Udpxy with init7 / going nuts after upgrade

hi, i have a working version of openwrt i created some time ago. now i thought i upgrade because… thought maybe something got improved or bugfixes/security/whatever…

so i built openwrt as i usual do with my files/ config but somehow when my mobile phone connects via wifi, i got an error (IP-Konfigurationsfehler). Wierd tho, all other devices (laptop etc.) worked. So i thought easy, i start from scratch. I deleted $OPENWRT/files, used the default .config, added my packages and started to configure… but… i am failing in the very beginning with udpxy and its driving me crazy. this took the whole day and i dont find the problem.

So i have a working SD and a non-working SD. is anyone willing to help me? I can provide all logs and configs, i just need to know which are relevant. As i guess network, wireless and udpxy are the most important ones, here we go:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'

config zone
	option name 'sfpwan'
	list network 'sfpwan'
	list network 'sfpwan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'sfpwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'sfpwan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'sfpwan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'sfpwan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP-Broadcast'
	option src 'sfpwan'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'sfpwan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'sfpwan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'sfpwan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'sfpwan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'sfpwan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'sfpwan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'sfpwan'
	option dest_port '51820'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'sfpwan'

config rule
	option name 'Allow-Input-UDPXY'
	list proto 'tcp'
	option src 'vpn'
	option dest_port '4022'
	option target 'ACCEPT'

config udpxy
	option disabled '0'
	option respawn '1'
	option verbose '0'
	option status '1'
	option bind '0.0.0.0'
	option port '4022'
	# option source '0.0.0.0'
	# option max_clients '3'
	# option log_file '/var/log/udpxy'
	# option buffer_size '4096'
	# option buffer_messages '-1'
	# option buffer_time '-1'
	# option nice_increment '0'
	# option mcsub_renew '0'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'sfp-lan'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6addr 'xxx8::1/64'

config device
	option name 'sfp-wan'
	option macaddr 'xxx'

config interface 'sfpwan'
	option device 'sfp-wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.1.1'

config interface 'sfpwan6'
	option device 'sfp-wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'

config ntpserver
	option hostname '216.239.35.12'
	option port '123'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51820'
	list addresses '192.xxxx'

config wireguard_vpn
	option description 'xxx'
	option public_key 'xxx'
	option persistent_keepalive '25'
	list allowed_ips '192xxx'
	option route_allowed_ips '1'

config wireguard_vpn
	option description 'laptop'
	option public_key 'xxx'
	option private_key 'xxx'
	list allowed_ips '192.1xxxx2'
	option route_allowed_ips '1'

config wireguard_vpn
	option description 'handy'
	option public_key 'xxx'
	option private_key 'xxx'
	option route_allowed_ips '1'
	list allowed_ips '192.168.xxxxx2'

if anything else is missing, please let me know, i can provide them.

If its enough to list the same configs now for the not-working version, i will do so in a couple of hours when i can reboot the device.

Is the config AI generated?

no, why? its quiet old, i assume some things got messed up but it was working with that

Explain how you enter"ntpserver" option via luci into /etc/config/network and what is it supposed %o do.

The way you set nameservers makes lookup busy-loop.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

i also use(d) ssh, like i did with all that vpn stuff. and i dont know how or why i added this part. maybe it was because of dnscrypt that i was using some time ago where i had serious problems when the date was wrong (would at least explain why i used an IP, because dnscrypt would fail when the date is wrong → no dns resolution).

i dont understand that. the old SD has unbound configured. how can i fix that?

thats now from the old SD. the only problem on the old SD is that my mobile phone somehow does not get a correct dns server for whatever reason, but laptop etc. works.

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.60",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "Banana Pi BPI-R4 (2x SFP+)",
	"board_name": "bananapi,bpi-r4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32231-35dbdd644c",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r32231-35dbdd644c",
		"builddate": "1765104644"
	}
}

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx18::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'sfp-lan'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6addr 'xxx8::1/64'

config device
	option name 'sfp-wan'
	option macaddr 'xxx'

config interface 'sfpwan'
	option device 'sfp-wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.1.1'

config interface 'sfpwan6'
	option device 'sfp-wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'

config ntpserver
	option hostname '216.239.35.12'
	option port '123'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51820'
	list addresses '192.168.100.1'

config wireguard_vpn
	option description 'xxx'
	option public_key 'xxx'
	option persistent_keepalive '25'
	list allowed_ips '192.168.100.2/32'
	option route_allowed_ips '1'

config wireguard_vpn
	option description 'laptop'
	option public_key 'xxx'
	option private_key 'xxx'
	list allowed_ips '192.xxx/32'
	option route_allowed_ips '1'

config wireguard_vpn
	option description 'handy'
	option public_key 'xxx'
	option private_key 'xxx'
	option route_allowed_ips '1'
	list allowed_ips '192.xxx/32'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '0'
	option band '2g'
	option channel 'auto'
	option htmode 'HT40'
	option cell_density '0'
	option country 'CH'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli'
	option encryption 'psk2'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '1'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'CH'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli5'
	option encryption 'sae'
	option key 'xxx'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '2'
	option band '6g'
	option channel 'auto'
	option htmode 'EHT160'
	option cell_density '0'
	option country 'CH'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli7'
	option encryption 'sae'
	option key 'xxx'
	option ocv '0'

root@OpenWrt:~# cat /etc/config/dhcp 

config dhcp 'lan'
	option dhcpv4 'server'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	list dhcp_option '6,192.168.1.1,fd6xxx::1' #thats where i tried a lot of stuff but nothing worked, thats why i thought i start over again fresh
	option ipv6_only_preferred '0'
	list dns '192.168.1.1'
	list ntp '0.openwrt.pool.ntp.org'

config dhcp 'sfpwan'
	option interface 'sfpwan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '1'
	option leasefile '/var/lib/odhcpd/dhcp.leases'
	option leasetrigger '/usr/lib/unbound/odhcpd.sh'
	option piofolder '/tmp/odhcpd-piofolder'
	option hostsdir '/tmp/hosts'
	option loglevel '5'

config host
	option name 'synology'
	option ip '192.xxx'
	list mac 'xxx'

config host
	option name 'CoreELEC'
	option ip '192.xxx'
	list mac 'xxx'

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'

config zone
	option name 'sfpwan'
	list network 'sfpwan'
	list network 'sfpwan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'sfpwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'sfpwan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'sfpwan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'sfpwan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP-Broadcast'
	option src 'sfpwan'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'sfpwan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'sfpwan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'sfpwan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'sfpwan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'sfpwan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'sfpwan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'sfpwan'
	option dest_port '51820'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'sfpwan'

config rule
	option name 'Allow-Input-UDPXY'
	list proto 'tcp'
	option src 'vpn'
	option dest_port '4022'
	option target 'ACCEPT'

root@OpenWrt:~# cat /etc/config/unbound 

config unbound 'ub_main'
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '1'
	option dhcp_link 'odhcpd'
	option dhcp4_slaac6 '1'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '1'
	option validator '1'
	option verbosity '1'
	option enabled '1'
	list iface_trig 'lan'
	list iface_lan 'lan'

config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'

and here is the new SD where i tried to start fresh (because i had dozens of old unused packages on the old SD too and old config etc.)

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.60",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "Banana Pi BPI-R4 (2x SFP+)",
	"board_name": "bananapi,bpi-r4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32247-75915e3580",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r32247-75915e3580",
		"builddate": "1765211427"
	}
}

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004ab06axxxb11e2'
	option ula_prefix 'fdxxx:/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'sfp-lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config device
	option name 'sfp-wan'
	option macaddr 'xxx'

config interface 'wan'
	option device 'sfp-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'sfp-wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '0'
	option band '2g'
	option channel 'auto'
	option htmode 'HT20'
	option country 'CH'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli'
	option encryption 'psk2'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE20'
	option country 'CH'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli5'
	option encryption 'sae'
	option key 'xxx'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '2'
	option band '5g'
	option channel 'auto'
	option htmode 'EHT160'
	option country 'CH'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'oli7'
	option encryption 'sae'
	option key 'xxxx'
	option ocv '0'

root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'
	option hostsdir '/tmp/hosts'

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT' #for testing, its now back at reject 
	option output 'ACCEPT'
	option forward 'ACCEPT' #for testing, its now back at reject 
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

root@OpenWrt:~# cat /etc/config/udpxy 

config udpxy
	option disabled '0'
	option respawn '1'
	option verbose '1'
	option status '1'
	option bind '0.0.0.0'
	option port '4022'
	option source_network 'wan'
	option source 'sfp-wan'
	option log_file '/var/log/udpxy'

I assume its a firewall problem, but thats just an assumption

… i found it. after comparing the firewall stuff, this part was missing:

config rule
	option name 'Allow-IGMP-Broadcast'
	option src 'wan'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

If you find anything else that might be “off”, please let me know. Now i can continue…

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.