Firewall forward rule isn't stateful?

I have a dumb AP on a different subnet than my "management" LAN. I need to be able to SSH into it from a device in the management LAN. I created this firewall rule to allow SSH to forward from the management LAN to the dumb AP:

config rule
        option src 'lan'
        option dest 'aplan'
        option name 'Allow-SSH-AP'
        option family 'ipv4'
        list proto 'tcp'
        list dest_ip '192.168.152.2'
        option dest_port '22'
        option target 'ACCEPT'

But this doesn't work as I expected (clearly I'm misunderstanding). I thought the firewall was stateful in that this rule would allow the forward and also allow the return traffic. But the return traffic is being dropped between lan and aplan according to tcpdump:

# tcpdump -ni br-lan port 22 and not host 192.168.150.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:53:44.986328 IP 192.168.150.175.35390 > 192.168.152.2.22: Flags [S], seq 2914023664, win 64240, options [mss 1460,sackOK,TS val 623910729 ecr 0,nop,wscale 7], length 0
10:53:46.044082 IP 192.168.150.175.35390 > 192.168.152.2.22: Flags [S], seq 2914023664, win 64240, options [mss 1460,sackOK,TS val 623911787 ecr 0,nop,wscale 7], length 0
10:53:47.066956 IP 192.168.150.175.35390 > 192.168.152.2.22: Flags [S], seq 2914023664, win 64240, options [mss 1460,sackOK,TS val 623912810 ecr 0,nop,wscale 7], length 0
10:53:48.091457 IP 192.168.150.175.35390 > 192.168.152.2.22: Flags [S], seq 2914023664, win 64240, options [mss 1460,sackOK,TS val 623913834 ecr 0,nop,wscale 7], length 0
# tcpdump -ni br-aplan port 22
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-aplan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:54:52.702535 IP 192.168.150.175.46702 > 192.168.152.2.22: Flags [S], seq 3238024325, win 64240, options [mss 1460,sackOK,TS val 623978445 ecr 0,nop,wscale 7], length 0
10:54:52.703034 IP 192.168.152.2.22 > 192.168.150.175.46702: Flags [S.], seq 3272355192, ack 3238024326, win 65160, options [mss 1460,sackOK,TS val 1279495327 ecr 623978445,nop,wscale 7], length 0
10:54:53.755578 IP 192.168.150.175.46702 > 192.168.152.2.22: Flags [S], seq 3238024325, win 64240, options [mss 1460,sackOK,TS val 623979498 ecr 0,nop,wscale 7], length 0
10:54:53.756037 IP 192.168.152.2.22 > 192.168.150.175.46702: Flags [S.], seq 3272355192, ack 3238024326, win 65160, options [mss 1460,sackOK,TS val 1279496380 ecr 623978445,nop,wscale 7], length 0
10:54:54.779293 IP 192.168.150.175.46702 > 192.168.152.2.22: Flags [S], seq 3238024325, win 64240, options [mss 1460,sackOK,TS val 623980522 ecr 0,nop,wscale 7], length 0

Where 192.168.150.175 is my LAN client and 192.168.152.2 is the dumb AP. You can see in the second tcpdump that responses are coming back from the AP, but in the first tcpdump, they are not arriving at the management LAN.

What is my misunderstanding of how this rule works, and how can I make it work correctly?

You have zones lan and aplan, right, and lan is the trusted/main/management LAN. Why not simply allow zone forwarding from lan to aplan?

That's worth considering, and thank you for pointing it out, but I'd still like to know why my existing rule fails, or given your suggestion, why the blanket zone forward would work but this rule does not...

Update: I tried just allowing zone forward from lan to aplan as suggested by @grrr2, but that doesn't actually work either. The responses from the AP are visible on aplan but get dropped before getting back to lan.

Please post /etc/config/firewall and ubus call system board.

Your packet trace does indicate some kind of NAT (and you are hiding it).

# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'aplan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        list network 'aplan'

config zone
        option name 'boxes'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option family 'ipv4'
        list network 'boxes'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'Mullvad'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'
        list network 'Mullvad'

config zone
        option name 'my-wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'my-wg'

config zone
        option name 'ZT_BR'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'ZT_BR'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping-WAN'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option limit '10/second'

config rule
        option name 'Allow-Ping-my-wg'
        option src 'my-wg'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP-WAN'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP-my-wg'
        option src 'my-wg'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6-WAN'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6-my-wg'
        option src 'my-wg'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD-WAN'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-MLD-my-wg'
        option src 'my-wg'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-ICMPv6-Input-WAN'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-ICMPv6-Input-my-wg'
        option src 'my-wg'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-ICMPv6-Forward-WAN'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-ICMPv6-Forward-my-wg'
        option src 'my-wg'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-IPSec-ESP-LAN'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-aplan'
        option src 'wan'
        option dest 'aplan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-LAN'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-aplan'
        option src 'wan'
        option dest 'aplan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'aplan'
        option dest 'wan'

config rule
        option src 'guest'
        option name 'Allow-DNS-guest'
        option dest_port '53'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-guest'
        option family 'any'
        option src 'guest'
        option src_dport '53'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-aplan'
        option family 'any'
        option src 'aplan'
        option src_dport '53'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-LAN'
        option family 'any'
        option src 'lan'
        option src_dport '53'

config rule
        option src 'guest'
        option name 'Allow-DHCP-guest'
        option family 'ipv4'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option dest 'wan'
        option name 'Allow-HTTP/S-guest'
        option family 'ipv4'
        list proto 'tcp'
        option dest_port '80 443'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'Mullvad'

config forwarding
        option src 'lan'
        option dest 'my-wg'

config rule
        option src 'my-wg'
        option dest 'lan'
        option name 'Allow-SSH-LAN-my-wg'
        option family 'ipv4'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option src 'my-wg'
        option name 'Allow-SSH-OpenWrt-my-wg'
        option family 'ipv4'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option src 'my-wg'
        option dest 'aplan'
        option name 'Allow-SSH-One-my-wg'
        list proto 'tcp'
        list dest_ip '192.168.152.2'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'lan'
        option dest 'aplan'
        option name 'Allow-SSH-One-LAN'
        option family 'ipv4'
        list proto 'tcp'
        list dest_ip '192.168.152.2'
        option dest_port '22'
        option target 'ACCEPT'

config forwarding
        option src 'ZT_BR'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'ZT_BR'

config rule
        option src '*'
        option name 'Allow-ZeroTier-Primary'
        list proto 'udp'
        option dest_port '9994'
        option target 'ACCEPT'

config rule
        option src '*'
        option name 'Allow-ZeroTier-Secondary'
        list proto 'udp'
        option dest_port '29994'
        option target 'ACCEPT'

config rule
        option dest 'aplan'
        option name 'Allow-NTP-From-OpenWrt'
        option family 'ipv4'
        list proto 'udp'
        option dest_port '123'
        option target 'ACCEPT'
        list dest_ip '192.168.152.2'

config rule
        option src 'lan'
        option dest 'aplan'
        option name 'Allow-NTP-From-LAN'
        option family 'ipv4'
        option dest_port '123'
        option target 'ACCEPT'
        list dest_ip '192.168.152.2'
        list proto 'udp'

config rule
        option src 'boxes'
        option dest 'aplan'
        option name 'Allow-NTP-From-boxes'
        option family 'ipv4'
        list proto 'udp'
        list dest_ip '192.168.152.2'
        option dest_port '123'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option dest 'aplan'
        option name 'Allow-NTP-From-guest'
        list proto 'udp'
        list dest_ip '192.168.152.2'
        option dest_port '123'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'aplan'

192.168.152.2 is an OpenWrt One set up as a dumb AP per the guide in the wiki. I also have it acting as the local NTP server, but it turns out that isn't working for apparently the same reason (responses appear to get dropped coming back from the aplan zone to the source). I didn't notice that earlier.

Nothing obvious is sticking out in your config.
Please set up nftables tracing, change it to 22/tcp obviously, and let's see the rules (not) processing the packets.

Hopefully I've correctly snipped out one complete trace for what we're discussing (the trace gets really big, really fast):

trace id 7e9f613d inet fw4 trace_chain packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 7e9f613d inet fw4 trace_chain verdict continue 
trace id 7e9f613d inet fw4 raw_prerouting verdict continue 
trace id 7e9f613d inet fw4 raw_prerouting policy accept 
trace id 7e9f613d inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_prerouting verdict continue 
trace id 7e9f613d inet fw4 mangle_prerouting policy accept 
trace id 7e9f613d inet fw4 prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id 7e9f613d inet fw4 helper_lan verdict continue 
trace id 7e9f613d inet fw4 prerouting verdict continue 
trace id 7e9f613d inet fw4 prerouting policy accept 
trace id 7e9f613d inet fw4 mangle_forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_forward verdict continue 
trace id 7e9f613d inet fw4 mangle_forward policy accept 
trace id 7e9f613d inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id 7e9f613d inet fw4 mangle_postrouting packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_postrouting verdict continue 
trace id 7e9f613d inet fw4 mangle_postrouting policy accept 
trace id a55b75b4 inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id a55b75b4 inet fw4 trace_chain verdict continue 
trace id a55b75b4 inet fw4 raw_prerouting verdict continue 
trace id a55b75b4 inet fw4 raw_prerouting policy accept 
trace id a55b75b4 inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_prerouting verdict continue 
trace id a55b75b4 inet fw4 mangle_prerouting policy accept 
trace id a55b75b4 inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id a55b75b4 inet fw4 helper_aplan verdict continue 
trace id a55b75b4 inet fw4 prerouting verdict continue 
trace id a55b75b4 inet fw4 prerouting policy accept 
trace id a55b75b4 inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_forward verdict continue 
trace id a55b75b4 inet fw4 mangle_forward policy accept 
trace id a55b75b4 inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id a55b75b4 inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id a55b75b4 inet fw4 mangle_postrouting verdict continue 
trace id a55b75b4 inet fw4 mangle_postrouting policy accept

br-lan2 is the underlying bridge for the aplan interface.
br-wan.1000 is the wan (the 1 Gbps WAN port on the BPI-R3 is a switch port, and it's tagged VLAN 1000 here for the ISP).

I don't understand why the wan is being referenced here at all. If I'm reading it right, the return packets are being forwarded to the wan for some reason, instead of back to br-lan?
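An added example (not code from the thread): a small Python parser for fw4 nftables trace output of the kind shown above. It groups lines by trace id, pulls out the 5-tuple, iif/oif and the terminal verdict for each traced packet, and flags any reply whose egress interface differs from the interface the matching request arrived on, which is exactly what makes `oif "br-wan.1000"` stand out here. The embedded sample trace is an abridged, constructed copy of the lines above; the helper names are my own.

```python
"""Summarise nftables trace output (fw4 with `meta nftrace set 1`).

Each traced packet produces many lines sharing one trace id. The parser keeps,
per trace id, the 5-tuple, the input interface, the output interface chosen by
the routing decision (first visible on the forward-hook packet line) and the
last terminal verdict (accept/drop/reject) together with the rule comment that
produced it. A reply whose oif differs from the iif of the matching request is
reported as asymmetric routing.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, abridged sample (same shape as fw4 trace output; only the
# lines the parser needs are kept, ether/dscp/ttl fields dropped).
SAMPLE_TRACE = """\
trace id 2d6359db inet fw4 prerouting packet: iif "br-lan" ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip protocol tcp tcp sport 44834 tcp dport 22 tcp flags == syn
trace id 2d6359db inet fw4 forward packet: iif "br-lan" oif "br-lan2" ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip protocol tcp tcp sport 44834 tcp dport 22 tcp flags == syn
trace id 2d6359db inet fw4 forward rule iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
trace id 2d6359db inet fw4 accept_to_aplan rule meta nfproto ipv4 oifname "br-lan2" counter packets 128 bytes 17172 accept comment "!fw4: accept aplan IPv4 traffic" (verdict accept)
trace id 409dbb5d inet fw4 prerouting packet: iif "br-lan2" ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip protocol tcp tcp sport 22 tcp dport 44834 tcp flags == 0x12
trace id 409dbb5d inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip protocol tcp tcp sport 22 tcp dport 44834 tcp flags == 0x12
trace id 409dbb5d inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
"""

TRACE_RE = re.compile(
    r'^trace id (?P<id>[0-9a-f]+) inet fw4 (?P<chain>\S+) '
    r'(?P<kind>packet|rule|verdict|policy)\b(?P<rest>.*)$')
STR_FIELDS = {"iif": re.compile(r'\biif "([^"]+)"'),
              "oif": re.compile(r'\boif "([^"]+)"'),
              "saddr": re.compile(r'\bip saddr (\S+)'),
              "daddr": re.compile(r'\bip daddr (\S+)')}
INT_FIELDS = {"sport": re.compile(r'\b(?:tcp|udp) sport (\d+)'),
              "dport": re.compile(r'\b(?:tcp|udp) dport (\d+)')}
VERDICT_RE = re.compile(r'\(verdict (accept|drop|reject|continue|jump \S+)\)')
COMMENT_RE = re.compile(r'comment "([^"]*)"')
TERMINAL = ("accept", "drop", "reject")


@dataclass
class Trace:
    trace_id: str
    iif: Optional[str] = None
    oif: Optional[str] = None
    saddr: Optional[str] = None
    daddr: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    verdict: Optional[str] = None        # last terminal verdict seen
    matched_rule: Optional[str] = None   # comment of the rule that gave it

    @property
    def flow(self) -> Tuple:
        return (self.saddr, self.sport, self.daddr, self.dport)

    @property
    def reverse_flow(self) -> Tuple:
        return (self.daddr, self.dport, self.saddr, self.sport)


def parse_trace(text: str) -> Dict[str, Trace]:
    """Group trace lines by id; later packet lines overwrite earlier fields,
    so the oif ends up being the one from the forward/postrouting hooks."""
    traces: Dict[str, Trace] = {}
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        t = traces.setdefault(m["id"], Trace(m["id"]))
        rest = m["rest"]
        if m["kind"] == "packet":
            for attr, rx in STR_FIELDS.items():
                mm = rx.search(rest)
                if mm:
                    setattr(t, attr, mm.group(1))
            for attr, rx in INT_FIELDS.items():
                mm = rx.search(rest)
                if mm:
                    setattr(t, attr, int(mm.group(1)))
        elif m["kind"] == "rule":
            v = VERDICT_RE.search(rest)
            if v and v.group(1) in TERMINAL:   # "jump"/"continue" are not final
                t.verdict = v.group(1)
                c = COMMENT_RE.search(rest)
                t.matched_rule = c.group(1) if c else None
    return traces


def summarize(traces: Dict[str, Trace]) -> List[str]:
    return [f"{t.trace_id}: {t.saddr}:{t.sport} -> {t.daddr}:{t.dport} "
            f"iif={t.iif} oif={t.oif} verdict={t.verdict} ({t.matched_rule})"
            for t in traces.values()]


def find_asymmetric_replies(traces: Dict[str, Trace]) -> List[str]:
    """One finding per reply that leaves via an interface other than the one
    the matching request (reversed 5-tuple) arrived on."""
    by_flow = {t.flow: t for t in traces.values() if None not in t.flow}
    findings = []
    for t in traces.values():
        req = by_flow.get(t.reverse_flow)
        if req is None or t.oif is None or req.iif is None:
            continue
        if t.oif != req.iif:
            findings.append(f"trace {t.trace_id}: reply {t.saddr}:{t.sport} -> "
                            f"{t.daddr}:{t.dport} leaves via {t.oif} but the request "
                            f"(trace {req.trace_id}) arrived on {req.iif}")
    return findings


if __name__ == "__main__":
    # Usage: python3 nft_trace_summary.py [saved-trace.txt]; no file -> sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    parsed = parse_trace(data)
    print("\n".join(summarize(parsed)))
    for finding in find_asymmetric_replies(parsed):
        print("WARNING:", finding)
```

Feed it the output of `nft monitor trace` saved to a file; a WARNING line points at the flow whose return path needs checking in the routing table (or policy-routing rules) rather than in the firewall rules.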

And your dumb AP is dumb, meaning no WAN port and/or firewall and/or custom routing is used/running/set on it?

The WAN port of the AP (an OpenWrt One) is bridged so it can extend the wired side of aplan (that port is serving an unmanaged switch for a game console, TV, etc). Aside from the NTP server, it's set up exactly per the Wiki guide for dumb APs.

Somehow there should be a first SYN going to the accept path later, not the ct state filter; these are SYN 0x2 + ACK 0x10, i.e. the 2nd packet in the flow.

Btw

meta l4proto tcp

I don't know what this means, sorry.

trace id 2d6359db inet fw4 trace_chain packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 2d6359db inet fw4 trace_chain verdict continue 
trace id 2d6359db inet fw4 raw_prerouting verdict continue 
trace id 2d6359db inet fw4 raw_prerouting policy accept 
trace id 2d6359db inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 mangle_prerouting verdict continue 
trace id 2d6359db inet fw4 mangle_prerouting policy accept 
trace id 2d6359db inet fw4 dstnat packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 dstnat rule iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" (verdict jump dstnat_lan)
trace id 2d6359db inet fw4 dstnat_lan verdict continue 
trace id 2d6359db inet fw4 dstnat rule jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" (verdict jump upnp_prerouting)
trace id 2d6359db inet fw4 upnp_prerouting verdict continue 
trace id 2d6359db inet fw4 dstnat verdict continue 
trace id 2d6359db inet fw4 dstnat policy accept 
trace id 2d6359db inet fw4 prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id 2d6359db inet fw4 helper_lan verdict continue 
trace id 2d6359db inet fw4 prerouting verdict continue 
trace id 2d6359db inet fw4 prerouting policy accept 
trace id 2d6359db inet fw4 mangle_forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 mangle_forward verdict continue 
trace id 2d6359db inet fw4 mangle_forward policy accept 
trace id 2d6359db inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 forward rule iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" (verdict jump forward_lan)
trace id 2d6359db inet fw4 forward_lan rule ip daddr 192.168.152.2 tcp dport 22 counter packets 2 bytes 120 jump accept_to_aplan comment "!fw4: Allow-SSH-One-LAN" (verdict jump accept_to_aplan)
trace id 2d6359db inet fw4 accept_to_aplan rule meta nfproto ipv4 oifname "br-lan2" counter packets 128 bytes 17172 accept comment "!fw4: accept aplan IPv4 traffic" (verdict accept)
trace id 2d6359db inet fw4 mangle_postrouting packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 mangle_postrouting verdict continue 
trace id 2d6359db inet fw4 mangle_postrouting policy accept 
trace id 2d6359db inet fw4 srcnat packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64357 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 2d6359db inet fw4 srcnat rule jump upnp_postrouting comment "Hook into miniupnpd postrouting chain" (verdict jump upnp_postrouting)
trace id 2d6359db inet fw4 upnp_postrouting verdict continue 
trace id 2d6359db inet fw4 srcnat verdict continue 
trace id 2d6359db inet fw4 srcnat policy accept 
trace id 409dbb5d inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 409dbb5d inet fw4 trace_chain verdict continue 
trace id 409dbb5d inet fw4 raw_prerouting verdict continue 
trace id 409dbb5d inet fw4 raw_prerouting policy accept 
trace id 409dbb5d inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 mangle_prerouting verdict continue 
trace id 409dbb5d inet fw4 mangle_prerouting policy accept 
trace id 409dbb5d inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id 409dbb5d inet fw4 helper_aplan verdict continue 
trace id 409dbb5d inet fw4 prerouting verdict continue 
trace id 409dbb5d inet fw4 prerouting policy accept 
trace id 409dbb5d inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 mangle_forward verdict continue 
trace id 409dbb5d inet fw4 mangle_forward policy accept 
trace id 409dbb5d inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id 409dbb5d inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 409dbb5d inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id 409dbb5d inet fw4 mangle_postrouting verdict continue 
trace id 409dbb5d inet fw4 mangle_postrouting policy accept 
trace id 882dd0b3 inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 882dd0b3 inet fw4 trace_chain verdict continue 
trace id 882dd0b3 inet fw4 raw_prerouting verdict continue 
trace id 882dd0b3 inet fw4 raw_prerouting policy accept 
trace id 882dd0b3 inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 mangle_prerouting verdict continue 
trace id 882dd0b3 inet fw4 mangle_prerouting policy accept 
trace id 882dd0b3 inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id 882dd0b3 inet fw4 helper_aplan verdict continue 
trace id 882dd0b3 inet fw4 prerouting verdict continue 
trace id 882dd0b3 inet fw4 prerouting policy accept 
trace id 882dd0b3 inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 mangle_forward verdict continue 
trace id 882dd0b3 inet fw4 mangle_forward policy accept 
trace id 882dd0b3 inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id 882dd0b3 inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 882dd0b3 inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id 882dd0b3 inet fw4 mangle_postrouting verdict continue 
trace id 882dd0b3 inet fw4 mangle_postrouting policy accept 
trace id 7e9f613d inet fw4 trace_chain packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 7e9f613d inet fw4 trace_chain verdict continue 
trace id 7e9f613d inet fw4 raw_prerouting verdict continue 
trace id 7e9f613d inet fw4 raw_prerouting policy accept 
trace id 7e9f613d inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_prerouting verdict continue 
trace id 7e9f613d inet fw4 mangle_prerouting policy accept 
trace id 7e9f613d inet fw4 prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id 7e9f613d inet fw4 helper_lan verdict continue 
trace id 7e9f613d inet fw4 prerouting verdict continue 
trace id 7e9f613d inet fw4 prerouting policy accept 
trace id 7e9f613d inet fw4 mangle_forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_forward verdict continue 
trace id 7e9f613d inet fw4 mangle_forward policy accept 
trace id 7e9f613d inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id 7e9f613d inet fw4 mangle_postrouting packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id 7e9f613d inet fw4 mangle_postrouting verdict continue 
trace id 7e9f613d inet fw4 mangle_postrouting policy accept 
trace id a55b75b4 inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id a55b75b4 inet fw4 trace_chain verdict continue 
trace id a55b75b4 inet fw4 raw_prerouting verdict continue 
trace id a55b75b4 inet fw4 raw_prerouting policy accept 
trace id a55b75b4 inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_prerouting verdict continue 
trace id a55b75b4 inet fw4 mangle_prerouting policy accept 
trace id a55b75b4 inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id a55b75b4 inet fw4 helper_aplan verdict continue 
trace id a55b75b4 inet fw4 prerouting verdict continue 
trace id a55b75b4 inet fw4 prerouting policy accept 
trace id a55b75b4 inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_forward verdict continue 
trace id a55b75b4 inet fw4 mangle_forward policy accept 
trace id a55b75b4 inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id a55b75b4 inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id a55b75b4 inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id a55b75b4 inet fw4 mangle_postrouting verdict continue 
trace id a55b75b4 inet fw4 mangle_postrouting policy accept 
trace id bbdbc944 inet fw4 trace_chain packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id bbdbc944 inet fw4 trace_chain verdict continue 
trace id bbdbc944 inet fw4 raw_prerouting verdict continue 
trace id bbdbc944 inet fw4 raw_prerouting policy accept 
trace id bbdbc944 inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 mangle_prerouting verdict continue 
trace id bbdbc944 inet fw4 mangle_prerouting policy accept 
trace id bbdbc944 inet fw4 prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id bbdbc944 inet fw4 helper_lan verdict continue 
trace id bbdbc944 inet fw4 prerouting verdict continue 
trace id bbdbc944 inet fw4 prerouting policy accept 
trace id bbdbc944 inet fw4 mangle_forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 mangle_forward verdict continue 
trace id bbdbc944 inet fw4 mangle_forward policy accept 
trace id bbdbc944 inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id bbdbc944 inet fw4 mangle_postrouting packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64359 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id bbdbc944 inet fw4 mangle_postrouting verdict continue 
trace id bbdbc944 inet fw4 mangle_postrouting policy accept 
trace id 4ffc357c inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id 4ffc357c inet fw4 trace_chain verdict continue 
trace id 4ffc357c inet fw4 raw_prerouting verdict continue 
trace id 4ffc357c inet fw4 raw_prerouting policy accept 
trace id 4ffc357c inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 mangle_prerouting verdict continue 
trace id 4ffc357c inet fw4 mangle_prerouting policy accept 
trace id 4ffc357c inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id 4ffc357c inet fw4 helper_aplan verdict continue 
trace id 4ffc357c inet fw4 prerouting verdict continue 
trace id 4ffc357c inet fw4 prerouting policy accept 
trace id 4ffc357c inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 mangle_forward verdict continue 
trace id 4ffc357c inet fw4 mangle_forward policy accept 
trace id 4ffc357c inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id 4ffc357c inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id 4ffc357c inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id 4ffc357c inet fw4 mangle_postrouting verdict continue 
trace id 4ffc357c inet fw4 mangle_postrouting policy accept 
trace id d39135d3 inet fw4 trace_chain packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id d39135d3 inet fw4 trace_chain verdict continue 
trace id d39135d3 inet fw4 raw_prerouting verdict continue 
trace id d39135d3 inet fw4 raw_prerouting policy accept 
trace id d39135d3 inet fw4 mangle_prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 mangle_prerouting verdict continue 
trace id d39135d3 inet fw4 mangle_prerouting policy accept 
trace id d39135d3 inet fw4 prerouting packet: iif "br-lan" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 prerouting rule iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" (verdict jump helper_lan)
trace id d39135d3 inet fw4 helper_lan verdict continue 
trace id d39135d3 inet fw4 prerouting verdict continue 
trace id d39135d3 inet fw4 prerouting policy accept 
trace id d39135d3 inet fw4 mangle_forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 mangle_forward verdict continue 
trace id d39135d3 inet fw4 mangle_forward policy accept 
trace id d39135d3 inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id d39135d3 inet fw4 mangle_postrouting packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64360 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240 
trace id d39135d3 inet fw4 mangle_postrouting verdict continue 
trace id d39135d3 inet fw4 mangle_postrouting policy accept 
trace id d53c63a4 inet fw4 trace_chain packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 trace_chain rule meta l4proto { tcp, udp } th sport . th dport { 22 . 0-65535, 0-65535 . 22 } meta nftrace set 1 (verdict continue)
trace id d53c63a4 inet fw4 trace_chain verdict continue 
trace id d53c63a4 inet fw4 raw_prerouting verdict continue 
trace id d53c63a4 inet fw4 raw_prerouting policy accept 
trace id d53c63a4 inet fw4 mangle_prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 mangle_prerouting verdict continue 
trace id d53c63a4 inet fw4 mangle_prerouting policy accept 
trace id d53c63a4 inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 prerouting rule meta nfproto ipv4 iifname "br-lan2" jump helper_aplan comment "!fw4: Handle aplan IPv4 helper assignment" (verdict jump helper_aplan)
trace id d53c63a4 inet fw4 helper_aplan verdict continue 
trace id d53c63a4 inet fw4 prerouting verdict continue 
trace id d53c63a4 inet fw4 prerouting policy accept 
trace id d53c63a4 inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 mangle_forward verdict continue 
trace id d53c63a4 inet fw4 mangle_forward policy accept 
trace id d53c63a4 inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id d53c63a4 inet fw4 mangle_postrouting packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160 
trace id d53c63a4 inet fw4 mangle_postrouting rule oifname "br-wan.1000" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" (verdict continue)
trace id d53c63a4 inet fw4 mangle_postrouting verdict continue 
trace id d53c63a4 inet fw4 mangle_postrouting policy accept

I'm limited to 32000 chars, but this is the first 30-something K of the trace.

SSH server gets SYN, replies SYN+ACK ... both forward through the firewall .... Where's the 3rd, as state is established now? The 3rd would appear as "ct status assured" in conntrack -E

REF: https://en.wikipedia.org/wiki/Handshake_(computing)#TCP_three-way_handshake

It looks to me like the SYN+ACK packets are getting forwarded to the wan instead of returned to br-lan, so the SSH client device never sees them, hence it never sends a final ACK. But why would that be happening? Isn't that kind of crazy?

trace id 409dbb5d inet fw4 mangle_forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160
...
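A way to check a trace like the one above mechanically, as an added example that is not from this thread: it parses the forward-chain packet lines of `nft monitor trace` output, flags replies whose oif is not the interface the destination subnet sits behind, and reports TCP handshakes where the third ACK never appears. The subnet-to-interface map and the sample trace lines are constructed for this example, modelled on the interfaces and addresses in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# One "packet:" line per chain traversal, as printed by `nft monitor trace`.
PACKET_RE = re.compile(
    r'trace id (?P<id>[0-9a-f]+) inet \S+ (?P<chain>\S+) packet: iif "(?P<iif>[^"]+)"'
    r'(?: oif "(?P<oif>[^"]+)")?.*? ip saddr (?P<saddr>\S+) ip daddr (?P<daddr>\S+)'
    r'.*? tcp sport (?P<sport>\d+) tcp dport (?P<dport>\d+) tcp flags == (?P<flags>\S+)'
)

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH, "ack": ACK}

def parse_flags(text):
    """nft prints a lone flag by name ("syn") and combinations as hex ("0x12")."""
    return int(text, 16) if text.startswith("0x") else FLAG_NAMES[text]

# Assumption constructed for this example: the interface each subnet lives behind.
EXPECTED_OIF = {
    ipaddress.ip_network("192.168.150.0/24"): "br-lan",   # management LAN
    ipaddress.ip_network("192.168.152.0/24"): "br-lan2",  # dumb AP subnet (aplan)
}

def expected_oif(daddr):
    addr = ipaddress.ip_address(daddr)
    return next((oif for net, oif in EXPECTED_OIF.items() if addr in net), None)

SEEN_SYN, SEEN_SYNACK, SEEN_ACK = 1, 2, 4
COMPLETE = SEEN_SYN | SEEN_SYNACK | SEEN_ACK

def describe(phase):
    names = ((SEEN_SYN, "SYN"), (SEEN_SYNACK, "SYN+ACK"), (SEEN_ACK, "ACK"))
    return ", ".join(name for bit, name in names if phase & bit) or "nothing"

def analyse(trace_text):
    """Walk forward-chain packets; report wrong egress interfaces and unfinished handshakes."""
    misrouted = []
    flows = defaultdict(int)  # canonical 4-tuple -> handshake phases seen
    for line in trace_text.splitlines():
        m = PACKET_RE.search(line)
        if not m or m["chain"] != "forward":
            continue  # only the forward chain carries the routing decision (oif)
        want = expected_oif(m["daddr"])
        if want and m["oif"] != want:
            misrouted.append({"trace_id": m["id"], "saddr": m["saddr"], "daddr": m["daddr"],
                              "oif": m["oif"], "expected": want})
        key = tuple(sorted([(m["saddr"], int(m["sport"])), (m["daddr"], int(m["dport"]))]))
        flags = parse_flags(m["flags"])
        if flags == SYN:
            flows[key] |= SEEN_SYN
        elif flags == SYN | ACK:
            flows[key] |= SEEN_SYNACK
        elif flags & ACK:
            flows[key] |= SEEN_ACK  # any later ACK proves the third leg got through
    incomplete = {key: describe(p) for key, p in flows.items() if p != COMPLETE}
    return {"misrouted": misrouted, "incomplete": incomplete}

# Constructed sample: one SYN in, one SYN+ACK back, no third packet (as in the thread).
SAMPLE_TRACE = """\
trace id 7e9f613d inet fw4 forward packet: iif "br-lan" oif "br-lan2" ether saddr 54:ee:75:fb:c7:52 ether daddr 82:91:21:c5:24:9a ip saddr 192.168.150.175 ip daddr 192.168.152.2 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 64358 ip protocol tcp ip length 60 tcp sport 44834 tcp dport 22 tcp flags == syn tcp window 64240
trace id 7e9f613d inet fw4 forward rule ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" (verdict accept)
trace id a55b75b4 inet fw4 prerouting packet: iif "br-lan2" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 64 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160
trace id a55b75b4 inet fw4 forward packet: iif "br-lan2" oif "br-wan.1000" ether saddr 20:05:b7:00:3c:91 ether daddr 82:91:21:c5:24:9b ip saddr 192.168.152.2 ip daddr 192.168.150.175 ip dscp af21 ip ecn not-ect ip ttl 63 ip id 0 ip protocol tcp ip length 60 tcp sport 22 tcp dport 44834 tcp flags == 0x12 tcp window 65160
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_TRACE)
    for hit in report["misrouted"]:
        print(f'trace {hit["trace_id"]}: {hit["saddr"]} -> {hit["daddr"]} '
              f'left via {hit["oif"]}, expected {hit["expected"]}')
    for key, seen in report["incomplete"].items():
        print(f"handshake {key[0]} <-> {key[1]} incomplete: saw {seen}")
```

Feed it the full `nft monitor trace` capture on stdin or from a file to see every SYN+ACK that left through br-wan.1000 instead of br-lan.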

Could you please share the dumb AP's network config as well?

I can't access it because of this issue...

I get that you cannot access it via the network, but could you maybe connect directly?

With no DHCP server running on it, is that possible? Will it work if I connect to the LAN port and set a manual IP on my laptop?

Sorry if that's a stupid question, I just haven't done it before.