Opened 3 years ago

Last modified 3 years ago

#20032 new defect

Custom Firewall Rules Only Load on System Reboot

Reported by: anonymous357
Owned by:
Priority: normal
Milestone: Barrier Breaker 14.07
Component: luci
Version: Barrier Breaker 14.07
Keywords: custom firewall rule
Cc:

Description

The Custom Rules page in LuCI reads:
"The commands are executed after each firewall restart, right after the default ruleset has been loaded."

Steps to reproduce:

  1. In LuCI, create a custom firewall DNAT rule for a single NON TCP/UDP/ICMP IP protocol by navigating to 'Network' > 'Firewall' > 'Custom Rules':

Static:
iptables -t nat -I PREROUTING 1 -p <IP.PROTO_NO> -d <WAN_IP> -j DNAT --to-destination <LAN_IP>
iptables -t filter -I FORWARD 1 -p <IP.PROTO_NO> -d <LAN_IP> -j ACCEPT

Or Dynamic:
iptables -t nat -I PREROUTING 1 -p 4 -i eth0.2 -j DNAT --to-destination 192.168.7.5
iptables -t filter -I FORWARD 1 -p 4 -d 192.168.7.5 -j ACCEPT

  2. Click "Submit"
  3. Navigate to 'Status' > 'Firewall'
  4. Click "Restart Firewall"

Changes do not appear.

In order to apply rules:

  1. Navigate to 'System' > 'Reboot'
  2. Click 'Perform reboot'
  3. After reboot, log in
  4. Navigate to 'Status' > 'Firewall'

Changes appear.

Image used: barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-mynet-n750-squashfs-factory.bin

Device: Western Digital - My Net N750

Attachments (0)

Change History (6)

comment:1 Changed 3 years ago by anonymous

Also, to note: Adding NON TCP/UDP/ICMP IP protocols in the Web GUI worked in previous versions of OpenWRT - inserting custom rules at top of the PREROUTING and FORWARD chains was not required.

comment:2 Changed 3 years ago by jow

Why don't custom protocols work anymore? I don't see a problem with that here. Can you clarify the actual problem?

comment:3 Changed 3 years ago by anonymous

To clarify: Specific to the WD My Net N750, I experience this issue using openwrt-ar71xx-generic-mynet-n750-squashfs-factory.bin, which is Barrier Breaker 14.07. Custom protocols NEVER worked for me using the LuCI-GUI on Barrier Breaker 14.07 on the WD My Net N750.

I have only previously used OpenWRT Attitude Kamikaze 8.09 and Backfire 10.03 on Linksys WRT54G-type devices; adding Port Forwards by IP.proto.number and adding Custom Rules in LuCI-GUI work on those devices.

In my use of OpenWRT on WRT54G-type devices, the GUI has never worked for entering NON TCP/UDP/ICMP entries in Backfire 10.03 or above - as a workaround (because I have seen many tickets opened and closed regarding this issue) I used the Custom Rules option; that workaround does not work on the WD My Net N750.

comment:4 Changed 3 years ago by anonymous

Clarifications:

  • (in my experience using WRT54G-type devices, and now, the WD My Net N750) the GUI never worked for entering NON TCP/UDP/ICMP entries in Backfire 10.03.1 or above - as a workaround, I used Custom Rules to insert the two rules above;
  • but, this Custom Rules workaround does not work with Barrier Breaker 14.07 on the WD My Net N750.

comment:5 Changed 3 years ago by anonymous

edit:

  • but, this Custom Rules workaround does not work with Barrier Breaker 14.07 on the WD My Net N750 until the OS is rebooted

Previously, a system reboot was not required to apply a custom firewall rule.

comment:6 Changed 3 years ago by anonymous

I've done further troubleshooting.

It appears that when making changes to existing NON-TCP/UDP/ICMP forwarding entries in LuCI, a reboot is required. This reboot is required regardless of whether the entry is added in Custom Rules or on the Port Forwards menu.

How to recreate:

I created an entry for IP.PROTO-4 in the Port Forwards menu and hit 'Save & Apply'; it worked. I went to edit the entry and selected 'Save & Apply.' Despite LuCI showing the firewall having been edited, the traffic was still going to the host specified before the edit was made. This behavior was verified using Wireshark.

In order to commit the change, I had to reboot the router; I verified that the traffic was no longer going to the previous host, and that the new host was receiving the traffic.

Prior to Backfire, reboots were not needed to commit NON-TCP/UDP/ICMP forwarding rules.

Image used: barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-mynet-n750-squashfs-factory.bin

Device: Western Digital - My Net N750
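As an added check (not part of this ticket and not OpenWrt or LuCI code), the POSIX shell script below compares the live nat PREROUTING chain with the DNAT target LuCI was asked to apply, and tells apart the two symptoms reported in this thread: the custom rule never loading after "Restart Firewall" (the description) and an edited forward still pointing at the previous host (comment 6). The three rulesets are constructed sample output of `iptables -t nat -S PREROUTING`, not captures from a real device; on the router the same function is called with the real output. One caveat the check handles: `iptables -S` prints the /etc/protocols name when it knows one, so protocol 4 shows up as `ipencap` on most images and as the bare number on a busybox image without /etc/protocols, and the match accepts both spellings.

```shell
#!/bin/sh
# Added example, not from the ticket or from OpenWrt/LuCI.
# Verifies that the DNAT rule LuCI was asked to apply is what the kernel
# actually holds in nat/PREROUTING, so a "Restart Firewall" that silently
# kept the old ruleset is noticed before traffic is trusted to it.

# Constructed sample output of `iptables -t nat -S PREROUTING` (not captured
# from a real device), one per state seen in the ticket:
#   MISSING: custom rule never loaded after "Restart Firewall"
#   OK:      rule live (after the reboot)
#   STALE:   edited forward still sending traffic to the previous host
SAMPLE_MISSING='-P PREROUTING ACCEPT
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting'

SAMPLE_OK='-P PREROUTING ACCEPT
-A PREROUTING -i eth0.2 -p ipencap -j DNAT --to-destination 192.168.7.5
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting'

SAMPLE_STALE='-P PREROUTING ACCEPT
-A PREROUTING -i eth0.2 -p ipencap -j DNAT --to-destination 192.168.7.9
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting'

# dnat_target RULESET PROTO_NUMBER PROTO_NAME
# Prints the --to-destination of the first DNAT rule for that protocol, or
# "none". iptables -S prints the /etc/protocols name when it knows one
# (protocol 4 appears as "ipencap"; an image without /etc/protocols prints
# the bare number), so either spelling is accepted.
dnat_target() {
  printf '%s\n' "$1" \
    | grep -E -- "-p ($2|$3) .*-j DNAT --to-destination " \
    | head -n 1 \
    | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p' \
    | grep . || echo none
}

# check_dnat RULESET PROTO_NUMBER PROTO_NAME EXPECTED_TARGET
# Prints "ok", "missing" (no rule for the protocol is loaded at all) or
# "stale:<host>" (a rule is live but forwards to a different host).
check_dnat() {
  got=$(dnat_target "$1" "$2" "$3")
  case "$got" in
    "$4") echo ok ;;
    none) echo missing ;;
    *)    echo "stale:$got" ;;
  esac
}

# Offline demonstration on the constructed samples.
echo "MISSING: $(check_dnat "$SAMPLE_MISSING" 4 ipencap 192.168.7.5)"
echo "OK:      $(check_dnat "$SAMPLE_OK"      4 ipencap 192.168.7.5)"
echo "STALE:   $(check_dnat "$SAMPLE_STALE"   4 ipencap 192.168.7.5)"

# On the router itself the same check runs against the live chain:
#   check_dnat "$(iptables -t nat -S PREROUTING)" 4 ipencap 192.168.7.5
```

Running the live form right after "Restart Firewall" and again after a reboot reproduces the ticket's observation as a machine-checkable result instead of a Wireshark session: "missing" means the custom rule was not loaded, "stale:" names the host that is still receiving the forwarded traffic.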
