Tethering USB + regular WAN (iptables issue)

Hello everyone,

I have an Archer C7 running openwrt. So far I have WAN coming from ISP router connected to the ethernet WAN port. Also, I configured an interface called "TetheringWAN" (receiving signal from my phone through usb port) as a spare when my ISP is down (to do that I followed a step-by-step guide from some website).

This worked very well. No complaints there.

Lately I've been trying to do something a bit different. And that's where I need help.

I managed to have my regular ISP running through the 2.4 GHz wifi and the TetheringWAN running through the 5 GHz wifi. They are independent of each other.

This is almost perfect. The only thing I'm missing is that I can't seem to apply iptables rules to the TetheringWAN. The rules only apply to my "regular" WAN.

Can anyone give me some insights on what I'm missing out?
I'm still a beginner at all this. Thanks in advance.

Could you please share your config files here?


Sure! I'm not at home right now but I'll send it as soon as I get the chance.

Which files specifically do you want to see?

These at "/etc/config": network, wireless, firewall.


So here are the files.
Please excuse any mess, I was trying out different things to get the result I wanted.

Also, you will notice an interface called "DMZ". That's not necessary anymore.

Just making myself clear: my wish is to have one wifi (2.4 GHz) "connected" to my ISP for general purposes. The other wifi (5 GHz) will be "connected" to the USB port for gaming purposes (just my PS4 as client). (Before you ask: yes, sadly I get a better gaming experience through my 4G than through my ISP.)

Remember: it's important to get iptables applied to both networks.

Thanks a lot for the attention.

Network:


# /etc/config/network as first posted. Review notes are marked NOTE(review).
# Device reuse visible in this file: eth1.3 is listed under TetheringWAN,
# DMZ and 4g_lan; usb0 is listed under both TetheringWAN and 4g_lan.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:ce8e:107f::/48'

# Main LAN: bridge over VLAN 1 (switch ports 3 4 5, see switch_vlan below).
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option dns '200.221.11.100 200.221.11.101 8.8.8.8 1.1.1.1'
	option ifname 'eth1.1'

# ISP uplink: static address behind the ISP router (10.10.10.254).
# The _orig_* options look like editor leftovers rather than live settings.
config interface 'wan'
	option _orig_ifname 'eth0'
	option _orig_bridge 'true'
	option proto 'static'
	option ipaddr '10.10.10.200'
	option netmask '255.255.255.0'
	option gateway '10.10.10.254'
	option ifname 'eth0.2'
	option delegate '0'
	option dns '8.8.8.8'
	option mtu '1500'

# IPv6 side of the ISP uplink, on the same device (eth0.2) as 'wan'.
config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'no'
	option auto '0'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'
	option ifname 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1 6t'

# Phone (USB tethering) uplink, DHCP client.
# NOTE(review): two devices listed without type 'bridge' — confirm which
# one netifd actually binds the DHCP client to.
config interface 'TetheringWAN'
	option proto 'dhcp'
	option ifname 'eth1.3 usb0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2'

# Poster states this interface is no longer needed.
config interface 'DMZ'
	option proto 'static'
	option ifname 'eth1.3'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option delegate '0'

# NOTE(review): this bridge joins usb0 (the phone link) with lan2 and,
# through the wireless config, the 5 GHz AP. Clients on it are presumably
# on the same L2 segment as the phone, so their traffic is switched inside
# the bridge rather than routed — the router's firewall zones would not
# see it. Keeping usb0 out of any LAN-side bridge makes the router route.
config interface '4g_lan'
	option proto 'dhcp'
	option type 'bridge'
	option ifname 'eth1.3 lan2 usb0'

Wireless


# /etc/config/wireless as first posted. Keys were redacted by the poster.
# 5 GHz radio (11a, channel 36, VHT80).
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option country 'BR'
	option txpower '16'
	option legacy_rates '1'

# 2.4 GHz radio (11g, channel 11, HT20).
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option country 'BR'
	option txpower '20'
	option htmode 'HT20'
	option channel '11'

# 2.4 GHz AP, attached to the main 'lan' interface (ISP path).
config wifi-iface 'default_radio1'
	option device 'radio1'
	option key '***********'
	option ssid 'Internet da Vo'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option network 'lan'

# 5 GHz AP for the 4G path.
# NOTE(review): attached to two interfaces at once — TetheringWAN (a
# non-bridge DHCP uplink) and 4g_lan (a bridge). An AP normally belongs to
# a single bridge interface on the LAN side; confirm this is intended.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key '**********'
	option network 'TetheringWAN 4g_lan'

Firewall


# /etc/config/firewall as first posted. Review notes are marked NOTE(review).
# Default policies, used for traffic that no zone claims.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# NOTE(review): only 'wan6' is a member; the 'wan' interface itself is not
# listed. Both map to eth0.2 in the network config, so the zone likely still
# covers the device, but listing 'wan' explicitly removes the dependency on
# that coincidence.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# NOTE(review): the 'ps4' rules below all have src 'wan'. This first one has
# dest '*' plus dest_ip, so it is a forward rule — but inbound traffic only
# reaches 192.168.1.171 if a 'config redirect' (DNAT) exists for the port,
# and none is present. The remaining 'ps4' rules have no dest at all, which
# makes them input rules: they accept WAN-side traffic to the router itself
# on those ports, not traffic to the PS4. That opens router ports without
# helping the console; a redirect per port (or UPnP, already included) is
# the intended construct.
# 'tc1p' looks like a typo for 'tcp'; expect fw3 to reject or ignore it.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tc1p udp'
	option dest_port '3659'
	option name 'ps4'
	option dest_ip '192.168.1.171'
	option dest '*'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '3074'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '3478-3479'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '6000'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1935'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '3478-3480'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '10000-10099'
	option name 'ps4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '42127'
	option name 'ps4'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# NOTE(review): network ' ' is blank, so this zone has no member interface.
# The redirect that follows still DNATs every TCP/UDP port from wan to
# 192.168.0.100 — a full-exposure host. The poster says DMZ is no longer
# needed; dropping the zone, the redirect, the dmz-dns rule and the two
# forwardings below removes that exposure.
config zone
	option name 'DMZ'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option family 'ipv4'
	option network ' '

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'DMZ'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.0.100'
	option dest_port '1-65535'
	option name 'DMZ'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '53'
	option name 'dmz-dns'
	option dest_ip '192.168.0.1'
	option family 'ipv4'
	option proto 'udp'

# NOTE(review): this zone fronts the phone uplink but uses input 'ACCEPT'
# and has no masq/mtu_fix, unlike the wan zone (input REJECT, masq 1). The
# tethered network is an untrusted uplink too; mirroring the wan zone's
# policy is the safer shape.
config zone
	option name 'tetheringWAN'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'TetheringWAN'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'DMZ'
	option src 'tetheringWAN'

config forwarding
	option dest 'tetheringWAN'
	option src 'DMZ'

Are you bridging the "TetheringWAN" and "4g_lan" together?

Yes, before that it was only TetheringWAN bridged to wlan0.

In my last attempt I created an interface called "4g_lan" and tried to put them all together.

That did not work so I stopped and came here for help from people who know what they're doing. :slight_smile:

Sorry, but I am a bit confused now about what "works" and what doesn't, and what does exactly "works" mean in each case...

Here are the files again. This time I tried to get rid of the excessive stuff.

Wireless

# /etc/config/wireless, second (trimmed) paste. Keys redacted by the poster.
# 5 GHz radio (11a, channel 36, VHT80).
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option country 'BR'
	option txpower '16'
	option legacy_rates '1'

# 2.4 GHz radio (11g, channel 11, HT20).
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option country 'BR'
	option txpower '20'
	option htmode 'HT20'
	option channel '11'

# 2.4 GHz AP on the main 'lan' interface (ISP path).
config wifi-iface 'default_radio1'
	option device 'radio1'
	option key '*****'
	option ssid 'Internet da Vo'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option network 'lan'

# 5 GHz AP, now attached to the single bridge interface 'LAN_4G'.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key '*****'
	option network 'LAN_4G'

Network


# /etc/config/network, second (trimmed) paste. Review notes are NOTE(review).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:ce8e:107f::/48'

# Main LAN: bridge over VLAN 1 (switch ports 3 4 5).
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option dns '200.221.11.100 200.221.11.101 8.8.8.8 1.1.1.1'
	option ifname 'eth1.1'

# ISP uplink: static address behind the ISP router (10.10.10.254).
config interface 'wan'
	option _orig_ifname 'eth0'
	option _orig_bridge 'true'
	option proto 'static'
	option ipaddr '10.10.10.200'
	option netmask '255.255.255.0'
	option gateway '10.10.10.254'
	option ifname 'eth0.2'
	option delegate '0'
	option dns '8.8.8.8'

# IPv6 side of the ISP uplink, same device (eth0.2) as 'wan'.
config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'no'
	option auto '0'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'
	option ifname 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1 6t'

# Phone (USB tethering) uplink, DHCP client on usb0 (eth1.3 also listed).
config interface 'TetheringWAN'
	option proto 'dhcp'
	option ifname 'eth1.3 usb0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2'

# LAN side of the 4G path; the 5 GHz AP attaches here per wireless config.
# NOTE(review): this bridge contains usb0 — the very device TetheringWAN
# runs its DHCP client on. Clients joining the bridge are then L2-adjacent
# to the phone, which plausibly explains the 192.168.42.x leases reported
# later (the phone's own DHCP answering before this interface's 192.168.2.1
# does), and means their traffic is bridged to the phone rather than routed
# through the router — so neither the 4gwan zone nor conntrack sees it.
# Leaving usb0 only in TetheringWAN and giving LAN_4G just the AP (no
# ifname, or a LAN-side port) makes the router route between the two zones.
config interface 'LAN_4G'
	option proto 'static'
	option delegate '0'
	option type 'bridge'
	option ifname 'usb0'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'

Firewall



# /etc/config/firewall, second (trimmed) paste. Review notes are NOTE(review).
# Default policies, used for traffic that no zone claims.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# NOTE(review): only 'wan6' is a member; 'wan' itself is not listed. Both
# map to eth0.2, so the zone likely still covers the device, but naming
# 'wan' here as well is the robust form.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Disabled leftover from the removed DMZ; 192.168.0.1 no longer exists in
# the network config, so this can be deleted outright.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '53'
	option name 'dmz-dns'
	option dest_ip '192.168.0.1'
	option family 'ipv4'
	option proto 'udp'
	option enabled '0'

# Zone for the phone uplink; now mirrors the wan zone (input REJECT, masq,
# mtu_fix), which is the right shape for an untrusted uplink.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'TetheringWAN'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option name '4gwan'

config forwarding
	option dest 'wan'
	option src 'lan'

# LAN-side zone for the 4G path. NOTE(review): this zone pair only takes
# effect for traffic the router routes; if LAN_4G bridges usb0 (as in the
# network paste), client-to-phone traffic never crosses 4glan -> 4gwan.
config zone
	option name '4glan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'LAN_4G'
	option forward 'ACCEPT'

config forwarding
	option dest '4gwan'
	option src '4glan'

This way I can get two completely independent wifis. However, iptables and nf_conntrack don't apply to the LAN_4G network. I think my question is mainly about this fact: what do I need to do to apply these resources to two different networks?

Other thing I noticed is that when I connect to "OpenWrt" wifi I don't get IP in the range of 192.168.2.* as I expected. I get an IP in the range of 192.168.42.*.

I get an IP in the range of 192.168.42.*.

I can't help, but I can say that this sounds like an IP given out by the phone's DHCP server when in hotspot/tether mode...
