Hi @jow
First of all, I know this is not your responsibility, and I fully understand that you would prefer I reproduced this on a vanilla OpenWrt installation. I sincerely appreciate your help nonetheless.
I (maybe wrongly) ruled out a firewall misconfiguration because, if I understand correctly, tcpdump captures incoming traffic before it reaches netfilter, so the fact that nothing shows up on the interface should not be related to the firewall rules. It looks like the traffic is being discarded at the kernel/driver level before it is delivered to user space. I've also tried enabling /proc/sys/net/ipv4/conf/lan4/log_martians just in case, but nothing is being logged.
Here's the requested information (I've obfuscated public IP addresses, MAC addresses and some device names):
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1024
link/ether MAC7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP group default qlen 1024
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::MAC1/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1024
link/ether MAC7 brd ff:ff:ff:ff:ff:ff
inet IPV4_PUB_ADDR/24 brd 85.195.208.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 IPV6_PREFIX_2:MAC2/64 scope global dynamic noprefixroute
valid_lft 2591998sec preferred_lft 604798sec
inet6 IPV6_PREFIX_2::10/128 scope global dynamic noprefixroute
valid_lft 3635sec preferred_lft 2635sec
inet6 fe80::MAC2/64 scope link
valid_lft forever preferred_lft forever
5: lan0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
6: lan1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
7: lan2@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
8: lan3@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
9: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global lan4
valid_lft forever preferred_lft forever
inet6 IPV6_PREFIX:2::1/64 scope global dynamic noprefixroute
valid_lft 3635sec preferred_lft 2635sec
inet6 fe80::MAC1/64 scope link
valid_lft forever preferred_lft forever
10: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
link/tunnel6 :: brd :: permaddr e61f:cd46:ff44::
11: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether MAC8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 IPV6_PREFIX:1::1/64 scope global dynamic noprefixroute
valid_lft 3635sec preferred_lft 2635sec
inet6 fe80::MAC1/64 scope link
valid_lft forever preferred_lft forever
20: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether MAC10 brd ff:ff:ff:ff:ff:ff
inet6 fe80::MAC3/64 scope link
valid_lft forever preferred_lft forever
21: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether MAC11 brd ff:ff:ff:ff:ff:ff
inet6 fe80::MAC4/64 scope link
valid_lft forever preferred_lft forever
26: vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.16.1.1/24 scope global vtun0
valid_lft forever preferred_lft forever
inet6 IPV6_PREFIX:f::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::e8fd:ff62:ec78:b97c/64 scope link stable-privacy
valid_lft forever preferred_lft forever
So basically all physical LAN ports plus the two WLANs are bridged into br-lan, living in a single network. Then lan4 has a separate network where the device that generates the IGMP traffic sits. The WAN interface is eth2. There's also a virtual interface for a VPN (vtun0).
/etc/config/firewall
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option src 'wan'
option family 'ipv6'
option dest_ip 'IPV6_PREFIX:1::25'
option dest_port '51413'
option name 'Allow PY to ZZ'
option dest 'lan'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'Allow outgoing ntpd from TT'
option proto 'udp'
option src_mac 'MAC1'
option dest 'wan'
option dest_port '123'
config rule
option src 'lan'
option name 'Drop outgoing traffic from TT'
option src_mac 'MAC1'
option target 'REJECT'
option dest 'wan'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'
option name 'Allow-OpenVPN'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'OpenVPN VERO lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 WAN4'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '51413'
option dest_ip '192.168.1.25'
option dest_port '51413'
option name 'YYT'
config rule
option dest_port '80'
option src 'wan'
option name 'Allow-HTTP-XX'
option target 'ACCEPT'
option family 'ipv6'
list dest_ip 'IPV6_PREFIX:1::26'
option dest 'lan'
list proto 'tcp'
config rule
option dest_port '443'
option src 'wan'
option name 'Allow-HTTPS-XX'
option target 'ACCEPT'
option family 'ipv6'
list dest_ip 'IPV6_PREFIX:1::26'
option dest 'lan'
list proto 'tcp'
config zone 'turris_vpn_client'
option name 'tr_vpn_cl'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
config forwarding 'turris_vpn_client_forward'
option src 'lan'
option dest 'tr_vpn_cl'
sysctl -a | grep lan4
net.ipv4.conf.lan4.accept_local = 0
net.ipv4.conf.lan4.accept_redirects = 1
net.ipv4.conf.lan4.accept_source_route = 1
net.ipv4.conf.lan4.arp_accept = 0
net.ipv4.conf.lan4.arp_announce = 0
net.ipv4.conf.lan4.arp_filter = 0
net.ipv4.conf.lan4.arp_ignore = 1
net.ipv4.conf.lan4.arp_notify = 0
net.ipv4.conf.lan4.bc_forwarding = 0
net.ipv4.conf.lan4.bootp_relay = 0
net.ipv4.conf.lan4.disable_policy = 0
net.ipv4.conf.lan4.disable_xfrm = 0
net.ipv4.conf.lan4.drop_gratuitous_arp = 0
net.ipv4.conf.lan4.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lan4.force_igmp_version = 0
net.ipv4.conf.lan4.forwarding = 1
net.ipv4.conf.lan4.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lan4.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lan4.ignore_routes_with_linkdown = 0
net.ipv4.conf.lan4.log_martians = 0
net.ipv4.conf.lan4.mc_forwarding = 1
net.ipv4.conf.lan4.medium_id = 0
net.ipv4.conf.lan4.promote_secondaries = 0
net.ipv4.conf.lan4.proxy_arp = 0
net.ipv4.conf.lan4.proxy_arp_pvlan = 0
net.ipv4.conf.lan4.route_localnet = 0
net.ipv4.conf.lan4.rp_filter = 0
net.ipv4.conf.lan4.secure_redirects = 1
net.ipv4.conf.lan4.send_redirects = 1
net.ipv4.conf.lan4.shared_media = 1
net.ipv4.conf.lan4.src_valid_mark = 0
net.ipv4.conf.lan4.tag = 0
net.ipv4.neigh.lan4.anycast_delay = 100
net.ipv4.neigh.lan4.app_solicit = 0
net.ipv4.neigh.lan4.base_reachable_time = 30
net.ipv4.neigh.lan4.base_reachable_time_ms = 30000
net.ipv4.neigh.lan4.delay_first_probe_time = 5
net.ipv4.neigh.lan4.gc_stale_time = 60
net.ipv4.neigh.lan4.locktime = 100
net.ipv4.neigh.lan4.mcast_resolicit = 0
net.ipv4.neigh.lan4.mcast_solicit = 3
net.ipv4.neigh.lan4.proxy_delay = 80
net.ipv4.neigh.lan4.proxy_qlen = 64
net.ipv4.neigh.lan4.retrans_time = 100
net.ipv4.neigh.lan4.retrans_time_ms = 1000
net.ipv4.neigh.lan4.ucast_solicit = 3
net.ipv4.neigh.lan4.unres_qlen = 91
net.ipv4.neigh.lan4.unres_qlen_bytes = 180224
net.ipv6.conf.lan4.accept_dad = 1
net.ipv6.conf.lan4.accept_ra = 0
net.ipv6.conf.lan4.accept_ra_defrtr = 1
net.ipv6.conf.lan4.accept_ra_from_local = 0
net.ipv6.conf.lan4.accept_ra_min_hop_limit = 1
net.ipv6.conf.lan4.accept_ra_mtu = 1
net.ipv6.conf.lan4.accept_ra_pinfo = 1
net.ipv6.conf.lan4.accept_redirects = 1
net.ipv6.conf.lan4.accept_source_route = 0
net.ipv6.conf.lan4.addr_gen_mode = 0
net.ipv6.conf.lan4.autoconf = 1
net.ipv6.conf.lan4.dad_transmits = 1
net.ipv6.conf.lan4.disable_ipv6 = 0
net.ipv6.conf.lan4.disable_policy = 0
net.ipv6.conf.lan4.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.lan4.drop_unsolicited_na = 0
net.ipv6.conf.lan4.enhanced_dad = 1
net.ipv6.conf.lan4.force_mld_version = 0
net.ipv6.conf.lan4.force_tllao = 0
net.ipv6.conf.lan4.forwarding = 1
net.ipv6.conf.lan4.hop_limit = 64
net.ipv6.conf.lan4.ignore_routes_with_linkdown = 0
net.ipv6.conf.lan4.ioam6_enabled = 0
net.ipv6.conf.lan4.ioam6_id = 65535
net.ipv6.conf.lan4.ioam6_id_wide = 4294967295
net.ipv6.conf.lan4.keep_addr_on_down = 0
net.ipv6.conf.lan4.max_addresses = 16
net.ipv6.conf.lan4.max_desync_factor = 600
net.ipv6.conf.lan4.mc_forwarding = 0
net.ipv6.conf.lan4.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.lan4.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.lan4.mtu = 1500
net.ipv6.conf.lan4.ndisc_notify = 0
net.ipv6.conf.lan4.ndisc_tclass = 0
net.ipv6.conf.lan4.proxy_ndp = 0
net.ipv6.conf.lan4.ra_defrtr_metric = 1024
net.ipv6.conf.lan4.regen_max_retry = 3
net.ipv6.conf.lan4.router_solicitation_delay = 1
net.ipv6.conf.lan4.router_solicitation_interval = 4
net.ipv6.conf.lan4.router_solicitation_max_interval = 3600
net.ipv6.conf.lan4.router_solicitations = -1
net.ipv6.conf.lan4.rpl_seg_enabled = 0
net.ipv6.conf.lan4.seg6_enabled = 0
sysctl: error reading key 'net.ipv6.conf.lan4.stable_secret': I/O error
net.ipv6.conf.lan4.suppress_frag_ndisc = 1
net.ipv6.conf.lan4.temp_prefered_lft = 86400
net.ipv6.conf.lan4.temp_valid_lft = 604800
net.ipv6.conf.lan4.use_oif_addrs_only = 0
net.ipv6.conf.lan4.use_tempaddr = 0
net.ipv6.neigh.lan4.anycast_delay = 100
net.ipv6.neigh.lan4.app_solicit = 0
net.ipv6.neigh.lan4.base_reachable_time = 30
net.ipv6.neigh.lan4.base_reachable_time_ms = 30000
net.ipv6.neigh.lan4.delay_first_probe_time = 5
net.ipv6.neigh.lan4.gc_stale_time = 60
net.ipv6.neigh.lan4.locktime = 0
net.ipv6.neigh.lan4.mcast_resolicit = 0
net.ipv6.neigh.lan4.mcast_solicit = 3
net.ipv6.neigh.lan4.proxy_delay = 80
net.ipv6.neigh.lan4.proxy_qlen = 64
net.ipv6.neigh.lan4.retrans_time = 100
net.ipv6.neigh.lan4.retrans_time_ms = 1000
net.ipv6.neigh.lan4.ucast_solicit = 3
net.ipv6.neigh.lan4.unres_qlen = 91
net.ipv6.neigh.lan4.unres_qlen_bytes = 180224
/etc/config/network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint '1'
option device 'br-lan'
config interface 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option device 'eth2'
config interface 'VERO'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint '2'
option device 'lan4'
option igmp_snooping '1'
config interface 'WAN4'
option proto 'dhcp'
option device 'eth2'
config interface 'OpenVPN'
option proto 'static'
option auto '0'
option device 'vtun0'
config route6
option target 'IPV6_PREFIX:c::/64'
option interface 'lan'
option gateway 'fe80::MAC1'
config route
option gateway '192.168.1.26'
option interface 'lan'
option target '172.18.0.0'
option netmask '255.255.0.0'
config device 'br_lan'
option name 'br-lan'
option bridge_empty '1'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
option type 'bridge'
option macaddr 'MAC2'
Some extra info:
[/]@192.168.1.1
λ brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.d858d7003b55 no lan2
wlan0
lan0
lan3
wlan1
lan1
igmpproxy is also configured, but since the IGMP traffic is discarded somewhere before igmpproxy can see it, this should be irrelevant. Here's the configuration anyway:
[/]@192.168.1.1
λ cat etc/config/igmpproxy
config igmpproxy
option quickleave 1
# option verbose [0-3](none, minimal[default], more, maximum)
config phyint
option network WAN4
option zone wan
option direction upstream
list altnet 0.0.0.0/0
config phyint
option network VERO
option zone lan
option direction downstream
If anything else would be useful for debugging, just ask.
Thanks again.