Logging WAN traffic

I have a basic openwrt installation working and set to send syslog events to my logging server. It all works fine but I am only seeing outbound traffic being logged, there is no inbound connections coming through.

Just wondering why this is? Thanks.

What inbound connections? Acks from the syslog server, or something like that?

Your description is rather vague and offers no details.
How are you logging the traffic? Which iptables rules? And attached to which chains?

Pure guess, but you might have attached the logging rule to a wrong place regarding the incoming traffic.

Thanks for your response.

So I have basic LEDE install working correctly. I have enabled traffic logging on the WAN link in an effort to see source and destination IP address of all WAN traffic and blocked/allowed status. Ideally I want this to send as syslog to a separate log manager application. I have LEDE set to send syslog to separate log reader and it is working correctly, however the WAN traffic is not showing all of the blocked WAN traffic.

It looks to me like it is only logging outbound successful traffic, not incoming.

Hope that makes sense.

Any help greatly appreciated.

You still did not give any details on how you have tried to do the firewall logging itself. My previous guess still is valid, as there are no details for a better advice.

Some generic advice:

You can use normal iptables commands for firewall logging. iptables logs the items to the system log (read with logread), so the log can fill quickly if you have lots of traffic.

Firewall zone config in LuCI offers the possibility to log rejected/dropped connections. That is in zone's options, advanced tab.

E.g. enabling the drop/reject logging for wan creates the following rules:

root@LEDE:~# iptables-save  | grep -i log
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 10/sec -m comment --comment "!fw3: wan (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(wan): "
-A zone_wan_dest_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(dest wan)"
-A zone_wan_src_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(src wan)"

Modifying the logging rules by hand naturally requires some iptables knowledge and understanding of the various rule chains (and tables) in the firewall.

E.g. manually create a rule to log all incoming UDP packets from interface eth0.2 to port 2222:

iptables -I PREROUTING -t mangle -i eth0.2 -p udp --dport 2222 -j LOG
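The advice above attaches LOG rules by hand to a fixed interface. The following script is an added example, not code from the thread or from the LEDE project, showing how a practitioner would do the same for inbound WAN traffic in /etc/firewall.user without hard-coding eth0.2: it resolves the device behind the logical "wan" interface with the standard OpenWrt helper `network_get_device` from /lib/functions/network.sh (assumed present, as on a stock install), logs every NEW inbound TCP/UDP connection before fw3's zone chains decide to accept or reject it, and rate-limits the LOG target so the syslog server is not flooded. `LOG_LIMIT`, `LOG_PREFIX` and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): candidate content for /etc/firewall.user on a
# LEDE/OpenWrt router running fw3. Logs every NEW inbound TCP/UDP connection arriving
# on the WAN device, whether fw3 later accepts or rejects it, with a rate limit.
# Assumes the OpenWrt helper /lib/functions/network.sh (network_get_device) and a
# logical interface named "wan"; LOG_LIMIT and LOG_PREFIX are names chosen here.

LOG_LIMIT="${LOG_LIMIT:-10/sec}"
LOG_PREFIX="${LOG_PREFIX:-WAN-IN: }"

# Resolve the physical device behind the logical "wan" interface (e.g. eth0.2) so the
# rules never hard-code a name. Off the router (no network.sh) the first argument is
# used instead, which also makes the function testable.
wan_device() {
    if [ -r /lib/functions/network.sh ]; then
        . /lib/functions/network.sh
        if network_get_device dev wan && [ -n "$dev" ]; then
            echo "$dev"
            return 0
        fi
    fi
    [ -n "$1" ] || return 1
    echo "$1"
}

# Print (do not run) the iptables commands for one device. Inserting at position 1 of
# INPUT and FORWARD puts the LOG rules ahead of fw3's zone chains, so they see traffic
# addressed to the router itself and traffic forwarded to the LAN before any
# accept/reject decision. "--ctstate NEW" logs one line per connection, not per packet.
wan_log_rules() {
    dev="$1"
    for chain in INPUT FORWARD; do
        for proto in tcp udp; do
            echo "iptables -I $chain 1 -i $dev -p $proto -m conntrack --ctstate NEW" \
                 "-m limit --limit $LOG_LIMIT -j LOG --log-prefix \"$LOG_PREFIX\""
        done
    done
}

# On the router (root, iptables present) execute the generated commands; elsewhere
# only show them. fw3 re-runs firewall.user on every reload, so the rules persist.
apply_wan_log_rules() {
    dev="$(wan_device "$1")" || return 1
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
        wan_log_rules "$dev" | sh -e
    else
        wan_log_rules "$dev"
    fi
}
```

To use it on the router, append a line `apply_wan_log_rules` at the end of the script and run `/etc/init.d/firewall restart`; the resulting lines carry the prefix `WAN-IN: ` in logread and on the syslog server, so they can be separated from fw3's own `REJECT(src wan)` and `MSSFIX(wan): ` lines by prefix. The rules are inserted at the top of the chain on purpose: placing them inside zone_wan_src_REJECT would again show only rejected traffic.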

OK so it looks like I'm confused, I'm referring to the default logging options in the LuCI GUI. I've checked the logging option in the zone advanced tab but it still won't log rejected or dropped inbound connections.

I guess I can just use the iptables command to log inbound UDP and TCP, and modify it slightly to do outbound as well?

Can you please confirm whether enabling the logging checkbox in the LuCI GUI will log all traffic on the selected interface? I want everything from TCP to UDP whether dropped or allowed.

The issue I'm seeing is that enabling WAN logging through UCI, while it does log rejected inbound traffic as I would expect, generates a ton of MSSFIX logging related to established connections.

Ideally there would be a way to log some of the inbound WAN traffic without having all of the MSSFIX messages. I wound up disabling the built in WAN logging.

The generic advice here may help me. Though the problem I run into is how to make this generic enough that I can add it to the UCI config or firewall.user without using any hardcoded information like interface names.

Should add the question - is the logging of MSSFIX messages a bug or a feature?

The firewall documentation [0] describes the log boolean as "Create log rules for rejected and dropped traffic in this zone."

AFAICT, MSSFIX traffic is neither rejected nor dropped. So is it a bug in the implementation or the documentation?

I remember at one point the MSSFIX logging was considered a bug and then a regression in OpenWRT. But it didn't get fixed in subsequent updates. So is this the desired behavior?


[0] https://lede-project.org/docs/user-guide/firewall_configuration
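Whichever way the MSSFIX question is answered, the noise can also be handled on the log manager instead of the router. The script below is an added example, not from the thread or from the LEDE project: it reads syslog lines on stdin, discards the `MSSFIX(wan): ` lines, and summarises the `REJECT(src wan)` lines by source address, protocol and destination port so that rejected inbound WAN connections stand out. The two prefixes are the ones the iptables-save output earlier in the thread shows fw3 generating; the five sample log lines are constructed for this example with RFC 5737 documentation addresses and a made-up MAC field, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): log-manager side filtering of fw3 LOG lines.
# Reads syslog lines on stdin, drops the MSSFIX noise that the zone "log" option
# produces for established outbound connections, and summarises rejected inbound WAN
# connections by source address, protocol and destination port.

# Constructed sample of what the syslog server receives from the router (RFC 5737
# addresses, made-up MAC field). "REJECT(src wan)" has no trailing space in the real
# prefix, so it runs straight into "IN=", exactly as fw3's rule produces it.
sample_log() {
    cat <<'EOF'
Jan  1 10:00:01 LEDE kernel: [ 100.000001] MSSFIX(wan): IN= OUT=eth0.2 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443 SYN
Jan  1 10:00:02 LEDE kernel: [ 101.000001] REJECT(src wan)IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=22 SYN
Jan  1 10:00:03 LEDE kernel: [ 102.000001] MSSFIX(wan): IN= OUT=eth0.2 SRC=192.168.1.21 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=80 SYN
Jan  1 10:00:04 LEDE kernel: [ 103.000001] REJECT(src wan)IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=22 SYN
Jan  1 10:00:05 LEDE kernel: [ 104.000001] REJECT(src wan)IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.250 DST=192.0.2.10 LEN=48 TTL=48 PROTO=UDP SPT=5060 DPT=5060 LEN=28
EOF
}

# Drop the MSSFIX lines: established/outbound traffic, neither rejected nor dropped.
drop_mssfix() {
    grep -v 'MSSFIX('
}

# Count rejected inbound WAN connections per "SRC PROTO DPT", busiest first.
# Each KEY=VALUE token is split on "="; tokens without a value (SYN, DF) are skipped.
wan_rejects() {
    grep 'REJECT(src wan)' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    } END {
        for (k in count) print count[k], k
    }' | sort -rn
}
```

On the router the same functions work on `logread | drop_mssfix` or `logread | wan_rejects`; on the log server pipe the received syslog file through them. Filtering by the exact prefix rather than by a substring such as "wan" is what keeps the REJECT and MSSFIX lines apart, since both name the zone.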