Generic helper won't handle protocol 47

[80423.989764] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.

  • Is this a request for help?
  • This simply means that your WAN received an IP Protocol No. 47 (GRE) packet and you don't have that conntrack helper module loaded (likely since you're not using GRE).

Do you have a concern about this log message?

1 Like

I have the same message and I would like to ask if it is something I should be worried about or just ignore.

Model
Xiaomi Mi Router 3G v2
Architecture
MediaTek MT7621 ver:1 eco:3
Firmware Version
OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.146.54255-39d5f2e
Kernel Version
4.14.180

Thanks

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config redirect
	option dest_port '1234'
	option src 'wan'
	option name 'WireGuard'
	option src_dport '1234'
	option target 'DNAT'
	option dest_ip '172.28.10.75'
	option dest 'lan'
	list proto 'udp'

config redirect 'adblock_dns_53'
	option name 'Adblock DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_853'
	option name 'Adblock DNS, port 853'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_dns_5353'
	option name 'Adblock DNS, port 5353'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

And after one year, the same questions still apply for those receiving the message:

And my same response applies: