Ysurac / openmptcprouter

OpenMPTCProuter is an open source solution to aggregate multiple internet connections using Multipath TCP (MPTCP) on OpenWrt
https://www.openmptcprouter.com/
GNU General Public License v3.0

OMR-bypass issues after upgrading to latest version #3274

Closed darthclide closed 3 months ago

darthclide commented 7 months ago

Expected Behavior

After setting port or domain name in OMR-bypass, it should go over interface. And vice versa, if I disable an OMR-bypass rule, it should no longer send traffic on that interface alone.

Current Behavior

When disabling OMR-bypass rules it does not change anything. Instead, I get this in the system log:

Apr 14 00:40:02 OpenMPTCProuter daemon.err omr-tracker[16495]: sh: 66.6667: bad number
Apr 14 00:40:05 OpenMPTCProuter daemon.err omr-tracker[16495]: sh: 66.6667: bad number
Apr 14 00:40:10 OpenMPTCProuter user.notice omr-schedule-010-services: Can't find omr-bypass rules, restart omr-bypass...
Apr 14 00:40:10 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Apr 13 20:40:15 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:15 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:15 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:15 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:17 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:17 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:17 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:17 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:18 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:18 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:18 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:18 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:19 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:19 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory

Possible Solution

I wonder if this is related to using your sysupgrade image and you changing the code over to nftables? I would prefer not nuking my 50 rules and starting over, and frankly "save and apply" should correctly change the rules anyway.

Steps to Reproduce the Problem

  1. Change anything in OMR-bypass
  2. Save and Apply
  3. Watch as incorrect interface is used depending on what I changed

Context (Environment)

I can no longer access some websites that require a residential IP address.

Specifications

darthclide commented 7 months ago

Extra info: I just tried deleting some rules, and there was no change. It is as if it is pulling OMR-bypass data from a different location than what is configured in Luci App.

jle1511 commented 7 months ago

I'm seeing the same issues. I also have over 50 rules, and bypass won't take effect on anything. I did try a clean setup, clearing everything and just applying on/off for 1 rule only, and there is still no effect.

darthclide commented 7 months ago

Additional info: Bonding is no longer working. Not sure if this is related to this OMR-bypass issue, but all traffic is only going over Master interface.

darthclide commented 7 months ago

Additional info: Bonding is resolved by changing master interface. However, I will leave the previous comment in the off chance it is related in some way to other issues you are seeing on this version.

darthclide commented 7 months ago

Additional info: I am now wondering if I should delete this issue because now OMR-bypass seems to be working correctly, but these errors in the system log are still concerning.

darthclide commented 7 months ago

Coming here to report that although OLD rules seem to be working, NEW rules don't seem to be working. I have added all ports/domains listed under CurrPorts application to my eth1 (DSL), and yet the ping inside of that application jumps around by 50-100ms. When using my DSL connection directly through a 2nd Ethernet port in my PC, the ping stays rock solid. Unless the application is able to make connections without a port required, this should be working.

darthclide commented 7 months ago

That being said, I found some 0.0.0.0 on local address, but with no remote address or remote port? I am not an expert, but this should mean that there is nothing to "bypass" if there is no remote address or port?

darthclide commented 7 months ago

On a whim I started putting those supposedly "local only" ports into OMR-bypass, and the game is running smoothly on pure interface connection with no VPN. Although every match the port changes, I just make the port range wider to cover that port number.

This still doesn't fix those weird errors showing up in system log, so I will keep this post up as "not resolved".

darthclide commented 7 months ago

Well... Spoke too soon. Switched applications and now this one that was just working yesterday is now broken... CurrPorts shows only one connection being used by this application and it is port 443. This is set in OMR-bypass. Also getting a ray ID error in Chrome when accessing secure.runescape.com even though this is also added in the domain section of OMR-Bypass.

darthclide commented 7 months ago

Apparently runescape lists their servers with nice domain names because in the "Remote Host Name" field in the CurrPorts, I see "world104.runescape.com". And yet even with this set in OMR-Bypass, it is still not connecting over my DSL. I guess I will just keep adding comments into the void while I lose my mind over OMR-bypass working for one game, but not another. Perhaps these errors are more serious than it seems:

nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
nftset inet fw4 omr_dscp_cs2_4 Error: No such file or directory

Ysurac commented 7 months ago

Not sure if it's the best way to get help... There are many messages and only a small part of a log in the latest message, this doesn't really help... As domain you only have to put "runescape.com", all subdomains will also be bypassed. I would need the result of uci show omr-bypass via SSH on the router. Make sure that you use the OpenMPTCProuter IP as DNS on the client computer. I would need more logs.

darthclide commented 7 months ago

> Not sure if it's the best way to get help... There is many messages and only small part of a log in latest message, this doesn't really help... As domain you only have to put "runescape.com", all subdomains will be also bypassed. I would need the result of uci show omr-bypass via SSH on the router. Make sure that you use OpenMPTCProuter IP as DNS on client computer. I would need more logs.

? I attached the logs in the first post and there has been no response about it. So I shifted my comments to talk about my troubleshooting process. I never touch DNS settings on the computer, I always leave that to any router I use (in this case openmptcprouter).

Here is the result of

omr-bypass.all=interface
omr-bypass.m6replay=proto
omr-bypass.m6replay.url='m6web.fr' '6play.fr' '6cloud.fr'
omr-bypass.mycanal=proto
omr-bypass.mycanal.url='mycanal.fr' 'canal-plus.com'
omr-bypass.minecraft=proto
omr-bypass.minecraft.url='authserver.mojang.com'
omr-bypass.lesnumeriques=proto
omr-bypass.lesnumeriques.url='lesnumeriques.com' 'botscorner.com' 'app.botscorner.com'
omr-bypass.disneyplus=proto
omr-bypass.disneyplus.url='bamgrid.com' 'disney-plus.net'
omr-bypass.@domains[0]=domains
omr-bypass.@domains[0].name='irc.chat.twitch.tv'
omr-bypass.@domains[0].interface='eth1'
omr-bypass.@domains[0].enabled='0'
omr-bypass.@domains[1]=domains
omr-bypass.@domains[1].name='www.bungie.net'
omr-bypass.@domains[1].interface='eth1'
omr-bypass.@domains[2]=domains
omr-bypass.@domains[2].name='discordapp.com'
omr-bypass.@domains[2].interface='eth1'
omr-bypass.@domains[2].enabled='0'
omr-bypass.@domains[3]=domains
omr-bypass.@domains[3].name='discord.com'
omr-bypass.@domains[3].interface='eth1'
omr-bypass.@domains[3].enabled='0'
omr-bypass.@domains[4]=domains
omr-bypass.@domains[4].name='discord.gg'
omr-bypass.@domains[4].interface='eth1'
omr-bypass.@domains[4].enabled='0'
omr-bypass.@domains[5]=domains
omr-bypass.@domains[5].name='delta.com'
omr-bypass.@domains[5].interface='eth1'
omr-bypass.@ips[0]=ips
omr-bypass.@ips[0].ip='167.114.26.81'
omr-bypass.@ips[0].interface='eth1'
omr-bypass.@ips[0].note='Psyber Minecraft'
omr-bypass.@ips[0].enabled='0'
omr-bypass.@src_port[0]=src_port
omr-bypass.@src_port[0].sport='9427'
omr-bypass.@src_port[0].proto='udp'
omr-bypass.@src_port[0].note='Teamspeak'
omr-bypass.@src_port[0].interface='eth1'
omr-bypass.@src_port[0].enabled='0'
omr-bypass.@src_port[1]=src_port
omr-bypass.@src_port[1].proto='udp'
omr-bypass.@src_port[1].interface='eth1'
omr-bypass.@src_port[1].sport='27000:27031'
omr-bypass.@src_port[1].note='Steam'
omr-bypass.@src_port[2]=src_port
omr-bypass.@src_port[2].sport='3478:3480'
omr-bypass.@src_port[2].proto='udp'
omr-bypass.@src_port[2].note='Steam Voice/War Thunder'
omr-bypass.@src_port[2].interface='eth1'
omr-bypass.@src_port[3]=src_port
omr-bypass.@src_port[3].sport='4379'
omr-bypass.@src_port[3].proto='udp'
omr-bypass.@src_port[3].note='Steam Voice'
omr-bypass.@src_port[3].interface='eth1'
omr-bypass.@src_port[4]=src_port
omr-bypass.@src_port[4].sport='4380'
omr-bypass.@src_port[4].proto='udp'
omr-bypass.@src_port[4].interface='eth1'
omr-bypass.@src_port[4].note='Steam Voice'
omr-bypass.@src_port[5]=src_port
omr-bypass.@src_port[5].sport='27036'
omr-bypass.@src_port[5].proto='udp'
omr-bypass.@src_port[5].interface='eth1'
omr-bypass.@src_port[5].note='Steam'
omr-bypass.@src_port[6]=src_port
omr-bypass.@src_port[6].sport='27015:27030'
omr-bypass.@src_port[6].proto='tcp'
omr-bypass.@src_port[6].interface='eth1'
omr-bypass.@src_port[6].note='Steam'
omr-bypass.@src_port[7]=src_port
omr-bypass.@src_port[7].sport='27036:27037'
omr-bypass.@src_port[7].proto='tcp'
omr-bypass.@src_port[7].interface='eth1'
omr-bypass.@src_port[7].note='Steam'
omr-bypass.@domains[6]=domains
omr-bypass.@domains[6].interface='eth1'
omr-bypass.@domains[6].name='dailymotion.com'
omr-bypass.lo=interface
omr-bypass.lo.id='1'
omr-bypass.eth0=interface
omr-bypass.eth0.id='9999'
omr-bypass.eth1=interface
omr-bypass.eth1.id='3'
omr-bypass.usb1=interface
omr-bypass.usb1.id='6'
omr-bypass.tun0=interface
omr-bypass.tun0.id='1500'
omr-bypass.usb0=interface
omr-bypass.usb0.id='5'
omr-bypass.eth2=interface
omr-bypass.eth2.id='4'
omr-bypass.usb2=interface
omr-bypass.usb2.id='9'
omr-bypass.@src_port[8]=src_port
omr-bypass.@src_port[8].sport='5222'
omr-bypass.@src_port[8].proto='tcp'
omr-bypass.@src_port[8].interface='eth1'
omr-bypass.@src_port[8].note='War Thunder'
omr-bypass.@src_port[9]=src_port
omr-bypass.@src_port[9].sport='7850:7854'
omr-bypass.@src_port[9].proto='tcp'
omr-bypass.@src_port[9].interface='eth1'
omr-bypass.@src_port[9].note='War Thunder'
omr-bypass.@src_port[10]=src_port
omr-bypass.@src_port[10].sport='7800:7802'
omr-bypass.@src_port[10].proto='tcp'
omr-bypass.@src_port[10].interface='eth1'
omr-bypass.@src_port[10].note='War Thunder'
omr-bypass.@src_port[11]=src_port
omr-bypass.@src_port[11].sport='20000:30000'
omr-bypass.@src_port[11].proto='udp'
omr-bypass.@src_port[11].interface='eth1'
omr-bypass.@src_port[11].note='War Thunder'
omr-bypass.@domains[7]=domains
omr-bypass.@domains[7].name='cabelas.com'
omr-bypass.@domains[7].interface='eth1'
omr-bypass.@domains[8]=domains
omr-bypass.@domains[8].name='autotrader.com'
omr-bypass.@domains[8].interface='eth1'
omr-bypass.@domains[9]=domains
omr-bypass.@domains[9].name='lichess.org'
omr-bypass.@domains[9].interface='eth1'
omr-bypass.@src_port[12]=src_port
omr-bypass.@src_port[12].sport='43594:43595'
omr-bypass.@src_port[12].proto='tcp'
omr-bypass.@src_port[12].interface='eth1'
omr-bypass.@src_port[12].note='Runescape'
omr-bypass.@src_port[13]=src_port
omr-bypass.@src_port[13].sport='443'
omr-bypass.@src_port[13].proto='tcp'
omr-bypass.@src_port[13].interface='eth1'
omr-bypass.@src_port[13].note='Runescape'
omr-bypass.@src_port[13].enabled='0'
omr-bypass.tun8=interface
omr-bypass.tun8.id='13'
omr-bypass.@domains[10]=domains
omr-bypass.@domains[10].name='iforgot.apple.com'
omr-bypass.@domains[10].interface='eth1'
omr-bypass.@domains[11]=domains
omr-bypass.@domains[11].name='apple.com'
omr-bypass.@domains[11].interface='eth1'
omr-bypass.@domains[12]=domains
omr-bypass.@domains[12].name='appleid.apple.com'
omr-bypass.@domains[12].interface='eth1'
omr-bypass.eth3=interface
omr-bypass.eth3.id='7'
omr-bypass.@domains[13]=domains
omr-bypass.@domains[13].name='vivid.mcs.cx'
omr-bypass.@domains[13].interface='eth1'
omr-bypass.@domains[13].note='Sim'\''s Server'
omr-bypass.@domains[14]=domains
omr-bypass.@domains[14].name='ts22.gameservers.com'
omr-bypass.@domains[14].interface='eth1'
omr-bypass.@domains[14].note='Teamspeak Server'
omr-bypass.@domains[14].enabled='0'
omr-bypass.amazonvideo=proto
omr-bypass.amazonvideo.url='cloudfront.net' 'llnw.net'
omr-bypass.wgWAN4=interface
omr-bypass.wgWAN4.id='13'
omr-bypass.@src_port[14]=src_port
omr-bypass.@src_port[14].sport='3478:3480'
omr-bypass.@src_port[14].proto='tcp'
omr-bypass.@src_port[14].interface='eth1'
omr-bypass.@src_port[14].note='CSGO'
omr-bypass.@src_port[15]=src_port
omr-bypass.@src_port[15].sport='5223'
omr-bypass.@src_port[15].proto='tcp'
omr-bypass.@src_port[15].interface='eth1'
omr-bypass.@src_port[15].note='CSGO'
omr-bypass.@src_port[16]=src_port
omr-bypass.@src_port[16].sport='8080'
omr-bypass.@src_port[16].proto='tcp'
omr-bypass.@src_port[16].interface='eth1'
omr-bypass.@src_port[16].note='CSGO'
omr-bypass.@src_port[17]=src_port
omr-bypass.@src_port[17].sport='3074'
omr-bypass.@src_port[17].interface='eth1'
omr-bypass.@src_port[17].note='CSGO'
omr-bypass.@src_port[17].proto='udp'
omr-bypass.@src_port[18]=src_port
omr-bypass.@src_port[18].sport='3658'
omr-bypass.@src_port[18].proto='udp'
omr-bypass.@src_port[18].interface='eth1'
omr-bypass.@src_port[18].note='CSGO'
omr-bypass.@src_port[19]=src_port
omr-bypass.@src_port[19].sport='88'
omr-bypass.@src_port[19].proto='udp'
omr-bypass.@src_port[19].interface='eth1'
omr-bypass.@src_port[19].note='CSGO'
omr-bypass.@src_port[20]=src_port
omr-bypass.@src_port[20].sport='3074'
omr-bypass.@src_port[20].proto='tcp'
omr-bypass.@src_port[20].interface='eth1'
omr-bypass.@src_port[20].note='CSGO'
omr-bypass.@src_port[21]=src_port
omr-bypass.@src_port[21].sport='50969:50970'
omr-bypass.@src_port[21].proto='udp'
omr-bypass.@src_port[21].interface='eth1'
omr-bypass.@src_port[21].note='CSGO'
omr-bypass.@domains[15]=domains
omr-bypass.@domains[15].name='removed for posting on github issues to not reveal friend's home IP address'
omr-bypass.@domains[15].interface='eth1'
omr-bypass.@domains[15].note='Sim Server'
omr-bypass.@src_port[22]=src_port
omr-bypass.@src_port[22].sport='25566'
omr-bypass.@src_port[22].proto='tcp'
omr-bypass.@src_port[22].interface='eth1'
omr-bypass.@src_port[22].note='Sim Server'
omr-bypass.@src_port[23]=src_port
omr-bypass.@src_port[23].sport='25565'
omr-bypass.@src_port[23].proto='tcp'
omr-bypass.@src_port[23].interface='eth1'
omr-bypass.@src_port[23].note='Sim Server'
omr-bypass.@src_port[24]=src_port
omr-bypass.@src_port[24].sport='19132'
omr-bypass.@src_port[24].proto='udp'
omr-bypass.@src_port[24].interface='eth1'
omr-bypass.@src_port[24].note='Sim Server'
omr-bypass.@domains[16]=domains
omr-bypass.@domains[16].interface='eth1'
omr-bypass.@domains[16].name='world104.runescape.com'
omr-bypass.@domains[16].family='ipv4ipv6'
omr-bypass.@domains[17]=domains
omr-bypass.@domains[17].name='prnt.sc'
omr-bypass.@domains[17].interface='eth1'
omr-bypass.@domains[18]=domains
omr-bypass.@domains[18].name='prntscr.com'
omr-bypass.@domains[18].interface='eth1'
omr-bypass.@domains[19]=domains
omr-bypass.@domains[19].name='menards.com'
omr-bypass.@domains[19].interface='eth1'
omr-bypass.@domains[20]=domains
omr-bypass.@domains[20].name='evga.com'
omr-bypass.@domains[20].interface='eth1'
omr-bypass.@src_port[25]=src_port
omr-bypass.@src_port[25].proto='tcp'
omr-bypass.@src_port[25].interface='eth1'
omr-bypass.@src_port[25].note='War Thunder'
omr-bypass.@src_port[25].sport='8966'
omr-bypass.@src_port[26]=src_port
omr-bypass.@src_port[26].proto='tcp'
omr-bypass.@src_port[26].interface='eth1'
omr-bypass.@src_port[26].note='War Thunder'
omr-bypass.@src_port[26].sport='8965'
omr-bypass.tun3=interface
omr-bypass.tun3.id='15'
omr-bypass.@domains[21]=domains
omr-bypass.@domains[21].name='reddit.com'
omr-bypass.@domains[21].interface='eth1'
omr-bypass.@domains[22]=domains
omr-bypass.@domains[22].name='jagex.com'
omr-bypass.@domains[22].interface='eth1'
omr-bypass.@domains[23]=domains
omr-bypass.@domains[23].name='bing.com'
omr-bypass.@domains[23].interface='eth1'
omr-bypass.@domains[24]=domains
omr-bypass.@domains[24].name='vitacost.com'
omr-bypass.@domains[24].interface='eth1'
omr-bypass.@domains[25]=domains
omr-bypass.@domains[25].name='amazonvideo.com'
omr-bypass.@domains[25].interface='eth1'
omr-bypass.@domains[26]=domains
omr-bypass.@domains[26].name='primevideo.com'
omr-bypass.@domains[26].interface='eth1'
omr-bypass.@domains[27]=domains
omr-bypass.@domains[27].name='amazon.com'
omr-bypass.@domains[27].interface='eth1'
omr-bypass.@domains[28]=domains
omr-bypass.@domains[28].name='twitter.com'
omr-bypass.@domains[28].interface='eth1'
omr-bypass.@domains[29]=domains
omr-bypass.@domains[29].name='lufthansa.com'
omr-bypass.@domains[29].interface='eth1'
omr-bypass.@domains[30]=domains
omr-bypass.@domains[30].name='openai.com'
omr-bypass.@domains[30].interface='eth1'
omr-bypass.@domains[31]=domains
omr-bypass.@domains[31].name='imgur.com'
omr-bypass.@domains[31].interface='eth1'
omr-bypass.@domains[32]=domains
omr-bypass.@domains[32].name='instagram.com'
omr-bypass.@domains[32].interface='eth1'
omr-bypass.@domains[33]=domains
omr-bypass.@domains[33].name='runeapps.org'
omr-bypass.@domains[33].interface='eth1'
omr-bypass.@domains[34]=domains
omr-bypass.@domains[34].name='revenueuniverse.com'
omr-bypass.@domains[34].interface='eth1'
omr-bypass.free=proto
omr-bypass.free.url='free.fr' 'freebox.fr' 'oqee.tv' 'oqee.net'
omr-bypass.orange=proto
omr-bypass.orange.url='orange.fr' 'sosh.fr' 'liveperson.net' 'liveperson.com' 'lpsn.net' 'lpsnmedia.net' 'francetelecom.fr'
omr-bypass.global=global
omr-bypass.global.vpn_ipv4_md5='68b329da9893e34099c7d8ad5cb9c940'
omr-bypass.global.vpn_ipv6_md5='68b329da9893e34099c7d8ad5cb9c940'
omr-bypass.@domains[35]=domains
omr-bypass.@domains[35].name='amazonaws.com'
omr-bypass.@domains[35].interface='eth1'
omr-bypass.@domains[35].note='War Thunder'
omr-bypass.@domains[35].family='ipv4ipv6'
omr-bypass.@src_port[27]=src_port
omr-bypass.@src_port[27].sport='16172'
omr-bypass.@src_port[27].proto='udp'
omr-bypass.@src_port[27].interface='eth1'
omr-bypass.@src_port[27].note='War Thunder'
omr-bypass.@src_port[28]=src_port
omr-bypass.@src_port[28].sport='80'
omr-bypass.@src_port[28].proto='tcp'
omr-bypass.@src_port[28].interface='eth1'
omr-bypass.@src_port[28].note='War Thunder'
omr-bypass.@src_port[28].enabled='0'
omr-bypass.@src_port[29]=src_port
omr-bypass.@src_port[29].sport='8111'
omr-bypass.@src_port[29].proto='tcp'
omr-bypass.@src_port[29].interface='eth1'
omr-bypass.@src_port[29].note='War Thunder Test'
omr-bypass.@src_port[30]=src_port
omr-bypass.@src_port[30].sport='50000:64000'
omr-bypass.@src_port[30].proto='udp'
omr-bypass.@src_port[30].interface='eth1'
omr-bypass.@src_port[30].note='War Thunder Test'
omr-bypass.@src_port[30].enabled='0'
omr-bypass.@src_port[31]=src_port
omr-bypass.@src_port[31].sport='1910'
omr-bypass.@src_port[31].proto='tcp'
omr-bypass.@src_port[31].interface='eth1'
omr-bypass.@src_port[31].note='War Thunder Test'

darthclide commented 7 months ago

Before my changes for War Thunder yesterday, runescape.com was working just fine. Like you said, it should cover all subdomains. Since then I have been trying everything to get this to work.

Ysurac commented 7 months ago

Many bypass of source port, not so used in most cases. What is the result of /etc/init.d/omr-bypass restart and /etc/init.d/firewall restart (this one should be verbose and should help to find some errors)?

darthclide commented 7 months ago

Result of /etc/init.d/omr-bypass restart image

Result of /etc/init.d/firewall restart

Section @defaults[0] option 'disable_ipv6' is not supported by fw4
Section zone_lan (lan) fullcone in defaults not enabled, ignore zone fullcone settings
Section zone_wan (wan) fullcone in defaults not enabled, ignore zone fullcone settings
Section zone_vpn (vpn) fullcone in defaults not enabled, ignore zone fullcone settings
Section @rule[0] (Deny Twitch DSL) is disabled, ignoring section
Section @rule[8] (Support-UDP-Traceroute) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstip_4 (omr_dst_bypass_eth0_rule) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstip_4_accept (omr_dst_bypass_eth0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcip_4 (omr_dst_bypass_eth0_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth0_mac_4 (omr_dst_bypass_eth0_mac) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_tcp_4 (omr_dst_bypass_eth0_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_udp_4 (omr_dst_bypass_eth0_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_tcp_4 (omr_dst_bypass_eth0_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_udp_4 (omr_dst_bypass_eth0_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth1_dstip_4_accept (omr_dst_bypass_eth1_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth1_srcip_4 (omr_dst_bypass_eth1_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth1_mac_4 (omr_dst_bypass_eth1_mac) is disabled, ignoring section
Section omr_dst_bypass_eth1_dstport_tcp_4 (omr_dst_bypass_eth1_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth1_dstport_udp_4 (omr_dst_bypass_eth1_dstport) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4 (omr_dst_bypass_tun0_rule) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4_accept (omr_dst_bypass_tun0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcip_4 (omr_dst_bypass_tun0_srcip) is disabled, ignoring section
Section omr_dst_bypass_tun0_mac_4 (omr_dst_bypass_tun0_mac) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_tcp_4 (omr_dst_bypass_tun0_srcport) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_udp_4 (omr_dst_bypass_tun0_srcport) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_tcp_4 (omr_dst_bypass_tun0_dstport) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_udp_4 (omr_dst_bypass_tun0_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth2_dstip_4 (omr_dst_bypass_eth2_rule) is disabled, ignoring section
Section omr_dst_bypass_eth2_dstip_4_accept (omr_dst_bypass_eth2_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth2_srcip_4 (omr_dst_bypass_eth2_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth2_mac_4 (omr_dst_bypass_eth2_mac) is disabled, ignoring section
Section omr_dst_bypass_eth2_srcport_tcp_4 (omr_dst_bypass_eth2_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth2_srcport_udp_4 (omr_dst_bypass_eth2_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth2_dstport_tcp_4 (omr_dst_bypass_eth2_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth2_dstport_udp_4 (omr_dst_bypass_eth2_dstport) is disabled, ignoring section
Section omr_dst_bypass_usb0_dstip_4 (omr_dst_bypass_usb0_rule) is disabled, ignoring section
Section omr_dst_bypass_usb0_dstip_4_accept (omr_dst_bypass_usb0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_usb0_srcip_4 (omr_dst_bypass_usb0_srcip) is disabled, ignoring section
Section omr_dst_bypass_usb0_mac_4 (omr_dst_bypass_usb0_mac) is disabled, ignoring section
Section omr_dst_bypass_usb0_srcport_tcp_4 (omr_dst_bypass_usb0_srcport) is disabled, ignoring section
Section omr_dst_bypass_usb0_srcport_udp_4 (omr_dst_bypass_usb0_srcport) is disabled, ignoring section
Section omr_dst_bypass_usb0_dstport_tcp_4 (omr_dst_bypass_usb0_dstport) is disabled, ignoring section
Section omr_dst_bypass_usb0_dstport_udp_4 (omr_dst_bypass_usb0_dstport) is disabled, ignoring section
Section omr_dst_bypass_usb1_dstip_4 (omr_dst_bypass_usb1_rule) is disabled, ignoring section
Section omr_dst_bypass_usb1_dstip_4_accept (omr_dst_bypass_usb1_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_usb1_srcip_4 (omr_dst_bypass_usb1_srcip) is disabled, ignoring section
Section omr_dst_bypass_usb1_mac_4 (omr_dst_bypass_usb1_mac) is disabled, ignoring section
Section omr_dst_bypass_usb1_srcport_tcp_4 (omr_dst_bypass_usb1_srcport) is disabled, ignoring section
Section omr_dst_bypass_usb1_srcport_udp_4 (omr_dst_bypass_usb1_srcport) is disabled, ignoring section
Section omr_dst_bypass_usb1_dstport_tcp_4 (omr_dst_bypass_usb1_dstport) is disabled, ignoring section
Section omr_dst_bypass_usb1_dstport_udp_4 (omr_dst_bypass_usb1_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth3_dstip_4 (omr_dst_bypass_eth3_rule) is disabled, ignoring section
Section omr_dst_bypass_eth3_dstip_4_accept (omr_dst_bypass_eth3_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth3_srcip_4 (omr_dst_bypass_eth3_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth3_mac_4 (omr_dst_bypass_eth3_mac) is disabled, ignoring section
Section omr_dst_bypass_eth3_srcport_tcp_4 (omr_dst_bypass_eth3_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth3_srcport_udp_4 (omr_dst_bypass_eth3_srcport) is disabled, ignoring section
Section omr_dst_bypass_eth3_dstport_tcp_4 (omr_dst_bypass_eth3_dstport) is disabled, ignoring section
Section omr_dst_bypass_eth3_dstport_udp_4 (omr_dst_bypass_eth3_dstport) is disabled, ignoring section
Section omr_dst_bypass_all_dstip_4 (omr_dst_bypass_all_rule) is disabled, ignoring section
Section omr_dst_bypass_all_dstip_4_accept (omr_dst_bypass_all_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_all_srcip_4 (omr_dst_bypass_all_srcip) is disabled, ignoring section
Section omr_dst_bypass_all_mac_4 (omr_dst_bypass_all_mac) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_tcp_4 (omr_dst_bypass_all_srcport) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_udp_4 (omr_dst_bypass_all_srcport) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_tcp_4 (omr_dst_bypass_all_dstport) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_udp_4 (omr_dst_bypass_all_dstport) is disabled, ignoring section
Section @redirect[0] (SRT) is disabled, ignoring section
Section @redirect[1] (Nginx) is disabled, ignoring section
Section @redirect[2] (Websocket) is disabled, ignoring section
Section @redirect[3] (SoundWire) is disabled, ignoring section
Section @redirect[4] (Torrent) is disabled, ignoring section
Section @include[0] option 'reload' is not supported by fw4
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
Section omr_server option 'reload' is not supported by fw4
Section gre_tunnel option 'reload' is not supported by fw4
Section omr_bypass option 'reload' is not supported by fw4
Section ttl option 'reload' is not supported by fw4
Section miniupnpd option 'family' is not supported by fw4
Section miniupnpd option 'reload' is not supported by fw4
Section miniupnpd specifies unreachable path '/usr/share/miniupnpd/firewall.include', ignoring section
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'
# Warning: table ip6 mangle is managed by iptables-nft, do not touch!
# Warning: table ip mangle is managed by iptables-nft, do not touch!

darthclide commented 7 months ago

Ping results from OMR router to specific runescape world: image

Ping results from OMR router using my eth1 (DSL) interface. That you can see is set in my OMR-bypass with "runescape.com": image

Ysurac commented 7 months ago

I would need nft list ruleset
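
An added example, not part of the thread or of OpenMPTCProuter's own code: one way to cross-check the `dnsmasq ... nftset ... Error` lines from the system log against the sets actually declared in a saved `nft list ruleset` dump. The function names are hypothetical, and the sample log and ruleset are constructed in the format shown on this page.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reports which nft sets named in
# dnsmasq "nftset ... Error" log lines are absent from a ruleset dump.

# sets_in_errors LOGFILE
# Prints unique "family table set" triples taken from dnsmasq nftset errors.
sets_in_errors() {
    awk '
        /dnsmasq\[[0-9]+\]: nftset / && /Error:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "nftset") { print $(i+1), $(i+2), $(i+3); break }
        }' "$1" | LC_ALL=C sort -u
}

# sets_in_ruleset RULESETFILE
# Prints unique "family table set" triples for every set the dump declares.
sets_in_ruleset() {
    awk '
        $1 == "table"              { family = $2; table = $3 }
        $1 == "set" && $3 == "{"   { print family, table, $2 }
    ' "$1" | LC_ALL=C sort -u
}

# missing_sets LOGFILE RULESETFILE
# Prints sets that appear in the errors but not in the ruleset dump.
missing_sets() {
    errs=$(mktemp)
    have=$(mktemp)
    sets_in_errors "$1" > "$errs"
    sets_in_ruleset "$2" > "$have"
    LC_ALL=C comm -23 "$errs" "$have"
    rm -f "$errs" "$have"
}

# demo: run the check on constructed sample input.
demo() {
    dir=$(mktemp -d)
    # Constructed log lines, same shape as the ones quoted in this issue.
    cat > "$dir/syslog.txt" <<'EOF'
Apr 14 00:40:10 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Apr 13 20:40:15 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:16 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth1_4 Error: No such file or directory
Apr 13 20:40:17 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dscp_cs2_4 Error: No such file or directory
EOF
    # Constructed ruleset dump: omr_dscp_cs2_4 is declared here, so its
    # logged error predates the dump; omr_dst_bypass_eth1_4 is not declared.
    cat > "$dir/ruleset.txt" <<'EOF'
table ip mangle {
	chain omr-bypass-dpi {
	}
}
table inet fw4 {
	set omr_dscp_cs0_4 {
		type ipv4_addr
	}
	set omr_dscp_cs1_4 {
		type ipv4_addr
	}
	set omr_dscp_cs2_4 {
		type ipv4_addr
	}
}
EOF
    missing_sets "$dir/syslog.txt" "$dir/ruleset.txt"
    rm -rf "$dir"
}

demo
```

On the router the two inputs would be saved from `logread` and `nft list ruleset`; a set listed by `missing_sets` is one dnsmasq is still configured to fill but that the loaded ruleset does not declare.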

darthclide commented 7 months ago

# Warning: table ip6 mangle is managed by iptables-nft, do not touch!
table ip6 mangle {
    chain PREROUTING {
            type filter hook prerouting priority mangle; policy accept;
            iifname "vtun*" meta l4proto tcp counter packets 0 bytes 0 xt target "MARK"
            iifname "eth1" xt match "dscp" counter packets 0 bytes 0 xt target "DSCP"
    }

    chain INPUT {
            type filter hook input priority mangle; policy accept;
    }

    chain FORWARD {
            type filter hook forward priority mangle; policy accept;
    }

    chain OUTPUT {
            type route hook output priority mangle; policy accept;
            meta l4proto udp xt match "multiport" counter packets 816 bytes 85807 xt target "DSCP"
    }

    chain POSTROUTING {
            type filter hook postrouting priority mangle; policy accept;
            oifname "eth1" meta mark & 0x000000ff == 0x00000000 counter packets 0 bytes 0 goto QOS_MARK_eth1
    }

    chain QOS_MARK_eth1 {
            counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "tos" counter packets 0 bytes 0 xt target "MARK"
    }

}

# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
    chain PREROUTING {
            type filter hook prerouting priority mangle; policy accept;
            iifname "vtun*" meta l4proto tcp counter packets 0 bytes 0 xt target "MARK"
            iifname "eth1" xt match "dscp" counter packets 4051260 bytes 4623327306 xt target "DSCP"
    }

    chain INPUT {
            type filter hook input priority mangle; policy accept;
            counter packets 718059 bytes 798380720 jump omr-bypass-dpi
    }

    chain FORWARD {
            type filter hook forward priority mangle; policy accept;
            counter packets 697279 bytes 720679728 jump omr-bypass-dpi
    }

    chain OUTPUT {
            type route hook output priority mangle; policy accept;
            meta l4proto udp xt match "multiport" counter packets 59551 bytes 6449910 xt target "DSCP"
    }

    chain POSTROUTING {
            type filter hook postrouting priority mangle; policy accept;
            oifname "usb1" counter packets 1919659 bytes 211653513 xt target "TTL"
            oifname "eth1" meta mark & 0x000000ff == 0x00000000 counter packets 968208 bytes 232105709 goto QOS_MARK_eth1
    }

    chain QOS_MARK_eth1 {
            counter packets 968208 bytes 232105709 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 1517 bytes 193181 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "dscp" counter packets 0 bytes 0 xt target "MARK"
            xt match "tos" counter packets 0 bytes 0 xt target "MARK"
    }

    chain omr-bypass-dpi {
    }

}

table inet fw4 {
    ct helper amanda {
            type "amanda" protocol udp
            l3proto inet
    }

    ct helper ftp {
            type "ftp" protocol tcp
            l3proto inet
    }

    ct helper RAS {
            type "RAS" protocol udp
            l3proto inet
    }

    ct helper Q.931 {
            type "Q.931" protocol tcp
            l3proto inet
    }

    ct helper irc {
            type "irc" protocol tcp
            l3proto ip
    }

    ct helper pptp {
            type "pptp" protocol tcp
            l3proto ip
    }

    ct helper sip {
            type "sip" protocol udp
            l3proto inet
    }

    ct helper snmp {
            type "snmp" protocol udp
            l3proto ip
    }

    ct helper tftp {
            type "tftp" protocol udp
            l3proto inet
    }

    set omr_dscp_cs0_4 {
            type ipv4_addr
    }

    set omr_dscp_cs1_4 {
            type ipv4_addr
            elements = { 23.63.78.171, 23.63.78.195,
                         23.63.78.201, 34.104.35.123,
                         142.250.191.206, 146.75.82.172 }
    }

    set omr_dscp_cs2_4 {
            type ipv4_addr
            elements = { 23.32.45.6, 23.32.45.36,
                         142.250.190.14, 142.250.190.46,
                         142.250.190.69, 142.250.190.78,
                         142.250.190.106, 142.250.190.110,
                         142.250.190.131, 142.250.190.132,
                         142.250.190.138, 142.250.190.142,
                         142.250.191.106, 142.250.191.110,
                         142.250.191.138, 142.250.191.142,
                         142.250.191.170, 142.250.191.174,
                         142.250.191.202, 142.250.191.206,
                         142.250.191.214, 142.250.191.234,
                         142.250.191.238, 142.251.32.1,
                         142.251.32.10, 142.251.32.14,
                         157.240.254.61, 172.217.0.170,
                         172.217.0.174, 172.217.1.110,
                         172.217.2.46, 172.217.4.42,
                         172.217.4.78, 172.217.4.200,
                         172.217.5.10, 172.217.5.14,
                         173.194.196.84, 173.194.197.84,
                         216.239.36.147 }
    }

    set omr_dscp_cs3_4 {
            type ipv4_addr
    }

    set omr_dscp_cs4_4 {
            type ipv4_addr
            elements = { 74.125.156.10, 142.250.190.142,
                         172.217.129.8, 173.194.191.42 }
    }

    set omr_dscp_cs5_4 {
            type ipv4_addr
    }

    set omr_dscp_cs6_4 {
            type ipv4_addr
    }

    set omr_dscp_cs7_4 {
            type ipv4_addr
    }

    set omr_dscp_ef_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth0_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth0_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_eth1_4 {
            type ipv4_addr
            elements = { 3.5.20.215, 3.5.25.109,
                         3.5.27.135, 3.5.28.46,
                         8.26.16.141, 8.26.16.145,
                         8.26.16.156, 8.26.16.157,
                         8.26.16.159, 8.26.16.160,
                         8.26.16.161, 8.26.16.162,
                         8.26.16.168, 8.26.16.178,
                         8.26.16.179, 8.26.16.181,
                         8.26.16.182, 8.26.16.183,
                         8.26.16.184, 8.26.16.185,
                         8.26.16.186, 8.26.16.188,
                         8.26.41.134, 8.26.41.162,
                         8.26.41.163, 8.26.41.164,
                         8.26.41.165, 8.26.41.166,
                         8.26.41.168, 8.26.41.170,
                         8.26.41.171, 8.26.41.173,
                         8.26.41.176, 8.26.41.177,
                         8.26.41.178, 8.26.41.179,
                         8.26.41.180, 8.26.41.184,
                         8.26.41.185, 8.26.41.186,
                         8.26.41.187, 8.26.41.188,
                         8.42.17.196, 8.42.17.197,
                         8.42.17.198, 8.42.17.200,
                         8.42.17.201, 8.42.17.202,
                         8.42.17.203, 8.42.17.204,
                         8.42.17.205, 8.42.17.206,
                         8.42.17.207, 8.42.17.208,
                         8.42.17.209, 8.42.17.211,
                         8.42.17.212, 8.42.17.213,
                         8.42.17.214, 8.42.17.215,
                         8.42.17.216, 8.42.17.217,
                         8.42.17.218, 8.42.17.219,
                         8.42.17.220, 8.42.17.221,
                         8.42.17.222, 8.42.17.223,
                         8.42.17.225, 8.42.17.226,
                         8.42.17.227, 8.42.17.228,
                         8.42.17.236, 8.42.17.244,
                         8.42.17.245, 8.42.17.246,
                         8.42.17.247, 13.107.21.200,
                         13.107.213.51, 13.107.246.51,
                         17.32.194.5, 17.32.194.6,
                         17.32.194.36, 17.32.194.37,
                         17.253.144.10, 20.101.251.232,
                         23.32.45.4, 23.32.45.16,
                         23.63.167.90, 23.212.8.226,
                         23.215.11.229, 23.215.11.237,
                         37.187.205.99, 52.16.172.26,
                         52.17.164.214, 52.84.125.20,
                         52.84.125.59, 52.84.125.75,
                         52.84.125.97, 52.94.236.248,
                         52.216.36.89, 52.217.234.129,
                         54.231.163.89, 54.231.166.113,
                         54.239.28.85, 54.246.201.164,
                         72.21.206.80, 72.21.210.29,
                         81.31.201.9, 81.31.201.21,
                         81.31.201.23, 81.31.201.24,
                         81.31.201.25, 81.31.201.28,
                         81.31.201.29, 81.31.201.30,
                         81.31.201.31, 81.31.201.34,
                         81.31.201.35, 81.31.201.36,
                         81.31.201.37, 81.31.201.38,
                         81.31.201.39, 81.31.201.40,
                         81.31.201.41, 81.31.201.42,
                         81.31.201.43, 81.31.201.45,
                         81.31.201.46, 81.31.201.47,
                         81.31.201.48, 81.31.201.49,
                         81.31.201.50, 81.31.201.51,
                         81.31.201.52, 81.31.201.53,
                         81.31.201.54, 81.31.201.55,
                         81.31.201.57, 81.31.201.58,
                         81.31.203.21, 81.31.203.22,
                         81.31.203.23, 81.31.203.24,
                         81.31.203.31, 81.31.203.32,
                         81.31.203.33, 81.31.203.34,
                         81.31.203.35, 81.31.203.41,
                         81.31.203.42, 81.31.203.43,
                         81.31.203.44, 81.31.203.51,
                         81.31.203.53, 81.31.203.54,
                         81.31.203.119, 81.31.203.122,
                         91.235.140.148, 103.124.186.132,
                         103.124.186.133, 103.124.186.134,
                         103.124.186.135, 103.124.186.136,
                         103.124.186.137, 103.124.186.138,
                         103.124.186.139, 103.124.186.140,
                         103.124.186.141, 104.17.136.96,
                         104.18.40.92, 104.18.119.96,
                         104.23.139.12, 104.23.140.12,
                         104.26.14.80, 104.26.15.80,
                         104.244.42.193, 143.198.129.192,
                         149.202.93.88, 151.101.1.140,
                         151.101.65.140, 151.101.129.140,
                         151.101.193.140, 157.240.254.174,
                         172.64.147.164, 172.67.72.27,
                         173.198.58.32, 188.166.73.141,
                         195.8.215.136, 199.83.132.109,
                         199.83.134.109, 199.232.196.193,
                         204.74.99.103, 204.79.197.200,
                         205.251.242.103, 207.171.166.22 }
    }

    set omr_dst_bypass_eth1_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_tun0_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_tun0_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_eth2_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth2_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_usb0_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_usb0_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_usb1_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_usb1_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_eth3_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_eth3_6 {
            type ipv6_addr
    }

    set omr_dst_bypass_all_4 {
            type ipv4_addr
    }

    set omr_dst_bypass_all_6 {
            type ipv6_addr
    }

    set ss_rules_src_bypass {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_bypass {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_src_forward {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_forward {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_src_checkdst {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_src_checkdst {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_remote_servers {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 149.28.122.251 }
    }

    set ss_rules6_remote_servers {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_bypass {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_bypass {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_bypass_ {
            type ipv4_addr
            flags interval
            auto-merge
            elements = { 0.0.0.0/8, 10.0.0.0/8,
                         100.64.0.0/10, 127.0.0.0/8,
                         169.254.0.0/16, 172.16.0.0/12,
                         192.0.0.0/24, 192.0.2.0/24,
                         192.31.196.0/24, 192.52.193.0/24,
                         192.88.99.0/24, 192.168.0.0/16,
                         192.175.48.0/24, 198.18.0.0/15,
                         198.51.100.0/24, 203.0.113.0/24,
                         224.0.0.0/3 }
    }

    set ss_rules6_dst_bypass_ {
            type ipv6_addr
            flags interval
            auto-merge
            elements = { ::/127,
                         ::ffff:0.0.0.0/96,
                         64:ff9b:1::/48,
                         100::/64,
                         2001::/23,
                         fc00::/7,
                         fe80::/10 }
    }

    set ss_rules_dst_forward {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_forward {
            type ipv6_addr
            flags interval
            auto-merge
    }

    set ss_rules_dst_forward_rrst_ {
            type ipv4_addr
            flags interval
            auto-merge
    }

    set ss_rules6_dst_forward_rrst_ {
            type ipv6_addr
            flags interval
            auto-merge
    }

    chain ss_rules_pre_tcp {
            type nat hook prerouting priority filter + 1; policy accept;
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x00045397 accept
            ip daddr @omr_dst_bypass_eth3_4 accept
            meta mark 0x00045396 accept
            ip daddr @omr_dst_bypass_usb1_4 accept
            meta mark 0x00045395 accept
            ip daddr @omr_dst_bypass_usb0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta l4proto tcp goto ss_rules_pre_src_tcp
    }

    chain ss_rules_pre_src_tcp {
            ip daddr @ss_rules_dst_bypass_ accept
            ip6 daddr @ss_rules6_dst_bypass_ accept
            goto ss_rules_src_tcp
    }

    chain ss_rules_src_tcp {
            ip saddr @ss_rules_src_bypass accept
            ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
            ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
            ip6 saddr @ss_rules6_src_bypass accept
            ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
            ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
            goto ss_rules_forward_tcp
    }

    chain ss_rules_dst_tcp {
            ip daddr @ss_rules_dst_bypass accept
            ip daddr @ss_rules_remote_servers accept
            ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
            ip6 daddr @ss_rules6_dst_bypass accept
            ip6 daddr @ss_rules6_remote_servers accept
            ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
            goto ss_rules_forward_tcp
    }

    chain ss_rules_forward_tcp {
            meta l4proto tcp redirect to :1100-1101
    }

    chain ss_rules_local_out {
            type nat hook output priority filter - 1; policy accept;
            meta mark 0x00004539 accept
            ip daddr @omr_dst_bypass_all_4 accept
            meta mark 0x00045397 accept
            ip daddr @omr_dst_bypass_eth3_4 accept
            meta mark 0x00045396 accept
            ip daddr @omr_dst_bypass_usb1_4 accept
            meta mark 0x00045395 accept
            ip daddr @omr_dst_bypass_usb0_4 accept
            meta mark 0x00045394 accept
            ip daddr @omr_dst_bypass_eth2_4 accept
            meta mark 0x45391500 accept
            ip daddr @omr_dst_bypass_tun0_4 accept
            meta mark 0x00045393 accept
            ip daddr @omr_dst_bypass_eth1_4 accept
            meta mark 0x45399999 accept
            ip daddr @omr_dst_bypass_eth0_4 accept
            meta l4proto != tcp accept
            ip daddr @ss_rules_remote_servers accept
            ip daddr @ss_rules_dst_bypass_ accept
            ip daddr @ss_rules_dst_bypass accept
            ip6 daddr @ss_rules6_remote_servers accept
            ip6 daddr @ss_rules6_dst_bypass_ accept
            ip6 daddr @ss_rules6_dst_bypass accept
            goto ss_rules_forward_tcp
    }

    chain input {
            type filter hook input priority filter; policy drop;
            iif "lo" accept comment "!fw4: Accept traffic from loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
            tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
            iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
            iifname { "usb0", "usb1", "eth1", "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
            iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
            jump handle_reject
    }

    chain forward {
            type filter hook forward priority filter; policy drop;
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
            icmp type echo-request counter packets 136 bytes 3840 accept comment "!fw4: Allow-All-Ping"
            icmpv6 type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
            udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
            iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
            iifname { "usb0", "usb1", "eth1", "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
            iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
            jump upnp_forward comment "Hook into miniupnpd forwarding chain"
            jump handle_reject
    }

    chain output {
            type filter hook output priority filter; policy drop;
            oif "lo" accept comment "!fw4: Accept traffic towards loopback"
            ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
            oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
            oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
            oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
            jump handle_reject
    }

    chain prerouting {
            type filter hook prerouting priority filter; policy accept;
            icmp type echo-request counter packets 1146 bytes 45448 accept comment "!fw4: Allow-All-Ping"
            icmpv6 type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
            udp dport 443 counter packets 134 bytes 171252 drop comment "!fw4: Block QUIC All"
            meta l4proto tcp counter packets 697140 bytes 779203994 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            meta l4proto udp counter packets 681075 bytes 703256851 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            meta l4proto tcp counter packets 697140 bytes 779203994 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            meta l4proto udp counter packets 681075 bytes 703256851 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
            jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
            iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
            meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
    }

    chain handle_reject {
            meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
            reject comment "!fw4: Reject any other traffic"
    }

    chain syn_flood {
            limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
            drop comment "!fw4: Drop excess packets"
    }

    chain input_lan {
            icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: ICMPv6-Lan-to-OMR"
            udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump accept_from_lan
    }

    chain output_lan {
            jump accept_to_lan
    }

    chain forward_lan {
            meta l4proto tcp counter packets 24 bytes 1164 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            meta l4proto udp counter packets 43 bytes 4478 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
            meta l4proto tcp counter packets 13 bytes 676 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            meta l4proto udp counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
            jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
            jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump accept_to_lan
    }

    chain helper_lan {
            udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
            tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
            udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
            tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
            meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
            meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
            udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
            meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
            udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
    }

    chain accept_from_lan {
            iifname "eth0" counter packets 1295 bytes 81331 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain accept_to_lan {
            oifname "eth0" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
    }

    chain input_wan {
            meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
            icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
            meta nfproto ipv4 meta l4proto igmp counter packets 9 bytes 324 accept comment "!fw4: Allow-IGMP"
            ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
            ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
            icmpv6 type { nd-router-solicit, nd-router-advert } counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
            icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
            meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
            meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump reject_from_wan
    }

    chain output_wan {
            jump accept_to_wan
    }

    chain forward_wan {
            meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
            udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump reject_to_wan
    }

    chain accept_to_wan {
            meta nfproto ipv4 oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } ct state invalid counter packets 6 bytes 384 drop comment "!fw4: Prevent NAT leakage"
            oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } counter packets 7336 bytes 568932 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
    }

    chain reject_from_wan {
            iifname { "usb0", "usb1", "eth1", "eth2", "eth3" } counter packets 26 bytes 2028 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain reject_to_wan {
            oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
    }

    chain input_vpn {
            meta l4proto { icmp, ipv6-icmp } counter packets 78 bytes 6552 accept comment "!fw4: Allow-VPN-ICMP"
            meta nfproto ipv4 udp dport 67 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Request-VPN"
            ct status dnat accept comment "!fw4: Accept port redirections"
            jump reject_from_vpn
    }

    chain output_vpn {
            jump accept_to_vpn
    }

    chain forward_vpn {
            ct status dnat accept comment "!fw4: Accept port forwards"
            jump accept_to_vpn
    }

    chain accept_to_vpn {
            meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 11 bytes 488 drop comment "!fw4: Prevent NAT leakage"
            oifname "tun0" counter packets 1639 bytes 129342 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
    }

    chain reject_from_vpn {
            iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
    }

    chain dstnat {
            type nat hook prerouting priority dstnat; policy accept;
            jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
    }

    chain srcnat {
            type nat hook postrouting priority srcnat; policy accept;
            oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
            oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
            jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }

    chain srcnat_wan {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }

    chain srcnat_vpn {
            meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
    }

    chain raw_prerouting {
            type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
            type filter hook output priority raw; policy accept;
    }

    chain mangle_prerouting {
            type filter hook prerouting priority mangle; policy accept;
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs1_4 counter packets 612 bytes 73852 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs2_4 counter packets 4066 bytes 2220495 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs2_4 counter packets 55 bytes 70290 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs4_4 counter packets 58 bytes 9032 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs4_4 counter packets 19 bytes 24282 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
            meta l4proto udp iifname "eth0" ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
            meta l4proto tcp iifname "eth0" ip daddr @omr_dst_bypass_eth1_4 counter packets 2116 bytes 634293 meta mark set 0x00045393 comment "!fw4: omr_dst_bypass_eth1_rule"
            meta l4proto udp iifname "eth0" ip daddr @omr_dst_bypass_eth1_4 counter packets 0 bytes 0 meta mark set 0x00045393 comment "!fw4: omr_dst_bypass_eth1_rule"
            iifname "eth0" tcp sport { 1910, 3074, 3478-3480, 5222-5223, 7800-7802, 7850-7854, 8080, 8111, 8965-8966, 25565-25566, 27015-27030, 27036-27037, 43594-43595 } counter packets 0 bytes 0 meta mark set 0x00045393 comment "!fw4: omr_dst_bypass_eth1_srcport"
            iifname "eth0" udp sport { 88, 3074, 3478-3480, 3658, 4379-4380, 16172, 19132, 20000-30000, 50969-50970 } counter packets 6 bytes 407 meta mark set 0x00045393 comment "!fw4: omr_dst_bypass_eth1_srcport"
    }

    chain mangle_postrouting {
            type filter hook postrouting priority mangle; policy accept;
            oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
            oifname { "usb0", "usb1", "eth1", "eth2", "eth3" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
            oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
    }

    chain mangle_input {
            type filter hook input priority mangle; policy accept;
            meta l4proto icmp iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 1 bytes 143 ip dscp set cs5 comment "!fw4: omr_dscp_rule1"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_rule2"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_rule3"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule4"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport 65001 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule5"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 1935 udp dport 1935 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule6"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 10000 udp dport 10000 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule7"
            iifname "eth0" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 4444 tcp dport 4444 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_rule8"
    }

    chain mangle_output {
            type route hook output priority mangle; policy accept;
    }

    chain mangle_forward {
            type filter hook forward priority mangle; policy accept;
            iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
            iifname { "usb0", "usb1", "eth1", "eth2", "eth3" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
            iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
    }

    chain upnp_forward {
    }

    chain upnp_prerouting {
    }

    chain upnp_postrouting {
    }

}

darthclide commented 7 months ago

I can put that in a pastebin if you need. I don't want to edit post if you are currently looking at it though.

Ysurac commented 7 months ago

All seems ok... What is the result of ip rule and ip route show table xxx (where xxx is the number after each word lookup in ip rule result)?

darthclide commented 7 months ago

ip rule
0: from all lookup local
0: from all fwmark 0x1 lookup 100
0: from 192.168.10.158 lookup 3
0: from all oif tun0 lookup 1500
0: from all oif usb0 lookup 5
0: from 192.168.82.194 lookup 6
0: from 172.20.10.3 lookup 4
0: from all oif eth1 lookup 3
0: from 10.255.255.2 lookup 1500
0: from all oif eth2 lookup 4
0: from 192.168.42.196 lookup 5
0: from all oif usb1 lookup 6
1: from all fwmark 0x45399999 lookup 9999
1: from all fwmark 0x45393 lookup 3
1: from all fwmark 0x45391500 lookup 1500
1: from all fwmark 0x45394 lookup 4
1: from all fwmark 0x45395 lookup 5
1: from all fwmark 0x45396 lookup 6
1: from all fwmark 0x45397 lookup 7
1: from all fwmark 0x4539 lookup 991337
100: from all lookup lan
10000: from 192.168.100.1 lookup lan
20000: from all to 192.168.100.1/24 lookup lan
32766: from all lookup main
32767: from all lookup default
90002: from all iif lo lookup lan

root@OpenMPTCProuter:~# ip route show table 100
local default dev lo scope host

root@OpenMPTCProuter:~# ip route show table 3
default via 192.168.10.1 dev eth1
192.168.10.0/24 dev eth1 scope link

root@OpenMPTCProuter:~# ip route show table 4
default via 172.20.10.2 dev eth2
172.20.10.0/24 dev eth2 scope link

root@OpenMPTCProuter:~# ip route show table 5
default via 192.168.42.129 dev usb0
192.168.42.0/24 dev usb0 scope link

root@OpenMPTCProuter:~# ip route show table 6
default via 192.168.82.21 dev usb1
192.168.82.0/24 dev usb1 scope link

root@OpenMPTCProuter:~# ip route show table 7
Dump terminated

root@OpenMPTCProuter:~# ip route show table 1500
default via 10.255.255.1 dev tun0
10.255.255.2 dev tun0 scope link

root@OpenMPTCProuter:~# ip route show table 9999
Dump terminated

root@OpenMPTCProuter:~# ip route show table 991337
root@OpenMPTCProuter:~#

root@OpenMPTCProuter:~# ip route show table lan
192.168.100.0/24 dev eth0 proto static scope link metric 9999

root@OpenMPTCProuter:~# ip route show table local
local 10.255.255.2 dev tun0 proto kernel scope host src 10.255.255.2
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 172.20.10.3 dev eth2 proto kernel scope host src 172.20.10.3
broadcast 172.20.10.255 dev eth2 proto kernel scope link src 172.20.10.3
local 192.168.10.158 dev eth1 proto kernel scope host src 192.168.10.158
broadcast 192.168.10.255 dev eth1 proto kernel scope link src 192.168.10.158
local 192.168.42.196 dev usb0 proto kernel scope host src 192.168.42.196
broadcast 192.168.42.255 dev usb0 proto kernel scope link src 192.168.42.196
local 192.168.82.194 dev usb1 proto kernel scope host src 192.168.82.194
broadcast 192.168.82.255 dev usb1 proto kernel scope link src 192.168.82.194
local 192.168.100.1 dev eth0 proto kernel scope host src 192.168.100.1
broadcast 192.168.100.255 dev eth0 proto kernel scope link src 192.168.100.1

root@OpenMPTCProuter:~# ip route show table main
default via 10.255.255.1 dev tun0
default via 192.168.10.1 dev eth1 metric 3
default via 172.20.10.2 dev eth2 metric 4
default via 192.168.42.129 dev usb0 metric 5
default via 192.168.82.21 dev usb1 metric 6
default via 10.255.255.1 dev tun0 metric 1500
10.255.255.1 dev tun0 proto kernel scope link src 10.255.255.2
10.255.255.2 dev tun0 scope link metric 1500
127.0.0.0/8 dev lo proto static scope link metric 8
*.*..*** metric 1
    nexthop via 192.168.10.1 dev eth1 weight 100
    nexthop via 172.20.10.2 dev eth2 weight 1
    nexthop via 192.168.42.129 dev usb0 weight 1
    nexthop via 192.168.82.21 dev usb1 weight 1
172.20.10.0/24 dev eth2 scope link metric 4
192.168.10.0/24 dev eth1 scope link metric 3
192.168.42.0/24 dev usb0 scope link metric 5
192.168.82.0/24 dev usb1 scope link metric 6

(I removed my public IP from the previous command)
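
One way to automate the cross-check requested above, as an added shell example that is not part of the original thread: follow the mark set by the `omr_dst_bypass_eth1_srcport` rule (0x00045393) through `ip rule` to its table and that table's default route. The helper names `get_rules`, `get_routes`, `table_for_mark`, `default_dev` and `check_mark` are hypothetical, and the embedded data is a constructed sample copied from the outputs posted here.

```sh
# Constructed samples copied from the outputs in this thread. On a router,
# replace the bodies with `ip rule` and `ip route show table "$1" 2>/dev/null`.
get_rules() {
cat <<'EOF'
0: from all oif eth1 lookup 3
1: from all fwmark 0x45399999 lookup 9999
1: from all fwmark 0x45393 lookup 3
1: from all fwmark 0x45391500 lookup 1500
1: from all fwmark 0x45397 lookup 7
32766: from all lookup main
EOF
}
get_routes() {
    case "$1" in
        3)    printf '%s\n' "default via 192.168.10.1 dev eth1" "192.168.10.0/24 dev eth1 scope link" ;;
        1500) printf '%s\n' "default via 10.255.255.1 dev tun0" "10.255.255.2 dev tun0 scope link" ;;
        *)    : ;;  # tables 7 and 9999 returned no routes in the thread
    esac
}

# Print the routing table that a firewall mark (hex or decimal) selects.
table_for_mark() {
    want=$(( $1 ))  # 0x00045393 and 0x45393 are the same integer
    get_rules | awk '{ m = ""; t = ""
        for (i = 1; i < NF; i++) {
            if ($i == "fwmark") m = $(i + 1)
            if ($i == "lookup") t = $(i + 1)
        }
        if (m != "") print m, t }' |
    while read -r mark table; do
        mark=${mark%%/*}  # drop an optional /mask suffix
        if [ $(( $mark )) -eq "$want" ]; then echo "$table"; break; fi
    done
}

# Print the egress device of a table's default route, or nothing.
default_dev() {
    get_routes "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Report where packets carrying MARK leave; non-zero status on a dead end.
check_mark() {
    table=$(table_for_mark "$1")
    [ -n "$table" ] || { echo "$1 no-rule"; return 1; }
    dev=$(default_dev "$table")
    [ -n "$dev" ] || { echo "$1 table=$table no-default-route"; return 1; }
    echo "$1 table=$table dev=$dev"
}
```

With the sample data, `check_mark 0x00045393` resolves to table 3 and `eth1`, while a mark whose table is empty (such as 0x45397, table 7) is reported as having no default route.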

Ysurac commented 7 months ago

All seems to be ok. If you are using Shadowsocks-libev, can you try with Shadowsocks-Rust (System->OpenMPTCProuter, Wizard tab, "advanced settings" checkbox) and reboot? I will make some tests tomorrow.

darthclide commented 7 months ago

> All seems to be ok. If you are using Shadowsocks-libev, can you try with Shadowsocks-Rust (System->OpenMPTCProuter, Wizard tab, "advanced settings" checkbox) and reboot? I will make some tests tomorrow.

Okay will do later when people are in bed.

darthclide commented 6 months ago

Before I did the tests you wanted me to do tonight, in the middle of a match in War Thunder, my ping suddenly jumped back to 100ms (when usually I get 30-35ms when on pure non-VPN DSL). So I opened CurrPorts to see what new port came, but nothing new was there. All ports reported are within my scope 49000:66000 set in OMR-bypass. So what happened? Here is a screenshot of what CurrPorts shows. Let me know if you see a port I might have missed:

image

As for Shadowsocks Rust, it had no impact. Both on my Runescape game, as well as War Thunder.

darthclide commented 6 months ago

Guess you got busy with other stuff, but just as a test I tried disabling all connections except for eth1, and as expected the ping didn't change. If anything the spikes got worse going up to 200ms at times. But as soon as I disable bonded internet and switch over to my 2nd ethernet port on pure DSL, my ping immediately drops and stays at 30-35ms. Based off these results in War Thunder I didn't even bother opening Runescape as there is clearly something going wrong in OMR-bypass.

Ysurac commented 6 months ago

As War Thunder is free, I will test it. Before testing, is there anything I should know? Where do we get latency?

darthclide commented 6 months ago

Oof, I refreshed page just as I went to bed. Just missed this message.

We have determined that overall ping issues can be mitigated with a different VPN (in the other github issue). The struggle in this github issue is that OMR-bypass seems to not work, or randomly quits working even after you have added all ports shown in CurrPorts or a straight up domain name (world104.runescape.com) to OMR-bypass.

I didn't realize you were offering to install the games, but if it isn't too late, I think runescape would be easier to test because it is much smaller in size. War Thunder even without HD textures is 26 GB I think. But if you are using War Thunder, you will know OMR-bypass is not working if the ping is jumping +25-50ms. Or you can do what I did and compare your best latency connection on its own, then compare it to OMR router.

Ysurac commented 6 months ago

When you have bypass not working, what do you have in Status->System log at the same time? Anything about firewall or omr-bypass?

darthclide commented 6 months ago

From launch of game to middle of match this is the only thing that appears in system log:
Apr 20 22:10:04 OpenMPTCProuter daemon.err /usr/bin/ss-redir[31249]: send: Broken pipe
Apr 20 22:13:02 OpenMPTCProuter daemon.notice netifd: WAN3 (31064): udhcpc: sending renew to server 192.168.82.21
Apr 20 22:13:02 OpenMPTCProuter daemon.notice netifd: WAN3 (31064): udhcpc: lease of 192.168.82.32 obtained from 192.168.82.21, lease time 3599
Apr 20 22:13:52 OpenMPTCProuter daemon.notice netifd: wan2 (31045): udhcpc: sending renew to server 192.168.42.129
Apr 20 22:13:52 OpenMPTCProuter daemon.notice netifd: wan2 (31045): udhcpc: lease of 192.168.42.170 obtained from 192.168.42.129, lease time 3600

Have you had any luck with either Runescape or War Thunder?

darthclide commented 6 months ago

Just happened to look at my clock in system log though. It says: Apr 20 23:05:11 OpenMPTCProuter user.notice

But in System -> System -> General Settings it says: image

Perhaps the update from .59 to .60 caused it? Would be nice to fix though to help troubleshoot problems since the time is off by 4 hours.

darthclide commented 6 months ago

I know this issue is far down on the list of priorities, but figured I would ask if you were able to test any games yet.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days