Opened 4 years ago

Last modified 2 years ago

#15440 accepted defect

firewall: fw3 restart caused access cut off from the wan side

Reported by: Damian Kaczkowski <damian.kaczkowski+openwrt@…> Owned by: jow
Priority: high Milestone: Chaos Calmer 15.05
Component: base system Version: Trunk
Keywords: Cc:




I have changed firewall config by manually editing file /etc/config/firewall . I have changed:

list masq_src 'x.x.x.x/24'


list masq_src 'x.x.x.x/30'

Nothing else. Then saved the file.

Then issued 'fw3 restart' and after this my ssh session was force dropped in the middle of firewall restart process.

After dc I was not able to reconnect to the remote router. Had to go to the remote site and restart the router from there (replug the power).

Tested the same thing once again but this time ssh session was not dropped when restarting fw3.

Seems that 'fw3 restart' was not finished after my ssh session was dropped. But its hard to say what goes wrong because the process is not reproducible.

Could we somehow tweak 'fw3 restart' process so it will always finish even if ssh session is dropped in the middle of the restart process? Make it background reloading or something.


Attachments (0)

Change History (6)

comment:1 Changed 4 years ago by duvi

I also experienced the same thing a couple of times.
Login from wan, restart firewall, then my ssh session dropped and couldn't log back in anymore.
And also users on the wan side couldn't reach the internet any more.

comment:2 Changed 4 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

I'll look into it

comment:3 Changed 4 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

Maybe it's worth mentioning. The board on which I spot this error was RB750GL. I have some scripts in the include section of the firewall config in which I allow tcp/22 traffic and accept few of my IPs. Network config was very common, one static wan IP + one lan subnet. Default route was defined in route section, not as 'gateway' entry.

comment:4 Changed 4 years ago by Damian Kaczkowski <damian.kaczkowski+openwrt@…>

Ahh, and one more thing. When I was trying to ssh reconnect I was getting rejects, not timeouts.

comment:5 Changed 3 years ago by pdffs

Any time you flush and reload iptables, you should do it inside screen/tmux or detach it via some other method so that if your connection gets reset, and hence your shell dies, it doesn't take the child process with it that's meant to reload the rules.

This is general advice, not specific to OpenWRT.

Last edited 3 years ago by pdffs (previous) (diff)

comment:6 Changed 2 years ago by Damian Kaczkowski

Happend again on some 400km away remote site (r45314). This time I have added some 'list masq_dest' rule to existing tules and issued 'fw3 reload'. Then I was immediately disconnected in the middle of reload (log below). No timeout, just force disconnect. Very frustrating. It's getting more and more nervous when working with openwrt on remote sites...

jow did you managed to reproduce the problem?

log during dc:

fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing

Add Comment

Modify Ticket

as accepted .

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.