Iptables uses wrong interface on boot

Using latest snapshots from git on D-Link DIR-878, it looks like now the iptables rules are using the wrong interface name on boot, "pppoe-wan" instead of "wan", and I have no internet access until I hit "Firewall restart" then all the rules correctly use "wan" again and it works... Any idea what's happening?


Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
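Remember to redact passwords, MAC addresses and any public IP addresses you may have. The uci exports print the PPPoE password, the WireGuard private_key and the Wi-Fi key in clear text, and the ip and iptables-save output can contain your public WAN address.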

# Diagnostic bundle for a forum post: board info, UCI configuration, the custom
# firewall script, the loaded ruleset, IPv4 addressing/routing and the resolver
# files, printed in that order.
# The uci exports print stored credentials (PPPoE password, WireGuard
# private_key, Wi-Fi key) in clear text; redact them before posting.
ubus call system board

# Configuration packages exactly as UCI stores them.
for pkg in network wireless dhcp firewall; do
    uci export "$pkg"
done

# User-supplied rules that are executed on every firewall (re-)start.
head -n -0 /etc/firewall.user

# Loaded ruleset with per-rule packet/byte counters (-c); the counters show
# which interface matches are actually being hit.
iptables-save -c

# IPv4 addresses, all routing tables and the policy rules. The address list
# includes the public WAN address.
ip -4 addr
ip -4 ro li tab all
ip -4 ru

# Resolver files: where the symlinks point, then the contents of each file.
ls -l  /etc/resolv.* /tmp/resolv.*
head -n -0 /etc/resolv.* /tmp/resolv.*

You can run it once after the reboot and one more time after the restart of the firewall.


Just after reboot:

{
	"kernel": "5.4.68",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DIR-878 A1",
	"board_name": "dlink,dir-878-a1",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r14612-18acf62be1",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r14612-18acf62be1"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:44e7:7e3a::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan1 lan2 lan3 lan4'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'

config interface 'wan'
	option ifname 'wan'
	option proto 'pppoe'
	option username 'xxxxxxxxxxxxxx@wba.nbnonline.com.au'
	option password 'xxxxxxxxxxxxxx'
	option ipv6 '0'
	option keepalive '5 30'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

config wireguard_wg0
	option description 'SXTZ-A5'
	list allowed_ips '10.10.10.2/24'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxxxxxxxxxxxxx'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option country 'AU'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxx'
	option ssid 'xxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'VHT80'
	option country 'AU'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxxxxxxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxx'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option ip '10.1.1.6'
	option name 'sxtz-nas'

config host
	option name 'nas'
	option dns '1'
	option mac '00:08:9B:BD:AE:1A'
	option ip '10.1.1.6'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'Golem-3282'
	list proto 'tcp'
	option src 'wan'
	option src_dport '3282'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '3282'

config redirect
	option target 'DNAT'
	option name 'Golem-40102'
	list proto 'tcp'
	option src 'wan'
	option src_dport '40102'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '40102'

config redirect
	option target 'DNAT'
	option name 'Golem-40103'
	list proto 'tcp'
	option src 'wan'
	option src_dport '40103'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '40103'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:34:45 2020
*nat
:PREROUTING ACCEPT [1403:119326]
:INPUT ACCEPT [666:52197]
:OUTPUT ACCEPT [322:25021]
:POSTROUTING ACCEPT [856:46381]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1403:119326] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1312:112849] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[856:46381] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[543:24792] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[543:24792] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1312:112849] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282" -j DNAT --to-destination 10.1.1.151:3282
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102" -j DNAT --to-destination 10.1.1.151:40102
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103" -j DNAT --to-destination 10.1.1.151:40103
COMMIT
# Completed on Fri Oct  2 13:34:45 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:34:45 2020
*raw
:PREROUTING ACCEPT [3472:386585]
:OUTPUT ACCEPT [3217:442730]
:zone_lan_helper - [0:0]
[2650:216807] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Fri Oct  2 13:34:45 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:34:45 2020
*mangle
:PREROUTING ACCEPT [3472:386585]
:INPUT ACCEPT [2729:318583]
:FORWARD ACCEPT [583:48421]
:OUTPUT ACCEPT [3217:442730]
:POSTROUTING ACCEPT [3217:442730]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Oct  2 13:34:45 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:34:45 2020
*filter
:INPUT ACCEPT [89:4557]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [142:9073]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[378:41176] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2351:277407] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1560:214423] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[44:2056] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[702:58427] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[583:48421] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[583:48421] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[583:48421] -A FORWARD -m comment --comment "!fw3" -j reject
[378:41176] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2839:401554] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2646:347339] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[51:45142] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[540:32139] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[43:16282] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[44:2056] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[51:45142] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[583:48421] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[583:48421] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[583:48421] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[702:58427] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[702:58427] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[51:45142] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[51:45142] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[702:58427] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-Wireguard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct  2 13:34:45 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.10.10.1/24 brd 10.10.10.255 scope global wg0
       valid_lft forever preferred_lft forever
19: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 125.168.226.250 peer 202.138.24.237/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 202.138.24.237 dev pppoe-wan proto static 
10.1.1.0/24 dev br-lan proto kernel scope link src 10.1.1.1 
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1 
202.138.24.237 dev pppoe-wan proto kernel scope link src 125.168.226.250 
broadcast 10.1.1.0 dev br-lan table local proto kernel scope link src 10.1.1.1 
local 10.1.1.1 dev br-lan table local proto kernel scope host src 10.1.1.1 
broadcast 10.1.1.255 dev br-lan table local proto kernel scope link src 10.1.1.1 
broadcast 10.10.10.0 dev wg0 table local proto kernel scope link src 10.10.10.1 
local 10.10.10.1 dev wg0 table local proto kernel scope host src 10.10.10.1 
broadcast 10.10.10.255 dev wg0 table local proto kernel scope link src 10.10.10.1 
local 125.168.226.250 dev pppoe-wan table local proto kernel scope host src 125.168.226.250 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Sep 30 08:06 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Oct  2 13:22 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            50 Oct  2 13:22 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            66 Oct  2 13:22 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 203.134.24.70
nameserver 203.134.26.70

==> /tmp/resolv.conf <==
# Interface wan
nameserver 203.134.24.70
nameserver 203.134.26.70

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 203.134.24.70
nameserver 203.134.26.70

After hitting Restart Firewall:

{
	"kernel": "5.4.68",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DIR-878 A1",
	"board_name": "dlink,dir-878-a1",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r14612-18acf62be1",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r14612-18acf62be1"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:44e7:7e3a::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan1 lan2 lan3 lan4'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'

config interface 'wan'
	option ifname 'wan'
	option proto 'pppoe'
	option username 'xxxxxxxxxxxxxx@wba.nbnonline.com.au'
	option password 'xxxxxxxxxxxxxx'
	option ipv6 '0'
	option keepalive '5 30'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

config wireguard_wg0
	option description 'SXTZ-A5'
	list allowed_ips '10.10.10.2/24'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxxxxxxxxxxxxx'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option country 'AU'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxx'
	option ssid 'xxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'VHT80'
	option country 'AU'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxxxxxxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxx'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option ip '10.1.1.6'
	option name 'sxtz-nas'

config host
	option name 'nas'
	option dns '1'
	option mac '00:08:9B:BD:AE:1A'
	option ip '10.1.1.6'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'Golem-3282'
	list proto 'tcp'
	option src 'wan'
	option src_dport '3282'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '3282'

config redirect
	option target 'DNAT'
	option name 'Golem-40102'
	list proto 'tcp'
	option src 'wan'
	option src_dport '40102'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '40102'

config redirect
	option target 'DNAT'
	option name 'Golem-40103'
	list proto 'tcp'
	option src 'wan'
	option src_dport '40103'
	option dest 'lan'
	option dest_ip '10.1.1.151'
	option dest_port '40103'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:42:02 2020
*nat
:PREROUTING ACCEPT [103:7829]
:INPUT ACCEPT [28:1950]
:OUTPUT ACCEPT [48:4578]
:POSTROUTING ACCEPT [18:2503]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[104:7905] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[77:6145] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[27:1760] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[101:8981] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[7:1681] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[79:6270] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[7:1681] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282 (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.10.10.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282 (reflection)" -j SNAT --to-source 10.10.10.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102 (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.10.10.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102 (reflection)" -j SNAT --to-source 10.10.10.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103 (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.10.10.0/24 -d 10.1.1.151/32 -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103 (reflection)" -j SNAT --to-source 10.10.10.1
[77:6145] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282 (reflection)" -j DNAT --to-destination 10.1.1.151:3282
[0:0] -A zone_lan_prerouting -s 10.10.10.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282 (reflection)" -j DNAT --to-destination 10.1.1.151:3282
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102 (reflection)" -j DNAT --to-destination 10.1.1.151:40102
[0:0] -A zone_lan_prerouting -s 10.10.10.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102 (reflection)" -j DNAT --to-destination 10.1.1.151:40102
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103 (reflection)" -j DNAT --to-destination 10.1.1.151:40103
[0:0] -A zone_lan_prerouting -s 10.10.10.0/24 -d 125.168.226.250/32 -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103 (reflection)" -j DNAT --to-destination 10.1.1.151:40103
[79:6270] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[79:6270] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[79:6270] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[27:1760] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3282 -m comment --comment "!fw3: Golem-3282" -j DNAT --to-destination 10.1.1.151:3282
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 40102 -m comment --comment "!fw3: Golem-40102" -j DNAT --to-destination 10.1.1.151:40102
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 40103 -m comment --comment "!fw3: Golem-40103" -j DNAT --to-destination 10.1.1.151:40103
[26:1684] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Oct  2 13:42:02 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:42:02 2020
*raw
:PREROUTING ACCEPT [12007:4932805]
:OUTPUT ACCEPT [2544:856812]
:zone_lan_helper - [0:0]
[6963:2365981] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Fri Oct  2 13:42:02 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:42:02 2020
*mangle
:PREROUTING ACCEPT [12008:4932857]
:INPUT ACCEPT [2610:234709]
:FORWARD ACCEPT [9379:4696828]
:OUTPUT ACCEPT [2545:856864]
:POSTROUTING ACCEPT [11924:5553692]
[41:2460] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[21:1228] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Oct  2 13:42:02 2020
# Generated by iptables-save v1.8.4 on Fri Oct  2 13:42:02 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[28:2588] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2582:232121] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2523:228596] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[9:368] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[36:2485] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[23:1040] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[9379:4696828] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[9320:4691677] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[59:5151] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[28:2588] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2517:854276] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2474:842424] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:9777] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[30:2075] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[15:608] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[8:432] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[9:368] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[13:9777] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[59:5151] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[59:5151] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[36:2485] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[36:2485] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:9777] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:9777] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[36:2485] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[89:7226] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[23:1040] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-Wireguard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[23:1040] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[30:2075] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[30:2075] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[23:1040] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct  2 13:42:02 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.10.10.1/24 brd 10.10.10.255 scope global wg0
       valid_lft forever preferred_lft forever
19: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 125.168.226.250 peer 202.138.24.237/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 202.138.24.237 dev pppoe-wan proto static 
10.1.1.0/24 dev br-lan proto kernel scope link src 10.1.1.1 
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1 
202.138.24.237 dev pppoe-wan proto kernel scope link src 125.168.226.250 
broadcast 10.1.1.0 dev br-lan table local proto kernel scope link src 10.1.1.1 
local 10.1.1.1 dev br-lan table local proto kernel scope host src 10.1.1.1 
broadcast 10.1.1.255 dev br-lan table local proto kernel scope link src 10.1.1.1 
broadcast 10.10.10.0 dev wg0 table local proto kernel scope link src 10.10.10.1 
local 10.10.10.1 dev wg0 table local proto kernel scope host src 10.10.10.1 
broadcast 10.10.10.255 dev wg0 table local proto kernel scope link src 10.10.10.1 
local 125.168.226.250 dev pppoe-wan table local proto kernel scope host src 125.168.226.250 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Sep 30 08:06 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Oct  2 13:22 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            50 Oct  2 13:22 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            66 Oct  2 13:22 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 203.134.24.70
nameserver 203.134.26.70

==> /tmp/resolv.conf <==
# Interface wan
nameserver 203.134.24.70
nameserver 203.134.26.70

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 203.134.24.70
nameserver 203.134.26.70

The only difference I can see is in the iptables rules... At boot they use wan instead of pppoe-wan, and some are missing entirely. With the latest snapshots I have also noticed that the web interface sometimes lags and that I frequently get PPPoE disconnects, so something must have been broken recently...


Workaround:

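# Install a hotplug handler that restarts the firewall once the WAN interface
# is up, so the rules are rebuilt against the device that exists at that point.
# The delimiter is quoted ("EOF"), so nothing below is expanded while the file
# is written; the variables are evaluated later, each time the handler runs.
# NOTE(review): this only shortens the time the boot-time ruleset stays in
# place. After a reboot, check with `iptables-save` that the wan zone rules
# name the live WAN device.
cat << "EOF" > /etc/hotplug.d/iface/99-firewall-fix
# Restart the firewall when the interface holding the default route comes up.
. /lib/functions/network.sh
# Drop cached interface state so the lookup below reflects the current event.
network_flush_cache
# If the WAN lookup fails there is nothing to compare against, so do nothing.
# Separate tests joined with && replace the obsolescent `-a` inside [ ].
if network_find_wan NET_IF &&
   [ "${ACTION}" = "ifup" ] &&
   [ "${INTERFACE}" = "${NET_IF}" ]
then
    /etc/init.d/firewall restart
fi
EOF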

See also: https://openwrt.org/docs/guide-user/base-system/hotplug

I'll try the workaround... Should that be raised as a bug? It didn't happen on the snapshots from a few months ago...


Yes, if you can pinpoint the previous version where it worked fine, it would be very helpful.


@Sixtiz Were you able to fix this or did you happen to open a bug report on this? I am bumping into the same issue, with the exact same hardware somehow (D-Link DIR-878 A1).

Thanks!

No, I had to revert to an older version close to when the DIR-878 patch was merged, as the last versions were giving me lots of PPPoE disconnections. And that doesn't seem to have the interface name issue on boot.

I think this is the same issue as https://forum.openwrt.org/t/22-03-no-routing-until-firewall-gets-reloaded/128693 as I had included luci-app-ntpc in my build...


Bug report here: