Special Case Note: This OpenWrt operating system actually functions as a NAS (Network Attached Storage) and does not handle network routing.
I deployed Tailscale in the system and observed that, under the same router and LAN, my PC can establish P2P connections with a high success rate. However, when this NAS, equipped with the OpenWrt system, faces a pure IPv4 environment, the probability of NAT traversal failure is significantly high; it can be considered almost impossible to establish P2P connections, forcing the use of relays. Therefore, it is certain that there is an issue with the firewall or some other aspect.
Upon searching online, I found someone with a similar issue. However, his router is a standard OpenWrt, and he could follow the tutorial settings easily. In my case, this NAS just happens to use the OpenWrt system and lacks LuCI. I have to rely on manually editing firewall rules using UCI. However, after attempting this, it seems that the NAT traversal capability has not improved. I suspect that the firewall rules may not be configured correctly.
Tailscale tutorial on the OpenWrt wiki:
Create a new unmanaged interface via LuCI: Network → Interfaces → Add new interface
- Name: tailscale
- Protocol: Unmanaged
- Device: tailscale0
Create a new firewall zone via LuCI: Network → Firewall → Zones → Add
- Name: tailscale
- Input: ACCEPT (default)
- Output: ACCEPT (default)
- Forward: ACCEPT
- Masquerading: on
- MSS Clamping: on
- Covered networks: tailscale
- Allow forward to destination zones: Select your LAN (and/or other internal zones or WAN if you plan on using this device as an exit node)
- Allow forward from source zones: Select your LAN (and/or other internal zones or leave it blank if you do not want to route LAN traffic to other tailscale hosts)
Click Save & Apply
On my NAS, the system-configured network:
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb3:5d24:4bbe::/48'
network.wan1=interface
network.wan1.ifname='eth0'
network.wan1.proto='dhcp'
network.wan2=interface
network.wan2.ifname='eth1'
network.wan2.proto='dhcp'
network.wan26=interface
network.wan26.proto='dhcpv6'
network.wan26.device='@wan2'
network.wan26.disabled='1'
network.wan16=interface
network.wan16.proto='dhcpv6'
network.wan16.device='@wan1'
network.wan16.disabled='0'
System-configured zone & forwarding:
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
System-configured rules:
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
/config/network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb3:5d24:4bbe::/48'
config interface 'wan1'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan2'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan26'
option proto 'dhcpv6'
option device '@wan2'
option disabled '1'
config interface 'wan16'
option proto 'dhcpv6'
option device '@wan1'
option disabled '0'
ifconfig:
eth0 Link encap:Ethernet HWaddr 98:6E:E8:28:CD:13
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 240e:3b5:34e1:edd0::20/128 Scope:Global
inet6 addr: 240e:3b5:34e1:edd0:9a6e:e8ff:fe28:cd13/64 Scope:Global
inet6 addr: fe80::9a6e:e8ff:fe28:cd13/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9108961 errors:0 dropped:0 overruns:0 frame:0
TX packets:19775610 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1086087055 (1.0 GiB) TX bytes:24185129426 (22.5 GiB)
Memory:7fe00000-7fefffff
eth1 Link encap:Ethernet HWaddr 98:6E:E8:28:CD:14
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:7fc00000-7fcfffff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:336526 errors:0 dropped:0 overruns:0 frame:0
TX packets:336526 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35845496 (34.1 MiB) TX bytes:35845496 (34.1 MiB)
tailscale0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:100.64.32.34 P-t-P:100.64.32.34 Mask:255.255.255.255
inet6 addr: fe80::5f8b:6f05:140c:eaa7/64 Scope:Link
inet6 addr: fd7a:115c:a1e0::22/128 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
RX packets:1255346 errors:0 dropped:0 overruns:0 frame:0
TX packets:1060667 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:70650430 (67.3 MiB) TX bytes:4456946163 (4.1 GiB)
Rules I tried:
uci add network interface
uci set network.@interface[-1].name='tailscale'
uci set network.@interface[-1].proto='unmanaged'
uci set network.@interface[-1].ifname='tailscale0'
uci commit network
uci add firewall zone
uci set firewall.@zone[-1].name='tailscale'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].network='tailscale'
uci commit firewall
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='tailscale'
uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='tailscale'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
/etc/init.d/firewall restart
Got the warnings below after reloading /etc/init.d/firewall:
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[0] (lan) cannot resolve device of network 'lan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[2] (tailscale) cannot resolve device of network 'tailscale'
Warning: Section @zone[0] (lan) has no device, network, subnet or extra options
Warning: Section @zone[1] (wan) has no device, network, subnet or extra options
Warning: Section @zone[2] (tailscale) has no device, network, subnet or extra options
I haven't noticed an improvement in traversal capability; I believe I haven't configured it correctly, so I'm here asking for help.
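An added diagnostic, not from the original post or the OpenWrt wiki, that reads `uci show network` and `uci show firewall` output and lists every zone network with no matching `network.<name>=interface` section, which is what the "cannot resolve device of network" warnings above are reporting. The sample dumps and the anonymous section id cfg0a1b2c are constructed; on the NAS it would be fed the real dumps as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original post. The warning "cannot resolve
# device of network 'X'" means a zone lists a network X with no section
# 'network.X=interface'. 'uci add network interface' makes an anonymous
# section, and an option called 'name' does not rename it, so a zone with
# network='tailscale' still finds nothing to match.
#
# Usage: unresolved_zone_networks "$(uci show network)" "$(uci show firewall)"
# Prints "<zone section> <network>" per dangling reference, nothing if all resolve.
unresolved_zone_networks() {
    # Section names that are real interfaces, one per line.
    ifaces=$(printf '%s\n' "$1" | sed -n 's/^network\.\([A-Za-z0-9_]*\)=interface$/\1/p')
    printf '%s\n' "$2" | awk -F= -v ifaces="$ifaces" -v q="'" '
        BEGIN { n = split(ifaces, list, "\n"); for (i = 1; i <= n; i++) known[list[i]] = 1 }
        # A zone may list several networks on one line, e.g. wan and wan6.
        $1 ~ /^firewall\.@zone\[[0-9]+\]\.network$/ {
            sec = $1; sub(/^firewall\./, "", sec); sub(/\.network$/, "", sec)
            val = $2; gsub(q, "", val)
            m = split(val, nets, " ")
            for (j = 1; j <= m; j++) if (!(nets[j] in known)) print sec, nets[j]
        }' | LC_ALL=C sort
}

# Constructed sample dumps cut down from the post: only wan1/wan2 exist, while
# the zones reference lan, wan, wan6 and a tailscale network that is merely an
# anonymous section (placeholder id cfg0a1b2c) carrying option name=tailscale.
sample_network() {
cat <<'EOF'
network.loopback=interface
network.wan1=interface
network.wan2=interface
network.cfg0a1b2c=interface
network.cfg0a1b2c.name='tailscale'
network.cfg0a1b2c.ifname='tailscale0'
EOF
}
sample_firewall() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='tailscale'
firewall.@zone[2].network='tailscale'
EOF
}

unresolved_zone_networks "$(sample_network)" "$(sample_firewall)"
```

Every line it prints corresponds to one "cannot resolve device of network" warning; once the interface is created as a named section (uci set network.tailscale=interface) the tailscale line disappears while lan/wan/wan6 remain, since the network config has no sections by those names.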