Failing to configure ip forwarding, do I need to use nft on openwrt?

Hi,

I am trying to use an OpenWrt box as a basic router, no NAT or PBR or firewall. Just forward IP between interfaces. The OpenWrt box has one WireGuard interface configured and WireGuard works perfectly. I am failing miserably at getting IP forwarding to work though.

I have unconfigured everything in the firewall settings via LuCI. So to my understanding this is just a machine with a number of network interfaces and IP forwarding enabled. When I am on the OpenWrt router I can reach all IP neighbours just fine: uplink router, wifi clients, the whole internet. But wifi stations cannot access anything but their own network. Not even the other interface on the OpenWrt box.

I suspect I need to set up nft properly? Which is odd, though I have never used nftables before. Am I right? Can you point out where to look, please?

My settings are:


root@OpenWrt:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@OpenWrt:~# ip a sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc fq_codel state UP qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52eb:f6ff:fe86:6d10/64 scope link 
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::52eb:f6ff:fe86:6d10/64 scope link 
       valid_lft forever preferred_lft forever
4: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde2:6570:9e18::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::52eb:f6ff:fe86:6d10/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:eb:f6:86:6d:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52eb:f6ff:fe86:6d14/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:eb:f6:86:6d:10 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52eb:f6ff:fe86:6d10/64 scope link 
       valid_lft forever preferred_lft forever
13: WG0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.100.2/32 brd 255.255.255.255 scope global WG0
       valid_lft forever preferred_lft forever


root@OpenWrt:~# ip ro sh
default dev WG0 scope link 
xxx.xxx.xxx.xxx via 192.168.0.1 dev wan 
192.168.0.0/24 dev wan scope link  src 192.168.0.2 
192.168.50.0/24 dev br-lan scope link  src 192.168.50.1 

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fde2:6570:9e18::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.50.1'
network.wan=interface
network.wan.device='wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.0.2'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.0.1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.WG0=interface
network.WG0.proto='wireguard'
network.WG0.private_key='##########################g='
network.WG0.addresses='192.168.100.2'
network.@wireguard_WG0[0]=wireguard_WG0
network.@wireguard_WG0[0].description='ozzy'
network.@wireguard_WG0[0].public_key='#################Q='
network.@wireguard_WG0[0].endpoint_host='correct.whatever.com'
network.@wireguard_WG0[0].endpoint_port='xxxxx'
network.@wireguard_WG0[0].route_allowed_ips='1'
network.@wireguard_WG0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_WG0[0].persistent_keepalive='25'


root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'

root@OpenWrt:~# nft list ruleset
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
}

chain forward {
type filter hook forward priority filter; policy accept;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
}

chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
}

chain prerouting {
type filter hook prerouting priority filter; policy accept;
}

chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}

chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}

chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
}

chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}

chain raw_output {
type filter hook output priority raw; policy accept;
}

chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}

chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}

chain mangle_input {
type filter hook input priority mangle; policy accept;
}

chain mangle_output {
type route hook output priority mangle; policy accept;
}

chain mangle_forward {
type filter hook forward priority mangle; policy accept;
}
}

root@OpenWrt:~# arp -a
IP address       HW type     Flags       HW address            Mask     Device
192.168.50.233   0x1         0x2         3c:22:fb:62:1c:60     *        br-lan
192.168.0.1      0x1         0x2         dc:e3:05:32:c0:9a     *        wan
192.168.0.12     0x1         0x2         3c:06:30:3c:01:6d     *        wan

Thanks for any advice.

Hi, fixed it. Just to close the topic for whoever will be looking: I did have to configure nftables to get forwarding between interfaces to work.

I created zones for each interface, and then got the firewall configured to allow forwarding between these zones. And that finally enabled IP forwarding.
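The zone-based setup the reply describes, written out as an added example (this is not configuration from the thread or from the OpenWrt project). It writes an `/etc/config/firewall` in the UCI syntax fw4 reads, using the network names from the original post (`lan`, `wan`, `wan6`, `WG0`); the policies, the `masq` choice and the two check functions are this example's own assumptions. The commented-out `defaults`-only form at the top is the one the post ran with: with `input 'ACCEPT'` and no zones, the router's own ssh, LuCI and DNS are reachable from the uplink and the tunnel, and fw4 emits no per-zone forwarding at all. The zone form below it rejects input on the wan side and adds exactly one forwarding, lan to wan.

```shell
#!/bin/sh
# Added example, not from the thread: a zone-based fw4 config for the
# interfaces in the original post, plus two small checks on the result.

# Write the zone-based firewall config to $1 (default: /etc/config/firewall).
write_firewall_config() {
    path="${1:-/etc/config/firewall}"
    cat > "$path" <<'EOF'
# Weak form from the original post: only "defaults", everything ACCEPT, no
# zones. The router's own services are then open on every interface.
#
# config defaults
#     option input 'ACCEPT'
#     option output 'ACCEPT'
#     option forward 'ACCEPT'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The bridge with the wifi stations: may talk to the router itself.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Uplink and WireGuard tunnel: nothing reaches the router's own sockets from
# here. 'masq' is the stock OpenWrt choice (this example's assumption); drop
# it only if the upstream router and the WireGuard peer have a return route
# for 192.168.50.0/24, otherwise replies never come back.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'WG0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The inter-zone forwarding the post was missing; replies pass via conntrack.
config forwarding
	option src 'lan'
	option dest 'wan'
EOF
}

# Number of "config forwarding" sections in a UCI firewall file: zero means
# fw4 never forwards between zones, whatever the defaults section says.
count_forwardings() {
    grep -c '^config forwarding' "$1"
}

# Print the zones whose input policy is ACCEPT, i.e. the interfaces from which
# the router's own services are reachable. Expect only 'lan' here.
zones_with_open_input() {
    awk -v q="'" '
        $1 == "config"                    { zone = ""; next }
        $1 == "option" && $2 == "name"    { gsub(q, "", $3); zone = $3; next }
        $1 == "option" && $2 == "input"   { gsub(q, "", $3)
                                            if ($3 == "ACCEPT" && zone != "") print zone }
    ' "$1"
}

# Reload fw4 on a real OpenWrt box; elsewhere just report so the file can be
# inspected first.
apply_firewall_config() {
    if command -v fw4 >/dev/null 2>&1; then
        /etc/init.d/firewall reload
    else
        echo "fw4 not found: config written but not applied" >&2
    fi
}

# Usage: sh fwzones.sh /etc/config/firewall  (writes, checks, then reloads)
if [ "$#" -gt 0 ]; then
    write_firewall_config "$1"
    echo "forwardings: $(count_forwardings "$1")"
    echo "zones accepting input: $(zones_with_open_input "$1" | tr '\n' ' ')"
    apply_firewall_config
fi
```

Run it with a scratch path first (`sh fwzones.sh /tmp/firewall.test`) and read the two check lines; if the "zones accepting input" list shows anything but `lan`, the uplink or tunnel side can reach the router's management services.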

If you do not need, want or use the firewall, you can also just stop and disable the firewall service.

Thank you. But without an nftables config, with just forwarding configured, I could not even ping the other interface on the same OpenWrt box (192.168.0.1) from a wifi station (192.168.50.222). Even when I stopped nftables. So I just got nft configured as many mentioned here on the forums. It worked.

I see your point though. To me it should have worked as long as IP forwarding was enabled in the kernel. The firewall should not interfere with this, or so I thought. Likely I am missing something here. Well, I am not a network guy anyway, so I will just leave it as it is :)

Thank you again for the reply anyway!