OpenWrt don’t allow android's samba server /w unusual ports while stock firmware allow

ccchan · September 14, 2020, 1:41pm

Hi,

When using TP!ink C2 archer's stock firmware,
A win10 PC connected to LAN port, /w cifs ports modified to SMB TCP 1445,
NETBIOS UDP 1137, 1138, using freeware "multi port forwarder"

Together with an unroot-ed android, using samba server app "landrive",
connect thru wifi, /w ports modified above,
were able to share files.
The PC can ping, can FTP into, and enter the samba server app.
The unusual ports are used because of an unroot-ed android (see landrive)
(The PC can also CIFS into another win10, using normal ports)

BUT if that router is changed into an openwrt router,
No matter it is commercial GL inet BrumeW, v3.104 stock firmware (a 19.07.x),
OR DIY D1ink 842 /w latest openwrt snapshot.
The PC can ping, can FTP into, but CANNOT enter the samba server app.
!!! (BUT The PC can STILL CIFS into another win10, using normal ports)

I don’t have a USB lan for android so I cant try phone+LAN yet.
Could there be some restriction between the wifi and the LAN of an openwrt?

Help is appreciated as this is the only problem introduced after I switched into openwrt.
Thanks.

.
.
.
.
.
.
.
.
.
.

^------------above is shorter version after I did some test, thanks
old title:
OpenWrt router don’t allow samba /w unusal ports TCP1445, UDP1137/1138, thx
Hi~

For an unrooted android to act as samba server, and share files to a win10,

I have to use an app called "LAN drive", which use unusual ports:
SMB TCP 1445, and
NETBIOS UDP 1137, 1138.
(only 3 changes)

Graphically:

Unrooted android ------- router------- win 10 PC.

The PC side need install a freeware "multi port forwarder" for the 3 changes.

Previously I can do so with a TP!ink C2 router,
But recently I changed the router into an openwrt one,
Namely GL inet BrumeW, (v3.104 of stock firmware),
Which is a 19.07.

So I cant share files in that way now.
Hope there could be help and that could help others too.

Thanks

faser · September 14, 2020, 1:47pm

Why?

Are they all on the same LAN bridge or what is the router doing?
If the router is routing between networks and running a firewall you might need to use a different approach.

ccchan · September 14, 2020, 1:49pm

when using TP!ink C2,
when PC connect to LAN port,
android connect by wifi,
YES the landrive samba is working.

I ONLY changed the router to a GL-inet's BrumeW,
then it's not working.

so definitely is openwrt router preventing the file sharing.

thx

from what I guess,
is it that TP!ink allow all port communication,
while openwrt is more secure,
and closed such ports? (the lan drive only work with
that 3 ports).

I am not sure.

thx

faser · September 14, 2020, 1:51pm

Not if your Ethernet and Wifi is on the same LAN bridge.

ccchan · September 14, 2020, 2:14pm

additonal info:
The PC can ping successfully the android when using BrumeW.

The PC can even login a FTP server when using BrumeW.

so I think it's openwrt/BrumeW blocked some ports so it allow ping, allow FTP login, but disallow the modified samba. thanks

lleachii · September 14, 2020, 2:47pm

Just open/redirect the ports to be used.

ccchan · September 14, 2020, 3:00pm

further info:
using TP!ink, PC cifs share to PC is OK (using normal ports), PC samba phone is OK (using unusual port, in which PC use “multi port forwarder” and android use “landrive”, using the above 3 ports).

but using a GL inet BrumeW,
PC cifs share to PC is ok (using normal ports),
while PC samba phone is NOT ok (have to use the above 3 ports for landrive as is an unrooted android).

a self flashed D1ink 842 is ok with PC cifs share to PC using normal ports

thanks

vgaetera · September 14, 2020, 3:25pm

ccchan · September 14, 2020, 3:29pm

it doesn't help, bro.

i can forward tons of medical books to you yet
you cant cure your disease.

something like that.

thx

krazeh · September 14, 2020, 3:36pm

Do you know how to use SSH?

Can you copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/dhcp; \
head -n -0 /etc/firewall.user; \
iptables-save -c;\
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

ccchan · September 14, 2020, 4:04pm

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd39:4209:31f2::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 usb0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-MV1000-0b8'
        option ipaddr '192.168.8.1'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option hostname 'GL-MV1000-0b8'
        option metric '10'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

config interface 'lan0'
        option ifname 'lan0'
        option macaddr 'xx.xx.xx.xx.xx.xx'

config interface 'lan1'
        option ifname 'lan1'
        option macaddr 'xx.xx.xx.xx.xx.xx'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'ovpn'
        option ifname 'tun0'
        option proto 'none'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '0'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config rule 'safe_mode_lan'
        option name 'safe_mode_lan'
        option proto 'all'
        option src 'lan'
        option dest 'wan'
        option target 'DROP'

config rule 'safe_mode_guest'
        option name 'safe_mode_guest'
        option proto 'all'
        option src 'guestzone'
        option dest 'wan'
        option target 'DROP'

config zone 'vpn_zone'
        option name 'ovpn'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'ovpn'
        option masq '1'
        option mtu_fix '1'

config forwarding 'forwarding_vpn1'
        option dest 'ovpn'
        option src 'lan'

config forwarding 'forwarding_guest_ovpn'
        option dest 'ovpn'
        option src 'guestzone'


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option strictorder '1'
        option noresolv '1'
        option rebind_protection '1'
        list server '2a07:a8c1::99:98cc'
        list server '45.90.30.0'
        list server '2a07:a8c0::99:98cc'
        list server '45.90.28.0'
        option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'

config host '482ae33d2ed7'
        option mac 'xx.xx.xx.xx.xx.xx'
        option ip '192.168.8.58'
        option name 'ws001'

config host '080027913cad'
        option mac 'xx.xx.xx.xx.xx.xx'
        option ip '192.168.8.158'
        option name 'DESKTOP-64L4CJL'


force_dns() {
        # lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
        lanip=$(uci get network.lan.ipaddr)
        [ "$1" = "add" ] && {
                ip=$(uci get glconfig.general.ipaddr)
                [ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
                iptables -t nat -D PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $ip
                iptables -t nat -D PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

                uci set glconfig.general.ipaddr=$lanip
                uci commit glconfig
                iptables -t nat -C PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip


        }
        [ "$1" = "remove" ] && {
                lanip=$(uci get glconfig.general.ipaddr)
                [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
                iptables -t nat -C PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
        }
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

# PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
# Generated by iptables-save v1.8.3 on Mon Sep 14 23:49:29 2020
*nat
:PREROUTING ACCEPT [1731:435828]
:INPUT ACCEPT [141:10633]
:OUTPUT ACCEPT [2272:176499]
:POSTROUTING ACCEPT [7:1354]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:ROUTE_POLICY - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ovpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ovpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ovpn_postrouting - [0:0]
:zone_ovpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[21165:3338809] -A PREROUTING -j GL_SPEC_DMZ
[21165:3338809] -A PREROUTING -j GL_SPEC_FORWARDING
[117741:15001970] -A PREROUTING -j ROUTE_POLICY
[21166:3338861] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[18555:3070795] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[2609:267831] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
[2:235] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpn_prerouting
[25962:3086091] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[103:21129] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[14768:1827921] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
[11091:1237041] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
[0:0] -A ROUTE_POLICY -i br-guest -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.86.96.100
[0:0] -A ROUTE_POLICY -i br-guest -p udp -m udp --dport 53 -j DNAT --to-destination 103.86.96.100
[0:0] -A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
[0:0] -A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
[103:21129] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[18555:3070795] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[11091:1237041] -A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
[11091:1237041] -A zone_ovpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2:235] -A zone_ovpn_prerouting -m comment --comment "!fw3: Custom ovpn prerouting rule chain" -j prerouting_ovpn_rule
[14768:1827921] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[14768:1827921] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2609:267831] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Sep 14 23:49:29 2020
# Generated by iptables-save v1.8.3 on Mon Sep 14 23:49:29 2020
*raw
:PREROUTING ACCEPT [2196086:2184448356]
:OUTPUT ACCEPT [217698:66629097]
:zone_guestzone_helper - [0:0]
:zone_lan_helper - [0:0]
[564381:117207769] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3: guestzone CT helper assignment" -j zone_guestzone_helper
[0:0] -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Mon Sep 14 23:49:29 2020
# Generated by iptables-save v1.8.3 on Mon Sep 14 23:49:29 2020
*mangle
:PREROUTING ACCEPT [2195298:2184237799]
:INPUT ACCEPT [351613:351869631]
:FORWARD ACCEPT [1837352:1831317441]
:OUTPUT ACCEPT [217342:66505250]
:POSTROUTING ACCEPT [2054575:1897838423]
:ROUTE_POLICY - [0:0]
:ROUTE_POLICY_LOCAL - [0:0]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[2196030:2184429357] -A PREROUTING -j mwan3_hook
[10941869:11475635988] -A PREROUTING -j ROUTE_POLICY
[2780:153880] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2826:150168] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[217691:66626993] -A OUTPUT -j mwan3_hook
[936011:271564494] -A OUTPUT -j ROUTE_POLICY_LOCAL
[373163:75881614] -A ROUTE_POLICY -i br-lan -m set --match-set gl_bypass_vpn_mac src -j MARK --set-xmark 0x80000/0x80000
[2195298:2184237799] -A ROUTE_POLICY -j CONNMARK --save-mark --nfmask 0x1c0000 --ctmask 0x1c0000
[34393:4414491] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[2413721:2251056350] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[36857:4579224] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[34101:4304989] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[0:0] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
[0:0] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[2413721:2251056350] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[292:109502] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[2756:274235] -A mwan3_iface_in_wan -i wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_wan -i wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[0:0] -A mwan3_iface_out_wan -o wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[36857:4579224] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
[0:0] -A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
[0:0] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
[0:0] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Mon Sep 14 23:49:29 2020
# Generated by iptables-save v1.8.3 on Mon Sep 14 23:49:29 2020
*filter
:INPUT ACCEPT [42:1932]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:ROUTE_POLICY - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ovpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_ovpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_ovpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ovpn_dest_ACCEPT - [0:0]
:zone_ovpn_dest_REJECT - [0:0]
:zone_ovpn_forward - [0:0]
:zone_ovpn_input - [0:0]
:zone_ovpn_output - [0:0]
:zone_ovpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]

ccchan · September 14, 2020, 4:05pm


[352021:351965333] -A INPUT -j GL_SPEC_OPENING
[17:1564] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[352033:351981771] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[342317:351162485] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3829:184060] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[6923:543224] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2756:274235] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
[37:1827] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
[47470:3541077] -A FORWARD -m set --match-set GL_MAC_BLOCK src -j DROP
[9079324:9489959907] -A FORWARD -j ROUTE_POLICY
[1477710:1758410103] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1473155:1757286075] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4555:1124028] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[17:1564] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[217729:66638503] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[202430:65396887] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[216:42024] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[10010:847661] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
[5073:351931] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
[0:0] -A ROUTE_POLICY -i br-lan -m mark --mark 0x40000/0x40000 -j DROP
[2646608:2280880440] -A ROUTE_POLICY -i br-lan -m mark --mark 0x80000/0x80000 -j ACCEPT
[0:0] -A ROUTE_POLICY -i br-guest -m mark --mark 0x40000/0x40000 -j DROP
[0:0] -A ROUTE_POLICY -i br-guest -m mark --mark 0x80000/0x80000 -j ACCEPT
[2330:223278] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[193:32437] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3829:184060] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3: safe_mode_guest" -j zone_wan_dest_DROP
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
[0:0] -A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
[0:0] -A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
[0:0] -A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
[0:0] -A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
[0:0] -A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
[0:0] -A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
[0:0] -A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
[0:0] -A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
[0:0] -A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[216:42024] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[4555:1124028] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4555:1124028] -A zone_lan_forward -m comment --comment "!fw3: safe_mode_lan" -j zone_wan_dest_DROP
[4555:1124028] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6923:543224] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6923:543224] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[216:42024] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[216:42024] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6916:542884] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[221:8888] -A zone_ovpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[9407:1467071] -A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_ovpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
[0:0] -A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_REJECT
[37:1827] -A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
[0:0] -A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[37:1827] -A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
[5073:351931] -A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
[5073:351931] -A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
[2:235] -A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[10010:847661] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2756:274235] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[233:18520] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2523:255715] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[10010:847661] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[10010:847661] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[2523:255715] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Sep 14 23:49:29 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 219.79.43.125/24 brd 219.79.43.255 scope global wan
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.2.6/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 219.79.43.254 dev wan table 1
default via 219.79.43.254 dev wan table 51 proto static src 219.79.43.125 metric 10
103.86.96.100 dev tun0 table 51 scope link
103.86.99.100 dev tun0 table 51 scope link
192.168.8.0/24 dev br-lan table 51 proto kernel scope link src 192.168.8.1
209.58.188.29 via 219.79.43.254 dev wan table 51
219.79.43.0/24 dev wan table 51 proto static scope link metric 10
default via 219.79.43.254 dev wan table 52 proto static src 219.79.43.125 metric 10
192.168.8.0/24 dev br-lan table 52 proto kernel scope link src 192.168.8.1
209.58.188.29 via 219.79.43.254 dev wan table 52
219.79.43.0/24 dev wan table 52 proto static scope link metric 10
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 219.79.43.254 dev wan proto static src 219.79.43.125 metric 10
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.6
128.0.0.0/1 via 10.8.2.1 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
209.58.188.29 via 219.79.43.254 dev wan
219.79.43.0/24 dev wan proto static scope link metric 10
broadcast 10.8.2.0 dev tun0 table local proto kernel scope link src 10.8.2.6
local 10.8.2.6 dev tun0 table local proto kernel scope host src 10.8.2.6
broadcast 10.8.2.255 dev tun0 table local proto kernel scope link src 10.8.2.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.168.8.1
broadcast 219.79.43.0 dev wan table local proto kernel scope link src 219.79.43.125
local 219.79.43.125 dev wan table local proto kernel scope host src 219.79.43.125
broadcast 219.79.43.255 dev wan table local proto kernel scope link src 219.79.43.125
0:      from all lookup local
51:     from all fwmark 0x100000/0x100000 lookup 51
52:     from all fwmark 0x80000/0x80000 lookup 52
1001:   from all iif wan lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

split-ed into 2 post,
thanks

ccchan · September 14, 2020, 5:00pm

latest update:
BOTH the commercial openwrt GL inet BrumeW,
and the self flashed D1ink 842 (lastest snapshot) allow-ed ping, allow-ed FTP (port 2121), also normal CIFS (PC to PC, normal ports), but NOT modified samba (PC to android, above 3 ports).

While a TP1link C2 stock firmware allowed all.

So that should be openwrt's setting I think.

thanks

krazeh · September 14, 2020, 5:11pm

Is the Dlink 842 running OpenWRT? Can you provide the output of the above commands for it?

Your PC and the Android device are both connected to the same router?

ccchan · September 14, 2020, 5:43pm

yeah the dlink just flashed with openwrt in afternoon and tested this nite.
will do so tmr. thx

ccchan · September 15, 2020, 1:38am

ps: in all cases, PC is connected to router's LAN port, while phone is using wifi.

I'll try to test what if both are using wifi, thanks.

update:
no joy,
even PC and phone all using wifi, still can ping and FTP into, but not samba /w unusual ports. thx

vgaetera · September 15, 2020, 2:16am

Your firewall configuration is missing the redirect rules.
Create 3 redirects for non-default ports to the default ports on the router.

ccchan · September 15, 2020, 2:34am

hi, thx but....

Yes, the ports are unusual, however,
the app landrive (a samba server app) on android was set to use the above 3 ports,
AND the win10 are set to use those 3 unusual ports too (by using the multi port forwarder).

So, even using a stock TP1ink C2 archer,
the modified android (on wifi) COULD communicate with modified Win10 (on LAN).

THE ONLY THING I changed is the router, from C2 to openwrt (commercial GL inet BrumeW, or self flashed openwrt 20.x D1ink 842).

So i think the problem lies on the openwrt routers' settings.

If you mean I need "connect/forward" unusual ports on android to usual ports on win10,
i think that's not the case, as both are using the unusual ports after both sides' modifications.

thanks

ccchan · September 15, 2020, 2:50am

hi,
in all cases, PC is using LAN to connect to LAN port of router, while phone is connected using wifi.

Yeah the D1ink 842 is flashed with the lastest snapshot of openwrt.

it's info here:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:758e:daaa::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx.xx.xx.xx.xx.xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx.xx.xx.xx.xx.xx'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables.  if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
config rule
        option name             Support-UDP-Traceroute
        option src              wan
        option dest_port        33434:33689
        option proto            udp
        option family           ipv4
        option target           REJECT
        option enabled          false

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  xx.xx.xx.xx.xx.xx
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  0xx.xx.xx.xx.xx.xx
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'tplink'
        option dns '1'
        option mac 'xx.xx.xx.xx.xx.xx'
        option ip '192.168.1.93'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.4 on Mon Sep 14 21:50:35 2020
*nat
:PREROUTING ACCEPT [992:97805]
:INPUT ACCEPT [735:49841]
:OUTPUT ACCEPT [224:21795]
:POSTROUTING ACCEPT [224:21795]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[992:97805] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[992:97805] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[224:21795] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:680] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:680] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[992:97805] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Sep 14 21:50:35 2020
# Generated by iptables-save v1.8.4 on Mon Sep 14 21:50:35 2020
*mangle
:PREROUTING ACCEPT [8238:1072896]
:INPUT ACCEPT [7981:1024932]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10245:7992593]
:POSTROUTING ACCEPT [10245:7992593]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Sep 14 21:50:35 2020
# Generated by iptables-save v1.8.4 on Mon Sep 14 21:50:35 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[2288:214818] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5695:810194] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4860:751639] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[9:468] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[835:58555] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2288:214818] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7962:7778723] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7960:7778043] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:680] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[9:468] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:680] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[835:58555] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[835:58555] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:680] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:680] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[835:58555] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Sep 14 21:50:35 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

thx

pwned · September 15, 2020, 10:45am

How do you try to access your shares? Using IP or Hostname? For me it sounds like a name resolution issue. I can imagine that your TP-Link Archer C2 is running it's own samba server using Netbios/WINS (running as a master) to do name resolution for all samba servers and clients. This is not the case for a plain OpenWrt installation.