Local syslog-ng server not receiving original source IPs

Recently I updated to v23.05 and found something really interesting. I hadn't noticed at first, but once I got some alerts showing incorrect data, I realized this... It appears OpenWRT, ever since I updated to this version, intercepts local network syslog requests to my syslog server and uses itself as the source IP address.

So basically I have all my network devices talking to a syslog server on the network. This means the traffic on the network would be: Device -> Router -> Syslog Server - so no external traffic.

ALL my logs for these internal devices show up as my router IP address. At first I thought my syslog server was on the fritz, but after much troubleshooting, I found this when doing a tcpdump on OpenWRT:

21:02:03.009364 eth3  P   IP 192.168.1.33.53142 > 192.168.1.150.514: SYSLOG user.info, length: 142
21:02:03.009395 eth2  Out IP 192.168.1.1.53142 > 192.168.1.150.514: SYSLOG user.info, length: 142

It appears the packet comes in and then goes out with the router's IP address as the source instead of the original device's. My thoughts are this is related to perhaps the bridge firewall... But I would love to know if anyone has any context on this and how to fix it. I need those syslog logs to have the original IP addresses of my devices, not OpenWRT's - but I also need the bridge firewall (assuming that's what's causing this; if not, then disregard).

Edit: Note this seems to be very specifically port 514 (syslog). I just did a test acting as if syslog was on port 515 and it doesn't overwrite the source IP... So that's suspicious. Still investigating...
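As an added example (not part of the original post, and not OpenWrt code), the port-by-port comparison done by hand above can be scripted. The function below reads tcpdump output in the layout the capture above shows (timestamp, interface, direction, `IP`, `src > dst:`), pairs each arriving packet with its outgoing copy by source port and destination socket, and prints every destination port whose packets leave with a different source IP than they arrived with. The sample capture is constructed for this example, modelled on the two lines quoted above plus a port-515 control flow and a second host.

```shell
#!/bin/sh
# Added example: detect source-address rewriting per destination port from a
# tcpdump capture taken on the router. Assumes the line layout shown in the post
# ("tcpdump -ni any" style): <time> <iface> <In|Out|P> IP <src.port> > <dst.port>: ...

find_rewritten_ports() {
  awk '
    # Only consider IPv4 lines with the "IP <src> > <dst>:" layout.
    $4 == "IP" && $6 == ">" {
      src = $5
      dst = $7
      sub(/:$/, "", dst)                       # strip the trailing colon
      split(src, s, "[.]")                     # a.b.c.d.port -> 5 fields
      split(dst, d, "[.]")
      sip   = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5]
      dip   = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
      # A flow is keyed by source port + destination socket. Those survive a
      # plain source-IP rewrite, so they pair the ingress copy of a packet
      # with its egress copy. (A masquerade that also remaps the source port
      # would break this pairing and needs a conntrack lookup instead.)
      key = sport ":" dip ":" dport
      if ($3 == "Out") {
        if ((key in ingress) && ingress[key] != sip && !(dport in reported)) {
          reported[dport] = 1
          print dport
        }
      } else {
        ingress[key] = sip                     # "In" or "P" (promiscuous) = arriving copy
      }
    }'
}

# Constructed sample, modelled on the capture in the post: the two syslog
# flows (port 514) leave with the router address 192.168.1.1 as source, the
# port-515 control flow keeps its original source.
SAMPLE_CAPTURE='21:02:03.009364 eth3  P   IP 192.168.1.33.53142 > 192.168.1.150.514: SYSLOG user.info, length: 142
21:02:03.009395 eth2  Out IP 192.168.1.1.53142 > 192.168.1.150.514: SYSLOG user.info, length: 142
21:02:04.120001 eth3  P   IP 192.168.1.33.53143 > 192.168.1.150.515: UDP, length 142
21:02:04.120040 eth2  Out IP 192.168.1.33.53143 > 192.168.1.150.515: UDP, length 142
21:02:05.000100 eth1  In  IP 192.168.1.40.41000 > 192.168.1.150.514: SYSLOG daemon.notice, length: 98
21:02:05.000150 eth2  Out IP 192.168.1.1.41000 > 192.168.1.150.514: SYSLOG daemon.notice, length: 98'

# Runs the detector over the constructed sample; prints "514" and nothing else.
rewritten_ports_in_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | find_rewritten_ports
}

# Live use on the router (run the capture on the bridge members, as in the post):
#   tcpdump -ni any -l 'udp port 514 or udp port 515' | find_rewritten_ports
```

Once a port is confirmed, the next thing to look at is whether any nftables rule actually matches it: `nft -a list ruleset | grep -n -e 'dport 514' -e snat -e masquerade` prints the rules (with handles) that either reference the port or rewrite source addresses, and an empty result for the port narrows the search to something other than the fw4 ruleset.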

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
{
	"kernel": "5.15.150",
	"hostname": "router",
	"system": "Intel(R) Celeron(R) J6412 @ 2.00GHz",
	"model": "Protectli VP2420",
	"board_name": "protectli-vp2420",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.75'
	option delegate '0'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I'm thinking there's some hidden masquerade that happens specifically around syslog but not sure. I tried to manually add a NAT rule in the UI, but that didn't resolve it (so I removed those since then).

That is the only masquerade IP that could become a forged source.

Not sure I follow. Is that line making it change the source IP to 192.168.1.1? 192.168.0.2 is the IP assigned to OpenWRT on the link to the firewall it's connected to. The incoming syslog from the firewall (192.168.0.1) comes in perfectly fine and has the proper source IP, but I figured this was because it was over WAN instead of the LAN bridge.

So seeing the above, any thoughts or ideas on why it's doing a masquerade on syslog, and only syslog? As mentioned, if I mock a call with a different port number, I can clearly see it sends the original source IP when monitoring in tcpdump. It seems to be only syslog that gets changed to the router's IP address... I disabled /etc/init.d/log but it looks like it still does it anyway.