FWKNOPD not working OWRT 23.05.5

october02 · January 3, 2025, 6:56pm

FWKNOPD working on OWRT 19 but now i change my router install owrt 23.05.05 install fwknopd and it doesn work while rules appears in iptables/nft

nft list ruleset
tl:dr;
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 5699 bytes 484390 jump FWKNOP_INPUT
}

    chain FWKNOP_INPUT {
            ip saddr 85.249.18.152 tcp dport 22 xt match "comment" counter packets 0 bytes 0 accept
            ip saddr 85.249.18.152 tcp dport 80 xt match "comment" counter packets 0 bytes 0 accept
            ip saddr 85.249.18.152 tcp dport 443 xt match "comment" counter packets 1 bytes 60 accept

root@bolgenswith:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FWKNOP_INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
FWKNOP_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FWKNOP_FORWARD (1 references)
target     prot opt source               destination

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  85.249.18.152        0.0.0.0/0            tcp dpt:22 /* _exp_1735929289 */
ACCEPT     tcp  --  85.249.18.152        0.0.0.0/0            tcp dpt:80 /* _exp_1735929289 */
ACCEPT     tcp  --  85.249.18.152        0.0.0.0/0            tcp dpt:443 /* _exp_1735929289 */

the rules to access appears in iptables/nft but access doesnt work
If I make manual rules in Firewall section all worked but its unsecure

F1!

october02 · January 4, 2025, 11:50am

i tried this but also not working
but rules are appear

october02 · January 4, 2025, 12:42pm

mmm okay
1 install as above
2 carefuly check

You can check wether those will match the existing by executing

nft -a list chain inet fw4 input_wan | grep drop_from_wan
your final rule in that chain should be looking similar to below

jump drop_from_wan # handle 346

it can be drop_from_wan or reject_from_wan, it depends on drop o reject in wan-firewall settings, on my router it was "reject" so Ichange it do "drop" and all works