WAN to OpenConnect VPN traffic forward

Hello,

I'd like to ask for help configuring traffic forwarding from the WAN interface to the OpenConnect VPN client. The task does not sound complicated, but in fact nothing works.

So I have 2 routers: the main router connected to the ISP (192.168.0.0/24), which is the WAN side, and the OpenWrt router (192.168.1.0/24) that has the OpenConnect VPN client configured.
Ideally the routes I need forwarded to the VPN are set in the default route on the main router (192.168.0.1/24).

The OpenConnect VPN client is connected to the Cisco AnyConnect VPN concentrator and all is good: I get echo replies from the DNS servers (10.124.128.51, 10.124.128.52) when testing on the OpenWrt router itself, but there is no response for clients behind the WAN zone.
The WAN zone has no firewall restrictions, so this seems to be a routing issue, but I can't figure out how it needs to be routed.

The goal is for OpenWrt to connect to the Cisco AnyConnect VPN server instead of connecting from the client machines.

Here are the OpenWrt router configs:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
10.14.0.0       *               255.255.255.0   U     0      0        0 wg0
10.14.0.3       *               255.255.255.255 UH    0      0        0 wg0
10.124.0.0      *               255.255.255.0   U     0      0        0 vpn-dc0
10.124.126.64   *               255.255.255.192 U     0      0        0 vpn-dc0
10.124.128.51   *               255.255.255.255 UH    0      0        0 vpn-dc0
10.124.128.52   *               255.255.255.255 UH    0      0        0 vpn-dc0
10.124.146.0    *               255.255.255.0   U     0      0        0 vpn-dc0
172.26.250.26   *               255.255.255.255 UH    0      0        0 vpn-dc0
172.30.192.0    *               255.255.255.0   U     0      0        0 vpn-dc0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.144.0   *               255.255.255.0   U     0      0        0 vpn-dc0
xx.xx.xx.xx	    192.168.0.1     255.255.255.255 UGH   0      0        0 eth1

# ip r
default via 192.168.0.1 dev eth1  proto static  src 192.168.0.2
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.14.0.0/24 dev wg0  proto kernel  scope link  src 10.14.0.1
10.14.0.3 dev wg0  proto static  scope link
10.124.0.0/24 dev vpn-dc0  scope link
10.124.126.64/26 dev vpn-dc0  scope link
10.124.128.51 dev vpn-dc0  scope link
10.124.128.52 dev vpn-dc0  scope link
10.124.146.0/24 dev vpn-dc0  scope link
172.26.250.26 dev vpn-dc0  scope link
172.30.192.0/24 dev vpn-dc0  scope link
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.2
192.168.0.1 dev eth1  proto static  scope link  src 192.168.0.2
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1 linkdown
192.168.144.0/24 dev vpn-dc0  scope link
xx.xx.xx.xx via 192.168.0.1 dev eth1  proto static

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde9:a910:0a44::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'xxx'
        list addresses '10.14.0.1/24'

config wireguard_wg0
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'xxx'
        list allowed_ips '10.14.0.3/32'

config interface 'dc0'
        option proto 'openconnect'
        option port '443'
        option username 'xxx'
        option password 'xxx'
        option auto '0'
        option no_dtls '1'
        option server 'xxx'
        option usergroup 'xxx'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option forward 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0 wg0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'DCVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'dc0'
        option masq '1'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'DCVPN'

config forwarding
        option dest 'DCVPN'
        option src 'lan'

config forwarding
        option dest 'DCVPN'
        option src 'wan'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'vpn'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'DCVPN'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'vpn'

Routing table /etc/iproute2/rt_tables

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

PING tests:

On OpenWrt router:

# ping 10.124.128.51
PING 10.124.128.51 (10.124.128.51): 56 data bytes
64 bytes from 10.124.128.51: seq=0 ttl=127 time=9.415 ms
64 bytes from 10.124.128.51: seq=1 ttl=127 time=8.904 ms
64 bytes from 10.124.128.51: seq=2 ttl=127 time=8.952 ms
64 bytes from 10.124.128.51: seq=3 ttl=127 time=8.884 ms
^C
--- 10.124.128.51 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 8.884/9.038/9.415 ms
# ping 10.124.128.52
PING 10.124.128.52 (10.124.128.52): 56 data bytes
64 bytes from 10.124.128.52: seq=0 ttl=127 time=8.908 ms
64 bytes from 10.124.128.52: seq=1 ttl=127 time=8.669 ms
64 bytes from 10.124.128.52: seq=2 ttl=127 time=8.997 ms
64 bytes from 10.124.128.52: seq=3 ttl=127 time=9.674 ms
^C
--- 10.124.128.52 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 8.669/9.062/9.674 ms

On another client machine:

$ ping 10.124.128.51
PING 10.124.128.51 (10.124.128.51) 56(84) bytes of data.
^C
--- 10.124.128.51 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4097ms

$ traceroute 10.124.128.51
traceroute to 10.124.128.51 (10.124.128.51), 30 hops max, 60 byte packets
 1  192.168.0.2 (192.168.0.2)  3.894 ms  4.282 ms  4.607 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

I hope I'm not missing anything.
I've been stuck on this for some time and would appreciate any help.

Thank You.


Does it work from a host connected in the lan?


No, unfortunately it doesn't work either.
The first thing I tried was connecting to the OpenWrt router's LAN, but I still can't get routed to the VPN network.

cat /proc/sys/net/ipv4/ip_forward ?


The forward is enabled:

# cat /proc/sys/net/ipv4/ip_forward
1

Let's see what goes out:
tcpdump -i vpn-dc0 -evn host 10.124.128.51
Then start a ping from a lan host to that server.


Something comes out:

Client:

$ ping -c4 10.124.128.51
PING 10.124.128.51 (10.124.128.51) 56(84) bytes of data.

--- 10.124.128.51 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3065ms

OpenWrt:

# tcpdump -i vpn-dc0 -evn host 10.124.128.51
tcpdump: listening on vpn-dc0, link-type RAW (Raw IP), capture size 262144 bytes
02:15:12.740718 ip: (tos 0x0, ttl 63, id 18631, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 7019, seq 1, length 64
02:15:13.760341 ip: (tos 0x0, ttl 63, id 18869, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 7019, seq 2, length 64
02:15:14.784961 ip: (tos 0x0, ttl 63, id 19032, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 7019, seq 3, length 64
02:15:15.808112 ip: (tos 0x0, ttl 63, id 19165, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 7019, seq 4, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

It seems that the outgoing packets are not masqueraded (the capture shows the private source 192.168.0.151 leaving vpn-dc0 unchanged).
ip -4 addr; iptables-save -c -t nat | grep MASQ


I think the masquerading is enabled on the FW:

# ip -4 addr; iptables-save -c -t nat | grep MASQ
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
5: br-lan: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 10.14.0.1/24 brd 10.14.0.255 scope global wg0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
9: vpn-dc0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1335 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.124.126.125/32 scope global vpn-dc0
       valid_lft forever preferred_lft forever
[0:0] -A zone_DCVPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
[22:6699] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[265:29667] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

It is enabled, but it is not being used: the `zone_DCVPN_postrouting` MASQUERADE counter is `[0:0]`, so no packets have hit it.

@vgaetera any idea? I haven't used OC myself.


Try this way:

tcpdump -evni any icmp

Probably it's worth checking all routing tables and rules:

ip route show table all; ip rule show

Also, the switch/VLAN config looks odd, since the interfaces have no VLAN IDs.


That's the output:

Client:

$ ping -c4 10.124.128.51
PING 10.124.128.51 (10.124.128.51) 56(84) bytes of data.

--- 10.124.128.51 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

OpenWrt:

# tcpdump -evni any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:41:39.970259  In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 50891, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 1, length 64
16:41:39.970475 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 50891, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 1, length 64
16:41:40.978605  In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 50911, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 2, length 64
16:41:40.978763 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 50911, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 2, length 64
16:41:42.003584  In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 51015, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 3, length 64
16:41:42.003708  In ethertype Unknown (0x0000), length 100:
        0x0000:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 1011 1213  ................
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 0000 0000  $%&'()*+,-./....
        0x0050:  0000 0000                                ....
16:41:43.026637  In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 51106, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 4, length 64
16:41:43.026761 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 51106, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 2990, seq 4, length 64
^C
8 packets captured
9 packets received by filter
0 packets dropped by kernel

The output:

# ip route show table all; ip rule show
default via 192.168.0.1 dev eth1  proto static  src 192.168.0.2
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.14.0.0/24 dev wg0  proto kernel  scope link  src 10.14.0.1
10.14.0.3 dev wg0  proto static  scope link
10.124.0.0/24 dev vpn-dc0  scope link
10.124.126.64/26 dev vpn-dc0  scope link
10.124.128.51 dev vpn-dc0  scope link
10.124.128.52 dev vpn-dc0  scope link
10.124.146.0/24 dev vpn-dc0  scope link
172.26.250.26 dev vpn-dc0  scope link
172.30.192.0/24 dev vpn-dc0  scope link
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.2
192.168.0.1 dev eth1  proto static  scope link  src 192.168.0.2
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1 linkdown
192.168.144.0/24 dev vpn-dc0  scope link
xxx.xxx.xxx.xxx via 192.168.0.1 dev eth1  proto static
broadcast 10.8.0.0 dev tun0  table local  proto kernel  scope link  src 10.8.0.1
local 10.8.0.1 dev tun0  table local  proto kernel  scope host  src 10.8.0.1
broadcast 10.8.0.255 dev tun0  table local  proto kernel  scope link  src 10.8.0.1
broadcast 10.14.0.0 dev wg0  table local  proto kernel  scope link  src 10.14.0.1
local 10.14.0.1 dev wg0  table local  proto kernel  scope host  src 10.14.0.1
broadcast 10.14.0.255 dev wg0  table local  proto kernel  scope link  src 10.14.0.1
local 10.124.126.82 dev vpn-dc0  table local  proto kernel  scope host  src 10.124.126.82
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.0.0 dev eth1  table local  proto kernel  scope link  src 192.168.0.2
local 192.168.0.2 dev eth1  table local  proto kernel  scope host  src 192.168.0.2
broadcast 192.168.0.255 dev eth1  table local  proto kernel  scope link  src 192.168.0.2
broadcast 192.168.1.0 dev br-lan  table local  proto kernel  scope link  src 192.168.1.1 linkdown
local 192.168.1.1 dev br-lan  table local  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan  table local  proto kernel  scope link  src 192.168.1.1 linkdown
fde9:a910:a44::/64 dev br-lan  proto static  metric 1024 linkdown  pref medium
unreachable fde9:a910:a44::/48 dev lo  proto static  metric 2147483647  error -148 pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -128 pref medium
local ::1 dev lo  table local  proto none  metric 0  pref medium
local fe80:: dev lo  table local  proto none  metric 0  pref medium
local fe80::c66e:1fff:fe4d:20b9 dev lo  table local  proto none  metric 0  pref medium
ff00::/8 dev br-lan  table local  metric 256 linkdown  pref medium
ff00::/8 dev eth1  table local  metric 256  pref medium
unreachable default dev lo  proto kernel  metric 4294967295  error -128 pref medium
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You are right, the VLAN is not in use; I've disabled it, though I thought it shouldn't interfere:

config switch
        option name 'switch0'
        option reset '1'

Post the full output:

iptables-save; nft list ruleset

IPTables:

# iptables-save
# Generated by iptables-save v1.4.21 on Mon Jul  5 21:02:37 2021
*nat
:PREROUTING ACCEPT [1661:148340]
:INPUT ACCEPT [826:108970]
:OUTPUT ACCEPT [587:82270]
:POSTROUTING ACCEPT [341:38610]
:postrouting_DCVPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_DCVPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_DCVPN_postrouting - [0:0]
:zone_DCVPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_DCVPN_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_DCVPN_rule
-A zone_DCVPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_DCVPN_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_DCVPN_rule
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Mon Jul  5 21:02:37 2021
# Generated by iptables-save v1.4.21 on Mon Jul  5 21:02:37 2021
*mangle
:PREROUTING ACCEPT [16690:5104728]
:INPUT ACCEPT [15852:5065106]
:FORWARD ACCEPT [52:3216]
:OUTPUT ACCEPT [5263:1049435]
:POSTROUTING ACCEPT [6965:1238604]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jul  5 21:02:37 2021
# Generated by iptables-save v1.4.21 on Mon Jul  5 21:02:37 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [52:3216]
:OUTPUT ACCEPT [96:6672]
:forwarding_DCVPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_DCVPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_DCVPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_DCVPN_dest_ACCEPT - [0:0]
:zone_DCVPN_forward - [0:0]
:zone_DCVPN_input - [0:0]
:zone_DCVPN_output - [0:0]
:zone_DCVPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-Wireguard-Inbound" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_vpn_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_vpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_DCVPN_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_DCVPN_rule
-A zone_DCVPN_forward -m comment --comment "!fw3: forwarding DCVPN -> lan" -j zone_lan_dest_ACCEPT
-A zone_DCVPN_forward -m comment --comment "!fw3: forwarding DCVPN -> wan" -j zone_wan_dest_ACCEPT
-A zone_DCVPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_DCVPN_forward -m comment --comment "!fw3" -j zone_DCVPN_dest_ACCEPT
-A zone_DCVPN_input -m comment --comment "!fw3: user chain for input" -j input_DCVPN_rule
-A zone_DCVPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_DCVPN_input -m comment --comment "!fw3" -j zone_DCVPN_src_ACCEPT
-A zone_DCVPN_output -m comment --comment "!fw3: user chain for output" -j output_DCVPN_rule
-A zone_DCVPN_output -m comment --comment "!fw3" -j zone_DCVPN_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> DCVPN" -j zone_DCVPN_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: forwarding wan -> DCVPN" -j zone_DCVPN_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: forwarding wan -> lan" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Mon Jul  5 21:02:37 2021

NFTables is not installed.


For some reason the OpenConnect VPN interface is not being attached to its firewall zone.
Check the following:

# Show zone[3] as configured, then ask fw3 which zone it maps network 'dc0'
# and device 'vpn-dc0' to (it prints the zone name, or a warning if it cannot
# resolve one); rebuild the rules and check whether vpn-dc0 now appears in
# the nat table hooks.
uci show firewall.@zone[3]; fw3 network dc0; fw3 device vpn-dc0; \
/etc/init.d/firewall restart; iptables-save -t nat | grep -e vpn-dc0

This might be related to the disabled VPN autostart in your network config.
Make sure to update firmware to the latest stable OpenWrt release.


I suspected the OpenConnect interface autostart as well, but after enabling it and rebooting the result is unfortunately the same.

I tried that, but it doesn't seem to work:

# uci show firewall.@zone[3]; fw3 network dc0; fw3 device vpn-dc0; \
> /etc/init.d/firewall restart; iptables-save -t nat | grep -e vpn-dc0
firewall.cfg26dc81=zone
firewall.cfg26dc81.name='DCVPN'
firewall.cfg26dc81.input='ACCEPT'
firewall.cfg26dc81.output='ACCEPT'
firewall.cfg26dc81.network='dc0'
firewall.cfg26dc81.masq='1'
firewall.cfg26dc81.forward='ACCEPT'
Warning: Section @zone[3] (DCVPN) cannot resolve device of network 'dc0'
DCVPN
Warning: Section @zone[3] (DCVPN) cannot resolve device of network 'dc0'
Warning: Section @zone[3] (DCVPN) cannot resolve device of network 'dc0'
Warning: Section @zone[3] (DCVPN) has no device, network, subnet or extra options
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-Wireguard-Inbound'
   * Forward 'vpn' -> 'lan'
   * Forward 'DCVPN' -> 'lan'
   * Forward 'lan' -> 'DCVPN'
   * Forward 'wan' -> 'DCVPN'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'DCVPN' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-Wireguard-Inbound'
   * Forward 'vpn' -> 'lan'
   * Forward 'DCVPN' -> 'lan'
   * Forward 'lan' -> 'DCVPN'
   * Forward 'wan' -> 'DCVPN'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'DCVPN' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

# iptables-save -t nat
# Generated by iptables-save v1.4.21 on Tue Jul  6 03:54:13 2021
*nat
:PREROUTING ACCEPT [1:426]
:INPUT ACCEPT [1:426]
:OUTPUT ACCEPT [1:89]
:POSTROUTING ACCEPT [0:0]
:postrouting_DCVPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_DCVPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_DCVPN_postrouting - [0:0]
:zone_DCVPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
# Per-interface hooks into the zone chains: only br-lan, eth1, tun0 and wg0
# are wired up here; there is no "-i vpn-dc0" / "-o vpn-dc0" entry.
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_vpn_postrouting
# Because nothing above jumps to zone_DCVPN_postrouting, the DCVPN MASQUERADE
# below is never reached: traffic forwarded out vpn-dc0 leaves with its
# original source address, which is the likely reason hosts behind eth1
# get no replies through the VPN while the router itself does.
-A zone_DCVPN_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_DCVPN_rule
-A zone_DCVPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_DCVPN_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_DCVPN_rule
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jul  6 03:54:13 2021

Do you have any suggestions?

I'd love to update to the latest firmware, but unfortunately 17.01.5 is the latest available for my device at the moment.

# Bind the zone to the interface name directly, since fw3 cannot resolve the
# device from network 'dc0' on this build (see the warning in the output above).
uci set firewall.@zone[3].device="vpn-dc0"
# Persist the change and rebuild the rules so the zone hooks get created.
uci commit firewall
/etc/init.d/firewall restart
# NOTE(review): zone[3] is configured with input='ACCEPT' and forward='ACCEPT';
# once it binds to vpn-dc0, traffic arriving from the VPN side is treated like
# a trusted zone — confirm that is intended for this concentrator.

The result seems to be the same:

#service firewall restart
Warning: Section @zone[3] (DCVPN) cannot resolve device of network 'dc0'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-Wireguard-Inbound'
   * Forward 'vpn' -> 'lan'
   * Forward 'DCVPN' -> 'lan'
   * Forward 'lan' -> 'DCVPN'
   * Forward 'wan' -> 'DCVPN'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'DCVPN' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-Wireguard-Inbound'
   * Forward 'vpn' -> 'lan'
   * Forward 'DCVPN' -> 'lan'
   * Forward 'lan' -> 'DCVPN'
   * Forward 'wan' -> 'DCVPN'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'DCVPN' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'DCVPN'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
# Show the zone config, list the devices fw3 has actually attached to zone
# DCVPN, and confirm the nat PREROUTING/POSTROUTING hooks for vpn-dc0 exist.
uci show firewall.@zone[3]; fw3 zone DCVPN; \
iptables-save -t nat | grep -e vpn-dc0
# uci show firewall.@zone[3]; fw3 zone DCVPN; \
> iptables-save -t nat | grep -e vpn-dc0
firewall.cfg26dc81=zone
firewall.cfg26dc81.name='DCVPN'
firewall.cfg26dc81.input='ACCEPT'
firewall.cfg26dc81.output='ACCEPT'
firewall.cfg26dc81.network='dc0'
firewall.cfg26dc81.masq='1'
firewall.cfg26dc81.forward='ACCEPT'
firewall.cfg26dc81.device='vpn-dc0'
Warning: Section @zone[3] (DCVPN) cannot resolve device of network 'dc0'
vpn-dc0
-A PREROUTING -i vpn-dc0 -m comment --comment "!fw3" -j zone_DCVPN_prerouting
-A POSTROUTING -o vpn-dc0 -m comment --comment "!fw3" -j zone_DCVPN_postrouting