Guest Wifi loses internet after reboot - Errant iptables rules added after reboot


drewski22785

Occasional Visitor
So I have been trying to run this issue down for days now, thinking it was related to a unique router setup; a couple of you have been helping me work through those issues.

It turns out my issue was with the guest wifi itself: after a reboot, and possibly other service restarts, the iptables get changed and block all guest wifi to the internet. I do have the guest wifi set to internet only as well.

Initially I thought this was related to YazFi guest wifi addon but even with that completely uninstalled I still experienced the same issue. Non-Guest wifi continues to operate normally.

Before Reboot IPTABLES:

Chain INPUT (policy ACCEPT 958 packets, 186K bytes)
 pkts bytes target     prot opt in     out    source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br2    tun+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br2    eth0   0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    LAN_SUBNET           0.0.0.0/0
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 NSFW       all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 OVPN       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state NEW




After Reboot IPTABLES:
Chain INPUT (policy DROP 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     udp  --  br2    *      0.0.0.0/0            0.0.0.0/0            udp dpt:53
    6  1968 ACCEPT     udp  --  br2    *      0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  br2    *      0.0.0.0/0            0.0.0.0/0            udp dpt:68
  131 10596 DROP       all  --  br2    *      0.0.0.0/0            0.0.0.0/0
 2099  340K ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state INVALID
 1884  443K PTCSRVWAN  all  --  !br0   *      0.0.0.0/0            0.0.0.0/0
  343 69032 PTCSRVLAN  all  --  br0    *      0.0.0.0/0            0.0.0.0/0
  343 69032 ACCEPT     all  --  br0    *      0.0.0.0/0            0.0.0.0/0            state NEW
 1882  442K ACCEPT     all  --  lo     *      0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     lo     0.0.0.0/0            0.0.0.0/0


Is anyone else experiencing this with their guest wifi after a reboot? I have no scripts running besides ntp refresh. Merlin 386.3.2
 

ColinTaylor

Part of the Furniture
Your iptables rules, both before and after the reboot look completely messed up. Before the reboot it almost looks like you have disabled the firewall and NAT. Even after the reboot there appears to be missing rules, or have you omitted some of the output? Are you in "router mode"?
 

drewski22785

Occasional Visitor
Your iptables rules, both before and after the reboot look completely messed up. Before the reboot it almost looks like you have disabled the firewall. Even after the reboot there appears to be missing rules, or have you omitted some of the output? Are you in "router mode"?
Yes, I am in router mode, and you are right, I do have the fw disabled. This router sits behind another fw, but I ultimately decided to disable it because of some of the router testing I was doing.
 

ColinTaylor

Part of the Furniture
I suggest that you set "Enable JFFS custom scripts and configs" to No and reboot the router. Then look at the output of iptables-save.
 

drewski22785

Occasional Visitor
Okay, update on the iptables changes after reboot. I disabled guest wifi completely and did a reboot from the earlier "before reboot" state to see if it was just having guest wifi that caused the drastic before/after reboot changes:

Before Reboot without guest wifi:
Chain INPUT (policy ACCEPT 894 packets, 193K bytes)
 pkts bytes target     prot opt in     out    source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   eth0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    10.67.54.0/24        0.0.0.0/0
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 NSFW       all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 OVPN       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state NEW




After Reboot without guest wifi:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
 3866  552K ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state INVALID
 4798 1105K PTCSRVWAN  all  --  !br0   *      0.0.0.0/0            0.0.0.0/0
  647  161K PTCSRVLAN  all  --  br0    *      0.0.0.0/0            0.0.0.0/0
  647  161K ACCEPT     all  --  br0    *      0.0.0.0/0            0.0.0.0/0            state NEW
 4798 1105K ACCEPT     all  --  lo     *      0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     lo     0.0.0.0/0            0.0.0.0/0





After Reboot, Re-enable Guest Wifi:
Chain INPUT (policy ACCEPT 774 packets, 147K bytes)
 pkts bytes target     prot opt in     out    source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source               destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br2    tun+   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br2    eth0   0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0    10.67.54.0/24        0.0.0.0/0
    0     0 DROP       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 NSFW       all  --  *      *      0.0.0.0/0            0.0.0.0/0
    0     0 OVPN       all  --  *      *      0.0.0.0/0            0.0.0.0/0            state NEW
 

ColinTaylor

Part of the Furniture
Can you post your terminal output within a CODE block please. It's difficult to read tabulated output when the whitespace has been removed.
 

drewski22785

Occasional Visitor
So I disabled the custom scripts and here is the output; it is going to be LONG.

Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:43:33 2021
*raw
:PREROUTING ACCEPT [4844:1026544]
:OUTPUT ACCEPT [2997:753875]
COMMIT
# Completed on Wed Oct  6 10:43:33 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:43:33 2021
*nat
:PREROUTING ACCEPT [615:191561]
:INPUT ACCEPT [203:31753]
:OUTPUT ACCEPT [428:90138]
:POSTROUTING ACCEPT [721:231757]
:DNSFILTER - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING ! -d LAN_SUBNET -p tcp -m tcp --dport 80 -j DNAT --to-destination ROUTER_IP:18017
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination ROUTER_IP:18018
COMMIT
# Completed on Wed Oct  6 10:43:33 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:43:33 2021
*mangle
:PREROUTING ACCEPT [4844:1026544]
:INPUT ACCEPT [3618:816278]
:FORWARD ACCEPT [1060:189455]
:OUTPUT ACCEPT [2997:753875]
:POSTROUTING ACCEPT [4144:964384]
COMMIT
# Completed on Wed Oct  6 10:43:33 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:43:33 2021
*filter
:INPUT DROP [14:1364]
:FORWARD DROP [1:52]
:OUTPUT ACCEPT [2866:688731]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:OVPN - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Oct  6 10:43:33 2021



Here is the code after enabling guest wifi:
Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:48:14 2021
*raw
:PREROUTING ACCEPT [9184:1938845]
:OUTPUT ACCEPT [7113:4152647]
COMMIT
# Completed on Wed Oct  6 10:48:14 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:48:14 2021
*nat
:PREROUTING ACCEPT [38:3824]
:INPUT ACCEPT [37:3763]
:OUTPUT ACCEPT [12:1985]
:POSTROUTING ACCEPT [12:1985]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d ROUTER_IP -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination ROUTER_IP:8443
COMMIT
# Completed on Wed Oct  6 10:48:14 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:48:14 2021
*mangle
:PREROUTING ACCEPT [963:178337]
:INPUT ACCEPT [962:178276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [888:912963]
:POSTROUTING ACCEPT [898:917348]
COMMIT
# Completed on Wed Oct  6 10:48:14 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:48:14 2021
*filter
:INPUT ACCEPT [962:178276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [888:912963]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:ICAccept - [0:0]
:ICDrop - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:NSFW - [0:0]
:OVPN - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:other2wan - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br2 -o tun+ -j ACCEPT
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -s LAN_SUBNET -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j NSFW
-A FORWARD -m state --state NEW -j OVPN
-A ICAccept -j ACCEPT
-A ICDrop -j DROP
-A PControls -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
COMMIT





After Reboot with GUEST WIFI:
Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:59:08 2021
*raw
:PREROUTING ACCEPT [3310:795074]
:OUTPUT ACCEPT [2790:768548]
COMMIT
# Completed on Wed Oct  6 10:59:08 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:59:08 2021
*nat
:PREROUTING ACCEPT [276:55417]
:INPUT ACCEPT [59:9894]
:OUTPUT ACCEPT [396:82394]
:POSTROUTING ACCEPT [396:82394]
:DNSFILTER - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING ! -d LAN_SUBNET -p tcp -m tcp --dport 80 -j DNAT --to-destination ROUTER_IP:18017
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination ROUTER_IP:18018
COMMIT
# Completed on Wed Oct  6 10:59:08 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:59:08 2021
*mangle
:PREROUTING ACCEPT [3311:795114]
:INPUT ACCEPT [3172:764899]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2790:768548]
:POSTROUTING ACCEPT [2891:789629]
COMMIT
# Completed on Wed Oct  6 10:59:08 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 10:59:08 2021
*filter
:INPUT DROP [80:15388]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2668:705025]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:OVPN - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Oct  6 10:59:08 2021
 

drewski22785

Occasional Visitor
Clearly enabling guest wifi completely changes the entire iptables set. Does that mean "after reboot" is the correct setup?

This line here appears to be the one that is breaking the communication, since it is being entered at the top of the list of rules before any accepts are possible?

-A INPUT -i br2 -j DROP

From what I can see I am dropping before an "ESTABLISHED" connection can be allowed through. I think I am reading that right.
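The comparison being made by eye in the posts above (which rules appear or disappear across a reboot, and which rule a guest packet actually hits first) can be automated. What follows is an added example, not code from this thread nor from Asus, Merlin or YazFi. It parses iptables-save output into tables, chains and rules; reports, per table, which rules and built-in chain policies differ between two dumps; and walks a described packet through a chain with iptables' first-match semantics, following jumps into user chains such as other2wan and honouring RETURN. Only the matchers these INPUT/FORWARD rules use are modelled (-i/-o with negation and the + wildcard, -p, --dport, --state). BEFORE and AFTER are constructed, abridged copies of the "after enabling guest wifi" and "after reboot with guest wifi" filter dumps posted earlier, with LAN_SUBNET and ROUTER_IP kept as the thread's own placeholders.

```python
"""Added example (not code from the thread): parse iptables-save dumps, diff two of them and
trace one packet through a chain as the kernel does: first match wins, a user chain that
RETURNs or runs out hands back, and the built-in chain's policy decides last. Only -i/-o
(with ! and the + wildcard), -p, --dport and --state are modelled. BEFORE and AFTER are
constructed, abridged copies of the "enabled guest wifi" and "after reboot" dumps above."""

def parse_rule(line):
    tok, i = line.split(), 2
    r = {"chain": tok[1], "raw": line, "states": set()}     # in/out/proto/dport/target set below
    while i < len(tok):
        neg = tok[i] == "!"
        i += neg                                   # "! -i br0" negates the option after it
        opt, val = tok[i], (tok[i + 1] if i + 1 < len(tok) and not tok[i + 1].startswith("-") else None)
        if opt in ("-i", "-o"):
            r["in" if opt == "-i" else "out"] = ("!" if neg else "") + val
        elif opt in ("-p", "-j"):
            r["proto" if opt == "-p" else "target"] = val
        elif opt == "--dport":
            r["dport"] = int(val)
        elif opt == "--state":
            r["states"] = set(val.split(","))
        i += 1 if val is None else 2               # flags like --log-tcp-options take no value
    return r

def parse_save(text):
    """{table: {"policy": {chain: "ACCEPT" | "DROP" | "-"}, "rules": [...]}}; "-" marks a user chain."""
    tables, t = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            t = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            t["policy"][chain] = policy
        elif line.startswith("-A "):
            t["rules"].append(parse_rule(line))
    return tables

def _iface_ok(pattern, iface):   # None matches anything, "tun+" is a prefix wildcard, "!" negates
    if pattern is None:
        return True
    neg, pat, iface = pattern.startswith("!"), pattern.lstrip("!"), iface or ""
    return (iface == pat or pat.endswith("+") and iface.startswith(pat[:-1])) != neg

def trace(table, chain, pkt, _depth=0):
    """Return (verdict, matching rule); the rule is None when the built-in chain's policy decided."""
    for r in [x for x in table["rules"] if x["chain"] == chain]:
        if not (_iface_ok(r.get("in"), pkt.get("in")) and _iface_ok(r.get("out"), pkt.get("out"))
                and r.get("proto") in (None, pkt.get("proto")) and r.get("dport") in (None, pkt.get("dport"))
                and (not r["states"] or pkt.get("state", "NEW") in r["states"])):
            continue
        if r.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], r
        if r.get("target") == "RETURN":
            break                                            # hand back to the calling chain
        if table["policy"].get(r.get("target")) == "-":      # jump into a user-defined chain
            verdict, hit = trace(table, r["target"], pkt, _depth + 1)
            if verdict:
                return verdict, hit                          # otherwise it fell through: carry on
    return (table["policy"][chain], None) if _depth == 0 else (None, None)

def diff_dumps(before, after):
    """Per table: rules present in only one dump, and built-in chain policies that changed."""
    out, empty = {}, {"rules": [], "policy": {}}
    for t in sorted(set(before) | set(after)):
        b, a = before.get(t, empty), after.get(t, empty)
        br, ar = {r["raw"] for r in b["rules"]}, {r["raw"] for r in a["rules"]}
        pol = {c: (b["policy"][c], a["policy"][c]) for c in b["policy"].keys() & a["policy"].keys() if b["policy"][c] != a["policy"][c]}
        if br ^ ar or pol:
            out[t] = {"removed": sorted(br - ar), "added": sorted(ar - br), "policy": pol}
    return out

BEFORE = """\
*filter
:FORWARD ACCEPT [0:0]
:other2wan - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
COMMIT
"""
AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination ROUTER_IP:18018
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(diff_dumps(parse_save(BEFORE), parse_save(AFTER)))
```

Tracing a NEW guest connection from br2 out to eth0 returns ACCEPT via `-A FORWARD -i br2 -o eth0 -j ACCEPT` against BEFORE, and DROP from the FORWARD chain policy against AFTER, where that rule no longer exists; an ESTABLISHED packet from br2 addressed to the router itself, traced through AFTER's INPUT chain, stops at `-A INPUT -i br2 -j DROP` before the RELATED,ESTABLISHED rule is reached, while a UDP/53 query from br2 is accepted. The nat diff lists the port 53 DNAT line that ColinTaylor later attributes to the WAN down browser redirect. Feed it the real `iptables-save` output instead of the abridged strings to compare full dumps.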
 

ColinTaylor

Part of the Furniture
Go to the router's Administration - System and change Enable WAN down browser redirect notice to No.
 

drewski22785

Occasional Visitor
Go to the router's Administration - System and change Enable WAN down browser redirect notice to No.
Okay, I did this; it also rebuilt the entire iptables ruleset to look like I had just enabled guest wifi (see above). After reboot though it changed all the rules to my previous post (see above).
 

ColinTaylor

Part of the Furniture
Okay, I did this; it also rebuilt the entire iptables ruleset to look like I had just enabled guest wifi (see above). After reboot though it changed all the rules to my previous post (see above).
Sorry, you've lost me. Your first and third outputs in post #7 show the WAN redirect is activated. If you've disabled that option you shouldn't have that anymore.
 

drewski22785

Occasional Visitor
Sorry, you've lost me. Your first and third outputs in post #7 show the WAN redirect is activated. If you've disabled that option you shouldn't have that anymore.
Okay, I rebooted to get you the full chain; I was only looking at the INPUT and FORWARD chains when I made that statement.

Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 11:59:04 2021
*raw
:PREROUTING ACCEPT [2751:666908]
:OUTPUT ACCEPT [2193:665489]
COMMIT
# Completed on Wed Oct  6 11:59:04 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 11:59:04 2021
*nat
:PREROUTING ACCEPT [329:56861]
:INPUT ACCEPT [67:9883]
:OUTPUT ACCEPT [318:62960]
:POSTROUTING ACCEPT [318:62960]
COMMIT
# Completed on Wed Oct  6 11:59:04 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 11:59:04 2021
*mangle
:PREROUTING ACCEPT [2751:666908]
:INPUT ACCEPT [2553:633530]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2193:665489]
:POSTROUTING ACCEPT [2295:686690]
COMMIT
# Completed on Wed Oct  6 11:59:04 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 11:59:04 2021
*filter
:INPUT DROP [66:13680]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2071:601966]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:OVPN - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Oct  6 11:59:04 2021
 

ColinTaylor

Part of the Furniture
OK that looks about correct ***given that you've turned off the firewall and NAT***.

If you're still having problems I suggest you try re-enabling the firewall and NAT, or use a guest network in slots 2 or 3 instead of slot 1.
 

drewski22785

Occasional Visitor
OK that looks about correct ***given that you've turned off the firewall and NAT***.

If you're still having problems I suggest you try re-enabling the firewall and NAT, or use a guest network in slots 2 or 3 instead of slot 1.
I have heard of issues with G1 before, so I am trying this first.

I moved the SSID to G2 and have it set to access intranet disabled, but it is still binding it to BR0 for some reason and actually giving out an IP from the local LAN instead of 192.168.x.x like G1.

Is this expected or is there something else broken? I can install yazfi again and see if maybe that fixes it...
 

drewski22785

Occasional Visitor
Yes this is exactly as expected.
Well to give you an update I believe I figured out some of the issue and at the least a workaround.

Initially I was running this with YazFi before I uninstalled it and tried working the issue with no add on, why the rules for G1 change after a reboot is still beyond me.

It turns out with YazFi, it becomes an order of operations issue. On G1 5G and 2G (it doesn't exist on G2 and G3 as a true option), you are able to toggle the access intranet at the main guest page. If you have it disabled on the main guest page but have two-way enabled on the YazFi page, that is when you can run into this. Ultimately on reboot the Asus guest sees disabled and puts them into a BR1/2. YazFi adds rules independent of being in the bridge. So now there are blocking rules for the BR1/2 and accept rules for other traffic etc...

So long story short, if using YazFi, make sure you specifically set access intranet to disable and let YazFi control the rules. This worked repeatedly after reboot, and when I set G1 back to disable I would run into the issue of blocking again after reboot.

Unfortunately I wasted 10+ hours troubleshooting other stuff when it was an order of operations issue the entire time... Fun fun, I know my routers well now though!
 

Jack Yaz

Part of the Furniture
So long story short, if using YazFi, make sure you specifically set access intranet to disable and let YazFi control the rules. This worked repeatedly after reboot, and when I set G1 back to disable I would run into the issue of blocking again after reboot.
YazFi sets Access Intranet to True, to specifically avoid Asus' code creating extra bridges and firewall rules
 

drewski22785

Occasional Visitor
YazFi sets Access Intranet to True, to specifically avoid Asus' code creating extra bridges and firewall rules
Hi @Jack Yaz, yes I see that, but on the AC88U this setting is still changeable on G1s. I was able to replicate the issue once I found it. Moving it to G2s or G3s, the issue did not occur. This behavior however did not happen on my AX88U, so it might be a specific issue with that model/generation?
 

Jack Yaz

Part of the Furniture
Hi @Jack Yaz, yes I see that, but on the AC88U this setting is still changeable on G1s. I was able to replicate the issue once I found it. Moving it to G2s or G3s, the issue did not occur. This behavior however did not happen on my AX88U, so it might be a specific issue with that model/generation?
YazFi runs a persistence check every 10 minutes so it should reset it
 

drewski22785

Occasional Visitor
YazFi runs a persistence check every 10 minutes so it should reset it
That is true, but I also tried running the check separately and it didn't fix the issue. The issue only occurs after a reboot, specifically with G1s. Somehow this option seems to re-appear after reboot. Just for your reference, here is what happens before and after a reboot on the AC88U when your script is enabled.

Before reboot(working):
Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:09:06 2021
*raw
:PREROUTING ACCEPT [37373:7339649]
:OUTPUT ACCEPT [33800:63902431]
COMMIT
# Completed on Wed Oct  6 09:09:06 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:09:06 2021
*nat
:PREROUTING ACCEPT [461:44035]
:INPUT ACCEPT [342:32677]
:OUTPUT ACCEPT [278:20927]
:POSTROUTING ACCEPT [386:31727]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
:YazFiDNSFILTER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
-A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination ROUTER_IP:8443
COMMIT
# Completed on Wed Oct  6 09:09:06 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:09:06 2021
*mangle
:PREROUTING ACCEPT [8772:2000001]
:INPUT ACCEPT [7690:1528970]
:FORWARD ACCEPT [1071:470473]
:OUTPUT ACCEPT [7038:2877086]
:POSTROUTING ACCEPT [8142:3361053]
COMMIT
# Completed on Wed Oct  6 09:09:06 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:09:06 2021
*filter
:INPUT ACCEPT [7576:1488460]
:FORWARD ACCEPT [108:10800]
:OUTPUT ACCEPT [6927:2838636]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:ICAccept - [0:0]
:ICDrop - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:NSFW - [0:0]
:OVPN - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:YazFiDNSFILTER_DOT - [0:0]
:YazFiFORWARD - [0:0]
:YazFiINPUT - [0:0]
:YazFiREJECT - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:other2wan - [0:0]
-A INPUT -j YazFiINPUT
-A FORWARD -p tcp -m tcp --dport 853 -j YazFiDNSFILTER_DOT
-A FORWARD -j YazFiFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br2 -o tun+ -j ACCEPT
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -s LAN_SUBNET/24 -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j NSFW
-A FORWARD -m state --state NEW -j OVPN
-A ICAccept -j ACCEPT
-A ICDrop -j DROP
-A PControls -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A YazFiREJECT -j REJECT --reject-with icmp-port-unreachable
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
COMMIT
# Completed on Wed Oct  6 09:09:06 2021


After Reboot when G1 was not set in the GUI first to disable:
Bash:
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:19:36 2021
*raw
:PREROUTING ACCEPT [3189:767809]
:OUTPUT ACCEPT [2680:780860]
COMMIT
# Completed on Wed Oct  6 09:19:36 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:19:36 2021
*nat
:PREROUTING ACCEPT [85:19745]
:INPUT ACCEPT [60:17364]
:OUTPUT ACCEPT [278:57162]
:POSTROUTING ACCEPT [278:57162]
:DNSFILTER - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
:YazFiDNSFILTER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
-A PREROUTING ! -d 10.67.54.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.67.54.2:18017
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 10.67.54.2:18018
COMMIT
# Completed on Wed Oct  6 09:19:36 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:19:36 2021
*mangle
:PREROUTING ACCEPT [3189:767809]
:INPUT ACCEPT [3162:764731]
:FORWARD ACCEPT [18:1965]
:OUTPUT ACCEPT [2681:780952]
:POSTROUTING ACCEPT [2759:798010]
COMMIT
# Completed on Wed Oct  6 09:19:36 2021
# Generated by iptables-save v1.4.15 on Wed Oct  6 09:19:36 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [18:1965]
:OUTPUT ACCEPT [2023:519084]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:OVPN - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:YazFiDNSFILTER_DOT - [0:0]
:YazFiFORWARD - [0:0]
:YazFiINPUT - [0:0]
:YazFiREJECT - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -j YazFiINPUT
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 853 -j YazFiDNSFILTER_DOT
-A FORWARD -j YazFiFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A YazFiREJECT -j REJECT --reject-with icmp-port-unreachable
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Oct  6 09:19:36 2021

As you can see BR2 still gets created and does some funk... Now if I disable your script, remove and apply the G1 setting, specifically setting LAN access enable, BR2 never gets created again even after reboot. This doesn't happen on G2/G3, probably as expected I would presume... Definitely a weird behavior and all based on the order in which you set it up.
 
