How to route device on lan switch through firewall

echvoyager · August 12, 2022, 1:17pm

Device is Xiaomi AX3600 running stock firmware which itself is a modified version of Openwrt 18.06. I'm using the AX3600 in Bridged AP mode, meaning its connected to a modem with built-in router that handles pppoe and dhcp while the AX3600 shares the same subnet as the main router and simply extends the signal. The caveat is that I'm running some transparent proxy software that can only be run on the AX3600 and when I connect wirelessly to the AX3600, my data is routed through the firewall and the transparent proxy is taking effect. However, if I connect to AX3600 using wired connection directly to its lan port, the data is not going through the firewall therefore the transparent proxy does not work. I'm not very well versed in network and linux firewall but I can offer any data or diagnostics that could be useful for solving my problem. Here's my nat and filter iptables rule and my network and firewall configuration.

iptables -t filter -L -v -n 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 miot_input  all  --  br-miot *       0.0.0.0/0            0.0.0.0/0           
59550 9052K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
1192K  881M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 939K  865M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   91  6020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
 252K   15M zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:7890
    0     0 ACCEPT     tcp  --  *      *       127.0.0.0/8          0.0.0.0/0            tcp dpt:7890
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            tcp dpt:7890
    0     0 ACCEPT     tcp  --  *      *       172.16.0.0/12        0.0.0.0/0            tcp dpt:7890
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7890 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 514K   92M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    0     0 DROP       all  --  br-miot *       0.0.0.0/0            0.0.0.0/0           
    8   966 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    7   882 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
59193 9014K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
1218K  846M output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
1070K  837M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    7   535 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
 147K 9134K zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_ready_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   283 macfilter_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 252K   15M macfilter_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain input_ready_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain macfilter_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain macfilter_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain miot_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:54321
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_ready_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 147K 9135K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   882 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    7   882 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    7   882 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 252K   15M input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
 222K   14M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
29934 1613K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 147K 9134K output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
 147K 9134K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
29934 1613K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ready_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_ready_dest_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_ready_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_ready_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ready forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_ready_dest_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ready_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_ready_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ready input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68 /* !fw3: DHCP for ready */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:786 /* !fw3: minet ready */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:786 /* !fw3: minet ready */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_ready_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ready_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_ready_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ready output rule chain */
    0     0 zone_ready_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68 /* !fw3: DHCP for ready */
    0     0 zone_ready_dest_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ready_src_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_dest_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_wan_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -L -v -n 
Chain PREROUTING (policy ACCEPT 80786 packets, 7008K bytes)
 pkts bytes target     prot opt in     out     source               destination         
58953 3734K clash_dns  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 104K 9043K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
 104K 9043K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
19345 1254K clash      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,53,587,465,995,993,143,80,443,8080

Chain INPUT (policy ACCEPT 65744 packets, 4167K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 115K packets, 7148K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 191K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 232K   16M postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
 232K   16M zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MINIUPNPD-POSTROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain clash (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/8           
   84  4944 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
    0     0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            100.64.0.0/10       
    0     0 RETURN     all  --  *      *       0.0.0.0/0            169.254.0.0/16      
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
   12   768 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16      
    0     0 RETURN     all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            240.0.0.0/4         
14341  933K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set cn_ip dst
 4908  316K REDIRECT   tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            redir ports 7892
    0     0 REDIRECT   tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            redir ports 7892

Chain clash_dns (1 references)
 pkts bytes target     prot opt in     out     source               destination         
58953 3734K REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 1053

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_ready_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_ready_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 232K   16M postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 104K 9043K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_ready_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_ready_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ready postrouting rule chain */

Chain zone_ready_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_ready_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ready prerouting rule chain */

Chain zone_wan_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */

cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config switch
	option name 'switch0'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option multicast_querier '0'
	option igmp_snooping '0'
	option macaddr '8c:53:c3:da:6a:6b'
	option ieee1905managed '1'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	option mtu '1500'
	list dns '192.168.1.1'
	option ifname 'eth1 eth2 eth3 eth4'

config interface 'eth1'
	option ifname 'eth1'
	option keepup '1'

config interface 'eth2'
	option ifname 'eth2'

config interface 'eth3'
	option ifname 'eth3'

config interface 'eth4'
	option ifname 'eth4'

config interface 'miot'
	option ifname 'wl13'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.32.1'
	option netmask '255.255.255.0'

cat /etc/config/firewall

config defaults
	option syn_flood '0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option drop_invalid '1'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest 'lan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'Forbidden_Wan_RA'
	option name 'Forbidden_Wan_RA'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'router-advertisement'
	option family 'ipv6'
	option target 'REJECT'

config include 'webinitrdr'
	option path '/lib/firewall.sysapi.loader webinitrdr'
	option reload '1'
	option enabled '1'

config include 'dnsmiwifi'
	option path '/lib/firewall.sysapi.loader dnsmiwifi'
	option reload '1'
	option enabled '1'

config include 'macfilter'
	option path '/lib/firewall.sysapi.loader macfilter'
	option reload '1'
	option enabled '1'

config include 'ipv6_masq'
	option path '/lib/firewall.sysapi.loader ipv6_masq'
	option reload '1'

config include 'set_tcpmss'
	option path '/lib/firewall.sysapi.loader set_tcpmss'
	option reload '1'

config include 'miot'
	option path '/lib/firewall.sysapi.loader miot'
	option reload '1'

config rule 'guest_8999'
	option name 'Hello wifi 8999'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8999'
	option target 'ACCEPT'

config rule 'guest_8300'
	option name 'Hello wifi 8300'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8300'
	option target 'ACCEPT'

config rule 'guest_7080'
	option name 'Hello wifi 7080'
	option src 'guest'
	option proto 'tcp'
	option dest_port '7080'
	option target 'ACCEPT'

config zone 'ready_zone'
	option name 'ready'
	list network 'ready'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

config rule 'ready_dhcp'
	option name 'DHCP for ready'
	option src 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'ready_dhcp_out'
	option name 'DHCP for ready'
	option dest 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule 'ready_minet_in'
	option name 'minet ready'
	option src 'ready'
	option dest_port '786'
	option proto 'tcp'
	option target 'ACCEPT'

config rule 'ready_minet_out'
	option name 'minet ready'
	option src 'ready'
	option src_port '786'
	option proto 'tcp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'IPv4'
	option reload '1'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '1'

echvoyager · August 12, 2022, 1:18pm

Any help is appreciated!

mk24 · August 12, 2022, 1:32pm

You don't show which network the wifi is using but I guess it is miot so they can be specially proxied. In that case you would just need to move one or more eth ports out of lan and into miot by changing the ifname lines.

echvoyager · August 12, 2022, 1:59pm

Sorry, forgot to add the wireless configurations, the miot network is not used at all by me.
Here is the wireless configuration:

cat /etc/config/wireless 

config wifi-device 'wifi0'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6c'
	option hwmode '11axa'
	option htmode 'HT80'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option bw '0'
	option txpwr 'max'
	option CSwOpts '0x31'

config wifi-iface
	option device 'wifi0'
	option ifname 'wl0'
	option network 'lan'
	option mode 'ap'
	option wpsdevicename 'XiaoMiRouter'
	option macfilter 'disabled'
	option miwifi_mesh '0'
	option disabled '0'
	option encryption 'psk2'
	option wnm '1'
	option rrm '1'
	option channel_block_list '52,56,60,64,149,153,157,161,165'
	option wscconfigstatus '2'

config wifi-device 'wifi1'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6b'
	option hwmode '11axg'
	option htmode 'HT40'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option txpwr 'max'

config wifi-iface
	option device 'wifi1'
	option ifname 'wl1'
	option network 'lan'
	option mode 'ap'
	option wpsdevicename 'XiaoMiRouter'
	option macfilter 'disabled'
	option encryption 'psk2'
	option disabled '0'
	option wnm '1'
	option rrm '1'
	option wscconfigstatus '2'

config wifi-device 'wifi2'
	option type 'qcawificfg80211'
	option channel 'auto'
	option macaddr '8c:53:c3:da:6a:6d'
	option hwmode '11ac'
	option htmode 'HT20'
	option disabled '0'
	option txbf '3'
	option ax '1'
	option bw '20'

config wifi-iface
	option device 'wifi2'
	option ifname 'wl2'
	option mode 'sta'
	option ssid 'MIIOT_DEV'
	option encryption 'none'
	option wpsdevicename 'XiaoMiRouter'
	option disabled '0'

config wifi-iface 'miot_2G'
	option ifname 'wl13'
	option network 'miot'
	option encryption 'none'
	option device 'wifi1'
	option mode 'ap'
	option hidden '1'
	option maxsta '20'
	option ssid '25c829b1922d3123_miwifi'
	option bsd '0'
	option ap_isolate '1'
	option userswitch '1'
	option disabled '0'
	option bindstatus '1'

config wifi-iface
	option device 'wifi0'
	option ifname 'wl5'
	option network 'lan'
	option mode 'ap'
	option channel_block_list '52,56,60,64,149,153,157,161,165'
	option ssid 'MiMesh_90eff2d3'
	option encryption 'psk2'
	option key 'c437335f03d40ed2'
	option hidden '1'
	option backhaul '1'
	option backhaul_ap '1'
	option wds '1'
	option wps_pbc '1'
	option wps_pbc_enable '0'
	option wps_pbc_start_time '0'
	option wps_pbc_duration '120'
	option group '0'
	option athnewind '1'
	option mesh_ver '2'
	option mesh_apmac '8C:53:C3:DA:6A:6B'
	option mesh_aplimit '9'
	option macfilter 'allow'
	list maclist '96:DE:F9:DF:3C:D1'
	list maclist '92:DE:F9:DF:3C:D1'
	option disabled '0'