Avoiding DNS poisoning from the ISP side

Thanks a lot for the info. It skips offload at connection start; it looks like it postpones offload until packet manipulations are complete, and offload is expected to work from there.

OK, I set hardware offloading to none; now wired works too.

zapret patches ruleset.uc; you have to enable offload from zapret, otherwise offload bypasses it too early.

You mean from inside the ./install_something.sh script, right? At the end it asks: none, software, hardware; choose one? Is that it?


Sure thing, but mind that I disabled all hardware or software offloading in this example here, since it doesn't work properly with it. Do you want me to enable it?

nft list ruleset | grep flow
	chain flow_offload {
		tcp dport { 80, 443 } ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		udp dport 443 ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"

You need to enable offload via zapret, which will patch the firewall to permit rules to postpone offload until after it did packet mutations. But don't use the luci checkbox to enable offload.

Oh, OKAY, because I did that and it only worked on wireless. Trying again. Will report soon.

I did what you said here. Also enabled hardware offloading from inside zapret, not from luci:

root@OpenWrt:/opt/zapret# nft list ruleset | grep flow
	flowtable ft {
		oifname @wanif jump flow_offload
		oifname @wanif6 jump flow_offload
	chain flow_offload {
		tcp dport { 80, 443 } ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		udp dport 443 ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		meta l4proto { tcp, udp } flow add @ft
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"

It is derived from the zapret config. As you see, 2 jumps are patched into the ruleset in a different place than fw4.
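The two posts above (enable offload from zapret so its "direct flow offloading exemption" rules run before fw4 hands the flow to the flowtable) describe an ordering that is easy to verify on the router. The following shell snippet is an added example, not from the thread and not zapret's or fw4's own code: it scans `nft list ruleset` output and confirms that, inside the `flow_offload` chain, every exemption rule precedes the first `flow add` rule. The two sample rulesets are constructed from the output quoted above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify that in the fw4 "flow_offload"
# chain the zapret "direct flow offloading exemption" rules come BEFORE the
# "flow add @ft" rule, i.e. offload is postponed until zapret's packet
# mutations are done. Reads `nft list ruleset` text on stdin.

# Returns 0 when the chain contains at least one exemption rule and every
# exemption rule precedes the first "flow add" line; returns 1 otherwise.
check_offload_order() {
    awk '
        /chain flow_offload/ { inchain = 1; next }          # enter the chain
        inchain && /^[[:space:]]*}/ { inchain = 0 }          # leave at closing brace
        inchain && /direct flow offloading exemption/ {
            exempt++
            if (seen_add) bad = 1                            # exemption after flow add: too late
        }
        inchain && /flow add @/ { seen_add = 1 }
        END { exit (exempt > 0 && !bad) ? 0 : 1 }
    '
}

# Constructed sample, modelled on the patched ruleset shown in the thread:
# exemptions first, then the flow add.
GOOD_RULESET='table inet fw4 {
	flowtable ft {
	}
	chain flow_offload {
		tcp dport { 80, 443 } ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		udp dport 443 ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
		meta l4proto { tcp, udp } flow add @ft
	}
}'

# Constructed counter-example: flow add comes first, so the first packets of a
# connection are offloaded before the exemption can keep them in the slow path.
BAD_RULESET='table inet fw4 {
	chain flow_offload {
		meta l4proto { tcp, udp } flow add @ft
		tcp dport { 80, 443 } ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
	}
}'

check_good() { printf '%s\n' "$GOOD_RULESET" | check_offload_order; }
check_bad()  { printf '%s\n' "$BAD_RULESET"  | check_offload_order; }

# Live use on the router (assumed invocation):
#   nft list ruleset | check_offload_order && echo "exemptions precede offload" || echo "offload precedes zapret exemptions"
```

The check only looks at rule order inside `flow_offload`; it does not confirm that the `jump flow_offload` rules are present in the forward chain, which the `grep flow` output above already shows.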


Oh okay, now I get it. If this helps you in any way, I will be glad :slight_smile:
