GL.iNet Flint2 Guest WiFi blocked by hidden VPN kill-switch rules - Configuration help needed

Problem Description

The Guest WiFi network on my GL.iNet Flint2 router periodically loses internet access every few hours. This happens automatically without any manual configuration changes or router reboots.

Router Information

  • Model: GL.iNet Flint2 (GL-MT6000)

  • No VPN configured or active

  • AdGuard Home enabled

  • Standard OpenWrt/GL.iNet firmware (4.8.2)

Root Cause Analysis

After investigating via SSH, I discovered the issue is caused by VPN policy blackhole rules that are automatically activated:

ip rule show
# Shows: 9920: from all iif guest blackhole

This blackhole rule blocks all internet traffic from the Guest interface, even though no VPN is configured.

Investigation Results

UCI Configuration Analysis

uci show network | grep vpn_block_guest_leak

Shows:

network.vpn_block_guest_leak=rule
network.vpn_block_guest_leak.gl_vpn_rules='1'
network.vpn_block_guest_leak.priority='9920'
network.vpn_block_guest_leak.action='blackhole'
network.vpn_block_guest_leak.in='guest'
network.vpn_block_guest_leak.disabled='0'  ← Problem: Should be '1'

VPN Script Triggers

The /usr/bin/rtp2.sh script automatically creates these blackhole rules, triggered by:

  • Interface status changes

  • Hardware NAT events

  • Firewall reloads

Hardware NAT Connection

The dmesg logs show related MediaTek hardware NAT issues:

Unknown case of dp, iif=b --> ra0
skb_to_hnat_info: callbacks suppressed

Temporary Fix (Works but not permanent)

ip rule del from all iif guest blackhole

This restores Guest WiFi internet access immediately, but the rule reappears after several hours.

Attempted Solutions

  1. Router reboot: Problem returns after a few hours

  2. Guest network reconfiguration: No effect

  3. Firewall rule analysis: Blackhole rules not visible in standard GUI

  4. LuCI investigation: Policy rules not exposed in web interface

GUI Visibility Issues

The problematic VPN policy rules are not visible or configurable in:

  • Standard GL.iNet web interface

  • Advanced settings

  • LuCI network routing section

  • LuCI firewall rules

This makes the issue impossible to resolve through normal user interfaces.

Help needed!
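To make the investigation above repeatable (for example from a cron job that logs when the rule comes back), here is a small POSIX sh check. It is an added example, not GL.iNet's or OpenWrt's code: it parses `ip rule show` output for blackhole rules on a given input interface and `uci show network` output for rule sections that are still enabled with action 'blackhole'. The sample outputs embedded in it are constructed from the values quoted in the post so that the script also runs offline; on the router you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example (not GL.iNet's or OpenWrt's code). Reports whether an interface is
# hit by a live policy-routing blackhole rule, and whether UCI still carries an
# enabled blackhole rule for it. Real use on the router:
#   ip rule show      | blackhole_priorities guest
#   uci show network  | enabled_blackhole_rules guest
# The samples below are constructed to mirror the thread's observations.

# Constructed sample of `ip rule show` while the guest network is blocked.
SAMPLE_IP_RULES=$(cat <<'EOF'
0:      from all lookup local
9920:   from all iif guest blackhole
32766:  from all lookup main
32767:  from all lookup default
EOF
)

# Constructed sample of `uci show network` in the broken state (disabled='0').
SAMPLE_UCI_BROKEN=$(cat <<'EOF'
network.vpn_block_guest_leak=rule
network.vpn_block_guest_leak.gl_vpn_rules='1'
network.vpn_block_guest_leak.priority='9920'
network.vpn_block_guest_leak.action='blackhole'
network.vpn_block_guest_leak.in='guest'
network.vpn_block_guest_leak.disabled='0'
EOF
)

# The same section in the state the post says it should be in (disabled='1').
SAMPLE_UCI_FIXED=$(printf '%s\n' "$SAMPLE_UCI_BROKEN" | sed "s/disabled='0'/disabled='1'/")

# blackhole_priorities IFACE
# Reads `ip rule show` output on stdin and prints the priority of every blackhole
# rule whose input interface (iif) is IFACE, one per line. No output means no rule.
blackhole_priorities() {
    awk -v ifc="$1" '
        $NF == "blackhole" {
            for (i = 2; i < NF; i++) {
                if ($i == "iif" && $(i + 1) == ifc) { sub(/:$/, "", $1); print $1 }
            }
        }'
}

# enabled_blackhole_rules [IFACE]
# Reads `uci show network` output on stdin and prints the name of each rule section
# whose action is blackhole and whose disabled option is not '1'. With IFACE given,
# only sections whose `in` option equals IFACE are reported.
enabled_blackhole_rules() {
    awk -F'[.=]' -v q="'" -v ifc="$1" '
        NF == 4 {
            sec = $2; opt = $3; val = $4; gsub(q, "", val)   # strip UCI quoting
            if (opt == "action" && val == "blackhole") bh[sec] = 1
            if (opt == "disabled" && val == "1") off[sec] = 1
            if (opt == "in") inif[sec] = val
        }
        END {
            for (s in bh)
                if (!(s in off) && (ifc == "" || inif[s] == ifc)) print s
        }'
}

# guest_status IFACE IP_RULE_OUTPUT UCI_OUTPUT
# Prints one line starting with BLOCKED: or OK:, naming the live rule priority and
# the UCI section it comes from, so a cron job can log state changes over time.
guest_status() {
    ifc=$1
    live=$(printf '%s\n' "$2" | blackhole_priorities "$ifc")
    cfg=$(printf '%s\n' "$3" | enabled_blackhole_rules "$ifc")
    if [ -n "$live" ]; then
        echo "BLOCKED: $ifc has a live blackhole rule at priority $live (UCI source: ${cfg:-none})"
    else
        echo "OK: no blackhole rule for $ifc (enabled in UCI: ${cfg:-none})"
    fi
}

# Demonstration on the constructed samples; on the router pass "$(ip rule show)"
# and "$(uci show network)" instead.
guest_status guest "$SAMPLE_IP_RULES" "$SAMPLE_UCI_BROKEN"
guest_status guest "$(printf '%s\n' "$SAMPLE_IP_RULES" | grep -v blackhole)" "$SAMPLE_UCI_FIXED"
```

Run from cron with the live command output, the BLOCKED/OK line gives a timestamped record of when the rule returns, which is the evidence worth attaching when reporting the problem; the `ip rule del` command from the post remains the immediate workaround when it does.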

Hello,

Please try to execute the following command in SSH:

uci set route_policy.global.enabled="0"
uci commit route_policy
rtp2.sh

After executing the above, this part of the policy routing, including the blackhole rule, will be deleted; check whether the issue is improved.

But route_policy.global.enabled="0" would disable the entire policy routing system, not just the guest blackhole rule? Security issue?

If the VPN is not configured/not enabled, there is no security issue.

BTW, we have not reproduced the issue you mentioned on my local side.

If possible, please export your configuration backup file and send it to me via PM. I will try to reproduce the issue.
BTW, please let me know the backup's Admin Panel password.