Hey all,

I'm moving from White Russian to Kamikaze. Until now I've been migrating scripts and the like but thought I'd attempt to assimilate somewhat and begin using the web interface, which appears to have matured quite nicely.

I managed to do everything I needed through the web interface except for:

- OpenVPN
- tap+/vpn access
- Transparent Proxy
- And surprisingly, MSS Clamping

It seems that when wanting to apply MSS clamping, you have to enable forwarding between two zones. Although this may seem logical (possibly), it contradicts the rules specified below it (lan forwarding - reject). Without MSS clamping my internet connection pretty much doesn't work. Needing to restrict what is forwarded from the LAN to the WAN means I can't enable MSS clamping. You wouldn't believe how confused this had me at first; I possibly screamed once or twice at the router.

I thought there may be an option per interface, much like the MASQ option but I couldn't find one.

Below is the remainder of my firewall.user. If anyone knows how to translate it to the web interface or the uci config files, let me know.

Have to admit, pretty happy so far. Nice work on Kamikaze!

#Defaults - LAN 
#Input Accept - Output Accept - Forwarding Reject

#Defaults - WAN
#Input Reject - Output Accept - Forwarding Reject

#Defaults - General
#Input Reject - Output Reject - Forwarding Reject

#Without this, the connection is next to useless
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ppp0 -j TCPMSS --clamp-mss-to-pmtu

# Transparent Proxy
iptables -t nat -A prerouting_lan   -i br-lan -d 192.168.211.1 -s 192.168.211.0/24 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A prerouting_lan   -i br-lan -d 192.168.18.0/24 -j ACCEPT
# Everything else on port 80 goes to the proxy on 8080, except traffic from the proxy host itself (avoids a redirect loop)
iptables -t nat -A prerouting_lan   -i br-lan ! -s 192.168.211.7 -p tcp --dport 80 -j REDIRECT --to-ports 8080

#Uncomment the following rule when the TProxy is out of order (an enable/disable rule LuCI option would be nice ;)
#iptables        -A forwarding_lan -i br-lan -o ppp0 -p tcp --dport 80 -j ACCEPT

#VPN access
iptables -A forwarding_rule -o tap+ -j ACCEPT
iptables -A forwarding_rule -i tap+ -j ACCEPT

#Additionally, can't create interface in LuCI (overrides openvpn assigned IP) and therefore can't create a zone
#This is required to allow remote access
iptables -A input_rule -i tap+ -j ACCEPT
iptables -A output_rule -o tap+ -j ACCEPT
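A shell check, added here and not part of the original post, that inspects an iptables-save dump for the three things this firewall.user provides: the MSS clamp leaving via the WAN interface, a port-80 REDIRECT that excludes the proxy host itself (so its own traffic is not looped back), and the tap+ forwarding accepts. The interface name ppp0 and proxy address 192.168.211.7 come from the rules above; the dump is a constructed sample, not captured from a router.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, modelled on the rules in the post.
SAMPLE_DUMP='*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:prerouting_lan - [0:0]
-A prerouting_lan -s 192.168.211.0/24 -d 192.168.211.1/32 -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT
-A prerouting_lan -d 192.168.18.0/24 -i br-lan -j ACCEPT
-A prerouting_lan ! -s 192.168.211.7/32 -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:forwarding_rule - [0:0]
-A forwarding_rule -o tap+ -j ACCEPT
-A forwarding_rule -i tap+ -j ACCEPT
COMMIT
'

# has_mss_clamp DUMP WAN_IF: succeeds if a TCPMSS clamp rule matches packets leaving via WAN_IF
has_mss_clamp() {
    printf '%s\n' "$1" | grep -q -- "-o $2 .*-j TCPMSS --clamp-mss-to-pmtu"
}

# proxy_excluded DUMP PROXY_IP: succeeds if the port-80 REDIRECT rule skips the proxy host
proxy_excluded() {
    printf '%s\n' "$1" | grep -- "--dport 80 .*-j REDIRECT" | grep -q -- "! -s $2"
}

# tap_forwarding_open DUMP: succeeds if both tap+ directions are accepted in forwarding_rule
tap_forwarding_open() {
    printf '%s\n' "$1" | grep -q -- "^-A forwarding_rule -o tap+ -j ACCEPT" &&
    printf '%s\n' "$1" | grep -q -- "^-A forwarding_rule -i tap+ -j ACCEPT"
}

# check_rules DUMP WAN_IF PROXY_IP: reports the first missing piece, returns 1 on any failure
check_rules() {
    has_mss_clamp "$1" "$2" || { echo "missing MSS clamp on $2"; return 1; }
    proxy_excluded "$1" "$3" || { echo "REDIRECT does not exclude proxy $3 (loop risk)"; return 1; }
    tap_forwarding_open "$1" || { echo "tap+ forwarding not accepted"; return 1; }
    echo "firewall.user rules present"
}

check_rules "$SAMPLE_DUMP" ppp0 192.168.211.7
```

On a live router, replace SAMPLE_DUMP with the output of `iptables-save` to verify the rules survived a firewall restart.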