Firewall Log Location - Option to troubleshoot blocked Connections

Hi,
I have a problem establishing a VPN IPsec client connection from my Android mobile (which is behind my LEDE router) to another router. From my mobile provider's network the connection works without any problem, and it also works from a Windows client behind my LEDE router (which is a little bit strange). I tried the different firewall rules for ESP/AH traffic and ports 4500/500, like here for example:
https://zhmail.com/2015/09/15/configuring-ikev1-xauth-psk-in-openwrt1505/
But it didn't help.
So is there a possibility to troubleshoot blocked firewall connections in LEDE with a log or something else?
Thanks!

Same here... want to hear what our experts can guide us on... I have this issue connecting to my corporate VPN using a VPN client through LEDE. When I use the "Pulse VPN" client, it never connects... when I use Microsoft DirectAccess, sometimes it connects, sometimes it does not.

When I go through my phone's 4G, both connection methods work on the first try.

I've been trying to do a tcpdump on the router to see what's going on, but have been unsuccessful so far...

The IPsec VPN connection from my Android mobile works now. I managed to set the right firewall rules for IPsec/L2TP passthrough.

Here they are:

# IPsec/NAT-T
config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'IPsec NAT-T'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '4500'

# IPsec/IKE
config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'IPsec IKE'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '500'

# IPsec/ESP
config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'IPsec ESP'
        option 'src' 'wan'
        option 'proto' 'esp'

# L2TP/ESP
config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'L2TP ESP'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1701'
        option 'extra' '-m policy --strict --dir in --pol ipsec --proto esp'

This post contains the rules mentioned:
https://forum.openwrt.org/viewtopic.php?id=39645

Still not working here :frowning:

You can use normal iptables commands for firewall logging. iptables writes the entries to the system log (read with logread), so the log can fill up quickly if you have lots of traffic.

The firewall zone config in LuCI offers the possibility to log rejected/dropped connections. That is in the zone's options, advanced tab.

E.g. enabling drop/reject logging for wan creates the following rules:

root@LEDE:~# iptables-save  | grep -i log
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 10/sec -m comment --comment "!fw3: wan (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(wan): "
-A zone_wan_dest_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(dest wan)"
-A zone_wan_src_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(src wan)"

Modifying the logging rules by hand naturally requires some iptables knowledge and an understanding of the various rule chains (and tables) in the firewall.

E.g. manually create a rule to log all incoming UDP packets from interface eth0.2 to port 2222 (the udp match takes --dport, not --dst-port; the prefix makes the entries easy to grep out of logread):

iptables -t mangle -I PREROUTING -i eth0.2 -p udp --dport 2222 -j LOG --log-prefix "UDP2222: "
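
Once zone logging is switched on, the hard part is picking the relevant lines out of logread. The script below is an added example, not code from this thread or from LEDE/fw3: it parses kernel LOG entries in the layout shown above (the fw3 prefixes such as "REJECT(src wan)" have no trailing space, so the prefix sits directly in front of "IN="), keeps only REJECT/DROP entries, and flags the ones that matter for an IPsec client behind the router: UDP 500 (IKE), UDP 4500 (NAT-T) and protocols ESP/AH. The embedded logread sample is constructed for the example; the interface names, addresses and SPI are made up.

```python
"""Added example: find rejected/dropped IPsec traffic in LEDE/OpenWrt logread output.
Not part of the original thread; sample log lines below are constructed."""
import re
import sys
from collections import Counter

# Field layout of the kernel's LOG target as it appears in `logread`. The fw3
# prefix (e.g. "REJECT(src wan)") carries no trailing space, so it is glued to "IN=".
LOG_RE = re.compile(
    r"kernel:\s*\[\s*[\d.]+\]\s*(?P<prefix>.*?)IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)"
    r".*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"   # TCP/UDP only
    r"(?:.*?SPI=(?P<spi>0x[0-9a-fA-F]+))?"             # ESP/AH only
)

IKE_PORTS = {500, 4500}       # IKE and NAT-T (UDP-encapsulated ESP)
IPSEC_PROTOS = {"ESP", "AH"}  # IP protocols 50 and 51; the kernel logs them by name

# Constructed logread sample: three fw3 REJECT entries, one MSSFIX entry, one unrelated line.
SAMPLE_LOGREAD = """\
Thu Jun 15 10:02:11 2017 kern.warn kernel: [ 1234.567890] REJECT(src wan)IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Jun 15 10:02:12 2017 kern.warn kernel: [ 1235.001122] REJECT(dest wan)IN=br-lan OUT=eth0.2 MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.100 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ESP SPI=0x1a2b3c4d
Thu Jun 15 10:02:13 2017 kern.warn kernel: [ 1236.200000] REJECT(src wan)IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=203.0.113.5 LEN=1200 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=1180
Thu Jun 15 10:02:14 2017 kern.warn kernel: [ 1237.300000] MSSFIX(wan): IN= OUT=eth0.2 SRC=192.168.1.100 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Jun 15 10:02:15 2017 user.notice firewall: Reloading firewall due to ifup of wan (eth0.2)
"""


def parse_log_line(line):
    """Return a dict of the LOG fields, or None if the line is not a LOG entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["prefix"] = e["prefix"].strip()
    e["spt"] = int(e["spt"]) if e["spt"] else None
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None
    return e


def is_blocked(entry):
    """fw3 uses REJECT(...)/DROP(...) prefixes for its zone logging rules."""
    return entry["prefix"].startswith(("REJECT", "DROP"))


def is_ipsec(entry):
    """True for ESP/AH and for UDP to the IKE / NAT-T ports."""
    if entry["proto"] in IPSEC_PROTOS:
        return True
    return entry["proto"] == "UDP" and entry["dpt"] in IKE_PORTS


def blocked_ipsec(logread_text):
    """All rejected/dropped entries that belong to an IPsec exchange, in log order."""
    entries = (parse_log_line(l) for l in logread_text.splitlines())
    return [e for e in entries if e and is_blocked(e) and is_ipsec(e)]


def summarize(logread_text):
    """Count blocked packets per (prefix, in, out, proto, dpt) so one rule can be written per row."""
    counts = Counter()
    for line in logread_text.splitlines():
        e = parse_log_line(line)
        if e and is_blocked(e):
            counts[(e["prefix"], e["in"] or "-", e["out"] or "-", e["proto"], e["dpt"])] += 1
    return counts


if __name__ == "__main__":
    # Pipe real output in (`logread | python3 fwlog.py`); with no pipe, use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGREAD
    for key, n in summarize(text).most_common():
        print("%5d  %-18s in=%-8s out=%-8s %-4s dpt=%s" % ((n,) + key))
    for e in blocked_ipsec(text):
        extra = "SPI=%s" % e["spi"] if e["spi"] else "DPT=%s" % e["dpt"]
        print("IPsec blocked: %s %s %s -> %s %s" % (e["prefix"], e["proto"], e["src"], e["dst"], extra))
```

The summary tells you which direction is failing: an entry with prefix REJECT(dest wan) and OUT=eth0.2 is the router refusing to forward the client's own ESP/IKE packets, which no "src wan" ACCEPT rule will fix, whereas REJECT(src wan) with IN=eth0.2 is the reply coming back from the remote gateway and hitting the wan input/forward policy. Run it on a workstation against `ssh root@router logread` if the router has no Python.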

I would suggest activating iptables logging as in the examples here:
http://www.thegeekstuff.com/2012/08/iptables-log-packets/?utm_source=feedburner
