Use ssh to connect to the device.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
# Board/release info, the firewall UCI config, and the live nftables ruleset.
# On this 19.07 device nft is absent (the rules carry "!fw3" comments, i.e.
# fw3/iptables), so `iptables-save -c` is the equivalent dump of the active rules.
ubus call system board; \
uci export firewall; \
nft list ruleset
I'm new to this forum, so bear with me... this is what I got:
root@OpenWrt:~# ubus call system board; \ uci export firewall; \ nft list ruleset
{
"kernel": "4.14.215",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900ACv2",
"board_name": "linksys,cobra",
"release": {
"distribution": "OpenWrt",
"version": "19.07.6",
"revision": "r11278-8055e38794",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.6 r11278-8055e38794"
}
}
-ash: uci: not found
-ash: nft: not found
root@OpenWrt:~#
Do not put all the commands on the same line; copy and paste what @trendy suggested, "as is".
root@OpenWrt:~# ubus call system board; \
uci export firewall;
nft list ruleset
{
"kernel": "4.14.215",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900ACv2",
"board_name": "linksys,cobra",
"release": {
"distribution": "OpenWrt",
"version": "19.07.6",
"revision": "r11278-8055e38794",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.6 r11278-8055e38794"
}
}
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src 'wan'
option name 'Ps5'
option target 'DNAT'
option dest_ip '192.168.1.100'
option dest 'lan'
list proto 'all'
config rule
option dest 'lan'
option src 'wan'
option target 'DSCP'
option set_dscp 'EF'
option name 'Call of Duty'
list src_ip '192.168.1.100'
list proto 'udp'
config rule
option dest 'lan'
option src 'wan'
option target 'DSCP'
option set_dscp 'CS0'
option name 'Everything'
list src_ip '192.168.1.180'
list src_ip '192.168.1.154'
list src_ip '192.168.1.165'
list proto 'all'
-ash: nft: not found
root@OpenWrt:~#
That is a rather old and unsupported version.
What is the output of this:
iptables-save -c
root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Mon Sep 18 15:25:58 2023
*nat
:PREROUTING ACCEPT [3916:527536]
:INPUT ACCEPT [1749:121055]
:OUTPUT ACCEPT [1342:94996]
:POSTROUTING ACCEPT [3:129]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3919:527665] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3916:527536] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3:129] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[3107:428233] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[3:129] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3104:428104] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:129] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -m comment --comment "!fw3: Ps5 (reflection)" -j SNAT --to-source 192.168.1.1
[3916:527536] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -m comment --comment "!fw3: Ps5 (reflection)" -j DNAT --to-destination 192.168.1.100
[3104:428104] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[3104:428104] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3:129] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3:129] -A zone_wan_prerouting -m comment --comment "!fw3: Ps5" -j DNAT --to-destination 192.168.1.100
COMMIT
# Completed on Mon Sep 18 15:25:58 2023
# Generated by iptables-save v1.8.3 on Mon Sep 18 15:25:58 2023
*raw
:PREROUTING ACCEPT [259991:156205558]
:OUTPUT ACCEPT [4308:507002]
:zone_lan_helper - [0:0]
[131015:39947242] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Mon Sep 18 15:25:58 2023
# Generated by iptables-save v1.8.3 on Mon Sep 18 15:25:58 2023
*mangle
:PREROUTING ACCEPT [259991:156205558]
:INPUT ACCEPT [4449:479586]
:FORWARD ACCEPT [255137:155652599]
:OUTPUT ACCEPT [4308:507002]
:POSTROUTING ACCEPT [259045:156138193]
[1747:96396] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1331:74656] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Sep 18 15:25:58 2023
# Generated by iptables-save v1.8.3 on Mon Sep 18 15:25:58 2023
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[67:10130] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[4383:469508] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2165:284666] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[349:18156] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2215:184722] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[3:120] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[255137:155652599] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[250425:153089177] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4709:2563293] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[3:129] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[67:10130] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[4241:496872] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2804:394832] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1436:102000] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[3:120] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[349:18156] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:40] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[4709:2563293] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4709:2563293] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2215:184722] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2215:184722] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:40] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:40] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2214:184670] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[400:21408] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[5745:2643885] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[3:129] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[3:129] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3:120] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:120] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1436:102000] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1436:102000] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3:120] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Sep 18 15:25:58 2023
root@OpenWrt:~#
I use 19.07.6 because I've upgraded to some of the 20 versions and some bricked my router, so I just went back to 19.07.6. Are there any suggested stable builds I can upgrade to?
First, could you fix the previous post and put the console output in a preformatted text block so it is easier to read?
Just make sure you "sandwich" your text between two rows of backtick characters ` (which themselves will be invisible in the preview), looking something like this in the editor:
```
Your Pasted Text as preformatted text with fixed width font
1
1111 (note with fixed-width fonts the numbers are right-aligned)
```
but looking like this in the rendered forum:
Your Pasted Text as preformatted text with fixed width font
1
1111 (note with fixed-width fonts the numbers are right-aligned)
Second, you have the DSCP rules from wan to lan but you are using source IP from the lan, is that correct?
Not sure if it's correct... is it?
Can you show me where the console output is? I'm somewhat new to this, but I learn pretty fast.
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -m comment --comment "!fw3: Ps5 (reflection)" -j SNAT --to-source 192.168.1.1
[7908:1208154] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.100.2/32 -m comment --comment "!fw3: Ps5 (reflection)" -j DNAT --to-destination 192.168.1.100
[5599:958558] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[5599:958558] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3:129] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3:129] -A zone_wan_prerouting -m comment --comment "!fw3: Ps5" -j DNAT --to-destination 192.168.1.100
COMMIT
This is the only thing I see with the PS5 IP address in it.
I would love to learn the correct way... should the PS5 IP be in the destination field?
First of all, why are you marking the ingress packets? Is your home network congested, and do your switches support prioritization with DSCP marks?
The expected application of such marks would be in the egress path. But usually no one guarantees that the ISP will respect them.
Actually, if you look at the rule, the OP specifies SRC IPs in the WAN zone too.
- Please provide the complete output; the rules you pictured have different IPs listed and none say "PS5".
- What IP is the PS5? (you never told us - and your rules seem improperly written, so I don't want to assume)
Also, please provide the output of:
ifstatus lan | grep '"address": "192'
Since applying SQM to both ingress and egress along with the DSCP markings, my connection to my games has become so smooth and playable. I wasn't seeing the rules in the firewall, so I wanted to know if they were working.