Some NAT problem with 22.03.0-rc4 fourth release candidate

Original post:

Have some strange issue with NAT on the TOTOLINK X5000R
I have two different subnets on the router.
The first is just br-lan with a static IP and gateway; it is linked with some wireless networks, and there is no DHCP and no NAT.
The second network is connected to the WAN and the WLAN network; the WLAN is using an "unspecified device" network for NAT, there is a static IP on this network and DHCP is enabled. This configuration works on the 21.x versions and does not work on 22.x.
The problem is that in the second subnet, clients successfully connect to the wireless network and get an IP, but cannot connect to the WAN: no internet, NAT is broken. I have tried a clean install, tried all options, no luck. Any thoughts?

Continuing the discussion from OpenWrt 22.03.0-rc4 fourth release candidate:

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name '4gLAN'
	list network 'LANW'
	option forward 'REJECT'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option name '4gwan'
	list network '4GLINK'

config forwarding
	option src '4gLAN'
	option dest '4gwan'

config include
	option path '/etc/firewall.user'

config rule
	option name 'any'
	list proto 'all'
	option src '4gLAN'
	option dest '4gwan'
	option target 'ACCEPT'

config rule
	option name 'any'
	list proto 'all'
	option src '4gwan'
	option dest '4gLAN'
	option target 'ACCEPT'

config rule
	option name 'any'
	list proto 'all'
	option src '4gwan'
	option dest '*'
	option target 'ACCEPT'

config rule
	option name 'any'
	list proto 'all'
	option src '*'
	option dest '4gLAN'
	option target 'ACCEPT'


network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdd9:f5e0:a057::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.7.87'
	option gateway '10.0.7.5'

config interface '4GLINK'
	option proto 'dhcp'
	option device 'wan'

config interface 'LANW'
	option proto 'static'
	option ipaddr '10.0.56.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option ipv6 '0'

wireless

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'AAABBBCCC'
	option encryption 'psk2'
	option key 'mycatsname'
	option network 'LANW'

I assume that @jow meant to provide all information that would stand alone in this thread.

i.e. Why did you post configs?

(Maybe you should provide those details why you posted them, too.)

In fact, I had to search for your post mentioning those things: OpenWrt 22.03.0-rc4 fourth release candidate - #34 by woffko

(If you don't mind, I'll Private Message you about the information you chose to post, what you didn't, and the ease of getting help for OpenWrt issues, i.e. making multiple posts about the same thing, issue requests, etc. I'm updating the Wiki for others' future ease of use.)

Edited. Hope this is better now. I'm sorry I acted stupidly, hurried and tired. :grin:


First I would change all the names to use lowercase only. There is some ambiguity because LuCI upcases them for display, and some scripts may lowercase them.

It appears that you want the effect of two routers in one box, that is the lanw network goes out to one wan, and the lan network goes to a different wan. In the default setup, there is one routing table thus one gateway used for all Internet. To help set up the use of multiple wans, there are policy routing helpers like mwan3 or vpn-policy-routing.

This configuration worked fine on two different routers since version 19.

Never have had problems with that. I'll try but...

It's going to another subnet without using NAT or anything; it's like a simple bridge attached to a different subnet. MultiWAN usually means that one client has access to both networks simultaneously; in my case each of those subnets has its own clients. At least they don't overlap, if not isolated.

I'll look at it... but I don't think it's my case anyway

If the error occurs, can you please provide the output of nft list ruleset as well as cat /var/run/fw4.state and ifstatus LANW as well as ifstatus 4GLINK?

Working: OpenWrt SNAPSHOT r18302-ea49690ff4 / LuCI Master git-21.343.55550-008bd89

ifstatus LANW
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 40290,
        "l3_device": "wlan0",
        "proto": "static",
        "device": "wlan0",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.0.56.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

root@OpenWrt:~# ifstatus 4GLINK
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 40429,
        "l3_device": "wan",
        "proto": "dhcp",
        "device": "wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.0.100.102",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "10.0.100.1",
                        "source": "10.0.100.102/32"
                }
        ],
        "dns-server": [
                "10.0.100.1"
        ],
        "dns-search": [
                "lan"
        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "hostname": "OpenWrt",
                "leasetime": 43200
        }
}

package fw3_state

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option __flags_v4 '0x180017'
	option __flags_v6 '0x180025'

config zone
	option name '4gLAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '0'
	option custom_chains '1'
	list device 'wlan0@LANW'
	list __addrs '10.0.56.1'
	list __addrs 'fe80::5e92:5eff:fe37:92c0'
	option __flags_v4 '0x8964c7'
	option __flags_v6 '0x904c5'

config zone
	option name '4gwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option custom_chains '1'
	list device 'wan@4GLINK'
	list __addrs '10.0.100.102'
	option __flags_v4 '0x8a60c7'
	option __flags_v6 '0xa00c5'

No nft installed.

iptables --list-rules
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_4gLAN_rule
-N forwarding_4gwan_rule
-N forwarding_rule
-N input_4gLAN_rule
-N input_4gwan_rule
-N input_rule
-N output_4gLAN_rule
-N output_4gwan_rule
-N output_rule
-N reject
-N syn_flood
-N zone_4gLAN_dest_ACCEPT
-N zone_4gLAN_dest_REJECT
-N zone_4gLAN_forward
-N zone_4gLAN_input
-N zone_4gLAN_output
-N zone_4gLAN_src_ACCEPT
-N zone_4gwan_dest_ACCEPT
-N zone_4gwan_dest_REJECT
-N zone_4gwan_forward
-N zone_4gwan_input
-N zone_4gwan_output
-N zone_4gwan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_4gLAN_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_4gwan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: any" -j zone_4gLAN_dest_ACCEPT
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_4gLAN_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_4gwan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_4gLAN_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_4gwan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_4gLAN_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_4gLAN_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
-A zone_4gLAN_forward -m comment --comment "!fw3: Custom 4gLAN forwarding rule chain" -j forwarding_4gLAN_rule
-A zone_4gLAN_forward -m comment --comment "!fw3: any" -j zone_4gwan_dest_ACCEPT
-A zone_4gLAN_forward -m comment --comment "!fw3: Zone 4gLAN to 4gwan forwarding policy" -j zone_4gwan_dest_ACCEPT
-A zone_4gLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_4gLAN_forward -m comment --comment "!fw3" -j zone_4gLAN_dest_REJECT
-A zone_4gLAN_input -m comment --comment "!fw3: Custom 4gLAN input rule chain" -j input_4gLAN_rule
-A zone_4gLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_4gLAN_input -m comment --comment "!fw3" -j zone_4gLAN_src_ACCEPT
-A zone_4gLAN_output -m comment --comment "!fw3: Custom 4gLAN output rule chain" -j output_4gLAN_rule
-A zone_4gLAN_output -m comment --comment "!fw3" -j zone_4gLAN_dest_ACCEPT
-A zone_4gLAN_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_4gwan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_4gwan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_4gwan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_4gwan_forward -m comment --comment "!fw3: Custom 4gwan forwarding rule chain" -j forwarding_4gwan_rule
-A zone_4gwan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3: any" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3: any" -j ACCEPT
-A zone_4gwan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3" -j zone_4gwan_dest_REJECT
-A zone_4gwan_input -m comment --comment "!fw3: Custom 4gwan input rule chain" -j input_4gwan_rule
-A zone_4gwan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_4gwan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_4gwan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_4gwan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_4gwan_input -m comment --comment "!fw3" -j zone_4gwan_src_REJECT
-A zone_4gwan_output -m comment --comment "!fw3: Custom 4gwan output rule chain" -j output_4gwan_rule
-A zone_4gwan_output -m comment --comment "!fw3" -j zone_4gwan_dest_ACCEPT
-A zone_4gwan_src_REJECT -i wan -m comment --comment "!fw3" -j reject

OpenWrt 22.03.0-rc4 r19426-2b1941e47d / LuCI openwrt-22.03 branch git-22.140.66268-ef99568

root@OpenWrt:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                counter packets 20 bytes 1742 jump accept_to_4gLAN comment "!fw4: any"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_4gLAN {
                jump accept_from_4gLAN
        }

        chain output_4gLAN {
                jump accept_to_4gLAN
        }

        chain forward_4gLAN {
                counter packets 0 bytes 0 jump accept_to_4gwan comment "!fw4: any"
                jump accept_to_4gwan comment "!fw4: Accept 4gLAN to 4gwan forwarding"
                jump reject_to_4gLAN
        }

        chain accept_from_4gLAN {
        }

        chain accept_to_4gLAN {
        }

        chain reject_to_4gLAN {
        }

        chain input_4gwan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_4gwan
        }

        chain output_4gwan {
                jump accept_to_4gwan
        }

        chain forward_4gwan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: Allow-ISAKMP"
                counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: any"
                counter packets 0 bytes 0 accept comment "!fw4: any"
                jump reject_to_4gwan
        }

        chain accept_to_4gwan {
        }

        chain reject_from_4gwan {
        }

        chain reject_to_4gwan {
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
        }

        chain srcnat_4gwan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 4gwan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain helper_4gLAN {
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
        }
}

root@OpenWrt:~# cat /var/run/fw4.state
{ "zones": [ { "enabled": true, "name": "4gLAN", "network": [ { "invert": false, "val": "LANW", "device": "LANW" } ], "input": "accept", "output": "accept", "forward": "reject", "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wlan0" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "accept": true }, "dflags": { "accept": true, "reject": true, "helper": true }, "match_devices": [ "wlan0" ], "match_subnets": [ "10.0.56.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wlan0" ] }, { "enabled": true, "name": "4gwan", "network": [ { "invert": false, "val": "4GLINK", "device": "4GLINK" } ], "input": "reject", "output": "accept", "forward": "reject", "masq": true, "mtu_fix": true, "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wan" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "reject": true }, "dflags": { "accept": true, "reject": true, "snat": true }, "match_devices": [ "wan" ], "match_subnets": [ "10.0.100.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wan" ] } ], "ipsets": null, "networks": { "4GLINK": { "up": true, "device": "wan", "physdev": "wan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 24 } ] }, "LANW": { "up": true, "device": "wlan0", "physdev": "wlan0", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ] }, "lan": { "up": true, "device": "br-lan", "physdev": "br-lan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.77.87", "mask": "255.255.255.0", "bits": 24 }, { "family": 6, "addr": "fdd9:f5e0:a057::1", "mask": "ffff:ffff:ffff:fff0::", "bits": 60 } ] }, "loopback": { "up": true, "device": "lo", "physdev": "lo", "zone": null, "ipaddrs": [ { "family": 4, "addr": "127.0.0.1", "mask": "255.0.0.0", "bits": 8 } ] } }, "ubus_rules": [ ] }

root@OpenWrt:~# ifstatus LANW
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 325,
        "l3_device": "wlan0",
        "proto": "static",
        "device": "wlan0",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.0.56.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

root@OpenWrt:~# ifstatus 4GLINK
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 358,
        "l3_device": "wan",
        "proto": "dhcp",
        "device": "wan",
        "updated": [
                "addresses",
                "routes",
                "data"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "10.0.100.102",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "10.0.100.1",
                        "source": "10.0.100.102/32"
                }
        ],
        "dns-server": [
                "10.0.100.1"
        ],
        "dns-search": [
                "lan"
        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "dhcpserver": "10.0.100.1",
                "hostname": "OpenWrt",
                "leasetime": 43200
        }
}
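The working fw3 output and the rc4 nft ruleset quoted above differ in one mechanical way: fw3 dispatches every zone device from the base chains (-A FORWARD -i wlan0 ... -j zone_4gLAN_forward, -A INPUT -i wan ... -j zone_4gwan_input), whereas in the rc4 ruleset the input, forward and srcnat base chains contain no iifname/oifname ... jump rule into input_4gLAN, forward_4gLAN, forward_4gwan or srcnat_4gwan, so the masquerade rule in srcnat_4gwan is never reached and the only rule that fires in forward is the "any" jump to the empty accept_to_4gLAN chain. The script below is an added diagnostic example (not code from the thread and not part of firewall4) that reads an nft list ruleset dump together with the zone list from /var/run/fw4.state and reports every zone device that has no dispatch rule. The two rulesets embedded in it are constructed excerpts: the broken one mirrors the rc4 output above, while the healthy one, including its comment strings, is my assumption of what a correct fw4 ruleset looks like; the state JSON is trimmed to the fields the check reads, with values taken from the fw4.state quoted above.

```python
"""Check that every fw4 zone device is dispatched from the nftables base chains.

Added diagnostic example; not code from the thread and not part of firewall4.
A zone whose device never appears in an `iifname ... jump input_<zone>` /
`iifname ... jump forward_<zone>` rule (or `oifname ... jump srcnat_<zone>`
for masquerading zones) is neither filtered nor NATed, which is the symptom
reported in the thread.
"""
import json
import re

# Constructed excerpt modelled on the 22.03.0-rc4 ruleset quoted in the thread:
# the base chains carry no per-zone device jumps and srcnat is empty.
BROKEN_RULESET = """\
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                counter packets 20 bytes 1742 jump accept_to_4gLAN comment "!fw4: any"
                jump handle_reject
        }

        chain accept_to_4gLAN {
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
        }

        chain srcnat_4gwan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 4gwan traffic"
        }
}
"""

# Constructed (assumed) shape of a healthy ruleset for the same two zones; the
# comment strings are my assumption, not quoted router output.
HEALTHY_RULESET = """\
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                iifname "wlan0" jump input_4gLAN comment "!fw4: Handle 4gLAN IPv4/IPv6 input traffic"
                iifname "wan" jump input_4gwan comment "!fw4: Handle 4gwan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                iifname "wlan0" jump forward_4gLAN comment "!fw4: Handle 4gLAN IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_4gwan comment "!fw4: Handle 4gwan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_4gwan comment "!fw4: Handle 4gwan IPv4/IPv6 srcnat traffic"
        }
}
"""

# Trimmed to the fields the check reads; values are those from the quoted fw4.state.
FW4_STATE = json.dumps({
    "zones": [
        {"name": "4gLAN", "match_devices": ["wlan0"],
         "dflags": {"accept": True, "reject": True, "helper": True}},
        {"name": "4gwan", "match_devices": ["wan"],
         "dflags": {"accept": True, "reject": True, "snat": True}},
    ]
})

# A chain body runs from "chain <name> {" to the first line holding only "}".
CHAIN_RE = re.compile(r"chain (\w+) \{(.*?)^\s*\}", re.S | re.M)
DISPATCH_RE = re.compile(r'(?:iifname|oifname) "([^"]+)" jump (\w+)')


def parse_chains(ruleset):
    """Map chain name -> list of rule lines for every chain in the dump."""
    return {name: body.strip("\n").splitlines() for name, body in CHAIN_RE.findall(ruleset)}


def dispatch_map(chains, base):
    """Map device -> set of chains that `base` jumps to for that device."""
    out = {}
    for line in chains.get(base, []):
        m = DISPATCH_RE.search(line)
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out


def missing_dispatch(ruleset, state_json):
    """One finding per (base chain, device, zone chain) that has no dispatch rule."""
    chains = parse_chains(ruleset)
    findings = []
    for zone in json.loads(state_json)["zones"]:
        name = zone["name"]
        expected = [("input", f"input_{name}"), ("forward", f"forward_{name}")]
        if zone.get("dflags", {}).get("snat"):  # masquerading zones also need srcnat dispatch
            expected.append(("srcnat", f"srcnat_{name}"))
        for dev in zone["match_devices"]:
            for base, target in expected:
                if target not in dispatch_map(chains, base).get(dev, set()):
                    findings.append(f"{base}: no jump from device {dev} to {target}")
    return findings


if __name__ == "__main__":
    for label, rs in (("rc4 excerpt", BROKEN_RULESET), ("healthy excerpt", HEALTHY_RULESET)):
        print(label, "->", missing_dispatch(rs, FW4_STATE) or "all zone devices dispatched")
```

On a router the same check runs against live data with missing_dispatch(open("ruleset.txt").read(), open("/var/run/fw4.state").read()) after saving nft list ruleset to a file; any finding for the masquerading zone's srcnat chain means outbound traffic leaves the WAN device with private source addresses and no NAT, exactly the "no internet" symptom above.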

FYI
I have configured OpenWrt from zero, and now it has a slightly different firewall config; there are the standard generated rules, like Allow-Ping, Allow-DHCP-Renew and so on, but I don't think they play any role... I hope it's not necessary to post the config again...

The current solution is to configure the WAN as a bridge, create a new UNMANAGED interface and use it in the wireless AP settings. In my case it is an acceptable solution without using NAT and the firewall, because I already have them on the linked device.

config device
	option type 'bridge'
	option name 'ROOTER_BRIDGE'
	list ports 'wan'
	option bridge_empty '1'

config interface 'ROOTER_LAN'
	option proto 'none'
	option device 'ROOTER_BRIDGE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'bckp'
	option encryption 'psk2'
	option key 'nonono'
	option network 'ROOTER_LAN'