YazFi Is this a Bug created by YazFi, RMerlin, or an Asuswrt bug?

SomeWhereOverTheRainBow

Part of the Furniture
So I have openvpn site tunnel enabled, I also use Yaz-fi. Whenever Yaz-fi Rules apply I get double pre-routing rules for the vpn site tunnel created.

Code:
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
   45  2970 YazFiDNSFILTER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
129K   11M YazFiDNSFILTER  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:123 to:192.168.1.1
  225 17100 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 to:192.168.1.1
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

You can verify this by seeing a segment of my iptables-save. @Jack Yaz Does Yaz-fi re-insert these entries with some preappend code for setup of the nat tables, or does @RMerlin not delete the chains before re-adding new ones? Or is this an asuswrt bug in general? I checked earlier today before a reboot and I swore I had 50 of these as entries.

Code:
-A PREROUTING -i wl1.3 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.7.1
-A PREROUTING -i wl1.3 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.7.1
-A PREROUTING -i wl1.2 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.6.1
-A PREROUTING -i wl1.2 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.6.1
-A PREROUTING -i wl1.1 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.5.1
-A PREROUTING -i wl1.1 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.5.1
-A PREROUTING -i wl0.3 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.4.1
-A PREROUTING -i wl0.3 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.4.1
-A PREROUTING -i wl0.2 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.3.1
-A PREROUTING -i wl0.2 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.3.1
-A PREROUTING -i wl0.1 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.2.1
-A PREROUTING -i wl0.1 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.2.1
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d 224.0.0.0/4 -i bond1 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -i wl1.3 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.7.1
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d 224.0.0.0/4 -i bond1 -j ACCEPT
-A PREROUTING -i wl1.2 -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.6.1
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -j YazFiDNSFILTER
-A PREROUTING -p udp -m udp --dport 53 -j YazFiDNSFILTER
 

Jack Yaz

Part of the Furniture
Doesn't repro on 2 routers here. I would start by removing all custom scripts and adding them back 1 at a time.
 

Jack Yaz

Part of the Furniture
and it doesn't apply any of this sort of rule at all
Code:
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
have you added any of your own scripts that get called by YazFi?
 

SomeWhereOverTheRainBow

Part of the Furniture
and it doesn't apply any of this sort of rule at all
Code:
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
have you added any of your own scripts that get called by YazFi?
Nope. I actually am attempting to add a -D version to see if it resolves the issue. It appears it might actually be related to a bug with the openvpn-server code, I am running openvpn-server.postconf scripts, but those lines are not added by .postconf scripts either.
 

SomeWhereOverTheRainBow

Part of the Furniture
and it doesn't apply any of this sort of rule at all
Code:
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
have you added any of your own scripts that get called by YazFi?
It is plain as day why it is happening, because /etc/openvpn/server1/fw.sh and /etc/openvpn/server2/fw.sh only list the -I rules. The nat table must not get cleared every single time the firewall restarts. So the rules must just keep getting re-added.

Code:
#!/bin/sh
iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ip6tables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I OVPN -i tun21 -j ACCEPT
ip6tables -I OVPN -i tun21 -j ACCEPT
 

ColinTaylor

Part of the Furniture
The iptables rules are normally removed (when the openvpn server is stopped) without the need for any extra scripts. If you're finding that's not happening check your own custom scripts as they could be stopping that happening.
 

SomeWhereOverTheRainBow

Part of the Furniture
The iptables rules are normally removed (when the openvpn server is stopped) without the need for any extra scripts. If you're finding that's not happening check your own custom scripts as they could be stopping that happening.
Colin, I have nothing custom in this regard. The only firewall rules I am using now are
Code:
#!/bin/sh

sh /jffs/addons/flexqos/flexqos.sh -start & # FlexQoS Addition
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/My_Part/skynet # Skynet
/jffs/scripts/YazFi runnow & # YazFi Guest Networks

The issue is still present if I remove the nat-rule to delete the duplicate.

So it would have to be one of these scripts causing the issue if that is the case. I don't have a script running on the side that is adding the duplicate rules either.
 

ZebMcKayhan

Very Senior Member
The nat table must not get cleared every single time the firewall restarts. So the rules must just keep getting re-added.
Found the same thing some time ago:

Back in the days when WGM was initiated/restarted from nat-start, when YazFi restarts the firewall the filter tables get flushed but not the mangle and nat tables, and consequently you don't get a nat-start event.

Great find on OpenVPN not cleaning the rules properly, perhaps a manual service restart_firewall is not considered properly and/or when the firmware does the same thing it somehow does it differently?
 

SomeWhereOverTheRainBow

Part of the Furniture
Found the same thing some time ago:

Back in the days when WGM was initiated/restarted from nat-start, when YazFi restarts the firewall the filter tables get flushed but not the mangle and nat tables, and consequently you don't get a nat-start event.

Great find on OpenVPN not cleaning the rules properly, perhaps a manual service restart_firewall is not considered properly and/or when the firmware does the same thing it somehow does it differently?
I came up with a one-liner fix I put at the end of my firewall-start file.

Code:
iptables-save | awk '/^COMMIT$/ { delete x; }; !x[$0]++' | iptables-restore; ip6tables-save | awk '/^COMMIT$/ { delete x; }; !x[$0]++' | ip6tables-restore
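
The duplicate build-up diagnosed in this thread, as an added example that is not part of any post: it audits an iptables-save dump for rules repeated within one table, removes the repeats, and shows an insert that checks for an existing rule first. The sample dump is constructed, `ensure_rule` and the `IPT` override are hypothetical names, and `iptables -C` is assumed to be supported by the router's iptables build.

```shell
#!/bin/sh
# Constructed sample shaped like the dump in the thread (not captured from a router).
sample_dump() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
-A PREROUTING -d 224.0.0.0/4 -i bond1 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1195 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Print "count<TAB>table<TAB>rule" for each rule that occurs more than once
# inside a single table, in order of first appearance.
report_duplicates() {
    awk '
        /^\*/  { table = substr($0, 2); next }     # "*nat" opens a table section
        /^-A / { key = table "\t" $0
                 if (!(key in n)) order[++k] = key
                 n[key]++ }
        END    { for (i = 1; i <= k; i++)
                     if (n[order[i]] > 1)
                         printf "%d\t%s\n", n[order[i]], order[i] }
    '
}

# Keep the first copy of each rule per table; chain declarations, COMMIT and
# comment lines pass through unchanged so the output still loads with iptables-restore.
dedupe_ruleset() {
    awk '
        /^\*/  { split("", seen) }          # new table: forget rules seen so far
        /^-A / { if (seen[$0]++) next }     # repeat within this table: drop it
        { print }
    '
}

# Insert a rule only when an identical one is not already in the chain, so a
# script that runs on every firewall restart cannot stack copies.
# IPT is a hypothetical override that lets the function run without root.
ensure_rule() {
    table=$1; chain=$2; shift 2
    ${IPT:-iptables} -t "$table" -C "$chain" "$@" 2>/dev/null ||
        ${IPT:-iptables} -t "$table" -I "$chain" "$@"
}

# Stand-alone run: show which constructed rules are repeated.
sample_dump | report_duplicates
```

On a router the same functions take live input, for example `iptables-save | report_duplicates` to audit and `iptables-save | dedupe_ruleset | iptables-restore` to clean up.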
 
