Firewall log question

How to interpret this log?
Thu Nov 22 17:49:18 2018 kern.warn kernel: [692984.833966] REJECT wan in: IN=eth0.2 OUT= MAC=8a:3a:aa:ba:2a:5a:3a:4a:7a:ba:fa:5a:08:00:45:00:00:64 SRC=185.60.216.54 DST=192.168.0.11 LEN=100 TOS=0x00 PREC=0x00 TTL=52 ID=54080 PROTO=UDP SPT=20737 DPT=16393 LEN=80

This log is from an OpenWrt router sitting behind a cable modem (192.168.0.1), having a static IP 192.168.0.11 on WAN. The cable modem has no open ports / forwarding configured and is not in bridge mode.

Just what it says, a UDP packet from 185.60.216.54:20737 destined for 192.168.0.11:16393 of 80 bytes was rejected on the "wan".

In and of itself, a single packet like that is completely unsurprising. "Stale" packets destined to clients behind NAT are not uncommon, especially with UDP where there is not even a semblance of connection termination.

traceroute suggests that it is a packet associated with Facebook. I'd guess someone on your network has or had Facebook open in a browser or running on their phone, potentially connected to Facebook's messenger service.
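An added example, not part of the original thread: a small Python parser for the log line in the question. It separates the two LEN= values (IP total length before PROTO=, UDP length after it), splits the Ethernet header out of MAC=, and reads the direction from the empty OUT= field. The function names and the IP_LEN, L4_LEN, mac_extra and direction keys are this example's own.

```python
import re

# Log line copied from the question above.
SAMPLE = (
    "Thu Nov 22 17:49:18 2018 kern.warn kernel: [692984.833966] REJECT wan in: "
    "IN=eth0.2 OUT= MAC=8a:3a:aa:ba:2a:5a:3a:4a:7a:ba:fa:5a:08:00:45:00:00:64 "
    "SRC=185.60.216.54 DST=192.168.0.11 LEN=100 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=54080 PROTO=UDP SPT=20737 DPT=16393 LEN=80"
)

def parse_netfilter_log(line):
    """Split a netfilter LOG line into rule prefix, KEY=VALUE fields and bare flags."""
    m = re.search(r"\]\s*(.*?)\s*\b(IN=.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    rec = {"prefix": m.group(1), "flags": []}
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(key)  # bare flags such as DF, SYN, ACK
            continue
        if key == "LEN":
            # Before PROTO= this is the IP total length; after PROTO=UDP it is
            # the UDP length (8-byte UDP header plus payload).
            key = "L4_LEN" if "PROTO" in rec else "IP_LEN"
        rec[key] = int(val) if val.isdigit() else val
    mac = rec.get("MAC", "").split(":")
    if len(mac) >= 14:
        # First 14 bytes are the Ethernet header: destination, source, EtherType.
        rec["dst_mac"] = ":".join(mac[:6])
        rec["src_mac"] = ":".join(mac[6:12])
        rec["ethertype"] = "0x" + "".join(mac[12:14])
        rec["mac_extra"] = ":".join(mac[14:])  # any further bytes, kept uninterpreted
    # Empty OUT= means the packet was addressed to the router itself (input);
    # a forwarded packet carries both IN= and OUT= interfaces.
    if rec.get("IN") and rec.get("OUT"):
        rec["direction"] = "forward"
    else:
        rec["direction"] = "input" if rec.get("IN") else "output"
    return rec

def describe(rec):
    """One-line summary of a parsed record."""
    text = (f"{rec['PROTO']} {rec['SRC']}:{rec.get('SPT', '-')} -> "
            f"{rec['DST']}:{rec.get('DPT', '-')} ({rec['direction']} via {rec['IN'] or rec['OUT']})")
    if rec["PROTO"] == "UDP" and "L4_LEN" in rec:
        text += f", {rec['L4_LEN'] - 8} payload bytes"
    return text

if __name__ == "__main__":
    print(describe(parse_netfilter_log(SAMPLE)))
```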

I was very surprised, since this OpenWrt router is sitting behind another cable modem that has its firewall up, has no open ports / forwarding configured and is not in bridge mode.
ISP --> Cable modem (Firewall WAN - LAN "closed") -> OpenWRT router (Firewall zone WAN - LAN: REJECT)

I mean, how can the router block a packet that is not supposed or allowed to be there? How does it reach the router...
This can be reproduced by making FaceTime calls.

As soon as one of your clients opens a connection, your firewall is "open" for that port combination, as is your ISP's. What I would guess you're seeing is a "stale" or "late" packet associated with a previously established connection that has timed out on your OpenWrt router, but not on your ISP's modem-router.


That makes sense: the blocked incoming packet was a "packet associated with a previously established connection that has timed out on your OpenWrt router, but not on your ISP's modem-router."
