open `MIIOT_DEV` network; the firewall does constrain that bridge (`miot_input` drops everything except DHCP and UDP from source port 54321, and forwarding from `br-miot` is dropped), but it is still an unauthenticated radio you may not have asked for. And if the `option key 'password'` lines are not redactions, change the Wi-Fi PSK.

I would prefer to leave the stock firmware as it is since I'm setting it up for my family and I won't be around to troubleshoot if any other issue arises. This problem I'm facing isn't really critical, but it does bug me quite a bit since it appears to be a very simple fix despite me not knowing how... Thanks for the reply anyway.

That's reasonable. But since the firmware is customized by the manufacturer, you will need to reach out to them to get your questions answered. One thing you can still check from what you posted: the `clash` chain is only reached from nat PREROUTING, which bridged frames traverse only when br_netfilter is active (`sysctl net.bridge.bridge-nf-call-iptables`), and on this platform wired port-to-port traffic may additionally be switched in hardware (`switch0`) or offloaded by the `qca-nss-ecm` include, so it never reaches the CPU's netfilter hooks at all — which would explain why only Wi-Fi clients, whose frames must pass through the software bridge, get redirected. Watching the packet counters with `iptables -t nat -L clash -v` while a wired client and a Wi-Fi client each open a connection to port 443 would tell you whether the wired traffic is reaching the rules at all.

Alas, the price you pay for purchasing inexpensive Chinese hardware. There isn't really any technical support or community support that I can find.

That's a bummer. And it also appears that it is not officially supported by OpenWrt.

Officially, no - not yet. But Adding OpenWrt support for Xiaomi AX3600 is on its way to becoming official. Contrary to the OEM firmware, that is something we could help you with. Two caveats, though: you will need to build it from source yourself (to get the more exotic kernel modules working) until it's officially supported, and you are on your own with anything clash-specific.