Access LAN services through real IP with active VPN client

A package was missed when we switched from mwan3 to kmwan:

opkg update
opkg install iptables-mod-conntrack-extra
/etc/init.d/firewall restart

Hi @hansome
Unfortunately, it didn’t work. On my Flint, it broke the internet. It became EXTREMELY SLOW, to the point most webpages won’t even load. I tried restarting the router, no help.

Then I ran opkg remove iptables-mod-conntrack-extra; /etc/init.d/firewall restart, and that fixed the slow internet problem.

In both cases, I still can’t access LAN services through real IP with active VPN client ON.

Please export log for analysis. http://192.168.8.1/#/logview

@hansome

Please see the attached log. Please note that some sensitive information is redacted.
logread.zip (31.8 KB)

These commands do not need to be entered manually on firmware 4.5:

uci set firewall.wan_in_conn_mark=rule
...
uci set firewall.wan_in_conn_mark.set_xmark='0x80000/0x80000'
...

To revert that:

sh /rom/etc/uci-defaults/99-vpnpolicy
uci commit
/etc/init.d/firewall reload

See if it fixes your issue.

Was this specific to @briar-spoon-celibate’s configuration, or does this need to be updated for everyone in addition to installing the iptables-mod-conntrack-extra package?


You only need to install the iptables-mod-conntrack-extra package.
The correct firewall mark is 0x8000/0xc000 like the following:

root@GL-AX1800:~# uci get firewall.wan_in_conn_mark.set_xmark
0x8000/0xc000
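As an added diagnostic (not from the thread or from GL.iNet), the script below checks both conditions the thread settles on for firmware 4.5: that iptables-mod-conntrack-extra is installed and that firewall.wan_in_conn_mark.set_xmark carries 0x8000/0xc000 rather than the older 0x80000/0x80000; it assumes an OpenWrt-style router with uci and opkg on PATH, and the "stale" and "unmasked" labels are this script's own naming.

```shell
#!/bin/sh
# Added diagnostic for the firmware 4.5 issue discussed in the thread.
# Assumes an OpenWrt-style router with uci and opkg (GL.iNet firmware 4.5).

EXPECTED_XMARK="0x8000/0xc000"   # value shown in the thread for firmware 4.5
STALE_XMARK="0x80000/0x80000"    # value the older uci-defaults script wrote

# mark_status VALUE -> prints ok|stale|unmasked|mismatch|bad; returns 0 only for ok
mark_status() {
    value="$1"
    case "$value" in
        */*) ;;
        *) echo bad; return 1 ;;
    esac
    mark="${value%/*}"
    mask="${value#*/}"
    # refuse anything that is not hex before feeding it to shell arithmetic
    case "$mark$mask" in
        *[!0-9a-fA-Fx]*) echo bad; return 1 ;;
    esac
    if [ "$value" = "$EXPECTED_XMARK" ]; then echo ok; return 0; fi
    if [ "$value" = "$STALE_XMARK" ]; then echo stale; return 1; fi
    # a mark with bits outside its own mask can never be matched by the rule
    if [ $(( $mark & ~$mask )) -ne 0 ]; then echo unmasked; return 1; fi
    echo mismatch; return 1
}

# package_installed NAME LISTING -> 0 if NAME appears in an `opkg list-installed` listing
package_installed() {
    printf '%s\n' "$2" | grep -q "^$1 - "
}

# Live check on the router; skipped when uci/opkg are not available (off-box use).
if command -v uci >/dev/null 2>&1 && command -v opkg >/dev/null 2>&1; then
    status=$(mark_status "$(uci -q get firewall.wan_in_conn_mark.set_xmark)")
    echo "firewall.wan_in_conn_mark.set_xmark: $status"
    if package_installed iptables-mod-conntrack-extra "$(opkg list-installed)"; then
        echo "iptables-mod-conntrack-extra: installed"
    else
        echo "iptables-mod-conntrack-extra: MISSING (opkg install iptables-mod-conntrack-extra)"
    fi
fi
```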

It worked. Thanks.
Do you mind expanding why we no longer need those rules?

We have had those rules in the firewall since firmware 4.4.6, but missed the supporting package (iptables-mod-conntrack-extra) in firmware 4.5. :sweat:
And 4.5 changed the mark from 0x80000 to 0x8000 to make it compatible with upstream tailscale.

Hotfix when?


We’ll evaluate to release a minor version to address this ASAP.
