Multicast to unicast conversion on a wire only router

nokoru · February 21, 2022, 10:58am

Unfortunately, incrementing TTL does not seem to help.
Note that I do not use smcroute for multicast -> unicast conversion. I am only using the DNAT rule. Do I need smcroute for this conversion?

trendy · February 21, 2022, 11:27am

First of all, does the packet leave the output interface of the router with the correct headers?

nokoru · February 22, 2022, 6:14am

How do I find this out? I have Wireshark in promiscuous mode and directly connected to the output interface but am seeing nothing resembling the expected packets so I am assuming the packets are not even sent out.

trendy · February 22, 2022, 7:53am

You can install and run tcpdump on the router and capture packets leaving the egress interface. Use the filters to match the destination IP.

nokoru · February 22, 2022, 8:08am

Seems like the router failed to route my packets out of the output interface as suspected.
Using "tcpdump -i lan1 -Q out", the only thing captured are ARP and ICMP packets.

trendy · February 22, 2022, 8:12am

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Also the smcroute configuration if used.

trendy · February 22, 2022, 12:10pm

I cannot depend troubleshooting on that. Copy the output from the device, paste it on a notepad, and post it when you have your laptop connected to the internet.

nokoru · February 23, 2022, 5:28am

Deleted previously posted command outputs to avoid confusion.

command output

root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
{
        "kernel": "4.14.221",
        "hostname": "GL-MV1000",
        "model": "GL.inet GL-MV1000",
        "board_name": "gl-mv1000",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:467c:2b5f::/48'

config interface 'lan0'
        option ifname 'lan0'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'lan1'
        option ifname 'lan1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'wan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan0'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan0'

config zone
        option name 'lan1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan1'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'wan'

config forwarding
        option src 'lan0'
        option dest 'lan1'

config forwarding
        option src 'lan1'
        option dest 'lan0'

config redirect
        option src 'lan1'
        option src_dip '192.168.9.1'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '224.10.10.11'
        option target 'DNAT'

config redirect
        option src 'lan0'
        option src_dip '224.10.10.10'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '192.168.9.123'
        option target 'DNAT'


force_dns() {
        # lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
        lanip=$(uci get network.lan.ipaddr)
        tor=$(ps|grep /usr/sbin/tor|grep -v grep)
        [ "$1" = "add" ] && {
                ip=$(uci get glconfig.general.ipaddr)
                [ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $ip
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

                uci set glconfig.general.ipaddr=$lanip
                uci commit glconfig
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -C PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -C PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi



        }
        [ "$1" = "remove" ] && {
                lanip=$(uci get glconfig.general.ipaddr)
                [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -D PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi
        }
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

# PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
# Generated by iptables-save v1.8.3 on Wed Feb 23 05:07:40 2022
*nat
:PREROUTING ACCEPT [117:6665]
:INPUT ACCEPT [5:1130]
:OUTPUT ACCEPT [435:35936]
:POSTROUTING ACCEPT [447:37210]
:GL_SPEC_DMZ - [0:0]
:postrouting_lan0_rule - [0:0]
:postrouting_lan1_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan0_rule - [0:0]
:prerouting_lan1_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan0_postrouting - [0:0]
:zone_lan0_prerouting - [0:0]
:zone_lan1_postrouting - [0:0]
:zone_lan1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1449:1109794] -A PREROUTING -j GL_SPEC_DMZ
[1434:1105043] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[93:14491] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan1_prerouting
[1341:1090552] -A PREROUTING -i lan0 -m comment --comment "!fw3" -j zone_lan0_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[447:37210] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[10:400] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan1_postrouting
[3:914] -A POSTROUTING -o lan0 -m comment --comment "!fw3" -j zone_lan0_postrouting
[399:33516] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[3:914] -A zone_lan0_postrouting -m comment --comment "!fw3: Custom lan0 postrouting rule chain" -j postrouting_lan0_rule
[1341:1090552] -A zone_lan0_prerouting -m comment --comment "!fw3: Custom lan0 prerouting rule chain" -j prerouting_lan0_rule
[0:0] -A zone_lan0_prerouting -d 224.10.10.10/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[1305:1088370] -A zone_lan0_prerouting -d 224.10.10.10/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[10:400] -A zone_lan1_postrouting -m comment --comment "!fw3: Custom lan1 postrouting rule chain" -j postrouting_lan1_rule
[93:14491] -A zone_lan1_prerouting -m comment --comment "!fw3: Custom lan1 prerouting rule chain" -j prerouting_lan1_rule
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[12:10008] -A zone_lan1_prerouting -d 192.168.9.1/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[399:33516] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Feb 23 05:07:40 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 05:07:40 2022
*raw
:PREROUTING ACCEPT [4664:2123247]
:OUTPUT ACCEPT [2512:325928]
:zone_lan0_helper - [0:0]
:zone_lan1_helper - [0:0]
:zone_wan_helper - [0:0]
[1113:848935] -A PREROUTING -i lan1 -m comment --comment "!fw3: lan1 CT helper assignment" -j zone_lan1_helper
[2872:1210584] -A PREROUTING -i lan0 -m comment --comment "!fw3: lan0 CT helper assignment" -j zone_lan0_helper
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Feb 23 05:07:40 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 05:07:40 2022
*mangle
:PREROUTING ACCEPT [175:71430]
:INPUT ACCEPT [68:6316]
:FORWARD ACCEPT [32:26688]
:OUTPUT ACCEPT [112:24136]
:POSTROUTING ACCEPT [144:50824]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[4675:2125303] -A PREROUTING -j mwan3_hook
[0:0] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p tcp -m tcp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
[46:38364] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p udp -m udp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
[2528:331876] -A OUTPUT -j mwan3_hook
[1419:1107341] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[7203:2457179] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[1876:1142919] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[1876:1142919] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[493:38746] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[7203:2457179] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[60:4796] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[388:32592] -A mwan3_policy_default_poli -o wan -m mark --mark 0x0/0x3f00 -m comment --comment "out wan wan" -j MARK --set-xmark 0x3f00/0x3f00
[81:4526] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[469:37118] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Wed Feb 23 05:07:40 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 05:07:40 2022
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_lan0_rule - [0:0]
:forwarding_lan1_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan0_rule - [0:0]
:input_lan1_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan0_rule - [0:0]
:output_lan1_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan0_dest_ACCEPT - [0:0]
:zone_lan0_forward - [0:0]
:zone_lan0_input - [0:0]
:zone_lan0_output - [0:0]
:zone_lan0_src_ACCEPT - [0:0]
:zone_lan1_dest_ACCEPT - [0:0]
:zone_lan1_forward - [0:0]
:zone_lan1_input - [0:0]
:zone_lan1_output - [0:0]
:zone_lan1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[3229:996348] -A INPUT -j GL_SPEC_OPENING
[679:63728] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2542:932020] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1545:120592] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[994:811284] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan1_input
[3:144] -A INPUT -i lan0 -m comment --comment "!fw3" -j zone_lan0_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[1011:834568] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1009:834468] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan1_forward
[2:100] -A FORWARD -i lan0 -m comment --comment "!fw3" -j zone_lan0_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[11:568] -A FORWARD -m comment --comment "!fw3" -j reject
[679:63728] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1863:271272] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1461:237636] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan1_output
[1:40] -A OUTPUT -o lan0 -m comment --comment "!fw3" -j zone_lan0_output
[399:33516] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[11:568] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:104] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1001:834040] -A zone_lan0_dest_ACCEPT -o lan0 -m comment --comment "!fw3" -j ACCEPT
[2:100] -A zone_lan0_forward -m comment --comment "!fw3: Custom lan0 forwarding rule chain" -j forwarding_lan0_rule
[2:100] -A zone_lan0_forward -m comment --comment "!fw3: Zone lan0 to lan1 forwarding policy" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2:100] -A zone_lan0_forward -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3: Custom lan0 input rule chain" -j input_lan0_rule
[0:0] -A zone_lan0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3" -j zone_lan0_src_ACCEPT
[1:40] -A zone_lan0_output -m comment --comment "!fw3: Custom lan0 output rule chain" -j output_lan0_rule
[1:40] -A zone_lan0_output -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[2:104] -A zone_lan0_src_ACCEPT -i lan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A zone_lan1_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[1009:834468] -A zone_lan1_forward -m comment --comment "!fw3: Custom lan1 forwarding rule chain" -j forwarding_lan1_rule
[1009:834468] -A zone_lan1_forward -m comment --comment "!fw3: Zone lan1 to lan0 forwarding policy" -j zone_lan0_dest_ACCEPT
[0:0] -A zone_lan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[9:468] -A zone_lan1_forward -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[994:811284] -A zone_lan1_input -m comment --comment "!fw3: Custom lan1 input rule chain" -j input_lan1_rule
[970:808980] -A zone_lan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[24:2304] -A zone_lan1_input -m comment --comment "!fw3" -j zone_lan1_src_ACCEPT
[2:80] -A zone_lan1_output -m comment --comment "!fw3: Custom lan1 output rule chain" -j output_lan1_rule
[2:80] -A zone_lan1_output -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[24:2304] -A zone_lan1_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[399:33516] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[399:33516] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[399:33516] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Feb 23 05:07:40 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wan
       valid_lft forever preferred_lft forever
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global lan0
       valid_lft forever preferred_lft forever
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global lan1
       valid_lft forever preferred_lft forever
192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev lan0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev lan0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev lan0 table local proto kernel scope link src 192.168.8.1
broadcast 192.168.9.0 dev lan1 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev lan1 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev lan1 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
local 192.168.10.1 dev wan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
0:      from all lookup local
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

smcroute.conf

mgroup from lan1 group 224.10.10.11
mroute from lan1 group 224.10.10.11 to lan0

trendy · February 23, 2022, 8:50am

The rule has some hits, so you can verify that packets are being sent out of this interface.
tcpdump -i lan1 -evn udp port 25000

nokoru · February 23, 2022, 9:02am

Nothing.
I started a new session by restarting firewall and noticed that the lan0 -> lan1 forward chain in filter table has 0 hits despite seemingly only having one match criteria which is the input interface being lan0.
What exactly happens after DNAT and before forwarding? Is it routing?
I did ip route with the following output:

192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown

Routing seems fine?

trendy · February 23, 2022, 9:20am

Routing is fine, disable mwan3.

nokoru · February 23, 2022, 9:33am

No visible effect. tcpdump command still shows nothing.

trendy · February 23, 2022, 9:36am

Post once again to check how it looks now.

nokoru · February 24, 2022, 1:20am

root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
{
        "kernel": "4.14.221",
        "hostname": "GL-MV1000",
        "model": "GL.inet GL-MV1000",
        "board_name": "gl-mv1000",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:467c:2b5f::/48'

config interface 'lan0'
        option ifname 'lan0'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'lan1'
        option ifname 'lan1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'wan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan0'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan0'

config zone
        option name 'lan1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan1'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'wan'

config forwarding
        option src 'lan0'
        option dest 'lan1'

config forwarding
        option src 'lan1'
        option dest 'lan0'

config redirect
        option src 'lan1'
        option src_dip '192.168.9.1'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '224.10.10.11'
        option target 'DNAT'

config redirect
        option src 'lan0'
        option src_dip '224.10.10.10'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '192.168.9.123'
        option target 'DNAT'


force_dns() {
        # lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
        lanip=$(uci get network.lan.ipaddr)
        tor=$(ps|grep /usr/sbin/tor|grep -v grep)
        [ "$1" = "add" ] && {
                ip=$(uci get glconfig.general.ipaddr)
                [ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $ip
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

                uci set glconfig.general.ipaddr=$lanip
                uci commit glconfig
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -C PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -C PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi



        }
        [ "$1" = "remove" ] && {
                lanip=$(uci get glconfig.general.ipaddr)
                [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -D PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi
        }
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

# PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

# increase TTL by 1
iptables -t mangle -D PREROUTING -i lan0 -p tcp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i lan0 -p tcp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -D PREROUTING -i lan0 -p udp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i lan0 -p udp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*nat
:PREROUTING ACCEPT [22:1229]
:INPUT ACCEPT [3:200]
:OUTPUT ACCEPT [23:1776]
:POSTROUTING ACCEPT [34:2216]
:GL_SPEC_DMZ - [0:0]
:postrouting_lan0_rule - [0:0]
:postrouting_lan1_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan0_rule - [0:0]
:prerouting_lan1_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan0_postrouting - [0:0]
:zone_lan0_prerouting - [0:0]
:zone_lan1_postrouting - [0:0]
:zone_lan1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[81:45022] -A PREROUTING -j GL_SPEC_DMZ
[71:42095] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[51:40970] -A PREROUTING -i lan0 -m comment --comment "!fw3" -j zone_lan0_prerouting
[20:1125] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan1_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[34:2216] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o lan0 -m comment --comment "!fw3" -j zone_lan0_postrouting
[12:480] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan1_postrouting
[15:1260] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan0_postrouting -m comment --comment "!fw3: Custom lan0 postrouting rule chain" -j postrouting_lan0_rule
[51:40970] -A zone_lan0_prerouting -m comment --comment "!fw3: Custom lan0 prerouting rule chain" -j prerouting_lan0_rule
[0:0] -A zone_lan0_prerouting -d 224.10.10.10/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[49:40866] -A zone_lan0_prerouting -d 224.10.10.10/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[12:480] -A zone_lan1_postrouting -m comment --comment "!fw3: Custom lan1 postrouting rule chain" -j postrouting_lan1_rule
[20:1125] -A zone_lan1_prerouting -m comment --comment "!fw3: Custom lan1 prerouting rule chain" -j prerouting_lan1_rule
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[15:1260] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*raw
:PREROUTING ACCEPT [281:61751]
:OUTPUT ACCEPT [264:38216]
:zone_lan0_helper - [0:0]
:zone_lan1_helper - [0:0]
:zone_wan_helper - [0:0]
[179:54082] -A PREROUTING -i lan0 -m comment --comment "!fw3: lan0 CT helper assignment" -j zone_lan0_helper
[31:2181] -A PREROUTING -i lan1 -m comment --comment "!fw3: lan1 CT helper assignment" -j zone_lan1_helper
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*mangle
:PREROUTING ACCEPT [54:13852]
:INPUT ACCEPT [40:2176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:20456]
:POSTROUTING ACCEPT [77:20456]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[286:62761] -A PREROUTING -j mwan3_hook
[271:42844] -A OUTPUT -j mwan3_hook
[107:46137] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[557:105605] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[99:44925] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[99:44925] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[27:1916] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[557:105605] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[58:4708] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[4:336] -A mwan3_policy_default_poli -o wan -m mark --mark 0x0/0x3f00 -m comment --comment "out wan wan" -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[4:336] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_lan0_rule - [0:0]
:forwarding_lan1_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan0_rule - [0:0]
:input_lan1_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan0_rule - [0:0]
:output_lan1_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan0_dest_ACCEPT - [0:0]
:zone_lan0_forward - [0:0]
:zone_lan0_input - [0:0]
:zone_lan0_output - [0:0]
:zone_lan0_src_ACCEPT - [0:0]
:zone_lan1_dest_ACCEPT - [0:0]
:zone_lan1_forward - [0:0]
:zone_lan1_input - [0:0]
:zone_lan1_output - [0:0]
:zone_lan1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[229:20832] -A INPUT -j GL_SPEC_OPENING
[71:5488] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[150:14688] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[135:13392] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3:144] -A INPUT -i lan0 -m comment --comment "!fw3" -j zone_lan0_input
[12:1152] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan1_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[11:572] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i lan0 -m comment --comment "!fw3" -j zone_lan0_forward
[11:572] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan1_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[11:572] -A FORWARD -m comment --comment "!fw3" -j reject
[71:5488] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[208:40112] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[190:38732] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A OUTPUT -o lan0 -m comment --comment "!fw3" -j zone_lan0_output
[2:80] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan1_output
[15:1260] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[11:572] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:104] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:40] -A zone_lan0_dest_ACCEPT -o lan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Custom lan0 forwarding rule chain" -j forwarding_lan0_rule
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Zone lan0 to lan1 forwarding policy" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3: Custom lan0 input rule chain" -j input_lan0_rule
[0:0] -A zone_lan0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3" -j zone_lan0_src_ACCEPT
[1:40] -A zone_lan0_output -m comment --comment "!fw3: Custom lan0 output rule chain" -j output_lan0_rule
[1:40] -A zone_lan0_output -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[2:104] -A zone_lan0_src_ACCEPT -i lan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A zone_lan1_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[11:572] -A zone_lan1_forward -m comment --comment "!fw3: Custom lan1 forwarding rule chain" -j forwarding_lan1_rule
[11:572] -A zone_lan1_forward -m comment --comment "!fw3: Zone lan1 to lan0 forwarding policy" -j zone_lan0_dest_ACCEPT
[0:0] -A zone_lan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[11:572] -A zone_lan1_forward -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[12:1152] -A zone_lan1_input -m comment --comment "!fw3: Custom lan1 input rule chain" -j input_lan1_rule
[0:0] -A zone_lan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[12:1152] -A zone_lan1_input -m comment --comment "!fw3" -j zone_lan1_src_ACCEPT
[2:80] -A zone_lan1_output -m comment --comment "!fw3: Custom lan1 output rule chain" -j output_lan1_rule
[2:80] -A zone_lan1_output -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[12:1152] -A zone_lan1_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[15:1260] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[15:1260] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[15:1260] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wan
       valid_lft forever preferred_lft forever
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global lan0
       valid_lft forever preferred_lft forever
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global lan1
       valid_lft forever preferred_lft forever
192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev lan0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev lan0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev lan0 table local proto kernel scope link src 192.168.8.1
broadcast 192.168.9.0 dev lan1 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev lan1 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev lan1 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
local 192.168.10.1 dev wan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
0:      from all lookup local
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

I added the commands used to increment TTL in /etc/firewall.user

trendy · February 24, 2022, 10:24am

mwan3 is still running.
Disable the custom firewall rules from gl in firewall.user.
Add a route in smcroute
mroute from lan0 group 224.10.10.10 to lan1

nokoru · February 25, 2022, 1:26am

Strange the initscript for mwan3 is shown to be disabled on luci.
I checked using ps | grep mwan3 and seems like mwan3rtmon and mwan3track are still running. How do I disable them? they are not listed by luci and also not in /etc/init.d.

In order to work around the issue with mwan3 running processes, I did the following steps, including the actions you listed:

removed every line except the TTL incrementing commands in firewall.user
added mroute from lan0 group 224.10.10.10 to lan1
reboot
ps | grep mwan3 and killed both mwan3rtmon and mwan3track
fw3 flush (in hindsight does make step 1 kind of pointless)
service firewall restart to get back rules added in /etc/config/firewall
manually issued the TTL incrementing commands to get back rules added in /etc/firewall.user

Still does not seem to get me any closer to my objective.
There are hits to the TTL chain, hits to the DNAT chain, no hit to forward chain, tcpdump shows no packet outputting on lan1 and Wireshark on receiving device shows the same.

trendy · February 25, 2022, 9:58am

There should be an init script under /etc/init.d/ which you can use to stop the service and disable it from running in the next boot.

I suspect that the DNAT is applied too early and smcroute cannot match the packet based on the multicast address. Run a tcpdump on all interfaces to see where is it sent and try to make it very verbose to see if there is something weird in the contents of the packet.

nokoru · February 25, 2022, 10:32am

I do not see a file called "init script". I have however found mwan3, but is this any different from what I did, which was /etc/init.d/mwan3 disable? Do I need to delete the file instead?

I had in fact tried the same thing a week ago, the "same thing" being adding multicast route with smcroute to route packets with destination 224.10.10.10 from lan0 to lan1. The reason why the multicast packet isn't sent may be because the receiving device does not subscribe to the group 224.10.10.10. In combination to the added route, setting multicast_to_unicast to 1 for lan1 will result in the multicast packet being sent out. However, this is not what I want as the destination remains multicast.

trendy · February 25, 2022, 11:58am

I meant the mwan3. If you ran the stop and then disable, it should be killed and not run on next boot. If not, something else is wrong in your installation.

Problem is that you cannot apply the DNAT on that phase. Check where the packet goes, or if it is dropped from the firewall and post here a packet capture.

nokoru · February 28, 2022, 8:24am

You mean with option multicast_to_unicast '1' or without?

Here are the outputs for the changes suggested 4days ago (without option multicast_to_unicast '1'):

root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
{
        "kernel": "4.14.221",
        "hostname": "GL-MV1000",
        "model": "GL.inet GL-MV1000",
        "board_name": "gl-mv1000",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:467c:2b5f::/48'

config interface 'lan0'
        option ifname 'lan0'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'lan1'
        option ifname 'lan1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'wan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan0'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan0'

config zone
        option name 'lan1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan1'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'wan'

config forwarding
        option src 'lan0'
        option dest 'lan1'

config forwarding
        option src 'lan1'
        option dest 'lan0'

config redirect
        option src 'lan1'
        option src_dip '192.168.9.1'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '224.10.10.11'
        option target 'DNAT'

config redirect
        option src 'lan0'
        option src_dip '224.10.10.10'
        option src_port '25000'
        option src_dport '25000'
        option dest_ip '192.168.9.123'
        option target 'DNAT'


# increase TTL by 1
iptables -t mangle -D PREROUTING -i lan0 -p tcp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i lan0 -p tcp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -D PREROUTING -i lan0 -p udp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i lan0 -p udp -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*nat
:PREROUTING ACCEPT [30:1752]
:INPUT ACCEPT [13:684]
:OUTPUT ACCEPT [6:512]
:POSTROUTING ACCEPT [6:512]
:postrouting_lan0_rule - [0:0]
:postrouting_lan1_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan0_rule - [0:0]
:prerouting_lan1_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan0_postrouting - [0:0]
:zone_lan0_prerouting - [0:0]
:zone_lan1_postrouting - [0:0]
:zone_lan1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[302:228600] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[292:228080] -A PREROUTING -i lan0 -m comment --comment "!fw3" -j zone_lan0_prerouting
[10:520] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan1_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[5:392] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:120] -A POSTROUTING -o lan0 -m comment --comment "!fw3" -j zone_lan0_postrouting
[0:0] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan1_postrouting
[0:0] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[1:120] -A zone_lan0_postrouting -m comment --comment "!fw3: Custom lan0 postrouting rule chain" -j postrouting_lan0_rule
[292:228080] -A zone_lan0_prerouting -m comment --comment "!fw3: Custom lan0 prerouting rule chain" -j prerouting_lan0_rule
[0:0] -A zone_lan0_prerouting -d 224.10.10.10/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[272:226848] -A zone_lan0_prerouting -d 224.10.10.10/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[0:0] -A zone_lan1_postrouting -m comment --comment "!fw3: Custom lan1 postrouting rule chain" -j postrouting_lan1_rule
[10:520] -A zone_lan1_prerouting -m comment --comment "!fw3: Custom lan1 prerouting rule chain" -j prerouting_lan1_rule
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*raw
:PREROUTING ACCEPT [1681:502130]
:OUTPUT ACCEPT [2332:1554944]
:zone_lan0_helper - [0:0]
:zone_lan1_helper - [0:0]
:zone_wan_helper - [0:0]
[1637:499354] -A PREROUTING -i lan0 -m comment --comment "!fw3: lan0 CT helper assignment" -j zone_lan0_helper
[10:520] -A PREROUTING -i lan1 -m comment --comment "!fw3: lan1 CT helper assignment" -j zone_lan1_helper
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*mangle
:PREROUTING ACCEPT [1643:492644]
:INPUT ACCEPT [1363:272234]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2311:1555444]
:POSTROUTING ACCEPT [2311:1555444]
[0:0] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p tcp -m tcp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
[263:219342] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p udp -m udp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan0_rule - [0:0]
:forwarding_lan1_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan0_rule - [0:0]
:input_lan1_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan0_rule - [0:0]
:output_lan1_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan0_dest_ACCEPT - [0:0]
:zone_lan0_forward - [0:0]
:zone_lan0_input - [0:0]
:zone_lan0_output - [0:0]
:zone_lan0_src_ACCEPT - [0:0]
:zone_lan1_dest_ACCEPT - [0:0]
:zone_lan1_forward - [0:0]
:zone_lan1_input - [0:0]
:zone_lan1_output - [0:0]
:zone_lan1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[32:2176] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1375:272638] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1362:271954] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[12:624] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[13:684] -A INPUT -i lan0 -m comment --comment "!fw3" -j zone_lan0_input
[0:0] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan1_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i lan0 -m comment --comment "!fw3" -j zone_lan0_forward
[0:0] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan1_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[32:2176] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2331:1560952] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2328:1560592] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:360] -A OUTPUT -o lan0 -m comment --comment "!fw3" -j zone_lan0_output
[0:0] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan1_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[12:624] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:360] -A zone_lan0_dest_ACCEPT -o lan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Custom lan0 forwarding rule chain" -j forwarding_lan0_rule
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Zone lan0 to lan1 forwarding policy" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[13:684] -A zone_lan0_input -m comment --comment "!fw3: Custom lan0 input rule chain" -j input_lan0_rule
[0:0] -A zone_lan0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[13:684] -A zone_lan0_input -m comment --comment "!fw3" -j zone_lan0_src_ACCEPT
[3:360] -A zone_lan0_output -m comment --comment "!fw3: Custom lan0 output rule chain" -j output_lan0_rule
[3:360] -A zone_lan0_output -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[13:684] -A zone_lan0_src_ACCEPT -i lan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan1_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan1_forward -m comment --comment "!fw3: Custom lan1 forwarding rule chain" -j forwarding_lan1_rule
[0:0] -A zone_lan1_forward -m comment --comment "!fw3: Zone lan1 to lan0 forwarding policy" -j zone_lan0_dest_ACCEPT
[0:0] -A zone_lan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan1_forward -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan1_input -m comment --comment "!fw3: Custom lan1 input rule chain" -j input_lan1_rule
[0:0] -A zone_lan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan1_input -m comment --comment "!fw3" -j zone_lan1_src_ACCEPT
[0:0] -A zone_lan1_output -m comment --comment "!fw3: Custom lan1 output rule chain" -j output_lan1_rule
[0:0] -A zone_lan1_output -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan1_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wan
       valid_lft forever preferred_lft forever
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global lan0
       valid_lft forever preferred_lft forever
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global lan1
       valid_lft forever preferred_lft forever
192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev lan0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev lan0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev lan0 table local proto kernel scope link src 192.168.8.1
broadcast 192.168.9.0 dev lan1 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev lan1 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev lan1 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
local 192.168.10.1 dev wan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
0:      from all lookup local
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

root@GL-MV1000:~# tcpdump -i lan1 -evn udp port 25000
tcpdump: listening on lan1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

mgroup from lan1 group 224.10.10.11
mroute from lan1 group 224.10.10.11 to lan0
mroute from lan0 group 224.10.10.10 to lan1

Note that the tcpdump command was left running for a few minutes while the packets are sent out once every second.