Hello,

1. I want to thank all developers for their effort on this project.
2. I want to say that I have used the firmware for several years and until now I didn't have any major issues with it.
3. Here is where my current problems start :)
        After the upgrade of my TP-Link 1043ND to 14.07 I have very strange connectivity problems:
        - I have a bridge which includes my wireless interface, an OpenVPN tap device and the switch.
        - I have several devices connected to the router in my LAN, and all of them are connected through Wi-Fi. I also have a PC which is connected through the VPN. For better explanation I will use the following names below: A (a desktop PC wirelessly connected to the router), B (a laptop wirelessly connected to the router) and C (a VPN client connected on the tap interface).
        - One of the problems is that an SSH connection from A to B or C cannot be established. The reverse connection however has no problems (from C to A, from C or B to A, from C to B).
        - Client B cannot establish an HTTP connection to C but has no problems with the same (HTTP) connection to A.
After some examination of these problems it seems that the router misses some of the packets (and more specifically the ACK from the server to which I'm trying to connect) and the connection stays in an UNREPLIED state. The odd thing is that the above happens every time in the specified directions.
This, in conjunction with the default firewall rules which drop the INVALID packets, is the cause of my connectivity problems. I also want to say that the ACK from the server is seen on the client. This was determined with several tcpdump captures and after enabling logging in netfilter (echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid), which in turn shows the following messages in syslog:
kernel:  [14475.210000] nf_ct_tcp: invalid state IN= OUT= SRC= ....

To overcome these problems I have added the following forwarding rule in /etc/firewall.user

iptables -A forwarding_rule -i br-lan -o br-lan -m conntrack --ctstate INVALID -j ACCEPT

the counter for which is of course increased after each connection like those specified above.
This however is not the end sadly, it seems that packets (ACK ?) are lost/missed on my internet connection too, which in turn results in disconnecting when watching a streaming video for example. The counters on the firewall rules which drop the INVALID packets however are not triggered and frankly I don't know where else to look. The syslog shows that such packets are ignored. For example:
kernel:  [ 3500.560000] nf_ct_tcp: invalid packet ignored in state SYN_SENT IN= OUT= SRC=124.122.106.69 DST=77.71.120.205 LEN=52 TOS=0x00 PREC=0x20 TTL=112 ID=20249 DF PROTO=TCP SPT=27162 DPT=40850 SEQ=1244027285 ACK=3005719584 WINDOW=65535 RES=0x00 ACK URGP=0 OPT (0101080A0000F12F024E3F72)
... or ...
kernel:  [ 7570.330000] nf_ct_tcp: invalid packet ignored in state SYN_RECV IN= OUT= SRC=173.194.44.39 DST=77.71.120.205 LEN=60 TOS=0x00 PREC=0x20 TTL=52 ID=56615 PROTO=TCP SPT=443 DPT=58624 SEQ=2577414535 ACK=568552512 WINDOW=42540 RES=0x00 ACK SYN URGP=0 OPT (020405960402080A601171340120133101030307)

I didn't have such problems with 12.09. Any help will be appreciated.

Thank you in advance.

Best Regards,
I. Petrov
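
Added example, not part of the original post: a Python triage script for the nf_conntrack_log_invalid messages quoted above. It splits each line into the conntrack message, endpoints and TCP flags, and decodes the OPT (...) hex into TCP options. The function names are hypothetical; the sample input is the post's two complete log entries, re-joined.

```python
import re
from collections import Counter

# Constructed input: the two complete log lines quoted in the post, re-joined.
SAMPLE = [
    "kernel:  [ 3500.560000] nf_ct_tcp: invalid packet ignored in state SYN_SENT IN= "
    "OUT= SRC=124.122.106.69 DST=77.71.120.205 LEN=52 TOS=0x00 PREC=0x20 TTL=112 "
    "ID=20249 DF PROTO=TCP SPT=27162 DPT=40850 SEQ=1244027285 ACK=3005719584 "
    "WINDOW=65535 RES=0x00 ACK URGP=0 OPT (0101080A0000F12F024E3F72)",
    "kernel:  [ 7570.330000] nf_ct_tcp: invalid packet ignored in state SYN_RECV IN= "
    "OUT= SRC=173.194.44.39 DST=77.71.120.205 LEN=60 TOS=0x00 PREC=0x20 TTL=52 "
    "ID=56615 PROTO=TCP SPT=443 DPT=58624 SEQ=2577414535 ACK=568552512 WINDOW=42540 "
    "RES=0x00 ACK SYN URGP=0 OPT (020405960402080A601171340120133101030307)",
]
LINE = re.compile(r"nf_ct_tcp: (?P<reason>.+?) IN=.*?RES=\S+ (?P<flags>.*?) ?URGP=\d+"
                  r"(?: OPT \((?P<opt>[0-9A-Fa-f]+)\))?")
KNOWN = {  # option kind: (expected total length, formatter for the value bytes)
    1: (1, lambda b: "NOP"), 4: (2, lambda b: "SACK_PERM"),
    2: (4, lambda b: f"MSS={int.from_bytes(b, 'big')}"), 3: (3, lambda b: f"WSCALE={b[0]}"),
    8: (10, lambda b: f"TS(val={int.from_bytes(b[:4], 'big')},ecr={int.from_bytes(b[4:], 'big')})")}

def decode_tcp_options(hexstr):
    """Walk the kind/length/value list that the kernel logs as OPT (...)."""
    raw, out, i = bytes.fromhex(hexstr), [], 0
    while i < len(raw) and raw[i] != 0:            # kind 0 ends the option list
        kind = raw[i]
        length = 1 if kind == 1 else raw[i + 1] if i + 1 < len(raw) else 0
        if (kind != 1 and length < 2) or i + length > len(raw):
            out.append("MALFORMED")                # truncated or corrupt option
            break
        want, fmt = KNOWN.get(kind, (length, lambda b: f"KIND{kind}"))
        out.append(fmt(raw[i + 2:i + length]) if want == length else "MALFORMED")
        i += length
    return out

def parse_line(line):
    """Return message, endpoints, flags and options of one line, or None if incomplete."""
    m = LINE.search(line)
    if not m:
        return None
    rec = dict(re.findall(r"\b(SRC|DST|SPT|DPT|SEQ|ACK)=(\S+)", line))
    rec.update(reason=m["reason"], flags=m["flags"].split(), options=decode_tcp_options(m["opt"] or ""))
    return rec

def summarize(lines):
    """Count packets per (conntrack message, TCP flags) pair."""
    return Counter((r["reason"], " ".join(r["flags"])) for r in map(parse_line, lines) if r)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over a longer syslog capture, the counts per (message, flags) pair show which handshake step conntrack is rejecting, and the decoded options can be compared against the same packet in a tcpdump capture.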