Issues with DNS hijacking (edited; original title: Issues with wwan firewall config)

I've recently gotten my router up and running thanks to the forum and the users who came before me with issues similar to the ones I've been having. I was able to get my Quectel modem working and configure it to send traffic to my router at home, but now I'm randomly running into configuration issues as I'm trying to make some firewall rules and port forwards.

Issue: trying to add a port forward rule to do DNS hijacking, and it's not reloading the firewall.

It returns this error:

root@OpenWrt:~# service firewall restart
/dev/stdin:18:9-19: Error: redefinition of symbol 'wan_devices'
        define wan_devices = { "wwan0" }
               ^^^^^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.

Current base firewall config is as follows:
lan --> vpn input, output, forward all accept, masquerading on
vpn ---> wan/ lan input accept, output accept, forward accept, masquerading on
lan --> wan reject
wan --> )()()() reject accept reject for both masquerading and non masquerading

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config zone
        option name 'wan'
        list network 'wwan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'tailscale'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'Force DNS'
        option src 'lan'
        option src_dport '53'

When I go into LuCI to see if there was an issue with the interfaces I set up for wwan, I get this error:

RPCError

RPC call to uci/get failed with ubus code 9: Unspecified error at ClassConstructor.handleCallReply (http://172.31.128.1/luci-static/resources/rpc.js?v=git-23.236.53405-fc638c8:15:3)

Here are the steps I used to create the setup so far:

Added the following config to /etc/config/network:

config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'internet'
        option pdptype 'ip'

uqmi -d /dev/cdc-wdm0 --start-network --apn internet

Installed tailscale.
Configured the firewall port forwards to be what you see above.

I figured out what the issue was. I had two blocks for the wan zone because I thought they would get bundled together. Once I moved list network 'wwan' out of its own block and into the original wan zone block, it worked fine.

However, my DNS hijacking still isn't working properly. I'm also still getting the RPC error shown in the first post.
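The "redefinition of symbol 'wan_devices'" error in the first post and the fix in the reply (one zone block per name) both come down to the same check: fw4 renders one nft `define <zone>_devices` per zone name, so a second `config zone` block with the same name produces a duplicate define. The script below is an added example, not code from the thread or from OpenWrt: it scans a UCI firewall file for zone names defined more than once and prints the combined `list network` entries the single merged zone should carry. The sample config it parses is constructed to reproduce the poster's mistake (a trimmed version of the config above, not their full file); it assumes zone and network names contain no whitespace and that a POSIX awk is available (busybox awk on the router works too).

```shell
#!/bin/sh
# Added example (not from the original thread): pre-restart sanity check for
# an OpenWrt UCI firewall file. fw4 emits one nft "define <zone>_devices" per
# zone *name*, so two "config zone" blocks sharing a name render as two
# defines and "service firewall restart" aborts with
# "redefinition of symbol 'wan_devices'".
# Assumptions: zone and network names contain no whitespace; POSIX awk.

# Constructed sample config reproducing the mistake: 'wan' is declared twice,
# the second block only adding the wwan interface.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'tailscale'
        list network 'tailscale'

config zone
        option name 'wan'
        list network 'wwan'
        option input 'REJECT'
EOF

# Print every zone name that is defined by more than one "config zone" block.
duplicate_zones() {
    awk -v q="'" '
        function clean(v) { gsub(q, "", v); gsub(/"/, "", v); return v }
        $1 == "config" { in_zone = ($2 == "zone"); next }
        in_zone && $1 == "option" && $2 == "name" { count[clean($3)]++ }
        END { for (n in count) if (count[n] > 1) print n }
    ' "$1"
}

# Print the union of "list network" entries across all zone blocks named $2,
# one per line in file order: the list the merged zone needs.
zone_networks() {
    awk -v q="'" -v want="$2" '
        function clean(v) { gsub(q, "", v); gsub(/"/, "", v); return v }
        function flush() {
            if (in_zone && name == want) printf "%s", nets
            in_zone = 0; name = ""; nets = ""
        }
        $1 == "config" { flush(); in_zone = ($2 == "zone"); next }
        in_zone && $1 == "option" && $2 == "name"    { name = clean($3) }
        in_zone && $1 == "list"   && $2 == "network" { nets = nets clean($3) "\n" }
        END { flush() }
    ' "$1"
}

# Return 0 if the file has no duplicate zones, 1 otherwise, so it can gate a
# "service firewall restart" in a script. On failure it prints the merged
# "list network" lines to paste into the one surviving zone block.
check_firewall_config() {
    dups=$(duplicate_zones "$1")
    if [ -n "$dups" ]; then
        for z in $dups; do
            echo "zone '$z' is defined more than once; merge its blocks into one carrying:"
            zone_networks "$1" "$z" | sed -e "s/^/        list network '/" -e "s/\$/'/"
        done
        return 1
    fi
    echo "no duplicate zones in $1"
    return 0
}

check_firewall_config "$SAMPLE" || echo "fix /etc/config/firewall before running: service firewall restart"
```

On the router itself the same information is available without a script: `uci show firewall | grep "=zone$"` lists every zone section, and `fw4 print` renders the nft ruleset so the duplicate `define wan_devices` lines are visible before a restart is attempted. For the separate DNS hijack problem, the first thing to confirm after a clean restart is that the redirect was rendered at all (`nft list ruleset | grep 'dport 53'`), since a failed restart leaves the old ruleset in place and the new redirect never takes effect.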
