Port forwarding LAN - Guest

I want to forward the DLNA UPnP and web interface ports of my NAS into the guest network.
I managed to get the ports open, but I have no connectivity. I'm not sure what I'm missing.
My Setup:

I also did a tcpdump for the web interface port 5001, and it looks like the traffic is forwarded over the WAN interface?

tcpdump -i any -vn tcp port 5001

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
10:06:43.769885 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x1d5e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294049307 ecr 0,sackOK,eol], length 0
10:06:43.769885 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x1d5e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294049307 ecr 0,sackOK,eol], length 0
10:06:43.770337 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xc5bd (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294049307 ecr 0,sackOK,eol], length 0
10:06:44.020503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x334c (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294049557 ecr 0,sackOK,eol], length 0
10:06:44.020503 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x334c (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294049557 ecr 0,sackOK,eol], length 0
10:06:44.020884 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xdbab (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294049557 ecr 0,sackOK,eol], length 0
10:06:44.775156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x1975 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294050308 ecr 0,sackOK,eol], length 0
10:06:44.775156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x1975 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294050308 ecr 0,sackOK,eol], length 0
10:06:44.775750 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xc1d4 (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294050308 ecr 0,sackOK,eol], length 0
10:06:45.025344 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2f63 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294050558 ecr 0,sackOK,eol], length 0
10:06:45.025344 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2f63 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294050558 ecr 0,sackOK,eol], length 0
10:06:45.025774 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xd7c2 (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294050558 ecr 0,sackOK,eol], length 0
10:06:45.778853 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x158c (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294051309 ecr 0,sackOK,eol], length 0
10:06:45.778853 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x158c (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294051309 ecr 0,sackOK,eol], length 0
10:06:45.779234 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xbdeb (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294051309 ecr 0,sackOK,eol], length 0
10:06:46.028953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2b7a (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294051559 ecr 0,sackOK,eol], length 0
10:06:46.028953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2b7a (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294051559 ecr 0,sackOK,eol], length 0
10:06:46.029299 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xd3d9 (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294051559 ecr 0,sackOK,eol], length 0
10:06:46.782518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x11a3 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294052310 ecr 0,sackOK,eol], length 0
10:06:46.782518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x11a3 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294052310 ecr 0,sackOK,eol], length 0
10:06:46.782989 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xba02 (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294052310 ecr 0,sackOK,eol], length 0
10:06:47.032437 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2791 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294052560 ecr 0,sackOK,eol], length 0
10:06:47.032437 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x2791 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294052560 ecr 0,sackOK,eol], length 0
10:06:47.032762 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xcff0 (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294052560 ecr 0,sackOK,eol], length 0
10:06:47.766099 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60293 > 10.19.90.1.5001: Flags [S], cksum 0x47ca (correct), seq 3674297623, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053292 ecr 0,sackOK,eol], length 0
10:06:47.766099 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60293 > 10.19.90.1.5001: Flags [S], cksum 0x47ca (correct), seq 3674297623, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053292 ecr 0,sackOK,eol], length 0
10:06:47.766434 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60293 > 10.19.89.161.5001: Flags [S], cksum 0xf029 (correct), seq 3674297623, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294053292 ecr 0,sackOK,eol], length 0
10:06:47.784658 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x0dba (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053311 ecr 0,sackOK,eol], length 0
10:06:47.784658 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x0dba (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053311 ecr 0,sackOK,eol], length 0
10:06:47.784979 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xb619 (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294053311 ecr 0,sackOK,eol], length 0
10:06:48.020245 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60294 > 10.19.90.1.5001: Flags [S], cksum 0xd465 (correct), seq 3398883303, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053546 ecr 0,sackOK,eol], length 0
10:06:48.020245 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60294 > 10.19.90.1.5001: Flags [S], cksum 0xd465 (correct), seq 3398883303, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053546 ecr 0,sackOK,eol], length 0
10:06:48.020583 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60294 > 10.19.89.161.5001: Flags [S], cksum 0x7cc5 (correct), seq 3398883303, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294053546 ecr 0,sackOK,eol], length 0
10:06:48.034769 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x23a9 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053560 ecr 0,sackOK,eol], length 0
10:06:48.034769 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x23a9 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294053560 ecr 0,sackOK,eol], length 0
10:06:48.035069 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xcc08 (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294053560 ecr 0,sackOK,eol], length 0
10:06:48.789648 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x09d1 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294054312 ecr 0,sackOK,eol], length 0
10:06:48.789648 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x09d1 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294054312 ecr 0,sackOK,eol], length 0
10:06:48.790189 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xb230 (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294054312 ecr 0,sackOK,eol], length 0
10:06:49.038393 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x1fc0 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294054561 ecr 0,sackOK,eol], length 0
10:06:49.038393 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x1fc0 (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294054561 ecr 0,sackOK,eol], length 0
10:06:49.038903 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xc81f (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294054561 ecr 0,sackOK,eol], length 0
10:06:50.793600 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x0200 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294056313 ecr 0,sackOK,eol], length 0
10:06:50.793600 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x0200 (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294056313 ecr 0,sackOK,eol], length 0
10:06:50.793953 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0xaa5f (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294056313 ecr 0,sackOK,eol], length 0
10:06:51.042325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x17ef (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294056562 ecr 0,sackOK,eol], length 0
10:06:51.042325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x17ef (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294056562 ecr 0,sackOK,eol], length 0
10:06:51.042671 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xc04e (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294056562 ecr 0,sackOK,eol], length 0
10:06:54.800935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0xf25e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294060314 ecr 0,sackOK,eol], length 0
10:06:54.800935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0xf25e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294060314 ecr 0,sackOK,eol], length 0
10:06:54.801389 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0x9abe (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294060314 ecr 0,sackOK,eol], length 0
10:06:55.050142 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x084f (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294060562 ecr 0,sackOK,eol], length 0
10:06:55.050142 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0x084f (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294060562 ecr 0,sackOK,eol], length 0
10:06:55.050502 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0xb0ae (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294060562 ecr 0,sackOK,eol], length 0
10:07:02.818256 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0xd31e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294068314 ecr 0,sackOK,eol], length 0
10:07:02.818256 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0xd31e (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294068314 ecr 0,sackOK,eol], length 0
10:07:02.818579 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0x7b7e (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294068314 ecr 0,sackOK,eol], length 0
10:07:03.067553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0xe90d (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294068563 ecr 0,sackOK,eol], length 0
10:07:03.067553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0xe90d (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294068563 ecr 0,sackOK,eol], length 0
10:07:03.067910 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0x916d (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294068563 ecr 0,sackOK,eol], length 0
10:07:18.845960 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x949d (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294084315 ecr 0,sackOK,eol], length 0
10:07:18.845960 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60336 > 10.19.90.1.5001: Flags [S], cksum 0x949d (correct), seq 3868754770, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294084315 ecr 0,sackOK,eol], length 0
10:07:18.846227 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60336 > 10.19.89.161.5001: Flags [S], cksum 0x3cfd (correct), seq 3868754770, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294084315 ecr 0,sackOK,eol], length 0
10:07:19.095376 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0xaa8c (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294084564 ecr 0,sackOK,eol], length 0
10:07:19.095376 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.19.90.176.60337 > 10.19.90.1.5001: Flags [S], cksum 0xaa8c (correct), seq 259539850, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 294084564 ecr 0,sackOK,eol], length 0
10:07:19.095848 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.17.2.60337 > 10.19.89.161.5001: Flags [S], cksum 0x52ec (correct), seq 259539850, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 294084564 ecr 0,sackOK,eol], length 0
10:07:19.824129 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    10.19.90.176.60293 > 10.19.90.1.5001: Flags [S], cksum 0x8c21 (correct), seq 3674297623, win 65535, options [mss 1460,sackOK,eol], length 0
10:07:19.824129 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    10.19.90.176.60293 > 10.19.90.1.5001: Flags [S], cksum 0x8c21 (correct), seq 3674297623, win 65535, options [mss 1460,sackOK,eol], length 0
10:07:19.824458 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    172.17.17.2.60293 > 10.19.89.161.5001: Flags [S], cksum 0x3481 (correct), seq 3674297623, win 65535, options [mss 1380,sackOK,eol], length 0
10:07:20.079191 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    10.19.90.176.60294 > 10.19.90.1.5001: Flags [S], cksum 0x19bb (correct), seq 3398883303, win 65535, options [mss 1460,sackOK,eol], length 0
10:07:20.079191 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    10.19.90.176.60294 > 10.19.90.1.5001: Flags [S], cksum 0x19bb (correct), seq 3398883303, win 65535, options [mss 1460,sackOK,eol], length 0
10:07:20.079627 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 48)
    172.17.17.2.60294 > 10.19.89.161.5001: Flags [S], cksum 0xc21a (correct), seq 3398883303, win 65535, options [mss 1380,sackOK,eol], length 0

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd30:f1aa:41e2::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0 eth2'
network.lan.proto='static'
network.lan.ipaddr='10.19.89.1'
network.lan.ip6assign='60'
network.lan.netmask='255.255.255.0'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.mullvad=interface
network.mullvad.proto='wireguard'
network.mullvad.addresses='***'
network.mullvad.private_key='***'
network.mullvad.force_link='1'
network.@wireguard_mullvad[0]=wireguard_mullvad
network.@wireguard_mullvad[0].persistent_keepalive='25'
network.@wireguard_mullvad[0].endpoint_port='51820'
network.@wireguard_mullvad[0].allowed_ips='0.0.0.0/0'
network.@wireguard_mullvad[0].route_allowed_ips='1'
network.@wireguard_mullvad[0].endpoint_host='de17-wireguard.mullvad.net'
network.@wireguard_mullvad[0].public_key='Fp3bDkNLmmTajbN3cSVM9zi0OeSuOZySMGypk7HOO3E='
network.@wireguard_mullvad[0].description='de17-wireguard.mullvad.net'
network.guest=interface
network.guest.proto='static'
network.guest.ifname='eth3'
network.guest.type='bridge'
network.guest.netmask='255.255.255.0'
network.guest.ipaddr='10.19.90.1'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].network='guest'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].name='guest'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[3]=zone
firewall.@zone[3].network='mullvad'
firewall.@zone[3].name='mullvad'
firewall.@zone[3].mtu_fix='1'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].masq='1'
firewall.@zone[3].output='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='mullvad'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='67-68'
firewall.@rule[9].src='guest'
firewall.@rule[9].name='Allow-Guest-DHCP'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='53'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-Guest-DNS'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@rule[11]=rule
firewall.@rule[11].dest_port='1900'
firewall.@rule[11].src='guest'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='Allow-Guest-UPnP-NAS'
firewall.@rule[12]=rule
firewall.@rule[12].dest_port='50001'
firewall.@rule[12].src='guest'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].name='Allow-Guest-DLNA-Browse-NAS'
firewall.@rule[13]=rule
firewall.@rule[13].dest_port='50002'
firewall.@rule[13].src='guest'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].name='Allow-Guest-DLNA-Stream-NAS'
firewall.@rule[14]=rule
firewall.@rule[14].dest_port='5001'
firewall.@rule[14].src='guest'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].name='Allow-Guest-Web-Interface-NAS'
firewall.@rule[15]=rule
firewall.@rule[15].dest='wan'
firewall.@rule[15].src='guest'
firewall.@rule[15].target='REJECT'
firewall.@rule[15].name='Deny-Guest-Fritzbox'
firewall.@rule[15].dest_ip='172.17.17.1/24'
firewall.@rule[16]=rule
firewall.@rule[16].dest='wan'
firewall.@rule[16].src='lan'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].name='Allow-Lan-Fritzbox'
firewall.@rule[16].dest_ip='172.17.17.1/24'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='UPnP-NAS'
firewall.@redirect[0].src_dport='1900'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='tcp' 'udp'
firewall.@redirect[0].dest_port='1900'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].src='guest'
firewall.@redirect[0].dest_ip='10.19.89.161'
firewall.@redirect[0].src_dip='10.19.90.1'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='DLNA-Brows-NAS'
firewall.@redirect[1].src_dport='50001'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_port='50001'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].src='guest'
firewall.@redirect[1].dest_ip='10.19.89.161'
firewall.@redirect[1].src_dip='10.19.90.1'
firewall.@redirect[2]=redirect
firewall.@redirect[2].name='DLNA-Stream-NAS'
firewall.@redirect[2].src_dport='50002'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_port='50002'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].src='guest'
firewall.@redirect[2].dest_ip='10.19.89.161'
firewall.@redirect[2].src_dip='10.19.90.1'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest_port='5001'
firewall.@redirect[3].src='guest'
firewall.@redirect[3].src_dport='5001'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].dest_ip='10.19.89.161'
firewall.@redirect[3].src_dip='10.19.90.1'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].name='Web-Interface-NAS'

uci show vpn-policy-routing

vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='Guest'
vpn-policy-routing.@policy[0].src_addr='10.19.90.2/24'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'

ip route show table all

default via 172.17.17.1 dev eth1 table 201 
10.19.90.0/24 dev br-guest table 201 proto kernel scope link src 10.19.90.1 
default via X.X.X.X dev mullvad table 202 
10.19.90.0/24 dev br-guest table 202 proto kernel scope link src 10.19.90.1 
default dev mullvad proto static scope link 
10.19.89.0/24 dev br-lan proto kernel scope link src 10.19.89.1 
172.17.17.0/24 dev eth1 proto kernel scope link src 172.17.17.2 
193.27.14.146 via 172.17.17.1 dev eth1 proto static 
broadcast 10.19.89.0 dev br-lan table local proto kernel scope link src 10.19.89.1 
local 10.19.89.1 dev br-lan table local proto kernel scope host src 10.19.89.1 
broadcast 10.19.89.255 dev br-lan table local proto kernel scope link src 10.19.89.1 
broadcast 10.19.90.0 dev br-guest table local proto kernel scope link src 10.19.90.1 
local 10.19.90.1 dev br-guest table local proto kernel scope host src 10.19.90.1 
broadcast 10.19.90.255 dev br-guest table local proto kernel scope link src 10.19.90.1 
local X.X.X.X dev mullvad table local proto kernel scope host src X.X.X.X 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.17.0 dev eth1 table local proto kernel scope link src 172.17.17.2 
local 172.17.17.2 dev eth1 table local proto kernel scope host src 172.17.17.2 
broadcast 172.17.17.255 dev eth1 table local proto kernel scope link src 172.17.17.2 
fd30:f1aa:41e2::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd30:f1aa:41e2::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev ifb4mullvad proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd30:f1aa:41e2:: dev br-lan table local proto kernel metric 0 pref medium
local fd30:f1aa:41e2::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4mullvad table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
local fe80::20d:b9ff:fe4c:a344 dev eth1 table local proto kernel metric 0 pref medium
local fe80::20d:b9ff:fe4c:a346 dev br-guest table local proto kernel metric 0 pref medium
local fe80::6f0:21ff:fe85:423a dev wlan0 table local proto kernel metric 0 pref medium
local fe80::6f0:21ff:fe88:4033 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::3832:67ff:fe2c:4f28 dev br-lan table local proto kernel metric 0 pref medium
local fe80::84eb:f1ff:fe99:9f51 dev ifb4mullvad table local proto kernel metric 0 pref medium
local fe80::a0a6:a6ff:fe59:3c1a dev ifb4eth1 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev br-guest table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev ifb4eth1 table local metric 256 pref medium
ff00::/8 dev mullvad table local metric 256 pref medium
ff00::/8 dev ifb4mullvad table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium

ip address show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether 3a:32:67:2c:4f:28 brd ff:ff:ff:ff:ff:ff
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 56:4e:e3:da:86:62 brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 1a:8e:40:34:af:ec brd ff:ff:ff:ff:ff:ff
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
    link/ether 00:0d:b9:4c:a3:44 brd ff:ff:ff:ff:ff:ff
    inet 172.17.17.2/24 brd 172.17.17.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:b9ff:fe4c:a344/64 scope link 
       valid_lft forever preferred_lft forever
6: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 00:0d:b9:4c:a3:45 brd ff:ff:ff:ff:ff:ff
7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP group default qlen 1000
    link/ether 00:0d:b9:4c:a3:46 brd ff:ff:ff:ff:ff:ff
69: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0d:b9:4c:a3:46 brd ff:ff:ff:ff:ff:ff
    inet 10.19.90.1/24 brd 10.19.90.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:b9ff:fe4c:a346/64 scope link 
       valid_lft forever preferred_lft forever
70: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3a:32:67:2c:4f:28 brd ff:ff:ff:ff:ff:ff
    inet 10.19.89.1/24 brd 10.19.89.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd30:f1aa:41e2::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::3832:67ff:fe2c:4f28/64 scope link 
       valid_lft forever preferred_lft forever
71: mullvad: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc htb state UNKNOWN group default qlen 1000
    link/none 
    inet X.X.X.X/32 brd 255.255.255.255 scope global mullvad
       valid_lft forever preferred_lft forever
76: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN group default qlen 32
    link/ether a2:a6:a6:59:3c:1a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a0a6:a6ff:fe59:3c1a/64 scope link 
       valid_lft forever preferred_lft forever
80: ifb4mullvad: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN group default qlen 32
    link/ether 86:eb:f1:99:9f:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::84eb:f1ff:fe99:9f51/64 scope link 
       valid_lft forever preferred_lft forever
82: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 04:f0:21:88:40:33 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6f0:21ff:fe88:4033/64 scope link 
       valid_lft forever preferred_lft forever
83: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 04:f0:21:85:42:3a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6f0:21ff:fe85:423a/64 scope link 
       valid_lft forever preferred_lft forever

ip route show table all

default via 172.17.17.1 dev eth1 table 201 
10.19.90.0/24 dev br-guest table 201 proto kernel scope link src 10.19.90.1 
default via X.X.X.X dev mullvad table 202 
10.19.90.0/24 dev br-guest table 202 proto kernel scope link src 10.19.90.1 
default dev mullvad proto static scope link 
10.19.89.0/24 dev br-lan proto kernel scope link src 10.19.89.1 
172.17.17.0/24 dev eth1 proto kernel scope link src 172.17.17.2 
193.27.14.146 via 172.17.17.1 dev eth1 proto static 
broadcast 10.19.89.0 dev br-lan table local proto kernel scope link src 10.19.89.1 
local 10.19.89.1 dev br-lan table local proto kernel scope host src 10.19.89.1 
broadcast 10.19.89.255 dev br-lan table local proto kernel scope link src 10.19.89.1 
broadcast 10.19.90.0 dev br-guest table local proto kernel scope link src 10.19.90.1 
local 10.19.90.1 dev br-guest table local proto kernel scope host src 10.19.90.1 
broadcast 10.19.90.255 dev br-guest table local proto kernel scope link src 10.19.90.1 
local X.X.X.X dev mullvad table local proto kernel scope host src X.X.X.X 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.17.0 dev eth1 table local proto kernel scope link src 172.17.17.2 
local 172.17.17.2 dev eth1 table local proto kernel scope host src 172.17.17.2 
broadcast 172.17.17.255 dev eth1 table local proto kernel scope link src 172.17.17.2 
fd30:f1aa:41e2::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd30:f1aa:41e2::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev ifb4mullvad proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd30:f1aa:41e2:: dev br-lan table local proto kernel metric 0 pref medium
local fd30:f1aa:41e2::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4mullvad table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
local fe80::20d:b9ff:fe4c:a344 dev eth1 table local proto kernel metric 0 pref medium
local fe80::20d:b9ff:fe4c:a346 dev br-guest table local proto kernel metric 0 pref medium
local fe80::6f0:21ff:fe85:423a dev wlan0 table local proto kernel metric 0 pref medium
local fe80::6f0:21ff:fe88:4033 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::3832:67ff:fe2c:4f28 dev br-lan table local proto kernel metric 0 pref medium
local fe80::84eb:f1ff:fe99:9f51 dev ifb4mullvad table local proto kernel metric 0 pref medium
local fe80::a0a6:a6ff:fe59:3c1a dev ifb4eth1 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev br-guest table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev ifb4eth1 table local metric 256 pref medium
ff00::/8 dev mullvad table local metric 256 pref medium
ff00::/8 dev ifb4mullvad table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium

ip rule show

0:      from all lookup local 
32708:  from all fwmark 0x20000/0xff0000 lookup 202 
32709:  from all fwmark 0x10000/0xff0000 lookup 201 
32766:  from all lookup main 
32767:  from all lookup default

This is an invalid address, either use 10.19.90.0/24 or 10.19.90.2

Create a PBR policy for the lan interface to use the Mullvad interface. Currently the custom routing tables only have the guest interface apart from the default.
The src_dip at the redirects should not be necessary, better remove it.
Firewall rules 11-14 are not needed, you can remove them.

Thank you for your feedback. I've deleted the unnecessary src_dip and firewall rules 11-14. By the way, why don't I need 11-14, but need 9 & 10?

I also fixed the PBR rules:

uci show vpn-policy-routing

vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='Guest'
vpn-policy-routing.@policy[0].src_addr='10.19.90.0/24'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='Lan'
vpn-policy-routing.@policy[1].src_addr='10.19.89.0/24'
vpn-policy-routing.@policy[1].interface='mullvad'

But I still can't access the web interface from the guest network.

Because you reject the input of the guest zone, you have to accept DHCP and DNS for hosts to work.
11-14 are not running on the router, so there is no point in allowing the input.

iptables-save -c -t mangle; ip -4 ro li table all

:+1:

root@OpenWrt:~# iptables-save -c -t mangle; ip -4 ro li table all
# Generated by iptables-save v1.8.3 on Fri Jan 15 13:21:19 2021
*mangle
:PREROUTING ACCEPT [12622785:14057512844]
:INPUT ACCEPT [4809343:7093849390]
:FORWARD ACCEPT [7812961:6963539438]
:OUTPUT ACCEPT [3846656:478769225]
:POSTROUTING ACCEPT [11659596:7442308247]
:QOS_MARK_eth1 - [0:0]
:QOS_MARK_mullvad - [0:0]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[0:0] -A PREROUTING -i vtun+ -p tcp -j MARK --set-xmark 0x2/0xff
[4371:4166836] -A PREROUTING -i mullvad -m dscp ! --dscp 0x00 -j DSCP --set-dscp 0x00
[46:1656] -A PREROUTING -i eth1 -m dscp ! --dscp 0x00 -j DSCP --set-dscp 0x00
[12622788:14057512997] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[4807919:7093662375] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[3967527:6762113442] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[134:8432] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[46:2760] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[655:39668] -A FORWARD -o mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone mullvad MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[275:16420] -A FORWARD -i mullvad -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone mullvad MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3070:265957] -A OUTPUT -p udp -m multiport --ports 123,53 -j DSCP --set-dscp 0x24
[3846658:478769366] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[3854764:479999164] -A POSTROUTING -o eth1 -m mark --mark 0x0/0xff -g QOS_MARK_eth1
[3847383:201886633] -A POSTROUTING -o mullvad -m mark --mark 0x0/0xff -g QOS_MARK_mullvad
[3854764:479999164] -A QOS_MARK_eth1 -j MARK --set-xmark 0x2/0xff
[0:0] -A QOS_MARK_eth1 -m dscp --dscp 0x08 -j MARK --set-xmark 0x3/0xff
[2:293] -A QOS_MARK_eth1 -m dscp --dscp 0x30 -j MARK --set-xmark 0x1/0xff
[0:0] -A QOS_MARK_eth1 -m dscp --dscp 0x2e -j MARK --set-xmark 0x1/0xff
[294:20860] -A QOS_MARK_eth1 -m dscp --dscp 0x24 -j MARK --set-xmark 0x1/0xff
[297:21088] -A QOS_MARK_eth1 -m tos --tos 0x10/0x3f -j MARK --set-xmark 0x1/0xff
[3847383:201886633] -A QOS_MARK_mullvad -j MARK --set-xmark 0x2/0xff
[0:0] -A QOS_MARK_mullvad -m dscp --dscp 0x08 -j MARK --set-xmark 0x3/0xff
[191:26315] -A QOS_MARK_mullvad -m dscp --dscp 0x30 -j MARK --set-xmark 0x1/0xff
[49:3724] -A QOS_MARK_mullvad -m dscp --dscp 0x2e -j MARK --set-xmark 0x1/0xff
[164:12464] -A QOS_MARK_mullvad -m dscp --dscp 0x24 -j MARK --set-xmark 0x1/0xff
[170:12920] -A QOS_MARK_mullvad -m tos --tos 0x10/0x3f -j MARK --set-xmark 0x1/0xff
[3845469:201443081] -A VPR_PREROUTING -s 10.19.89.0/24 -m comment --comment Lan -j MARK --set-xmark 0x20000/0xff0000
[1873:294099] -A VPR_PREROUTING -s 10.19.90.0/24 -m comment --comment Guest -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Fri Jan 15 13:21:19 2021
default via 172.17.17.1 dev eth1 table 201 
10.19.90.0/24 dev br-guest table 201 proto kernel scope link src 10.19.90.1 
default via X.X.X.X dev mullvad table 202 
10.19.90.0/24 dev br-guest table 202 proto kernel scope link src 10.19.90.1 
default dev mullvad proto static scope link 
10.19.89.0/24 dev br-lan proto kernel scope link src 10.19.89.1 
10.19.90.0/24 dev br-guest proto kernel scope link src 10.19.90.1 
172.17.17.0/24 dev eth1 proto kernel scope link src 172.17.17.2 
193.27.14.146 via 172.17.17.1 dev eth1 proto static 
broadcast 10.19.89.0 dev br-lan table local proto kernel scope link src 10.19.89.1 
local 10.19.89.1 dev br-lan table local proto kernel scope host src 10.19.89.1 
broadcast 10.19.89.255 dev br-lan table local proto kernel scope link src 10.19.89.1 
broadcast 10.19.90.0 dev br-guest table local proto kernel scope link src 10.19.90.1 
local 10.19.90.1 dev br-guest table local proto kernel scope host src 10.19.90.1 
broadcast 10.19.90.255 dev br-guest table local proto kernel scope link src 10.19.90.1 
local X.X.X.X dev mullvad table local proto kernel scope host src X.X.X.X 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.17.0 dev eth1 table local proto kernel scope link src 172.17.17.2 
local 172.17.17.2 dev eth1 table local proto kernel scope host src 172.17.17.2 
broadcast 172.17.17.255 dev eth1 table local proto kernel scope link src 172.17.17.2 

The routes are still not populated for some reason.
What does /etc/init.d/vpn-policy-routing status say?

root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
Syntax: /etc/init.d/vpn-policy-routing [command]

Available commands:
        start   Start the service
        stop    Stop the service
        restart Restart the service
        reload  Reload configuration files (or restart if service does not implement reload)
        enable  Enable service autostart
        disable Disable service autostart
        support Generates output required to troubleshoot routing issues
                Use '-d' option for more detailed output
                Use '-p' option to automatically upload data under VPR paste.ee account
                        WARNING: while paste.ee uploads are unlisted, they are still publicly available
                List domain names after options to include their lookup in report
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wan/dev/172.17.17.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               0.0.0.0         U     0      0        0 mullvad
IPv4 Table 201: default via 172.17.17.1 dev eth1
10.19.90.0/24 dev br-guest proto kernel scope link src 10.19.90.1
IPv4 Table 201 Rules:
32741:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via X.X.X.X dev mullvad
10.19.90.0/24 dev br-guest proto kernel scope link src 10.19.90.1
IPv4 Table 202 Rules:
32740:  from all fwmark 0x20000/0xff0000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.19.89.0/24 -m comment --comment Lan -c 3850645 202373006 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.19.90.0/24 -m comment --comment Guest -c 2143 325205 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~# 

Our configs are almost identical, I am using version 0.2.1-14 and I have the status option available. Also in every routing table created by vpn-pbr I have all my local routes, so there is no limitation in intranet traffic regardless of the gateway.
@stangri maybe you have an idea what's wrong here and the routing tables are not filled in properly?

I'm also wondering what's wrong here, since dnsmasq is installed :thinking:

root@OpenWrt:~# opkg list-installed | grep ^dnsmasq
dnsmasq - 2.80-16.1

You need dnsmasq-full for that, but it is not necessary if you don't use ipsets.

uci set vpn-policy-routing.@policy[0].dest_addr="!10.19.88.0/22"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

Sorry, can you maybe highlight somehow what is expected to be in the routing tables but isn't present?

Sure! The OP has only one entry, for 10.19.90.0/24 from the guest interface.
I have routes for all my interfaces (lan, guest, iot), plus some more static routes that are in the main routing table:

Routes/IP Rules
default         blah.blah       0.0.0.0         UG    10     0        0 pppoe-wan
default         *               0.0.0.0         U     90     0        0 tun2
IPv4 Table 201: default via 95.152.X.X dev pppoe-wan
10.0.0.0/19 via 10.0.20.1 dev tun0 proto zebra metric 20
unreachable 10.0.0.0/8 proto static metric 240
10.0.2.0/24 dev eth0.4 proto kernel scope link src 10.0.2.1
10.0.3.0/24 via 10.0.10.3 dev roadwarrior proto zebra metric 20
10.0.10.0/24 dev roadwarrior proto kernel scope link src 10.0.10.1
10.0.20.0/30 dev tun0 proto kernel scope link src 10.0.20.2
10.0.20.2 via 10.0.20.1 dev tun0 proto zebra metric 20
10.0.20.4/30 dev elvetias proto kernel scope link src 10.0.20.5
10.0.20.10 via 10.0.20.1 dev tun0 proto zebra metric 20
10.0.20.14 via 10.0.20.1 dev tun0 proto zebra metric 20
unreachable 169.254.0.0/16 proto static metric 240
unreachable 172.16.0.0/12 proto static metric 240
172.17.17.0/24 dev eth0.2 proto kernel scope link src 172.17.17.1
172.30.30.0/24 dev eth0.3 proto kernel scope link src 172.30.30.1
unreachable 192.168.0.0/16 proto static metric 240
192.168.1.0/24 via 10.0.20.6 dev elvetias proto zebra metric 20
192.168.8.0/24 dev tun1 proto kernel scope link src 192.168.8.1
IPv4 Table 201 Rules:
...

You can simply exclude local networks from the policy scope as mentioned above.

The question is why we have different output in the routing tables with the same configuration? The only differences I found were some webgui cosmetics, apart from the slightly different version. And none has excluded any networks like you suggested.

root@magiatiko / > uci show vpn-policy-routing
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].src_addr='10.0.2.5/32'
vpn-policy-routing.@policy[0].proto='all'
vpn-policy-routing.@policy[0].interface='proton'
vpn-policy-routing.@policy[0].name='rockpi proton'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].name='rockpi local'
vpn-policy-routing.@policy[1].src_addr='10.0.2.5/32'
vpn-policy-routing.@policy[1].dest_addr='10.0.0.0/19'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].name='roadwarrior'
vpn-policy-routing.@policy[2].src_port='1200'
vpn-policy-routing.@policy[2].chain='OUTPUT'
vpn-policy-routing.@policy[2].proto='udp'
vpn-policy-routing.@policy[2].enabled='0'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver' 'roadwarrior' 'elvetias' 'vps'
vpn-policy-routing.config.verbosity='0'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'

It looks like br-lan is ignored for some reason, so the issue affects all bridge lan* interfaces.

@vgaetera beat me to it. This is a piece of code which copies the entries from main routing table to the VPR tables: https://github.com/stangri/source.openwrt.melmac.net/blob/master/vpn-policy-routing/files/vpn-policy-routing.init#L627-L632.

If between the two of you, you can come up with a better code/idea, please do let me know/send PR. You have way more experience here.

As there seems to be no straightforward solution with PBR, I've played around with VLANs.
After I found out that my NAS can be configured to be in multiple VLANs at once (How To Configure Multiple VLANs on one Synology Bond), I now have a working solution. :metal:

If someone has a solution with port forwarding, I'm happy to test it. Thank you all :+1:

Actually, it works for me by excluding local networks as destination from the policy scope.
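
Why the destination exclusion works, as an added example that is not part of the thread or of vpn-policy-routing's own code: it replays the posted `ip rule` list, routing tables and `VPR_PREROUTING` marks for the port-forwarded flow from the tcpdump. `POLICIES_FIXED` assumes that `dest_addr='!10.19.88.0/22'` is rendered as `! -d 10.19.88.0/22` on the Guest rule; all function names are illustrative.

```python
import ipaddress

# Constructed from the thread's `ip rule show`, `ip route show table all` and
# mangle-table output. Rule 0 (table "local") is omitted: only forwarded
# traffic is modelled here.
RULES = [  # (priority, fwmark, mask, table); fwmark None matches every packet
    (32708, 0x20000, 0xFF0000, "202"),
    (32709, 0x10000, 0xFF0000, "201"),
    (32766, None, None, "main"),
]
TABLES = {  # table -> [(prefix, output device)]
    "201": [("0.0.0.0/0", "eth1"), ("10.19.90.0/24", "br-guest")],
    "202": [("0.0.0.0/0", "mullvad"), ("10.19.90.0/24", "br-guest")],
    "main": [("0.0.0.0/0", "mullvad"), ("10.19.89.0/24", "br-lan"),
             ("10.19.90.0/24", "br-guest"), ("172.17.17.0/24", "eth1"),
             ("193.27.14.146/32", "eth1")],
}
# VPR_PREROUTING as posted: (comment, source, excluded destination, mark)
POLICIES = [
    ("Lan", "10.19.89.0/24", None, 0x20000),
    ("Guest", "10.19.90.0/24", None, 0x10000),
]
# Assumption: dest_addr='!10.19.88.0/22' becomes "! -d 10.19.88.0/22" on Guest.
POLICIES_FIXED = [
    ("Lan", "10.19.89.0/24", None, 0x20000),
    ("Guest", "10.19.90.0/24", "10.19.88.0/22", 0x10000),
]


def mark_packet(src, dst, policies):
    """mangle PREROUTING: runs before DNAT, so dst is the original destination."""
    mark = 0
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _name, src_net, not_dst, value in policies:
        if src_ip not in ipaddress.ip_network(src_net):
            continue
        if not_dst and dst_ip in ipaddress.ip_network(not_dst):
            continue
        mark = (mark & ~0xFF0000) | value  # --set-xmark value/0xff0000
    return mark


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in TABLES[table]
            if dst_ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route(mark, dst):
    """Walk the ip rules in priority order; the first table with a match wins."""
    for _prio, fwmark, mask, table in sorted(RULES):
        if fwmark is not None and (mark & mask) != fwmark:
            continue
        dev = lookup(table, dst)
        if dev:
            return table, dev
    return None, None


def forward(src, orig_dst, nat_dst, policies):
    """Mark on the pre-DNAT destination, route on the post-DNAT destination."""
    return route(mark_packet(src, orig_dst, policies), nat_dst)


if __name__ == "__main__":
    # Guest client -> router:5001, port-forwarded to the NAS (tcpdump addresses).
    flow = ("10.19.90.176", "10.19.90.1", "10.19.89.161")
    print("as posted :", forward(*flow, POLICIES))
    print("with '!'  :", forward(*flow, POLICIES_FIXED))
```

On a live router, `ip route get 10.19.89.161 mark 0x10000` answers the same question for the marked case.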