OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Mauro Mozzarelli - 11.01.2017
Last edited by Felix Fietkau - 14.01.2017

FS#382 - Simple static routes not working when firewall+masquerading is active

Supply the following if possible:
- Device problem occurs on: all devices
- Software versions of LEDE release, packages, etc. trunk all releases up to the latest
- Steps to reproduce: see below:

When I switched from OpenWrt to LEDE static routes configured on my network stopped working.

My configuration is as follows (please use fixed characters size to read the diagram below):

                         Internet ADSL

Internet ADSL Router C
[Dynamic IP] [Public Subnet P]

     |                         |
     |                 Address on Subnet P
 Router B                   Router A -------------- VPN to     
     |                         |
     |                         |
     --------------------------- [Private LAN]
    Host X
   Default Router

Router A is configured to Masquerade traffic from through its port on Subnet P
Router C is the default router for Public Subnet P
Router B is configured with a static route to Public Subnet P through
I want traffic from Hosts with default route to Public Subnet P to go via (instead of through the internet)
I want traffic from Hosts with default route to VPN to go via
On Router B I configure a static route directing traffic for Public Subnet P through
On Router B I configure a static route directing traffic for VPN through

Behaviour from Host X:

- Using OpenWRT (any version including latest trunk):

 I can ping any host on Public Subnet P or VPN
 I can http/https, use any protocol to any host on Public Subnet P or VPN

- Using LEDE up to build r2713 (the latest I tried)

 I can ping any host on Public Subnet or VPN
 Any attempt to connect using any other internet protocol to any host in Public Subnet P or VPN fails.
 However if I disable the firewall altogether in Router B my connections succeed.

It looks as if in LEDE response packets are somehow blocked by the firewall
before they reach Host X (I can see connections coming on the hosts in Public Subnet P, and responses returning, but not reaching Host X).

I tried to add a specific directive to the Router B firewall to let through packets from Public Subnet P, but it is not working.
The only workaround I found working is to create a SNAT rule on Router B to rewrite the source IP to with destination Public Subnet P. This however should be unnecessary if the routing worked properly.

This simple static routing configuration should work seamlessly as it does in OpenWRT and any Linux flavour.

Closed by Felix Fietkau
14.01.2017 15:07
Reason for closing: Fixed
Mauro Mozzarelli commented on 11.01.2017 14:07

Unfortunately the character based diagram is not rendered properly above.

I rewrite the top section here horizontally:

Router B —> [Dynamic IP] Internet ADSL B

Router C —> [Public Subnet P] Internet ADSL A

Jo-Philipp Wich commented on 11.01.2017 14:22

Please provide the network and firewall config of router B.

Arjen de Korte commented on 11.01.2017 14:38

Assuming Host X receives an address through DHCP, rather than attempting to fix this have you considered adding DHCP option 121 to add the static routing in the clients instead? This would bypass Router B entirely when the traffic should go through Router A in the first place (

Mauro Mozzarelli commented on 13.01.2017 14:36

Yes I have considered setting the routes statically on every host, however this defeats the purpose of a "router" which should take care of routing on behalf of the network's hosts.

The primary purpose of a router is to "route" packets according to rules configured into the router.

This issue practically turns off routing capabilities in LEDE.

Mauro Mozzarelli commented on 13.01.2017 14:40

Jo-Philipp, please provide a secure email address where I can post the configuration files.
I prefer not to post my live network configuration publicly.

Jo-Philipp Wich commented on 13.01.2017 14:44

LEDE has a stricter firewall rule layout compared to OpenWrt CC which will likely drop unrelated return traffic by default.

Unrelated return traffic might occur after ICMP redirects.

If this is the case you should add firewall accept rules for both directions and not rely on established/related processing to catch return packets.

You can find secure contact details at

Mauro Mozzarelli commented on 13.01.2017 15:47

I sent you the original configuration files by email; please let me know should you not receive them.

I also tried to add firewall accept rules for both directions. It does not work, and in fact it can't work unless I open every port, because responses can use unpredictable ports.

Jo-Philipp Wich commented on 13.01.2017 15:49

  # 'foo' and 'bar' stand for the two firewall zones involved;
  # one rule per direction, matching every protocol.
  config rule
    option src foo
    option dest bar
    option proto all
    option target ACCEPT
  config rule
    option src bar
    option dest foo
    option proto all
    option target ACCEPT
Mauro Mozzarelli commented on 13.01.2017 15:51


You will see that I had to add SNAT rules in the firewall to make routing work. This is NOT a correct configuration because in this way hosts reached by packets no longer can run ACL rules based on the client IP as the source IP becomes the same for every packet.

I am seriously considering going back to OpenWRT, as this issue seriously affects the purpose of the router. If it weren't for the fact that I have just moved to a BT Home Hub 5, which is not properly supported in OpenWRT, I would have already done it.

Jo-Philipp Wich commented on 13.01.2017 15:53

The fact that SNAT rules make things work only underlines my assumption that you're dealing with asymmetrical routing and ICMP redirects here.

Mauro Mozzarelli commented on 13.01.2017 16:07

I tried the configuration posted above, unfortunately it does not work in my case.

config rule
    option target 'ACCEPT'
    option proto 'all'
    option name 'my-dmz-subnet'
    option src '*'
    option src_ip 'A.B.C.D/28'
    option dest '*'

So far it worked only with SNAT.

Mauro Mozzarelli commented on 13.01.2017 16:22

I restored OpenWrt on my Netgear router. Sad because LEDE is quite good, but I cannot do without proper routing and the firewall workarounds are a nightmare with network routing complexity beyond a simple home/office single router configuration.

I am now considering the same on BtHomeHub5.

Please let me know when the issue is fixed.

Jo-Philipp Wich commented on 13.01.2017 17:37

Thank you for the configuration files.

I tracked down the problem to the fact that forwarded local subnet traffic carries conntrack state INVALID, which causes it to get rejected since the zone_*_dest_ACCEPT chains only consider NEW and UNTRACKED traffic.

I applied updates to the firewall source ( and package ( which will address the local subnet forwarding problem.

Updated firewall binary packages should be available within the next 24 hours.
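As an added illustration of the diagnosis in the comment above (this is not code from the LEDE firewall package and not part of the original report), the following Python model shows why Router B passes ping but drops TCP once replies come back to Host X via Router A instead of via Router B. The addresses and port numbers are constructed placeholders, the connection tracker is a deliberate simplification of nf_conntrack's TCP and ICMP tracking, and the "return path via Router B" case stands in for the reporter's SNAT workaround, which forces replies back through Router B so that it sees both directions.

```python
# Toy model of Router B's forward path from FS#382 (added example, not LEDE code).
# ctstate names as the iptables 'conntrack' match uses them.
NEW, ESTABLISHED, RELATED, UNTRACKED, INVALID = (
    "NEW", "ESTABLISHED", "RELATED", "UNTRACKED", "INVALID")

# Constructed placeholder addresses for the report's topology.
HOST_X = "192.0.2.10"      # private LAN host, default route -> Router B
PUBLIC_P = "198.51.100.5"  # a host on Public Subnet P, reached via Router A


class ConnTracker:
    """Connection tracking as seen by ONE router (simplified nf_conntrack).

    TCP: a flow enters SYN_SENT when the SYN passes and becomes ESTABLISHED
    only if the SYN-ACK also passes this router.  An original-direction
    ACK on a flow still in SYN_SENT cannot be reconciled and is INVALID,
    which is exactly what Router B sees when replies bypass it.
    ICMP echo: an entry that has never seen a reply stays ctstate NEW, so
    every echo request keeps matching the zone's NEW/UNTRACKED accept rule.
    """

    def __init__(self):
        self.tcp = {}   # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.icmp = {}  # (src, dst, ident) -> reply_seen

    def tcp_state(self, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if key in self.tcp:                       # original direction
            if self.tcp[key] == "ESTABLISHED":
                return ESTABLISHED
            return NEW if flags == {"SYN"} else INVALID   # SYN retransmit vs. stray ACK
        if rev in self.tcp:                       # reply direction
            if self.tcp[rev] == "SYN_SENT" and flags == {"SYN", "ACK"}:
                self.tcp[rev] = "ESTABLISHED"
            return ESTABLISHED if self.tcp[rev] == "ESTABLISHED" else INVALID
        if flags == {"SYN"}:                      # brand-new flow
            self.tcp[key] = "SYN_SENT"
            return NEW
        return INVALID  # mid-stream packet with no entry (loose pickup ignored here)

    def icmp_state(self, src, dst, ident, is_reply):
        key, rev = (src, dst, ident), (dst, src, ident)
        if is_reply:
            if rev in self.icmp:
                self.icmp[rev] = True
                return ESTABLISHED
            return INVALID
        self.icmp.setdefault(key, False)
        return ESTABLISHED if self.icmp[key] else NEW


def forward_verdict(state):
    """Forward-path policy as described in the report: ESTABLISHED/RELATED is
    accepted generically, the zone_*_dest_ACCEPT chain admits only NEW and
    UNTRACKED, and anything else (INVALID) falls through to the drop policy."""
    if state in (ESTABLISHED, RELATED, NEW, UNTRACKED):
        return "ACCEPT"
    return "DROP"


def simulate_tcp(return_path_via_router_b):
    """TCP handshake plus one data segment from Host X to a host on Subnet P.
    Returns Router B's verdict for each packet it actually sees."""
    ct = ConnTracker()
    verdicts = []
    # 1. SYN from Host X, forwarded by Router B (which also sends an ICMP redirect)
    verdicts.append(forward_verdict(ct.tcp_state(HOST_X, 40000, PUBLIC_P, 443, {"SYN"})))
    # 2. SYN-ACK passes Router B only if the reply path is symmetric (e.g. SNAT)
    if return_path_via_router_b:
        verdicts.append(forward_verdict(
            ct.tcp_state(PUBLIC_P, 443, HOST_X, 40000, {"SYN", "ACK"})))
    # 3. Final ACK and first data segment from Host X, still sent to its default router
    verdicts.append(forward_verdict(ct.tcp_state(HOST_X, 40000, PUBLIC_P, 443, {"ACK"})))
    verdicts.append(forward_verdict(ct.tcp_state(HOST_X, 40000, PUBLIC_P, 443, {"ACK", "PSH"})))
    return verdicts


def simulate_ping(count=3):
    """Echo requests from Host X whose replies never pass Router B."""
    ct = ConnTracker()
    return [forward_verdict(ct.icmp_state(HOST_X, PUBLIC_P, 0x1234, is_reply=False))
            for _ in range(count)]


if __name__ == "__main__":
    print("asymmetric TCP :", simulate_tcp(return_path_via_router_b=False))
    print("symmetric TCP  :", simulate_tcp(return_path_via_router_b=True))
    print("asymmetric ping:", simulate_ping())
```

Run it as a script: in the asymmetric case the SYN is accepted as NEW and every later segment is dropped as INVALID, while the pings all pass, matching the "ping works, everything else fails" symptom; routing the replies back through Router B turns the same packets into ESTABLISHED traffic.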

Dave Täht commented on 13.01.2017 18:22

cool. I think I was seeing something like this. will fiddle.

Mauro Mozzarelli commented on 13.01.2017 19:42

I just built LEDE r2960 for BtHomeHub5. The release includes your patch.
Routing works fine now.

Many thanks Jo. Thank you for this fast fix!
