Try to capture the packets. Install tcpdump if not there already.
tcpdump -i any -vn udp port 53
Then run the commands.
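Reading the capture that this reply asks for is easier once the copies that `tcpdump -i any` prints for every bridged packet (one per bridge port plus the bridge itself) are collapsed and each query is matched to its reply. The script below is an added example, not code from this thread or from OpenWrt; it assumes the two-line layout that `tcpdump -vn` prints (an IP header line carrying the timestamp and IP id, then a line with `src.port > dst.port: txid ...`), dedupes on IP id plus 5-tuple plus transaction id, and reports which queries never got an answer. The sample capture embedded in it is constructed for the example, not copied from the thread.

```python
"""Pair DNS queries with replies in `tcpdump -i any -vn udp port 53` output.

Added example, not from the thread.  Assumes tcpdump's -v two-line layout:
  HH:MM:SS.ffffff [ethertype IPv4, ]IP (tos ..., ttl ..., id N, ...)
      a.b.c.d.PORT > e.f.g.h.53: TXID+ A? name. (len)        <- query
      e.f.g.h.53 > a.b.c.d.PORT: TXID 1/0/0 name. A 1.2.3.4  <- reply
"""
import re

HDR_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (?:ethertype IPv4, )?IP \(.*?\bid (\d+),")
FLOW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)(\S*)\s+(.*)$")
QUERY_RE = re.compile(r"^(?:\[[^\]]+\]\s+)?([A-Z0-9]+)\?\s+(\S+)")

# Constructed sample capture (not the thread's): guest client 10.5.4.1 sends
# txid 4 (A), which is never answered, and txid 5 (AAAA), which is forwarded
# to 1.1.1.1 and answered.  Inbound and outbound packets appear twice, as
# `tcpdump -i any` shows them on a bridge, so the parser must dedupe.
SAMPLE = """\
14:02:00.900000 ethertype IPv4, IP (tos 0x0, ttl 128, id 11222, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54690 > 10.5.0.1.53: 4+ A? openwrt.org. (29)
14:02:00.900000 IP (tos 0x0, ttl 128, id 11222, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54690 > 10.5.0.1.53: 4+ A? openwrt.org. (29)
14:02:02.921513 ethertype IPv4, IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
    10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921691 IP (tos 0x0, ttl 64, id 13327, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.30236 > 1.1.1.1.53: 57888+ AAAA? openwrt.org. (29)
14:02:02.926517 ethertype IPv4, IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926605 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926611 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
    10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:03.100000 IP (tos 0x0, ttl 128, id 11300, offset 0, flags [none], proto UDP (17), length 61)
    10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:02:03.100120 IP (tos 0x0, ttl 64, id 47457, offset 0, flags [DF], proto UDP (17), length 61)
    10.4.0.1.53 > 10.4.4.6.59185: 2 NXDomain 0/0/0 (33)
"""


def ts_seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Return one dict per distinct packet, collapsing the copies `-i any` prints."""
    seen, packets, lines, i = set(), [], text.splitlines(), 0
    while i < len(lines) - 1:
        hdr = HDR_RE.match(lines[i])
        flow = FLOW_RE.match(lines[i + 1]) if hdr else None
        if not (hdr and flow):
            i += 1
            continue
        i += 2
        ts, ipid = hdr.groups()
        src, sport, dst, dport, txid, _flags, rest = flow.groups()
        key = (ipid, src, sport, dst, dport, txid)  # same IP id + flow = same packet
        if key in seen:
            continue
        seen.add(key)
        q = QUERY_RE.match(rest)
        packets.append({
            "t": ts_seconds(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "txid": int(txid),
            "query": (q.group(1), q.group(2)) if q else None,
            # replies print "ans/auth/add" counts on success, or an rcode name
            "status": None if q else ("NoError" if re.match(r"\d+/\d+/\d+", rest) else rest.split()[0]),
        })
    return packets


def pair(packets):
    """Match each query to its reply by (client, client port, server, txid)."""
    pending, results = {}, []
    for p in packets:
        if p["query"]:
            r = {"client": p["src"], "server": p["dst"], "txid": p["txid"],
                 "qtype": p["query"][0], "name": p["query"][1],
                 "answer": None, "latency_ms": None}
            pending[(p["src"], p["sport"], p["dst"], p["txid"])] = (p["t"], r)
            results.append(r)
        else:
            hit = pending.pop((p["dst"], p["dport"], p["src"], p["txid"]), None)
            if hit:  # replies without a captured query are ignored
                t0, r = hit
                r["answer"] = p["status"]
                r["latency_ms"] = round((p["t"] - t0) * 1000, 3)
    return results


def unanswered(text):
    """Queries that reached the capture point but never got a reply."""
    return [r for r in pair(parse(text)) if r["answer"] is None]


def missing_txids(results, client):
    """Gaps in a client's txid sequence.  Only meaningful for resolvers that
    number transactions 1, 2, 3, ... (Windows nslookup does); a gap is a
    query the client sent that never reached the capture interface at all."""
    ids = sorted({r["txid"] for r in results if r["client"] == client})
    return [i for i in range(1, ids[-1] + 1) if i not in ids] if ids else []


if __name__ == "__main__":
    rows = pair(parse(SAMPLE))
    for r in rows:
        print(f"{r['client']:>16} txid {r['txid']:>5} {r['qtype']:<5} {r['name']:<18} "
              f"-> {r['answer'] or 'NO REPLY'} {r['latency_ms'] or ''}")
    print("missing guest txids:", missing_txids(rows, "10.5.4.1"))
```

Run it against a saved capture with `python3 dnspair.py < capture.txt` after swapping `SAMPLE` for `sys.stdin.read()`. Two different failure modes separate cleanly: a query listed as NO REPLY did reach the router and was then dropped or ignored, which is where the firewall's INPUT chain belongs in the investigation; a query that is absent from the capture altogether never arrived on the interface, because tcpdump taps the device before netfilter's INPUT hook, so the firewall cannot be the reason it is missing.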
On OpenWrt, running the following commands in a second ssh connection results in:
root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:56:32.008257 ethertype IPv4, IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008257 IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008257 IP (tos 0x0, ttl 64, id 10023, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44350 > 10.4.0.1.53: 25048+ A? openwrt.org. (29)
13:56:32.008600 IP (tos 0x0, ttl 64, id 60680, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.45265 > 1.1.1.1.53: 41502+ A? openwrt.org. (29)
13:56:32.011692 ethertype IPv4, IP (tos 0x0, ttl 60, id 55608, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.45265: 41502 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011692 IP (tos 0x0, ttl 60, id 55608, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.45265: 41502 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011773 IP (tos 0x0, ttl 64, id 42313, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.5.44350: 25048 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.011778 IP (tos 0x0, ttl 64, id 42313, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.5.44350: 25048 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.019986 ethertype IPv4, IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.019986 IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.019986 IP (tos 0x0, ttl 64, id 10024, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.39540 > 10.4.0.1.53: 62430+ AAAA? openwrt.org. (29)
13:56:32.020098 IP (tos 0x0, ttl 64, id 60681, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.26662 > 1.1.1.1.53: 42274+ AAAA? openwrt.org. (29)
13:56:32.023079 ethertype IPv4, IP (tos 0x0, ttl 60, id 21415, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.26662: 42274 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023079 IP (tos 0x0, ttl 60, id 21415, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.26662: 42274 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023147 IP (tos 0x0, ttl 64, id 42314, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.5.39540: 62430 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.023152 IP (tos 0x0, ttl 64, id 42314, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.5.39540: 62430 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.083463 ethertype IPv4, IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083463 IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083463 IP (tos 0x0, ttl 64, id 63408, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.083516 IP (tos 0x0, ttl 63, id 63408, offset 0, flags [none], proto UDP (17), length 57)
192.168.178.20.44796 > 8.8.8.8.53: 40532+ A? openwrt.org. (29)
13:56:32.089694 ethertype IPv4, IP (tos 0x0, ttl 123, id 6317, offset 0, flags [none], proto UDP (17), length 73)
8.8.8.8.53 > 192.168.178.20.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089694 IP (tos 0x0, ttl 123, id 6317, offset 0, flags [none], proto UDP (17), length 73)
8.8.8.8.53 > 192.168.178.20.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089712 IP (tos 0x0, ttl 122, id 6317, offset 0, flags [none], proto UDP (17), length 73)
8.8.8.8.53 > 10.4.4.5.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.089716 IP (tos 0x0, ttl 122, id 6317, offset 0, flags [none], proto UDP (17), length 73)
8.8.8.8.53 > 10.4.4.5.44796: 40532 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.113749 ethertype IPv4, IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113749 IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113749 IP (tos 0x0, ttl 64, id 63412, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.113775 IP (tos 0x0, ttl 63, id 63412, offset 0, flags [none], proto UDP (17), length 57)
192.168.178.20.33426 > 8.8.8.8.53: 21073+ AAAA? openwrt.org. (29)
13:56:32.125356 ethertype IPv4, IP (tos 0x0, ttl 123, id 14299, offset 0, flags [none], proto UDP (17), length 85)
8.8.8.8.53 > 192.168.178.20.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125356 IP (tos 0x0, ttl 123, id 14299, offset 0, flags [none], proto UDP (17), length 85)
8.8.8.8.53 > 192.168.178.20.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125374 IP (tos 0x0, ttl 122, id 14299, offset 0, flags [none], proto UDP (17), length 85)
8.8.8.8.53 > 10.4.4.5.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.125377 IP (tos 0x0, ttl 122, id 14299, offset 0, flags [none], proto UDP (17), length 85)
8.8.8.8.53 > 10.4.4.5.33426: 21073 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.139727 ethertype IPv4, IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139727 IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139727 IP (tos 0x0, ttl 64, id 32765, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.139754 IP (tos 0x0, ttl 63, id 32765, offset 0, flags [none], proto UDP (17), length 57)
192.168.178.20.38864 > 1.1.1.1.53: 43372+ A? openwrt.org. (29)
13:56:32.144909 ethertype IPv4, IP (tos 0x0, ttl 60, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144909 IP (tos 0x0, ttl 60, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144926 IP (tos 0x0, ttl 59, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 10.4.4.5.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.144929 IP (tos 0x0, ttl 59, id 16697, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 10.4.4.5.38864: 43372 1/0/0 openwrt.org. A 139.59.209.225 (45)
13:56:32.146630 ethertype IPv4, IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146630 IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146630 IP (tos 0x0, ttl 64, id 32767, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.5.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.146655 IP (tos 0x0, ttl 63, id 32767, offset 0, flags [none], proto UDP (17), length 57)
192.168.178.20.53416 > 1.1.1.1.53: 56440+ AAAA? openwrt.org. (29)
13:56:32.149764 ethertype IPv4, IP (tos 0x0, ttl 60, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149764 IP (tos 0x0, ttl 60, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149779 IP (tos 0x0, ttl 59, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 10.4.4.5.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
13:56:32.149782 IP (tos 0x0, ttl 59, id 20197, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 10.4.4.5.53416: 56440 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
Since I can't ssh into OpenWrt to tcpdump when on the Guests network, I am running nslookup openwrt.org from a Windows client.
Using Trusted network
root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:00:16.541515 ethertype IPv4, IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541515 IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541515 IP (tos 0x0, ttl 128, id 11038, offset 0, flags [none], proto UDP (17), length 67)
10.4.4.6.59184 > 10.4.0.1.53: 1+ PTR? 1.0.4.10.in-addr.arpa. (39)
14:00:16.541718 IP (tos 0x0, ttl 64, id 47456, offset 0, flags [DF], proto UDP (17), length 92)
10.4.0.1.53 > 10.4.4.6.59184: 1* 1/0/0 1.0.4.10.in-addr.arpa. PTR OpenWrt.lan. (64)
14:00:16.541725 IP (tos 0x0, ttl 64, id 47456, offset 0, flags [DF], proto UDP (17), length 92)
10.4.0.1.53 > 10.4.4.6.59184: 1* 1/0/0 1.0.4.10.in-addr.arpa. PTR OpenWrt.lan. (64)
14:00:16.563674 ethertype IPv4, IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563674 IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563674 IP (tos 0x0, ttl 128, id 11039, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59185 > 10.4.0.1.53: 2+ A? openwrt.org.lan. (33)
14:00:16.563783 IP (tos 0x0, ttl 64, id 47457, offset 0, flags [DF], proto UDP (17), length 61)
10.4.0.1.53 > 10.4.4.6.59185: 2 NXDomain 0/0/0 (33)
14:00:16.563788 IP (tos 0x0, ttl 64, id 47457, offset 0, flags [DF], proto UDP (17), length 61)
10.4.0.1.53 > 10.4.4.6.59185: 2 NXDomain 0/0/0 (33)
14:00:16.566699 ethertype IPv4, IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566699 IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566699 IP (tos 0x0, ttl 128, id 11040, offset 0, flags [none], proto UDP (17), length 61)
10.4.4.6.59186 > 10.4.0.1.53: 3+ AAAA? openwrt.org.lan. (33)
14:00:16.566786 IP (tos 0x0, ttl 64, id 47458, offset 0, flags [DF], proto UDP (17), length 61)
10.4.0.1.53 > 10.4.4.6.59186: 3 NXDomain 0/0/0 (33)
14:00:16.566791 IP (tos 0x0, ttl 64, id 47458, offset 0, flags [DF], proto UDP (17), length 61)
10.4.0.1.53 > 10.4.4.6.59186: 3 NXDomain 0/0/0 (33)
14:00:16.570033 ethertype IPv4, IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570033 IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570033 IP (tos 0x0, ttl 128, id 11041, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59187 > 10.4.0.1.53: 4+ A? openwrt.org. (29)
14:00:16.570151 IP (tos 0x0, ttl 64, id 7380, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.56393 > 1.1.1.1.53: 30975+ A? openwrt.org. (29)
14:00:16.575775 ethertype IPv4, IP (tos 0x0, ttl 60, id 17733, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.56393: 30975 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575775 IP (tos 0x0, ttl 60, id 17733, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.56393: 30975 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575836 IP (tos 0x0, ttl 64, id 47459, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.6.59187: 4 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.575840 IP (tos 0x0, ttl 64, id 47459, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.6.59187: 4 1/0/0 openwrt.org. A 139.59.209.225 (45)
14:00:16.580136 ethertype IPv4, IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580136 IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580136 IP (tos 0x0, ttl 128, id 11042, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.6.59188 > 10.4.0.1.53: 5+ AAAA? openwrt.org. (29)
14:00:16.580228 IP (tos 0x0, ttl 64, id 7381, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.19002 > 1.1.1.1.53: 25145+ AAAA? openwrt.org. (29)
14:00:16.583373 ethertype IPv4, IP (tos 0x0, ttl 60, id 41319, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.19002: 25145 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583373 IP (tos 0x0, ttl 60, id 41319, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.19002: 25145 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583443 IP (tos 0x0, ttl 64, id 47460, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.6.59188: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:00:16.583447 IP (tos 0x0, ttl 64, id 47460, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.6.59188: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
Using Guests network
# A long time nothing, because the nslookup on the client is timing out multiple times
# -- client output typed by me, not copied, so not verbatim
DNS request timeout was 2 seconds
Server: unknown
Address: 10.5.0.1
DNS request timeout was 2 seconds (3x)
Name: openwrt.org
Address: a non ip4 address (2a03:b0c0:3:d0::1af1:1)
# And very late in the above process, suddenly:
root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:02:02.921513 ethertype IPv4, IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921513 IP (tos 0x0, ttl 128, id 11223, offset 0, flags [none], proto UDP (17), length 57)
10.5.4.1.54691 > 10.5.0.1.53: 5+ AAAA? openwrt.org. (29)
14:02:02.921691 IP (tos 0x0, ttl 64, id 13327, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.30236 > 1.1.1.1.53: 57888+ AAAA? openwrt.org. (29)
14:02:02.926517 ethertype IPv4, IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926517 IP (tos 0x0, ttl 60, id 14438, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.30236: 57888 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926605 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
14:02:02.926611 IP (tos 0x0, ttl 64, id 20613, offset 0, flags [DF], proto UDP (17), length 85)
10.5.0.1.53 > 10.5.4.1.54691: 5 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
Based on all this I am guessing that I should debug the firewall. Why is it choking for a while on a DNS request from the Guests network before finally deciding to let it go through? At least I am assuming that is what is happening.
Perhaps this helps?
fw3 print
root@OpenWrt:~# fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[7] (block iot wan) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[8] (block default ipcam) does not specify a protocol, assuming TCP+UDP
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N zone_wan_dest_DROP
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_guest_input
iptables -t filter -N zone_guest_output
iptables -t filter -N zone_guest_forward
iptables -t filter -N zone_guest_src_REJECT
iptables -t filter -N zone_guest_dest_ACCEPT
iptables -t filter -N zone_guest_dest_REJECT
iptables -t filter -N input_guest_rule
iptables -t filter -N output_guest_rule
iptables -t filter -N forwarding_guest_rule
iptables -t filter -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
iptables -t filter -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
iptables -t filter -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
iptables -t filter -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.128/255.255.255.128 -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p tcp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -p udp -s 192.168.1.10/255.255.255.255 -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -D zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
iptables -t filter -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
iptables -t filter -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
iptables -t filter -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
iptables -t filter -D zone_guest_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_guest_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_guest_src_REJECT -i br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_src_REJECT -i br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_guest_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -D OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -D FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -D zone_guest_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_guest_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_guest_src_REJECT -i br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_src_REJECT -i br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_guest_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_guest_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_guest_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_guest_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_guest_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_guest_postrouting
iptables -t nat -N zone_guest_prerouting
iptables -t nat -N prerouting_guest_rule
iptables -t nat -N postrouting_guest_rule
iptables -t nat -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
iptables -t nat -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -D zone_lan_prerouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.0.0.0/255.252.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -D zone_lan_prerouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_postrouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.4.0.0/255.255.0.0 -d 192.168.1.111/255.255.255.255 -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -D PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -D POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_guest_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
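Two things worth reading off the NAT dump above before going further: the "guideriis" redirect DNATs tcp and udp 443 arriving on the wan zone to 192.168.1.111:443, with NAT reflection rules only for the lan zone's source ranges (10.0.0.0/255.252.0.0 and 10.4.0.0/255.255.0.0), and br-lan is hooked into both the zone_lan_* and the zone_guest_* chains, i.e. the lan network is a member of two firewall zones at once. The script below is an added example, not from the thread or from the fw3 project: it extracts exactly those two facts from a dump like this one ("fw3 print" output). The sample input is a constructed subset of the lines above.

```shell
#!/bin/sh
# Added example, not from the thread: audit an fw3 NAT rule dump for what the
# wan zone exposes and which interface feeds which zone.
# Usage on the router:  fw3 print > dump.txt ; sh audit_fw3.sh dump.txt
# Without an argument it runs on the constructed sample at the bottom.

# Services reachable from the internet: DNAT rules appended (-A) to the wan
# zone's prerouting chain.  fw3 emits a "-D" before some "-A" lines to avoid
# duplicates; only the "-A" lines describe the resulting ruleset.
wan_dnat_exposures() {
    awk '
    /-t nat -A zone_wan_prerouting / && /-j DNAT/ {
        proto = "any"; port = "any"; dest = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")               proto = $(i + 1)
            if ($i == "--dport")          port  = $(i + 1)
            if ($i == "--to-destination") dest  = $(i + 1)
        }
        printf "%s/%s -> %s\n", proto, port, dest
    }'
}

# Zone membership: "-A PREROUTING -i <iface> ... -j zone_<zone>_prerouting".
# An interface listed in two zones traverses both zones' chains, which makes
# the effective policy hard to reason about; each network belongs in one zone.
zone_membership() {
    awk '
    /-t nat -A PREROUTING -i / {
        ifname = ""; zone = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") ifname = $(i + 1)
            if ($i == "-j" && $(i + 1) ~ /^zone_.*_prerouting$/) {
                zone = $(i + 1)
                sub(/^zone_/, "", zone); sub(/_prerouting$/, "", zone)
            }
        }
        if (ifname != "" && zone != "") zones[ifname] = zones[ifname] " " zone
    }
    END {
        for (ifname in zones) {
            n = split(zones[ifname], parts, " ")
            flag = (n > 1) ? "  <-- member of more than one zone" : ""
            printf "%s:%s%s\n", ifname, zones[ifname], flag
        }
    }' | sort
}

# Constructed sample: a subset of the rule lines from the dump in the thread.
SAMPLE_DUMP=$(cat <<'EOF'
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.4.0.0/255.255.0.0 -d 192.168.178.20/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_guest_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_guest_prerouting
EOF
)

if [ -n "${1:-}" ]; then
    wan_dnat_exposures < "$1"
    zone_membership < "$1"
else
    printf '%s\n' "$SAMPLE_DUMP" | wan_dnat_exposures
    printf '%s\n' "$SAMPLE_DUMP" | zone_membership
fi
```

On the sample this prints the two 443 forwards to 192.168.1.111 and flags br-lan as a member of both lan and guest. The reflection rules are deliberately left out of the first listing: they are the LAN-side mirror of the same forward, not an extra exposure.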
Time difference between first query and first reply is under 1 second.
The client is requesting the wrong fqdn. There is a .lan at the end.
The client is asking for IPv6 address.
Yes great, that is how it should be, right? I even think it was no more than 200 ms if I interpret it correctly.
But this is from the OpenWrt itself, probably using the lan interface or the wan interface directly.
Are you sure that is the client's doing? The exact verbatim syntax I used on the client was
nslookup openwrt.org
Also I am using the official firmware for my device, not having tinkered with FQDNs, so I would then still think this is an OpenWrt issue? Any settings I can check to see where that is coming from?
If you think it could help I can change it around. I can have my Windows client do all the logging on OpenWrt and have my xfce4 do the DNS requesting.
Even though IPv6 is disabled on the client in the interface settings, hmm, but Windows is known for stranger things. I will change it around then and try a different FQDN.
More like 3 ms.
It can't be more obvious. This is what the client asks the OpenWrt nameserver.
The weird thing is that it is not asking for both.
This also means that the Trusted network is bonkers, as the 10.4 is trusted.
This also means that the Trusted network is bonkers, as the 10.4 is trusted.
This is the stupidity of the client OS, suffixing the local .lan domain name to normal queries to an internet nameserver.
Now the client is xfce4 running on Debian 10.
When using the Trusted network it's near instant:
root@OpenWrt:~# tcpdump -i any -vn udp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:14:08.102480 ethertype IPv4, IP (tos 0x0, ttl 64, id 56325, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.38547 > 10.4.0.1.53: 40149+ A? openwrt.org. (29)
17:14:08.102480 IP (tos 0x0, ttl 64, id 56325, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.38547 > 10.4.0.1.53: 40149+ A? openwrt.org. (29)
17:14:08.102480 IP (tos 0x0, ttl 64, id 56325, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.38547 > 10.4.0.1.53: 40149+ A? openwrt.org. (29)
17:14:08.102667 IP (tos 0x0, ttl 64, id 49407, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.9622 > 1.1.1.1.53: 37819+ A? openwrt.org. (29)
17:14:08.106021 ethertype IPv4, IP (tos 0x0, ttl 60, id 26750, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.9622: 37819 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.106021 IP (tos 0x0, ttl 60, id 26750, offset 0, flags [DF], proto UDP (17), length 73)
1.1.1.1.53 > 192.168.178.20.9622: 37819 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.106106 IP (tos 0x0, ttl 64, id 57206, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.7.38547: 40149 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.106111 IP (tos 0x0, ttl 64, id 57206, offset 0, flags [DF], proto UDP (17), length 73)
10.4.0.1.53 > 10.4.4.7.38547: 40149 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.108348 ethertype IPv4, IP (tos 0x0, ttl 64, id 56327, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.36345 > 10.4.0.1.53: 48352+ AAAA? openwrt.org. (29)
17:14:08.108348 IP (tos 0x0, ttl 64, id 56327, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.36345 > 10.4.0.1.53: 48352+ AAAA? openwrt.org. (29)
17:14:08.108348 IP (tos 0x0, ttl 64, id 56327, offset 0, flags [none], proto UDP (17), length 57)
10.4.4.7.36345 > 10.4.0.1.53: 48352+ AAAA? openwrt.org. (29)
17:14:08.108457 IP (tos 0x0, ttl 64, id 49408, offset 0, flags [DF], proto UDP (17), length 57)
192.168.178.20.20195 > 1.1.1.1.53: 58998+ AAAA? openwrt.org. (29)
17:14:08.111100 ethertype IPv4, IP (tos 0x0, ttl 60, id 61062, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.20195: 58998 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
17:14:08.111100 IP (tos 0x0, ttl 60, id 61062, offset 0, flags [DF], proto UDP (17), length 85)
1.1.1.1.53 > 192.168.178.20.20195: 58998 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
17:14:08.111166 IP (tos 0x0, ttl 64, id 57207, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.7.36345: 48352 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
17:14:08.111171 IP (tos 0x0, ttl 64, id 57207, offset 0, flags [DF], proto UDP (17), length 85)
10.4.0.1.53 > 10.4.4.7.36345: 48352 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
Client output:
pvedesktop@pvemobile:~$ time nslookup openwrt.org
Server: 10.4.0.1
Address: 10.4.0.1#53
Non-authoritative answer:
Name: openwrt.org
Address: 139.59.209.225
Name: openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1
real 0m0.020s
user 0m0.005s
sys 0m0.005s
And when doing the same on the Guests network I have no tcpdump to share, as the request never reaches OpenWrt:
pvedesktop@pvemobile:~$ time nslookup openwrt.org
;; connection timed out; no servers could be reached
real 0m15.014s
user 0m0.000s
sys 0m0.010s
Is there anything else I can try?
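The question the helpers keep coming back to is where the time goes between a query and its reply, and whether the reply ever arrives. The script below is an added example (not from the thread or from tcpdump) that pairs each query in a "tcpdump -i any -vn udp port 53" capture with its reply by client socket and transaction id, prints the latency in milliseconds, and calls out queries that never got a reply or that carry a search suffix such as .lan. The sample is constructed: the openwrt.org lookups are copied from the Trusted-network capture above, and the last packet (a client on 10.5.4.1 asking 10.5.0.1 for openwrt.org.lan with no reply) is made up to show the guest-network timeout case. For the guest case itself, run it on a capture taken on the client ("tcpdump -i wlp4s0 -vn udp port 53") at the same time as one on the router: if the client sends and the router never sees the query, the loss is below DNS, on the Wi-Fi, VLAN or cable path.

```shell
#!/bin/sh
# Added example, not from the thread: per-query DNS latency from a
# "tcpdump -i any -vn udp port 53" capture.
# Usage:  tcpdump -i any -vn -l udp port 53 > cap.txt ; sh dns_latency.sh cap.txt
# Without an argument it runs on the constructed sample at the bottom.

dns_latency() {
    awk '
    # First line of a packet: timestamp, then the IP header summary.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / {
        split($1, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
        next
    }
    # Second line: "src.port > dst.port: id[+] A? name." for a query,
    #              "src.port > dst.port: id n/n/n name. type value" for a reply.
    $2 == ">" {
        id = $4; sub(/[^0-9]+$/, "", id)          # strip the +/* flag characters
        dst = $3; sub(/:$/, "", dst)
        if ($5 ~ /[?]$/) {                         # query: key = client socket + txid
            key = $1 ":" id
            if (key in qts) next                   # -i any shows the same packet more than once
            qts[key] = ts; order[++n] = key
            desc[key] = id " " substr($5, 1, length($5) - 1) " " $6 " " $1 " -> " dst
            if ($6 ~ /\.lan\.$/) note[key] = " (search suffix .lan appended by the client)"
        } else {                                   # reply: key = destination socket + txid
            key = dst ":" id
            if ((key in qts) && !(key in rts)) rts[key] = ts
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            if (key in rts) printf "%s %.1f ms%s\n", desc[key], (rts[key] - qts[key]) * 1000, note[key]
            else            printf "%s NO REPLY%s\n", desc[key], note[key]
        }
    }'
}

# Constructed sample: lines from the capture above plus one made-up unanswered query.
SAMPLE_CAPTURE=$(cat <<'EOF'
17:14:08.102480 IP (tos 0x0, ttl 64, id 56325, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.7.38547 > 10.4.0.1.53: 40149+ A? openwrt.org. (29)
17:14:08.102480 IP (tos 0x0, ttl 64, id 56325, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.7.38547 > 10.4.0.1.53: 40149+ A? openwrt.org. (29)
17:14:08.102667 IP (tos 0x0, ttl 64, id 49407, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.9622 > 1.1.1.1.53: 37819+ A? openwrt.org. (29)
17:14:08.106021 IP (tos 0x0, ttl 60, id 26750, offset 0, flags [DF], proto UDP (17), length 73)
    1.1.1.1.53 > 192.168.178.20.9622: 37819 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.106106 IP (tos 0x0, ttl 64, id 57206, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.7.38547: 40149 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.106111 IP (tos 0x0, ttl 64, id 57206, offset 0, flags [DF], proto UDP (17), length 73)
    10.4.0.1.53 > 10.4.4.7.38547: 40149 1/0/0 openwrt.org. A 139.59.209.225 (45)
17:14:08.108348 IP (tos 0x0, ttl 64, id 56327, offset 0, flags [none], proto UDP (17), length 57)
    10.4.4.7.36345 > 10.4.0.1.53: 48352+ AAAA? openwrt.org. (29)
17:14:08.108457 IP (tos 0x0, ttl 64, id 49408, offset 0, flags [DF], proto UDP (17), length 57)
    192.168.178.20.20195 > 1.1.1.1.53: 58998+ AAAA? openwrt.org. (29)
17:14:08.111100 IP (tos 0x0, ttl 60, id 61062, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.53 > 192.168.178.20.20195: 58998 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
17:14:08.111166 IP (tos 0x0, ttl 64, id 57207, offset 0, flags [DF], proto UDP (17), length 85)
    10.4.0.1.53 > 10.4.4.7.36345: 48352 1/0/0 openwrt.org. AAAA 2a03:b0c0:3:d0::1af1:1 (57)
17:14:20.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 61)
    10.5.4.1.51000 > 10.5.0.1.53: 12345+ A? openwrt.org.lan. (33)
EOF
)

if [ -n "${1:-}" ]; then
    dns_latency < "$1"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | dns_latency
fi
```

Read side by side, the two hops are visible: the client's A query takes 3.6 ms end to end, of which 3.4 ms is the router's own upstream round trip to 1.1.1.1, so the router adds well under a millisecond. A line ending in NO REPLY is the case to chase with a second capture on the client.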
I have no tcpdump to share, as the request never reaches OpenWrt
Did the host acquire the settings properly upon connecting to the guest SSID? Can you verify it has the correct IP and nameserver?
Looks fine to me as far as I can tell:
pvedesktop@pvemobile:~$ cat /etc/resolv.conf
domain lan
search lan
nameserver 10.5.0.1
pvedesktop@pvemobile:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master vmbr0 state DOWN group default qlen 1000
link/ether c8:5b:76:72:f3:b6 brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e4:a7:a0:66:00:8f brd ff:ff:ff:ff:ff:ff
inet 10.5.4.1/16 brd 10.5.255.255 scope global dynamic wlp4s0
valid_lft 66sec preferred_lft 66sec
inet6 fe80::e6a7:a0ff:fe66:8f/64 scope link
valid_lft forever preferred_lft forever
4: vmbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether c8:5b:76:72:f3:b6 brd ff:ff:ff:ff:ff:ff
Alright, try to capture the dns packets on both the host and the router.
You'll never believe what happened just now. Scout's honor, I did not change anything other than run tcpdump on the client.
I opened a second terminal while on the Guests network for a 'time nslookup openwrt.org' and boom! Instant bliss.
And indeed I am unable to connect to the OpenWrt router or any local client, and going online is a breeze.
Even though I am ecstatic at the moment, I am equally worried that things might stop working in the future, and because I have no clue what made OpenWrt behave just now I don't trust things currently.
EDIT: I am now at a greater distance from the Level1 WAP test setup. Usually I test things in my office but am now in chill mode higher in the building. Could that be an explanation? It feels counterintuitive having a lesser signal strength getting better results.
EDIT 2: I'll check again tomorrow morning in my office. If things are indeed location-related then there is still hope, as I have 5 or 6 WAPs strategically placed. I might end up moving some of them then.
If you are not testing near the antenna, my only guess is that your signal strength is not enough to maintain a working connection. Better test first near the antenna with excellent signal, make sure everything works, and then start moving further away. It goes without saying that proper network planning is needed to ensure there is optimal coverage in the areas that you need, so you won't experience such problems in the future.
It feels counterintuitive having a lesser signal strength getting better results.
Could as well be less interference, which is not so visible in just signal strength, but matters in signal-to-noise ratio.
I am not sure but I think it was the quality of the cable between the test WAP and the OpenWrt device.
In the meantime I have all WAPs configured and wired (with good-quality cables) to the switch, and the switch is connected to the OpenWrt device, again with a good-quality cable, and this all results in complete joy at the moment.
I am happy to have made it this far and think it should be smooth sailing from now on. Should things change I'll create a new topic referring back to all related topics.
Thx all for your help thus far. I have learned a lot.
Because the pencil is missing behind my topic I can't mark it as resolved ;( Any chance one could grant me that right permanently?
Because the pencil is missing behind my topic I can't mark it as resolved ;( Any chance one could grant me that right permanently?
We have added the [solved] in the title. You can also select one post as the solution or if it spans in more than one posts, you can write a new reply with all the steps that solved the problem and mark that as the solution.
Uggg.. the DNS issues are back. It seems that cabling is no longer an issue, but the underlying config / software in OpenWrt might be at play, as DNS resolving stopped on any interface, not only on if_Guests, after my ISP finally made it possible to connect the OpenWrt device directly to the ISP.
Shall I create a new topic or can this one be reopened?
Anyway, this is what I have done to bring some sanity back:
(All steps done using LuCI; I will double-check the resulting config at a later stage.)
Reset openwrt to defaults.
Remove wan6 interface
Change lan ip address to 10.0.0.1, netmask 255.252.0.0
DHCP of lan interface => disabled ip6 assignment
When connected by wire to OpenWrt I get the expected 10.0.x.x DHCP lease.
Does not matter how often and with what interval I execute 'time nslookup openwrt.org' I am always getting fast response without fail.
Good so far.
Then I added the VLANs in the switch (40, 50, 60 and 70; eth0, port 1 to 4 tagged)
Still a fully functional experience.
Then I added interface if_Trusted, leaving everything default except:
ip = 10.4.0.1
netmask = 255.255.0.0
interface = eth0.40
firewall zone = lan
dhcp start 1025, end 1000, ip6 = all disabled
Now when connecting to the Trusted ssid I am getting an expected dhcp lease in the 10.4.x.x range.
Does not matter how often and with what interval I execute 'time nslookup openwrt.org' I am always getting fast response without fail.
I did the same steps as for adding if_Trusted, but now for if_Guests:
interface = eth0.50, ip = 10.5.0.1
Now when connecting to the Guests ssid I am getting an expected dhcp lease in the 10.5.x.x range.
But now when I execute 'time nslookup openwrt.org' I usually get a response time of 5 seconds or a timeout after 15 seconds, and sometimes a fast response.
And when I disable the if_Trusted interface, being connected to the Guests ssid gets far better results when I execute 'time nslookup openwrt.org': usually a fast response and sometimes a 5-second wait. No more timeouts.
Does anyone know how to deal with this?
In the meantime I'd like to zero in on the underlying issue by having my client wired to the OpenWrt device directly. How can I configure the OpenWrt device in such a manner that, when I am wired, it will give me a DHCP lease in the if_Guests range?
I am interested to see what happens then with the response times.
Does anyone know how to deal with this?
Each case must be examined again individually with tcpdump to examine the reason for the delay or the timeout, like we did here.
How can I configure the OpenWrt device in such a manner that, when I am wired, it will give me a DHCP lease in the if_Guests range?
In the switch configuration assign one port in the guest vlan untagged.
I would however start with a simpler configuration, using a /24 network rather than the /16, which I doubt will be needed.
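The if_Guests steps above, redone with uci as an added example (this is not the poster's configuration and not OpenWrt project code): a /24 as suggested, the untagged switch port for a wired test client, no IPv6 on the interface, and, the part the LuCI walk-through leaves implicit, a firewall zone of its own instead of zone lan, with input and forward rejected except for DHCP and DNS to the router and forwarding to wan. Assumptions not stated on the page: the switch is "switch0" with the CPU on port 0, the AP trunk on port 1, and port 4 reserved for the wired test client, so VLAN 50 is tagged on 0 and 1 and untagged on 4 (port 4 then has to come out of the other VLANs' port lists); the option names are the swconfig/fw3-era ones matching the eth0.40-style interfaces and fw3 rules elsewhere in this thread. By default the script only prints the uci commands; run it with UCI=uci on the router to apply them.

```shell
#!/bin/sh
# Added example, not the poster's configuration: the guest network from the
# steps above, built with uci, on a /24 and in its own firewall zone.
#
#   sh guest_zone.sh            dry run: prints the uci commands
#   UCI=uci sh guest_zone.sh    on the router: applies them and restarts services

guest_zone_config() {
    u=${1:-echo}

    # Switch (assumed layout): VLAN 50 tagged to CPU port 0 and the AP trunk
    # on port 1, untagged on port 4 for the wired test client.
    $u set network.vlan50=switch_vlan
    $u set network.vlan50.device=switch0
    $u set network.vlan50.vlan=50
    $u set network.vlan50.ports='0t 1t 4'

    # Interface: static /24 on eth0.50, as in the steps above but smaller.
    $u set network.if_Guests=interface
    $u set network.if_Guests.ifname=eth0.50
    $u set network.if_Guests.proto=static
    $u set network.if_Guests.ipaddr=10.5.0.1
    $u set network.if_Guests.netmask=255.255.255.0

    # DHCP: leases 10.5.0.100-249, IPv6 RA and DHCPv6 off ("ip6 = all disabled").
    $u set dhcp.if_Guests=dhcp
    $u set dhcp.if_Guests.interface=if_Guests
    $u set dhcp.if_Guests.start=100
    $u set dhcp.if_Guests.limit=150
    $u set dhcp.if_Guests.leasetime=12h
    $u set dhcp.if_Guests.ra=disabled
    $u set dhcp.if_Guests.dhcpv6=disabled

    # Firewall: a zone of its own, and if_Guests is listed in this zone only.
    # Guests may not reach the router (input REJECT) or any other zone
    # (forward REJECT) except where explicitly allowed below.
    $u set firewall.guest=zone
    $u set firewall.guest.name=guest
    $u add_list firewall.guest.network=if_Guests
    $u set firewall.guest.input=REJECT
    $u set firewall.guest.output=ACCEPT
    $u set firewall.guest.forward=REJECT

    # Internet only: guest -> wan (the wan zone already masquerades).
    $u set firewall.guest_wan=forwarding
    $u set firewall.guest_wan.src=guest
    $u set firewall.guest_wan.dest=wan

    # The two things a guest needs from the router itself: a lease and name resolution.
    $u set firewall.guest_dhcp=rule
    $u set firewall.guest_dhcp.name=Allow-DHCP-guest
    $u set firewall.guest_dhcp.src=guest
    $u set firewall.guest_dhcp.proto=udp
    $u set firewall.guest_dhcp.dest_port=67-68
    $u set firewall.guest_dhcp.target=ACCEPT
    $u set firewall.guest_dns=rule
    $u set firewall.guest_dns.name=Allow-DNS-guest
    $u set firewall.guest_dns.src=guest
    $u set firewall.guest_dns.proto='tcp udp'
    $u set firewall.guest_dns.dest_port=53
    $u set firewall.guest_dns.target=ACCEPT

    $u commit network
    $u commit dhcp
    $u commit firewall
    if [ "$u" = uci ]; then
        /etc/init.d/network restart
        /etc/init.d/dnsmasq restart
        /etc/init.d/firewall restart
    fi
}

guest_zone_config "${UCI:-echo}"
```

After applying, 'fw3 print' should show br-if_Guests jumping only into the zone_guest_* chains and a REJECT input policy for that zone, and a guest client should still get a lease and an answer from 10.5.0.1 because of the two explicit rules.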
In the switch configuration assign one port in the guest vlan untagged.
Thanks to having learned just now what an untagged port does, all is well again.
I have narrowed it down by first going wired on the OpenWrt and WAP on the Trusted and Guests interfaces, only to find no issues whatsoever.
The only thing that remained was the wireless multi-AP capability of the LevelOne WGR-8031.
Turns out having all additional AP ssids enabled is simply too much for this relatively cheap, yet versatile, router.
The solution was to have the Trusted ssid only on the 5 GHz main AP, and the Guests on the 2.4 GHz main AP. The IoT and Peripherals are now only on the 2.4 GHz sub-APs (no longer also on the 5 GHz sub-APs), but they are never going to need DNS anyway, so even if there still would be issues with that in the future I am not going to notice.
All is running like clockwork now.
Whooooooot!!!!! What a ride this was.