Firewall failure due to ipip6 after every reboot

I have an x86 box; now I have to flip the "Software flow offloading" option in order to get IPv4 Internet access from lan after every reboot once the wan interface is up. IPv6 works well.

Route tracing to any wan IPv4 address from lan devices also ends up at the router, with all hops from 2 onward not responding or not showing.

Probably the issue is not related to "Software flow offload", because there is no Internet access from LAN except for the router itself, no matter whether "Software flow offloading" is on or off.

However, when I turn "Software flow offloading" on or off, all lan devices get Internet access until the next reboot.

Because the router is in the production environment of my store, currently I have no choice other than adding the following to the startup script.

uci set firewall.@defaults[0].flow_offloading=1
uci commit firewall
uci set firewall.@defaults[0].flow_offloading=0
uci commit firewall

Anyone have a better idea for this?

Update

I found that the firewall is malfunctioning after I added an ipip6 tunnel for IPv4 connectivity: it is started but not doing any NAT; fw4 reload solved this.

What I did before is nonsense, because uci reloads the firewall after changes are committed. (I found that when I change any firewall-related config it returns to normal.)

Now startup script can be simplified as below.

fw4 reload

I am still trying to figure out what causes this issue.

I don't know how SW Offload behaves in this case:
by default, only 1 LAN port on x86 is active and part of the LAN zone; you have to add the remaining LAN ports manually and save the config.

And this looks a bit like your config is not saved/preserved over reboots.

Prominent reasons for that could be a broken SSD device (which has switched to read-only mode), using a RAM OpenWRT image, or being out of free space on the overlay partition. Maybe there are more reasons.

Which image and version are you using?

Please add outputs of:

ubus call system board
cat /etc/config/firewall
nft list ruleset | head -20

Feel free to replace secrets with asterisks.

Output of ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "********",
        "system": "Intel(R) Celeron(R) N5105 @ 2.00GHz",
        "model": "Techvision TVI7309X",
        "board_name": "techvision-tvi7309x",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

Content of /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wgtunnel'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'
        list network 'wan'
        list network 'wan6'
        list network 'wan6pd'
        list network 'wanb'
        list network 'wand'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPsrv'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option family 'ipv4'
        option dest_ip '**********'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPSsrv'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option family 'ipv4'
        option dest_ip '**********'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DTV_TUNER'
        option family 'ipv4'
        option src 'wan'
        option src_dport '*****'
        option dest_port '*****'
        option dest_ip '**********'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '*********'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '****'
        option dest_ip '**********'
        option dest_port '****'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'L2TP500'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '500'
        option dest_ip '**********'
        option dest_port '500'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'L2TP4500'
        list proto 'udp'
        option src 'wan'
        option src_dport '4500'
        option dest_ip '**********'
        option dest_port '4500'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '**********'
        option family 'ipv4'
        option src 'wan'
        option src_dport '****'
        option dest_ip '**********'
        option dest_port '****'

config rule
        option name 'Allow-Wireguard'
        option family 'ipv4'
        list proto 'udp'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '*******'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '********'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '****'
        option dest_ip '*********'
        option dest_port '****'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '******'
        option family 'ipv4'
        option src 'wan'
        option src_dport '********'
        option dest_ip '********'
        option dest_port '****'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

Output of nft list ruleset | head -20

table inet fw4 {
        ct helper amanda {
                type "amanda" protocol udp
                l3proto inet
        }

        ct helper ftp {
                type "ftp" protocol tcp
                l3proto inet
        }

        ct helper RAS {
                type "RAS" protocol udp
                l3proto inet
        }

        ct helper Q.931 {
                type "Q.931" protocol tcp
                l3proto inet
        }

I wrote the 23.05.5 x86_64 generic-ext4-combined-efi image retrieved from downloads.openwrt.org to disk directly.

I resized / to 1GiB and created another ext4 partition on the remaining space for my plan to use lxc and docker. Currently I have not mounted that new partition, nor installed lxc and docker.

At first I thought about partition corruption because of the newer version of resize2fs. So I tried writing that image without resizing; nothing helped.

Then I found out that when I added the ipip6 tunnel for the IPv4 connection, the firewall only works properly after a reload on every reboot.

I am still trying to figure out what causes this.


You can remove the extra conntrack helpers (package) for clarity if you do not use those protocols.
The default package has only legacy ftp.

Please run fw4 check and examine its output; nothing seems immediately wrong.

do you use wg to connect homes or to access internet?

Yes, I use WireGuard for remote work.

After talking with the author of the ipip6 script, it seems like the part of the script that gets port access didn't address fw4 well, causing the disappearance of all the fw4 rules. There are also 22.03/23.05 users seeking help about this in Japanese forums.

Because there is little need for a static IPv4 address over ipip6 in Japan with OpenWrt, this issue was found too late. The fix will be merged into the ds-lite package ASAP. Because this script is based on a clean-room implementation of proprietary router firmware, it may take a long time to address this.

Currently, reloading on start is the best temporary solution.

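A boot-time guard for the workaround described in the update and in the post above, written as an added example for this thread (it is not the OP's startup script and not part of the ds-lite package): instead of reloading fw4 blindly, it inspects the live ruleset for the wan zone's masquerade rule and only reloads when NAT is actually missing. It assumes the zone is named wan as in the posted /etc/config/firewall, and that fw4 renders option masq '1' as a chain named srcnat_wan containing a masquerade verdict.

```shell
#!/bin/sh
# Constructed example for /etc/rc.local (not the thread author's script).
# Assumed fw4 naming: zone "wan" -> chain "srcnat_wan" with a masquerade rule.

# fw4_nat_present RULESET_TEXT ZONE
# Returns 0 when the text contains "table inet fw4" and a srcnat_<zone>
# chain that holds a masquerade rule; returns 1 otherwise.
fw4_nat_present() {
    ruleset=$1
    zone=$2
    printf '%s\n' "$ruleset" | grep -q '^table inet fw4 {' || return 1
    # Print only the body of chain srcnat_<zone>, then look for masquerade.
    printf '%s\n' "$ruleset" \
        | awk -v c="chain srcnat_${zone} {" \
            'index($0, c) { f = 1; next } f && /^[[:space:]]*}/ { exit } f' \
        | grep -q 'masquerade'
}

# ensure_fw4 ZONE [TRIES] [DELAY]
# Polls the live ruleset after boot and runs "fw4 reload" only while the
# zone's NAT rule is missing. Returns 0 once NAT is present, 1 if it never is.
ensure_fw4() {
    zone=$1; tries=${2:-5}; delay=${3:-2}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if fw4_nat_present "$(nft list ruleset 2>/dev/null)" "$zone"; then
            return 0
        fi
        logger -t fw4-guard "fw4 NAT for zone $zone missing, reloading"
        fw4 reload
        i=$((i + 1)); sleep "$delay"
    done
    return 1
}

# Constructed sample rulesets (not captured from the thread's router), used
# to exercise the parser without touching nft on the host.
SAMPLE_OK='table inet fw4 {
	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}
}'
SAMPLE_BROKEN='table inet fw4 {
	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}
}'
```

On the router, call `ensure_fw4 wan` from /etc/rc.local; the samples above only serve to check the parser off-box.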

You can upload their testing script directly to the device, nothing that config parameters could save.