Ping from wan timeout

Hello friends,
On the WWAN connection on the wan interface (LTE module EC25) for the modem, when I ping the WAN IP from another system on a different internet connection, the number of request timeouts is high.

But when I remove the interface from the firewall, the problem is solved.
How can I troubleshoot this?

All firewall settings are at their defaults.

There is no problem when the LTE module is connected alone (without OpenWrt) and the WAN is out of the firewall.

I activated the wan zone log and saw these entries in it:

Tue Oct 20 22:03:09 2020 kern.warn kernel: [ 1013.544780] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=19949 PROTO=TCP SPT=58284 DPT=46416 WINDOW=1200 RES=0x00 RST URGP=0
Tue Oct 20 22:03:09 2020 kern.warn kernel: [ 1014.104329] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=40609 PROTO=TCP SPT=443 DPT=9293 WINDOW=275 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:03:47 2020 kern.warn kernel: [ 1051.696316] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=2417 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:03:55 2020 kern.warn kernel: [ 1060.154339] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=2479 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:04:03 2020 kern.warn kernel: [ 1067.455023] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=2519 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:04:25 2020 kern.warn kernel: [ 1089.620785] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=2660 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:04:27 2020 kern.warn kernel: [ 1091.261048] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=2686 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:04:30 2020 kern.warn kernel: [ 1094.693979] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=6994 PROTO=TCP SPT=23320 DPT=7548 WINDOW=29476 RES=0x00 SYN URGP=0
Tue Oct 20 22:05:26 2020 kern.warn kernel: [ 1150.419323] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=3056 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:05:43 2020 kern.warn kernel: [ 1167.745044] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=3165 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:05:45 2020 kern.warn kernel: [ 1170.176096] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=44 TOS=0x00 PREC=0x40 TTL=229 ID=54321 PROTO=TCP SPT=56963 DPT=30083 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Oct 20 22:05:49 2020 kern.warn kernel: [ 1173.799095] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=44 TOS=0x00 PREC=0x00 TTL=235 ID=54321 PROTO=TCP SPT=56743 DPT=28017 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Oct 20 22:05:59 2020 kern.warn kernel: [ 1183.949897] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=3258 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:06:13 2020 kern.warn kernel: [ 1197.592952] REJECT wan in: IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=443 DPT=3365 WINDOW=0 RES=0x00 ACK RST URGP=0
Tue Oct 20 22:06:25 2020 kern.warn kernel: [ 1209.791019] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=7349 PROTO=TCP SPT=51908 DPT=5899 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Oct 20 22:06:26 2020 kern.warn kernel: [ 1210.605070] REJECT wan in: IN=wwan0 OUT= MAC= SRC==*********** DST=*********** LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=7348 PROTO=TCP SPT=51908 DPT=5899 WINDOW=1200 RES=0x00 RST URGP=0

It is blocked by the firewall.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user
1 Like

OK, sure.
ubus call system board :

{
        "kernel": "4.14.128",
        "hostname": "******",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "UniElec U7628-01 (128M RAM\/16M flash)",
        "board_name": "u7628-01-128M-16M",
        "release": {
                "distribution": "OpenWrt",
                "version": "103B",
                "revision": "r7798-97ae9e0ccb",
                "target": "ramips\/mt76x8",
                "description": "OpenWrt 18.06.3 r7798-97ae9e0ccb"
        }
}

uci export network :

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:1033:1d2a::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '***********'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '***********'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'

config interface 'VPN_PPTP'
        option ifname 'tun1'
        option proto 'pptp'
        option auto '0'

config interface 'VPN_L2TP'
        option ifname 'tun0'
        option proto 'pptp'
        option auto '0'

config interface 'wan1'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'

config interface 'mygre'
        option ipaddr '0.0.0.0'
        option peeraddr '0.0.0.0'
        option proto 'gre'
        option auto '0'

config interface 'mygre_static'
        option proto 'static'
        option ifname '@mygre'
        option ipaddr '0.0.0.0'
        option netmask '0.0.0.0'
        option auto '0'

uci export firewall


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wan1 wan1_6 VPN_PPTP VPN_L2TP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '1'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

head -n -0 /etc/firewall.user:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

@trendy
Can you help me solve this problem?

uci show wireless | grep network
1 Like

I believe wwan0 is the physical interface of the wan1 uci interface.
@komeilkma
ICMP is allowed for the wan zone. The rejected packets in the logs are all TCP, nothing about ICMP. So far there is no evidence of packets dropped because of the firewall.

2 Likes

But as soon as I disable the firewall or remove wwan0 from the firewall, everything is fine.

I believe you are experiencing something odd, but if you don't show it to us we cannot understand what might be the problem.
The logs didn't show anything relevant. Is it only the ping or other things too?
I hope it is not connected to the bridge experiments you are trying here. Better deal with one problem at a time.

1 Like

Yes, the problem is only with ping.
Doesn't MSS clamping or synflood cause this problem?

Check the runtime configuration:

ip address show; ip route show; ip rule show; iptables-save
2 Likes

ip address show:

12: wwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/none
    inet ***************/29 brd **************** scope global wwan0
       valid_lft forever preferred_lft forever
    *******************************/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ip route show :

default via *************** dev wwan0 proto static src ***************
*****************/29 dev wwan0 proto kernel scope link src ****************
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

ip rule show

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

iptables-save :

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wwan0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.1.1:161
-A zone_lan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.1.1:7547
-A zone_wan_prerouting -p udp -m udp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.1.1:7547
-A zone_wan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Oct 23 13:19:17 2020
# Generated by iptables-save v1.6.2 on Fri Oct 23 13:19:17 2020
*mangle
:PREROUTING ACCEPT [52:8125]
:INPUT ACCEPT [24:1856]
:FORWARD ACCEPT [28:6269]
:OUTPUT ACCEPT [20:4320]
:POSTROUTING ACCEPT [48:10589]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Fri Oct 23 13:19:17 2020
# Generated by iptables-save v1.6.2 on Fri Oct 23 13:19:17 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wwan0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wwan0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wwan0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: IP Filtering" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o wwan0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i wwan0 -m comment --comment "!fw3" -j reject
1 Like

As you can see, your config is not applied properly, e.g. the rule Allow-Ping is missing.
This could be the result of a race condition.
Try to restart the firewall and check its runtime config again.
As a workaround, you can use the hotplug script which calls:

/etc/init.d/firewall restart
2 Likes
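
The comparison made above (a rule present in the uci export firewall output but absent from the iptables-save output) can be scripted. This is an added example, not part of the original thread or of OpenWrt; the function names fw3_missing_rules and fw3_drift_demo are hypothetical, the sample input is an excerpt constructed from the output posted above plus one constructed disabled rule (Test-Disabled), and it assumes fw3 tags each named rule with a "!fw3: <name>" comment as seen in that output.

```shell
#!/bin/sh
# Added example: list firewall rules that exist in the persistent uci
# config but have no counterpart in the runtime iptables ruleset.
# On the router (commands as used in the thread):
#   uci export firewall > /tmp/fw.uci; iptables-save > /tmp/fw.rt
#   fw3_missing_rules /tmp/fw.uci /tmp/fw.rt

# fw3_missing_rules CONFIG RUNTIME
# Prints the name of every enabled, non-IPv6 "config rule" in CONFIG for
# which RUNTIME holds no rule commented "!fw3: <name>" (assumption: fw3
# tags named rules this way, as in the iptables-save output above).
fw3_missing_rules() {
    awk -v q="'" -v rt="$2" '
        # Value of a uci "option key value" line, quotes removed.
        function value(line) {
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", line)
            gsub(q, "", line)
            return line
        }
        # Remember the section just finished if iptables should contain it.
        function commit() {
            if (in_rule && name != "" && enabled != "0" && family != "ipv6")
                want[++n] = name
            in_rule = 0; name = ""; enabled = "1"; family = "any"
        }
        FILENAME == rt {
            if (match($0, /"!fw3: [^"]+"/))
                have[substr($0, RSTART + 7, RLENGTH - 8)] = 1
            next
        }
        $1 == "config" { commit(); in_rule = ($2 == "rule"); next }
        $1 == "option" && in_rule {
            if ($2 == "name")    name = value($0)
            if ($2 == "enabled") enabled = value($0)
            if ($2 == "family")  family = value($0)
        }
        END {
            commit()
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) print want[i]
        }
    ' "$2" "$1"
}

# Constructed sample: excerpt of the thread output plus one disabled rule.
fw3_drift_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fw.uci" <<'EOF'
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '1'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Test-Disabled'
        option proto 'tcp'
        option target 'ACCEPT'
        option enabled '0'
EOF
    cat > "$dir/fw.rt" <<'EOF'
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
EOF
    fw3_missing_rules "$dir/fw.uci" "$dir/fw.rt"
    rm -rf "$dir"
}

fw3_drift_demo
```

IPv6 rules are skipped because they appear in the ip6tables ruleset rather than in the iptables-save output, and disabled rules are skipped because fw3 does not install them.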

Allow-Ping in my settings:

1 Like

Yep, it is present in the persistent config, but missing in the runtime config.

2 Likes

Yes, I disabled it for testing and forgot to enable it when I got the new reports.
But in general it has been active, because if it is not active, it is not possible to ping at all.

@trendy
@vgaetera
How can I see ICMP logs on OpenWrt?

iptables -I INPUT -p icmp -j LOG --log-prefix iptables:; logread -f
tcpdump -n -i any icmp
1 Like

That's how I got the log.
But there is no problem in this section; it is normal, like other requests.
But timeouts are seen at the source that is pinging.

How should I investigate the cause of this problem?

source ping :

Reply from ***********: bytes=32 time=83ms TTL=54
Reply from ***********: bytes=32 time=37ms TTL=54
Reply from ***********: bytes=32 time=29ms TTL=54
Reply from ***********: bytes=32 time=50ms TTL=54
Reply from ***********: bytes=32 time=70ms TTL=54
Reply from ***********: bytes=32 time=68ms TTL=54
Reply from ***********: bytes=32 time=76ms TTL=54
Reply from ***********: bytes=32 time=31ms TTL=54
Reply from ***********: bytes=32 time=52ms TTL=54
Reply from ***********: bytes=32 time=40ms TTL=54
Reply from ***********: bytes=32 time=41ms TTL=54
Reply from ***********: bytes=32 time=53ms TTL=54
Reply from ***********: bytes=32 time=72ms TTL=54
Reply from ***********: bytes=32 time=86ms TTL=54
Reply from ***********: bytes=32 time=34ms TTL=54
Reply from ***********: bytes=32 time=39ms TTL=54
Reply from ***********: bytes=32 time=43ms TTL=54
Reply from ***********: bytes=32 time=48ms TTL=54
Reply from ***********: bytes=32 time=32ms TTL=54
Reply from ***********: bytes=32 time=66ms TTL=54
Reply from ***********: bytes=32 time=71ms TTL=54
Reply from ***********: bytes=32 time=82ms TTL=54
Reply from ***********: bytes=32 time=83ms TTL=54
Reply from ***********: bytes=32 time=33ms TTL=54
Request timed out.
Reply from ***********: bytes=32 time=38ms TTL=54
Reply from ***********: bytes=32 time=42ms TTL=54
Reply from ***********: bytes=32 time=46ms TTL=54
Reply from ***********: bytes=32 time=51ms TTL=54
Reply from ***********: bytes=32 time=66ms TTL=54
Reply from ***********: bytes=32 time=30ms TTL=54
Reply from ***********: bytes=32 time=28ms TTL=54
Reply from ***********: bytes=32 time=38ms TTL=54

openwrt log :

Sat Oct 24 17:20:12 2020 kern.warn kernel: [  788.324907] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28596 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5407
Sat Oct 24 17:20:13 2020 kern.warn kernel: [  789.284752] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28597 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5409
Sat Oct 24 17:20:14 2020 kern.warn kernel: [  790.306215] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28598 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5411
Sat Oct 24 17:20:15 2020 kern.warn kernel: [  791.332256] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28599 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5413
Sat Oct 24 17:20:16 2020 kern.warn kernel: [  792.356138] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28600 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5415
Sat Oct 24 17:20:17 2020 kern.warn kernel: [  793.381002] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28601 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5417
Sat Oct 24 17:20:18 2020 kern.warn kernel: [  794.404381] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28602 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5419
Sat Oct 24 17:20:19 2020 kern.warn kernel: [  795.380497] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28603 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5421
Sat Oct 24 17:20:20 2020 kern.warn kernel: [  796.420343] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28604 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5423
Sat Oct 24 17:20:21 2020 kern.warn kernel: [  797.412750] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28605 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5425
Sat Oct 24 17:20:22 2020 kern.warn kernel: [  798.436756] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28606 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5427
Sat Oct 24 17:20:23 2020 kern.warn kernel: [  799.461007] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28607 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5429
Sat Oct 24 17:20:24 2020 kern.warn kernel: [  800.484749] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28608 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5431
Sat Oct 24 17:20:25 2020 kern.warn kernel: [  801.508629] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28609 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5433
Sat Oct 24 17:20:26 2020 kern.warn kernel: [  802.476500] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28610 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5435
Sat Oct 24 17:20:27 2020 kern.warn kernel: [  803.492375] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28611 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5437
Sat Oct 24 17:20:28 2020 kern.warn kernel: [  804.516247] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28612 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5439
Sat Oct 24 17:20:29 2020 kern.warn kernel: [  805.540621] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28613 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5441
Sat Oct 24 17:20:30 2020 kern.warn kernel: [  806.540385] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28614 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5443
Sat Oct 24 17:20:31 2020 kern.warn kernel: [  807.588103] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28615 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5445
Sat Oct 24 17:20:32 2020 kern.warn kernel: [  808.612242] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28616 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5447
Sat Oct 24 17:20:33 2020 kern.warn kernel: [  809.636758] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28617 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5449
Sat Oct 24 17:20:34 2020 kern.warn kernel: [  810.660251] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28618 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5451
Sat Oct 24 17:20:35 2020 kern.warn kernel: [  811.620138] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28619 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5453
Sat Oct 24 17:20:36 2020 kern.warn kernel: [  812.644236] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28620 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5455
Sat Oct 24 17:20:41 2020 kern.warn kernel: [  817.384498] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28621 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5461
Sat Oct 24 17:20:42 2020 kern.warn kernel: [  818.404494] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28622 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5463
Sat Oct 24 17:20:43 2020 kern.warn kernel: [  819.428747] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28623 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5465
Sat Oct 24 17:20:44 2020 kern.warn kernel: [  820.451634] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28624 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5467
Sat Oct 24 17:20:45 2020 kern.warn kernel: [  821.476123] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28625 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5469
Sat Oct 24 17:20:46 2020 kern.warn kernel: [  822.460988] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28626 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5471
Sat Oct 24 17:20:47 2020 kern.warn kernel: [  823.477063] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28627 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5473
Sat Oct 24 17:20:48 2020 kern.warn kernel: [  824.496596] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28628 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5475

As soon as I stop the firewall, everything is fixed and not even one packet loss is observed.

1 Like
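
An added example, not part of the original thread: a filter for the LOG output above that reports jumps in the ICMP echo-request sequence numbers, so that timeouts seen at the ping source can be matched against requests that were never logged on the router. The function names icmp_seq_gaps and icmp_seq_gaps_demo are hypothetical, the sample lines are an excerpt of the log posted above, and it assumes a single ping stream whose usual SEQ step is the most frequent difference between consecutive entries.

```shell
#!/bin/sh
# Added example: find gaps in ICMP echo-request sequence numbers in the
# kernel LOG lines produced by
#   iptables -I INPUT -p icmp -j LOG --log-prefix iptables:
# On the router: logread | icmp_seq_gaps

# icmp_seq_gaps: reads logread output on stdin.
# Assumes one ping stream; the normal SEQ step is taken to be the most
# frequent difference between consecutive logged requests.
# Prints one line per gap:
#   gap after SEQ=<a>: next SEQ=<b>, missing=<n>, dt=<seconds>s
icmp_seq_gaps() {
    awk '
        /PROTO=ICMP TYPE=8 / {
            # Kernel uptime stamp, e.g. "[  812.644236]".
            if (!match($0, /\[ *[0-9]+\.[0-9]+\]/)) next
            t = substr($0, RSTART + 1, RLENGTH - 2) + 0
            if (!match($0, /SEQ=[0-9]+/)) next
            n++
            ts[n]  = t
            seq[n] = substr($0, RSTART + 4, RLENGTH - 4) + 0
        }
        END {
            # First pass: compute deltas and pick the most frequent one.
            for (i = 2; i <= n; i++) {
                d = seq[i] - seq[i - 1]
                if (d < 0) d += 65536          # 16-bit SEQ wrapped around
                delta[i] = d
                if (d > 0 && ++count[d] > best) { best = count[d]; step = d }
            }
            # Second pass: anything larger than the usual step is a gap.
            for (i = 2; i <= n; i++)
                if (delta[i] > step)
                    printf "gap after SEQ=%d: next SEQ=%d, missing=%d, dt=%.1fs\n",
                        seq[i - 1], seq[i], int(delta[i] / step) - 1,
                        ts[i] - ts[i - 1]
        }
    '
}

# Sample input: excerpt of the log posted in the thread (addresses redacted there).
icmp_seq_gaps_demo() {
    icmp_seq_gaps <<'EOF'
Sat Oct 24 17:20:33 2020 kern.warn kernel: [  809.636758] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28617 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5449
Sat Oct 24 17:20:34 2020 kern.warn kernel: [  810.660251] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28618 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5451
Sat Oct 24 17:20:35 2020 kern.warn kernel: [  811.620138] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28619 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5453
Sat Oct 24 17:20:36 2020 kern.warn kernel: [  812.644236] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28620 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5455
Sat Oct 24 17:20:41 2020 kern.warn kernel: [  817.384498] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28621 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5461
Sat Oct 24 17:20:42 2020 kern.warn kernel: [  818.404494] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28622 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5463
Sat Oct 24 17:20:43 2020 kern.warn kernel: [  819.428747] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28623 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5465
EOF
}

icmp_seq_gaps_demo
```

Because the LOG rule was inserted at the top of the INPUT chain, a request missing from this log was not seen by that rule, so the wan zone chains further down INPUT never evaluated it.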

Restart the firewall:

/etc/init.d/firewall restart

Then try to ping and check the output:

iptables-save -c
1 Like