On 2016-08-17 09:12 AM, Rob Janssen wrote:
>> The latest reboot had me digging deeper to try to find the real problem
>> and I have discovered that only the rule in FORWARD chain of the filter
>> table is firing, not the DNAT in the nat table. I suspect the firewall
>> is only working when some connection (outgoing?) wakes up the
>> masquerade rules but haven't actually found the rule that is active.
>
> Are you sure the OpenWRT box is actually seeing the incoming packets?
> Is it directly on the internet, or is there another box before it, e.g.
> an ISP-provided modem/router?

Hi Rob,

It is behind my ISP cable modem, I had to get it set up in bridging mode
after the last time they upgraded it. My router is showing all the
tunnel traffic (via tcpdump) so I'm fairly certain the modem isn't the
issue.

> Even though you might have forwarded the protocol or even set the OpenWRT
> box as the "DMZ device", it may still do stateful firewalling on
> non-TCP/UDP protocols. That is a known problem with NAT routers.
>
> Try to run a trace on the OpenWRT box to verify that you can receive IPIP
> traffic from sources that you have not recently contacted with outgoing
> traffic.

I'm guessing one of the reasons that my setup usually works for a while
is that the background noise of probes/spammers/etc on 44net is constant
enough to keep the connection alive once it is up. It is only after a
power failure of extended duration that I have trouble getting it
started again.

Central to my confusion at the moment is the rule in the nat PREROUTING
isn't counting packets. After zeroing and sending 10 pings to my 44net
gateway (successful responses for each) I see this:

Chain PREROUTING (policy ACCEPT 289 packets, 58657 bytes)
 pkts bytes target               prot    opt in      out  source    destination
    0     0 DNAT                 ipencap--   any     any  anywhere  anywhere     to:192.168.99.66
  207 37119 zone_dmz_prerouting  all     --  br-dmz  any  anywhere  anywhere
    1    60 zone_wan_prerouting  all     --  eth0.1  any  anywhere  anywhere
   81 21478 zone_lan_prerouting  all     --  eth0.0  any  anywhere  anywhere
  289 58657 prerouting_rule      all     --  any     any  anywhere  anywhere

i.e. nothing on the first rule, which should catch all the ipencap, and
even not enough on the 3rd, which should catch all packets coming into
the external interface, yet chain FORWARD has

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot    opt in      out  source    destination
   11  1144 ACCEPT  ipencap--   eth0.1  any  anywhere  anywhere

as expected. Chain PREROUTING is not working as I'm expecting from my
read of the documentation, it isn't counting packets it should and yet
the DNAT address rewrite is still happening somewhere or the packets
wouldn't make it to the FORWARD chain.
... Niall
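The counter check Niall walks through above, as an added example that is not part of the thread: a small Python parser for `iptables -vx -L` output that reads the DNAT and FORWARD counters for one protocol and classifies the pattern. The listings embedded in it are constructed to mirror the thread's numbers, and the classification relies on the nat table being consulted only for the first packet of a conntrack flow.

```python
"""Parse `iptables -vx -L` listings and classify the nat DNAT vs filter FORWARD
counter pattern from the thread.  Relies on: the nat table sees only the first
packet of a flow; later packets are rewritten from the conntrack entry and never
traverse nat PREROUTING, so DNAT stays at 0 while FORWARD (every packet) counts."""

def parse_listing(text):
    """Return {chain: [rule, ...]}; each rule is a dict of pkts/target/prot/in/out."""
    chains, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "Chain":
            cur, chains[tok[1]] = tok[1], []
        elif cur and len(tok) >= 6 and tok[0].isdigit() and tok[1].isdigit():
            pkts, _, target, prot = tok[:4]
            rest = tok[4:]
            if prot.endswith("--"):      # prot column is fixed-width, so long names
                prot = prot[:-2]         # such as "ipencap" run into the opt column
            else:
                rest = rest[1:]          # drop the separate opt column ("--")
            chains[cur].append({"pkts": int(pkts), "target": target,
                                "prot": prot, "in": rest[0], "out": rest[1]})
    return chains

def rule_pkts(chains, chain, target, prot):
    for r in chains.get(chain, []):
        if r["target"] == target and r["prot"] == prot:
            return r["pkts"]
    return None

def diagnose(nat_listing, filter_listing, prot="ipencap"):
    dnat = rule_pkts(parse_listing(nat_listing), "PREROUTING", "DNAT", prot)
    fwd = rule_pkts(parse_listing(filter_listing), "FORWARD", "ACCEPT", prot)
    if dnat is None or fwd is None:
        return "missing-rule"
    if fwd > 0 and dnat == 0:
        return "flow-already-in-conntrack"   # nat skipped; mapping came from conntrack
    if dnat > 0:
        return "new-flow-dnated"
    return "no-traffic-seen"

# Constructed sample listings (layout of `iptables -vx -L`), counters mirroring the thread.
NAT_SAMPLE = """Chain PREROUTING (policy ACCEPT 289 packets, 58657 bytes)
 pkts bytes target              prot    opt in      out  source    destination
    0     0 DNAT                ipencap--   any     any  anywhere  anywhere  to:192.168.99.66
    1    60 zone_wan_prerouting all     --  eth0.1  any  anywhere  anywhere
"""
FILTER_SAMPLE = """Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot    opt in      out  source    destination
   11  1144 ACCEPT  ipencap--   eth0.1  any  anywhere  anywhere
"""
```

A zero DNAT counter alongside a counting FORWARD rule is therefore normal once the flow is already in conntrack; `conntrack -L` on the router shows whether such an entry exists, and only after it expires (or after a cold boot empties the table) does the next packet traverse nat PREROUTING again.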