Guest wifi network drops internet packets when Tailscale Custom Exit Node is enabled

I have a Slate AX (GL-AXT1800) running firmware 4.5.16. When Tailscale > Custom Exit Node is enabled, internet access from the guest wifi network starts dropping 50% of packets. However, Internet access from the main wifi network, as well as access to the Tailscale network devices and advertised subnets on the Tailscale network, continue to work.

I have reviewed similar threads on this, though it's not always clear whether the other issues relate to internet access via the main wifi network (which is routed to the exit node via Tailscale) or via the guest wifi network (which should go directly to the internet):

I am seeing this issue when using firmware versions 4.5.0, 4.5.16 and the 4.6.0 beta. It doesn't occur with 4.4.6, but that firmware has a very old version of Tailscale that doesn't support setting specific IPs for Tailscale nodes so I can't use this version.

I have reproduced this issue with my AXT1800 from a factory default config running 4.5.16, using a network with internet access connected to the WAN port and using the default subnets for both main and guest wifi networks (192.168.8.0/24 and 192.168.9.0/24 respectively). A quick diagram of the test setup is as follows:

Here are the steps that I took to set up the test network:

  1. Reset AXT1800 to factory defaults, change password and sync time with browser
  2. Enable the 5G guest network
  3. Check that the internet is reachable from a device connected to both main and guest wifi networks by ping to 4.2.2.2 (ok)
  4. Enable Tailscale and connect the AXT1800 to the Tailscale network using the device bind link. Approve the new device on the Tailscale admin console
  5. Enable Tailscale > Remote Access LAN option. Check internet is still reachable from both main and guest wifi networks (ok)
  6. Enable Tailscale > Custom Exit Node

At this point, the main wifi network could still reach the internet via the exit node. But the guest wifi network started dropping 50% of packets to the internet.

The exit node on my Tailscale network advertises 5 internal routes into Tailscale. It is a small VM on my network running a recent version of Tailscale (1.66.4), and is also used by other devices as a remote access gateway and exit node and they work fine. The 5 advertised routes are all within 192.168/16 space, and do not overlap with the default 192.168.8.0/24 and 192.168.9.0/24 networks used by the AXT1800. There is a route for 192.168.8.0/24 on the network beyond the Tailscale exit node to the AXT1800 via Tailscale, and I can ping the AXT1800 at 192.168.8.1 from a host on one of those networks via the Tailscale network. After Tailscale is connected, hosts associated to the main wifi network can access servers on the 5 internal networks without NAT, so the Tailscale part of the configuration is working as expected.

Access to the internet from the main wifi network also works fine whether Custom Exit Node is on or off. When Custom Exit Node is off, the internet is accessed directly, and when the setting is on, the internet is reached via the exit node as expected. This is verified using a Google search for my ip address showing the public IP address that is expected for each path.

However, from a host connected to the guest wifi network, I see 50% packet loss once Custom Exit Node is enabled. In the ping output below from such a host, Custom Exit Node was enabled after icmp_seq=6:

% ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=52 time=21.915 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=52 time=42.802 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=52 time=18.757 ms
64 bytes from 4.2.2.2: icmp_seq=3 ttl=52 time=36.834 ms
64 bytes from 4.2.2.2: icmp_seq=4 ttl=52 time=18.757 ms
64 bytes from 4.2.2.2: icmp_seq=5 ttl=52 time=18.471 ms
64 bytes from 4.2.2.2: icmp_seq=6 ttl=52 time=18.894 ms
64 bytes from 4.2.2.2: icmp_seq=7 ttl=52 time=18.552 ms
Request timeout for icmp_seq 8
64 bytes from 4.2.2.2: icmp_seq=9 ttl=52 time=18.525 ms
Request timeout for icmp_seq 10
64 bytes from 4.2.2.2: icmp_seq=11 ttl=52 time=18.538 ms
Request timeout for icmp_seq 12
64 bytes from 4.2.2.2: icmp_seq=13 ttl=52 time=18.968 ms
Request timeout for icmp_seq 14
64 bytes from 4.2.2.2: icmp_seq=15 ttl=52 time=93.318 ms
Request timeout for icmp_seq 16
64 bytes from 4.2.2.2: icmp_seq=17 ttl=52 time=18.844 ms
Request timeout for icmp_seq 18
64 bytes from 4.2.2.2: icmp_seq=19 ttl=52 time=19.271 ms
^C

When Custom Exit Node is disabled, the IP rule and route tables are as follows (192.168.5.0/24 is the network connected to the WAN port):

root@GL-AXT1800:~# ip rule
0:	from all lookup local
48:	from all to 192.168.5.0/24 lookup main
49:	from all to 192.168.8.0/24 lookup main
50:	from all to 100.100.100.100 lookup 52
1099:	from all fwmark 0x80000/0xc0000 lookup main
1100:	from all lookup main suppress_prefixlength 0
1101:	not from all fwmark 0x8000/0xc000 lookup 8000
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default
root@GL-AXT1800:~# ip route show
default via 192.168.5.1 dev eth0 proto static src 192.168.5.245 metric 10
100.64.0.0/10 dev tailscale0 scope link
192.168.5.0/24 dev eth0 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev br-guest proto kernel scope link src 192.168.9.1

ip route show table 52 contains the expected Tailscale network host routes and the subnet routes advertised by the exit node.

When Custom Exit Node is enabled, the IP rule and route tables are as follows:

0:	from all lookup local
47:	from 192.168.9.0/24 lookup main
48:	from all to 192.168.5.0/24 lookup main
49:	from all to 192.168.8.0/24 lookup main
50:	from all to 100.100.100.100 lookup 52
1099:	from all fwmark 0x80000/0xc0000 lookup main
1100:	from all lookup main suppress_prefixlength 0
1101:	not from all fwmark 0x8000/0xc000 lookup 8000
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5269:	from all fwmark 0x80000/0x80000 lookup main
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default

I note that extra rules with priority 47 and 5269 are added when Custom Exit Node is enabled.

I used tcpdump running on the internet gateway connected to the WAN port of the AXT1800 and saw that only 50% of the ping request packets from a host on the guest wifi network via the AXT1800 were reaching the gateway. I could see the responses from the internet for those requests. Note that the timestamps are 2 seconds apart, while the ping is sending a request every 1 second:

# tcpdump -ni igb3_vlan5 host 4.2.2.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3_vlan5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:14:50.882955 IP 192.168.5.245 > 4.2.2.2: ICMP echo request, id 3847, seq 353, length 64
10:14:50.897594 IP 4.2.2.2 > 192.168.5.245: ICMP echo reply, id 3847, seq 353, length 64
10:14:52.894171 IP 192.168.5.245 > 4.2.2.2: ICMP echo request, id 3847, seq 355, length 64
10:14:52.909108 IP 4.2.2.2 > 192.168.5.245: ICMP echo reply, id 3847, seq 355, length 64
10:14:54.907378 IP 192.168.5.245 > 4.2.2.2: ICMP echo request, id 3847, seq 357, length 64
10:14:54.922108 IP 4.2.2.2 > 192.168.5.245: ICMP echo reply, id 3847, seq 357, length 64

When Custom Exit Node is enabled, it looks to me that IP rule 47 should send all guest wifi network traffic directly to the internet and avoid all Tailscale routing. But there seems to be something else happening to routed packets before they hit this rule. I can't see anything obvious in the iptables rules that would cause half of the packets to be dropped, but the rulebase is quite difficult to follow.

I have also tried to update Tailscale on the AXT1800 (Script: Update Tailscale on (nearly) all devices) to the latest version (currently 1.68.1), but this didn't make a difference.

Has anyone seen this issue before, and if so are there any workarounds? I have tried the suggestions from similar posts suggesting modifying the WAN firewall zone covered devices, MSS clamping and masquerading settings, but none of these helped with this issue.

Hi,

Thanks for your feedback!

I will try to reproduce this issue, and will submit it if the issue occurs.

Update: I have reproduced this situation and submitted it, thanks again.

Hi,

Please execute these commands as a temporary workaround:

iptables -t mangle -I PREROUTING -i br-guest -j MARK --set-mark 0X80000/0X4000
ip rule add from all fwmark 0X80000/0X4000 lookup main

Thanks Bruce for the suggested workaround.

Whilst the workaround resolves the issue of 50% of the packets being dropped when connected via the guest network, it also breaks Tailscale functionality for the main network. Internet bound traffic from the main network is now being routed directly to the internet from the AXT1800, rather than routed via the exit node before the workaround commands were executed. Also, I am no longer able to reach devices on the 5 internal routes that are advertised to the Tailnet by the exit node.

Running the command ip rule delete from all fwmark 0X80000/0X4000 lookup main to remove the rule that was added restores the previous functionality.

Would you be able to have another look? Thanks.

On further investigation, I noticed that after running the workaround commands above, then running the ip rule delete from all fwmark 0X80000/0X4000 lookup main command to revert the IP rule, the guest network can successfully ping and access the internet without packet loss, plus the main network retains all of the Tailscale functionality including routing all internet traffic via the custom exit node.

So it looks like only the iptables command is needed to fix the original issue.

I added the iptables command to the custom firewall rules at System > Advanced Settings > Network > Firewall > Custom Rules to apply the prerouting rule at startup, and everything now seems to work after a cold boot without further intervention.

I hope that this issue can be resolved permanently in a future firmware release. Can you advise whether custom firewall rules are reset on firmware upgrade, or will I need to manually remove the workaround when installing a firmware that includes the permanent fix?
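The fwmark semantics behind the two workaround commands can be checked against the rule table quoted earlier. The following Python walk-through is an added example (not code from the thread or from GL.iNet) that parses the ip rule and route output above, applies the kernel's rule-match and MARK semantics, and reports which rule and table each packet ends up in; it assumes priority 46 for the added ip rule, omits the local table, and uses a constructed 192.168.20.0/24 entry in place of the advertised subnets.

```python
"""Policy-routing walk for the ip rule / fwmark behaviour in this thread (added illustration, not
code from the posts or the GL.iNet firmware).  Kernel semantics: an ip rule 'fwmark v/m' matches
when ((mark ^ v) & m) == 0; iptables MARK --set-mark v/m sets (mark & ~(v|m)) ^ v ('xset v/(v|m)')."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

IP_RULES = """\
0: from all lookup local
47: from 192.168.9.0/24 lookup main
48: from all to 192.168.5.0/24 lookup main
49: from all to 192.168.8.0/24 lookup main
50: from all to 100.100.100.100 lookup 52
1099: from all fwmark 0x80000/0xc0000 lookup main
1100: from all lookup main suppress_prefixlength 0
1101: not from all fwmark 0x8000/0xc000 lookup 8000
5210: from all fwmark 0x80000/0xff0000 lookup main
5230: from all fwmark 0x80000/0xff0000 lookup default
5250: from all fwmark 0x80000/0xff0000 unreachable
5269: from all fwmark 0x80000/0x80000 lookup main
5270: from all lookup 52
32766: from all lookup main
32767: from all lookup default"""   # 'ip rule' from the thread, Custom Exit Node enabled

# Route tables from the thread ('local' omitted, 8000 empty); 192.168.20.0/24 is a constructed stand-in.
ROUTE_TABLES = {
    "main": ["default via 192.168.5.1 dev eth0", "100.64.0.0/10 dev tailscale0",
             "192.168.5.0/24 dev eth0", "192.168.8.0/24 dev br-lan", "192.168.9.0/24 dev br-guest"],
    "52": ["default dev tailscale0", "100.100.100.100 dev tailscale0", "throw 127.0.0.0/8",
           "throw 192.168.5.0/24", "throw 192.168.8.0/24", "throw 192.168.9.0/24",
           "192.168.1.0/24 dev tailscale0", "192.168.20.0/24 dev tailscale0"],
    "8000": [], "default": [],
}

def parse_rule(line):
    """Parse an 'ip rule' line (only the selectors that occur in this thread)."""
    prio, body = line.split(":", 1)
    r = {"prio": int(prio), "not": False, "src": ANY, "dst": ANY, "fwmark": 0,
         "mask": 0, "table": None, "suppress": None, "unreachable": False}
    tok = body.split()
    for i, t in enumerate(tok):
        arg = tok[i + 1] if i + 1 < len(tok) else ""
        if t in ("not", "unreachable"):
            r[t] = True
        elif t in ("from", "to"):
            r["src" if t == "from" else "dst"] = ANY if arg == "all" else ipaddress.ip_network(arg)
        elif t == "fwmark":
            value, _, mask = arg.partition("/")
            r["fwmark"], r["mask"] = int(value, 16), (int(mask, 16) if mask else 0xFFFFFFFF)
        elif t == "lookup":
            r["table"] = arg
        elif t == "suppress_prefixlength":
            r["suppress"] = int(arg)
    return r

def parse_route(line):
    """'ip route' line -> (kind, network, line), kind being 'route' or 'throw'."""
    tok = line.split()
    prefix = tok[1] if tok[0] == "throw" else tok[0]
    net = ANY if prefix == "default" else ipaddress.ip_network(prefix)
    return ("throw" if tok[0] == "throw" else "route"), net, line

TABLES = {n: [parse_route(l) for l in lines] for n, lines in ROUTE_TABLES.items()}

def mark_set(mark, value, mask=0xFFFFFFFF):
    """iptables MARK --set-mark value/mask: clear the value|mask bits, then XOR value in."""
    return ((mark & ~(value | mask)) ^ value) & 0xFFFFFFFF

def route_packet(rules, tables, src, dst, mark=0):
    """Return (rule priority, table, route line) the kernel would select, or Nones."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        hit = src in r["src"] and dst in r["dst"] and ((mark ^ r["fwmark"]) & r["mask"]) == 0
        if hit == r["not"]:               # 'not' inverts the whole selector
            continue
        if r["unreachable"]:
            return r["prio"], "unreachable", None
        hits = [e for e in tables.get(r["table"], []) if dst in e[1]]
        if not hits:
            continue                      # nothing in that table (e.g. empty 8000): next rule
        kind, net, text = max(hits, key=lambda e: e[1].prefixlen)    # longest prefix wins
        if kind == "throw" or (r["suppress"] is not None and net.prefixlen <= r["suppress"]):
            continue                      # 'throw', or suppress_prefixlength hid the default
        return r["prio"], r["table"], text
    return None, None, None

def trace_thread_scenarios():
    """Packets discussed in the thread, with and without the two workaround commands."""
    rules = [parse_rule(l) for l in IP_RULES.splitlines()]
    # 'ip rule add from all fwmark 0X80000/0X4000 lookup main'; priority 46 is an assumption
    with_rule = sorted(rules + [parse_rule("46: from all fwmark 0x80000/0x4000 lookup main")],
                       key=lambda r: r["prio"])
    guest_mark = mark_set(0, 0x80000, 0x4000)   # mangle PREROUTING -i br-guest --set-mark ...
    cases = [("guest_unmarked", rules, "192.168.9.50", "4.2.2.2", 0),
             ("guest_marked", rules, "192.168.9.50", "4.2.2.2", guest_mark),
             ("lan_internet", rules, "192.168.8.50", "4.2.2.2", 0),
             ("lan_tailnet_subnet", rules, "192.168.8.50", "192.168.1.10", 0),
             ("lan_internet_with_ip_rule", with_rule, "192.168.8.50", "4.2.2.2", 0),
             ("lan_tailnet_subnet_with_ip_rule", with_rule, "192.168.8.50", "192.168.1.10", 0)]
    return {name: route_packet(rs, TABLES, s, d, m) for name, rs, s, d, m in cases}
```

By rule evaluation alone, guest traffic reaches the main table via rule 47 with or without the mangle mark, which matches the observation that something other than the rule table is acting on those packets; the ip rule with mask 0x4000, by contrast, matches every packet whose 0x4000 bit is clear and so diverts main-network traffic away from table 52, consistent with the breakage reported after it was added.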

As this feature is also related to VPN/Adg and so on, we need to think carefully and improve it without affecting other features.

I would like to know what commands you executed. Please show me the output of these:

  ip rule
  ip route show t 8000
  ip rule
  ip route
  ip route show table 52
  iptables -nvL
  iptables -t nat -nvL
  iptables -t raw -nvL
  iptables -t mangle -nvL

The iptables command that you provided in post #3 was added to /etc/firewall.user via the LuCI GUI: Network > Firewall > Custom Rules, so that it ran on every boot:

root@GL-AXT1800:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t mangle -I PREROUTING -i br-guest -j MARK --set-mark 0X80000/0X4000

The ip rule command from that post was not added because this rule caused internet access for both the main and guest networks to stop working properly, as previously mentioned.

Here is the command output as requested from the working production configuration. The AXT1800 is currently running firmware v4.5.16. The above modification has been applied, and the router has been rebooted with no further changes made to its configuration. (Local subnet details have been removed):

BusyBox v1.33.2 (2024-03-21 14:19:45 UTC) built-in shell (ash)

  _______                     ________ __ ______ __
 |       |.-----.-----.-----.|  |  |  |__|   ___|__|
 |   -   ||  _  |  -__|     ||  |  |  |  |   ___|  |
 |_______||   __|_____|__|__||________|__|__|   |__|
          |__| W I R E L E S S   F R E E D O M
 ---------------------------------------------------
 ApNos-b85cfe67-devel
 OpenWrt 21.02-SNAPSHOT, r16399+165-c67509efd7
 ---------------------------------------------------
root@GL-AXT1800:~# ip rule
0:	from all lookup local
47:	from 192.168.<GUEST_WIFI>.0/24 lookup main
48:	from all to 192.168.5.0/24 lookup main
49:	from all to 192.168.<MAIN_WIFI>.0/24 lookup main
50:	from all to 100.100.100.100 lookup 52
1099:	from all fwmark 0x80000/0xc0000 lookup main
1100:	from all lookup main suppress_prefixlength 0
1101:	not from all fwmark 0x8000/0xc000 lookup 8000
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5269:	from all fwmark 0x80000/0x80000 lookup main
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default
root@GL-AXT1800:~# ip route show table 8000
root@GL-AXT1800:~# ip route show table 52
default dev tailscale0
100.100.<TS_NET>.1 dev tailscale0
100.100.<TS_NET>.2 dev tailscale0
100.100.<TS_NET>.3 dev tailscale0
[...]
100.100.<TS_NET>.<CUSTOM_EXIT_GW> dev tailscale0
100.100.100.100 dev tailscale0
throw 127.0.0.0/8
192.168.1.0/24 dev tailscale0
throw 192.168.5.0/24
throw 192.168.<GUEST_WIFI>.0/24
throw 192.168.<MAIN_WIFI>.0/24
<TS_ADV_ROUTE_1> dev tailscale0
<TS_ADV_ROUTE_2> dev tailscale0
<TS_ADV_ROUTE_3> dev tailscale0
<TS_ADV_ROUTE_4> dev tailscale0
<TS_ADV_ROUTE_5> dev tailscale0
root@GL-AXT1800:~# ip route show
default via 192.168.5.1 dev eth0 proto static src 192.168.5.233 metric 1
100.64.0.0/10 dev tailscale0 scope link
192.168.5.0/24 dev eth0 proto static scope link metric 1
192.168.<GUEST_WIFI>.0/24 dev br-guest proto kernel scope link src 192.168.<GUEST_WIFI>.1
192.168.<MAIN_WIFI>.0/24 dev br-lan proto kernel scope link src 192.168.<MAIN_WIFI>.1
root@GL-AXT1800:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15526 8415K ts-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1329  125K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
  592 89085 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   21  1264 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
  113 18756 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  624 17472 zone_wan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_guest_input  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19665   10M ts-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set GL_MAC_BLOCK src
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_guest_forward  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 64 packets, 4293 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 8775 3283K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
  534  106K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    5   916 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 8172 3171K zone_wan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_guest_output  all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1264 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
10682 7183K MARK       all  --  tailscale0 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
10682 7183K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
    0     0 DROP       all  --  *      tailscale0  100.64.0.0/10        0.0.0.0/0
 8983 2981K ACCEPT     all  --  *      tailscale0  0.0.0.0/0            0.0.0.0/0

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       100.100.<TS_NET>.1         0.0.0.0/0
    0     0 RETURN     all  --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0
    0     0 DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0
  173 29316 ACCEPT     all  --  tailscale0 *       0.0.0.0/0            0.0.0.0/0
12341 8107K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:41641

Chain zone_guest_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_guest_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_guest_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom guest forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone guest to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_guest_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_guest_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom guest input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68 /* !fw3: Allow-DHCP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* !fw3: Allow-DNS */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: Allow-DNS */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_guest_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_guest_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom guest output rule chain */
    0     0 zone_guest_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_guest_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    5   916 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  113 18756 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  113 18756 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   916 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    5   916 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  113 18756 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
 8172 3171K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  624 17472 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  624 17472 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8172 3171K output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
 8172 3171K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
  624 17472 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
root@GL-AXT1800:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 484 packets, 144K bytes)
 pkts bytes target     prot opt in     out     source               destination
  484  144K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  452  142K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   32  1792 zone_wan_prerouting  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_guest_prerouting  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 80 packets, 5608 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 146 packets, 10612 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 393 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
  698  184K ts-postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  472  119K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    2   416 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   79  5827 zone_wan_postrouting  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_guest_postrouting  all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ts-postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000

Chain zone_guest_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom guest postrouting rule chain */

Chain zone_guest_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom guest prerouting rule chain */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   416 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  452  142K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   79  5827 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
   79  5827 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  1792 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
root@GL-AXT1800:~# iptables -t raw -nvL
Chain PREROUTING (policy ACCEPT 25115 packets, 9006K bytes)
 pkts bytes target     prot opt in     out     source               destination
 8779 2802K zone_lan_helper  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3: lan CT helper assignment */
    0     0 zone_guest_helper  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            /* !fw3: guest CT helper assignment */

Chain OUTPUT (policy ACCEPT 9240 packets, 3417K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_guest_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
root@GL-AXT1800:~# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 25670 packets, 9113K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   846 MARK       all  --  br-guest *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x80000/0x84000
25670 9113K VPN_SER_POLICY  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 9858 packets, 3563K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 15731 packets, 5520K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 9461 packets, 3471K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 65533 /* !fw3: process_mark */ MARK xset 0x8000/0xc000
 9461 3471K ROUTE_POLICY_DNS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 25192 packets, 8991K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ROUTE_POLICY_DNS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   590 MARK       all  --  *      *       0.0.0.0/0            8.8.8.8              MARK xset 0x8000/0xc000
   46  3105 MARK       all  --  *      *       0.0.0.0/0            8.8.4.4              MARK xset 0x8000/0xc000

Chain VPN_SER_POLICY (1 references)
 pkts bytes target     prot opt in     out     source               destination

Thanks so much, we will try to analyse what changed on your router, to bring the guest wifi back to being available.