Firewall script converted from UFW breaks ipv6 ping

I have a problem with my firewall on OpenWrt. I run the script in rclocal.
Ping to an IPv6 address breaks after adding the following last line to the nftables firewall script:

add rule inet nat POSTROUTING meta nfproto ipv4 oifname "eth0.2" counter masquerade

If I remove this last line, I get ping replies, but then I cannot reach services like ssh on the internet from a computer connected to one of the interfaces.

You can find the complete firewall script here: https://lamasti.net/filer/firewall.nft. How can I fix the problem?

What are you expecting this script to do for you?


Do you have iptables or config/firewall source of your translated nftables script?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your reply.

[Paul]

What are you expecting this script to do for you?

I'm expecting it to set up a firewall that blocks all traffic that's not explicitly allowed by this script.

Why use a script rather than configuring the firewall with UCI?


[Krazeh]

Why use a script rather than configuring the firewall with UCI?

Well, I migrated a working script from another system years back. So it was easiest to only maintain that solution.

Lars

It is an Ubuntu ufw firewall converted to nft; more or less multiple good/bad zones in a fw3/fw4 setup, and ip6 ping will work.

Was this system using OpenWRT?

But not the best. You'd be far better off, as a minimum, recreating the rules from scratch without the baggage of iptables. An even better approach would be to set up the required UCI rules and allow OpenWRT to create the required firewall rules in the background.

[Andrispe]

Do you have iptables or config/firewall source of your translated nftables script?

I had two scripts, one for IPv4 and one for IPv6:

https://lamasti.net/filer/firewall.user

https://lamasti.net/filer/firewall6.user

My approach is to use the inet family in the nftables script so that most of the rules are common for both IPv4 and IPv6.

I'm confused because the very last line in the script, which is specifically set to affect IPv4, breaks ping to an IPv6 address.

Thanks

Get rid of the script. Create the relevant UCI configs for the required redirects/forwards. You'll be much better off now and in the long run.


I volunteer to convert ufw objects to config/firewall entries :wink:
RE-ing twice chewed refuse is not the task for the weekend.

I am baffled how you managed to produce 10 paragraphs but not a single OpenWRT config item.

[Andrispe]

I am baffled how you managed to produce 10 paragraphs but not a single OpenWRT config item.

Sorry. Which config item do you want me to share?

Thanks

^ what they said.

I tried to reply by email, but it seems that it didn't reach the forum. Here's a link to my reply with lots of output:

Instead of this link, I will paste the text below.

Please note that the ping command I referred to in my initial post was issued on the OpenWrt box itself.

I tried to reply in the web UI, but then, I got an error saying that I couldn't post a link to that host. I don't know why.

I got the same error when replying by email. This is strange.

Ping from the OpenWrt box to an IPv6 address breaks after adding the following last line to the nftables firewall script:

add rule inet nat POSTROUTING meta nfproto ipv4 oifname "eth0.2" counter masquerade

If I remove this last line, I get ping replies, but then I cannot reach services like ssh on the internet from a computer connected to one of the interfaces.

[Andrispe]

Do you have iptables or config/firewall source of your translated nftables script?

Some years ago I switched from iptables to nftables.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Hope it's fine to reply by email. That's easiest for me, as I'm using a screen reader.

[...]

ubus call system board

{
"kernel": "5.15.162",
"hostname": "lamagw",
"system": "Atheros AR9344 rev 2",
"model": "TP-Link TL-WDR3600 v1",
"board_name": "tplink,tl-wdr3600-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ath79/generic",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}

cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fda4:f0f0:5137::/48'

config interface 'lan'
option ifname 'eth0.1 tap0'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '10.0.1.1'
option netmask '255.255.255.0'
option dhcpv6 disabled # it doesn't work at the moment.
option ip6assign '60'

config interface wlan
option ifname 'eth0.3 wlan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option dhcpv6 disabled
option ip6assign '60'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'

config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 5'

cat /etc/config/wireless

I've turned off wireless on this box at one point, but see now that the radios are enabled. Anyway, I have an external access point connected to one of the lan ports.

config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option htmode 'HT20'
option country 'NO'
option disabled '0'
option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'wlan'
option mode 'ap'
option ssid 'lamasti'
option encryption 'none'

config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'HT20'
option country 'NO'
option disabled '0'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'wlan'
option mode 'ap'
option ssid 'lamasti'
option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'x'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'

option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wlan'
option interface 'wlan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wl'
option interface 'wl'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

cat /etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option synflood_protect '1'
option synflood_rate '25/s'
option synflood_burst '50'
option tcp_ecn '1'
option tcp_syncookies '1'
option tcp_window_scaling '1'

#config include
option type 'script'
option path '/etc/firewall.nft'
option fw4_compatible 1

config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '546'
option name 'Allow DHCPv6 replies'
option family 'ipv6'
option src_port '547'

Thanks

Put back both icmp6 rules before your insert (and check the other icmp6 rules to see whether they match yours; there is likely no need for your script to filter icmp6).

These options are no-ops in firewall4; you need to use netifd or sysctl to set them.

- option tcp_ecn '1'
- option tcp_syncookies '1'
- option tcp_window_scaling '1'