Firewall function

Annoyed · March 30, 2025, 6:53pm

ip -4 route show

192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

ip -4 rule show

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

flebourse · March 30, 2025, 6:56pm

There is no default route for outputting packets. The mobile interface doesn’t seem to be up ???.
What is the output of ifconfig on the RUT ?

Annoyed · March 31, 2025, 5:13pm

Well that was irritating. The forum software told me that I had hit the maximum posts for the day.

Anyway…

ifconfig

br-lan
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2297:27ff:fe58:bbf7/64 Scope:Link
inet6 addr: 2a00:23ee:2930:1df2::1/64 Scope:Global
inet6 addr: fdef:489d:ef9b::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8587 errors:0 dropped:0 overruns:0 frame:0
TX packets:52761 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1366080 (1.3 MiB) TX bytes:47001027 (44.8 MiB)

eth0
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
inet6 addr: fe80::2297:27ff:fe58:bbf7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1504 Metric:1
RX packets:301959 errors:0 dropped:0 overruns:0 frame:0
TX packets:745755 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:65986657 (62.9 MiB) TX bytes:1065725639 (1016.3 MiB)
Interrupt:21

lan1
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:301406 errors:0 dropped:0 overruns:0 frame:0
TX packets:745093 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:60481542 (57.6 MiB) TX bytes:1059670859 (1010.5 MiB)

lan2
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:553 errors:0 dropped:0 overruns:0 frame:0
TX packets:395 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69853 (68.2 KiB) TX bytes:66908 (65.3 KiB)

lan3
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lan4
Link encap:Ethernet HWaddr 20:97:27:58:BB:F7
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo
Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1218 errors:0 dropped:0 overruns:0 frame:0
TX packets:1218 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:119536 (116.7 KiB) TX bytes:119536 (116.7 KiB)

usb0
Link encap:Ethernet HWaddr 96:B2:BD:B9:D0:D6
inet6 addr: fe80::94b2:bdff:feb9:d0d6/64 Scope:Link
inet6 addr: 2a00:23ee:2930:1df2:94b2:bdff:feb9:d0d6/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:744642 errors:0 dropped:44 overruns:0 frame:0
TX packets:303287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1048642163 (1000.0 MiB) TX bytes:65513975 (62.4 MiB)

wan
Link encap:Ethernet HWaddr 20:97:27:58:BB:F8
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:21

wlan0-1
Link encap:Ethernet HWaddr 20:97:27:58:BB:F9
inet6 addr: fe80::2297:27ff:fe58:bbf9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:439 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:103731 (101.2 KiB)

wlan1-1
Link encap:Ethernet HWaddr 20:97:27:58:BB:FA
inet6 addr: fe80::2297:27ff:fe58:bbfa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:440 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:103884 (101.4 KiB)

Also, I’ve spoken to the UK vendor for the router and they have passed some debugging files to the manufacturer. I’m waiting to hear back from them.

flebourse · March 31, 2025, 5:27pm

The public IP address you have is an IPv6 one on usb0, there is no connection on wan nor mobile interfaces.
You need to activate either the wan interface or one mobile first.

Annoyed · April 1, 2025, 8:21am

I understand, but if that were the fault, how would it explain the fact that I have web and email traffic but not WireGuard or OpenVPN?

It’s a long time since I did networking professionally, but back then you either had a route or you didn’t. Certainly, we didn’t have default routes for some services but not others.

Things may have changed since then, but this still seems to me like a traffic filtering issue.

Annoyed · April 1, 2025, 12:13pm

Incidentally, I just found out that, while I can send and receive text emails, attachments are blocked.

This suggests to me again that there is some form of filtering taking place on the router, with transfer of attachments not using SMTP.

flebourse · April 1, 2025, 12:41pm

You have a public IPv6 address on usb0 so some exchanges are possible. Where does it comes from ? Can you make a drawing of the physical connections ?

Annoyed · April 1, 2025, 1:14pm

There’s really nothing to draw.

Four coaxial cables come from the antenna on the roof and they are plugged into the four inputs labelled “mobile”.
On the LAN side, my devices are plugged into the RJ45 sockets labelled “LAN1” and “LAN2”.
The only other connection is the power supply.

flebourse · April 1, 2025, 1:27pm

Ok I think I understand your mobile connection appears on usb0 and is IPv6 only.
What is the output of:

ip -6 route show
ip -6 rule show

From the UI go to Network->wan edit the usb0 interface set the PDP type to IPv4/IPv6 if it doesn’t already have this value. Restart then recheck with ifconfig if the ISP has assigned an IPv4 address.

Annoyed · April 1, 2025, 1:55pm

ip -6 route show

default from 2a00:23ee:2928:771b::/64 via fe80::d006:cff:fe4c:cdf dev usb0 proto static metric 512 pref medium
2a00:23ee:2928:771b::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a00:23ee:2928:771b::/64 dev lo proto static metric 4294967295 pref medium
fdef:489d:ef9b::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdef:489d:ef9b::/48 dev lo proto static metric 4294967295 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1-1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium
fe80::/64 dev usb0 proto kernel metric 256 pref medium

ip -6 rule show

0: from all lookup local
32766: from all lookup main
4200000000: from 2a00:23ee:2928:771b::1/64 iif br-lan unreachable

There is no Network->wan option.
There are only…
Network->Mobile
Network->LAN
Network->Firewall
Network->Topology

flebourse · April 1, 2025, 2:10pm

Your IPv6 address is public the router should be reachable. As the prefix is a /64 your local server should have its own IPv6 address and be reachable.
Check the /etc/config/network file, do you have option pdptype lines somewhere ?
I have to go now I’ll be back late.

Annoyed · April 1, 2025, 2:19pm

The chars ‘pdptype’ appear as follows:

config interface ‘mob1s1a1’
option pdptype ‘ipv4v6’

config interface ‘mob1s2a1’
option pdptype ‘ipv4v6’

Annoyed · April 2, 2025, 12:38pm

UPDATE: I’m in contact with Teltonika support and the router was indeed using IPv6 only on the antenna interface.
This has now been changed to IPv4, which has enabled OpenVPN but still not WireGuard.
Unfortunately, the change also locked me out of the router and I can no longer access it either by SSH or the Web UI.

Currently waiting for further advice from Teltonika.

flebourse · April 2, 2025, 3:30pm

How ?

What is the IPv4 address of your workstation ? Do an arp -an on it it should show you the reachable IP and mac addresses present on the local network.

Annoyed · April 2, 2025, 4:37pm

How ?

There’s a menu option.

Do an arp -an on it…

In anticipation of ARP problems, I did hardware resets on workstation and router.
I’m going to try again in a little bit, to give anything which needs to age out a chance to do so.

Annoyed · April 3, 2025, 6:49pm

Right now, all protocols work.

This was achieved by changing the WAN interface from IPv6 only to IPv4.

There is a new problem though. Whenever I make the change via the Web UI, it freezes and I can no longer access it nor SSH into the router.

I’ve let the support guys know about this and am waiting to hear back from them.

flebourse · April 3, 2025, 7:14pm

Have you performed a renew of the IP address of the workstation after changing the PDP type ?

Annoyed · April 3, 2025, 7:39pm

I’m not sure I understand “renew of the IP address”. Are you referring to DHCP?

flebourse · April 3, 2025, 7:53pm

Yes. The address / routes / dns of the router may have changed.

Annoyed · April 3, 2025, 8:36pm

Ok, but I can’t get into the router to check. If I reset (not restart) the router, I’m back where I started.