[OpenWrt-Devel] iptables NAT not being updated on WAN changes

[Nuno Gonçalves]

I have internet connections at eth0.2 and eth1.

Config is like this:

config interface wan
        option ifname   eth1
        option proto    dhcp

After boot connection is ok. Computers behind router get NATed internet.
Then I do ifdown wan, change eth1 to eth0.2 and ifup wan.
Computers start getting "Destination port unreachable" to ping
request. Inside the router I can ping the internet.

Rebooting (with eth1 or eth0.2 selected, doesn't care) brings NATed
connection back.
/etc/init.d/network restart doesn't.

r...@openwrt:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
zone_wan_MSSFIX  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere

Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere

Chain forwarding_lan (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination

Chain input (1 references)
target     prot opt source               destination
zone_lan   all  --  anywhere             anywhere
zone_wan   all  --  anywhere             anywhere

Chain input_lan (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere

Chain output_rule (1 references)
target     prot opt source               destination

Chain reject (5 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere
reject-with tcp-reset
REJECT     all  --  anywhere             anywhere
reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere

Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:68
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere
r...@openwrt:/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
zone_wan_prerouting  all  --  anywhere             anywhere
zone_lan_prerouting  all  --  anywhere             anywhere
prerouting_rule  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
zone_wan_nat  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_lan (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_wan (1 references)
target     prot opt source               destination

Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination
prerouting_lan  all  --  anywhere             anywhere

Chain zone_wan_nat (1 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination
prerouting_wan  all  --  anywhere             anywhere

-- 
+ Nuno Gonçalves
+ nuno...@gmail.com
+ http://nunoassimassim.blogspot.com/
+ PORTUGAL
E-mail sent directly from Google Mail webmail using HTTPS on behalf of
Nuno João Pinto Gonçalves, birth date 1986-11-16. E-mail headers
provide good assurance that this message was not tampered and
originates from nuno...@gmail.com. If you require additional security,
I may provide on request X509 electronic signature under Portuguese
government chain.
Se precisar de assinatura digital do Cartão de Cidadão, de uma apitadela.
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel