Problems with Double NAT

Hi,

I have a TP-Link Archer C7 v5 with 19.07.2 r10947.
My scenario is the following:
Two distinct ISPs. One is used as the primary link, the other as backup. They work properly with OpenWRT load balancing (mwan3 2.8.4-2 / luci-app-mwan3 git-20.136.49537-fb2f363-1).
I am able to remotely access the OpenWRT from the cloud, but not the devices behind NAT.
OpenWRT is in the DMZ of both my ISP routers.

This is what is occurring (sudo tcpdump -n -i any), where 192.168.15.12 and 192.168.1.1 are the OpenWRT IP addresses.
Port 8443 is the external port, and 443 is the internal port.
IP 192.168.1.228 is the VM that hosts the application on port 443 that I intend to access from the cloud.

14:11:36.142105 ethertype IPv4, IP 189.X.X.212.39856 > 192.168.15.12.8443: Flags [S], seq 710327887, win 65535, options [mss 1370,sackOK,TS val 18012707 ecr 0,nop,wscale 9], length 0
14:11:36.142105 IP 189.X.X.212.39856 > 192.168.15.12.8443: Flags [S], seq 710327887, win 65535, options [mss 1370,sackOK,TS val 18012707 ecr 0,nop,wscale 9], length 0
14:11:36.142333 IP 192.168.1.1.39856 > 192.168.1.228.443: Flags [S], seq 710327887, win 65535, options [mss 1370,sackOK,TS val 18012707 ecr 0,nop,wscale 9], length 0
14:11:36.142356 IP 192.168.1.1.39856 > 192.168.1.228.443: Flags [S], seq 710327887, win 65535, options [mss 1370,sackOK,TS val 18012707 ecr 0,nop,wscale 9], length 0
14:11:36.142365 ethertype Unknown, Unknown SSAP 0x6c > Unknown DSAP 0x64 Information, send seq 32, rcv seq 0, Flags [Command], length 56
        0x0000:  646c 4000 3506 5d1a c0a8 0101 c0a8 01e4  dl@.5.].........
        0x0010:  9bb0 01bb 2a56 be4f 0000 0000 a002 ffff  ....*V.O........
        0x0020:  62db 0000 0204 055a 0402 080a 0112 da23  b......Z.......#
        0x0030:  0000 0000 0103 0309                      ........
14:11:36.142616 ethertype IPv4, IP 192.168.1.228.443 > 192.168.1.1.39856: Flags [S.], seq 2939002406, ack 710327888, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 312171 ecr 18012707], length 0
14:11:36.142616 IP 192.168.1.228.443 > 192.168.1.1.39856: Flags [S.], seq 2939002406, ack 710327888, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 312171 ecr 18012707], length 0

What happens is that when the packet arrives from the VM (192.168.1.228.443 > 192.168.1.1.39856) at OpenWRT, I believe iptables discards the packets, per the tcpdump above.

Question: is anyone aware whether I could create iptables rules so that OpenWRT returns them to my ISP router?
I am not able to create static routes on either of my ISP routers, which is why I am using double NAT.
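To make the translations in the capture above explicit, here is a small conntrack-style model of the port forward: the SYN from the public client is DNATed (8443 to 192.168.1.228:443) and, because the lan zone masquerades, its source becomes the router's LAN address, which is why the VM sees 192.168.1.1.39856; the SYN-ACK from the VM then has to be translated back before it can leave towards the ISP router. This is an added example, not code from the thread. The router addresses and the port forward are taken from the post; 198.51.100.212 (TEST-NET-2) is a constructed stand-in for the redacted public client 189.X.X.212, and the set of masquerading zones is an assumption.

```python
"""Conntrack-style model of a DNAT port forward plus MASQUERADE on the LAN side.
Added example; addresses from the post, 198.51.100.212 is a constructed stand-in
for the redacted public client."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def inverse(self) -> Flow:
        return Flow(self.dst, self.dport, self.src, self.sport)

    def __str__(self) -> str:          # tcpdump-like notation
        return f"{self.src}.{self.sport} > {self.dst}.{self.dport}"


# Router interfaces from the post (ip -4 addr): ISP01 side and internal LAN.
IFACES = {
    "eth0.2": ipaddress.ip_interface("192.168.15.12/24"),
    "br-lan": ipaddress.ip_interface("192.168.1.1/24"),
}
# Port forward from the post: tcp/8443 arriving on eth0.2 -> 192.168.1.228:443
DNAT_RULES = {("eth0.2", 8443): ("192.168.1.228", 443)}
# Assumption: both zones end their postrouting chain in MASQUERADE.
MASQ_IFACES = {"eth0.2", "br-lan"}


def egress(dst: str) -> str:
    """Outgoing interface: a connected subnet first, otherwise the default
    route, which in the post goes via 192.168.15.1 on eth0.2."""
    ip = ipaddress.ip_address(dst)
    for name, iface in IFACES.items():
        if ip in iface.network:
            return name
    return "eth0.2"


class ConntrackNat:
    def __init__(self) -> None:
        # expected reply tuple -> original (pre-NAT) tuple of the connection
        self.table: dict[Flow, Flow] = {}

    def handle(self, pkt: Flow, in_iface: str) -> tuple[Flow, str]:
        """Return (packet as it leaves the router, egress interface)."""
        if pkt in self.table:
            # Reply direction: undo SNAT and DNAT by inverting the original tuple.
            out = self.table[pkt].inverse()
            return out, egress(out.dst)
        # New connection. PREROUTING: apply DNAT if a port forward matches.
        dnat = DNAT_RULES.get((in_iface, pkt.dport))
        out = Flow(pkt.src, pkt.sport, *dnat) if dnat else pkt
        out_iface = egress(out.dst)
        # POSTROUTING: MASQUERADE rewrites the source to the egress address
        # (the source port is kept unless it collides, which this model ignores).
        if out_iface in MASQ_IFACES:
            out = Flow(str(IFACES[out_iface].ip), out.sport, out.dst, out.dport)
        self.table[out.inverse()] = pkt
        return out, out_iface


def walk_handshake() -> list[str]:
    """Trace SYN and SYN-ACK through the router; returns tcpdump-style lines."""
    nat = ConntrackNat()
    syn = Flow("198.51.100.212", 39856, "192.168.15.12", 8443)
    fwd, fwd_if = nat.handle(syn, "eth0.2")
    synack = fwd.inverse()                     # what the VM sends back
    back, back_if = nat.handle(synack, fwd_if)
    return [f"eth0.2 in : {syn}", f"{fwd_if} out: {fwd}",
            f"{fwd_if} in : {synack}", f"{back_if} out: {back}"]


if __name__ == "__main__":
    print("\n".join(walk_handshake()))
```

The capture in the post stops at the SYN-ACK reaching the router (192.168.1.228.443 > 192.168.1.1.39856). The last line the model prints, 192.168.15.12.8443 > 198.51.100.212.39856 on eth0.2, is the packet that should appear next; watching only that interface (tcpdump -n -i eth0.2 port 8443) shows whether the reverse translation happens or the reply is dropped before it leaves.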

Why do you have a double-NAT configuration in the first place? Are you trying to create two distinct networks? Or some other situation? Can you remove the ISP router? Or if it is an integrated modem+router, can you set that device in bridge mode so that it delivers your public IP address to the WAN of your OpenWrt router instead?

Hi, thank you for your answer.
The reason for double NAT is that I have 2 different ISPs in load balance. Load balancing forces me to use 3 networks: ISP01 (192.168.15.0/24), ISP02 (192.168.0.0/24), and the internal network (192.168.1.1/24).
Both ISP devices are integrated modem+routers.
I can't use bridge mode because the ISP router does not have static route configuration on it.
If static routes were an option, I could stop using NAT for internal IPs.
I don't have a public IP address; I am using DDNS services.
I can access both ISP networks (192.168.15.0/24 and 192.168.0.0/24) from the cloud, but iptables seems to discard packets from my internal network.

I think you may be misunderstanding the purpose of bridge mode... you do not need static routes if you enable the bridge mode (assuming it is available). Specifically, it makes the modem just a 'media converter' (converting from cable/dsl/fiber/satellite/etc. to ethernet with no routing at all). If this is available, this is what you want to use. Please check your modem configuration pages to see if there is a bridge mode (if in doubt, you can provide information about the models of the modems as well as screenshots of the config pages).

You are confusing the idea of a dynamic vs static IP with a public IP. You may not have static IPs, but it is reasonably likely that you have a public IP (i.e. one that is publicly routable). This is in comparison to the RFC1918 private address ranges. That is to say that the IP address itself may change at certain times, but it is an address that can be routed on the public internet. The DDNS services allow you to use a constant domain name that is updated to point to your actual IP address anytime it changes.

That said, it is important to make sure that you do indeed have public IP addresses on the WANs of each of the modem+router units (or if you can use them in bridge mode, the WANs of your OpenWrt router). If the WANs are in the RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) those are not public. Nor is the CG-NAT range 100.64.0.0/10.

One way to check is to see what is being reported by each of the ISP modem/router devices as its WAN address and then to do an IP check (google: what's my IP) to see if they match.
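The check described in this reply (is the modem's WAN address publicly routable, and does the outside world see the same address?) as an added example, not code from the thread. The range list is the one named above, which also covers the 100.80.160.0/19 subnet that appears later in the thread's route table; the sample addresses are constructed (198.51.100.0/24 is TEST-NET-2).

```python
"""Classify an address as public, RFC1918 private or CG-NAT (RFC 6598) and run
the two-step WAN check: reported WAN address must be public and must match what
an outside 'what's my IP' service sees. Added example; sample values constructed."""
from __future__ import annotations
import ipaddress

NON_PUBLIC = {
    "RFC1918 private": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "CG-NAT (RFC 6598)": [ipaddress.ip_network("100.64.0.0/10")],
}


def classify(addr: str) -> str:
    """Return 'public' or the name of the non-public range containing addr."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def wan_is_public(reported_wan: str, seen_from_internet: str) -> tuple[bool, str]:
    """(ok, reason): ok only when the reported WAN address is publicly routable
    and the outside world sees the same address, i.e. nothing NATs in front of it."""
    kind = classify(reported_wan)
    if kind != "public":
        return False, f"{reported_wan} is in a {kind} range"
    if ipaddress.ip_address(reported_wan) != ipaddress.ip_address(seen_from_internet):
        return False, (f"outside sees {seen_from_internet} but the modem reports "
                       f"{reported_wan}: another NAT upstream")
    return True, f"{reported_wan} is public and visible as-is"


if __name__ == "__main__":
    # constructed cases: modem LAN-side address by mistake, a CG-NAT address
    # (the ISP NATs the traffic again), and a genuine public address
    for wan, seen in (("192.168.15.1", "198.51.100.7"),
                      ("100.80.160.9", "198.51.100.7"),
                      ("198.51.100.7", "198.51.100.7")):
        print(wan, "->", wan_is_public(wan, seen))
```

A CG-NAT address on the WAN is the case to watch for with a second ISP: the modem may be happy to report it as its "WAN IP", but inbound port forwards can never reach it because the carrier's NAT has no mapping for them.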

I would first try to set both ISP routers in bridge mode (no need to worry about static routes, as far as I know), so your router has two public IP addresses.

My ISP01 needs to operate as a router, because it manages internal applications such as the TV decoder.
It is an Askey RTF3507VW-N1 - REV2_B2.
It has a warning message:
"Attention: Changing the operation mode to bridge will disable internet, telephony and TV services.
This will also make it impossible for you to receive support and updates with improvements".

I will need to check if it can be done on my ISP02. I don't have the device credentials, but I am pretty sure it's running on defaults (another reason for NAT); bridge mode should definitely resolve it.
I will check that, and come back to this forum thread (in case someone has the same doubt in the future).

Yes, indeed I have 2 public IP addresses; I misunderstood the question, apologies.
I meant I did not buy any static IP. (In the tcpdump I have only hidden my public IP: 189.X.X.212.39856)

Thank you

It looks strange in the tcpdump that you have a different source address for the packet that goes to the VM with the HTTPS. But the VM replies back with a SYN-ACK anyway (last 2 lines).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thank you for your reply, trandy.

I was able to set my ISP02 modem/router to act as a bridge (100.X.X.246/32 - 100.0.0.0/8 is NOT under the LACNIC range), but the ISP does not deliver my request to OpenWRT. So it's worthless; I don't have 2 public IPs, as I said, but only 1, and I cannot change that device's behavior.

Here is the config you requested (I have replaced some IPs and ports, but not the ports that I am testing for the purpose of this thread):

MyLogin@Archer:~$ sudo ubus call system board; \
> sudo uci export network; uci export dhcp; uci export firewall; \
> sudo head -n -0 /etc/firewall.user; \
> sudo iptables-save -c; \
> sudo ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "4.14.171",
        "hostname": "Archer",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.2",
                "revision": "r10947-65030d81f3",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.2 r10947-65030d81f3"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd02:f5c0:e811::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.15.12'
        option netmask '255.255.255.0'
        option gateway '192.168.15.1'
        option broadcast '192.168.15.255'
        list dns '192.168.15.1'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '50:d4:f7:00:00:00'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 2'

config interface 'guest'
        option proto 'static'
        option ifname 'eth0'
        option type 'bridge'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'wanbk'
        option proto 'dhcp'
        option ifname 'eth0.3'

uci: I/O error
uci: I/O error
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Tue Sep 22 14:24:27 2020
*nat
:PREROUTING ACCEPT [3447:622009]
:INPUT ACCEPT [445:33185]
:OUTPUT ACCEPT [627:47560]
:POSTROUTING ACCEPT [4:260]
:postrouting_guest_rule - [0:0]
:postrouting_iwan_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_iwan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_iwan_postrouting - [0:0]
:zone_iwan_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3463:622969] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2586:275477] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[7:2658] -A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
[242:79093] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[628:265741] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_iwan_prerouting
[1012:167859] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[16:960] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[150:12600] -A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[842:154039] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_iwan_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[242:79093] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[842:154039] -A zone_iwan_postrouting -m comment --comment "!fw3: Custom iwan postrouting rule chain" -j postrouting_iwan_rule
[842:154039] -A zone_iwan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[628:265741] -A zone_iwan_prerouting -m comment --comment "!fw3: Custom iwan prerouting rule chain" -j prerouting_iwan_rule
[16:960] -A zone_iwan_prerouting -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: teste" -j DNAT --to-destination 192.168.1.228:443
[16:960] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.13/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Escritorio (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.13/32 -p tcp -m tcp --dport 27036:27037 -m comment --comment "!fw3: SteamLink (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.13/32 -p udp -m udp --dport 27031:27036 -m comment --comment "!fw3: SteamLink (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.228/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: teste (reflection)" -j SNAT --to-source 192.168.1.1
[16:960] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2586:275477] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.X.X.246/32 -p tcp -m tcp --dport 221 -m comment --comment "!fw3: Escritorio (reflection)" -j DNAT --to-destination 192.168.1.13:22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.X.X.246/32 -p tcp -m tcp --dport 27036:27037 -m comment --comment "!fw3: SteamLink (reflection)" -j DNAT --to-destination 192.168.1.13:27036-27037
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.X.X.246/32 -p udp -m udp --dport 27031:27036 -m comment --comment "!fw3: SteamLink (reflection)" -j DNAT --to-destination 192.168.1.13:27031-27036
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.15.12/32 -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: teste (reflection)" -j DNAT --to-destination 192.168.1.228:443
[150:12600] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[150:12600] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[7:2658] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 221 -m comment --comment "!fw3: Escritorio" -j DNAT --to-destination 192.168.1.13:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 27036:27037 -m comment --comment "!fw3: SteamLink" -j DNAT --to-destination 192.168.1.13:27036-27037
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 27031:27036 -m comment --comment "!fw3: SteamLink" -j DNAT --to-destination 192.168.1.13:27031-27036
COMMIT
# Completed on Tue Sep 22 14:24:27 2020
# Generated by iptables-save v1.8.3 on Tue Sep 22 14:24:27 2020
*raw
:PREROUTING ACCEPT [462146:305260282]
:OUTPUT ACCEPT [16380:8734727]
:zone_guest_helper - [0:0]
[232610:86034572] -A PREROUTING -i br-guest -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Tue Sep 22 14:24:27 2020
# Generated by iptables-save v1.8.3 on Tue Sep 22 14:24:27 2020
*mangle
:PREROUTING ACCEPT [462148:305261598]
:INPUT ACCEPT [9791:598426]
:FORWARD ACCEPT [449802:304220682]
:OUTPUT ACCEPT [16382:8735271]
:POSTROUTING ACCEPT [466110:312929678]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_in_wanbk - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_wan2_only - [0:0]
:mwan3_policy_wan2_wan - [0:0]
:mwan3_policy_wan_only - [0:0]
:mwan3_policy_wan_wan2 - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rules - [0:0]
[7199696:5315513780] -A PREROUTING -j mwan3_hook
[48:2816] -A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[128300:51618307] -A OUTPUT -j mwan3_hook
[4049462:4803670186] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[7327996:5367132087] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[168068:27083033] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[141540:15367960] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[34647:6843181] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[7327996:5367132087] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[7011891:5286600423] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[21810:11287363] -A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[4433:323380] -A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[4:1343] -A mwan3_iface_in_wanbk -i eth0.3 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[281:102987] -A mwan3_iface_in_wanbk -i eth0.3 -m mark --mark 0x0/0x3f00 -m comment --comment wanbk -j MARK --set-xmark 0x200/0x3f00
[168045:27078870] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
[141613:15454102] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wanbk
[3384:284256] -A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m statistic --mode random --probability 0.50000000000 -m comment --comment "wanbk 3 6" -j MARK --set-xmark 0x200/0x3f00
[3450:289800] -A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
[0:0] -A mwan3_policy_wan2_only -m mark --mark 0x0/0x3f00 -m comment --comment "wanbk 3 3" -j MARK --set-xmark 0x200/0x3f00
[0:0] -A mwan3_policy_wan2_wan -m mark --mark 0x0/0x3f00 -m comment --comment "wanbk 3 3" -j MARK --set-xmark 0x200/0x3f00
[0:0] -A mwan3_policy_wan_only -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
[20691:5798318] -A mwan3_policy_wan_wan2 -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
[7150:470430] -A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
[67:3954] -A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00
[67:3954] -A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_wan_wan2
[7150:470430] -A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
[7150:470430] -A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
[0:0] -A mwan3_rules -d 107.180.58.61/32 -m mark --mark 0x0/0x3f00 -m comment --comment google -j mwan3_policy_wan2_only
[7150:470430] -A mwan3_rules -p tcp -m multiport --sports 0:65535 -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -m comment --comment https -j mwan3_rule_https
[6834:574056] -A mwan3_rules -d 8.8.8.8/32 -p icmp -m mark --mark 0x0/0x3f00 -m comment --comment ping -j mwan3_policy_balanced
[20618:5793989] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_wan_wan2
COMMIT
# Completed on Tue Sep 22 14:24:27 2020
# Generated by iptables-save v1.8.3 on Tue Sep 22 14:24:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_iwan_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_iwan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_iwan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_iwan_dest_ACCEPT - [0:0]
:zone_iwan_dest_REJECT - [0:0]
:zone_iwan_forward - [0:0]
:zone_iwan_input - [0:0]
:zone_iwan_output - [0:0]
:zone_iwan_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[88:7405] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[9711:591341] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[8168:456211] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[165:7860] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1326:119986] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[17:6504] -A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
[27:1767] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[173:6873] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_iwan_input
[449839:304250633] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[449422:304072503] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[279:148430] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
[122:28740] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[16:960] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_iwan_forward
[72:26140] -A FORWARD -m comment --comment "!fw3" -j reject
[88:7405] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[16326:8735130] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[15699:8687574] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[378:28331] -A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[249:19225] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_iwan_output
[98:4368] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[78:26547] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[165:7860] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[122:28740] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[49:2548] -A zone_guest_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Guest-Https" -j zone_wan_dest_ACCEPT
[18:21042] -A zone_guest_forward -p udp -m udp --dport 443 -m comment --comment "!fw3: Guest-Https" -j zone_wan_dest_ACCEPT
[49:2548] -A zone_guest_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Guest-Https" -j zone_iwan_dest_ACCEPT
[1:52] -A zone_guest_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Guest-Http" -j zone_wan_dest_ACCEPT
[1:52] -A zone_guest_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Guest-Http" -j zone_iwan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[72:26140] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[27:1767] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest-DNS" -j ACCEPT
[24:1533] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest-DNS" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 67:68 -m comment --comment "!fw3: Guest-DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest-DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:234] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[3:234] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[2:135] -A zone_iwan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[569:169532] -A zone_iwan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_iwan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[16:960] -A zone_iwan_forward -m comment --comment "!fw3: Custom iwan forwarding rule chain" -j forwarding_iwan_rule
[0:0] -A zone_iwan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j ACCEPT
[0:0] -A zone_iwan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j ACCEPT
[16:960] -A zone_iwan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_iwan_forward -m comment --comment "!fw3" -j zone_iwan_dest_REJECT
[173:6873] -A zone_iwan_input -m comment --comment "!fw3: Custom iwan input rule chain" -j input_iwan_rule
[0:0] -A zone_iwan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_iwan_input -p icmp -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[71:2272] -A zone_iwan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[1:60] -A zone_iwan_input -p tcp -m tcp --dport 222 -m comment --comment "!fw3: FromVivoNetRouter" -j ACCEPT
[0:0] -A zone_iwan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[101:4541] -A zone_iwan_input -m comment --comment "!fw3" -j zone_iwan_src_REJECT
[249:19225] -A zone_iwan_output -m comment --comment "!fw3: Custom iwan output rule chain" -j output_iwan_rule
[249:19225] -A zone_iwan_output -m comment --comment "!fw3" -j zone_iwan_dest_ACCEPT
[101:4541] -A zone_iwan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[279:148430] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[279:148430] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[272:147842] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to guest forwarding policy" -j zone_guest_dest_ACCEPT
[272:147842] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to iwan forwarding policy" -j zone_iwan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1326:119986] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1326:119986] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1326:119986] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[385:28919] -A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[17:6504] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[17:6504] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 222 -m comment --comment "!fw3: FromVivoNetToRouter" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[378:28331] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[378:28331] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Sep 22 14:24:27 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.15.12/24 brd 192.168.15.255 scope global eth0.2
       valid_lft forever preferred_lft forever
10: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 100.X.X.246/19 brd 100.80.191.255 scope global eth0.3
       valid_lft forever preferred_lft forever
default via 192.168.15.1 dev eth0.2 table 1
100.80.160.0/19 dev eth0.3 table 1 proto kernel scope link src 100.X.X.246
192.168.1.0/24 dev br-lan table 1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-guest table 1 proto kernel scope link src 192.168.2.1
192.168.15.0/24 dev eth0.2 table 1 proto kernel scope link src 192.168.15.12
default via 100.80.160.1 dev eth0.3 table 2
100.80.160.0/19 dev eth0.3 table 2 proto kernel scope link src 100.X.X.246
192.168.1.0/24 dev br-lan table 2 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-guest table 2 proto kernel scope link src 192.168.2.1
192.168.15.0/24 dev eth0.2 table 2 proto kernel scope link src 192.168.15.12
default via 100.80.160.1 dev eth0.3 proto static src 100.X.X.246
100.80.160.0/19 dev eth0.3 proto kernel scope link src 100.X.X.246
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-guest proto kernel scope link src 192.168.2.1
192.168.15.0/24 dev eth0.2 proto kernel scope link src 192.168.15.12
broadcast 100.80.160.0 dev eth0.3 table local proto kernel scope link src 100.X.X.246
local 100.X.X.246 dev eth0.3 table local proto kernel scope host src 100.X.X.246
broadcast 100.80.191.255 dev eth0.3 table local proto kernel scope link src 100.X.X.246
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev br-guest table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-guest table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-guest table local proto kernel scope link src 192.168.2.1
broadcast 192.168.15.0 dev eth0.2 table local proto kernel scope link src 192.168.15.12
local 192.168.15.12 dev eth0.2 table local proto kernel scope host src 192.168.15.12
broadcast 192.168.15.255 dev eth0.2 table local proto kernel scope link src 192.168.15.12
0:      from all lookup local
1001:   from all iif eth0.2 lookup 1
1002:   from all iif eth0.3 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
MyLogin@Archer:~$

Remove the 192.168.1.1 DNS from the lan interface. The Google DNS should be under the wan interface.

There was some problem reading the dhcp and firewall files:

I suppose the wan interface is in the iwan zone and wanbk is in wan.

Rule has hits, so it works.

I think there is an issue with the mwan3 rule you have, but better post the uci export mwan3 as well to cross-check.
By the way, the IP you got from the cellular is behind CGNAT.
Unless you have agreed with your ISP, port forwarding will not work here.


Remove the 192.168.1.1 DNS from the lan interface. The Google DNS should be under the wan interface.

Removed, ty

There was some problem reading the dhcp and firewall files:

Apologies, I forgot to add the sudo command.

@Archer:~$ sudo uci export dhcp
Password:
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'guest'

config host
        option name 'Escritorio'
        option dns '1'
        option mac '1C:1B:0D:00:00:00'
        option ip '192.168.1.13'
        option leasetime '12'

config host
        option name 'Media'
        option dns '1'
        option mac 'BC:5F:F4:00:00:00'
        option ip '192.168.1.14'
        option leasetime '12'

config host
        option name 'HPDEB431'
        option dns '1'
        option mac '38:22:E2:00:00:00'
        option ip '192.168.1.135'
        option leasetime '12'

config host
        option name 'RasPI'
        option dns '1'
        option mac 'B8:27:EB:00:00:00'
        option ip '192.168.1.20'
        option leasetime '12'

@Archer:~$ sudo uci export firewall
package firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        list proto 'udp'
        option src 'iwan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '68'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        list proto 'icmp'
        option src 'iwan'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        list proto 'igmp'
        option src 'iwan'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        list proto 'udp'
        option src 'iwan'
        list src_ip 'fc00::/6'
        option target 'ACCEPT'
        option family 'ipv6'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        list proto 'icmp'
        option src 'iwan'
        list src_ip 'fe80::/10'
        option target 'ACCEPT'
        option family 'ipv6'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option family 'ipv6'
        list proto 'icmp'
        option src 'iwan'
        option target 'ACCEPT'
        option limit '1000/second'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option family 'ipv6'
        list proto 'icmp'
        option src 'iwan'
        option dest '*'
        option target 'ACCEPT'
        option limit '1000/second'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        list proto 'esp'
        option src 'iwan'
        option dest '*'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        list proto 'udp'
        option src 'iwan'
        option dest '*'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'Guest-DNS'
        option dest_port '53'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'Guest-DHCP'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option dest_port '443'
        option dest 'wan'
        option name 'Guest-Https'

config rule
        list proto 'tcp'
        option src 'guest'
        option dest 'iwan'
        option target 'ACCEPT'
        option dest_port '443'
        option name 'Guest-Https'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'Guest-Http'
        option proto 'tcp'
        option dest_port '80'
        option dest 'wan'

config rule
        option name 'Guest-Http'
        list proto 'tcp'
        option src 'guest'
        option dest 'iwan'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'FromVivoNetToRouter'
        option proto 'tcp'
        option src_ip '0.0.0.0/0'
        option dest_port '222'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'WAN2 wwan wanbk'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'guest'
        option input 'REJECT'
        option network 'guest'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.13'
        option dest_port '22'
        option name 'Escritorio'
        option src_dport '221'
        option src 'iwan'

config forwarding
        option dest 'guest'
        option src 'lan'

config redirect
        option target 'DNAT'
        option name 'SteamLink'
        list proto 'tcp'
        option src_dport '27036-27037'
        option dest 'lan'
        option dest_ip '192.168.1.13'
        option src 'iwan'

config redirect
        option target 'DNAT'
        option name 'SteamLink'
        list proto 'udp'
        option src_dport '27031-27036'
        option dest 'lan'
        option dest_ip '192.168.1.13'
        option src 'iwan'

config zone
        option name 'iwan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'iwan'

config rule
        list proto 'tcp'
        option src 'iwan'
        option dest_port '222'
        option target 'ACCEPT'
        list src_ip '0.0.0.0/0'
        option name 'FromVivoNetRouter'

config redirect
        option target 'DNAT'
        option name 'teste'
        list proto 'tcp'
        option src 'iwan'
        option dest 'lan'
        option src_dport '8443'
        option dest_ip '192.168.1.228'
        option dest_port '443'

I think there is an issue with the mwan3 rule you have, but better post the uci export mwan3 as well to cross-check.

@Archer:~$ sudo uci export mwan3
Password:
package mwan3

config rule 'google'
        option sticky '0'
        option use_policy 'wan2_only'
        option dest_ip 'www.meuip.com.br'
        option proto 'all'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'wan_wan2'

config rule 'ping'
        option dest_ip '8.8.8.8'
        option proto 'icmp'
        option sticky '0'
        option use_policy 'balanced'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option proto 'all'
        option sticky '0'
        option use_policy 'wan_wan2'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option metric '2'
        option weight '3'
        option interface 'wan'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        option last_resort 'unreachable'

config policy 'wan2_only'
        option last_resort 'unreachable'
        list use_member 'wanbk_m1_w3'

config policy 'wan_wan2'
        option last_resort 'unreachable'
        list use_member 'wan_m1_w3'
        list use_member 'wanbk_m2_w3'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanbk_m1_w3'
        option last_resort 'unreachable'

config globals 'globals'
        option mmx_mask '0x3F00'
        option local_source 'lan'

config interface 'wan'
        option enabled '1'
        option family 'ipv4'
        option count '1'
        option interval '5'
        option down '3'
        option initial_state 'online'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        option track_method 'ping'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option failure_interval '5'
        option recovery_interval '5'
        option up '5'
        option reliability '1'
        option timeout '3'

config interface 'wanbk'
        option initial_state 'online'
        option family 'ipv4'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option interval '5'
        option failure_interval '5'
        option recovery_interval '5'
        option down '3'
        option enabled '1'
        option timeout '3'
        option up '5'
        list track_ip '8.8.8.8'
        list track_ip '8.8.4.4'

config member 'wanbk_m2_w3'
        option interface 'wanbk'
        option metric '2'
        option weight '3'

config member 'wanbk_m1_w3'
        option interface 'wanbk'
        option metric '1'
        option weight '3'

config policy 'wan2_wan'
        list use_member 'wanbk_m1_w3'
        list use_member 'wan_m2_w3'
        option last_resort 'unreachable'

@Archer:~$

Thank you

Is there a reason to masquerade on the lan?

Also, there is no mtu_fix in the iwan zone, why?

mwan3 looks fine too.
Fix the above mentioned comments and let us know how it goes.


That was a test due to my guest zone. I forgot to roll it back.

Also, there is no mtu_fix in the iwan zone, why?

Luci...

I have attempted to remove masquerade, but the issue persists.
I will perform the same tests and get the results later.

Thank you

trendy, the problem is still ongoing, but it does not seem to be an issue with the router.

19:26:28.386619 ethertype IPv4, IP 191.X.X.202.45463 > 192.168.15.12.8443
(...)
19:26:28.446670 ethertype IPv4, IP 192.168.1.228.443 > 191.169.X.X.45462

For some reason 192.168.1.228 replies to port 45462 instead of 45463.
Do you know the reason?

19:26:28.386619 ethertype IPv4, IP 191.X.X.202.45463 > 192.168.15.12.8443: Flags [.], ack 897599262, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.386619 IP 191.X.X.202.45463 > 192.168.15.12.8443: Flags [.], ack 1, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.386766 IP 191.X.X.202.45463 > 192.168.1.228.443: Flags [.], ack 897599262, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.414146 IP 127.0.0.1.42957 > 127.0.0.1.53: 33451+ PTR? 159.2.168.192.in-addr.arpa. (44)
19:26:28.443148 ethertype IPv4, IP 192.168.1.13.63169 > 192.168.1.1.59222: Flags [.], ack 290032, win 8210, length 0
19:26:28.446670 ethertype IPv4, IP 192.168.1.228.443 > 191.X.X.202.45462: Flags [.], ack 3538335950, win 259, options [nop,nop,TS val 19216979 ecr 47173], length 0

I really appreciate your support.
Thank you very much!

Most likely this is a response to a different flow, not captured here, which uses the 45462 port from the client.
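To check that diagnosis against a capture, here is an added Python helper (not from the thread or from OpenWrt) that groups the tcpdump lines quoted above by the client socket, which DNAT does not rewrite, and reports flows seen in only one direction. The two service endpoints are taken from the 'teste' redirect in the firewall export; everything else in the script is an assumption of this example.

```python
import re
from collections import defaultdict

# The tcpdump -n -i any lines quoted in the thread (client address redacted with X
# as in the post). On "any" each packet shows up twice, before and after DNAT.
CAPTURE = """\
19:26:28.386619 ethertype IPv4, IP 191.X.X.202.45463 > 192.168.15.12.8443: Flags [.], ack 897599262, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.386619 IP 191.X.X.202.45463 > 192.168.15.12.8443: Flags [.], ack 1, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.386766 IP 191.X.X.202.45463 > 192.168.1.228.443: Flags [.], ack 897599262, win 161, options [nop,nop,TS val 47175 ecr 19216970], length 0
19:26:28.414146 IP 127.0.0.1.42957 > 127.0.0.1.53: 33451+ PTR? 159.2.168.192.in-addr.arpa. (44)
19:26:28.446670 ethertype IPv4, IP 192.168.1.228.443 > 191.X.X.202.45462: Flags [.], ack 3538335950, win 259, options [nop,nop,TS val 19216979 ecr 47173], length 0
"""

# The 'teste' redirect from the firewall export: 192.168.15.12:8443 -> 192.168.1.228:443.
# A client->service packet carries either endpoint depending on where it was captured.
SERVICE_ENDPOINTS = {("192.168.15.12", 8443), ("192.168.1.228", 443)}

TCP_RE = re.compile(
    r"^\S+ (?:ethertype IPv4, )?IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[[^\]]*\](?P<rest>.*)$")
TS_RE = re.compile(r"TS val (\d+) ecr (\d+)")


def parse_tcp(capture):
    """Yield (src, sport, dst, dport, tsval, tsecr) per TCP line; DNS etc. are skipped."""
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            ts = TS_RE.search(m["rest"])
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   int(ts[1]) if ts else None, int(ts[2]) if ts else None)


def group_flows(capture):
    """Key packets by the client socket (untouched by DNAT); count each direction
    and record the TCP timestamps the client sent and the server echoed."""
    flows = defaultdict(lambda: {"in": 0, "out": 0, "client_tsval": set(), "server_tsecr": set()})
    for src, sport, dst, dport, tsval, tsecr in parse_tcp(capture):
        if (dst, dport) in SERVICE_ENDPOINTS:        # client -> service, pre- or post-DNAT
            f = flows[(src, sport)]
            f["in"] += 1
            if tsval is not None:
                f["client_tsval"].add(tsval)
        elif (src, sport) in SERVICE_ENDPOINTS:      # service -> client
            f = flows[(dst, dport)]
            f["out"] += 1
            if tsecr is not None:
                f["server_tsecr"].add(tsecr)
    return dict(flows)


def one_sided_flows(flows):
    """Client ports seen in only one direction. A reply in such a flow (45462 in the
    thread) cannot be the answer to a request captured in a different flow (45463)."""
    return sorted(port for (_, port), f in flows.items() if not (f["in"] and f["out"]))


if __name__ == "__main__":
    flows = group_flows(CAPTURE)
    print(flows)
    print("one-sided client ports:", one_sided_flows(flows))
```

The server's reply echoes TS ecr 47173, a value the 45463 client packets never sent (they carry TS val 47175), which is a second sign that the two ports belong to separate connections.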