Outgoing WAN IPv4 traffic does not work while IPv6 traffic does!

Hi!

Since last night, all outgoing (WAN) IPv4 traffic stopped working while IPv6 traffic does work, in a setup which has worked for almost two years with next to no changes during this period. At least I didn't make any changes recently!

I've been doing diagnostics and just cannot find a reason as to why the traffic doesn't go through. I can use this forum from my main computer (with the router in use) only since this works with IPv6 (too)!

I already called my ISP thinking the error is on their end. As suggested, I tried without the router - and to my surprise, a laptop can use IPv4 just fine without the router in between!

I'm not sure what information to post here. I'll try to post relevant information while being concise (please ask / suggest what to check next):

  • H/W: TP-Link Archer C7 v2 - running OpenWrt 18.06.2 r7676-cddd7b4c77
  • LAN traffic works fine, both IPv6 and IPv4
  • I can connect via IPv6 to the Internet from any device in my LAN
  • I cannot connect via IPv4 to anything outside the LAN (i.e. the Internet)
  • I can connect via IPv4 if I remove the router and connect directly to my ISP
  • we have per-apartment RJ-45 sockets here; I have no control over what's outside my apartment. I suppose a fiber optic modem owned by my ISP somewhere in the basement of this apartment complex.

I've checked via ifconfig and ip route the DHCP setup I get:

  • on the Archer C7 and
  • from a laptop connected directly to the ISP.

The only difference I can spot is a different IPV4 address given. The GW is the same. Only difference I can see, is that the laptop can connect (ping) to the IPv4 GW while the router can not!

Symptoms: No site using IPv4 only can be accessed. 'ping -4 www.google.com' -> all packets are lost, while 'ping -6 www.google.com' works. This is true for both devices behind the router and the router itself (I can try ping through the LuCI diagnostics page or by SSHing to the router and then try ping).

Curiously, when I connected my laptop to the ISP (without the router in between), it seemed that IPv4 pings were getting through but IPv6 was not.

Current configuration: Should be quite simple and default. I have two WAN interfaces, WAN (running DHCP client) and WAN6 (running DHCPv6 client). These are on the eth0 physical interface. The LAN zone has the WiFi radios (2.4 and 5 GHz) and eth1. There are a few port forwards I've added manually and some rules for Strongswan roadwarrior VPN (for while I'm travelling; the actual service is disabled ATM since I'm at home).

The logical step would be to get the router to be able to talk via IPv4. But it cannot! I'm a bit dumbfounded; ISP error cannot be ruled out. Being paranoid, I'm even thinking about some kind of (partially failed?) MITM attack.

Sorry if this post is not coherent, I'm trying to keep it as such.

Any ideas?

Hi!
Connect your notebook to the ISP line again. What IP (IPv4) does it get? Is it something like 192.168.1.X? If so, that would explain your problems, as OpenWrt internal IPs are also 192.168.1.X as standard.

Please post here the output of the following command, copy and paste the whole block:

uci show network;uci show wireless; \
head -n -0 /etc/firewall.user; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
iptables-save; ip6tables-save; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Please use "Preformatted text </>" for logs, scripts, configs and general console output.
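
Added example, not part of either poster's message: a shell check for the address conflict suggested above, reading `ip -4 addr` output and reporting whether the WAN address overlaps the LAN subnet. The function names are hypothetical; the first sample reuses the eth0 and br-lan addresses from the router output posted in this thread, the second is constructed to show the conflicting case.

```shell
#!/bin/sh
# Added example: detect an IPv4 subnet overlap between the WAN and LAN
# interfaces from `ip -4 addr` output. Function names are hypothetical.

# Convert a dotted quad (a.b.c.d) to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print "first last" (integers) for the network that contains addr/prefix.
cidr_range() {
    addr=${1%/*}; prefix=${1#*/}
    ip=$(ip4_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( ip & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$first $last"
}

# Succeed (exit 0) when the two CIDR networks share at least one address.
cidrs_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Read `ip -4 addr` output on stdin and compare the address on wan_if with
# the one on lan_if. Prints "ok", "conflict", or "missing".
check_wan_lan() {
    wan_if=$1; lan_if=$2; wan=; lan=
    while read -r kind cidr rest; do
        [ "$kind" = inet ] || continue
        case "$rest" in
            *" $wan_if") wan=$cidr ;;
            *" $lan_if") lan=$cidr ;;
        esac
    done
    if [ -z "$wan" ] || [ -z "$lan" ]; then echo missing; return 2; fi
    if cidrs_overlap "$wan" "$lan"; then echo conflict; return 1; fi
    echo ok
}

# Sample 1: eth0 and br-lan addresses as they appear in this thread.
sample_thread() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 87.92.81.146/18 brd 87.92.127.255 scope global eth0
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.66.6/24 brd 192.168.66.255 scope global br-lan
EOF
}

# Sample 2 (constructed): upstream hands out 192.168.1.x while the LAN
# still uses the OpenWrt default 192.168.1.1/24.
sample_conflict() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
EOF
}

# Demo on the thread's own addresses.
sample_thread | check_wan_lan eth0 br-lan
```

On a live router the same check would be `ip -4 addr | check_wan_lan eth0 br-lan`, with the interface names taken from the WAN and LAN sections of `uci show network`.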

I will post in two blocks, since in my case the output is >32000 characters and this forum has problems with that.

Block 1 of 2 (I hope):

root@LEDE:/tmp# uci show network;uci show wireless; \
> head -n -0 /etc/firewall.user; \
> uci show firewall; uci show dhcp;
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdd7:991d:5b85::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.66.6'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6'
network.Guest=interface
network.Guest.proto='static'
network.Guest.netmask='255.255.255.0'
network.Guest.ipaddr='192.168.69.0'
network.WAN=interface
network.WAN.proto='dhcp'
network.WAN.ifname='eth0'
network.WAN.delegate='0'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11a'
wireless.radio0.path='pci0000:01/0000:01:00.0'
wireless.radio0.htmode='VHT80'
wireless.radio0.country='FI'
wireless.radio0.distance='15'
wireless.radio0.channel='auto'
wireless.radio0.legacy_rates='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='KnightsWhoSayNi'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='REMOVEDWILLCHANGEMYPASSWORDLATER'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11g'
wireless.radio1.path='platform/qca955x_wmac'
wireless.radio1.htmode='HT20'
wireless.radio1.country='FI'
wireless.radio1.distance='15'
wireless.radio1.channel='auto'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='KnightsWhoSayNi'
wireless.default_radio1.encryption='psk2'
wireless.default_radio1.key='ALSOREMOVED'
wireless.@wifi-iface[2]=wifi-iface
wireless.@wifi-iface[2].device='radio0'
wireless.@wifi-iface[2].mode='ap'
wireless.@wifi-iface[2].encryption='none'
wireless.@wifi-iface[2].ssid='KnightsWhoSayNi-Guest'
wireless.@wifi-iface[2].network='Guest'
wireless.@wifi-iface[2].disabled='1'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='REJECT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6 WAN'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].name='IPSec ESP'
firewall.@rule[9].proto='esp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].src='wan'
firewall.@rule[10].name='IPSec IKE'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='500'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].name='IPSec NAT-T'
firewall.@rule[11].proto='udp'
firewall.@rule[11].dest_port='4500'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].src='wan'
firewall.@rule[12].name='Auth Header'
firewall.@rule[12].proto='ah'
firewall.@rule[12].target='ACCEPT'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='Guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='Guest'
firewall.@zone[2].output='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='Guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='2222'
firewall.@redirect[0].dest_ip='192.168.66.3'
firewall.@redirect[0].dest_port='2222'
firewall.@redirect[0].name='ssh'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='61278'
firewall.@redirect[1].dest_ip='192.168.66.3'
firewall.@redirect[1].dest_port='61278'
firewall.@redirect[1].name='61278'
firewall.@rule[13]=rule
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].src='wan'
firewall.@rule[13].name='ipv6-ssh'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].dest='lan'
firewall.@rule[13].dest_port='2222'
firewall.@rule[14]=rule
firewall.@rule[14].enabled='1'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].src='wan'
firewall.@rule[14].name='61278'
firewall.@rule[14].family='ipv6'
firewall.@rule[14].dest='lan'
firewall.@rule[14].dest_port='61278'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].nonwildcard='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.@host[0]=host
dhcp.@host[0].name='ArkkiVille'
dhcp.@host[0].dns='1'
dhcp.@host[0].mac='10:c3:7b:9d:93:9c'
dhcp.@host[0].ip='192.168.66.3'
dhcp.@host[0].leasetime='infinite'
dhcp.@domain[0]=domain
dhcp.@host[1]=host
dhcp.@host[1].dns='1'
dhcp.@host[1].mac='00:1E:06:C0:8F:1A'
dhcp.@host[1].ip='192.168.66.69'
dhcp.@host[1].leasetime='infinite'
dhcp.@host[1].name='LibreVille'

Block 2 of 2:

root@LEDE:/tmp# ip -4 addr ; ip -4 ro ; ip -4 ru; \
> ip -6 addr ; ip -6 ro ; ip -6 ru; \
> iptables-save; ip6tables-save; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 87.92.81.146/18 brd 87.92.127.255 scope global eth0
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.66.6/24 brd 192.168.66.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 87.92.64.1 dev eth0  src 87.92.81.146 
87.92.64.0/18 dev eth0 scope link  src 87.92.81.146 
192.168.66.0/24 dev br-lan scope link  src 192.168.66.6 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:14ba:8b00::1:6555/128 scope global dynamic 
       valid_lft 17418sec preferred_lft 8418sec
    inet6 fe80::f6f2:6dff:feaf:24f4/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:14ba:8852:c000::1/60 scope global dynamic 
       valid_lft 17418sec preferred_lft 8418sec
    inet6 fdd7:991d:5b85::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:feaf:24f3/64 scope link 
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:feaf:24f1/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:feaf:24f2/64 scope link 
       valid_lft forever preferred_lft forever
default from 2001:14ba:8852:c000::/56 via fe80::200:5eff:fe00:101 dev eth0  metric 512 
default from 2001:14ba:8b00::1:6555 via fe80::200:5eff:fe00:101 dev eth0  metric 512 
2001:14ba:8852:c000::/64 dev br-lan  metric 1024 
unreachable 2001:14ba:8852:c000::/56 dev lo  metric 2147483647  error -148
2001:14ba:8b00::/64 dev eth0  metric 256 
fdd7:991d:5b85::/64 dev br-lan  metric 1024 
unreachable fdd7:991d:5b85::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
unreachable default dev lo  metric -1  error -128
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev wlan0  metric 256 
unreachable default dev lo  metric -1  error -128
0:      from all lookup local 
32766:  from all lookup main 
4200000000:     from 2001:14ba:8852:c000::1/60 iif br-lan lookup unspec unreachable
4200000001:     from all iif lo lookup unspec 12
4200000002:     from all iif eth0 lookup unspec 12
4200000002:     from all iif eth0 lookup unspec 12
4200000006:     from all iif br-lan lookup unspec 12
# Generated by iptables-save v1.6.2 on Thu Jun  6 16:33:30 2019
*nat
:PREROUTING ACCEPT [10369:699294]
:INPUT ACCEPT [5669:369542]
:OUTPUT ACCEPT [2320:159358]
:POSTROUTING ACCEPT [1334:93472]
:postrouting_Guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_Guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_Guest_postrouting - [0:0]
:zone_Guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_Guest_postrouting -m comment --comment "!fw3: Custom Guest postrouting rule chain" -j postrouting_Guest_rule
-A zone_Guest_prerouting -m comment --comment "!fw3: Custom Guest prerouting rule chain" -j prerouting_Guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.66.0/24 -d 192.168.66.3/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.66.6
-A zone_lan_postrouting -s 192.168.66.0/24 -d 192.168.66.3/32 -p udp -m udp --dport 2222 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 192.168.66.6
-A zone_lan_postrouting -s 192.168.66.0/24 -d 192.168.66.3/32 -p tcp -m tcp --dport 61278 -m comment --comment "!fw3: 61278 (reflection)" -j SNAT --to-source 192.168.66.6
-A zone_lan_postrouting -s 192.168.66.0/24 -d 192.168.66.3/32 -p udp -m udp --dport 61278 -m comment --comment "!fw3: 61278 (reflection)" -j SNAT --to-source 192.168.66.6
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.66.0/24 -d 87.92.81.146/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.66.3:2222
-A zone_lan_prerouting -s 192.168.66.0/24 -d 87.92.81.146/32 -p udp -m udp --dport 2222 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 192.168.66.3:2222
-A zone_lan_prerouting -s 192.168.66.0/24 -d 87.92.81.146/32 -p tcp -m tcp --dport 61278 -m comment --comment "!fw3: 61278 (reflection)" -j DNAT --to-destination 192.168.66.3:61278
-A zone_lan_prerouting -s 192.168.66.0/24 -d 87.92.81.146/32 -p udp -m udp --dport 61278 -m comment --comment "!fw3: 61278 (reflection)" -j DNAT --to-destination 192.168.66.3:61278
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.66.3:2222
-A zone_wan_prerouting -p udp -m udp --dport 2222 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.66.3:2222
-A zone_wan_prerouting -p tcp -m tcp --dport 61278 -m comment --comment "!fw3: 61278" -j DNAT --to-destination 192.168.66.3:61278
-A zone_wan_prerouting -p udp -m udp --dport 61278 -m comment --comment "!fw3: 61278" -j DNAT --to-destination 192.168.66.3:61278
COMMIT
# Completed on Thu Jun  6 16:33:30 2019
# Generated by iptables-save v1.6.2 on Thu Jun  6 16:33:30 2019
*mangle
:PREROUTING ACCEPT [118917:9739336]
:INPUT ACCEPT [97106:8213916]
:FORWARD ACCEPT [21770:1520208]
:OUTPUT ACCEPT [96023:14834979]
:POSTROUTING ACCEPT [117793:16355187]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Jun  6 16:33:30 2019
# Generated by iptables-save v1.6.2 on Thu Jun  6 16:33:30 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forwarding_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Guest_dest_ACCEPT - [0:0]
:zone_Guest_dest_REJECT - [0:0]
:zone_Guest_forward - [0:0]
:zone_Guest_input - [0:0]
:zone_Guest_output - [0:0]
:zone_Guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_Guest_forward -m comment --comment "!fw3: Custom Guest forwarding rule chain" -j forwarding_Guest_rule
-A zone_Guest_forward -m comment --comment "!fw3: Zone Guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_Guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_Guest_forward -m comment --comment "!fw3" -j zone_Guest_dest_REJECT
-A zone_Guest_input -m comment --comment "!fw3: Custom Guest input rule chain" -j input_Guest_rule
-A zone_Guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_Guest_input -m comment --comment "!fw3" -j zone_Guest_src_REJECT
-A zone_Guest_output -m comment --comment "!fw3: Custom Guest output rule chain" -j output_Guest_rule
-A zone_Guest_output -m comment --comment "!fw3" -j zone_Guest_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: IPSec ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: Auth Header" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Jun  6 16:33:30 2019
# Generated by ip6tables-save v1.6.2 on Thu Jun  6 16:33:30 2019
*mangle
:PREROUTING ACCEPT [84450:37642601]
:INPUT ACCEPT [6834:1329453]
:FORWARD ACCEPT [77484:36293646]
:OUTPUT ACCEPT [7061:740807]
:POSTROUTING ACCEPT [84455:37027235]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Jun  6 16:33:30 2019
# Generated by ip6tables-save v1.6.2 on Thu Jun  6 16:33:30 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forwarding_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Guest_dest_ACCEPT - [0:0]
:zone_Guest_dest_REJECT - [0:0]
:zone_Guest_forward - [0:0]
:zone_Guest_input - [0:0]
:zone_Guest_output - [0:0]
:zone_Guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_Guest_forward -m comment --comment "!fw3: Custom Guest forwarding rule chain" -j forwarding_Guest_rule
-A zone_Guest_forward -m comment --comment "!fw3: Zone Guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_Guest_forward -m comment --comment "!fw3" -j zone_Guest_dest_REJECT
-A zone_Guest_input -m comment --comment "!fw3: Custom Guest input rule chain" -j input_Guest_rule
-A zone_Guest_input -m comment --comment "!fw3" -j zone_Guest_src_REJECT
-A zone_Guest_output -m comment --comment "!fw3: Custom Guest output rule chain" -j output_Guest_rule
-A zone_Guest_output -m comment --comment "!fw3" -j zone_Guest_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: ipv6-ssh" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 2222 -m comment --comment "!fw3: ipv6-ssh" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 61278 -m comment --comment "!fw3: 61278" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 61278 -m comment --comment "!fw3: 61278" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "!fw3: IPSec ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "!fw3: Auth Header" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Jun  6 16:33:30 2019
lrwxrwxrwx    1 root     root            16 Jan 30 14:21 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jun  6 13:08 /tmp/resolv.conf
-rw-r--r--    1 root     root           143 Jun  6 12:52 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface WAN
nameserver 62.241.198.246
nameserver 62.241.198.245
# Interface wan6
nameserver 2001:14b8:1000::1
nameserver 2001:14b8:1000::2

My ISP (the wall RJ45 connection) gives public IP addresses and they are not of that (or any other private IP space reserved) form. My LAN (from the router) is of form 192.168.66.X (netmask 255.255.255.0) - I changed that from default for two reasons: for giggles (my router is now 666!) and some roadwarrior setups may work more reliably, as it is less likely the IP addresses of my home LAN would conflict with the one I'm connecting through on the road (don't remember the details anymore, this might not actually have mattered with the setup I used - it's been months since I used the roadwarrior VPN).

But you can see all this information in the pastes I just posted...

I don't see anything weird in your config. I presume you have restarted the router quite a few times already.
Could you run a tcpdump in the background and try to ping from the router or some host connected behind it some address, e.g. 8.8.8.8, and paste here the output?

tcpdump -i eth0 -vvn

Hi!

EDIT: You're right in that I've rebooted the router many times after this started!

I see the icmp request and some noise; some probably caused by the ongoing SSH connections from my desktop to the router (hopefully nothing too fishy; I tried to shut down all other programs / services possibly using the NET and there should be no other devices currently in my home LAN save for a few sockets running Sonoff-Tasmota - but they shouldn't connect to the outside WAN).

The first sequence (18 packets) was from the router itself @87.92.81.146 (or 192.168.66.6, if you will, but I believe the LAN IP is irrelevant); the second sequence of 8 packets was run from a desktop computer:

19:05:11.706439 IP (tos 0x0, ttl 64, id 22239, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 0, length 64
19:05:12.707199 IP (tos 0x0, ttl 64, id 22265, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 1, length 64
19:05:12.821692 IP (tos 0x0, ttl 60, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    80.247.32.241.80 > 85.23.43.255.49708: Flags [.], cksum 0x4928 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.822510 IP (tos 0x0, ttl 58, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.80 > 85.23.43.255.49708: Flags [.], cksum 0x14d3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.823274 IP (tos 0x0, ttl 56, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.50479 > 85.23.43.255.49708: Flags [.], cksum 0x4ff3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.823921 IP (tos 0x0, ttl 54, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.54101 > 85.23.43.255.49708: Flags [.], cksum 0x41cd (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.824632 IP (tos 0x0, ttl 52, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.61400 > 85.23.43.255.49708: Flags [.], cksum 0x254a (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.825352 IP (tos 0x0, ttl 50, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.43623 > 85.23.43.255.49708: Flags [.], cksum 0x6abb (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.826069 IP (tos 0x0, ttl 48, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.46127 > 85.23.43.255.49708: Flags [.], cksum 0x60f3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.826772 IP (tos 0x0, ttl 46, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.57289 > 85.23.43.255.49708: Flags [.], cksum 0x3559 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.827514 IP (tos 0x0, ttl 44, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.60840 > 85.23.43.255.49708: Flags [.], cksum 0x277a (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.828224 IP (tos 0x0, ttl 42, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.56985 > 85.23.43.255.49708: Flags [.], cksum 0x3689 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.828917 IP (tos 0x0, ttl 40, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.59317 > 85.23.43.255.49708: Flags [.], cksum 0x2d6d (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.829993 IP (tos 0x0, ttl 38, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.47810 > 85.23.43.255.49708: Flags [.], cksum 0x5a60 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.830673 IP (tos 0x0, ttl 36, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.49180 > 85.23.43.255.49708: Flags [.], cksum 0x5506 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.831386 IP (tos 0x0, ttl 34, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.60509 > 85.23.43.255.49708: Flags [.], cksum 0x28c5 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.832106 IP (tos 0x0, ttl 32, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.36219 > 85.23.43.255.49708: Flags [.], cksum 0x87a7 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.832825 IP (tos 0x0, ttl 30, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.55705 > 85.23.43.255.49708: Flags [.], cksum 0x3b89 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.833541 IP (tos 0x0, ttl 28, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.43337 > 85.23.43.255.49708: Flags [.], cksum 0x6bd9 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.834262 IP (tos 0x0, ttl 26, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.49703 > 85.23.43.255.49708: Flags [.], cksum 0x52fb (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.834980 IP (tos 0x0, ttl 24, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.38088 > 85.23.43.255.49708: Flags [.], cksum 0x805a (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.835692 IP (tos 0x0, ttl 22, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.35859 > 85.23.43.255.49708: Flags [.], cksum 0x890f (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.836403 IP (tos 0x0, ttl 20, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.32781 > 85.23.43.255.49708: Flags [.], cksum 0x9515 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.837106 IP (tos 0x0, ttl 18, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.35963 > 85.23.43.255.49708: Flags [.], cksum 0x88a7 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.837813 IP (tos 0x0, ttl 16, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.63230 > 85.23.43.255.49708: Flags [.], cksum 0x1e24 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.838681 IP (tos 0x0, ttl 14, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.49061 > 85.23.43.255.49708: Flags [.], cksum 0x557d (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.839346 IP (tos 0x0, ttl 12, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.54127 > 85.23.43.255.49708: Flags [.], cksum 0x41b3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.840046 IP (tos 0x0, ttl 10, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.54559 > 85.23.43.255.49708: Flags [.], cksum 0x4003 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.840767 IP (tos 0x0, ttl 8, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.35986 > 85.23.43.255.49708: Flags [.], cksum 0x8890 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.841490 IP (tos 0x0, ttl 6, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.60879 > 85.23.43.255.49708: Flags [.], cksum 0x2753 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.842206 IP (tos 0x0, ttl 4, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.33452 > 85.23.43.255.49708: Flags [.], cksum 0x9276 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.842919 IP (tos 0x0, ttl 2, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.61631 > 85.23.43.255.49708: Flags [.], cksum 0x2463 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:13.015371 IP (tos 0x0, ttl 63, id 52321, offset 0, flags [DF], proto TCP (6), length 60)
    87.92.81.146.52434 > 82.196.7.246.80: Flags [S], cksum 0x3519 (correct), seq 3327175125, win 64240, options [mss 1460,sackOK,TS val 3554411304 ecr 0,nop,wscale 7], length 0
19:05:13.707392 IP (tos 0x0, ttl 64, id 22333, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 2, length 64
19:05:14.183154 IP (tos 0x0, ttl 64, id 43940, offset 0, flags [DF], proto UDP (17), length 65)
    87.92.81.146.30010 > 62.241.198.246.53: [udp sum ok] 56489+ A? 0.lede.pool.ntp.org. (37)
19:05:14.183261 IP (tos 0x0, ttl 64, id 23727, offset 0, flags [DF], proto UDP (17), length 65)
    87.92.81.146.30010 > 62.241.198.245.53: [udp sum ok] 56489+ A? 0.lede.pool.ntp.org. (37)
19:05:14.183448 IP6 (flowlabel 0xaf267, hlim 64, next-header UDP (17) payload length: 45) 2001:14ba:8b00::1:6555.32514 > 2001:14b8:1000::1.53: [udp sum ok] 56489+ A? 0.lede.pool.ntp.org. (37)
19:05:14.183557 IP6 (flowlabel 0x183db, hlim 64, next-header UDP (17) payload length: 45) 2001:14ba:8b00::1:6555.32514 > 2001:14b8:1000::2.53: [udp sum ok] 56489+ A? 0.lede.pool.ntp.org. (37)
19:05:14.195268 IP6 (flowlabel 0xdb6cf, hlim 62, next-header UDP (17) payload length: 109) 2001:14b8:1000::2.53 > 2001:14ba:8b00::1:6555.32514: [udp sum ok] 56489 q: A? 0.lede.pool.ntp.org. 4/0/0 0.lede.pool.ntp.org. A 95.216.147.242, 0.lede.pool.ntp.org. A 95.216.78.223, 0.lede.pool.ntp.org. A 95.216.101.162, 0.lede.pool.ntp.org. A 62.80.139.68 (101)
19:05:14.195546 IP6 (flowlabel 0x26dc1, hlim 62, next-header UDP (17) payload length: 109) 2001:14b8:1000::1.53 > 2001:14ba:8b00::1:6555.32514: [udp sum ok] 56489 q: A? 0.lede.pool.ntp.org. 4/0/0 0.lede.pool.ntp.org. A 194.100.206.70, 0.lede.pool.ntp.org. A 95.216.138.141, 0.lede.pool.ntp.org. A 80.69.163.42, 0.lede.pool.ntp.org. A 62.80.139.57 (101)
19:05:14.707591 IP (tos 0x0, ttl 64, id 22410, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 3, length 64
19:05:15.707782 IP (tos 0x0, ttl 64, id 22450, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 4, length 64
19:05:16.495010 04:f9:38:86:73:90 > 01:80:c2:00:00:0a, ethertype Unknown (0x9998), length 60: 
        0x0000:  0001 0000 000c 0000 0003 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:05:16.707976 IP (tos 0x0, ttl 64, id 22465, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 5, length 64
19:05:17.708171 IP (tos 0x0, ttl 64, id 22534, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 6, length 64
19:05:18.708367 IP (tos 0x0, ttl 64, id 22605, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 7, length 64
19:05:19.249344 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::f6f2:6dff:feaf:24f4 > fe80::200:5eff:fe00:101: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::200:5eff:fe00:101
          source link-address option (1), length 8 (1): f4:f2:6d:af:24:f4
            0x0000:  f4f2 6daf 24f4
19:05:19.250262 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:101 > fe80::f6f2:6dff:feaf:24f4: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::200:5eff:fe00:101, Flags [router, solicited, override]
          destination link-address option (2), length 8 (1): 00:00:5e:00:01:01
            0x0000:  0000 5e00 0101
19:05:19.708568 IP (tos 0x0, ttl 64, id 22699, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 8, length 64
19:05:20.708766 IP (tos 0x0, ttl 64, id 22770, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 9, length 64
19:05:21.122087 IP (tos 0x0, ttl 63, id 52322, offset 0, flags [DF], proto TCP (6), length 60)
    87.92.81.146.52434 > 82.196.7.246.80: Flags [S], cksum 0x156e (correct), seq 3327175125, win 64240, options [mss 1460,sackOK,TS val 3554419411 ecr 0,nop,wscale 7], length 0
19:05:21.708962 IP (tos 0x0, ttl 64, id 22772, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 10, length 64
19:05:22.199478 IP (tos 0x10, ttl 64, id 27336, offset 0, flags [DF], proto UDP (17), length 76)
    87.92.81.146.60078 > 194.100.49.151.123: [udp sum ok] NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   461905579.208294458 (1914/08/22 06:06:19)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 461905579.208294458 (1914/08/22 06:06:19)
19:05:22.402014 04:f9:38:86:73:90 > 01:80:c2:00:00:0a, ethertype Unknown (0x9998), length 60: 
        0x0000:  0001 0000 000c 0000 0003 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:05:22.709159 IP (tos 0x0, ttl 64, id 22863, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 11, length 64
19:05:23.709372 IP (tos 0x0, ttl 64, id 22932, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 12, length 64
19:05:23.926992 IP6 (flowlabel 0xe7f73, hlim 63, next-header TCP (6) payload length: 121) 2001:14ba:8852:c000::4d3.38834 > 2001:67c:4e8:f004::a.443: Flags [P.], cksum 0xea99 (correct), seq 267:356, ack 268, win 507, options [nop,nop,TS val 986228519 ecr 4111471052], length 89
19:05:23.975015 IP6 (class 0x48, hlim 54, next-header TCP (6) payload length: 121) 2001:67c:4e8:f004::a.443 > 2001:14ba:8852:c000::4d3.38834: Flags [P.], cksum 0xc2fb (correct), seq 268:357, ack 356, win 4374, options [nop,nop,TS val 4111482303 ecr 986228519], length 89
19:05:23.975440 IP6 (flowlabel 0xe7f73, hlim 63, next-header TCP (6) payload length: 32) 2001:14ba:8852:c000::4d3.38834 > 2001:67c:4e8:f004::a.443: Flags [.], cksum 0xc7a1 (correct), seq 356, ack 357, win 507, options [nop,nop,TS val 986228567 ecr 4111482303], length 0
19:05:24.134681 00:e0:fc:09:bc:f9 > 01:80:c2:00:00:0a, ethertype Unknown (0x88a7), length 211: 
        0x0000:  0003 0000 01b4 5ff7 0001 000e 0000 0000  ......_.........
        0x0010:  04f9 3886 7390 0007 0014 6f75 6c2d 7369  ..8.s.....oul-si
        0x0020:  696c 6f74 3231 2d61 7335 000f 001b 5335  ilot21-as5....S5
        0x0030:  3330 3020 5632 3030 5230 3035 4330 3053  300.V200R005C00S
        0x0040:  5043 3330 3000 1200 2356 6572 7369 6f6e  PC300...#Version
        0x0050:  2035 2e31 3530 2056 3230 3052 3030 3543  .5.150.V200R005C
        0x0060:  3030 5350 4333 3030 0011 0023 5665 7273  00SPC300...#Vers
        0x0070:  696f 6e20 352e 3135 3020 5632 3030 5230  ion.5.150.V200R0
        0x0080:  3035 4330 3053 5043 3330 3000 0c00 1410  05C00SPC300.....
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  1300 0800 0000 0c00 0200 1847 6967 6162  ...........Gigab
        0x00b0:  6974 4574 6865 726e 6574 302f 302f 3700  itEthernet0/0/7.
        0x00c0:  0b00 0600 01                             .....
19:05:24.709568 IP (tos 0x0, ttl 64, id 22968, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 13, length 64
19:05:25.709764 IP (tos 0x0, ttl 64, id 23008, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 14, length 64
19:05:25.803271 IP (tos 0x0, ttl 63, id 59846, offset 0, flags [DF], proto TCP (6), length 60)
    87.92.81.146.37400 > 37.139.20.5.80: Flags [S], cksum 0x1c43 (correct), seq 5018938, win 64240, options [mss 1460,sackOK,TS val 291509503 ecr 0,nop,wscale 7], length 0
19:05:26.709961 IP (tos 0x0, ttl 64, id 23020, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 15, length 64
19:05:27.710158 IP (tos 0x0, ttl 64, id 23105, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 16, length 64
19:05:28.194828 04:f9:38:86:73:90 > 01:80:c2:00:00:0a, ethertype Unknown (0x9998), length 60: 
        0x0000:  0001 0000 000c 0000 0003 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:05:28.710356 IP (tos 0x0, ttl 64, id 23155, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 17, length 64
19:05:29.377591 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::200:5eff:fe00:101 > ff02::1:ff9f:9100: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4d10:8441:a29f:9100
          source link-address option (1), length 8 (1): 00:00:5e:00:01:01
            0x0000:  0000 5e00 0101
19:05:34.044503 IP (tos 0x0, ttl 63, id 1140, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 1, length 64
19:05:34.193525 04:f9:38:86:73:90 > 01:80:c2:00:00:0a, ethertype Unknown (0x9998), length 60: 
        0x0000:  0001 0000 000c 0000 0003 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:05:35.068879 IP (tos 0x0, ttl 63, id 1257, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 2, length 64
19:05:36.082201 IP (tos 0x0, ttl 63, id 1380, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 3, length 64
19:05:37.095548 IP (tos 0x0, ttl 63, id 1404, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 4, length 64
19:05:38.108891 IP (tos 0x0, ttl 63, id 1460, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 5, length 64
19:05:39.122229 IP (tos 0x0, ttl 63, id 1580, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 6, length 64
19:05:40.135569 IP (tos 0x0, ttl 63, id 1769, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 2297, seq 7, length 64

First of all the fact that there are multiple requests from the router but no reply is worrying.
But it is even more worrying to see other IPs traversing your WAN interface like this:

87.92.78.225.61400 > 85.23.43.255.49708

Can you describe the connections? How are the devices connected on your router? Have you bridged the wan with a lan port?

Ok, I'll try to describe things as well as I can.

First, let's forget the router and describe the apartment.

I have an electric box (with fuses and stuff) which has the per-apartment incoming RJ45. There are 8 sockets in the apartment. Supposedly you could either jump the incoming connection to any one of the sockets in the apartment or use a switch.

I have jumped incoming RJ45 to RJ45(1) which in turn goes to the router (this is because the box is metal and even then mostly surrounded by concrete, so wireless reception would be poor).

Now let's talk about the router:

This particular router model is quite standard / common as for any router I've seen and meant for home usage; it has five ethernet ports; a blue one labeled "WAN" and 4 yellow ones labeled "LAN". OpenWRT firmware has these connections connected to interfaces "eth0" and "eth1", respectively. I believe I could change that, but I never have.

The Router is placed where I have most devices which require an RJ-45 connection, but one of the 4 connections is looped back into the electrical box. There I have placed a basic 8-port switch, which is connected to all remaining sockets in the apartment, so that they can be used whenever needed (one is used all the time, some sometimes, some never as they are in a useless place - but the perfectionist within me wanted to make all usable 🙂. It is not too easy to get into the electric box at will).

EDIT: The computer I'm typing on currently is the same one I made the "ping google DNS at 8.8.8.8" from previously. It is connected via the switch; so connections are: computer<->switch<->router<->ISP. To clarify, all "<->" here loop through the electric box. At the moment, no other devices are physically connected (or are powered off)!

As for bridging: I checked there shouldn't be any misconfigurations. In Luci: Network->Interfaces-> for each "Guest/WAN/WAN6/LAN" and "Physical Settings" are as following:

  • "Guest" WLAN interface is disabled, not bridged (I thought I needed a Guest WLAN and started to configure it, but didn't, it never got used). Interface: radio0.network2
  • "WAN" and "WAN6" are not bridged, bound to interface "eth0".
  • "LAN" interface is bridged (eth1, radio0.network1, radio1.network1). I've disabled WLAN radios since I accidentally pasted my WLAN credentials here previously (to this thread a few hours ago). I've set it up so devices in WLAN can not connect to the router admin interface, in case a malicious user got in. EDIT: Or at least I thought I have blocked admin access from WLAN, but I'm not actually sure anymore!

Now, are you saying it is possible (/probable/certain?!??) my router is compromised? Or, is it possible those packets are stray packets from neighboring customers from the same ISP? If that is the case, is it normal, abnormal? Misconfiguration on my part or the ISP's? I checked with whois and those IPs are within DNA network (DNA.fi is my ISP).

It looks to me that it is some problem from the ISP side.
You see stray packets in the WAN interface. You don't get replies. You didn't make any change when it happened.

Notify your ISP about these stray packets and verify with them that they only see your router's MAC address on their side.
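The two observations in the reply above (echo requests leaving eth0 with no replies, and IPv4 packets on the WAN port that neither come from nor go to the router's address) can be extracted from a saved `tcpdump -vvn` text capture. This is an added example, not part of the original thread: the function names are made up here, the sample is an excerpt of the capture posted earlier, and 87.92.81.146 is the router's WAN address as it appears in that capture.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt from the `tcpdump -i eth0 -vvn` capture posted in this thread.
SAMPLE = """\
19:05:11.706439 IP (tos 0x0, ttl 64, id 22239, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 0, length 64
19:05:12.707199 IP (tos 0x0, ttl 64, id 22265, offset 0, flags [DF], proto ICMP (1), length 84)
    87.92.81.146 > 8.8.8.8: ICMP echo request, id 24481, seq 1, length 64
19:05:12.821692 IP (tos 0x0, ttl 60, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    80.247.32.241.80 > 85.23.43.255.49708: Flags [.], cksum 0x4928 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.822510 IP (tos 0x0, ttl 58, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.80 > 85.23.43.255.49708: Flags [.], cksum 0x14d3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:12.823274 IP (tos 0x0, ttl 56, id 28672, offset 0, flags [none], proto TCP (6), length 40)
    87.92.78.225.50479 > 85.23.43.255.49708: Flags [.], cksum 0x4ff3 (correct), seq 1109292666, ack 1109292666, win 16384, length 0
19:05:13.015371 IP (tos 0x0, ttl 63, id 52321, offset 0, flags [DF], proto TCP (6), length 60)
    87.92.81.146.52434 > 82.196.7.246.80: Flags [S], cksum 0x3519 (correct), seq 3327175125, win 64240, options [mss 1460,sackOK,TS val 3554411304 ecr 0,nop,wscale 7], length 0
19:05:16.495010 04:f9:38:86:73:90 > 01:80:c2:00:00:0a, ethertype Unknown (0x9998), length 60:
        0x0000:  0001 0000 000c 0000 0003 0000 0000 0000  ................
"""

# tcpdump -v prints each IPv4 packet as a header line plus an indented line.
HEADER = re.compile(r"^(\S+) IP \(tos [^,]+, ttl (\d+), id (\d+), .*proto (\w+) \(")
BODY = re.compile(r"^\s+(\S+) > (\S+): (.*)$")
ECHO = re.compile(r"ICMP echo (request|reply), id (\d+), seq (\d+)")


def host(addr):
    """Drop the port tcpdump appends as a fifth dotted field (a.b.c.d.port)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def packets(text):
    """Yield one dict per IPv4 packet; IPv6, raw frames and hex lines are skipped."""
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = {"time": m.group(1), "ttl": int(m.group(2)),
                       "ip_id": int(m.group(3)), "proto": m.group(4)}
            continue
        m = BODY.match(line) if pending else None
        if m:
            yield dict(pending, src=host(m.group(1)), dst=host(m.group(2)),
                       info=m.group(3))
        pending = None


def analyse(text, wan_ip):
    """Report unanswered pings from wan_ip and IPv4 traffic not addressed to or from it."""
    requests, replies = set(), set()
    foreign = defaultdict(list)  # (src, dst) -> [(ip_id, ttl), ...]
    for p in packets(text):
        if wan_ip in (p["src"], p["dst"]):
            m = ECHO.search(p["info"])
            if m:
                key = (int(m.group(2)), int(m.group(3)))  # (icmp id, seq)
                if m.group(1) == "request" and p["src"] == wan_ip:
                    requests.add(key)
                elif m.group(1) == "reply" and p["dst"] == wan_ip:
                    replies.add(key)
            continue
        # Multicast and limited broadcast are expected on a shared segment.
        if ipaddress.ip_address(p["dst"]).is_multicast or p["dst"] == "255.255.255.255":
            continue
        foreign[(p["src"], p["dst"])].append((p["ip_id"], p["ttl"]))

    # Same destination and IP id at several TTLs: what one datagram looks like
    # when it passes the capture point more than once.
    ttls = defaultdict(set)
    for (_, dst), seen in foreign.items():
        for ip_id, ttl in seen:
            ttls[(dst, ip_id)].add(ttl)
    repeated = {k: sorted(v, reverse=True) for k, v in ttls.items() if len(v) > 1}
    return {"unanswered": sorted(requests - replies),
            "foreign": dict(foreign), "repeated": repeated}


if __name__ == "__main__":
    report = analyse(SAMPLE, "87.92.81.146")
    print("unanswered echo requests (id, seq):", report["unanswered"])
    for (src, dst), seen in report["foreign"].items():
        print(f"foreign flow {src} -> {dst}: {len(seen)} packet(s)")
    print("same datagram at several TTLs:", report["repeated"])
```

Running the same function on a capture taken from the directly connected laptop gives a baseline for how much foreign unicast traffic is normal on that wall socket.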

Ok;

I spoofed a new MAC address on the router. Suddenly IPV4 traffic gets through!

Is it possible they somehow blacklisted the MAC address of my router (for IPV4 only)? However, I already contacted them, and if that was the case, I'd thought they would have told me, and also given a reason.

I think I'll report back to my ISP, as it seems something might be wrong on their end (with the MAC addresses of the devices which have been connected on my end).

Very much thanks for your help!

It doesn't look like blacklisting; can't think why an ISP would do that instead of just cancelling your service. It looks more like a misconfiguration on their side for the static dhcp/arp/mac table. Better call them again and sort it out. Good luck!
