Ping from wan timeout

But as soon as I disable the firewall or remove wwan0 from the firewall, everything is fine.

I believe you are experiencing something odd, but if you don't show it to us we cannot understand what might be the problem.
The logs didn't show anything relevant. Is it only the ping or other things too?
I hope it is not connected to the bridge experiments you are trying here. Better deal with one problem at a time.

Yes, the problem is only with ping.
Doesn't MSS clamping or synflood cause this problem?

Check the runtime configuration:

ip address show; ip route show; ip rule show; iptables-save

ip address show:

12: wwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/none
    inet ***************/29 brd **************** scope global wwan0
       valid_lft forever preferred_lft forever
    *******************************/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ip route show:

default via *************** dev wwan0 proto static src ***************
*****************/29 dev wwan0 proto kernel scope link src ****************
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

ip rule show:

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

iptables-save:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wwan0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.1.1:161
-A zone_lan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.1.1:7547
-A zone_wan_prerouting -p udp -m udp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.1.1:7547
-A zone_wan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Oct 23 13:19:17 2020
# Generated by iptables-save v1.6.2 on Fri Oct 23 13:19:17 2020
*mangle
:PREROUTING ACCEPT [52:8125]
:INPUT ACCEPT [24:1856]
:FORWARD ACCEPT [28:6269]
:OUTPUT ACCEPT [20:4320]
:POSTROUTING ACCEPT [48:10589]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Fri Oct 23 13:19:17 2020
# Generated by iptables-save v1.6.2 on Fri Oct 23 13:19:17 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wwan0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wwan0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wwan0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: IP Filtering" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o wwan0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i wwan0 -m comment --comment "!fw3" -j reject

As you can see, your config is not applied properly, e.g. the rule Allow-Ping is missing.
This could be the result of a race condition.
Try to restart the firewall and check its runtime config again.
As a workaround, you can use the hotplug script which calls:

/etc/init.d/firewall restart

Allow ping in my settings:

Yep, it is present in the persistent config, but missing in the runtime config.


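The comparison made in the replies above (a rule present in the persistent config but absent from the runtime ruleset) can be scripted. This is an added example, not part of the original thread: the helper name `missing_fw3_rules` is hypothetical, the sample dumps are constructed, and it assumes the inputs come from `uci show firewall` and `iptables-save` and that disabled rules are stored as `enabled='0'`.

```shell
#!/bin/sh
# Added example (not from the thread): report named fw3 rules that exist in
# the persistent config but have no "!fw3: <name>" rule in the runtime set.
#
# On the router the two inputs would be produced with:
#   iptables-save > /tmp/fw.live ; uci show firewall > /tmp/fw.uci

# missing_fw3_rules RULESET_DUMP UCI_DUMP   (hypothetical helper name)
# Prints "<STATUS> <name>" for each named rule/redirect absent at runtime:
#   MISSING   enabled in the config, yet not loaded
#   DISABLED  enabled=0 in the config, so its absence is expected
missing_fw3_rules() {
    awk -v q="'" '
        # First file: runtime ruleset. Collect every fw3 comment name.
        FILENAME == ARGV[1] {
            if (match($0, /--comment "!fw3: [^"]+"/))
                live[substr($0, RSTART + 17, RLENGTH - 18)] = 1
            next
        }
        # Second file: "uci show firewall" lines in key=value form.
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(q, "", val)                    # strip the quoting uci adds
            n = split(key, part, ".")
            if (n == 2) {                       # firewall.<section>=<type>
                type[part[2]] = val
                order[++count] = part[2]
            } else if (n == 3) {                # firewall.<section>.<option>
                opt[part[2], part[3]] = val
            }
        }
        END {
            for (i = 1; i <= count; i++) {
                s = order[i]
                if (type[s] != "rule" && type[s] != "redirect") continue
                if (!((s, "name") in opt)) continue       # unnamed: nothing to match
                if (opt[s, "family"] == "ipv6") continue  # lives in ip6tables-save
                name = opt[s, "name"]
                if (name in live) continue
                status = (opt[s, "enabled"] == "0") ? "DISABLED" : "MISSING"
                print status " " name
            }
        }
    ' "$1" "$2"
}

# Constructed sample data modelled on the dumps posted in this thread.
run_sample() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/fw.live" <<'EOF'
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.1.1:161
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
EOF
    cat > "$tmp/fw.uci" <<'EOF'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].family='ipv6'
firewall.@rule[4]=rule
firewall.@rule[4].name='AllowWANWeb'
firewall.@rule[4].enabled='0'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='snmp'
EOF
    missing_fw3_rules "$tmp/fw.live" "$tmp/fw.uci"
    rm -rf "$tmp"
}

run_sample
```

A `MISSING` line points at a ruleset that was not fully loaded, while a `DISABLED` line means the rule was switched off in the config and will not reappear after a firewall restart.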
Yes, I disabled it for testing and forgot to enable it when I got the new reports.
But in general, this case has been active, because if it is not active, it is not possible to ping them at all.

@trendy
@vgaetera
How can I see the ICMP log on OpenWrt?

iptables -I INPUT -p icmp -j LOG --log-prefix iptables:; logread -f
tcpdump -n -i any icmp

That's how I got the log.
But there is no problem in this section, and it is normal like other requests.
But a timeout is seen at the source that is pinging.

How should I investigate the cause of this problem?

Source ping:

Reply from ***********: bytes=32 time=83ms TTL=54
Reply from ***********: bytes=32 time=37ms TTL=54
Reply from ***********: bytes=32 time=29ms TTL=54
Reply from ***********: bytes=32 time=50ms TTL=54
Reply from ***********: bytes=32 time=70ms TTL=54
Reply from ***********: bytes=32 time=68ms TTL=54
Reply from ***********: bytes=32 time=76ms TTL=54
Reply from ***********: bytes=32 time=31ms TTL=54
Reply from ***********: bytes=32 time=52ms TTL=54
Reply from ***********: bytes=32 time=40ms TTL=54
Reply from ***********: bytes=32 time=41ms TTL=54
Reply from ***********: bytes=32 time=53ms TTL=54
Reply from ***********: bytes=32 time=72ms TTL=54
Reply from ***********: bytes=32 time=86ms TTL=54
Reply from ***********: bytes=32 time=34ms TTL=54
Reply from ***********: bytes=32 time=39ms TTL=54
Reply from ***********: bytes=32 time=43ms TTL=54
Reply from ***********: bytes=32 time=48ms TTL=54
Reply from ***********: bytes=32 time=32ms TTL=54
Reply from ***********: bytes=32 time=66ms TTL=54
Reply from ***********: bytes=32 time=71ms TTL=54
Reply from ***********: bytes=32 time=82ms TTL=54
Reply from ***********: bytes=32 time=83ms TTL=54
Reply from ***********: bytes=32 time=33ms TTL=54
Request timed out.
Reply from ***********: bytes=32 time=38ms TTL=54
Reply from ***********: bytes=32 time=42ms TTL=54
Reply from ***********: bytes=32 time=46ms TTL=54
Reply from ***********: bytes=32 time=51ms TTL=54
Reply from ***********: bytes=32 time=66ms TTL=54
Reply from ***********: bytes=32 time=30ms TTL=54
Reply from ***********: bytes=32 time=28ms TTL=54
Reply from ***********: bytes=32 time=38ms TTL=54

OpenWrt log:

Sat Oct 24 17:20:12 2020 kern.warn kernel: [  788.324907] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28596 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5407
Sat Oct 24 17:20:13 2020 kern.warn kernel: [  789.284752] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28597 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5409
Sat Oct 24 17:20:14 2020 kern.warn kernel: [  790.306215] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28598 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5411
Sat Oct 24 17:20:15 2020 kern.warn kernel: [  791.332256] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28599 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5413
Sat Oct 24 17:20:16 2020 kern.warn kernel: [  792.356138] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28600 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5415
Sat Oct 24 17:20:17 2020 kern.warn kernel: [  793.381002] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28601 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5417
Sat Oct 24 17:20:18 2020 kern.warn kernel: [  794.404381] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28602 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5419
Sat Oct 24 17:20:19 2020 kern.warn kernel: [  795.380497] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28603 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5421
Sat Oct 24 17:20:20 2020 kern.warn kernel: [  796.420343] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28604 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5423
Sat Oct 24 17:20:21 2020 kern.warn kernel: [  797.412750] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28605 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5425
Sat Oct 24 17:20:22 2020 kern.warn kernel: [  798.436756] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28606 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5427
Sat Oct 24 17:20:23 2020 kern.warn kernel: [  799.461007] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28607 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5429
Sat Oct 24 17:20:24 2020 kern.warn kernel: [  800.484749] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28608 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5431
Sat Oct 24 17:20:25 2020 kern.warn kernel: [  801.508629] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28609 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5433
Sat Oct 24 17:20:26 2020 kern.warn kernel: [  802.476500] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28610 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5435
Sat Oct 24 17:20:27 2020 kern.warn kernel: [  803.492375] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28611 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5437
Sat Oct 24 17:20:28 2020 kern.warn kernel: [  804.516247] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28612 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5439
Sat Oct 24 17:20:29 2020 kern.warn kernel: [  805.540621] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28613 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5441
Sat Oct 24 17:20:30 2020 kern.warn kernel: [  806.540385] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28614 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5443
Sat Oct 24 17:20:31 2020 kern.warn kernel: [  807.588103] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28615 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5445
Sat Oct 24 17:20:32 2020 kern.warn kernel: [  808.612242] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28616 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5447
Sat Oct 24 17:20:33 2020 kern.warn kernel: [  809.636758] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28617 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5449
Sat Oct 24 17:20:34 2020 kern.warn kernel: [  810.660251] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28618 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5451
Sat Oct 24 17:20:35 2020 kern.warn kernel: [  811.620138] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28619 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5453
Sat Oct 24 17:20:36 2020 kern.warn kernel: [  812.644236] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28620 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5455
Sat Oct 24 17:20:41 2020 kern.warn kernel: [  817.384498] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28621 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5461
Sat Oct 24 17:20:42 2020 kern.warn kernel: [  818.404494] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28622 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5463
Sat Oct 24 17:20:43 2020 kern.warn kernel: [  819.428747] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28623 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5465
Sat Oct 24 17:20:44 2020 kern.warn kernel: [  820.451634] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28624 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5467
Sat Oct 24 17:20:45 2020 kern.warn kernel: [  821.476123] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28625 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5469
Sat Oct 24 17:20:46 2020 kern.warn kernel: [  822.460988] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28626 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5471
Sat Oct 24 17:20:47 2020 kern.warn kernel: [  823.477063] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28627 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5473
Sat Oct 24 17:20:48 2020 kern.warn kernel: [  824.496596] iptables:IN=wwan0 OUT= MAC= SRC=*********** DST=*********** LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=28628 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=5475

As soon as I stop the firewall, everything is fixed and not even one packet loss is observed.

Restart the firewall:

/etc/init.d/firewall restart

Then try to ping and check the output:

iptables-save -c
*nat
:PREROUTING ACCEPT [6:348]
:INPUT ACCEPT [6:348]
:OUTPUT ACCEPT [7:421]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6:348] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[6:348] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wwan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[7:421] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[7:421] -A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[6:348] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.0.1:161
[0:0] -A zone_lan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp2" -j DNAT --to-destination 192.168.0.1:161
[7:421] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[7:421] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.0.1:7547
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 7547 -m comment --comment "!fw3: acsnew" -j DNAT --to-destination 192.168.0.1:7547
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: wanhttp" -j DNAT --to-destination 192.168.0.1:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: wanhttp" -j DNAT --to-destination 192.168.0.1:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.0.1:161
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 161 -m comment --comment "!fw3: snmp" -j DNAT --to-destination 192.168.0.1:161
COMMIT
# Completed on Sat Oct 24 18:10:27 2020
# Generated by iptables-save v1.6.2 on Sat Oct 24 18:10:27 2020
*mangle
:PREROUTING ACCEPT [734:128321]
:INPUT ACCEPT [718:126949]
:FORWARD ACCEPT [6:240]
:OUTPUT ACCEPT [731:218061]
:POSTROUTING ACCEPT [727:217809]
COMMIT
# Completed on Sat Oct 24 18:10:27 2020
# Generated by iptables-save v1.6.2 on Sat Oct 24 18:10:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[80:7443] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[74:7095] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:348] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wwan0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[1:40] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wwan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[72:11691] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[65:11270] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[7:421] -A OUTPUT -o wwan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1:40] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1:40] -A zone_lan_forward -m comment --comment "!fw3: IP Filtering" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:348] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6:348] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:348] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[7:421] -A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wwan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 161 -m comment --comment "!fw3: AllowWANWeb" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[7:421] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[7:421] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wwan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Oct 24 18:10:28 2020

For the wwan0 WAN device:

[1:44] -A PREROUTING -i wwan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[1:40] -A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[1:44] -A INPUT -i wwan0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -i wwan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A OUTPUT -o wwan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wwan0 -m comment --comment "!fw3" -j reject
[1:44] -A zone_wan_src_REJECT -i wwan0 -m comment --comment "!fw3" -j reject

There's no incoming traffic in the WAN zone.
Where are you pinging from?

From wan1, which is connected to wwan0 for the LTE module.

I can see only one ping lost. Is this the reason you have opened the topic?

No, this number of pings is only for these 15 seconds. Over about 50,000 pings I have 1% packet loss.
But the packet loss is 0 when the firewall is disabled. Nothing is lost.