Enable Conntrack in FW4 without masquerade

I have just updated my MikroTik router to OpenWrt 22.03.02, and therefore to fw4. My configuration has a Verizon Fios router at the edge, and then the OpenWrt router inside of that. I have disabled masquerading on the OpenWrt router in order to avoid a double NAT, and have used this in the WAN zone config to support a stateful firewall:

option masq '0'
option mtu_fix '1'
option conntrack '1'

I get this error message when I restart the firewall:

Section @zone[1] (wan) specifies unknown option 'conntrack'

It would appear that this option is not supported in the current release. Can someone advise on a workaround for it?

What model Verizon router?

Since I am unable to set up a static route in the G-series routers, I could not disable masquerade in OpenWrt. Also some devices won't masquerade for a subnet not configured on it - I never got to the steps to test on a G-series device.

Hence my OpenWrt is the border device and the Verizon device sits downstream.

The Fios router is a G-1100. I created my static routes under Advanced > Routing. I set the WAN IP on my OpenWrt to a static address in the G-1100’s subnet. This address is the gateway for my G routes.

The Verizon device wasn't very intuitive. It took some time and guesswork to figure it out.

1 Like

What documentation led you to believe that you need to add that unknown option?

1 Like

There have been references in prior forum posts that the option was needed if you were not masquerading. This is one that I saw from today which was posted in October 2022 - https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_examples. I have seen other similar posts previously, and I have had the option included in older OpenWrt versions. It made stateful rules work. To be clear, the official documentation was always silent on the topic.

With all of this said, I have been doing a ton of reading on nftables and fw4 over the past 12 hours or so. The best I can tell, at least in current fw4, connection tracking is always enabled, regardless of whether NAT is used. I did some testing, and it appears to be working.

Does that sound right to you?

If you have enough space you can install the conntrack tools to inspect the connections and their state.

There's a big fat warning on that section that mentions conntrack, and it might be something that existed before fw4, I can't check.
Anyway, does this return nothing?

cat /proc/net/nf_conntrack

Or why are you chasing rabbits? Are the firewall rules not working?

1 Like

I recall in much older OpenWrt versions, you did have to enable conntrack to firewall un-masqueraded traffic. I had a public subnet through a tunnel, and (as I recall) it would not firewall until I did so.

Notes I made for that organization's Wiki say "14.07 or greater" - meaning older versions needed it. Quite long ago now.

It has been an issue in prior versions and the option for enabling conntrack worked. I always start with my prior working configuration when I upgrade (unless there is documentation that something changed), and troubleshoot from there. That is all I was doing here. Additionally, all that warning says that it should theoretically work, but he hasn’t tested it. I doubt he would have invented that specific option, that is identical to prior posts, unless he had seen it before.

With regard to chasing rabbits, I’m not going back to document old posts and linking them here in order to prove myself. They exist if you want to google them. What would actually be helpful would be to update the documentation to tell users that conntrack is always turned on in 22.03+. I would do it myself if someone would tell me how. Given prior posts, I can’t be the only one, although I’m sure it is a corner case.

No need to prove yourself or feel offended. In a thread where I asked such a question, this is the command that you'd use to test. What are the results?

Conntrack should work on 14.07 or newer without the config.

EDIT: I've verified that conntrack works on 22.03.3 without the config. I see the connections on my un-masqueraded networks and interfaces.

No need to prove yourself or feel offended

Sorry I took offense. Tone can be so difficult to interpret in writing sometimes.

cat /proc/net/nf_conntrack

It did work. That is something I discovered when I was teaching myself how the firewall actually works yesterday. I will say that many things about the firewall were a mystery to me, but my understanding is now much clearer. I am in the process of updating and testing.

I am serious about the documentation though. I’m not certain I would have access to update it, but it should be done and I’m happy to help.

1 Like
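As an added example (not from any poster in this thread), a small script that reads /proc/net/nf_conntrack output and, for flows originating in a given LAN prefix, reports the tracked state and whether the reply direction comes back to the original source (tracked without NAT) or to a different address (masqueraded). The sample entries, addresses and the 192.168.10.0/24 prefix are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of /proc/net/nf_conntrack lines (not captured from a real router).
# Entry 3 deliberately shows a masqueraded flow: the reply dst is the router's WAN address.
CT_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.20 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.10.20 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.10.21 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=192.168.10.21 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.10.20 dst=203.0.113.9 sport=51300 dport=80 src=203.0.113.9 dst=192.168.1.2 sport=80 dport=51300 [ASSURED] mark=0 zone=0 use=2'

# ct_summary LAN_PREFIX [FILE]
# Prints one line per flow whose original source starts with LAN_PREFIX:
#   <proto> <state> <orig src> -> <orig dst> <tracked|natted>
# "tracked" means the reply-direction dst equals the original src, i.e. the
# flow is in the conntrack table without any NAT applied; "natted" means the
# reply is addressed to something else (what masquerade produces).
# FILE defaults to the live table; pass "-" to read from stdin.
ct_summary() {
    prefix=$1
    file=${2:-/proc/net/nf_conntrack}
    awk -v p="$prefix" '
    {
        proto = $3; state = "-"; osrc = odst = rdst = ""; n = 0
        for (i = 4; i <= NF; i++) {
            # TCP state tokens are bare upper-case words (UDP entries have none)
            if ($i ~ /^[A-Z_]+$/) state = $i
            else if ($i ~ /^src=/) { n++; if (n == 1) osrc = substr($i, 5) }
            else if ($i ~ /^dst=/) { if (n == 1) odst = substr($i, 5); else rdst = substr($i, 5) }
        }
        if (index(osrc, p) != 1) next
        printf "%s %s %s -> %s %s\n", proto, state, osrc, odst, (rdst == osrc ? "tracked" : "natted")
    }' "$file"
}

# Demo on the constructed sample; on a router run: ct_summary 192.168.10.
printf '%s\n' "$CT_SAMPLE" | ct_summary 192.168.10. -
```

On an OpenWrt box with masq '0' on the WAN zone, every LAN flow should report "tracked"; a "natted" line means some NAT rule is still in play for that flow.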

You can have a working firewall without connection tracking, but this is something you would have done in the early 90s. If you want to accept packets as early as possible because the connection was accepted before and is now established or related, you want to have conntrack enabled.

1 Like

Feel free to see the thread about how to get a Wiki account. Since I'm not quite sure what page or text (and I never understood the Wiki to say that) - feel free to edit the concerning portions.

1 Like

Thanks, got it.

2 Likes

The link posted above (IPv4 firewall examples) has a "fw3" in the name so I'm guessing it was written a while ago and not updated. But removing it isn't a solution either, since older releases that are not switched to nftables & fw4 are still maintained. And editing all those wiki pages to mention what settings apply to what version would be a lot of work.
And since the change from iptables to nftables and from fw3 to fw4 is mentioned in the 22.03 release notes, one should expect changes.
Short page that explains a few changes:

1 Like