Hi Trendy! Thank you very much for the prompt response.
The network diagram is really simple.
Cisco 4321 router > OpenWRT router with LTE module (static public IP) >>> The Internet <<< Another Cisco 4321 with a public static IP.
The GRE tunnel is between the two Ciscos.
Redacted below are the public static IP xxx.xxx.176.69/32 of one GRE endpoint and the MAC address of the OpenWRT router.
{
"kernel": "3.14.77",
"hostname": "OpenWRT",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Qualcomm Technologies, Inc. IPQ40xx\/AP-DK04.1-C1",
"release": {
"distribution": "OpenWrt",
"version": "Chaos Calmer",
"revision": "r35193",
"codename": "chaos_calmer",
"target": "ipq806x\/generic",
"description": "OpenWrt Chaos Calmer 15.05.1"
}
}
package network
# Loopback.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'auto'
# LAN: a bridge over eth1 (the switch's VLAN 1 ports end up here), 192.168.1.1/24.
# The MTU is pinned to 1430 on lan, wan and LTE alike, so the LTE path MTU is
# carried through to the LAN side. 'ieee1905managed' and 'provision_macaddr'
# are not stock OpenWrt interface options -- presumably vendor additions; verify.
config interface 'lan'
option ifname 'eth1'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option macaddr 'XX:XX:XX:24:31:F0'
option ieee1905managed '1'
option mtu '1430'
# WAN: Ethernet uplink on eth0 via DHCP. The firewall package below puts
# 'wan wan6 LTE' into one zone, so eth0 and usb0 are treated alike there.
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option macaddr 'XX:XX:XX:24:31:F1'
option provision_macaddr 'XX:XX:XX:24:31:F1'
option mtu '1430'
# Switch: VLAN 1 = ports 1-4, VLAN 2 = port 5, CPU port 0 tagged on both.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 1 2 3 4'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
# Per-port QoS priority taken from DSCP on ports 1-5. 'switch_ext' is not a
# core OpenWrt section type -- looks like a QCA switch-driver extension; confirm.
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '1'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '2'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '3'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '4'
option mode 'dscp'
option status 'enable'
config switch_ext
option device 'switch0'
option name 'QosPtMode'
option port_id '5'
option mode 'dscp'
option status 'enable'
# LTE uplink: the cellular module appears as usb0 and is addressed via DHCP
# (the ip output further down shows it holding the public /24 address).
config interface 'LTE'
option ifname 'usb0'
option proto 'dhcp'
option mtu '1430'
package firewall
# Global policy is ACCEPT for input, output and forward. 'drop_invalid' is not
# set in this section, so fw3's default applies; /etc/firewall.user reads it
# with 'uci get firewall.@defaults[0].drop_invalid' and only adds its GRE
# accepts when it is '1'.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option disabled '0'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Internet-facing zone (eth0 and the LTE usb0). NOTE(review): input is ACCEPT,
# so anything arriving from the LTE side that no explicit rule below DROPs is
# delivered to the router itself; stock OpenWrt uses REJECT here. Only tcp/80
# (wan_limit) and tcp/23 (wan_telnet) are dropped; 443, 50080 and 22 are
# explicitly accepted. 'wan6' is referenced but no such interface is in the
# network package pasted above (the paste may be partial).
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 LTE'
config forwarding
option src 'lan'
option dest 'wan'
# Custom iptables rules; this is where the GRE accepts for drop_invalid live.
config include
option path '/etc/firewall.user'
config rule
option enabled '1'
option src 'wan'
option name 'wan_limit'
option family 'ipv4'
option proto 'tcp'
option dest_port '80'
option target 'DROP'
# 'SDWAN' zone: no interface named SDWAN exists in the network package above,
# and the iptables dump shows no delegate_* jump into the zone_SDWAN_* chains,
# so this zone is currently inert.
config zone
option name 'SDWAN'
option network 'SDWAN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'SDWAN'
option dest 'wan'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
# 'Alg_*_pt_*' rules: DROP VPN passthrough from lan to wan (PPTP control and
# GRE, L2TP, IKE/NAT-T over tcp, ESP, AH). NOTE(review): Alg_pptp_pt_2 drops
# IP protocol 47 -- GRE -- for every lan->wan flow, which is exactly the
# tunnel traffic transiting this router; the dump below shows its
# zone_wan_dest_DROP counter already non-zero. Worth disabling or scoping
# before looking further at drop_invalid.
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_pptp_pt_1'
option family 'ipv4'
option proto 'tcp'
option dest_port '1723'
option target 'DROP'
option enabled '1'
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_pptp_pt_2'
option family 'ipv4'
option proto '47'
option target 'DROP'
option enabled '1'
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_l2tp_pt'
option family 'ipv4'
option proto 'tcp'
option dest_port '1701'
option target 'DROP'
option enabled '1'
# IKE (500) and NAT-T (4500) are normally UDP; these match tcp only, so they
# do not actually block IPsec negotiation -- presumably intended, confirm.
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_ipsec_pt_1'
option family 'ipv4'
option proto 'tcp'
option dest_port '500'
option target 'DROP'
option enabled '1'
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_ipsec_pt_2'
option family 'ipv4'
option proto 'tcp'
option dest_port '4500'
option target 'DROP'
option enabled '1'
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_ipsec_pt_3'
option family 'ipv4'
option proto '50'
option target 'DROP'
option enabled '1'
config rule
option src 'lan'
option dest 'wan'
option name 'Alg_ipsec_pt_4'
option family 'ipv4'
option proto '51'
option target 'DROP'
option enabled '1'
# Management exposure on the public LTE address: tcp/443 and tcp/50080 are
# accepted from wan (both rules share the name 'web_manager_allow', which
# makes them hard to tell apart in logs/uci). The http_limit DROP rules that
# would close them are disabled.
config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option name 'web_manager_allow'
option family 'ipv4'
option proto 'tcp'
option dest_port '443'
config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option name 'web_manager_allow'
option family 'ipv4'
option proto 'tcp'
option dest_port '50080'
config rule
option enabled '0'
option target 'DROP'
option src 'wan'
option name 'http_limit'
option family 'ipv4'
option proto 'tcp'
option dest_port '50080'
config rule
option enabled '0'
option target 'DROP'
option src 'wan'
option name 'http_limit_ssl'
option family 'ipv4'
option proto 'tcp'
option dest_port '443'
config rule
option enabled '1'
option target 'DROP'
option src 'wan'
option name 'wan_telnet'
option family 'ipv4'
option proto 'tcp'
option dest_port '23'
# SSH is reachable from the wan side. With input already ACCEPT this rule is
# redundant, but it documents the intent; it would matter once the zone
# default is tightened to REJECT.
config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option name 'ssh_wan'
option family 'ipv4'
option proto 'tcp'
option dest_port '22'
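# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
. /lib/functions.sh
. /lib/functions/network.sh
. /sbin/common_lib.sh

# add_rule_once CHAIN RULE...: insert RULE at the top of CHAIN unless an
# identical rule is already there. The running ruleset already shows the
# GRE accepts twice in input_rule/output_rule, so this file (or the fw3
# reload around it) evidently runs more than once per firewall start.
add_rule_once() {
	chain="$1"
	shift
	iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# fw3 reads drop_invalid from the first 'defaults' section; -q keeps uci
# silent when the option is unset (the variable is then empty and the
# block below is skipped, as before).
drop_invalid="$(uci -q get firewall.@defaults[0].drop_invalid)"
if [ "$drop_invalid" = "1" ]; then
	# The GRE tunnel terminates on the two Cisco routers, so on this box
	# the tunnel packets are forwarded, never delivered locally: an ACCEPT
	# in input_rule/output_rule does not see them. forwarding_rule is the
	# user chain fw3 dispatches first from delegate_forward (before its
	# own conntrack rules and before zone_lan_forward, where Alg_pptp_pt_2
	# drops protocol 47 lan->wan). Where the INVALID drop sits relative to
	# this is taken from fw3 behaviour, not from the pasted dump -- confirm.
	# Prefer narrowing this with -s/-d <tunnel-endpoint> (placeholder)
	# instead of accepting all GRE transit.
	add_rule_once forwarding_rule -p 47 -j ACCEPT
	# Keep local delivery/origination for GRE addressed to the router itself.
	add_rule_once input_rule -p 47 -j ACCEPT
	add_rule_once output_rule -p 47 -j ACCEPT
fi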
# Generated by iptables-save v1.4.21 on Tue Sep 1 10:15:59 2020
# nat table: fw3 zone dispatch plus the miniupnpd include. Only the lan and
# wan zones are wired to interfaces below; the zone_SDWAN_* chains exist but
# nothing jumps to them (no SDWAN interface is defined in the network config).
*nat
:PREROUTING ACCEPT [856:53459]
:INPUT ACCEPT [90:5784]
:OUTPUT ACCEPT [106:8886]
:POSTROUTING ACCEPT [284:16788]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_SDWAN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_SDWAN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_SDWAN_postrouting - [0:0]
:zone_SDWAN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7619:380313] -A PREROUTING -j delegate_prerouting
[8143:474832] -A POSTROUTING -j delegate_postrouting
[8143:474832] -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
[6559:342313] -A delegate_postrouting -o br-lan -j zone_lan_postrouting
# Both uplinks (eth0 and usb0) belong to the wan zone; only usb0 carries traffic here.
[0:0] -A delegate_postrouting -o eth0 -j zone_wan_postrouting
[1343:117319] -A delegate_postrouting -o usb0 -j zone_wan_postrouting
[7619:380313] -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
[589:39846] -A delegate_prerouting -i br-lan -j zone_lan_prerouting
[0:0] -A delegate_prerouting -i eth0 -j zone_wan_prerouting
[7030:340467] -A delegate_prerouting -i usb0 -j zone_wan_prerouting
[0:0] -A zone_SDWAN_postrouting -m comment --comment "user chain for postrouting" -j postrouting_SDWAN_rule
[0:0] -A zone_SDWAN_prerouting -m comment --comment "user chain for prerouting" -j prerouting_SDWAN_rule
[6559:342313] -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
[589:39846] -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
[1343:117319] -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
# 'masq 1' on the wan zone: everything leaving via usb0/eth0 is source-NATed.
[1343:117319] -A zone_wan_postrouting -j MASQUERADE
# UPnP DNAT chain from the miniupnpd include; it holds no rules in this dump.
[7030:340467] -A zone_wan_prerouting -j MINIUPNPD
[7030:340467] -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Tue Sep 1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep 1 10:15:59 2020
# raw table: conntrack bypass for the passthrough traffic. Every rule appears
# twice (the second copy with zero counters), i.e. whatever installs them ran
# again without checking for an existing rule ('iptables -C'). Exempted from
# conntrack: UDP from the passthrough address, TCP from it arriving on
# br-lan, and all inbound TCP on usb0. GRE (protocol 47) is NOT exempted, so
# the tunnel packets are the traffic still subject to conntrack's INVALID
# verdict -- and hence to fw3's drop_invalid. Plausible cause, not proven
# from this dump.
*raw
:PREROUTING ACCEPT [78921:7044608]
:OUTPUT ACCEPT [7079:765445]
:delegate_notrack - [0:0]
[4:190] -A PREROUTING -s xxx.xxx.176.69/32 -p udp -j CT --notrack
[4:190] -A PREROUTING -s xxx.xxx.176.69/32 -p udp -j CT --notrack
# SYN and SYN/ACK are ACCEPTed here (left to conntrack) before the blanket
# TCP notrack below; presumably so the handshake is still tracked -- confirm.
[112:5824] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[22:1168] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[7364:302668] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[8640:381736] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[21332:1703707] -A PREROUTING -s xxx.xxx.176.69/32 -i br-lan -p tcp -j CT --notrack
[23732:1321893] -A PREROUTING -i usb0 -p tcp -j CT --notrack
# Duplicate copies of the six rules above (never matched).
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[0:0] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[21332:1703707] -A PREROUTING -s xxx.xxx.176.69/32 -i br-lan -p tcp -j CT --notrack
[23732:1321893] -A PREROUTING -i usb0 -p tcp -j CT --notrack
# fw3's notrack chain; empty because no zone sets 'conntrack'/'notrack' options.
[78921:7044608] -A PREROUTING -j delegate_notrack
COMMIT
# Completed on Tue Sep 1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep 1 10:15:59 2020
# mangle table: IP-passthrough marking ('we', 'on') plus MSS clamping. The
# jumps to we/on/pn and the rules inside them are all installed twice -- same
# re-run symptom as in the raw table. The qos_Default* chains are defined but
# no rule in this dump jumps to them.
*mangle
:PREROUTING ACCEPT [94529:7711604]
:INPUT ACCEPT [8226:810589]
:FORWARD ACCEPT [85866:6875194]
:OUTPUT ACCEPT [7093:768289]
:POSTROUTING ACCEPT [93120:7709881]
:fwmark - [0:0]
:mssfix - [0:0]
:on - [0:0]
:pn - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
:we - [0:0]
[100381:8285002] -A PREROUTING -j we
[100381:8285002] -A PREROUTING -j we
[94532:7711744] -A PREROUTING -j fwmark
[85868:6875282] -A FORWARD -j mssfix
[11188:2074728] -A OUTPUT -j on
[11188:2074728] -A OUTPUT -j on
# MSS is clamped here twice, again in 'pn' twice and once more in 'mssfix'
# (fw3 mtu_fix); harmless but redundant.
[16548:715568] -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[16542:741800] -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[98930:9132358] -A POSTROUTING -j pn
[98930:9132358] -A POSTROUTING -j pn
[0:0] -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
[8571:379532] -A mssfix -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
# 'on': connections the router itself originates towards usb0 get connmark
# 0x3; 'we' below uses that mark to keep their replies out of passthrough.
[16652:3402942] -A on -o usb0 -j CONNMARK --set-xmark 0x3/0xffffffff
[16652:3402942] -A on -o usb0 -m connmark --mark 0x3 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[16652:3402942] -A on -o usb0 -j CONNMARK --set-xmark 0x3/0xffffffff
[16652:3402942] -A on -o usb0 -m connmark --mark 0x3 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[33082:1483480] -A pn -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[33082:1483480] -A pn -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xf0 --ctmask 0xf0
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
# 'we': passthrough classifier. Inbound traffic on usb0 for the public address
# is marked 0xb and traffic from that address on br-lan is marked 0x16; the
# ip rules further down route 0xb via rt-lan (to 192.168.1.254, the Cisco) and
# 0x16 via rt-wan. The RETURNs carve out what stays on the router itself:
# DHCP from the LAN, tcp/50080, tcp/443 and tcp/7547 (the latter is the usual
# TR-069/CWMP port -- confirm what listens), ICMP echo, and replies to the
# router's own connections (connmark 0x3). Those exempted ports are therefore
# reachable on the public address, subject only to the filter table.
[4:1372] -A we -i br-lan -p udp -m udp --sport 68 --dport 67 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 50080 -j RETURN
[8312:896156] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 443 -j RETURN
[1090:86596] -A we -i usb0 -p icmp -m icmp --icmp-type 8 -j RETURN
[20:1020] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 7547 -j RETURN
[7008:607388] -A we -i usb0 -m connmark --mark 0x3 -j RETURN
[83900:6010426] -A we -d xxx.xxx.176.69/32 -i usb0 -j MARK --set-xmark 0xb/0xffffffff
[90942:7977578] -A we -s xxx.xxx.176.69/32 -i br-lan -j MARK --set-xmark 0x16/0xffffffff
[0:0] -A we -i br-lan -p udp -m udp --sport 68 --dport 67 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 50080 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 443 -j RETURN
[0:0] -A we -i usb0 -p icmp -m icmp --icmp-type 8 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 7547 -j RETURN
[0:0] -A we -i usb0 -m connmark --mark 0x3 -j RETURN
[83900:6010426] -A we -d xxx.xxx.176.69/32 -i usb0 -j MARK --set-xmark 0xb/0xffffffff
[90942:7977578] -A we -s xxx.xxx.176.69/32 -i br-lan -j MARK --set-xmark 0x16/0xffffffff
COMMIT
# Completed on Tue Sep 1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep 1 10:15:59 2020
# filter table. Built-in policies are ACCEPT and no '-m conntrack --ctstate
# INVALID -j DROP' rule is present in any delegate_* chain, so this dump was
# taken with fw3 drop_invalid off. FORWARD and OUTPUT each carry 21 jumps to
# the same error_*_lteip_drop chain: something prepends a jump on every run
# (hotplug/reload?) without checking whether one exists -- functionally
# harmless, but it grows without bound and hides the real rule order.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [5932:466843]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:error_forward_lteip_drop - [0:0]
:error_output_lteip_drop - [0:0]
:forwarding_SDWAN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_SDWAN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_SDWAN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_SDWAN_dest_ACCEPT - [0:0]
:zone_SDWAN_forward - [0:0]
:zone_SDWAN_input - [0:0]
:zone_SDWAN_output - [0:0]
:zone_SDWAN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[8239:811121] -A INPUT -j delegate_input
[12132:1094280] -A FORWARD -j error_forward_lteip_drop
[6887:509492] -A FORWARD -j error_forward_lteip_drop
[7596:541964] -A FORWARD -j error_forward_lteip_drop
[7890:554918] -A FORWARD -j error_forward_lteip_drop
[8354:573621] -A FORWARD -j error_forward_lteip_drop
[8928:601021] -A FORWARD -j error_forward_lteip_drop
[9671:634872] -A FORWARD -j error_forward_lteip_drop
[10621:675916] -A FORWARD -j error_forward_lteip_drop
[11490:713928] -A FORWARD -j error_forward_lteip_drop
[11375:709474] -A FORWARD -j error_forward_lteip_drop
[12040:737877] -A FORWARD -j error_forward_lteip_drop
[13337:828635] -A FORWARD -j error_forward_lteip_drop
[13930:837001] -A FORWARD -j error_forward_lteip_drop
[41366:3394909] -A FORWARD -j error_forward_lteip_drop
[50026:3930354] -A FORWARD -j error_forward_lteip_drop
[41765:3010468] -A FORWARD -j error_forward_lteip_drop
[40433:2895836] -A FORWARD -j error_forward_lteip_drop
[41091:2925317] -A FORWARD -j error_forward_lteip_drop
# Passthrough exemption from conntrack validity: TCP carrying the 0x16/0xb
# marks is accepted even when conntrack says INVALID. Note this covers TCP
# only -- there is no equivalent for GRE (protocol 47), so once drop_invalid
# adds its INVALID drop to delegate_forward, the tunnel packets are the
# traffic left exposed to it. Likely the mechanism behind "drop_invalid
# breaks GRE"; verify by logging what the INVALID rule matches.
[13:572] -A FORWARD -s xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0xb -j ACCEPT
[0:0] -A FORWARD -s xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0xb -j ACCEPT
[42990:3063061] -A FORWARD -j error_forward_lteip_drop
[41869:2982474] -A FORWARD -j error_forward_lteip_drop
[41869:2982474] -A FORWARD -j error_forward_lteip_drop
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# fw3's own forward handling starts here; everything above it is vendor/custom.
[40930:2925296] -A FORWARD -j delegate_forward
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[648:86075] -A OUTPUT -j error_output_lteip_drop
[1136:139696] -A OUTPUT -j error_output_lteip_drop
[1558:181248] -A OUTPUT -j error_output_lteip_drop
[1901:215424] -A OUTPUT -j error_output_lteip_drop
[2232:249325] -A OUTPUT -j error_output_lteip_drop
[2614:295654] -A OUTPUT -j error_output_lteip_drop
[2958:331160] -A OUTPUT -j error_output_lteip_drop
[3285:364937] -A OUTPUT -j error_output_lteip_drop
[3637:410792] -A OUTPUT -j error_output_lteip_drop
[4025:450646] -A OUTPUT -j error_output_lteip_drop
[4367:486400] -A OUTPUT -j error_output_lteip_drop
[4734:523362] -A OUTPUT -j error_output_lteip_drop
[5077:561299] -A OUTPUT -j error_output_lteip_drop
[5427:599595] -A OUTPUT -j error_output_lteip_drop
[5830:650446] -A OUTPUT -j error_output_lteip_drop
[6245:689508] -A OUTPUT -j error_output_lteip_drop
[6583:724880] -A OUTPUT -j error_output_lteip_drop
[7008:764842] -A OUTPUT -j error_output_lteip_drop
[11211:2081884] -A OUTPUT -j error_output_lteip_drop
[11340:2104131] -A OUTPUT -j error_output_lteip_drop
[11342:2104274] -A OUTPUT -j error_output_lteip_drop
[7115:775385] -A OUTPUT -j delegate_output
# delegate_forward: the forwarding_rule user chain (/etc/firewall.user's
# natural home for transit traffic) is evaluated first, before the
# RELATED,ESTABLISHED accept and before the zone dispatch.
[40930:2925296] -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
[535:22756] -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1:124] -A delegate_forward -i br-lan -j zone_lan_forward
[0:0] -A delegate_forward -i eth0 -j zone_wan_forward
[40394:2902416] -A delegate_forward -i usb0 -j zone_wan_forward
[2280:271242] -A delegate_input -i lo -j ACCEPT
[5959:539879] -A delegate_input -m comment --comment "user chain for input" -j input_rule
[3506:303950] -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[65:3128] -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
[1430:144170] -A delegate_input -i br-lan -j zone_lan_input
[0:0] -A delegate_input -i eth0 -j zone_wan_input
[1023:91759] -A delegate_input -i usb0 -j zone_wan_input
[2280:271242] -A delegate_output -o lo -j ACCEPT
[4835:504143] -A delegate_output -m comment --comment "user chain for output" -j output_rule
[3308:346461] -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[183:43205] -A delegate_output -o br-lan -j zone_lan_output
[0:0] -A delegate_output -o eth0 -j zone_wan_output
[1344:114477] -A delegate_output -o usb0 -j zone_wan_output
# Egress anti-spoofing on the LTE link: only the public /24 and the LAN /24
# may be forwarded out usb0, and the router's own output must come from the
# /30. Note the unredacted 107.125.176.0/24 here and in the ip output below.
[5867:603684] -A error_forward_lteip_drop -s 107.125.176.0/24 -o usb0 -j ACCEPT
[249:19007] -A error_forward_lteip_drop -s 192.168.1.0/24 -o usb0 -j ACCEPT
[17:1542] -A error_forward_lteip_drop -o usb0 -j DROP
[0:0] -A error_output_lteip_drop ! -s 107.125.176.68/30 -o usb0 -j DROP
# From /etc/firewall.user (installed twice). These only affect GRE that
# terminates on the router; transit GRE goes through forwarding_rule, which
# is empty.
[0:0] -A input_rule -p gre -j ACCEPT
[0:0] -A input_rule -p gre -j ACCEPT
[0:0] -A output_rule -p gre -j ACCEPT
[0:0] -A output_rule -p gre -j ACCEPT
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -j REJECT --reject-with icmp-port-unreachable
[65:3128] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
[0:0] -A syn_flood -j DROP
[0:0] -A zone_SDWAN_forward -m comment --comment "user chain for forwarding" -j forwarding_SDWAN_rule
[0:0] -A zone_SDWAN_forward -m comment --comment "forwarding SDWAN -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_SDWAN_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_SDWAN_forward -j zone_SDWAN_dest_ACCEPT
[0:0] -A zone_SDWAN_input -m comment --comment "user chain for input" -j input_SDWAN_rule
[0:0] -A zone_SDWAN_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[0:0] -A zone_SDWAN_input -j zone_SDWAN_src_ACCEPT
[0:0] -A zone_SDWAN_output -m comment --comment "user chain for output" -j output_SDWAN_rule
[0:0] -A zone_SDWAN_output -j zone_SDWAN_dest_ACCEPT
[183:43205] -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
[1:124] -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
# Alg_pptp_pt_2: GRE from the LAN towards wan is DROPped, and the counter
# shows it has already matched. For a GRE tunnel between the two Ciscos that
# transits this router, this rule blocks it regardless of drop_invalid.
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 1723 -m comment --comment Alg_pptp_pt_1 -j zone_wan_dest_DROP
[1:124] -A zone_lan_forward -p gre -m comment --comment Alg_pptp_pt_2 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 1701 -m comment --comment Alg_l2tp_pt -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 500 -m comment --comment Alg_ipsec_pt_1 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 4500 -m comment --comment Alg_ipsec_pt_2 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p esp -m comment --comment Alg_ipsec_pt_3 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p ah -m comment --comment Alg_ipsec_pt_4 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -j zone_lan_dest_ACCEPT
[1430:144170] -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[1430:144170] -A zone_lan_input -j zone_lan_src_ACCEPT
[183:43205] -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
[183:43205] -A zone_lan_output -j zone_lan_dest_ACCEPT
[1430:144170] -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
[1344:114477] -A zone_wan_dest_ACCEPT -o usb0 -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0 -j DROP
[1:124] -A zone_wan_dest_DROP -o usb0 -j DROP
[40394:2902416] -A zone_wan_forward -j MINIUPNPD
[40394:2902416] -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[40394:2902416] -A zone_wan_forward -j zone_wan_dest_ACCEPT
# zone_wan_input: the wan zone's input policy is ACCEPT, so after the two
# explicit DROPs (tcp/80, tcp/23) the chain falls through to
# zone_wan_src_ACCEPT, which accepts everything else arriving on usb0/eth0
# (554 packets took that path). The 443/50080/22 ACCEPTs are redundant today
# and become the actual allow-list only if the policy is changed to REJECT.
[1023:91759] -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
[0:0] -A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment wan_limit -j DROP
[469:36945] -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment web_manager_allow -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 50080 -m comment --comment web_manager_allow -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 23 -m comment --comment wan_telnet -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment ssh_wan -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[554:54814] -A zone_wan_input -j zone_wan_src_ACCEPT
[1344:114477] -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
[1344:114477] -A zone_wan_output -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0 -j ACCEPT
[554:54814] -A zone_wan_src_ACCEPT -i usb0 -j ACCEPT
COMMIT
# Completed on Tue Sep 1 10:15:59 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: usb0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1430 qdisc hyfi_pfifo_fast state UP group default qlen 1000
inet xxx.xxx.176.69/24 brd 107.125.176.255 scope global usb0
valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1430 qdisc noqueue state UP group default
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 107.125.176.1 dev usb0 table rt-usb0
107.125.176.0/24 dev usb0 table rt-usb0 scope link
192.168.1.0/24 dev br-lan table rt-br-lan proto kernel scope link src 192.168.1.1
192.168.1.254 dev br-lan table rt-static scope link
xxx.xxx.176.69 via 192.168.1.254 dev br-lan table rt-lan
default via 107.125.176.1 dev usb0 table rt-wan
107.125.176.0/24 dev usb0 table rt-wan scope link
107.125.176.0/24 dev usb0 proto kernel scope link src xxx.xxx.176.69
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 107.125.176.0 dev usb0 table local proto kernel scope link src xxx.xxx.176.69
local xxx.xxx.176.69 dev usb0 table local proto kernel scope host src xxx.xxx.176.69
broadcast 107.125.176.255 dev usb0 table local proto kernel scope link src xxx.xxx.176.69
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0: from all lookup 128
0: from all fwmark 0xb lookup rt-lan
0: from all fwmark 0x16 lookup rt-wan
1: from all lookup local
1000: from 192.168.1.254 lookup rt-static
10102: from all to 107.77.79.57 lookup rt-usb0
10202: from all to 107.77.79.58 lookup rt-usb0
10302: from xxx.xxx.176.69 lookup rt-usb0
10350: from all lookup rt-br-lan
30001: from all lookup rt-usb0
30003: from all lookup rt-usb0
32766: from all lookup main
32767: from all lookup default
That said, somehow enabling drop_invalid breaks the GRE tunnel. I found a line containing "drop_invalid" in the /sbin/fw3 binary. Something must be going on there, but I'm not sure what exactly. I appreciate your help.