V386.4 and (possibly odd) iptables forward rule

[GWB]

Been lurking in background for many years. Greatly appreciate all the help and the fantastic Asus Merlin Firmware. Learned a lot reading these forums - thanks. First post

While reconfiguring my AC86U after 386.4 upgrade ( full wipe) , i noticed what I thought was an unusual entry in my iptables filter table forward chain ( rule #1 in image below). At the moment, my set up is pretty basic. No qos, no ai protect, no other AMTM scripts installed (yet). FIOS isp ( internet only). No custom scripts installed (yet). I dont use IPTV etc. I’ll freely admit, I’m far from an expert at multicast and iptables so.. this could be a legit entry. I just don’t recall seeing this rule in the past, Didn’t know if it’s indicative of a compromise, or bug, or is this normal and I just never noticed? Any insight would be greatly appreciated. It’s injected upon bringing wan up but isn’t “persistent“ as The entry disappears after a service restart_firewall.. Just thought it seemed odd?

 

[dave14305]

I know nothing of IPTV or multicast myself, but this rule will be created if "Enable multicast routing" is Enabled on the LAN / IPTV page.

EDIT: But if it comes from that setting, it should be a udp only rule without an interface specified. So maybe it's still a mystery.

 

[GWB]

Thanks for quick reply Dave . “Enable Multicast Routing“ is unfortunately currently disabled in GUI. Nit sure if there’s corresponding NVRAM var might be out of sync.

 

[dave14305]

Thanks for quick reply Dave . “Enable Multicast Routing“ is unfortunately currently disabled in GUI. Nit sure if there’s corresponding NVRAM var might be out of sync.

You can run nvram get mr_enable_x but as I edited my post above, that rule doesn't completely match what the firmware would add to the firewall.

I just setup my AC86U from scratch tonight and I have no such rule in my FORWARD chain. It feels like it would be a custom rule that's inserted at the top of the CHAIN instead of appended at the bottom, but that's just speculation. Maybe someone smarter will come along.

EDIT: Check the file cat /tmp/filter_rules to see if the rule is firmware-generated or not.

 

[GWB]

Thanks very much. For grins, I decided to enable and disable said routing. As you mentioned, the firewall rule from firmware is different. I have no idea where this is coming from?

with multicast enabled:

Without

 

[GWB]

You can run nvram get mr_enable_x but as I edited my post above, that rule doesn't completely match what the firmware would add to the firewall.

I just setup my AC86U from scratch tonight and I have no such rule in my FORWARD chain. It feels like it would be a custom rule that's inserted at the top of the CHAIN instead of appended at the bottom, but that's just speculation. Maybe so

EDIT: Check the file cat /tmp/filter_rules to see if the rule is firmware-generated or not.

It does not appear in /tmp/filter_rules.