Static route to VPN server

Because of asymmetric routing, some packets come to the firewall out of order, hence they are considered invalid.

2 Likes

With drop_invalid enabled, I added masq_allow_invalid='1' to the LAN firewall zone and it won't work.

It also seems interesting that the curl command works from all other LAN clients, which are using the same asymmetric routing. Is it that the AP builds "worse" packets as a result of it than the other clients?

As a test you can enable MASQUERADING on the LAN zone; this should solve the asymmetric routing (not saying this is an ideal solution).
That way traffic will come from the router to which it will return.

1 Like

You can also test this:

# Disable dropping invalid packets
uci set firewall.@defaults[0].drop_invalid="0"
uci commit firewall
service firewall restart

# Enable masquerading and MTU fix for LAN zone
uci set firewall.@zone[0].masq="1"
uci set firewall.@zone[0].mtu_fix="1"
uci commit firewall
service firewall restart

# Disable sending ICMP redirects
cat << EOF >> /etc/sysctl.conf
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
EOF
service sysctl restart
service network restart
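Before changing anything on the router, it helps to see which of the settings from the post above are actually in effect. The script below is an added example, not from this thread or from the OpenWrt project: it reads output in the format of "uci show firewall" (a constructed sample is embedded so it runs offline), finds the zone named lan, and reports whether drop_invalid=1 without LAN masquerading would make the firewall drop out-of-order replies from an asymmetrically routed LAN client as INVALID. The helper names (sample_dump, uci_value, lan_zone_section, lan_asymmetric_routing_ok) are mine, and the assumption that an unset drop_invalid or masq means 0 is mine as well.

```shell
#!/bin/sh
# Added example, not part of the thread: audit firewall settings for the
# asymmetric-routing problem discussed above. On a real router you would feed
# it "$(uci show firewall)" instead of the constructed sample below.

sample_dump() {
    # Constructed sample in the "uci show firewall" format (not a real router).
    cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].masq='0'
firewall.@zone[0].mtu_fix='0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
EOF
}

uci_value() {
    # $1 = dump text, $2 = full option key (e.g. firewall.@zone[0].masq).
    # Prints the value without quotes, or nothing if the key is absent.
    # Values containing '=' are not handled (none of the options here do).
    printf '%s\n' "$1" | awk -v k="$2" -F'=' '
        $1 == k { v = $2; gsub(/\047/, "", v); print v; exit }'
}

lan_zone_section() {
    # Prints the section key (e.g. firewall.@zone[0]) whose name option is lan.
    printf '%s\n' "$1" | awk -F'=' '
        { v = $2; gsub(/\047/, "", v) }
        $1 ~ /\.name$/ && index($1, "firewall.@zone[") == 1 && v == "lan" {
            sub(/\.name$/, "", $1); print $1; exit
        }'
}

lan_asymmetric_routing_ok() {
    # Returns 0 when asymmetric LAN flows survive conntrack (invalid packets
    # are not dropped, or the LAN zone masquerades so replies return via the
    # router), 1 when they would be dropped, 2 when no lan zone exists.
    dump=$1
    zone=$(lan_zone_section "$dump")
    [ -n "$zone" ] || { echo "no zone named lan found" >&2; return 2; }
    drop_invalid=$(uci_value "$dump" "firewall.@defaults[0].drop_invalid")
    masq=$(uci_value "$dump" "$zone.masq")
    mtu_fix=$(uci_value "$dump" "$zone.mtu_fix")
    # Assumption: an unset option behaves like 0.
    if [ "${drop_invalid:-0}" != "1" ]; then
        echo "ok: drop_invalid is off, out-of-order replies are forwarded"
        return 0
    fi
    if [ "${masq:-0}" = "1" ]; then
        echo "ok: $zone masquerades, replies always return through the router (mtu_fix=${mtu_fix:-0})"
        return 0
    fi
    echo "risk: drop_invalid=1 and $zone masq=${masq:-0}; asymmetric LAN replies will be dropped as INVALID"
    return 1
}

# Usage against the constructed sample; exit status 1 means the thread's
# workaround (drop_invalid=0 or LAN masq=1) has not been applied.
if lan_asymmetric_routing_ok "$(sample_dump)"; then
    echo "no change needed"
else
    echo "apply one of the workarounds from the thread"
fi
```

The check deliberately does not treat masq_allow_invalid as a fix, since the thread reports that option did not help on the LAN zone; only the two settings the poster confirmed are counted.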

The first two fix the issue, the third doesn't show a noticeable change. Probably because the AP never went directly to the VPN server but always went over the router.

This thread has been very helpful to me, thank you all a lot. In the long run I will move the VPN server to OpenWrt, which will get rid of any issues like that and fits the situation better anyway. Then I can re-enable drop_invalid :wink:

1 Like
