Tinyproxy error opensock: Could not establish a connection to ::1

The proper IPv6 LLA prefix must be fe80::/10, or use your own ULA prefix.


alright, fixed (syncthing still doesn't work btw)

In which mode is that proxy supposed to operate?

  • A canonical proxy requires explicit client side configuration.
  • A transparent proxy relies on the firewall intercepting rules.

Uh... I don't know. I guess it's a transparent proxy, because I often have to go to the tinyproxy settings and allow ports to it. It's using the default configuration on OpenWrt.

Ports allowed to connect to are unrelated to the operating mode.
Have you configured this proxy explicitly on the client side?
What are the related firewall rules on the router?

uci show firewall; iptables-save -c; ip6tables-save -c

I used this guide https://openwrt.org/docs/guide-user/services/proxy/tinyproxy. The proxy is hosted on the router, not by a device on the network. The device trying to connect to the proxy is on a VLAN, but the issue happens even without the VLAN.

Kind of lost, I don't understand these questions.

# Generated by ip6tables-save v1.8.7 on Thu Sep 16 15:57:29 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1408]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[3553:311595] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[97:6874] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[69:5290] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[7:392] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[21:1192] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[3553:311595] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[110:13698] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[28:3486] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[48:7104] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[8:764] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[10:936] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[10:936] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[21:1192] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[21:1192] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
[10:936] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[10:936] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[21:1192] -A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:3486] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m udp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[69:5290] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[69:5290] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[28:3486] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[28:3486] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[69:5290] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[48:7104] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[8:764] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[7:392] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[7:392] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[56:7868] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[56:7868] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Sep 16 15:57:29 2021

Edit: Not sure if the command is repeating itself, here's the pastebin https://pastebin.com/nTcJnbS5


like this?

# Fetch LAN subnet (IPv6 prefix of the lan interface, e.g. fdxx::/60)
. /lib/functions/network.sh
network_flush_cache
network_get_subnet6 NET_SUB6 lan

# Configure IP sets
# hash:net with "nomatch" entries: the most specific entry decides, and a
# nomatch entry excludes that prefix from the set. Loopback, link-local and
# the LAN prefix are excluded so local traffic is never redirected.
uci -q delete firewall.proxy6
uci set firewall.proxy6="ipset"
uci set firewall.proxy6.name="proxy6"
uci set firewall.proxy6.family="ipv6"
uci set firewall.proxy6.storage="hash"
uci set firewall.proxy6.match="net"
uci add_list firewall.proxy6.entry="::1/128 nomatch"
uci add_list firewall.proxy6.entry="fe80::/10 nomatch"
uci add_list firewall.proxy6.entry="${NET_SUB6} nomatch"
# ::/1 plus 8000::/1 together cover the whole IPv6 address space
# (the original post had "8888::/1", which is not a valid /1 prefix)
uci add_list firewall.proxy6.entry="::/1"
uci add_list firewall.proxy6.entry="8000::/1"

# Note: the set alone does nothing; a redirect rule must reference it
uci commit firewall
/etc/init.d/firewall restart

Edit: I still get the same error

. /lib/functions/network.sh
network_flush_cache
# Loop over both families. ${IPV%4} is "" for IPv4 and "6" for IPv6, so it
# selects network_get_subnet/network_get_subnet6 and the proxy/proxy6 sets.
for IPV in 4 6
do
    eval network_get_subnet${IPV%4} NET_SUB lan
    # Redirect: intercept LAN TCP to destinations in the set and send it
    # to tinyproxy on port 8888 (fw3 renders DNAT to self as REDIRECT)
    uci -q delete firewall.proxy_int${IPV%4}
    uci set firewall.proxy_int${IPV%4}="redirect"
    uci set firewall.proxy_int${IPV%4}.name="Proxy-Intercept"
    uci set firewall.proxy_int${IPV%4}.src="lan"
    uci set firewall.proxy_int${IPV%4}.dest_port="8888"
    uci set firewall.proxy_int${IPV%4}.proto="tcp"
    uci set firewall.proxy_int${IPV%4}.ipset="proxy${IPV%4} dest"
    uci set firewall.proxy_int${IPV%4}.family="ipv${IPV}"
    uci set firewall.proxy_int${IPV%4}.target="DNAT"
    # IP set: LAN prefix excluded via nomatch, rest filled in below
    uci -q delete firewall.proxy${IPV%4}
    uci set firewall.proxy${IPV%4}="ipset"
    uci set firewall.proxy${IPV%4}.name="proxy${IPV%4}"
    uci set firewall.proxy${IPV%4}.family="ipv${IPV}"
    uci set firewall.proxy${IPV%4}.match="net"
    uci add_list firewall.proxy${IPV%4}.entry="${NET_SUB} nomatch"
done
# Exclude loopback; the two /1 prefixes cover the whole address space
uci add_list firewall.proxy.entry="127.0.0.0/8 nomatch"
uci add_list firewall.proxy.entry="0.0.0.0/1"
uci add_list firewall.proxy.entry="128.0.0.0/1"
uci add_list firewall.proxy6.entry="::1/128 nomatch"
uci add_list firewall.proxy6.entry="fe80::/10 nomatch"
uci add_list firewall.proxy6.entry="::/1"
uci add_list firewall.proxy6.entry="8000::/1"
uci commit firewall
/etc/init.d/firewall restart

I still get the same error https://pastebin.com/AcYJXKeW
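The following is an added example, not code from the thread or from OpenWrt. It models the ipset-based Proxy-Intercept policy built by the uci script above so the redirect's behaviour can be checked on a workstation before touching the router: hash:net sets use the most specific matching entry, and an entry flagged nomatch means the address is not in the set, so loopback, link-local and the LAN prefix are never redirected while the two /1 entries catch everything else. The LAN prefix is taken from the uci output posted later (fdb2:4498:a235::1/60) and is normalised the same way ipset stores it. One caveat worth keeping in mind when reading the Proxify log line in this thread: a loopback destination such as [::1]:8384 is excluded from interception here, and when a client hands it to an explicit proxy it names the proxy host's own loopback, not the client's.

```python
"""Model of the fw3 ipset + redirect policy from the uci script above.
Added example; reproduces ipset hash:net semantics (longest prefix wins,
nomatch entries exclude) so you can see which destinations would be
redirected to tinyproxy on port 8888."""
import ipaddress

# Entries as posted in the thread's proxy/proxy6 ipsets (nomatch = True).
# The LAN prefixes carry host bits, exactly as network_get_subnet returned
# them; ipaddress.ip_network(strict=False) strips them like ipset does.
PROXY4 = [
    ("127.0.0.0/8", True),      # nomatch: the router's own loopback
    ("192.168.1.1/24", True),   # nomatch: LAN subnet stays local
    ("0.0.0.0/1", False),
    ("128.0.0.0/1", False),
]
PROXY6 = [
    ("::1/128", True),
    ("fe80::/10", True),
    ("fdb2:4498:a235::1/60", True),
    ("::/1", False),
    ("8000::/1", False),
]


def build_set(entries):
    """Return [(network, nomatch)] with networks normalised like ipset."""
    return [(ipaddress.ip_network(cidr, strict=False), nomatch)
            for cidr, nomatch in entries]


SET4 = build_set(PROXY4)
SET6 = build_set(PROXY6)


def in_set(ipset, addr):
    """ipset 'hash:net' test: the most specific containing entry decides;
    if that entry carries the nomatch flag the address is NOT in the set."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, nomatch in ipset:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nomatch)
    return best is not None and not best[1]


def would_intercept(dst, proto="tcp"):
    """Mirror the Proxy-Intercept redirect: TCP only, family chosen by the
    destination address, destination must be in the matching set."""
    ip = ipaddress.ip_address(dst)
    ipset = SET4 if ip.version == 4 else SET6
    return proto == "tcp" and in_set(ipset, dst)


if __name__ == "__main__":
    for dst in ["93.184.216.34", "192.168.1.50", "127.0.0.1",
                "2001:db8::1", "fdb2:4498:a235::42", "fe80::1", "::1"]:
        print(f"{dst:22} intercept={would_intercept(dst)}")
```

Only destinations that fall solely under the /1 catch-all entries come back as intercepted; anything under a nomatch prefix is left to normal routing, which is what the counters on the router should reflect.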

Disable the original redirect to proxy.
Then copy-paste the above code again as I fixed a couple of typos.
If the issue persists, check this:

uci show firewall; \
iptables-save -c -t nat; ipset list proxy; \
ip6tables-save -c -t nat; ipset list proxy6

here it is

uci show firewall; \
> iptables-save -c -t nat; ipset list proxy; \
> ip6tables-save -c -t nat; ipset list proxy6
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Transparent Proxy Redirect'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_port='8888'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].src_dip='!192.168.1.1'
firewall.@redirect[0].dest='guest'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv4'
firewall.doh.storage='hash'
firewall.doh.match='ip'
firewall.doh6=ipset
firewall.doh6.name='doh6'
firewall.doh6.family='ipv6'
firewall.doh6.storage='hash'
firewall.doh6.match='ip'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.family='ipv4'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'
firewall.doh6_fwd=rule
firewall.doh6_fwd.name='Deny-DoH'
firewall.doh6_fwd.src='lan'
firewall.doh6_fwd.dest='wan'
firewall.doh6_fwd.dest_port='443'
firewall.doh6_fwd.proto='tcp udp'
firewall.doh6_fwd.family='ipv6'
firewall.doh6_fwd.ipset='doh6 dest'
firewall.doh6_fwd.target='REJECT'
firewall.dot_fwd=rule
firewall.dot_fwd.name='Deny-DoT'
firewall.dot_fwd.src='lan'
firewall.dot_fwd.dest='wan'
firewall.dot_fwd.dest_port='853'
firewall.dot_fwd.proto='tcp udp'
firewall.dot_fwd.target='REJECT'
firewall.dns_masq=nat
firewall.dns_masq.name='Masquerade-DNS'
firewall.dns_masq.src='lan'
firewall.dns_masq.dest_ip='192.168.1.96'
firewall.dns_masq.dest_port='53'
firewall.dns_masq.proto='tcp udp'
firewall.dns_masq.target='MASQUERADE'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.output='ACCEPT'
firewall.guest.input='ACCEPT'
firewall.guest.forward='ACCEPT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_wan.enabled='1'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
firewall.tor=ipset
firewall.tor.name='tor'
firewall.tor.family='ipv4'
firewall.tor.storage='hash'
firewall.tor.match='net'
firewall.tor.entry='127.0.0.0/8 nomatch' '192.168.2.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
firewall.tor6=ipset
firewall.tor6.name='tor6'
firewall.tor6.family='ipv6'
firewall.tor6.storage='hash'
firewall.tor6.match='net'
firewall.tor6.entry='::1/128 nomatch' 'fe80::/10 nomatch' ' nomatch' '::/1' '8000::/1'
firewall.tcp_int=redirect
firewall.tcp_int.name='Intercept-TCP'
firewall.tcp_int.src='guest'
firewall.tcp_int.dest_port='9040'
firewall.tcp_int.proto='tcp'
firewall.tcp_int.extra='--syn'
firewall.tcp_int.ipset='tor dest'
firewall.tcp_int.target='DNAT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-IGMP-Guest'
firewall.@rule[15].src='guest'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].proto='igmp'
firewall.@rule[15].family='ipv4'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.proxy=ipset
firewall.proxy.name='proxy'
firewall.proxy.family='ipv4'
firewall.proxy.storage='hash'
firewall.proxy.match='net'
firewall.proxy.entry='127.0.0.0/8 nomatch' '192.168.1.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
firewall.proxy6=ipset
firewall.proxy6.name='proxy6'
firewall.proxy6.family='ipv6'
firewall.proxy6.storage='hash'
firewall.proxy6.match='net'
firewall.proxy6.entry='::1/128 nomatch' 'fe80::/10 nomatch' 'fdb2:4498:a235::1/60 nomatch' '::/1' '8000::/1'
firewall.proxy_int=redirect
firewall.proxy_int.name='Proxy-Intercept'
firewall.proxy_int.src='lan'
firewall.proxy_int.dest_port='8888'
firewall.proxy_int.proto='tcp'
firewall.proxy_int.ipset='proxy dest'
firewall.proxy_int.target='DNAT'
# Generated by iptables-save v1.8.7 on Thu Sep 16 17:10:46 2021
*nat
:PREROUTING ACCEPT [67:14035]
:INPUT ACCEPT [22:3940]
:OUTPUT ACCEPT [11:2569]
:POSTROUTING ACCEPT [10:2506]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[68:14087] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1:68] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[55:11280] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[12:2739] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[15:2787] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:63] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[5:338] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:1996] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[3:1996] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[12:2739] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[1:52] -A zone_guest_prerouting -p tcp -m set --match-set tor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[1:63] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -d 192.168.1.96/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
[1:63] -A zone_lan_postrouting -d 192.168.1.96/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
[1:68] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting ! -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Transparent Proxy Redirect" -j DNAT --to-destination 192.168.1.1:8888
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[55:11280] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Sep 16 17:10:46 2021
Name: proxy
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 588
References: 1
Number of entries: 4
Members:
192.168.1.0/24 nomatch
128.0.0.0/1
127.0.0.0/8 nomatch
0.0.0.0/1
# Generated by ip6tables-save v1.8.7 on Thu Sep 16 17:10:46 2021
*nat
:PREROUTING ACCEPT [17:12955]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:520]
:POSTROUTING ACCEPT [6:520]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[17:12955] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[9:4211] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[8:8744] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[6:520] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[8:8744] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor6 dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[9:4211] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Sep 16 17:10:46 2021
Name: proxy6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1664
References: 1
Number of entries: 5
Members:
::/1
8000::/1
fe80::/10 nomatch
::1 nomatch
fdb2:4498:a235::/60 nomatch

It looks correct, except you should disable/remove that redirect:

oh alright

Same issue

Without redirects, tinyproxy works fine for me with IPv6.
Most likely it won't work properly in transparent mode, as most content is served over HTTPS, and you'll get MITM warnings when trying to intercept HTTPS.

Describe your testing method and check traffic counters after trying to use the proxy:

iptables-save -c -t nat | grep -e Proxy-Intercept; \
ip6tables-save -c -t nat | grep -e Proxy-Intercept

Yeah, it works for IPv4. I have only had a problem recently when trying to access syncthingtrayzor. The way I test this is by pressing Syncthing, then refreshing the browser; it will be blank. After that I look at the Proxify logs, and it says this:

[09.16 17:41:10] cefsharp.browsersubprocess.exe (12516) - [::1]:8384 (IPv6) error : Could not connect through proxy 192.168.2.1(192.168.2.1):8888 - Proxy server cannot establish a connection with the target, status code 500

Proxify uses 192.168.2.1:8888 as a proxy server.

After that, I run cat /var/log/tinyproxy.log to look at tinyproxy's logs and see if the issue is still happening. If I see the error is still there, I believe the issue persists. This is the only way I know how to test this.

iptables-save -c -t nat | grep -e Proxy-Intercept; \
> ip6tables-save -c -t nat | grep -e Proxy-Intercept
[356:21360] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888

My computer (doing SSH and Proxify) is connected to the 192.168.2.1 subnet. I have a mobile device on this subnet as well. I have another mobile device connected to the 192.168.1.1 subnet; the goal is to make Syncthing able to see this device (which can be done if every device uses this proxy for Syncthing). My Pi-hole laptop also has Syncthing installed (not running). It could work if I could use this device instead to transfer files across the whole network. Sadly, wirelessly connecting Ubuntu to two wireless hotspots seems difficult, and probably not possible because my laptop is from 2010 or older (not sure). This Pi-hole laptop is connected to the OpenWrt router with an Ethernet cable.
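The counter check requested above is the one measurement in this thread that separates "the redirect never sees IPv6 TCP from the LAN zone" from "the redirect fires and tinyproxy fails afterwards". The following is an added example, not code from the thread: it parses `iptables-save -c` / `ip6tables-save -c` output saved before and after a test request and reports which fw3 rules incremented. The sample snapshots are constructed to match the shape of the lines posted above (the IPv6 Proxy-Intercept rule stays at [0:0], which is consistent with the client having no IPv6 connectivity). It is meant to run on the admin machine against copied output, since OpenWrt routers do not normally ship Python.

```python
"""Diff fw3 rule counters between two iptables-save -c snapshots.
Added example (not from the thread). Rules are keyed by family, chain and
the fw3 rule name in the comment, so tcp/udp variants of one rule sum up."""
import re

# [pkts:bytes] -A <chain> ... --comment "!fw3: <Name>" ...
RULE_RE = re.compile(
    r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+.*?--comment\s+"!fw3: ([^"]+)"')


def parse_counters(save_output, family):
    """Map 'family/chain/name' -> (packets, bytes) for every counted rule
    that carries a named fw3 comment; plain "!fw3" rules are skipped."""
    counters = {}
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, chain, name = m.groups()
        key = f"{family}/{chain}/{name}"
        p, b = counters.get(key, (0, 0))
        counters[key] = (p + int(pkts), b + int(nbytes))
    return counters


def snapshot(v4_output, v6_output):
    """One merged view of iptables-save -c and ip6tables-save -c output."""
    merged = parse_counters(v4_output, "ipv4")
    merged.update(parse_counters(v6_output, "ipv6"))
    return merged


def rules_hit(before, after, name_filter=None):
    """Rules whose packet counter grew between two snapshots, with the
    delta; optionally restricted to names containing name_filter."""
    hits = {}
    for key, (p_after, b_after) in after.items():
        p_before, b_before = before.get(key, (0, 0))
        if p_after > p_before and (name_filter is None or name_filter in key):
            hits[key] = (p_after - p_before, b_after - b_before)
    return hits


# Constructed snapshots in the format of the output posted in the thread.
BEFORE_V4 = '''
[356:21360] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
'''
BEFORE_V6 = '''
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
'''
AFTER_V4 = '''
[360:21600] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[9:610] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
'''
AFTER_V6 = '''
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
'''


def intercept_report():
    """Which Proxy-Intercept rules fired between the two snapshots."""
    return rules_hit(snapshot(BEFORE_V4, BEFORE_V6),
                     snapshot(AFTER_V4, AFTER_V6), "Proxy-Intercept")


if __name__ == "__main__":
    for key, (dp, db) in intercept_report().items():
        print(f"{key}: +{dp} packets, +{db} bytes")
```

If only the ipv4 key shows up, as in the constructed data, the IPv6 redirect was never reached and the problem lies before the firewall (client connectivity or routing); if the ipv6 key increments and tinyproxy still logs a connect error, the redirect works and the failure is on the proxy's outbound leg.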


Try opening from the LAN client:

It should increment both IPv4 and IPv6 counters.
Assuming the client has dual-stack connectivity.

It says IPv6 is not supported on all of my machines, even without being connected to the proxy. This is true; I don't have a public IPv6 address.

I am starting to think that syncthing might still not be able to see all my devices on both networks even if I do all of this. (Solve this error) Syncthing is the only application on my lan that needs to be able to do this (and maybe minecraft, if I ever run a lan server, but I doubt it)

I would probably have to sacrifice, and leave my 192.168.0.1 network with no pihole. That way wifi will go to 192.168.2.1 instead. I tend to avoid the 192.168.0.1 network nowadays anyways, it's mostly for everyone else at home, so I might not leak by doing this (but I have one device that might still use that network.... I don't know if it will use it or if I should even worry about that device). Anyways, by doing this I can have syncthing run on the pihole device and transfer files across all my devices. It's the easiest solution but it has a sacrifice that I don't know if I'll regret, I would have to think about it.

Devices on 192.168.0.1 can't reach devices in 192.168.1.96 (and even if it could, it might be very slow for pihole). This is because of the configuration for the stock router in 192.168.0.1, probably also openwrt being wireless. I doubt there is any way to allow it to reach devices in openwrt.

Update: just a few mins ago one of my devices in my 192.168.0.1 network got rate limited by pihole lol, there is no straightforward way to remove the rate limit, a quick google search without looking too much into it suggests you just disable the rate limit. I think that's a sign that 192.168.0.1 should stop using pihole before someone else gets mad at me again.

