[Solved] DNS freakishly slow on Guest network

cat /etc/resolv.conf on Trusted
nameserver 8.8.8.8

cat /etc/resolv.conf on Guests
nameserver 10.5.0.1

So it is the local DNS where the bottleneck lies. I will figure out now where that 8.8.8.8 is coming from.

grep -v -e ^# -e ^$ /etc/nsswitch.conf /etc/resolv.conf; \
ip address show; ip route show; ip rule show; \
time nslookup example.org; \
time nslookup example.org 8.8.8.8; \
time nslookup example.org 1.1.1.1

8.8.8.8 was hardcoded in my network manager for the Trusted wireless network.

So the local DNS is the problem, which now also applies to the Trusted network.

pvedesktop@pvemobile:~$ grep -v -e ^# -e ^$ /etc/nsswitch.conf /etc/resolv.conf; \
> ip address show; ip route show; ip rule show; \
> time nslookup openwrt.org; \
> time nslookup openwrt.org 8.8.8.8; \
> time nslookup openwrt.org 1.1.1.1
/etc/nsswitch.conf:passwd:         files systemd
/etc/nsswitch.conf:group:          files systemd
/etc/nsswitch.conf:shadow:         files
/etc/nsswitch.conf:gshadow:        files
/etc/nsswitch.conf:hosts:          files mdns4_minimal [NOTFOUND=return] dns
/etc/nsswitch.conf:networks:       files
/etc/nsswitch.conf:protocols:      db files
/etc/nsswitch.conf:services:       db files
/etc/nsswitch.conf:ethers:         db files
/etc/nsswitch.conf:rpc:            db files
/etc/nsswitch.conf:netgroup:       nis
/etc/resolv.conf:domain lan
/etc/resolv.conf:search lan
/etc/resolv.conf:nameserver 10.5.0.1
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master vmbr0 state DOWN group default qlen 1000
    link/ether c8:5b:76:72:f3:b6 brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:a7:a0:66:00:8f brd ff:ff:ff:ff:ff:ff
    inet 10.5.4.1/16 brd 10.5.255.255 scope global dynamic wlp4s0
       valid_lft 91sec preferred_lft 91sec
    inet6 fe80::e6a7:a0ff:fe66:8f/64 scope link 
       valid_lft forever preferred_lft forever
4: vmbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether c8:5b:76:72:f3:b6 brd ff:ff:ff:ff:ff:ff
default via 10.5.0.1 dev wlp4s0 
10.5.0.0/16 dev wlp4s0 proto kernel scope link src 10.5.4.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
Server:		10.5.0.1
Address:	10.5.0.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
;; connection timed out; no servers could be reached


real	0m25.016s
user	0m0.011s
sys	0m0.000s
;; connection timed out; no servers could be reached


real	0m15.010s
user	0m0.010s
sys	0m0.000s
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1


real	0m5.036s
user	0m0.008s
sys	0m0.004s


Disable peer DNS and configure a major public DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

Then check:

# OpenWrt
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
time nslookup example.org; \
time nslookup example.org 8.8.8.8; \
time nslookup example.org 1.1.1.1

# Client
time nslookup example.org

after these changes:

uci -q delete network.wan.dns
uci add_list network.wan.dns="8.8.8.8"
uci set network.wan.peerdns="0"
uci commit network
/etc/init.d/network restart

I am no longer able to ssh into 10.0.0.1 (OpenWrt) using the Guests network.
EDIT: I should never have been able to ssh into OpenWrt when using the Guest network. I guess my previous post was not solved yet, or it is and I experienced something really weird just now. Anyway, I got a connection refused just now on port 22 when trying to ssh into OpenWrt, which is good as this is a guest network.
EDIT 2: I realize now that I never was able to ssh into OpenWrt using the Guests network. So that part seems to be working as intended.
EDIT 3: There is something terribly wrong with my config. Even when changing the if_Guests interface to the lan firewall zone and restarting the router, the Guests network is still not able to ssh into OpenWrt.
So I guess that needs to be resolved first, and then the DNS issue will automagically disappear.


These will not work when the upstream nameserver has a private IP. That is why you are not getting any response.

iptables-save -c | grep "INPUT -i br-if_Guests"

root@OpenWrt:~# iptables-save -c | grep "INPUT -i br-if_Guests"
[9:1248] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_input

After a good night's sleep I am now able to connect to OpenWrt when using the Guests interface. Somehow it seems things stay cached well after a router reboot. Is there any way I can force any change to be applied, i.e. flush anything related?
DNS resolving now also seems to be doing well. I'll try switching the Guests back to its own fwzone.
EDIT: it's getting more ridiculous by the minute. Just a while ago the guest network started blocking access to OpenWrt again, without any configuration change on my end whatsoever.
I did find something strange though when I actually tried to move the guests back to the guests fwzone again. (L)uci is messing with configs more than I'd like.

root@OpenWrt:~# head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
> time nslookup openwrt.org; \
> time nslookup openwrt.org 8.8.8.8; \
> time nslookup openwrt.org 1.1.1.1
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface if_Guests
nameserver 1.1.1.1
# Interface if_Trusted
nameserver 1.1.1.1
# Interface wan
nameserver 1.1.1.1
head: /tmp/resolv.*/*: No such file or directory
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
real	0m 0.00s
user	0m 0.00s
sys	0m 0.00s
Server:		8.8.8.8
Address:	8.8.8.8#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
real	0m 0.01s
user	0m 0.00s
sys	0m 0.00s
Server:		1.1.1.1
Address:	1.1.1.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
real	0m 0.00s
user	0m 0.00s
sys	0m 0.00s


pvedesktop@pvemobile:~$ time nslookup openwrt.org
Server:		10.5.0.1
Address:	10.5.0.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1


real	0m0.014s
user	0m0.010s
sys	0m0.000s

# Flush DNS cache
/etc/init.d/dnsmasq restart

# Disable DNS caching
uci set dhcp.@dnsmasq[0].cachesize="0"
uci commit dhcp
/etc/init.d/dnsmasq restart

I must be missing something obvious. It's either that, or I have found a serious bug in the latest kernel.

Done;

# Flush DNS cache
/etc/init.d/dnsmasq restart

# Disable DNS caching
uci set dhcp.@dnsmasq[0].cachesize="0"
uci commit dhcp
/etc/init.d/dnsmasq restart

when connected to the guests network;

pvedesktop@pvemobile:~$ time nslookup openwrt.org
;; connection timed out; no servers could be reached


real	0m15.010s
user	0m0.006s
sys	0m0.005s
pvedesktop@pvemobile:~$ ssh root@10.0.0.1
root@10.0.0.1's password: # I really should not be getting this far

# after a long long while
Connection closed by 10.0.0.1 port 22 #which is good in one sense but nah not good in all other senses I guess

Current cleaned up config;

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.252.0.0'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	option delegate '0'
	

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	option delegate '0'
	option force_link '0'
	

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname '@lan'

root@OpenWrt:/etc/config# cat firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_tmp_oldlan if_Guests'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'
	option cachesize '0'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

Can someone please release me from this misery? Should I file a bug, or is the config still not correct?
EDIT: config not correct. The guest network interface name in the firewall config for the firewall rule is not set correctly. UCI for the win. Or me being a newb, or both.

I'll keep you updated.
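The mistake found in the config above (the `guest` zone bound to a network named `guest`, which is not an interface, while `if_Guests` stays listed in the `lan` zone) can be checked mechanically. The script below is an added example, not code from this thread or from OpenWrt: it parses the UCI text of /etc/config/network and /etc/config/firewall with awk and reports zones that reference an undefined interface and interfaces that belong to more than one zone. The embedded configs are constructed, trimmed copies of the ones posted here; the function names `sample_network`, `sample_firewall_before`, `sample_firewall_after` and `audit_zones` are assumptions of this example.

```shell
#!/bin/sh
# Audit OpenWrt UCI firewall zones against the network config (added example).
# Findings:
#   UNDEFINED  a zone's 'network' entry names an interface that does not exist
#   DUPLICATE  an interface is a member of more than one zone
# Samples below are constructed, trimmed copies of the configs posted in the thread.

sample_network() {
cat <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'

config interface 'wan'
    option ifname 'eth1.2'
    option proto 'dhcp'

config interface 'if_Trusted'
    option ifname 'eth0.40'

config interface 'if_Guests'
    option ifname 'eth0.50'

config interface 'if_tmp_oldlan'
    option ifname '@lan'
EOF
}

# Firewall as first posted: the guest zone is bound to 'guest', which is not an interface.
sample_firewall_before() {
cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option network 'lan if_Trusted if_tmp_oldlan if_Guests'

config zone
    option name 'wan'
    option input 'REJECT'
    option network 'wan'

config zone 'guest'
    option name 'guest'
    option input 'REJECT'
    option network 'guest'
EOF
}

# Same firewall after the zone was pointed at if_Guests, with if_Guests still listed in 'lan'.
sample_firewall_after() {
    sample_firewall_before | sed "s/option network 'guest'/option network 'if_Guests'/"
}

# audit_zones NETWORK_FILE FIREWALL_FILE  -> one line per finding, nothing if consistent
audit_zones() {
    awk -v q="'" '
    function flush(   n, i, a) {
        if (name == "") return
        n = split(nets, a, " ")
        for (i = 1; i <= n; i++) {
            if (!(a[i] in iface))
                printf "UNDEFINED: zone %s references interface %s, which is not in the network config\n", name, a[i]
            owners[a[i]] = owners[a[i]] " " name
        }
        name = ""; nets = ""
    }
    # first file (network): remember every "config interface <name>"
    FNR == NR { if ($1 == "config" && $2 == "interface") { gsub(q, "", $3); iface[$3] = 1 }; next }
    # second file (firewall): collect the name and network list of every zone section
    $1 == "config" { flush(); inzone = ($2 == "zone") }
    inzone && $1 == "option" && $2 == "name" { gsub(q, "", $3); name = $3 }
    inzone && ($1 == "option" || $1 == "list") && $2 == "network" {
        s = $0; sub(/^[ \t]*(option|list)[ \t]+network[ \t]+/, "", s); gsub(q, "", s)
        nets = nets " " s
    }
    END {
        flush()
        for (i in owners)
            if (split(owners[i], a, " ") > 1)
                printf "DUPLICATE: interface %s is in zones:%s (fw3 emits the jumps in zone order, so the zone defined first sees the traffic)\n", i, owners[i]
    }' "$1" "$2" | LC_ALL=C sort
}

tmp=$(mktemp -d)
sample_network         > "$tmp/network"
sample_firewall_before > "$tmp/firewall.before"
sample_firewall_after  > "$tmp/firewall.after"

echo "== firewall as first posted =="
audit_zones "$tmp/network" "$tmp/firewall.before"
echo "== after fixing the zone's interface name =="
audit_zones "$tmp/network" "$tmp/firewall.after"
# On the router itself: audit_zones /etc/config/network /etc/config/firewall
```

The first run reports only the undefined `guest` interface; the second shows that fixing the name alone is not enough, because `if_Guests` is then a member of both `lan` and `guest`, and the `lan` zone (defined first, `input ACCEPT`) handles its traffic before the `guest` zone's rules are ever consulted.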

I told you already.

My humble apologies. I must have missed that.
But the wan network config has a DNS server set to 1.1.1.1, which is public.

iptables-save -c | grep "INPUT -i br-if_Guests"
[206:14799] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input

And some weird differences again between Guests and Trusted. The interfaces refuse to use 1.1.1.1 as DNS, but on the Trusted network that does not seem to matter.

pvedesktop@pvemobile:~$ #current on Guests network
pvedesktop@pvemobile:~$ time nslookup openwrt.org
Server:		10.5.0.1 #not sure why this still lists a private ip even though the wan interface explicitly sets 1.1.1.1
Address:	10.5.0.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1


real	0m10.022s #ouch.
user	0m0.005s
sys	0m0.005s
pvedesktop@pvemobile:~$ ssh root@openwrt.lan
ssh: Could not resolve hostname openwrt.lan: Temporary failure in name resolution #good I guess
pvedesktop@pvemobile:~$ ssh root@10.0.0.1
ssh: connect to host 10.0.0.1 port 22: Connection timed out # very good!
pvedesktop@pvemobile:~$ #switching to Trusted network
pvedesktop@pvemobile:~$ time nslookup openwrt.org
Server:		10.4.0.1 #this is also a local ip but this is fast. it's not consistent ;(

Address:	10.4.0.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1


real	0m0.023s
user	0m0.010s
sys	0m0.000s
pvedesktop@pvemobile:~$ ssh root@openwrt.lan
root@openwrt.lan's password: 
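The two `iptables-save -c` lines above tell the whole story: `br-if_Guests` is dispatched first to `zone_lan_input` (206 packets) and only then to `zone_guest_input` (0 packets), so the guest zone's REJECT policy and its DNS/DHCP allow rules never see a packet. The script below is an added example, not from this thread or from OpenWrt: it reads `iptables-save -c` output and prints, per ingress interface, the zone input chains it is dispatched to in rule order, the packet counter of each jump, and the terminal verdict each chain falls through to (`zone_<z>_src_ACCEPT` or `_REJECT`). The embedded table is a constructed, trimmed copy of the filter table posted in this thread; `sample_iptables_save` and `input_dispatch` are names chosen for this example.

```shell
#!/bin/sh
# Show which fw3 zone input chains each ingress interface is dispatched to (added example).
# Feed it `iptables-save -c` output; the sample is a constructed subset of the thread's table.

sample_iptables_save() {
cat <<'EOF'
*filter
:INPUT ACCEPT [7:899]
[773:68677] -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
[1634:249975] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[206:14799] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_input
[114:6475] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[2613:333451] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[2613:333451] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[114:6475] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[114:6475] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
COMMIT
EOF
}

# input_dispatch < iptables-save-output
# One line per ingress interface, zone chains in the order iptables evaluates them.
input_dispatch() {
    awk '
    # INPUT dispatch rule: [pkts:bytes] -A INPUT -i IFACE ... -j zone_<z>_input
    $2 == "-A" && $3 == "INPUT" && $4 == "-i" && $NF ~ /^zone_.*_input$/ {
        split(substr($1, 2), c, ":")          # "[206:14799]" -> c[1] = "206"
        order[$5] = order[$5] " " $NF
        pkts[$5 ":" $NF] = c[1]
    }
    # Terminal verdict of a zone input chain: its jump to zone_<z>_src_<VERDICT>
    $2 == "-A" && $3 ~ /^zone_.*_input$/ && $NF ~ /^zone_.*_src_/ {
        v = $NF; sub(/^zone_.*_src_/, "", v); verdict[$3] = v
    }
    END {
        for (i in order) {
            n = split(order[i], z, " ")
            line = i ":"
            for (k = 1; k <= n; k++)
                line = line " " z[k] " (" pkts[i ":" z[k]] " pkts, " verdict[z[k]] ")"
            if (n > 1)
                line = line " ** in " n " zones: the later chain only sees what the earlier one did not already accept or reject"
            print line
        }
    }' | LC_ALL=C sort
}

sample_iptables_save | input_dispatch
# On the router: iptables-save -c | input_dispatch
```

For the sample, `br-if_Guests` comes out with two chains, `zone_lan_input (206 pkts, ACCEPT)` followed by `zone_guest_input (0 pkts, REJECT)`, while every other interface maps to exactly one zone. Removing `if_Guests` from the `lan` zone's network list (and reloading the firewall) is what makes the second jump the only one.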

Post again everything you have configured here to get the whole picture:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,rango",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.252.0.0'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	option delegate '0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	option delegate '0'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname '@lan'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'NL'
	option legacy_rates '0'
	option txpower '20'
	option htmode 'VHT80'
	option channel '44'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option txpower '20'
	option country 'NL'
	option noscan '1'
	option channel '6'
	option htmode 'HT40'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option country 'NL'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option ssid 'OpenWrt-Trusted+'
	option network 'if_Trusted'
	option encryption 'psk2'
	option mode 'ap'
	option key '12345678'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option ssid 'OpenWrt-Guests+'
	option network 'if_Guests'
	option encryption 'psk2'
	option mode 'ap'
	option key '12345678'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option ssid 'OpenWrt-Trusted'
	option network 'if_Trusted'
	option encryption 'psk2'
	option mode 'ap'
	option key '12345678'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option ssid 'OpenWrt-Guests'
	option network 'if_Guests'
	option encryption 'psk2'
	option mode 'ap'
	option key '12345678'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'
	option cachesize '0'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_tmp_oldlan if_Guests'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'if_Guests'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Nov 13 11:06:18 2020
*nat
:PREROUTING ACCEPT [7041:738494]
:INPUT ACCEPT [1920:156338]
:OUTPUT ACCEPT [2752:193300]
:POSTROUTING ACCEPT [740:82375]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7038:738362] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2087:262298] -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
[4619:448452] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[257:22765] -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_prerouting
[75:4847] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[257:22765] -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
[4360:400992] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:376] -A POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
[732:80887] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4:1032] -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_lan_postrouting
[3622:318697] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[4:1032] -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_postrouting
[4:1032] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[257:22765] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[738:82295] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 10.5.0.0/16 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.5.0.1
[0:0] -A zone_lan_postrouting -s 10.5.0.0/16 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.5.0.1
[6963:733515] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.5.0.0/16 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.5.0.0/16 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[3622:318697] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[3622:318697] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[75:4847] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
COMMIT
# Completed on Fri Nov 13 11:06:18 2020
# Generated by iptables-save v1.8.3 on Fri Nov 13 11:06:18 2020
*mangle
:PREROUTING ACCEPT [2909518:372202251]
:INPUT ACCEPT [6437:736890]
:FORWARD ACCEPT [2902145:371347612]
:OUTPUT ACCEPT [8210:881406]
:POSTROUTING ACCEPT [2907361:371914342]
[1450:81896] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[670:35936] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 13 11:06:18 2020
# Generated by iptables-save v1.8.3 on Fri Nov 13 11:06:18 2020
*filter
:INPUT ACCEPT [7:899]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[18:2796] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[6424:734354] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3697:394428] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[8:480] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[773:68677] -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
[1634:249975] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[206:14799] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_input
[114:6475] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
[2902148:371347732] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[105961:258679763] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1421:252063] -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
[2794667:112409966] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[99:5940] -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[57:5916] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7991:826714] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[5193:630095] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:744] -A OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[5:1360] -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_lan_output
[2789:194515] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_output
[100:5971] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[8:480] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-if_Guests -m comment --comment "!fw3" -j reject
[10:1020] -A zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
[2792356:112173768] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[5:1360] -A zone_lan_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
[2796187:112667969] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[642:38520] -A zone_lan_forward -s 192.168.1.128/25 -p tcp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[1933:216264] -A zone_lan_forward -s 192.168.1.128/25 -p udp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p tcp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p udp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[2793612:112413185] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2792362:112174044] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2613:333451] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2613:333451] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[9:2104] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[9:2104] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[766:67778] -A zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1634:249975] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[206:14799] -A zone_lan_src_ACCEPT -i br-if_Guests -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[250:10000] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[3789:423656] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[2575:254784] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[114:6475] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[14:504] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[100:5971] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2789:194515] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2789:194515] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[100:5971] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Nov 13 11:06:18 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
19: br-if_Guests: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.5.0.1/16 brd 10.5.255.255 scope global br-if_Guests
       valid_lft forever preferred_lft forever
21: br-if_Trusted: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.0.1/16 brd 10.4.255.255 scope global br-if_Trusted
       valid_lft forever preferred_lft forever
23: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/14 brd 10.3.255.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
25: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth1.2 proto static src 192.168.178.20 
10.0.0.0/14 dev br-lan proto kernel scope link src 10.0.0.1 
10.4.0.0/16 dev br-if_Trusted proto kernel scope link src 10.4.0.1 
10.5.0.0/16 dev br-if_Guests proto kernel scope link src 10.5.0.1 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.178.0/24 dev eth1.2 proto kernel scope link src 192.168.178.20 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.3.255.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.4.0.0 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
local 10.4.0.1 dev br-if_Trusted table local proto kernel scope host src 10.4.0.1 
broadcast 10.4.255.255 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
broadcast 10.5.0.0 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
local 10.5.0.1 dev br-if_Guests table local proto kernel scope host src 10.5.0.1 
broadcast 10.5.255.255 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.178.0 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
local 192.168.178.20 dev eth1.2 table local proto kernel scope host src 192.168.178.20 
broadcast 192.168.178.255 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Sep  6 18:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 13 10:16 /tmp/resolv.conf
-rw-r--r--    1 root     root            35 Nov 13 10:16 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
head: /tmp/resolv.*/*: No such file or directory

if_Guests is defined in 2 zones, lan and guest. It is applied first on lan and will use the policies of the lan zone. Make sure it belongs to one zone only to avoid any issues on the firewall.

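A quick way to catch this slip before fw3 quietly resolves it: parse /etc/config/firewall and list every network that appears in more than one zone. This is an added example, not OpenWrt or fw3 code; the config text inside is constructed to reproduce the if_Guests-in-two-zones mistake, and the "first zone wins" behaviour it reports is the one described in the reply above.

```python
"""Check an OpenWrt /etc/config/firewall for networks listed in more than one zone.

Added example, not OpenWrt or fw3 code.  An interface listed in two zones is
applied on the first one and silently gets that zone's policy, so the later
zone's rules never see its traffic.  SAMPLE_FIREWALL_CONFIG is constructed to
reproduce the thread's if_Guests mix-up.
"""
import re
from collections import OrderedDict

# Constructed: if_Guests appears in both the 'lan' and the 'guest' zone.
SAMPLE_FIREWALL_CONFIG = """\
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Guests'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'if_Guests'
"""

# Corrected version: if_Guests removed from 'lan', as in the thread's follow-up.
FIXED_FIREWALL_CONFIG = SAMPLE_FIREWALL_CONFIG.replace(
    "'lan if_Trusted if_Guests'", "'lan if_Trusted'")

_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_ENTRY = re.compile(
    r"""^\s*(option|list)\s+(\S+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))\s*$""")


def parse_uci(text):
    """Return [(section_type, {key: [values]})] in file order.

    Only the subset of UCI syntax the firewall config uses is handled:
    'config <type> [name]', 'option k v' and 'list k v'.  The 'network'
    option is space separated, so it is split into individual names.
    """
    sections = []
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            key = m.group(2)
            value = next(v for v in m.groups()[2:] if v is not None)
            values = value.split() if key == "network" else [value]
            current.setdefault(key, []).extend(values)
    return sections


def zones_by_network(text):
    """Map each network to the zones listing it, in config (= fw3 apply) order."""
    result = OrderedDict()
    for stype, opts in parse_uci(text):
        if stype != "zone":
            continue
        zone = opts.get("name", ["<unnamed>"])[0]
        for net in opts.get("network", []):
            result.setdefault(net, []).append(zone)
    return result


def overlapping_networks(text):
    """Networks attached to more than one zone; zones[0] is the one fw3 applies."""
    return {net: zones for net, zones in zones_by_network(text).items()
            if len(zones) > 1}


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_FIREWALL_CONFIG),
                       ("fixed", FIXED_FIREWALL_CONFIG)):
        overlaps = overlapping_networks(cfg)
        print(f"{label}: {len(overlaps)} overlapping network(s)")
        for net, zones in overlaps.items():
            print(f"  {net}: listed in {zones}; fw3 applies the '{zones[0]}' policy")
```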

Thanks for spotting that!
Note to self: "Never touch LuCI again without double-checking the result in the config directly."
Being dyslectic also does not help ;(

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_tmp_oldlan'

But you've guessed it: no help. It's even worse now than with an incorrect firewall config.

pvedesktop@pvemobile:~$ time nslookup openwrt.org
;; connection timed out; no servers could be reached


real	0m15.009s
user	0m0.005s
sys	0m0.005s

Try to capture the packets. Install tcpdump if not there already.
tcpdump -i any -vn udp port 53
Then run the commands.

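Once the capture is in hand, the useful step is pairing each query with its reply, which shows which lookups are slow and which never get an answer at all. Added example, not code from the thread: a Python parser for this tcpdump -i any -vn output that drops the duplicate lines -i any prints for a packet seen on a bridge and its member port; SAMPLE_CAPTURE is constructed in the same format, mirroring the guest-network addresses used in the thread, with a final A query that is never answered.

```python
"""Pair DNS queries with replies in `tcpdump -i any -vn udp port 53` output.

Added example, not code from the thread.  tcpdump prints two lines per
packet (IP header, then the DNS summary); with `-i any` a packet crossing a
bridge shows up two or three times with the same IP id, so those copies are
dropped before pairing.  SAMPLE_CAPTURE is constructed in that format.
"""
import re
from collections import OrderedDict

# Constructed capture: one answered guest AAAA query (with -i any duplicates),
# the router's upstream query to 1.1.1.1, and a final A query with no reply.
SAMPLE_CAPTURE = """\
14:02:02.921513 ethertype IPv4, IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921691 IP (tos 0x0, ttl 64, id 13327, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.30236 > 1.1.1.1.53: 57888+ AAAA? openwrt.org. (29)
14:02:02.926517 ethertype IPv4, IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926605 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926611 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:03.104200 IP (tos 0x0, ttl 128, id 11224, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54692 > 10.5.0.1.53: 6+ A? openwrt.org. (29)
"""

_HEADER = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) .*\bid (\d+),.*proto UDP")
_PAYLOAD = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(\S*) (.*)$")
_QUERY = re.compile(r"\b([A-Z0-9]+)\? (\S+)")      # e.g. "AAAA? openwrt.org."
_RESPONSE = re.compile(r"\b\d+/\d+/\d+\b")         # answer/authority/additional counts


def _micros(h, m, s, frac):
    """Clock time as integer microseconds since midnight (no float rounding)."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 10**6 + int(frac.ljust(6, "0")[:6])


def parse_capture(text):
    """Return one dict per distinct DNS/UDP packet, in capture order."""
    packets, seen, header = [], set(), None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            header = m
            continue
        p = _PAYLOAD.match(line)
        if not (p and header):
            continue
        src, sport, dst, dport, qid, _flags, rest = p.groups()
        key = (header.group(5), src, sport, dst, dport, rest)  # IP id + 5-tuple
        ts = _micros(*header.groups()[:4])
        header = None
        if key in seen:                  # same packet seen on another interface
            continue
        seen.add(key)
        q = _QUERY.search(rest)
        packets.append({
            "ts_us": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "id": int(qid),
            "is_query": q is not None and not _RESPONSE.search(rest),
            "qtype": q.group(1) if q else None,
            "name": q.group(2) if q else None, "rest": rest,
        })
    return packets


def match_queries(packets):
    """Pair each query with its first reply; unanswered ones keep latency None."""
    pending, results = OrderedDict(), []
    for p in packets:
        if p["is_query"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["id"])
            if key in pending:           # same id and port again: a client retry
                pending[key]["retries"] += 1
                continue
            entry = {"client": p["src"], "server": p["dst"], "id": p["id"],
                     "qtype": p["qtype"], "name": p["name"], "sent_us": p["ts_us"],
                     "retries": 0, "latency_ms": None, "status": "unanswered"}
            pending[key] = entry
            results.append(entry)
        else:
            key = (p["dst"], p["dport"], p["src"], p["sport"], p["id"])
            entry = pending.pop(key, None)
            if entry is None:            # reply whose query was not captured
                continue
            entry["latency_ms"] = (p["ts_us"] - entry["sent_us"]) / 1000
            entry["status"] = "nxdomain" if "NXDomain" in p["rest"] else "answered"
    return results


def unanswered(results):
    """Queries that never got a reply within the capture."""
    return [r for r in results if r["status"] == "unanswered"]


if __name__ == "__main__":
    for r in match_queries(parse_capture(SAMPLE_CAPTURE)):
        lat = "no reply" if r["latency_ms"] is None else f"{r['latency_ms']:.3f} ms"
        print(f"{r['client']} -> {r['server']} {r['qtype']} {r['name']}: {r['status']} ({lat})")
```

A query that is absent from the router-side capture altogether (as with the guest client's first attempts) will not appear in the output at all, which is itself the finding: the packet was lost before it reached the router.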

On OpenWrt, running the following commands in a second ssh connection results in:

root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:56:32.008257 ethertype IPv4, IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008257 IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008257 IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008600 IP (tos 0x0, ttl 64, id 60680, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.45265 > 1.1.1.1.53: 41502+ A? openwrt.org. (29)
13:56:32.011692 ethertype IPv4, IP (tos 0x0, ttl 60, id 55608, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.45265: 41502 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011692 IP (tos 0x0, ttl 60, id 55608, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.45265: 41502 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011773 IP (tos 0x0, ttl 64, id 42313, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.5.44350: 25048 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011778 IP (tos 0x0, ttl 64, id 42313, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.5.44350: 25048 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.019986 ethertype IPv4, IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.019986 IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.019986 IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.020098 IP (tos 0x0, ttl 64, id 60681, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.26662 > 1.1.1.1.53: 42274+ AAAA? openwrt.org. (29)
13:56:32.023079 ethertype IPv4, IP (tos 0x0, ttl 60, id 21415, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.26662: 42274 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023079 IP (tos 0x0, ttl 60, id 21415, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.26662: 42274 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023147 IP (tos 0x0, ttl 64, id 42314, offset 0, flags [DF], proto UDP (17), length 85)
    10.4.0.1.53 > 10.4.4.5.39540: 62430 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023152 IP (tos 0x0, ttl 64, id 42314, offset 0, flags [DF], proto UDP (17), length 85)
    10.4.0.1.53 > 10.4.4.5.39540: 62430 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.083463 ethertype IPv4, IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083463 IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083463 IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083516 IP (tos 0x0, ttl 63, id 63408, offset 0, flags [none], proto UDP (17), length 57)
    192.168.178.20.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.089694 ethertype IPv4, IP (tos 0x0, ttl 123, id 6317, offset 0, flags [none], proto UDP (17), length 73)
    8.8.8.8.53 > 192.168.178.20.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089694 IP (tos 0x0, ttl 123, id 6317, offset 0, flags [none], proto UDP (17), length 73)
    8.8.8.8.53 > 192.168.178.20.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089712 IP (tos 0x0, ttl 122, id 6317, offset 0, flags [none], proto UDP (17), length 73)
    8.8.8.8.53 > 10.4.4.5.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089716 IP (tos 0x0, ttl 122, id 6317, offset 0, flags [none], proto UDP (17), length 73)
    8.8.8.8.53 > 10.4.4.5.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.113749 ethertype IPv4, IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113749 IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113749 IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113775 IP (tos 0x0, ttl 63, id 63412, offset 0, flags [none], proto UDP (17), length 57)
    192.168.178.20.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.125356 ethertype IPv4, IP (tos 0x0, ttl 123, id 14299, offset 0, flags [none], proto UDP (17), length 85)
    8.8.8.8.53 > 192.168.178.20.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125356 IP (tos 0x0, ttl 123, id 14299, offset 0, flags [none], proto UDP (17), length 85)
    8.8.8.8.53 > 192.168.178.20.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125374 IP (tos 0x0, ttl 122, id 14299, offset 0, flags [none], proto UDP (17), length 85)
    8.8.8.8.53 > 10.4.4.5.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125377 IP (tos 0x0, ttl 122, id 14299, offset 0, flags [none], proto UDP (17), length 85)
    8.8.8.8.53 > 10.4.4.5.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.139727 ethertype IPv4, IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139727 IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139727 IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139754 IP (tos 0x0, ttl 63, id 32765, offset 0, flags [none], proto UDP (17), length 57)
    192.168.178.20.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.144909 ethertype IPv4, IP (tos 0x0, ttl 60, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144909 IP (tos 0x0, ttl 60, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144926 IP (tos 0x0, ttl 59, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 10.4.4.5.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144929 IP (tos 0x0, ttl 59, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 10.4.4.5.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.146630 ethertype IPv4, IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146630 IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146630 IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146655 IP (tos 0x0, ttl 63, id 32767, offset 0, flags [none], proto UDP (17), length 57)
    192.168.178.20.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.149764 ethertype IPv4, IP (tos 0x0, ttl 60, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149764 IP (tos 0x0, ttl 60, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149779 IP (tos 0x0, ttl 59, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 10.4.4.5.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149782 IP (tos 0x0, ttl 59, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 10.4.4.5.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)

Since I can't ssh into OpenWrt to tcpdump when on the Guests network, I am running nslookup openwrt.org from a Windows client.
Using the Trusted network:

root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:00:16.541515 ethertype IPv4, IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
    10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541515 IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
    10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541515 IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
    10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541718 IP (tos 0x0, ttl 64, id 47456, offset 0, flags [DF], proto UDP (17), length 92)
    10.4.0.1.53 > 10.4.4.6.59184: 1* 1/0/0 1.0.4.10.in-addr.arpa. PTR OpenWrt.lan. (64)
14:00:16.541725 IP (tos 0x0, ttl 64, id 47456, offset 0, flags [DF], proto UDP (17), length 92)
    10.4.0.1.53 > 10.4.4.6.59184: 1* 1/0/0 1.0.4.10.in-addr.arpa. PTR OpenWrt.lan. (64)
14:00:16.563674 ethertype IPv4, IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563674 IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563674 IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563783 IP (tos 0x0, ttl 64, id 47457, offset 0, flags [DF], proto UDP (17), length 61)
    10.4.0.1.53 > 10.4.4.6.59185: 2 NXDomain 0/0/0 (33)
14:00:16.563788 IP (tos 0x0, ttl 64, id 47457, offset 0, flags [DF], proto UDP (17), length 61)
    10.4.0.1.53 > 10.4.4.6.59185: 2 NXDomain 0/0/0 (33)
14:00:16.566699 ethertype IPv4, IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566699 IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566699 IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566786 IP (tos 0x0, ttl 64, id 47458, offset 0, flags [DF], proto UDP (17), length 61)
    10.4.0.1.53 > 10.4.4.6.59186: 3 NXDomain 0/0/0 (33)
14:00:16.566791 IP (tos 0x0, ttl 64, id 47458, offset 0, flags [DF], proto UDP (17), length 61)
    10.4.0.1.53 > 10.4.4.6.59186: 3 NXDomain 0/0/0 (33)
14:00:16.570033 ethertype IPv4, IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570033 IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570033 IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570151 IP (tos 0x0, ttl 64, id 7380, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.56393 > 1.1.1.1.53: 30975+ A? openwrt.org. (29)
14:00:16.575775 ethertype IPv4, IP (tos 0x0, ttl 60, id 17733, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.56393: 30975 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575775 IP (tos 0x0, ttl 60, id 17733, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.56393: 30975 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575836 IP (tos 0x0, ttl 64, id 47459, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.6.59187: 4 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575840 IP (tos 0x0, ttl 64, id 47459, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.6.59187: 4 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.580136 ethertype IPv4, IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580136 IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580136 IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580228 IP (tos 0x0, ttl 64, id 7381, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.19002 > 1.1.1.1.53: 25145+ AAAA? openwrt.org. (29)
14:00:16.583373 ethertype IPv4, IP (tos 0x0, ttl 60, id 41319, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.19002: 25145 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583373 IP (tos 0x0, ttl 60, id 41319, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.19002: 25145 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583443 IP (tos 0x0, ttl 64, id 47460, offset 0, flags [DF], proto UDP (17), length 85)
    10.4.0.1.53 > 10.4.4.6.59188: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583447 IP (tos 0x0, ttl 64, id 47460, offset 0, flags [DF], proto UDP (17), length 85)
    10.4.0.1.53 > 10.4.4.6.59188: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)

Using the Guests network:

# For a long time nothing, because the nslookup on the client is timing out multiple times

# -- client output typed by me, not copied, so not verbatim
DNS request timeout was 2 seconds
Server: unknown
Address: 10.5.0.1
DNS request timeout was 2 seconds (3x)
Name: openwrt.org
Address: a non ip4 address (2a03:b0c0:3:d0::1af1:1)

# and very late in the above process, suddenly:
root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:02:02.921513 ethertype IPv4, IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921691 IP (tos 0x0, ttl 64, id 13327, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.30236 > 1.1.1.1.53: 57888+ AAAA? openwrt.org. (29)
14:02:02.926517 ethertype IPv4, IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926517 IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926605 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926611 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)

Based on all this I am guessing that I should debug the firewall. Why is it choking for a while on a DNS request from the Guests network before finally deciding to let it go through? At least I am assuming that is what is happening.

Perhaps this helps?
fw3 print

root@OpenWrt:~# fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[7] (block iot wan) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[8] (block default ipcam) does not specify a protocol, assuming TCP+UDP
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N zone_wan_dest_DROP
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_guest_input
iptables -t filter -N zone_guest_output
iptables -t filter -N zone_guest_forward
iptables -t filter -N zone_guest_src_REJECT
iptables -t filter -N zone_guest_dest_ACCEPT
iptables -t filter -N zone_guest_dest_REJECT
iptables -t filter -N input_guest_rule
iptables -t filter -N output_guest_rule
iptables -t filter -N forwarding_guest_rule
iptables -t filter -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
iptables -t filter -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
iptables -t filter -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
iptables -t filter -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -D zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
iptables -t filter -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
iptables -t filter -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
iptables -t filter -D zone_guest_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_guest_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_guest_src_REJECT -i br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_src_REJECT -i br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_guest_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -D OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -D FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -D zone_guest_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_guest_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_guest_src_REJECT -i br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_src_REJECT -i br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_guest_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_guest_postrouting
iptables -t nat -N zone_guest_prerouting
iptables -t nat -N prerouting_guest_rule
iptables -t nat -N postrouting_guest_rule
iptables -t nat -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
iptables -t nat -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -D zone_lan_prerouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -D zone_lan_prerouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -D PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -D POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
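
Two things in the dump above are worth pulling out mechanically rather than by eye: br-lan is dispatched to both the lan and the guest zone chains (INPUT/FORWARD `-i br-lan -j zone_lan_*`, and further down `-i br-lan -j zone_guest_*`), and the "block iot wan" / "block default ipcam" rules carry `-p tcp` and `-p udp` only, so anything else from those sources (ICMP, for one) falls through to the "Zone lan to wan forwarding policy" ACCEPT that follows them. The script below is an added example, not the poster's or OpenWrt's own code: it reads an fw3 `iptables` dump and reports both conditions. The rule lines embedded in it are copied from the dump above; the parser only understands the option forms fw3 prints and skips everything else.

```python
"""Static check of an fw3 iptables dump: which zone chains each interface is
dispatched to, and which source-based block rules match only some protocols.

Added example for this thread, not the poster's or OpenWrt's own code. The
rule lines in FW3_DUMP are copied from the dump above; the parser handles only
the option forms fw3 prints (-t, -A/-D, -i, -o, -p, -s, -j, -m, --comment) and
skips anything else one token at a time.
"""
import re
import shlex
from collections import defaultdict

# Excerpt of the posted fw3 dump (real lines from the thread, not constructed).
FW3_DUMP = """\
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
"""

ZONE_CHAIN = re.compile(r"^zone_(?P<zone>[^_]+)_(?P<hook>input|forward|output)$")


def parse_rule(line):
    """Reduce one 'iptables ...' command to the options this check needs."""
    argv = shlex.split(line)  # keeps the quoted --comment value as one token
    rule = {"table": "filter", "op": None, "chain": None, "in": None, "out": None,
            "proto": "all", "src": None, "target": None, "comment": ""}
    valued = {"-t": "table", "-i": "in", "-o": "out", "-p": "proto",
              "-s": "src", "-j": "target", "--comment": "comment"}
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-A", "-D", "-I"):
            rule["op"], rule["chain"] = opt, val
        elif opt in valued:
            rule[valued[opt]] = val
        elif opt != "-m":  # unknown option: skip just this token
            i += 1
            continue
        i += 2  # option plus its value (-m's value is the match name)
    return rule


def parse_dump(text):
    """Keep only -A rules: fw3 prints a -D for every rule it is about to re-add."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("iptables")]
    return [r for r in rules if r["op"] == "-A"]


def zone_dispatch(rules):
    """(hook, interface) -> zones it is sent to from INPUT/FORWARD/OUTPUT, in rule order."""
    out = defaultdict(list)
    for r in rules:
        if r["table"] != "filter" or r["chain"] not in ("INPUT", "FORWARD", "OUTPUT"):
            continue
        m = ZONE_CHAIN.match(r["target"] or "")
        if m:
            iface = r["out"] if m["hook"] == "output" else r["in"]
            out[(m["hook"], iface)].append(m["zone"])
    return dict(out)


def multi_zone_interfaces(rules):
    """Interfaces dispatched to more than one zone on the same hook.

    A zone chain that finishes without a verdict returns to the built-in chain,
    so a packet the first zone did not accept is then run through the second
    zone's rules as well."""
    return {k: v for k, v in zone_dispatch(rules).items() if len(set(v)) > 1}


def protocol_limited_blocks(rules):
    """Source-based DROP/REJECT rules in zone forward chains, grouped by comment,
    with the protocols they cover. A block that lists only tcp and udp leaves
    ICMP and every other IP protocol from that source to the zone's forwarding
    policy rule that follows it."""
    protos = defaultdict(set)
    for r in rules:
        if (r["table"] == "filter" and r["chain"].endswith("_forward") and r["src"]
                and r["target"] and r["target"].endswith(("_DROP", "_REJECT"))):
            protos[(r["comment"], r["src"])].add(r["proto"])
    return {k: sorted(v) for k, v in protos.items() if "all" not in v}


if __name__ == "__main__":
    rules = parse_dump(FW3_DUMP)
    for (hook, iface), zones in multi_zone_interfaces(rules).items():
        print(f"{iface}: {hook} dispatched to zones {zones}")
    for (comment, src), covered in protocol_limited_blocks(rules).items():
        print(f"{comment!r} from {src} matches only {covered}")
```

To run it against a live router, replace FW3_DUMP with the output of `fw3 print` (or `iptables-save -t filter` after adjusting the parser for that syntax). Rules with no `-p` at all are reported as `all` and are left out of the second report on purpose, since that is the form a block rule should take if it is meant to cover the whole source.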

Time difference between first query and first reply is under 1 second.

The client is requesting the wrong FQDN. There is a .lan at the end.

The client is asking for IPv6 address.

Yes, great, that is how it should be, right? I even think it was no more than 200 ms if I interpret it correctly.
But this is from OpenWrt itself, probably using the lan interface or the wan interface directly.

Are you sure that is the client's doing? The exact verbatim syntax I used on the client was
nslookup openwrt.org
Also, I am using the official firmware for my device, not having tinkered with FQDNs, so I would then still think this is an OpenWrt issue? Any settings I can check to see where that is coming from?

If you think it could help, I can change it around. I can have my Windows client do all the logging on OpenWrt and have my xfce4 do the DNS requesting.

Even though IPv6 is disabled on the client in the interface settings :frowning: hmm, but Windows is known for stranger things. I will change it around then and try a different FQDN.
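
The replies above name three things to look at in a capture of the guest network's DNS traffic: the time from first query to first reply, a `.lan` suffix that the client's search list appends to the name, and AAAA queries sent alongside the A queries. The script below is an added example and not something from the thread: it reads tcpdump's one-line DNS summary (what `tcpdump -n -i br-if_Guests port 53` prints on the router) and reports all three. The capture inside it is constructed, with 10.5.0.154 as the client, 192.0.2.10 as the answer and a deliberately slow AAAA reply, so the figures it prints are illustrative only.

```python
"""Query-to-reply latency, search-suffix lookups and AAAA lookups from a
tcpdump DNS summary, i.e. the three things the replies above point at.

Added example for this thread, not the poster's capture or OpenWrt code.
CAPTURE is constructed in tcpdump's one-line DNS format as printed by, for
example, `tcpdump -n -i br-if_Guests port 53`; 10.5.0.154 and the answer
192.0.2.10 are placeholders, and the slow AAAA reply is staged to show what
the report looks like when it fires.
"""
import re

# Constructed capture: a client on the guest network resolving openwrt.org with
# "search lan" in resolv.conf, so the first two lookups carry a .lan suffix.
CAPTURE = """\
13:02:11.412345 IP 10.5.0.154.51234 > 10.5.0.1.53: 42731+ A? openwrt.org.lan. (33)
13:02:11.412600 IP 10.5.0.154.51234 > 10.5.0.1.53: 42732+ AAAA? openwrt.org.lan. (33)
13:02:11.413001 IP 10.5.0.1.53 > 10.5.0.154.51234: 42731 NXDomain 0/1/0 (104)
13:02:11.413200 IP 10.5.0.1.53 > 10.5.0.154.51234: 42732 NXDomain 0/1/0 (104)
13:02:11.415000 IP 10.5.0.154.51235 > 10.5.0.1.53: 42733+ A? openwrt.org. (29)
13:02:11.415200 IP 10.5.0.154.51235 > 10.5.0.1.53: 42734+ AAAA? openwrt.org. (29)
13:02:11.690000 IP 10.5.0.1.53 > 10.5.0.154.51235: 42733 1/0/0 A 192.0.2.10 (45)
13:02:16.415200 IP 10.5.0.154.51235 > 10.5.0.1.53: 42734+ AAAA? openwrt.org. (29)
13:02:18.915200 IP 10.5.0.1.53 > 10.5.0.154.51235: 42734 0/1/0 (92)
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+*$%|-]*) (?P<body>.*) \(\d+\)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)$")


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (no wrap handling; one-day captures)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """One record per DNS packet. The client side is the source of a query and
    the destination of a reply, so both halves key on the same (client, port, id)."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a DNS summary line (or a format this parser does not know)
        body = m["body"]
        q = QUERY.match(body)
        recs.append({
            "ts": _seconds(m["ts"]),
            "key": (m["src"], m["sport"], int(m["id"])) if q else (m["dst"], m["dport"], int(m["id"])),
            "query": q is not None,
            "qtype": q["qtype"] if q else None,
            "qname": q["qname"] if q else None,
            # replies start with an answer/authority/additional count triple on
            # success, or with the rcode name (NXDomain, ServFail, ...) otherwise
            "rcode": None if q else ("NOERROR" if body[:1].isdigit() else body.split()[0]),
        })
    return recs


def transactions(recs):
    """Pair each query with its first reply, timed from the first query: the
    'first query to first reply' figure used in the thread. Retransmissions
    reuse the id and are counted in 'retries' instead of resetting the clock."""
    txn = {}
    for r in recs:
        t = txn.get(r["key"])
        if r["query"]:
            if t is None:
                txn[r["key"]] = {"qname": r["qname"], "qtype": r["qtype"], "first_query": r["ts"],
                                 "retries": 0, "reply": None, "rcode": None}
            else:
                t["retries"] += 1
        elif t is not None and t["reply"] is None:
            t["reply"], t["rcode"] = r["ts"], r["rcode"]
    for t in txn.values():
        t["latency"] = None if t["reply"] is None else round(t["reply"] - t["first_query"], 6)
    return list(txn.values())


def report(txns, search_suffix="lan", slow_after=1.0):
    """Summarise: unanswered queries, slow ones, names carrying the resolver's
    search suffix, and AAAA lookups made alongside the A lookups."""
    suffix = "." + search_suffix.strip(".") + "."
    answered = [t for t in txns if t["latency"] is not None]
    return {
        "total": len(txns),
        "unanswered": [t["qname"] for t in txns if t["reply"] is None],
        "slow": [(t["qname"], t["qtype"], t["latency"]) for t in answered if t["latency"] >= slow_after],
        "search_suffixed": sorted({t["qname"] for t in txns if t["qname"].endswith(suffix)}),
        "aaaa": [t["qname"] for t in txns if t["qtype"] == "AAAA"],
        "max_latency": max((t["latency"] for t in answered), default=None),
    }


if __name__ == "__main__":
    for k, v in report(transactions(parse_capture(CAPTURE))).items():
        print(f"{k}: {v}")
```

On OpenWrt tcpdump is an opkg package, not part of the base image. Paste a real capture into CAPTURE and read `unanswered` and `slow` first; `search_suffixed` being non-empty just reflects the `search lan` line in the client's resolv.conf, and a `.lan` name that gets a fast NXDOMAIN is not where the delay comes from.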