Forwarding traffic between two bridges won't work

Hi,

I'm dealing with kind of an odd problem here. I'm running almost the default configuration with a few additions:

I've added an OpenVPN-Server which works flawlessly and a few custom firewall rules to regulate traffic from lan to wan, which also work fine.

Then I've configured another WLAN interface and bridged it with a LAN port (via VLAN) which also works (the host on the VLAN-port and the hosts in the new WIFI see each other). I'm calling this bridge "br-untrusted".

Then I've tried to get packets from the lan-bridge to the newly added one. And that's when things stopped making sense. I can't seem to get anything from br-lan to br-untrusted. I see the packets going in on the br-lan interface but I see absolutely nothing coming out on br-untrusted, even with the firewall turned off. Then again, forwarding from br-untrusted to wan works.

What could be the matter here? I'll add the relevant parts of the config files below:

cat /etc/openwrt_version

r10947-65030d81f3

cat /etc/config/network

config interface 'loopback'
  option ifname 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

config globals 'globals'
  option ula_prefix 'fd6a:9a1a:430b::/48'

config interface 'lan'
  option type 'bridge'
  option ifname 'eth1.1'
  option proto 'static'
  option ip6assign '60'
  list ipaddr '10.6.67.1/24'

config interface 'wan'
  option ifname 'eth0.2'
  option proto 'dhcp'

config interface 'wan6'
  option ifname 'eth0.2'
  option proto 'dhcpv6'

config switch
  option name 'switch0'
  option reset '1'
  option enable_vlan '1'

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option vid '1'
  option ports '6t 4 3 2 1t'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option ports '5 0t'
  option vid '2'

config interface 'untrusted'
  option proto 'static'
  list ipaddr '10.6.65.1/24'
  option type 'bridge'
  option ifname 'eth1.3'

config switch_vlan
  option device 'switch0'
  option vlan '3'
  option vid '3'
  option ports '6t 1'

cat /etc/config/wifi

config wifi-device 'radio0'
  option type 'mac80211'
  option channel '36'
  option hwmode '11a'
  option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
  option htmode 'VHT80'
  option disabled '0'

config wifi-iface 'default_radio0'
  option device 'radio0'
  option network 'lan'
  option mode 'ap'
  option key 'XXX'
  option ssid 'XXX'
  option encryption 'psk2+tkip+ccmp'

config wifi-device 'radio1'
  option type 'mac80211'
  option channel '11'
  option hwmode '11g'
  option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
  option htmode 'HT20'

config wifi-iface 'default_radio1'
  option device 'radio1'
  option network 'lan'
  option mode 'ap'
  option key 'XXX'
  option encryption 'psk2+tkip+ccmp'
  option ssid 'XXX'

config wifi-iface 'wifinet2'
  option ssid 'XXX'
  option encryption 'psk2'
  option device 'radio1'
  option mode 'ap'
  option key 'XXX'
  option network 'untrusted'

cat /etc/config/firewall

config defaults
  option syn_flood '1'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'REJECT'

config zone 'untrusted'
  option name 'untrusted'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'ACCEPT'
  option network 'untrusted'

config zone 'lan'
  option name 'lan'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'ACCEPT'
  option network 'lan'

config zone 'wan'
  option name 'wan'
  option output 'ACCEPT'
  option masq '1'
  option mtu_fix '1'
  option input 'REJECT'
  option forward 'REJECT'
  option network 'wan wan6'

config rule
  option name 'Allow-DHCP-Renew'
  option src 'wan'
  option proto 'udp'
  option dest_port '68'
  option target 'ACCEPT'
  option family 'ipv4'

config rule
  option name 'Allow-Ping'
  option src 'wan'
  option proto 'icmp'
  option icmp_type 'echo-request'
  option family 'ipv4'
  option target 'ACCEPT'

config rule
  option name 'Allow-IGMP'
  option src 'wan'
  option src 'wan'
  option proto 'igmp'
  option family 'ipv4'
  option target 'ACCEPT'

config rule
  option name 'Allow-DHCPv6'
  option src 'wan'
  option proto 'udp'
  option src_ip 'fc00::/6'
  option dest_ip 'fc00::/6'
  option dest_port '546'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-MLD'
  option src 'wan'
  option proto 'icmp'
  option src_ip 'fe80::/10'
  list icmp_type '130/0'
  list icmp_type '131/0'
  list icmp_type '132/0'
  list icmp_type '143/0'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-ICMPv6-Input'
  option src 'wan'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  list icmp_type 'router-solicitation'
  list icmp_type 'neighbour-solicitation'
  list icmp_type 'router-advertisement'
  list icmp_type 'neighbour-advertisement'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-ICMPv6-Forward'
  option src 'wan'
  option src 'wan'
  option dest '*'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-IPSec-ESP'
  option src 'wan'
  option dest 'lan'
  option proto 'esp'
  option target 'ACCEPT'

config rule
  option name 'Allow-ISAKMP'
  option src 'wan'
  option dest 'lan'
  option dest_port '500'
  option proto 'udp'
  option target 'ACCEPT'

config include
  option path '/etc/firewall.user'

config rule 'ovpn'
  option name 'Allow-OpenVPN'
  option src 'wan'
  option dest_port '1194'
  option proto 'udp'
  option target 'ACCEPT'

config rule
  list proto 'all'
  option name 'Allow VPN Router'
  list src_ip '10.6.67.2'
  option dest 'wan'
  option target 'ACCEPT'
  option src 'lan'

config rule
  option src 'lan'
  option name 'Block direct Internet'
  option dest 'wan'
  list dest_ip '!10.6.66.0/24'
  option target 'REJECT'
  list proto 'all'

config rule
  list proto 'all'
  option dest 'wan'
  option src 'untrusted'
  option name 'Block untrusted Internet'
  option target 'REJECT'
  option enabled '1'

config rule
  list proto 'all'
  option src 'lan'
  option dest 'untrusted'
  option name 'Allow LAN -> Untrusted'
  option target 'ACCEPT'
  option enabled '1'

config forwarding 'lan_untrusted'
  option dest 'untrusted'
  option src 'lan'

config forwarding 'untrusted_wan'
  option src 'untrusted'
  option dest 'wan'

There are no custom iptables rules.

That should be all of it. Please let me know if you need anything else.

Cheers,

Mike

What does iptables-save -c say?

iptables-save -c

# Generated by iptables-save v1.8.3 on Sun Apr 19 22:00:21 2020
*nat
:PREROUTING ACCEPT [28000:1704316]
:INPUT ACCEPT [26349:1395841]
:OUTPUT ACCEPT [626:46382]
:POSTROUTING ACCEPT [346:15211]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_untrusted_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_untrusted_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_untrusted_postrouting - [0:0]
:zone_untrusted_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[28000:1704316] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[46:2890] -A PREROUTING -i br-untrusted -m comment --comment "!fw3" -j zone_untrusted_prerouting
[27938:1699530] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[16:1896] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[971:60351] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[28:1288] -A POSTROUTING -o br-untrusted -m comment --comment "!fw3" -j zone_untrusted_postrouting
[308:13211] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[625:45140] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[308:13211] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[27938:1699530] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[28:1288] -A zone_untrusted_postrouting -m comment --comment "!fw3: Custom untrusted postrouting rule chain" -j postrouting_untrusted_rule
[46:2890] -A zone_untrusted_prerouting -m comment --comment "!fw3: Custom untrusted prerouting rule chain" -j prerouting_untrusted_rule
[625:45140] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[625:45140] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[16:1896] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Apr 19 22:00:21 2020
# Generated by iptables-save v1.8.3 on Sun Apr 19 22:00:21 2020
*mangle
:PREROUTING ACCEPT [174337:58358360]
:INPUT ACCEPT [32372:2101890]
:FORWARD ACCEPT [140920:55990882]
:OUTPUT ACCEPT [31910:2385785]
:POSTROUTING ACCEPT [172240:58335843]
[331:19860] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Apr 19 22:00:21 2020
# Generated by iptables-save v1.8.3 on Sun Apr 19 22:00:21 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_untrusted_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_untrusted_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_untrusted_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_untrusted_dest_ACCEPT - [0:0]
:zone_untrusted_forward - [0:0]
:zone_untrusted_input - [0:0]
:zone_untrusted_output - [0:0]
:zone_untrusted_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[217:21492] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[32155:2080398] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4923:575698] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[189:11324] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[20:1330] -A INPUT -i br-untrusted -m comment --comment "!fw3" -j zone_untrusted_input
[27196:1501474] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[16:1896] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[140920:55990882] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[140327:55949431] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[26:1560] -A FORWARD -i br-untrusted -m comment --comment "!fw3" -j zone_untrusted_forward
[567:39891] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[160:13440] -A FORWARD -m comment --comment "!fw3" -j reject
[217:21492] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[31693:2364293] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[31063:2316612] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[14:1576] -A OUTPUT -o br-untrusted -m comment --comment "!fw3" -j zone_untrusted_output
[5:1694] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[611:44411] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[344:20624] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[261:22054] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[189:11324] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:1694] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[567:39891] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3:627] -A zone_lan_forward -s 10.6.67.2/32 -m comment --comment "!fw3: Allow VPN Router" -j zone_wan_dest_ACCEPT
[404:25824] -A zone_lan_forward ! -d 10.6.66.0/24 -m comment --comment "!fw3: Block direct Internet" -j zone_wan_dest_REJECT
[160:13440] -A zone_lan_forward -m comment --comment "!fw3: Allow LAN -> Untrusted" -j zone_untrusted_dest_ACCEPT
[160:13440] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to untrusted forwarding policy" -j zone_untrusted_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[160:13440] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[27196:1501474] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[27196:1501474] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1694] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1694] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[27196:1501474] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[14:1576] -A zone_untrusted_dest_ACCEPT -o br-untrusted -m comment --comment "!fw3" -j ACCEPT
[26:1560] -A zone_untrusted_forward -m comment --comment "!fw3: Custom untrusted forwarding rule chain" -j forwarding_untrusted_rule
[26:1560] -A zone_untrusted_forward -m comment --comment "!fw3: Block untrusted Internet" -j zone_wan_dest_REJECT
[0:0] -A zone_untrusted_forward -m comment --comment "!fw3: Zone untrusted to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_untrusted_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_untrusted_forward -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
[20:1330] -A zone_untrusted_input -m comment --comment "!fw3: Custom untrusted input rule chain" -j input_untrusted_rule
[0:0] -A zone_untrusted_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[20:1330] -A zone_untrusted_input -m comment --comment "!fw3" -j zone_untrusted_src_ACCEPT
[14:1576] -A zone_untrusted_output -m comment --comment "!fw3: Custom untrusted output rule chain" -j output_untrusted_rule
[14:1576] -A zone_untrusted_output -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
[20:1330] -A zone_untrusted_src_ACCEPT -i br-untrusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[614:45038] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[430:27384] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[16:1896] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[1:42] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[15:1854] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[611:44411] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[611:44411] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[15:1854] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Apr 19 22:00:21 2020

The firewall rules look correct, but the packets don't seem to be accepted by the lan → untrusted rule: the counters show them jumping into it and then continuing through the rules that follow:

[160:13440] -A zone_lan_forward -m comment --comment "!fw3: Allow LAN -> Untrusted" -j zone_untrusted_dest_ACCEPT
[160:13440] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to untrusted forwarding policy" -j zone_untrusted_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[160:13440] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT

You have the same number of hits on both lines, which tells you every one of those 160 packets jumped into zone_untrusted_dest_ACCEPT and came back out: the only ACCEPT in that chain is the `-o br-untrusted` line, and its counter (14 packets / 1576 bytes) is exactly the OUTPUT chain's `-o br-untrusted` counter, so none of the forwarded packets were leaving via br-untrusted. The same 160 packets / 13440 bytes (84 bytes each, i.e. your pings) then fall through to the final `reject` in FORWARD. So the rules are fine and the kernel's choice of egress interface for those packets is what is wrong; that also matches your observation that it behaves the same with the firewall off.
What is the output of: ip -4 addr; ip -4 ru; ip -4 ro; ip -4 ro ls tab all

I took the liberty to correct 'ls' to 'li' in the last cmd :wink:

# ip -4 addr; ip -4 ru; ip -4 ro; ip -4 ro li tab all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.6.67.1/24 brd 10.6.67.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: br-untrusted: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.6.65.1/24 brd 10.6.65.255 scope global br-untrusted
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.6.66.5/24 brd 10.6.66.255 scope global eth0.2
       valid_lft forever preferred_lft forever
622: openvpn-server: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.1.0.1 peer 10.1.0.2/32 scope global openvpn-server
       valid_lft forever preferred_lft forever
0:	from all lookup local 
32765:	from 10.6.67.0/24 lookup 200 
32766:	from all lookup main 
32767:	from all lookup default 
default via 10.6.66.254 dev eth0.2  src 10.6.66.5 
10.1.0.2 dev openvpn-server scope link  src 10.1.0.1 
10.6.65.0/24 dev br-untrusted scope link  src 10.6.65.1 
10.6.66.0/24 dev eth0.2 scope link  src 10.6.66.5 
10.6.67.0/24 dev br-lan scope link  src 10.6.67.1 
default via 10.6.66.254 dev eth0.2  src 10.6.66.5 
10.1.0.2 dev openvpn-server scope link  src 10.1.0.1 
10.6.65.0/24 dev br-untrusted scope link  src 10.6.65.1 
10.6.66.0/24 dev eth0.2 scope link  src 10.6.66.5 
10.6.67.0/24 dev br-lan scope link  src 10.6.67.1 
local 10.1.0.1 dev openvpn-server table local scope host  src 10.1.0.1 
broadcast 10.6.65.0 dev br-untrusted table local scope link  src 10.6.65.1 
local 10.6.65.1 dev br-untrusted table local scope host  src 10.6.65.1 
broadcast 10.6.65.255 dev br-untrusted table local scope link  src 10.6.65.1 
broadcast 10.6.66.0 dev eth0.2 table local scope link  src 10.6.66.5 
local 10.6.66.5 dev eth0.2 table local scope host  src 10.6.66.5 
broadcast 10.6.66.255 dev eth0.2 table local scope link  src 10.6.66.5 
broadcast 10.6.67.0 dev br-lan table local scope link  src 10.6.67.1 
local 10.6.67.1 dev br-lan table local scope host  src 10.6.67.1 
broadcast 10.6.67.255 dev br-lan table local scope link  src 10.6.67.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 

li and ls are both shortcuts to list. Anyway, you have a rule that sends traffic from lan (10.6.67.0/24) to routing table 200, but I don't see any table 200. A lookup in a missing or empty table just falls through to the next rule (main), so it is probably harmless, but the default config doesn't create it — where did it come from?

Somehow my ip didn't like 'ls', but anyway, the table 200 rule was my fault. I added it in one of my feeble attempts to remedy the original problem, but it didn't seem to make a difference. I've since rebooted to get rid of any other non-persistent changes I might have made, and that rule is gone now, but there is still no forwarding between the two bridges.

Ok one last thing before resetting to defaults. Capture the packets between these interfaces to see what is coming in and out. Stop the firewall just in case.
Start a ping from a host in lan to a host in untrusted.
tcpdump -i any -evn "icmp and (host 10.6.67.X or host 10.6.65.Y)"

# tcpdump -i any -evn "icmp and (host 10.6.67.197 or host 10.6.65.216)"
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:14:54.889531   P d4:6d:6d:ed:de:fb ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 24286, offset 0, flags [DF], proto ICMP (1), length 84)
    10.6.67.197 > 10.6.65.216: ICMP echo request, id 18771, seq 1, length 64
22:14:54.889573 Out d4:6d:6d:ed:de:fb ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 24286, offset 0, flags [DF], proto ICMP (1), length 84)
    10.6.67.197 > 10.6.65.216: ICMP echo request, id 18771, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Is 10.6.65.216 a Windows host?

No, it's an Android phone. I verified that it has the correct gateway set and I can ping it from the router.

Can you try with some other OS that can do some packet capturing? What I can see in the tcpdump is that the packet is received and sent, but there is no response back. One thing about that capture, if I read it right: tcpdump marks the inbound copy `P`, which means a frame addressed to some other host's MAC rather than the router's, and the `Out` copy still has ttl 64 and the same IP id — a packet the router had actually routed would leave with ttl 63 and you would also expect an `In` copy on br-lan. That looks like the frame is being bridged across br-lan rather than routed, so it is worth checking on 10.6.67.197 which MAC it resolves for its gateway and which route it picks (`ip neigh`, `ip route get 10.6.65.216`).
Windows Firewall is known to drop unsolicited inbound traffic, pings included, from other subnets by default; maybe Android does the same.

I tried with a regular Linux host, same result. Nothing gets there. Where ever those packets are going, they are not coming out of that bridge.

Try it one more time with the egress interface to clear any doubt. If there is a packet there it means it is on the wire.

tcpdump -i br-untrusted -evn icmp

I've tried that lots of times before. Still nothing there. Verified that the firewall was off. Not that it makes any difference, though.

You can either troubleshoot it more, or take a backup and start from scratch. This is not normal behaviour anyway. While you are rebuilding the config, two things are worth tightening: the `untrusted` zone has `option input 'ACCEPT'` (and the `defaults` section is `input 'ACCEPT'` too), so guest clients can reach every service on the router itself — SSH, LuCI, the OpenVPN listener; set that zone's input to REJECT and allow only DHCP (udp/67) and DNS (53) from it. And `psk2+tkip+ccmp` on the two lan SSIDs still offers the deprecated TKIP cipher; plain `psk2` (CCMP only), as the guest SSID already uses, is what you want.

I've backed up my settings and did a factory reset, then manually restored the settings in question one by one. Tried the raw wlan-interface and the bridge with the VLAN ethernet device. No openvpn or any other "advanced" features yet. Still the same result. Absolutely nothing that enters the router on br-lan leaves the router on that interface (either wlan or bridge).

I'm close to giving the term 'hacking' a more literal meaning and getting the axe from the shed...

Which device is this?

Model: Netgear Nighthawk X4S R7800
Architecture: ARMv7 Processor rev 0 (v7l)
Firmware Version: OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.057.55219-13dd17f
Kernel Version: 4.14.171

I didn't notice this at the beginning, but which switch port is the CPU port? In vlan 1 you have port 1 tagged ('1t') while in vlan 3 the same port 1 is untagged, so port 1 carries VLAN 1 tagged and VLAN 3 untagged at the same time. Is there a managed switch or a tagging-capable device connected to that port, and was that mix intended?