IPV4 port forwarding stops working when 6in4 tunnel interface connected

Hi There,

I have what appears to be a routing/gateway issue. I have recently set up a 6in4 IPv6 tunnel as my ISP does not natively support IPv6 yet.

However, after trying to connect to my VPN server while away from home today, I noticed that I could not connect anymore to the VPN server running on a server within my home LAN. (Note: the VPN service is not running on the OpenWrt device.)

After running through and troubleshooting my port forwarding rules, I have discovered through a process of elimination that if I stop the 6in4 tunnel interface, I can then connect again to port forwards on the external "wan" IPv4 interface.

Allowed/opened ports to the OpenWrt device itself, such as SSH, HTTPS etc., are fine and are not affected when the 6in4 tunnel is connected.

So this appears to be only affecting NAT to IPs on my LAN behind OpenWrt.

Any ideas as to what could be causing this? Your help would be appreciated.

Thanks

Here is the output of:

cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru ; ip -6 addr ; ip -6 ro ; ip -6 ru
 OpenWrt 19.07.4, r11208-ce6496d796
 -----------------------------------------------------
root@unicorn:~#
root@unicorn:~# cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru ; ip -6 addr ; ip -6 ro ; ip -6 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option igmp_snooping '1'
        option ipaddr '10.99.69.254'

config interface 'lan60'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0.60'
        option ipaddr '192.168.77.254'
        option ip6assign '60'

config interface 'lan99'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.82.254'
        option ifname 'eth0.99'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '172.25.69.1'
        option ipaddr '172.25.69.254'
        list dns '127.0.0.1'
        option metric '0'

config interface 'airvpn'
        option proto 'none'
        option ifname 'tun0'

config interface 'wan6'
        option ifname 'eth1'
        option proto '6in4'
        option username 'stavster'
        option password 'tHf7YCv**********'
        option peeraddr '216.66.80.26'
        list ip6prefix '2001:470:697b::/48'
        option ip6addr '2001:470:1f08:7cb::2/64'
        option tunnelid '598155'
        option metric '0'

config interface 'wgmullvad'
        option proto 'wireguard'
        list addresses '10.67.0.80'
        list addresses 'fc00:bbbb:bbbb:bb01::4:4f'
        option private_key 'xfaKnMSGfR3a**************'

config wireguard_wgmullvad
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        option public_key 'ug9qzYOLA7WR******************'
        option description 'mullvadgb18both'
        option endpoint_host '89.238.176.162'

config interface 'wan6b'
        option proto '6in4'
        option peeraddr '45.12.68.66'
        list ip6prefix '2a0c:3b80:7b04:002b::/64'
        option ip6addr '2a0c:3b80:7b04:2a::2/64'
        option auto '0'

config interface 'wan6c'
        option proto '6in4'
        option username 'stavster'
        option peeraddr '216.66.88.98'
        list ip6prefix '2001:470:19c9::/48'
        option ip6addr '2001:470:1f1c:1b8::2/64'
        option tunnelid '533259'
        option password 'ZlC1Q************'
        option auto '0'

config interface 'wgmullmhop'
        option proto 'wireguard'
        list addresses '10.65.134.94'
        list addresses 'fc00:bbbb:bbbb:bb01::2:865d'
        option private_key 'ZDIPW/dV/H9WMqi*****************'

config wireguard_wgmullmhop
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_port '3340'
        option public_key 'OLqqtEra8OCMZ**************'
        option description 'mlvdch16gb16ipv6in'
        option endpoint_host '2001:ac8:28:94::a16f'


config rule
        option dest_port '68'
        option src 'guest'
        option name 'guest-allow-dhcp-renew'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

config rule
        list proto 'udp'
        list dest_ip 'fc00::/6'
        option dest_port '546'
        option src 'guest'
        option name 'guest-allow-dhcp6-renew'
        list src_ip 'fc00::/6'
        option target 'ACCEPT'
        option family 'ipv6'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'guest-allow-dns'
        option target 'ACCEPT'
        option dest '*'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'guest-allow-dns-device'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'guest-deny-zones'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'

config rule
        option src 'guest'
        option name 'guest-allow-all-wan'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option src 'guest'
        option name 'guest-allow-all-wan6'
        option dest 'wan6'
        option target 'ACCEPT'
        list proto 'all'
        option family 'ipv6'

config rule
        option src 'guest'
        option name 'guest-allow-all-airvpn'
        option dest 'airvpnzone'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option src 'guest'
        option name 'guest-deny-all'
        option dest '*'
        option target 'REJECT'
        list proto 'all'

config rule
        option dest_port '68'
        option src 'cctv'
        option name 'cctv-allow-dhcp-renew'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option dest_port '546'
        list proto 'udp'
        option name 'cctv-allow-dhcp6-renew'
        list src_ip 'fc00::/6'
        option target 'ACCEPT'
        list dest_ip 'fc00::/6'
        option src 'cctv'
        option family 'ipv6'

config rule
        option dest_port '53'
        option src 'cctv'
        option name 'cctv-allow-dns'
        option target 'ACCEPT'
        option dest '*'

config rule
        option dest_port '53'
        option src 'cctv'
        option name 'cctv-allow-dns-device'
        option target 'ACCEPT'

config rule
        option src 'cctv'
        option name 'cctv-deny-zones'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'

config rule
        option src 'cctv'
        option name 'cctv-allow-all-wan'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option src 'cctv'
        option name 'cctv-allow-all-wan6'
        option dest 'wan6'
        option target 'ACCEPT'
        list proto 'all'
        option family 'ipv6'

config rule
        option src 'cctv'
        option name 'cctv-allow-all-airvpn'
        option dest 'airvpnzone'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option src 'cctv'
        option name 'cctv-deny-all'
        option dest '*'
        option target 'REJECT'
        list proto 'all'

config rule
        option src 'wan6'
        option name 'WAN6-IN-Allow-SSH-Router-22232'
        option target 'ACCEPT'
        option family 'ipv6'
        option dest_port '22232'
        list proto 'tcp'

config rule
        option src 'wan6'
        option name 'WAN6-IN-Allow-SSH-Router-110'
        option target 'ACCEPT'
        option family 'ipv6'
        option dest_port '110'
        list proto 'tcp'

config rule
        option src 'wan6'
        option name 'WAN6-IN-Allow-LUCI-Router-80-443'
        option target 'ACCEPT'
        option family 'ipv6'
        option dest_port '80 443'
        list proto 'tcp'

config rule
        option dest_port '546'
        option src 'wan6'
        list src_ip 'fc00::/6'
        option family 'ipv6'
        list dest_ip 'fc00::/6'
        option target 'ACCEPT'
        list proto 'udp'
        option name 'WAN6-IN-Allow-DHCPv6'

config rule
        option src 'wan6'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'
        option name 'WAN6-IN-Allow-MLD'

config rule
        option src 'wan6'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option name 'WAN6-IN-Allow-ICMPv6-Input'

config rule
        option src 'wan6'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'time-exceeded'
        option name 'WAN6-IN-Allow-ICMPv6-Forward'

config rule
        option src 'wan6'
        option target 'DROP'
        list proto 'all'
        option name 'WAN6-IN-DENY-ALL'
        option family 'ipv6'
        option dest '*'

config rule
        list proto 'icmp'
        option src 'lan'
        option family 'ipv6'
        option dest 'wan6'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        option name 'WAN6-OUT-ALLOW-Ping-IPV6'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '80 443'
        option name 'WAN6-OUT-Allow-HTTP'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '20 21'
        option name 'WAN6-OUT-Allow-FTP'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '23'
        option name 'WAN6-OUT-Allow-Telnet'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '25 110 143 465 993 995 2525'
        option name 'WAN6-OUT-Allow-MailPorts'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '22 115'
        option name 'WAN6-OUT-Allow-SSH-SFTP'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '554'
        option name 'WAN6-OUT-Allow-RTSP'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '563'
        option name 'WAN6-OUT-Allow-NNTP'
        option family 'ipv6'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan6'
        option dest_port '80 443'
        option name 'WAN6-OUT-Allow-HTTP'
        option family 'ipv6'

config rule
        option src 'lan'
        option dest 'wan6'
        list proto 'all'
        option name 'WAN6-OUT-DENY-ALL'
        option family 'ipv6'
        option target 'REJECT'

config rule
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option name 'WAN-DROP-Ping'
        option target 'DROP'
        option dest 'lan'
        option enabled '0'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option name 'WAN-Allow-DHCP-Renew'

config rule
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'WAN-Allow-IGMP'

config rule
        option src 'wan'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'WAN-Allow-multicast'
        list dest_ip '224.0.0.0/4'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        list dest_ip 'fc00::/6'
        option name 'WAN-Allow-DHCPv6'
        list src_ip 'fc00::/6'

config rule
        option src 'wan'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'WAN-Allow-MLD'
        list src_ip 'fe80::/10'

config rule
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'WAN-Allow-ICMPv6-Input'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'

config rule
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'WAN-Allow-ICMPv6-Forward'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'time-exceeded'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option name 'WAN-Allow-IPSec-ESP'
        option family 'ipv4'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'WAN-Allow-ISAKMP'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'WAN-allow-SSH'
        option dest_port '22232 110'
        option family 'ipv4'

config rule
        option dest_port '5000'
        option src 'wan'
        option name 'WAN-Allow-TCP-5000'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'tcp'
        list dest_ip '10.99.69.252'

config rule
        option src 'wan'
        option target 'DROP'
        list proto 'all'
        option name 'WAN-DENY-ALL-DEVICE'
        option family 'ipv4'

config rule
        option src 'wan'
        option name 'WAN-DENY-ALL-LAN '
        option dest 'lan'
        option target 'DROP'
        list proto 'all'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option src 'lan'
        option dest '*'
        option name 'LAN-allow-all-NAS'
        list src_ip '10.99.69.3'
        option family 'ipv4'


config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'lan'
        option dest_port '80 443'
        option name 'LAN-allow-HTTP'
        option dest '*'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option name 'LAN-allow-sshtelnet'
        option src 'lan'
        option dest '*'
        option dest_port '22 23'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option name 'LAN-allow-EMAIL'
        option src 'lan'
        option dest '*'
        option dest_port '110 143 25 995 993 465'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option src 'lan'
        option dest '*'
        option dest_port '500 4500'
        option name 'LAN-wificalling-UDP'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option name 'LAN-allow-ICMP'
        option proto 'icmp'
        option src 'lan'
        option dest '*'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option name 'LAN-allow-NTP'
        option src 'lan'
        option dest '*'
        option dest_port '123'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '6667'
        option src 'lan'
        option dest '*'
        option name 'LAN-allow-irc'
        option family 'ipv4'

config rule
        option dest_port '5060 5061'
        option src 'lan'
        option name 'LAN-allow-SIP'
        option dest '*'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option dest_port '4244 5222 5223 5228 5242'
        option src 'lan'
        option dest '*'
        option target 'ACCEPT'
        option name 'LAN-allow-whatsapp-TCP'
        list proto 'tcp'
        option family 'ipv4'

config rule
        option dest_port '3478 45395'
        option src 'lan'
        option name 'LAN-allow-whatsapp-UDP'
        option dest '*'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

config rule
        option dest_port '33434-33464'
        option src 'lan'
        option name 'LAN-allow-traceroute'
        option dest '*'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

config rule
        option dest_port '4083'
        option src 'lan'
        option name 'LAN-allow-Losangeles-VPS'
        option dest '*'
        option target 'ACCEPT'
        list proto 'tcp'
        option family 'ipv4'

config rule
        option dest_port '443'
        option src 'lan'
        option name 'LAN-allow-443-UDP'
        option dest '*'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

config rule
        option dest_port '943'
        option src 'lan'
        option name 'LAN-Allow-openvpnserver'
        option dest '*'
        option target 'ACCEPT'
        list proto 'tcp'
        option family 'ipv4'

config rule
        option src 'lan'
        option name 'LAN-ALLOW-ALL'
        option dest '*'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option family 'ipv4'
        option enabled '0'

config rule
        option src 'lan'
        option proto 'all'
        option dest '*'
        option name 'LAN-DENY-ALL'
        option target 'REJECT'
        option family 'ipv4'

config redirect
        option src 'wan'
        option name 'WAN_NAS_WEB'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'
        option src_dport '5000'
        option dest_port '5000'
        option dest_ip '10.99.69.252'

config redirect
        option src 'airvpnzone'
        option name 'airvpn-soulseek-x79'
        option target 'DNAT'
        option dest 'lan'
        option dest_port '23327-23328'
        option dest_ip '10.99.69.149'
        option src_dport '23327-23328'

config redirect
        option target 'DNAT'
        option src 'airvpnzone'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '46969'
        option dest_ip '10.99.69.3'
        option dest_port '46969'
        option name 'airvpn-transmission-rslnas'
        option enabled '0'

config redirect
        option dest_port '36969'
        option src 'airvpnzone'
        option name 'airvpn-tixati-x79'
        option src_dport '36969'
        option target 'DNAT'
        option dest_ip '10.99.69.178'
        option dest 'lan'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'airvpnzone'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '26969'
        option dest_port '26969'
        option name 'i2pd-vpn'
        option dest_ip '10.99.69.251'
        option enabled '0'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option forward 'REJECT'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        option family 'ipv4'
        option input 'DROP'
        option forward 'DROP'

config include
        option path '/etc/firewall.user'

config zone
        option output 'ACCEPT'
        option name 'airvpnzone'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        option network 'airvpn wgmullvad wgmullmhop'

config forwarding
        option dest 'airvpnzone'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option dest_port '1194'
        option src 'wan'
        option name 'OpenVPN-NAS'
        option src_dport '1194'
        option target 'DNAT'
        option dest_ip '10.99.69.3'
        option dest 'lan'
        list proto 'udp'

config redirect
        option dest_port '53'
        option src 'lan'
        option name 'PS4_DNS_Redirect'
        option src_ip '10.99.69.69'
        option target 'DNAT'
        option dest_ip '165.227.83.145'
        option dest 'wan'
        option src_dport '53'
        option enabled '0'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect 'adblock_dns_53'
        option name 'Adblock DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_dns_853'
        option name 'Adblock DNS, port 853'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_dns_5353'
        option name 'Adblock DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_dns_5453'
        option name 'Adblock DNS, port 5453'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5453'
        option dest_port '5453'
        option target 'DNAT'

config zone
        option name 'wan6'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'
        option family 'ipv6'
        option output 'ACCEPT'
        option network 'wan6 wan6b wan6c'

config zone
        option name 'mullvadwg'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'

config forwarding
        option dest 'wan6'
        option src 'lan'

config forwarding
        option dest 'mullvadwg'
        option src 'lan'

config zone
        option name 'vpnipv4'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'

config zone
        option name 'vpnipv6'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'

config forwarding
        option dest 'vpnipv4'
        option src 'lan'

config forwarding
        option dest 'vpnipv6'
        option src 'lan'

config zone
        option network 'lan60'
        option input 'ACCEPT'
        option name 'guest'
        option output 'ACCEPT'
        option masq '1'
        option forward 'DROP'

config zone
        option network 'lan99'
        option input 'ACCEPT'
        option name 'cctv'
        option output 'ACCEPT'
        option masq '1'
        option forward 'DROP'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 172.25.69.254/24 brd 172.25.69.255 scope global eth1
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.99.69.254/24 brd 10.99.69.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: br-lan60: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 192.168.77.254/24 brd 192.168.77.255 scope global br-lan60
       valid_lft forever preferred_lft forever
11: br-lan99: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.82.254/24 brd 192.168.82.255 scope global br-lan99
       valid_lft forever preferred_lft forever
20: wgmullvad: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.67.0.80/32 brd 255.255.255.255 scope global wgmullvad
       valid_lft forever preferred_lft forever
49: wgmullmhop: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.65.134.94/32 brd 255.255.255.255 scope global wgmullmhop
       valid_lft forever preferred_lft forever
default via 172.25.69.1 dev eth1 proto static
10.99.69.0/24 dev br-lan proto kernel scope link src 10.99.69.254
172.25.69.0/24 dev eth1 proto kernel scope link src 172.25.69.254
192.168.77.0/24 dev br-lan60 proto kernel scope link src 192.168.77.254
192.168.82.0/24 dev br-lan99 proto kernel scope link src 192.168.82.254
216.66.80.26 via 172.25.69.1 dev eth1 proto static
0:      from all lookup local
32676:  from all fwmark 0x80000/0xff0000 lookup wgmullmhop
32677:  from all fwmark 0x60000/0xff0000 lookup wgmullvad
32678:  from all fwmark 0x20000/0xff0000 lookup wan
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::20e:c6ff:fed6:f880/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:470:697b::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::226:9eff:fe61:2f53/64 scope link
       valid_lft forever preferred_lft forever
9: br-lan60: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:470:697b:10::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::226:9eff:fe61:2f53/64 scope link
       valid_lft forever preferred_lft forever
11: br-lan99: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:470:697b:20::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::226:9eff:fe61:2f53/64 scope link
       valid_lft forever preferred_lft forever
20: wgmullvad: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fc00:bbbb:bbbb:bb01::4:4f/128 scope global
       valid_lft forever preferred_lft forever
33: ifb4br-lan60: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
    inet6 fe80::a08b:2eff:fe6d:d920/64 scope link
       valid_lft forever preferred_lft forever
37: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
    inet6 fe80::901d:34ff:fe6a:89d2/64 scope link
       valid_lft forever preferred_lft forever
48: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 2001:470:1f08:7cb::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ac19:45fe/64 scope link
       valid_lft forever preferred_lft forever
49: wgmullmhop: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fc00:bbbb:bbbb:bb01::2:865d/128 scope global
       valid_lft forever preferred_lft forever
default from 2001:470:1f08:7cb::/64 dev 6in4-wan6 proto static metric 1024 pref medium
default from 2001:470:697b::/48 dev 6in4-wan6 proto static metric 1024 pref medium
2001:470:1f08:7cb::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:470:697b::/64 dev br-lan proto static metric 1024 pref medium
2001:470:697b:10::/64 dev br-lan60 proto static metric 1024 pref medium
2001:470:697b:20::/64 dev br-lan99 proto static metric 1024 pref medium
unreachable 2001:470:697b::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
2001:ac8:28:94::a16f dev 6in4-wan6 proto static metric 1024 pref medium
fc00:bbbb:bbbb:bb01::2:865d dev wgmullmhop proto kernel metric 256 pref medium
fc00:bbbb:bbbb:bb01::4:4f dev wgmullvad proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev ifb4br-lan60 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan60 proto kernel metric 256 pref medium
fe80::/64 dev br-lan99 proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
0:      from all lookup local
32676:  from all fwmark 0x80000/0xff0000 lookup wgmullmhop
32677:  from all fwmark 0x60000/0xff0000 lookup wgmullvad
32678:  from all fwmark 0x20000/0xff0000 lookup wan
32766:  from all lookup main
4200000000:     from 2001:470:697b::1/60 iif br-lan unreachable
4200000000:     from 2001:470:697b:10::1/60 iif br-lan60 unreachable
4200000000:     from 2001:470:697b:20::1/60 iif br-lan99 unreachable
4200000001:     from all iif lo failed_policy
4200000006:     from all iif eth1 failed_policy
4200000007:     from all iif br-lan failed_policy
4200000009:     from all iif br-lan60 failed_policy
4200000011:     from all iif br-lan99 failed_policy
4200000020:     from all iif wgmullvad failed_policy
4200000048:     from all iif 6in4-wan6 failed_policy
4200000049:     from all iif wgmullmhop failed_policy
root@unicorn:~#

???

On IPv6; or IPv4 traffic?

Also, you have a lot of VPNs; but you state:

Where is this port forward?

Here?

Where's your TCP rule?

In general there is a lot of unused configuration. A few remarks:
list dns '127.0.0.1' is not needed under the wan interface. You can set nameservers reachable from the internet there.

config interface 'wan6'
        option ifname 'eth1'
        option proto '6in4'

I am not sure why there is an ifname in wan6. wan6b and wan6c look more correct.
Your firewall needs to be written from scratch, following the norms. For example:

config rule
        option src 'guest'
        option name 'guest-allow-all-wan'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'

is not used; there are forwardings for that.

And whatever is not allowed in forwarding is dropped, so such rules are not needed.

config rule
        option src 'guest'
        option name 'guest-deny-zones'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'

config rule
        option src 'guest'
        option name 'guest-deny-all'
        option dest '*'
        option target 'REJECT'
        list proto 'all'

The default wan zone including wan and wan6 interfaces would work fine for your case, but you made it more complicated by splitting them.
In a nutshell, take a backup, reset and reconfigure following the guides.
Create the interfaces you need and not more.
Assign them to zones. Make sure zones have proper input/forward/output permissions. Add zone forwardings and port redirects.

It is not needed if OpenVPN runs on UDP.


Hi,

Thanks for the response. Yes, my firewall rules are large and they could do with resetting and starting from scratch. I realise that having forwarding set to drop or reject on the zone stops traversing traffic; however, adding in deny statements is probably just a habit from using previous firewall vendors, where you have to explicitly deny at the end of an access list.

I was also a little paranoid, as builders have been operating at my home for the last 6 months, and I had to create some VLAN zones to segregate their internet traffic and CCTV.

For the purpose of this support log, and before I posted the issue, I disabled all of the zone deny statements in the traffic rules and relied on the zone definitions, but the issue still persisted.

In relation to the many wan6 entries, this is because I have three separate 6in4 interfaces to enable tunnels from three different providers/endpoints. However, I only ever have one active at a time, but I could just remove the other two, I guess.

I also have a few different WireGuard VPN interfaces set up which route in different ways, such as multihop etc., for security on some traffic. However, apart from one, I disabled them during testing and before posting the config here.

I realise it's hard to troubleshoot with so much data in the config, so I will have a go at clearing the firewall rules down first. A factory reset at this point isn't possible until I get a good few days clear without commercial third parties needing the network to work.

To answer lleachii, the OpenVPN server is running on a NAS (10.99.69.3) but using the standard UDP 1194 port. This isn't working, along with the TCP port forwards, when the 6in4 interface is connected, but works as soon as I disconnect the 6in4 interface.

Thanks

You can try a quick way to find out if there is some correlation between 6in4 and port forwarding.
Run iptables-save -c -t nat | grep DNAT before and after, and see if there are any differences.
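A worked version of that before/after comparison, added here as an example and not code from the thread: it takes two `iptables-save -c -t nat` snapshots (one with the 6in4 interface down, one with it up), pulls out every DNAT rule with its packet counter, and reports per rule whether it is still present and whether its counter moved while a test connection was attempted. The two snapshots below are constructed to resemble fw3 output on 19.07; the rule comments reuse the thread's redirect names (WAN_NAS_WEB, OpenVPN-NAS) but the counters are made up, and the function names `snap_tunnel_down`, `snap_tunnel_up`, `dnat_rules` and `dnat_diff` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare DNAT rules and their packet
# counters between two `iptables-save -c -t nat` snapshots.
# On a router:  iptables-save -c -t nat > /tmp/nat.down   # 6in4 interface down
#               iptables-save -c -t nat > /tmp/nat.up     # 6in4 up, after a test connection
#               dnat_diff "$(cat /tmp/nat.down)" "$(cat /tmp/nat.up)"

# Constructed snapshot: tunnel down.  Counter format is [packets:bytes].
snap_tunnel_down() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [100:6000]
:zone_wan_prerouting - [0:0]
[12:720] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: WAN_NAS_WEB" -j DNAT --to-destination 10.99.69.252:5000
[8:480] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN-NAS" -j DNAT --to-destination 10.99.69.3:1194
COMMIT
EOF
}

# Constructed snapshot: tunnel up, after connection attempts from outside.
snap_tunnel_up() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [140:8400]
:zone_wan_prerouting - [0:0]
[12:720] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: WAN_NAS_WEB" -j DNAT --to-destination 10.99.69.252:5000
[15:900] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN-NAS" -j DNAT --to-destination 10.99.69.3:1194
COMMIT
EOF
}

# dnat_rules: stdin = iptables-save -c output; prints "comment|target|packets"
# for every DNAT rule.
dnat_rules() {
    grep -- '-j DNAT' |
    sed -n 's/^\[\([0-9]*\):[0-9]*\] .*--comment "\([^"]*\)".*--to-destination \([^ ]*\).*/\2|\3|\1/p'
}

# dnat_diff BEFORE AFTER: for each DNAT rule in BEFORE, report whether it still
# exists in AFTER and whether its packet counter moved.  The nat table only sees
# the first packet of a connection, so the counter counts new connection
# attempts that reached the rule.  A counter that does not move while you are
# connecting from outside means the packets never reached the rule (not arriving
# on that interface, or matched earlier by another rule or an existing conntrack
# entry); a counter that moves while the connection still fails points past the
# DNAT step (forward filter, return route, reply path).
dnat_diff() {
    before=$(printf '%s\n' "$1" | dnat_rules)
    after=$(printf '%s\n' "$2" | dnat_rules)
    printf '%s\n' "$before" | while IFS='|' read -r name dest pk_before; do
        [ -n "$name" ] || continue
        line=$(printf '%s\n' "$after" | grep -F -- "$name|$dest|" || true)
        if [ -z "$line" ]; then
            printf '%s -> %s: rule missing after\n' "$name" "$dest"
        elif [ "${line##*|}" = "$pk_before" ]; then
            printf '%s -> %s: present, counter unchanged at %s\n' "$name" "$dest" "$pk_before"
        else
            printf '%s -> %s: present, counter %s -> %s\n' "$name" "$dest" "$pk_before" "${line##*|}"
        fi
    done
}

dnat_diff "$(snap_tunnel_down)" "$(snap_tunnel_up)"
```

With the constructed snapshots the TCP 5000 rule's counter stays at 12 while the UDP 1194 rule's moves from 8 to 15, which is the kind of split that tells you whether to look before or after the DNAT step; on a real router the counters would be read from the two saved files.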