Crowdsec not blocking traffic

Hi there,

I'm trying to migrate from OPNsense to OpenWrt but the process is quite difficult. Currently I'm trying to get Crowdsec running, but after a successful installation and configuration Crowdsec is not blocking traffic that was added by e.g. a manual decision.

In the file /var/log/crowdsec-firewall-bouncer.log I can see that the decision was added to the chains of crowdsec, but it won't block anything.

time="2025-10-27T20:18:47Z" level=info msg="Starting crowdsec-firewall-bouncer "
time="2025-10-27T20:18:47Z" level=info msg="backend type: nftables"
time="2025-10-27T20:18:47Z" level=info msg="IPV6 is disabled"
time="2025-10-27T20:18:47Z" level=info msg="nftables initiated"
time="2025-10-27T20:18:47Z" level=info msg="Using API key auth"
time="2025-10-27T20:18:47Z" level=info msg="Processing new and deleted decisions . . ."
time="2025-10-27T20:18:48Z" level=info msg="1550 decisions deleted"
time="2025-10-27T20:18:48Z" level=info msg="Created set and rule for origin CAPI and type ipv4_addr in chain crowdsec-chain-input"
time="2025-10-27T20:18:48Z" level=info msg="Created set and rule for origin CAPI and type ipv4_addr in chain crowdsec-chain-forward"
time="2025-10-27T20:18:48Z" level=info msg="13467 decisions added"
time="2025-10-27T20:19:17Z" level=info msg="Created set and rule for origin cscli and type ipv4_addr in chain crowdsec-chain-forward"
time="2025-10-27T20:19:17Z" level=info msg="Created set and rule for origin cscli and type ipv4_addr in chain crowdsec-chain-input"
time="2025-10-27T20:19:17Z" level=info msg="1 decision added"

The manually added IP is also added to the nft table of crowdsec.

root@OpenWrt:~# nft list tables
table inet fw4
table ip crowdsec
root@OpenWrt:~# nft list table crowdsec
...
...
                             223.221.36.42 timeout 6d22h8m51s170ms expires 6d22h6m49s550ms,
                             223.221.38.226 timeout 4d20h56m8s170ms expires 4d20h54m6s550ms,
                             223.223.177.215 timeout 5d19h8m51s170ms expires 5d19h6m49s550ms,
                             223.241.214.127 timeout 1d10h56m8s170ms expires 1d10h54m6s550ms,
                             223.241.247.214 timeout 6d21h8m51s170ms expires 6d21h6m49s550ms,
                             223.243.24.178 timeout 3d23h56m8s170ms expires 3d23h54m6s550ms,
                             223.244.25.6 timeout 4d21h56m8s170ms expires 4d21h54m6s550ms,
                             223.247.33.150 timeout 6d20h8m51s170ms expires 6d20h6m49s550ms,
                             223.247.218.112 timeout 6d22h8m51s170ms expires 6d22h6m49s550ms }
        }

        set crowdsec-blacklists-cscli {
                type ipv4_addr
                flags timeout
                elements = { 192.168.2.208 timeout 4m53s310ms expires 3m21s50ms }
        }

        chain crowdsec-chain-input {
                type filter hook input priority filter + 4; policy accept;
                ct state established,related accept
                iifname != "eth0" accept
                counter name "processed"
                ip saddr @crowdsec-blacklists-CAPI counter name "crowdsec-blacklists-CAPI" drop
                ip saddr @crowdsec-blacklists-cscli counter name "crowdsec-blacklists-cscli" drop
        }

        chain crowdsec-chain-forward {
                type filter hook forward priority filter + 4; policy accept;
                ct state established,related accept
                iifname != "eth0" accept
                counter name "processed"
                ip saddr @crowdsec-blacklists-CAPI counter name "crowdsec-blacklists-CAPI" drop
                ip saddr @crowdsec-blacklists-cscli counter name "crowdsec-blacklists-cscli" drop
        }
}

I'm testing the block by using a port forwarding to a test machine. Testing the same command on an OPNsense box works fine and blocks the traffic; on OpenWrt this is not happening and I don't know why.

Can someone help?

Regards,
Shorty

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Hi @brada4,

changed it.

Try this Firewall traffic log "live view" for rule debugging - #12 by brada4

Crowdsec hook will not grip br-lan bridge traffic. It has to cross into an interface with an ip(6) address directed to somewhere else.

Also pbr or offload will interfere.

Possibly wrong network device name. What's the output of

cat /etc/config/firewall

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ETH0 is LAN by default. Are you blocking traffic on LAN?
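The mismatch the replies are pointing at can be checked mechanically. The script below is an added diagnostic, not code from the thread or from CrowdSec: it reads the interface the crowdsec nftables chains restrict inspection to (the `iifname != "X" accept` rule) and compares it with the device behind OpenWrt's `wan` interface. All input is constructed, and the layout eth0 = lan, eth1 = wan is an assumption.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: the crowdsec chains' "iifname != X accept"
# lets everything not arriving on X skip the drop rules, so X must be the wan device.
# Inputs are constructed; the layout eth0 = lan, eth1 = wan is an assumption.

# Constructed excerpt shaped like the thread's `nft list table crowdsec`.
NFT_DUMP='table ip crowdsec {
        chain crowdsec-chain-input {
                type filter hook input priority filter + 4; policy accept;
                ct state established,related accept
                iifname != "eth0" accept
                ip saddr @crowdsec-blacklists-cscli counter name "crowdsec-blacklists-cscli" drop
        }
}'

# Constructed /etc/config/network excerpt.
NETWORK_CFG="config interface 'lan'
        option device 'eth0'
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'"

# Print the device of a named UCI interface section ($1 = config text, $2 = name).
uci_iface_device() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        /^config interface/ { gsub(q, "", $3); cur = $3 }
        /option device/ && cur == want { gsub(q, "", $3); print $3; exit }'
}

# Print each interface the crowdsec chains restrict inspection to ($1 = nft dump).
bouncer_filtered_ifaces() {
    printf '%s\n' "$1" | sed -n 's/.*iifname != "\([^"]*\)" accept.*/\1/p' | sort -u
}

# 0 when the chains inspect the real wan device, 1 when they watch another
# interface (the thread's case: eth0, which is lan on this box).
check_bouncer_iface() {
    wan=$(uci_iface_device "$2" wan)
    for dev in $(bouncer_filtered_ifaces "$1"); do
        if [ "$dev" != "$wan" ]; then
            echo "crowdsec chains only inspect $dev, but wan is $wan" >&2
            return 1
        fi
    done
    return 0
}
if check_bouncer_iface "$NFT_DUMP" "$NETWORK_CFG"; then
    echo "bouncer interface matches wan"
else
    echo "fix: point the bouncer at $(uci_iface_device "$NETWORK_CFG" wan)"
fi
```

On a live box, replace the two constructed strings with `$(nft list table ip crowdsec)` and `$(cat /etc/config/network)`.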

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'port 21'
        option family 'ipv4'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.1.214'
        option dest_port '21'

Last rule is a no-op, you need a ct helper to handle FTP. And what about the "network" config to understand the positioning of eth0 in the router?

Looks like the hint with eth1 did the trick. The layout is confusing me: the lan port is left and the wan is right. After switching it in the config of crowdsec to eth1 it is working.
