[Solved] Slow boot after adding Custom Firewall Rules

Hi all, greeting from Brazil.

I have a ZBT WG3526 running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685). The Kernel version is 4.4.92.
It has a good hardware configuration, everything is working, but if I add some custom firewall rules the boot time increases significantly. It goes from seconds to 4 or 5 minutes. If I delete these custom rules, it comes back to seconds again.

Do you have any advice to solve this problem?

thanks,
Daniel

You have to check your firewall rules, one by one. It seems that a boot process has network timeouts due to your custom firewall rules.
Can you list your custom rules?

Hi wtuppa, thanks for your reply... these are my rules:

#VPN
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 192.168.113.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 192.168.3.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 172.17.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 10.10.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 192.168.14.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -d 192.168.23.0/24 -j ACCEPT

#Internet
iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -j MASQUERADE

So you are using a VPN network.
What do you want with the custom rules? As far as I can see, the first ones allow the VPN network to access some local networks, but the last one does masquerading for the VPN network source addresses??
Isn't that rule for internet traffic (outgoing traffic through VPN)?

I think the last rule should be
iptables -t nat -A POSTROUTING -o -j MASQUERADE
where is the name of the VPN IP device.

Can you give us a view of your network (local, internet)?

I'm using strongswan for my site-to-site VPNs; if I remove these rules, none of the tunnels work.

My network is very simple:

Site1: 192.168.13.0/24
Site2: 192.168.113.0/24
Site3: 192.168.3.0/24
Site4: 10.10.0.0/16
Site5: 192.168.23.0/24
Remote Client1: 172.17.2.0/24
Remote Client2: 192.168.14.0/24

All sites are connected by site-to-site VPNs.
The last rule is to permit internet access only for the default network as we have some internal subnets used to make tests eventually.

I have a TP-Link WDR4300 running OpenWrt 15.05.1 at Site2 with the same rules, but the boot time is OK.

OK, what is the IP address of your WAN interface? (both sites)
PS: you can add an interface to your custom rules.

This rule tells all outbound traffic to masquerade with the IP assigned to the LEDE's interface; NOT JUST INTERNET. This rule conflicts with the six other rules. Make the Masquerade rule more specific, specify the correct interface, etc.; and verify the order of all seven rules.


I found out the reason.

I don't know why some rules were not copied... They open traffic to some addresses that use dynamic IPs, so I was using DNS names to get the IP... It was the main cause. I removed these rules and it came back to the normal boot time again.

thanks

OK, that seems to be the issue, as you cannot specify hostnames in iptables.

You'd have to write a script to do a DNS lookup and save the result as a variable (so long as the rule isn't needed during bootup).

Glad you got it working.

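The thread ends with two practical points: keep the MASQUERADE rule specific to the WAN interface and ordered after the site-to-site exemptions, and never let a rule that names a dynamic-DNS host stall the boot while the resolver is unreachable. The script below is an added example written for this thread; it is not the poster's firewall.user nor anything shipped by LEDE/OpenWrt. The WAN interface name (eth0.2), the host names, and the use of busybox `timeout`/`nslookup` are assumptions; the subnets are the ones listed in the thread. Rules are generated as text by `build_rules` and only passed to iptables by `apply_firewall_rules`, so the ordering and the skip behaviour can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's rules, not LEDE code).
# Goals: (1) site-to-site exemptions first, MASQUERADE last and bound to the WAN
# interface; (2) no hostname ever reaches iptables, so a dead resolver at boot
# can only cost DNS_TIMEOUT seconds per name instead of minutes.

LAN_NET="192.168.13.0/24"                       # Site1, from the thread
WAN_IF="${WAN_IF:-eth0.2}"                      # ASSUMED WAN interface, check `ip route`
VPN_NETS="192.168.113.0/24 192.168.3.0/24 172.17.2.0/24 10.10.0.0/16 192.168.14.0/24 192.168.23.0/24"
DYN_HOSTS="${DYN_HOSTS:-}"                      # PLACEHOLDER dynamic-DNS names, space separated
IPTABLES="${IPTABLES:-iptables}"
DNS_TIMEOUT=3                                   # upper bound per lookup, in seconds

# True when the argument is a dotted-quad address or CIDR: safe to hand to
# iptables because no resolver call is needed.
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Bounded lookup: prints the first IPv4 answer, prints nothing on failure.
# ASSUMES busybox `timeout SECS CMD` (older busybox uses `timeout -t SECS`) and
# busybox nslookup output ("Address 1: x.x.x.x" or "Address: x.x.x.x").
resolve_host() {
    addr=$(timeout "$DNS_TIMEOUT" nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+(\.[0-9]+){3}$/) { print $i; exit }
        }')
    if [ -n "$addr" ]; then
        printf '%s\n' "$addr"
        return 0
    fi
    return 1
}

# Turn a rule target into an address iptables accepts without resolving.
# IP literals pass through; names go through the bounded lookup; names that do
# not resolve are logged and skipped rather than allowed to block the boot.
safe_target() {
    if is_ip_literal "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    addr=$(resolve_host "$1")
    if [ -z "$addr" ]; then
        logger -t firewall.user "skipping rule for $1: not resolvable yet" 2>/dev/null || :
        return 1
    fi
    printf '%s\n' "$addr"
}

# Emit the nat/POSTROUTING rules in insertion order: exemptions for the tunnel
# networks, then any dynamic hosts that resolved, then one MASQUERADE limited
# to the WAN interface so tunnel-bound traffic is never rewritten.
build_rules() {
    for net in $VPN_NETS; do
        printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $net -j ACCEPT"
    done
    for host in $DYN_HOSTS; do
        addr=$(safe_target "$host") || continue
        printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -d $addr -j ACCEPT"
    done
    printf '%s\n' "-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Feed the generated rules to iptables, one per line.
apply_firewall_rules() {
    build_rules | while read -r rule; do
        # word-splitting $rule into separate arguments is intended here
        $IPTABLES $rule
    done
}

# Only touch the firewall when invoked as `sh firewall.user apply`.
if [ "${1:-}" = apply ]; then
    apply_firewall_rules
fi
```

A rule that is skipped at boot is simply missing until the script is rerun; on LEDE/OpenWrt a hotplug script on the interface-up event, or a cron job that re-invokes the `apply` step once DNS answers, closes that gap without ever blocking the boot sequence.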