Port redirection for local DPI tunnel

Hi! I'm trying to set up the youtubeUnblock package. It should redirect port 443 to 537 and manipulate packets there locally on the router, but this doesn't seem to work. I'm using my OpenWrt router as an AP that is connected to the main router. Here is my network setup:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:34c6:bdd8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth0.1'
	list ports 'eth0.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 8t'

config switch_vlan
	option device 'switch0'
	option ports '4 8t'
	option vlan '2'

And here are my nft rules:

root@OpenWrt:~# nft list ruleset
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
	}

	chain output {
		type filter hook output priority filter; policy accept;
		meta mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 accept
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
	}

	chain input_bridge {
	}

	chain output_bridge {
	}

	chain forward_bridge {
	}

	chain helper_bridge {
	}

	chain accept_from_bridge {
	}

	chain accept_to_bridge {
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

And the main part is:

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		tcp dport 443 ct original packets < 20 counter packets 0 bytes 0 queue flags bypass to 537
	}

My guess is that bridging might pass all the traffic through to the gateway without port redirection. Although tcpdump says something like this (outputs only port '80' traffic):

root@OpenWrt:~# tcpdump -i br-lan port 80 or port 443 or port 537 -c 5
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:34:25.647228 IP 192.168.0.2.80 > 192.168.0.104.41400: Flags [.], ack 3127470889, win 8010, options [nop,nop,TS val 2463209184 ecr 2872752555], length 0
17:34:25.647478 IP 192.168.0.104.41400 > 192.168.0.2.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 2872753595 ecr 2463207102], length 0
17:34:26.687231 IP 192.168.0.2.80 > 192.168.0.104.41400: Flags [.], ack 1, win 8010, options [nop,nop,TS val 2463210224 ecr 2872753595], length 0
17:34:26.687540 IP 192.168.0.104.41400 > 192.168.0.2.80: Flags [.], ack 1, win 501, options [nop,nop,TS val 2872754635 ecr 2463207102], length 0
17:34:27.727231 IP 192.168.0.2.80 > 192.168.0.104.41400: Flags [.], ack 1, win 8010, options [nop,nop,TS val 2463211264 ecr 2872754635], length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Where ...104 is my PC's IP and ...2 is the AP router's IP. Hope there is no dangerous info to be redacted in the tcpdump output.

You should probably start with addressing your issues here: https://github.com/Waujito/youtubeUnblock/issues

Thanks for the suggestion, I created an issue there and I'll link the solution if it appears. Although I think the problem might be caused by a wrong AP setup and my router just bridges my devices to the main router without any processing, which is not what I want. Is there a way to diagnose such behavior? Or am I stupid for thinking like that?

The owner of the package says the problem appears because I use 2 routers - the OpenWrt AP and the main one. So, traffic on the wrt just bypasses to the gateway. I guess the solution is to create a subnet. Will be digging in that direction.

upd: solved the issue, made my OpenWrt a router device following this guide
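The diagnostic question raised in the thread (is the AP bridging traffic past the rule?) can be answered from two things already posted: the `counter` on the queue rule in the forward-hook chain, and which ports tcpdump actually sees on br-lan. The Python below is an added example, not part of the thread or of youtubeUnblock; it parses both texts (constructed samples modelled on the output above) and classifies why the queue rule never matched. The status tokens and the sample strings are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in `nft list ruleset` format, trimmed from the thread:
# the queue rule sits in a forward-hook chain and has never matched.
NFT_SAMPLE = """table inet fw4 {
	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		tcp dport 443 ct original packets < 20 counter packets 0 bytes 0 queue flags bypass to 537
	}
}"""

# Constructed tcpdump-style capture on br-lan: only LuCI (port 80) packets, no 443.
TCPDUMP_SAMPLE = """17:34:25.647228 IP 192.168.0.2.80 > 192.168.0.104.41400: Flags [.], length 0
17:34:25.647478 IP 192.168.0.104.41400 > 192.168.0.2.80: Flags [.], length 0"""

CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
HOOK_RE = re.compile(r"type \w+ hook (\w+) priority")
QUEUE_RE = re.compile(r"counter packets (\d+) bytes \d+ queue\b.*?\bto (\d+)")
PKT_RE = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+):")


def queue_rules(ruleset: str) -> list:
    """Every `queue` rule with the chain and hook it lives in and its packet counter."""
    chain = hook = None
    found = []
    for line in ruleset.splitlines():
        if m := CHAIN_RE.match(line):
            chain, hook = m.group(1), None
        elif m := HOOK_RE.search(line):
            hook = m.group(1)
        elif m := QUEUE_RE.search(line):
            found.append({"chain": chain, "hook": hook,
                          "packets": int(m.group(1)), "queue": int(m.group(2))})
    return found


def dst_port_counts(capture: str) -> Counter:
    """Packets per TCP/UDP destination port in a numeric tcpdump capture."""
    return Counter(int(m.group(2)) for m in PKT_RE.finditer(capture))


def diagnose(ruleset: str, capture: str, port: int = 443) -> str:
    """Why a forward-hook queue rule for `port` is (or is not) seeing traffic."""
    rules = [r for r in queue_rules(ruleset) if r["hook"] == "forward"]
    if not rules:
        return "no-rule"          # nothing queues in a forward-hook chain
    if sum(r["packets"] for r in rules) > 0:
        return "working"          # the rule is matching forwarded packets
    if dst_port_counts(capture)[port] == 0:
        return "not-on-cpu"       # hardware switch forwards it; br-lan never sees it
    return "bridged-no-hook"      # on br-lan but bridged at L2; no inet forward hook
```

"not-on-cpu" is the thread's case: with the PC and the main router in the same switch VLAN, frames never reach the CPU, so neither tcpdump nor the queue rule can see them; "bridged-no-hook" covers software-bridged frames, which skip the inet forward hook unless br_netfilter is loaded. Either way, routing the clients through a separate subnet is the fix the thread settled on.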
