So, to summarize the current state:
- I disabled masquerading for the ovpn zone (confirmed in the client dump below: zone_ovpn_postrouting now only jumps to postrouting_ovpn_rule, no MASQUERADE, so LAN hosts reach the server with their real 192.168.129.x source addresses and the server needs a return route for that subnet via 192.168.8.101 — which it has).
- I added the lan zone as a forwarding destination of the ovpn zone (zone_ovpn_forward now jumps to zone_lan_dest_ACCEPT).
- I changed the ovpn zone's forward policy from reject to accept. Security caveat: as the dump below shows, the ovpn zone is now fully open in both directions — every new connection arriving on tun0 is accepted by the router itself (zone_ovpn_input ends in zone_ovpn_src_ACCEPT, which accepts NEW from tun0) and is forwarded into the LAN without restriction (zone_ovpn_forward → zone_lan_dest_ACCEPT), so the VPN server and anything it routes into the tunnel can reach the router's own services and every LAN host. Once routing works, this should be narrowed to explicit allow rules (specific hosts/ports) with the zone defaults back at reject.
After restarting the container and reconnecting both clients, I get the following results.
Client runtime info (GL-MT300N-V2 router acting as OpenVPN client; tun0 = 192.168.8.101, LAN = 192.168.129.0/24 on br-lan; note the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0, i.e. all traffic is pushed through the tunnel):
root@GL-MT300N-V2:~# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::9683:c4ff:fe09:4aa8/64 scope link
valid_lft forever preferred_lft forever
3: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
link/void
4: ra0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
5: ra1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 96:83:c4:19:4a:a8 brd ff:ff:ff:ff:ff:ff
6: wds0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
7: wds1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
8: wds2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
9: wds3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
10: apcli0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 96:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.129.1/24 brd 192.168.129.255 scope global br-lan
valid_lft forever preferred_lft forever
12: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
14: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 94:83:c4:09:4a:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.123.126/24 brd 192.168.123.255 scope global eth0.2
valid_lft forever preferred_lft forever
21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 192.168.8.101/24 brd 192.168.8.255 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 dev tun0 scope link
default via 192.168.123.1 dev eth0.2 proto static src 192.168.123.126 metric 10
128.0.0.0/1 dev tun0 scope link
185.250.248.18 via 192.168.123.1 dev eth0.2
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.101
192.168.123.0/24 dev eth0.2 proto static scope link metric 10
192.168.129.0/24 dev br-lan proto kernel scope link src 192.168.129.1
0: from all lookup local
1001: from all iif eth0.2 lookup main
2001: from all fwmark 0x100/0x3f00 lookup 1
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*nat
:PREROUTING ACCEPT [2081:268377]
:INPUT ACCEPT [38:2965]
:OUTPUT ACCEPT [94:8030]
:POSTROUTING ACCEPT [23:2034]
:GL_SPEC_DMZ - [0:0]
:GL_SPEC_FORWARDING - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_ovpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_ovpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_ovpn_postrouting - [0:0]
:zone_ovpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -j GL_SPEC_FORWARDING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_ovpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_ovpn_postrouting
-A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_ovpn_postrouting -m comment --comment "!fw3: Custom ovpn postrouting rule chain" -j postrouting_ovpn_rule
-A zone_ovpn_prerouting -m comment --comment "!fw3: Custom ovpn prerouting rule chain" -j prerouting_ovpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Oct 13 11:26:08 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*mangle
:PREROUTING ACCEPT [2575:360378]
:INPUT ACCEPT [886:165719]
:FORWARD ACCEPT [10:1047]
:OUTPUT ACCEPT [477:104901]
:POSTROUTING ACCEPT [491:107132]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone ovpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Tue Oct 13 11:26:08 2020
# Generated by iptables-save v1.6.2 on Tue Oct 13 11:26:08 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_ovpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_ovpn_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_ovpn_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_ovpn_dest_ACCEPT - [0:0]
:zone_ovpn_forward - [0:0]
:zone_ovpn_input - [0:0]
:zone_ovpn_output - [0:0]
:zone_ovpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_ovpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_ovpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_ovpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
-A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to ovpn forwarding policy" -j zone_ovpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3: Custom ovpn forwarding rule chain" -j forwarding_ovpn_rule
-A zone_ovpn_forward -m comment --comment "!fw3: Zone ovpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_ovpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_ovpn_forward -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3: Custom ovpn input rule chain" -j input_ovpn_rule
-A zone_ovpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_ovpn_input -m comment --comment "!fw3" -j zone_ovpn_src_ACCEPT
-A zone_ovpn_output -m comment --comment "!fw3: Custom ovpn output rule chain" -j output_ovpn_rule
-A zone_ovpn_output -m comment --comment "!fw3" -j zone_ovpn_dest_ACCEPT
-A zone_ovpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 13 11:26:08 2020
Server runtime info (OpenVPN server in the container; tun0 = 192.168.8.1, with a static route for the client LAN 192.168.129.0/24 via 192.168.8.101, and both the tunnel subnet and the client LAN masqueraded out eth0). Note that iptables-save here lists only the nat table — apparently no filter rules are loaded in the container, so anything reaching it over the tunnel is accepted and forwarded by the kernel's default ACCEPT policy:
bash-4.4# ip address show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
valid_lft forever preferred_lft forever
79: eth0@if80: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.10/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.10
192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
192.168.129.0/24 via 192.168.8.101 dev tun0
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.6.1 on Tue Oct 13 11:27:09 2020
*nat
:PREROUTING ACCEPT [30:2218]
:INPUT ACCEPT [4:403]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.129.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 13 11:27:09 2020