Removed IPtables, now routing to WAN is screwed

Hey everyone, so i have a DIR645, with 64 RAM but i had some trouble with the wifi slowing down after usage, so i read that you can remove packages like firewall and iptable so the ram won't be cluttered and filled.

So i read up on iptable and it states that it only deals with firewall functions, so since i removed the firewall, i removed iptable as well.

Ever since my router can reach things on the internet (via the diagnostics) but devices in my lan can't reach outside the lan at all.

So the question is, why did it happen?

Just to let you know, i run pppoe from this router, in order to get a connection.

Thanks and have a great day!

You removed iptables, which does the "masquerading". So you removed the part that does the internet sharing on your router, so the internet is no longer shared to the devices in your LAN.

Is that a fancy name for NAT? If so, how do i set it back up? I reinstalled the iptables, i'm guessing i have to do something else?

I think reconfiguring the firewall to do masquerading again should be sufficient. Else just restore your most recent LEDE config backup.

LEDE - General Settings - LuCI 2017-11-01 11-58-16

So unless i want the router as an access point, i must have the firewall installed? Who named the features in lede?

You must have iptables installed so the router can do NAT and masquerading. I guess it's part of the firewall tab in Luci because iptables also does firewalling and port forwarding.
As to who named it, the Luci team. What would you have named it?

well, i would name features like they are named in standard networking gear like Cisco and such. and since when are routing and firewalling linked? those are 2 features that have nothing in common. the firewall is just a monitor for traffic, it's a bouncer of sorts, it does not direct the traffic, like some sort of info booth.

sorry if this comes off as a bit much, but i'm a CCNA and other networking certificates, and it was my job for about a decade, so it pisses me off a bit, when some conventions aren't kept and you get these kind of troubles.

anyway just a quick update, reinstalled firewall, internet came back.

is there no way to cancel the firewall then? and also are there any good packages that purge logs or do maintenance stuff automatically?

You can also use the device as managed switch without iptables. You can also use the device as a ROUTER PASSING IP TRAFFIC WITHOUT NAT or Firewalling. I think you misunderstand that NAT was added to the Internet Protocol after the design of IPv4. The "feature" was not named by LEDE, all Linux-based routers call that function "IP Masquerade." It's configured using the Netfilter software suite - of which iptables are one of the tools.


Actually, 'IP Masquerade' is the name that is given to that form of NAT in Linux. All linux machines refer to outbound NAT using the Interface's IP as "IP Masquerade."

When iptables was designed, IP Masquerade was included there, simple.


@lleachii that's what i think is stupid, linux might have mixed routing and firewalling in some distros, but that's not the case for major appliances, Cisco for example use a QNX and Linux inspired OS, but the functions there are clear cut, and separated.

it makes sense if you want your router to do just routing, and no firewalling, let's say you're using in inside a smb behind the large corporate firewall, you don't need another firewall that could mess up traffic and make your life a troubleshooting hell.

Cisco's IOS is not "Linux." It's a totally re-done OS used for Cisco's purposes. This should be obvious, since Cisco doesn't publish their code. Netfilter is under the GPL licenses, so we can assume the Open Source code site is obscure, or their NATing is proprietary software.

You can. That's what I described above:

NAT is an added feature to Internet Protocol version 4...that's the paradigm that Netfilter was developed in. If you ordered multiple IPs from your ISP for all your downstream devices, you could get rid of Masquerade via Netfilter.

My suggestion??

You can find (or write) a software that just does NATing.

A. the fact it's not open source does not mean it's not linux based. that's not what defines linux.
B. NAT is not a firewall feature, it's a routing feature, and should be basic in the routing packages of LEDE/Openwrt.
i don't see why i need a new package, what exactly does the routing feature include if NAT isn't one of it's features?

From the Linux Foundation site:

The Linux Foundation is dedicated to building sustainable ecosystems around open source projects

I simply highlighted that Cisco isn't Open Source. I never said it wasn't Linux-based. I think your statement may imply more (or be circular reasoning). But my point is, if you could get a copy their software or code, you could implement the NAT you want, without Netfilter.

First of all, ROUTING is not a feature of any software we've discussed. Routing is built into the Linux Kernel and is activated and deactivated with a sysctl call: net.ipv4.ip_forward=1. This is enabled by default in LEDE. net.ipv4.ip_forward=1 simply tells the Kernel to forward a packet received to it's destination, based on the Kernel's routing table...nothing more...nothing less.

I never said that NAT was a firewall feature (amongst those who know the history of IPv4, NAT was used for firewalling, but that was never what it was designed for). So to answer you about another package - regardless of your views of iptables, or how Linux implements it. If you want to get rid of that tool and use NAT, you have to find a completely different set of tools to accomplish that - that doesn't use the Netfilter suite at all.

From Wikipedia:

Netfilter is a framework provided by Linux that allows various networking-related operations to be implemented in the form of customized handlers.

i never said it's pure linux, i said it's linux based. the point i was making is, linux might work fine with the features you described on computers and dedicated hardware made for linux, but when you want to implement a linux based system on a hardware like a router that was designed with limited hardware and with a single software in mind, you're going to have to make things modular to the very basic stuff.

1 Like

I think this thread went a little bit off topic .....

I would like to know, how did you remove iptables?

1 Like

Here is a software that claims to implement NAT without Netfilter.

easy, from luci, software page.

I'm going to ignore all of the replies up untill this point because I'm about the get an aneurysm.
I grew up on Linux so all the naming schemes make perfect sense to me vs. Cisco/Juniper/Whatever naming conventions being ass backwards.

So moving on.

I've seen openwrt crowbar'ed into an 8mb ram device (arguably ages ago) so the firewall and packet filtering are not why you're running out of RAM. Those bufferes are mostly allocated statically and shouldn't bloat at random.

 22:30:01 up 41 days, 21:04,  load average: 0.08, 0.05, 0.00

             total       used       free     shared    buffers     cached
Mem:        125372      43080      82292        144       3836      10624
-/+ buffers/cache:      28620      96752
Swap:            0          0          0

I've installed a buch of extra packages and I'm barely using 45mb, after necessary buffers and junk I'm probably at 54-58mb RAM. With your base install you probably need a good chunk less RAM then I do.

If you want to free up RAM that badly uninstall LUCI, nothing uses more resources then LUCI in a unmodified release image.

@weedy Hey, i've removed what was suggested for the 32MB RAM device in another topic, and have installed zram, but still after some usage my ram goes from 40MB free to 10 and my wifi becomes sluggish to non responsive.

that's the whole reason i started messing with removing modules, the base firmware has a ton more modules and it worked, so i'm guessing it's capable of running a lot of stuff. so that's why i don't get this, i have no idea what clutters my ram, and why i have to reboot the system to release that memory.

if you know of any packages that do ram management or a config for luci or something that could help that i might've missed, i'd be grateful.

also, if there's a list of stuff i can remove, like packages i don't need (i.e. vpn and stuff like that) i'd love a link, or a point in it's general direction.


Look at the output of "ps -w" or "top". What process is eating a all your RAM.

May I add that going the Cisco way is not always the best approach? I understand that when having a CCNA certificate (Cisco Certified Network Associate) everything Cisco does seems like the best. But since they are also known for doing many things differently than others manufacturers I don't think its fair to compare Linux/LEDE to Cisco. Take for instance VLAN in Cisco and other big brand networking manufactures, they all use TRUNK VLANs but they are not generally the same.

Sorry to be rude but what I don't understand is why it is hard for a "CCNA and other networking certificates" guy to know what a firewall does. Sure iptables is specific for Linux but things like NAT and Firewall are not. I would think that it is basic networking knowledge that a local IP should be translated to the routers external IP before leaving the WAN interface of a general comsumer. Sure it can also be routered, but since most consumers are using private subnets this is not really feasible. Correct me if I'm wrong.