After searching for updated nftables rules for TTL, I came across these links:
1.) put this in /etc/config/firewall
config include
    option path '/etc/firewall.user'
    option fw4_compatible '1'
2.) create the file '/etc/firewall.user'
3.) put this line in it:
nft add rule inet fw4 mangle_forward oifname usb0 ip ttl set 65
4.) restart the firewall
/etc/init.d/firewall restart
Not much info is available yet on fw4 and I am still waiting for updates on the gl.inet x750 and opal to be upgraded to 22.03, but have an rpi testing some of the changes until then.
Tried several nftables.d configs for TTL, but the above code seems to be a lot easier using a firewall.user file to add quick rules.
Using basic keywords, search engines are now showing two working configs for setting TTL using fw4 in the 1st few results.
Hopefully openwrt will implement custom firewall rules again using the firewall.user file from inside of luci, making it easier to enable/disable nft add rule lines as needed.
Thanks again for the mangle_postrouting_ttl65 rules as well!
Thanks for the suggestion, but sadly, I was already doing that - I should have been more clear in my post. Here's a complete example of one of the variations I tried:
chain mangle_postrouting_ttl65 {
    type filter hook postrouting priority 300; policy accept;
    oifname "eth2" counter ip ttl set 65
}
chain mangle_prerouting_ttl65 {
    type filter hook prerouting priority 300; policy accept;
    iifname "eth2" counter ip ttl set 65
}
I test it by logging into the router and pinging the router address. Without the interface restriction to 'eth2', the pings return 'ttl=65'. When I try to restrict it, I get 'ttl=64'.
Let’s examine your test results in more detail. Do you have a more realistic test than pinging the router address from the router itself? Ping something external from a LAN client?
Perfect, that's what I needed to know. When I log into the router and run the above command, I show a TTL of 65 for traffic moving from my router address to the gateway address, which is what I wanted to confirm.
Thanks! Here's the rule that seems to be working for me:
chain mangle_postrouting_ttl65 {
    type filter hook postrouting priority 300; policy accept;
    oifname "eth2" counter ip ttl set 65
}
chain mangle_prerouting_ttl65 {
    type filter hook prerouting priority 300; policy accept;
    iifname "eth2" counter ip ttl set 65
}
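A check for the loaded rules, added here as an example and not code from the thread or from OpenWrt: it parses the JSON form of `nft -j list ruleset` and reports every rule in the fw4 table that rewrites the IP TTL, which chain it sits in and which interface it is restricted to, so the unrestricted variant discussed above shows up as applying to every interface. The ruleset below is constructed sample JSON covering both the firewall.user one-liner and the custom postrouting chain, not output captured from a router.

```python
import json

# Constructed sample of `nft -j list ruleset` output (not captured from a real
# router): fw4's own mangle_forward chain with the rule from the firewall.user
# one-liner, plus the custom postrouting chain posted later in the thread.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "fw4", "handle": 1}},
    {"chain": {"family": "inet", "table": "fw4", "name": "mangle_forward", "handle": 20,
               "type": "filter", "hook": "forward", "prio": -150, "policy": "accept"}},
    {"rule": {"family": "inet", "table": "fw4", "chain": "mangle_forward", "handle": 40,
              "expr": [
                  {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "usb0"}},
                  {"mangle": {"key": {"payload": {"protocol": "ip", "field": "ttl"}}, "value": 65}}]}},
    {"chain": {"family": "inet", "table": "fw4", "name": "mangle_postrouting_ttl65", "handle": 21,
               "type": "filter", "hook": "postrouting", "prio": 300, "policy": "accept"}},
    {"rule": {"family": "inet", "table": "fw4", "chain": "mangle_postrouting_ttl65", "handle": 41,
              "expr": [
                  {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth2"}},
                  {"counter": {"packets": 0, "bytes": 0}},
                  {"mangle": {"key": {"payload": {"protocol": "ip", "field": "ttl"}}, "value": 65}}]}},
]})


def find_ttl_rules(ruleset_json, table="fw4"):
    """Return (chain, interface, ttl) for every rule in `table` that rewrites ip ttl.
    interface is the oifname/iifname the rule matches, or None when the rule is
    unrestricted and therefore rewrites the TTL on every interface."""
    found = []
    for obj in json.loads(ruleset_json)["nftables"]:
        rule = obj.get("rule")
        if not rule or rule["table"] != table:
            continue
        iface, ttl = None, None
        for expr in rule["expr"]:
            if "match" in expr:
                left = expr["match"]["left"]
                if isinstance(left, dict) and left.get("meta", {}).get("key") in ("oifname", "iifname"):
                    iface = expr["match"]["right"]
            elif "mangle" in expr:
                key = expr["mangle"]["key"].get("payload", {})
                if key.get("protocol") == "ip" and key.get("field") == "ttl":
                    ttl = expr["mangle"]["value"]
        if ttl is not None:
            found.append((rule["chain"], iface, ttl))
    return found


def rule_present(ruleset_json, chain, iface, ttl):
    """True when `chain` holds a rule setting `ttl` on `iface` (confirms the restart loaded it)."""
    return (chain, iface, ttl) in find_ttl_rules(ruleset_json)
```

On the router, pass the real output of `nft -j list ruleset` to `find_ttl_rules` in place of SAMPLE_RULESET.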
Don't you only need the top one? Is this to try to make ISP think there's no tethering? I imagine that trick relates more to superstition than reality but I could be wrong.
Yeah, I really only need the top one for tethering, which I only use as backup in case my ISP goes down. And you're right, it's probably part of networking folklore and doesn't even make a difference.