openwrt has switched to fw4/nft by default. After rebuilding the image with fw4/nft I noticed that I cannot connect to either my wireguard or openvpn server installed on the router; both vpn servers are configured to listen on udp (there is no other option for wireguard though). If I reconfigure openvpn to listen on a tcp port then it works fine. I think it's a bug because tcp traffic rules work as they should; also there are no incoming packets in the input_wan chain
tcp dport 51820 counter packets 0 bytes 0 accept comment "!fw4: wireguard"
udp dport 51820 counter packets 0 bytes 0 accept comment "!fw4: wireguard"
tcp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: openvpn"
udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: openvpn"
So basically my old config with fw/iptables works fine but fw4/nft doesn't.
I think you can scratch fw4, as it apparently creates the proper rules. So it likely is an nft issue.
Is any kind of offloading in use?
Tried w/ and w/o sw/hw offloading
On which target/device does this problem occur?
ubiquiti edgerouter X mt7621
Hmm, using an Ubnt ER-X-SFP as my home gateway here and I can't easily reproduce UDP-specific issues; the UDP test rule coupled with some netcat -u probing works as expected... packets arrive, rule has a non-zero counter.
Given that your rules all have zero counters I suppose that they're simply not reached, and the TCP connect maybe works because it's accidentally allowed by something else by chance. Would you mind PMing me your complete /etc/config/firewall as well as the nft list ruleset output?
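The zero-counter reasoning above can be automated: the following added example (not from the thread or from fw4) parses counter-bearing rule lines as printed by nft list ruleset and flags accept rules that matching traffic never reached. The sample lines are constructed from the ones quoted in the thread plus one hypothetical ssh rule with a non-zero counter for contrast.

```python
import re

# Constructed sample: the fw4 rule lines quoted in the thread, plus an assumed
# ssh rule that has seen traffic, as nft prints them inside a chain.
SAMPLE_RULES = """\
tcp dport 51820 counter packets 0 bytes 0 accept comment "!fw4: wireguard"
udp dport 51820 counter packets 0 bytes 0 accept comment "!fw4: wireguard"
tcp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: openvpn"
udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: openvpn"
tcp dport 22 counter packets 17 bytes 1360 accept comment "!fw4: ssh"
"""

# One nft rule: <proto> dport <port> counter packets N bytes M <verdict> [comment "..."]
RULE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+dport\s+(?P<port>\d+)\s+counter\s+packets\s+(?P<packets>\d+)'
    r'\s+bytes\s+(?P<bytes>\d+)\s+(?P<verdict>accept|drop|reject)'
    r'(?:\s+comment\s+"(?P<comment>[^"]*)")?\s*$'
)


def parse_rules(text):
    """Parse counter-bearing rule lines into dicts; lines of other shapes are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        for key in ("port", "packets", "bytes"):
            rule[key] = int(rule[key])
        rules.append(rule)
    return rules


def unreached(rules):
    """Accept rules with zero packets: nothing has hit them, so matching traffic is
    being handled (or dropped) earlier in the ruleset rather than by this rule."""
    return [r for r in rules if r["verdict"] == "accept" and r["packets"] == 0]


def per_service(rules):
    """Group counters by (port, comment) so the tcp and udp rule of one service
    can be compared side by side, e.g. {(51820, '!fw4: wireguard'): {'tcp': 0, 'udp': 0}}."""
    summary = {}
    for r in rules:
        summary.setdefault((r["port"], r["comment"]), {})[r["proto"]] = r["packets"]
    return summary
```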
Interesting, I removed all port forward rules and now udp works. Looks like the same issue as per Firewall4 issues with multi-protocol port forwards.
Multiprotocol rules break things)