GL-AX1800 (Flint) NAT hairpin/loopback troubles

I am seeing some strange behavior with respect to NAT loopback and wired vs wireless clients.

It appears that the default behavior is that NAT loopback is enabled on port forwarding rules. I verified this by checking the advanced settings (LuCI) interface.

Wireless clients seem to be able to reach an internal reverse proxy pointed to by a DNS name that resolves to my WAN IP. (To me this indicates that NAT loopback is working to some degree.)

Wired clients do not have the same success.

I have discovered a workaround while attempting to troubleshoot the issue. If I connect to the router via SSH and run tcpdump, wired clients can now resolve the name correctly.

How do I go about resolving this issue so I no longer need to manually intervene for packets to route correctly on and off my LAN?

It also seems very strange that tcpdump would affect routing in this way. Has anyone seen that sort of thing happen before? I have been under the impression that tcpdump was passive.

You can try stopping qca-nss-ecm to see if it works:

/etc/init.d/qca-nss-ecm stop

Stopping qca-nss-ecm by executing /etc/init.d/qca-nss-ecm stop seems to result in success. The NAT loopback functionality appears to be routing correctly.

Prior to this I was not familiar with qca-nss-ecm. It seems to be an “enhanced connection management” kernel module provided by Qualcomm Atheros for the NSS Linux subsystem.

Does that mean there is a bug in the module or can some config just be edited to correct a firewall issue? If I leave it disabled at boot what functionality would I miss? Hardware acceleration of packet routing?