It seems default OpenWRT passes unallowed traffic to the client

I'm using OpenWrt on a tiny TP-Link device, with internet over PPPoE.
On the client side I'm using a simple nft firewall.

Client nft rules:

table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		# replies to connections this host opened itself
		ct state established,related accept
		iif "lo" accept
		ct state invalid drop
		# everything else: log it, then reject it
		# (trailing space keeps the prefix separated from IN= in the log line)
		log prefix "REJECT " reject
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

The client was surfing the internet and got the following log line from nftables:

Jun 12 14:26:40 localhost kernel: REJECT IN=eth0 OUT= MAC=X SRC=140.211.X.X DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=50025 DF PROTO=TCP SPT=80 DPT=37830 WINDOW=22 RES=0x00 ACK URGP=0

I looked the IP address up and it's a website I visited, but why is it REJECTED?
I sync OpenWrt with ntpd from the internet, and the client syncs with OpenWrt as its ntpd server.

My OpenWrt firewall config:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		DROP
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config include
	option path		/etc/firewall.user

config rule
	option src		wan
	option proto		ICMP
	option target		DROP
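As an added example (not part of the original post), here is a small Python triage script for log lines of the shape shown above. It parses the key=value fields and the bare flag tokens that the netfilter LOG target emits, then classifies the packet: the thread's own line is an ACK without SYN from source port 80 to an ephemeral port, i.e. a reply-shaped segment for which the client's conntrack table had no entry, which is why it fell past the `ct state established,related accept` rule to the log-and-reject rule. The two extra log lines (a SYN to port 22 and a UDP packet from port 53) are constructed for comparison and are not from the thread; the verdict names are my own.

```python
# Log line from the thread (SRC is redacted as in the post), plus two
# constructed lines that are NOT from the thread, used for comparison.
THREAD_LINE = (
    "Jun 12 14:26:40 localhost kernel: REJECT IN=eth0 OUT= MAC=X SRC=140.211.X.X "
    "DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=50025 DF PROTO=TCP "
    "SPT=80 DPT=37830 WINDOW=22 RES=0x00 ACK URGP=0"
)
CONSTRUCTED_SYN = (
    "Jun 12 14:30:01 localhost kernel: REJECT IN=eth0 OUT= MAC=X SRC=198.51.100.7 "
    "DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP "
    "SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)
CONSTRUCTED_UDP = (
    "Jun 12 14:30:05 localhost kernel: REJECT IN=eth0 OUT= MAC=X SRC=198.51.100.9 "
    "DST=192.168.1.2 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP "
    "SPT=53 DPT=41000 LEN=58"
)

# Bare tokens the netfilter LOG target emits without an '=' (IP and TCP flags).
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_kernel_log(line):
    """Split a netfilter LOG line into {field: value} plus a 'flags' set.

    Returns None for lines that are not netfilter log lines (no IN= field).
    """
    _, sep, msg = line.partition("kernel: ")
    if not sep:
        return None
    at = msg.find("IN=")
    if at < 0:
        return None
    entry = {"prefix": msg[:at].strip(), "flags": set()}
    for tok in msg[at:].split():
        key, eq, val = tok.partition("=")
        if eq:
            entry[key] = val          # e.g. SPT=80; 'OUT=' yields an empty string
        elif tok in FLAG_TOKENS:
            entry["flags"].add(tok)
    return entry


def classify(entry):
    """Say what kind of packet a stateful INPUT drop/reject rule just hit."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"      # someone is opening a connection to us
    if "ACK" in flags and "SYN" not in flags:
        # ACK without SYN: a mid-connection segment, but conntrack had no
        # entry for it, otherwise 'ct state established' would have accepted
        # it. A low source port and an ephemeral destination port make it
        # look like a server's reply to a request this host never sent.
        src_port = int(entry.get("SPT", 0))
        dst_port = int(entry.get("DPT", 0))
        if src_port < 1024 and dst_port >= 1024:
            return "stateless-reply"
        return "stray-ack"
    return "other"


def triage(lines):
    """Return (prefix, SRC, SPT, DPT, verdict) for every netfilter log line."""
    rows = []
    for line in lines:
        entry = parse_kernel_log(line)
        if entry is None:
            continue
        rows.append((entry["prefix"], entry.get("SRC"), entry.get("SPT"),
                     entry.get("DPT"), classify(entry)))
    return rows


if __name__ == "__main__":
    for row in triage([THREAD_LINE, CONSTRUCTED_SYN, CONSTRUCTED_UDP]):
        print(*row)
```

Run it against `journalctl -k` or `/var/log/kern.log` output to separate "something is scanning me" (SYNs) from "I have no state for this reply" (ACKs from service ports), which is the case in this thread.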

Running iptables and nftables together is "unconventional" at best. You've got two, disconnected systems processing the same packets. Results are, as it is often described, "unpredictable". In addition to what you "see" in /etc/config/firewall, there are the "base" iptables rules as well.

Pick iptables or nftables and disable the other. Removing iptables completely in a build is nearly impossible, but at the very least all its rules can be removed.


I switched from iptables to nftables on the client side and the behaviour was the same.

What does this mean?

  • That you completely uninstalled iptables?
  • Or are your referring to another device?

BTW, welcome to the community, @markolss!

Before I touched the kernel config to add nftables and installed it, I was using iptables with similar rules on the client side.

*filter
# loopback and replies to connections this host opened (the iptables
# counterpart of the nft 'ct state established,related accept' rule)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LOG is non-terminating, so it has to come before the DROP
-A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j REJECT
-A OUTPUT -j ACCEPT
COMMIT

And it generated comparable logs.

It looks like an ordinary packet from the website you requested to your browser, thus it should be allowed.

I found the problem.

It was not a website I visited, at least not on my own.
I had forgotten that I had changed Firefox's user.prefs / about:config to replace all URLs with localhost.
But I did not realise it right away.
Sorry for blaming OpenWrt.

I want to say something about iptables/nftables. The client can still use whatever firewall, am I right?

I am still unclear on what you mean by "client"... are you talking about the router, or a device you've connected to the router?

A device connected to the router can use whatever it wants... and you've been told you can experience quirks running both on a router.

If the router, why do you keep calling it a client?

Workstation (a device you've connected to the router) = client.
If you will, router = server.

OK, the client is unrelated to OpenWrt then. It can use whatever firewall you wish.