
coova-chilli: Download Speed Capped at 40-50 Mbps with CoovaChilli on OpenWrt 23.05.5 (MT7621 + xt_coova) #25703

Open
aswanthk07 opened this issue Jan 7, 2025 · 7 comments

Comments

@aswanthk07

aswanthk07 commented Jan 7, 2025

Issue: CoovaChilli Performance and Errors with xt_coova on OpenWrt 23.05.5

Setup Details

  • CoovaChilli Version: 1.6
  • Platform: OpenWrt 23.05.5
  • Architecture: MT7621
  • Firewall: firewall3 + iptables_zz_legacy
  • Additional Support: xt_coova
  • ISP Speed: 100 Mbps (Real-world)

Problem 1: Speed Capping on Download

When performing a speed test via CoovaChilli:

  • Download Speed: 30-40 Mbps (tested using Ookla)
  • Upload Speed: 100 Mbps (matches ISP speed)
  • On the regular network (without CoovaChilli), both download and upload speeds match the ISP-provided 100 Mbps.

Additional Testing

Performed an iperf test:

  • Setup: Iperf server on one CoovaChilli client, Iperf client on another CoovaChilli client.
  • Result: Download and upload speeds via CoovaChilli WAN were approximately 300-400 Mbps, indicating no bottleneck in internal data flow.

Problem 2: Errors When Using kname="chilli"

After setting kname="chilli" in the configuration, the following errors are observed in the logs:

Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: chilli[8361]: PID 8361 reloaded binary options file
Tue Jan  7 10:47:43 2025 daemon.info chilli[8361]: CoovaChilli 1.6. Copyright 2002-2005 Mondru AB. Licensed under GPL. Copyright 2006-2012 David Bird (Coova Technologies). Licensed under GPL. See http://coova.github.io/ for details.
Tue Jan  7 10:47:43 2025 daemon.info chilli[8361]: TX queue length set to 100
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.445245] device br-network4 entered promiscuous mode
Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: No such file or directory: could not open /proc/net/coova/chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.605612] xt_coova: looking for chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.609731] xt_coova: created chilli refcnt=1
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.614072] xt_coova: match ret=0
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.632326] xt_coova: looking for chilli
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.636280] xt_coova: found chilli refcnt=2
Tue Jan  7 10:47:43 2025 kern.info kernel: [  204.640524] xt_coova: match ret=0
Tue Jan  7 10:47:43 2025 daemon.err chilli[8361]: bad idx (-1)
Tue Jan  7 10:47:43 2025 daemon.warn chilli[8361]: RADIUS id 0 was not found in queue!
Tue Jan  7 10:47:52 2025 kern.info kernel: [  213.969309] seq_file: buggy .next function 0x835ee0d8 did not update position index
Tue Jan  7 10:47:53 2025 kern.info kernel: [  214.978726] seq_file: buggy .next function 0x835ee0d8 did not update position index
Tue Jan  7 10:47:54 2025 kern.info kernel: [  215.988028] seq_file: buggy .next function 0x835ee0d8 did not update position index

Problem 3: Upload Speed is Unlimited, Bandwidth Limitation Not Working

  • Observation: Upload speeds through CoovaChilli are now unlimited and match the ISP-provided speed (100 Mbps). However, any bandwidth limit (set manually or from RADIUS) for the upload is ignored.
  • This issue occurs even when download bandwidth limitations are applied correctly.
  • No errors appear in the logs specific to this problem, but the bandwidth control feature for uploads seems to be bypassed.

Configuration Details

Custom up.sh Script changes for xt_coova:

# Fragment of a customised /etc/chilli/up.sh. "ipt" is the iptables wrapper that
# the stock CoovaChilli up.sh provides; TUNTAP, KNAME and DHCPIF are exported by
# chilli before this script runs.
set_xt_coova_rules() {
    # Map this instance's tun device to its client subnet.
    case $TUNTAP in
        "tun1") NETWORK_RANGE="172.21.100.0/24" ;;
        "tun2") NETWORK_RANGE="172.22.100.0/24" ;;
        "tun3") NETWORK_RANGE="172.23.100.0/24" ;;
        "tun4") NETWORK_RANGE="172.24.100.0/24" ;;
        *) echo "Unknown TUNTAP device: $TUNTAP"; return ;;
    esac
    # Let xt_coova decide per client (--dest for the return direction).
    # Note that "-I" inserts at the head of FORWARD, so each later insert
    # lands above the earlier ones.
    ipt -I FORWARD -o wan --src $NETWORK_RANGE -m coova --name chilli -j ACCEPT
    ipt -I FORWARD -i wan --dst $NETWORK_RANGE -m coova --name chilli --dest -j ACCEPT
    # Unconditional accepts for the subnet, inserted last and hence evaluated first.
    ipt -I FORWARD --src $NETWORK_RANGE -j ACCEPT
    ipt -I FORWARD --dst $NETWORK_RANGE -j ACCEPT
}
run_up() {
    if [ -n "$TUNTAP" ]; then
        # Stock kname handling: match on the DHCP interface by kernel table name.
        if [ "$KNAME" != "" ]; then
            ipt -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT
            ipt -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
        fi
        set_xt_coova_rules
    fi
    # Site-local hook, sourced if present.
    [ -e /etc/chilli/ipup.sh ] && . /etc/chilli/ipup.sh
}

Chilli Configuration:

tundev="tun4"
net="172.24.100.0/24"
dynip="172.24.100.0/24"
dns1="8.8.8.8"
dns2="8.8.4.4"
ipup="/etc/chilli/up.sh"
ipdown="/etc/chilli/down.sh"
radiusserver1="x.x.x.x"
radiusserver2="x.x.x.x"
radiussecret="xxxxx"
dhcpif="br-network4"
uamserver="https://example.com"
uamlisten="172.24.100.1"
uamallowed="example.com"
uamdomain=".example.com"
wwwdir="/etc/chilli/www"
wwwbin="/etc/chilli/wwwsh"
radiusnasid="x-x-x"
kname="chilli"

@brada4 @sevan @pparent76 could you guys please look into this and help if you find anything wrong?

@brada4

brada4 commented Jan 7, 2025

can you show fragments from
4 lines via iptables-save
all lines with xt and related chain/table headers from nft list ruleset

@aswanthk07

aswanthk07 commented Jan 7, 2025

can you show fragments from 4 lines via iptables-save all lines with xt and related chain/table headers from nft list ruleset

Hi @brada4, thanks for your reply. This is the output from iptables-save:

# Generated by iptables-save v1.8.8 on Tue Jan  7 11:36:50 2025
*mangle
:PREROUTING ACCEPT [107391:85317361]
:INPUT ACCEPT [3423:238520]
:FORWARD ACCEPT [103783:85006879]
:OUTPUT ACCEPT [3543:1048978]
:POSTROUTING ACCEPT [96079:84688373]
-A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jan  7 11:36:50 2025
# Generated by iptables-save v1.8.8 on Tue Jan  7 11:36:50 2025
*nat
:PREROUTING ACCEPT [3050:316942]
:INPUT ACCEPT [60:3646]
:OUTPUT ACCEPT [121:9315]
:POSTROUTING ACCEPT [31:2222]
:postrouting_lan_rule - [0:0]
:postrouting_network1_rule - [0:0]
:postrouting_network2_rule - [0:0]
:postrouting_network3_rule - [0:0]
:postrouting_network4_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_network1_rule - [0:0]
:prerouting_network2_rule - [0:0]
:prerouting_network3_rule - [0:0]
:prerouting_network4_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_network1_postrouting - [0:0]
:zone_network1_prerouting - [0:0]
:zone_network2_postrouting - [0:0]
:zone_network2_prerouting - [0:0]
:zone_network3_postrouting - [0:0]
:zone_network3_prerouting - [0:0]
:zone_network4_postrouting - [0:0]
:zone_network4_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-network3 -m comment --comment "!fw3" -j zone_network3_prerouting
-A PREROUTING -i br-network4 -m comment --comment "!fw3" -j zone_network4_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-network3 -m comment --comment "!fw3" -j zone_network3_postrouting
-A POSTROUTING -o br-network4 -m comment --comment "!fw3" -j zone_network4_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_network1_postrouting -m comment --comment "!fw3: Custom network1 postrouting rule chain" -j postrouting_network1_rule
-A zone_network1_prerouting -m comment --comment "!fw3: Custom network1 prerouting rule chain" -j prerouting_network1_rule
-A zone_network2_postrouting -m comment --comment "!fw3: Custom network2 postrouting rule chain" -j postrouting_network2_rule
-A zone_network2_prerouting -m comment --comment "!fw3: Custom network2 prerouting rule chain" -j prerouting_network2_rule
-A zone_network3_postrouting -m comment --comment "!fw3: Custom network3 postrouting rule chain" -j postrouting_network3_rule
-A zone_network3_prerouting -m comment --comment "!fw3: Custom network3 prerouting rule chain" -j prerouting_network3_rule
-A zone_network4_postrouting -m comment --comment "!fw3: Custom network4 postrouting rule chain" -j postrouting_network4_rule
-A zone_network4_prerouting -m comment --comment "!fw3: Custom network4 prerouting rule chain" -j prerouting_network4_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jan  7 11:36:50 2025
# Generated by iptables-save v1.8.8 on Tue Jan  7 11:36:50 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_network1_rule - [0:0]
:forwarding_network2_rule - [0:0]
:forwarding_network3_rule - [0:0]
:forwarding_network4_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_network1_rule - [0:0]
:input_network2_rule - [0:0]
:input_network3_rule - [0:0]
:input_network4_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_network1_rule - [0:0]
:output_network2_rule - [0:0]
:output_network3_rule - [0:0]
:output_network4_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_network1_dest_ACCEPT - [0:0]
:zone_network1_forward - [0:0]
:zone_network1_input - [0:0]
:zone_network1_output - [0:0]
:zone_network1_src_ACCEPT - [0:0]
:zone_network2_dest_ACCEPT - [0:0]
:zone_network2_forward - [0:0]
:zone_network2_input - [0:0]
:zone_network2_output - [0:0]
:zone_network2_src_ACCEPT - [0:0]
:zone_network3_dest_ACCEPT - [0:0]
:zone_network3_forward - [0:0]
:zone_network3_input - [0:0]
:zone_network3_output - [0:0]
:zone_network3_src_ACCEPT - [0:0]
:zone_network4_dest_ACCEPT - [0:0]
:zone_network4_forward - [0:0]
:zone_network4_input - [0:0]
:zone_network4_output - [0:0]
:zone_network4_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i br-network4 -j DROP
-A INPUT -d 172.24.100.1/32 -i tun4 -p icmp -j ACCEPT
-A INPUT -d 172.24.100.1/32 -i tun4 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 172.24.100.1/32 -i tun4 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun4 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 172.24.100.1/32 -i tun4 -p tcp -m tcp --dport 3991 -j ACCEPT
-A INPUT -d 172.24.100.1/32 -i tun4 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 172.24.100.1/32 -i tun4 -j DROP
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-network3 -m comment --comment "!fw3" -j zone_network3_input
-A INPUT -i br-network4 -m comment --comment "!fw3" -j zone_network4_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -d 172.24.100.0/24 -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -j ACCEPT
-A FORWARD -d 172.24.100.0/24 -i wan -m coova--name chilli --dest  -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT
-A FORWARD -i tun4 -o wan -j ACCEPT
-A FORWARD -i tun4 ! -o wan -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun4 -j ACCEPT
-A FORWARD -i tun4 -j ACCEPT
-A FORWARD -o br-network4 -j DROP
-A FORWARD -i br-network4 -j DROP
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-network3 -m comment --comment "!fw3" -j zone_network3_forward
-A FORWARD -i br-network4 -m comment --comment "!fw3" -j zone_network4_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-network3 -m comment --comment "!fw3" -j zone_network3_output
-A OUTPUT -o br-network4 -m comment --comment "!fw3" -j zone_network4_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_network1_forward -m comment --comment "!fw3: Custom network1 forwarding rule chain" -j forwarding_network1_rule
-A zone_network1_forward -m comment --comment "!fw3: Zone network1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_network1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_network1_forward -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
-A zone_network1_input -m comment --comment "!fw3: Custom network1 input rule chain" -j input_network1_rule
-A zone_network1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_network1_input -m comment --comment "!fw3" -j zone_network1_src_ACCEPT
-A zone_network1_output -m comment --comment "!fw3: Custom network1 output rule chain" -j output_network1_rule
-A zone_network1_output -m comment --comment "!fw3" -j zone_network1_dest_ACCEPT
-A zone_network2_forward -m comment --comment "!fw3: Custom network2 forwarding rule chain" -j forwarding_network2_rule
-A zone_network2_forward -m comment --comment "!fw3: Zone network2 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_network2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_network2_forward -m comment --comment "!fw3" -j zone_network2_dest_ACCEPT
-A zone_network2_input -m comment --comment "!fw3: Custom network2 input rule chain" -j input_network2_rule
-A zone_network2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_network2_input -m comment --comment "!fw3" -j zone_network2_src_ACCEPT
-A zone_network2_output -m comment --comment "!fw3: Custom network2 output rule chain" -j output_network2_rule
-A zone_network2_output -m comment --comment "!fw3" -j zone_network2_dest_ACCEPT
-A zone_network3_dest_ACCEPT -o br-network3 -m comment --comment "!fw3" -j ACCEPT
-A zone_network3_forward -m comment --comment "!fw3: Custom network3 forwarding rule chain" -j forwarding_network3_rule
-A zone_network3_forward -m comment --comment "!fw3: Zone network3 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_network3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_network3_forward -m comment --comment "!fw3" -j zone_network3_dest_ACCEPT
-A zone_network3_input -m comment --comment "!fw3: Custom network3 input rule chain" -j input_network3_rule
-A zone_network3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_network3_input -m comment --comment "!fw3" -j zone_network3_src_ACCEPT
-A zone_network3_output -m comment --comment "!fw3: Custom network3 output rule chain" -j output_network3_rule
-A zone_network3_output -m comment --comment "!fw3" -j zone_network3_dest_ACCEPT
-A zone_network3_src_ACCEPT -i br-network3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_network4_dest_ACCEPT -o br-network4 -m comment --comment "!fw3" -j ACCEPT
-A zone_network4_forward -m comment --comment "!fw3: Custom network4 forwarding rule chain" -j forwarding_network4_rule
-A zone_network4_forward -m comment --comment "!fw3: Zone network4 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_network4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_network4_forward -m comment --comment "!fw3" -j zone_network4_dest_ACCEPT
-A zone_network4_input -m comment --comment "!fw3: Custom network4 input rule chain" -j input_network4_rule
-A zone_network4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_network4_input -m comment --comment "!fw3" -j zone_network4_src_ACCEPT
-A zone_network4_output -m comment --comment "!fw3: Custom network4 output rule chain" -j output_network4_rule
-A zone_network4_output -m comment --comment "!fw3" -j zone_network4_dest_ACCEPT
-A zone_network4_src_ACCEPT -i br-network4 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Jan  7 11:36:50 2025

Also regarding nft list ruleset: I'm using iptables-zz-legacy, as iptables-nft didn't give me redirection. Thanks
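The FORWARD chain in the dump above is where the xt_coova rules live, and in iptables the first terminating rule wins, so rule order is the first thing to verify. The script below is an added example, not code from this issue or from the coova-chilli project: it parses the `-A FORWARD` lines of an iptables-save dump and reports every `-m coova` rule that sits below a broader ACCEPT/DROP/REJECT rule covering the same traffic, which is exactly the situation in which a coova rule's packet counters never move. The sample input is constructed from the six rules at the top of the FORWARD chain above (including the `coova--name` spacing as the dump prints it); the function and type names are my own.

```python
"""Find chain rules that shadow xt_coova matches in iptables-save output.

A chain is evaluated top-down and stops at the first terminating target, so a
broad ACCEPT above a '-m coova' rule means the coova rule never sees a packet
and whatever it was meant to enforce is bypassed.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: the first six FORWARD rules of the iptables-save dump in
# the issue, in kernel evaluation order.
SAMPLE = """\
-A FORWARD -d 172.24.100.0/24 -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -j ACCEPT
-A FORWARD -d 172.24.100.0/24 -i wan -m coova--name chilli --dest  -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT
-A FORWARD -i tun4 -o wan -j ACCEPT
-A FORWARD -i tun4 ! -o wan -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
_SHORT_OPTS = {"-A": "chain", "-s": "src", "-d": "dst", "-i": "in_if",
               "-o": "out_if", "-p": "proto", "-j": "target"}


@dataclass
class Rule:
    index: int                      # 1-based position within its chain
    text: str
    chain: str | None = None
    src: str | None = None
    dst: str | None = None
    in_if: str | None = None
    out_if: str | None = None
    proto: str | None = None
    modules: list[str] = field(default_factory=list)
    target: str | None = None
    negated: bool = False           # any '!' makes superset reasoning unsafe


def parse_rule(index: int, line: str) -> Rule:
    """Parse one '-A CHAIN ...' line. Options belonging to a '-m' module
    (--name, --dest, --ctstate, ...) are skipped, so coova's --source/--dest
    are never mistaken for the iptables -s/-d selectors."""
    toks = shlex.split(line)
    rule = Rule(index, line.strip())
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            rule.negated = True
            i += 1
        elif tok in _SHORT_OPTS:
            setattr(rule, _SHORT_OPTS[tok], toks[i + 1])
            i += 2
        elif tok == "-m":
            # The dump prints "coova--name" without a space; keep the module name only.
            rule.modules.append(re.match(r"[A-Za-z_]+", toks[i + 1]).group(0))
            i += 2
            while i < len(toks) and (toks[i].startswith("--") or not toks[i].startswith("-")):
                i += 1              # swallow the module's own options and values
        else:
            i += 1
    return rule


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already decided by 'earlier'."""
    if earlier.negated or earlier.modules or earlier.target not in TERMINATING:
        return False
    for attr in ("in_if", "out_if", "proto"):
        e, l = getattr(earlier, attr), getattr(later, attr)
        if e is not None and (later.negated or e != l):
            return False
    for attr in ("src", "dst"):
        e, l = getattr(earlier, attr), getattr(later, attr)
        if e is None:
            continue
        if l is None or later.negated or not ipaddress.ip_network(l, strict=False).subnet_of(
                ipaddress.ip_network(e, strict=False)):
            return False
    return True


def find_shadowed_coova_rules(save_text: str, chain: str = "FORWARD") -> list[tuple[int, int]]:
    """Return (shadowing_index, coova_index) pairs for rules of the given chain."""
    rules: list[Rule] = []
    for line in save_text.splitlines():
        if line.startswith("-A "):
            rule = parse_rule(len(rules) + 1, line)
            if rule.chain == chain:
                rules.append(rule)
    found = []
    for later in rules:
        if "coova" not in later.modules:
            continue
        for earlier in rules[: later.index - 1]:
            if _covers(earlier, later):
                found.append((earlier.index, later.index))
    return found


def report(save_text: str, chain: str = "FORWARD") -> list[str]:
    return [f"{chain} rule {c} (-m coova) is shadowed by rule {e}: "
            f"every packet it could match is terminated first"
            for e, c in find_shadowed_coova_rules(save_text, chain)]


if __name__ == "__main__":
    for line in report(SAMPLE) or ["no shadowed coova rules"]:
        print(line)
```

To run it against a live router, replace `SAMPLE` with the output of `iptables-save -t filter`; a zero packet counter on a `-m coova` rule in `iptables -L FORWARD -v` is the quick manual version of the same check.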

@aswanthk07

aswanthk07 commented Jan 7, 2025

@brada4, sharing the iptables output as well, in case it helps in any way.

:~# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   23  3643 DROP       all  --  br-network4 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  tun4   *       0.0.0.0/0            172.24.100.1        
    0     0 ACCEPT     udp  --  tun4   *       0.0.0.0/0            172.24.100.1         udp dpt:53
    0     0 ACCEPT     udp  --  tun4   *       0.0.0.0/0            172.24.100.1         udp dpts:67:68
    0     0 ACCEPT     udp  --  tun4   *       0.0.0.0/0            255.255.255.255      udp dpts:67:68
    0     0 ACCEPT     tcp  --  tun4   *       0.0.0.0/0            172.24.100.1         tcp dpt:3991
  142 14944 ACCEPT     tcp  --  tun4   *       0.0.0.0/0            172.24.100.1         tcp dpt:3990
    0     0 DROP       all  --  tun4   *       0.0.0.0/0            172.24.100.1        
  154 13302 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3614  291K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 3502  269K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    1   326 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  107 20506 zone_wan_input  all  --  wan    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network3_input  all  --  br-network3 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network4_input  all  --  br-network4 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    4  1360 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
32840   40M ACCEPT     all  --  *      *       0.0.0.0/0            172.24.100.0/24     
40408   24M ACCEPT     all  --  *      *       172.24.100.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  wan    *       0.0.0.0/0            172.24.100.0/24     coova: name: chilli side: dest
    0     0 ACCEPT     all  --  *      wan     172.24.100.0/24      0.0.0.0/0           coova: name: chilli side: source 
    0     0 ACCEPT     all  --  tun4   wan     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  tun4   !wan    0.0.0.0/0            0.0.0.0/0           
  244 14600 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      tun4    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun4   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-network4  0.0.0.0/0            0.0.0.0/0           
    1    80 DROP       all  --  br-network4 *       0.0.0.0/0            0.0.0.0/0           
13933 6091K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
12386 5970K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 1547  121K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  wan    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network3_forward  all  --  br-network3 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network4_forward  all  --  br-network4 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  154 13302 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 4151 1150K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 3962 1136K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    1   341 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  188 13779 zone_wan_output  all  --  *      wan     0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network3_output  all  --  *      br-network3  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_network4_output  all  --  *      br-network4  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_network1_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_network2_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_network3_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_network4_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_network1_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_network2_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_network3_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_network4_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_network1_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_network2_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_network3_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_network4_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   406 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
   94 21076 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   341 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1547  121K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
 1547  121K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   326 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    1   326 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   341 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    1   341 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   326 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_network1_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_network1_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_network1_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network1 forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone network1 to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_network1_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network1_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_network1_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network1 input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_network1_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network1_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_network1_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network1 output rule chain */
    0     0 zone_network1_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network1_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_network2_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_network2_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_network2_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network2 forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone network2 to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_network2_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network2_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_network2_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network2 input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_network2_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network2_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_network2_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network2 output rule chain */
    0     0 zone_network2_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network2_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_network3_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-network3  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network3_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_network3_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network3 forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone network3 to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_network3_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network3_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_network3_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network3 input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_network3_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network3_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_network3_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network3 output rule chain */
    0     0 zone_network3_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network3_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br-network3 *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_network4_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-network4  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network4_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_network4_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network4 forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone network4 to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_network4_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network4_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_network4_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network4 input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_network4_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network4_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_network4_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom network4 output rule chain */
    0     0 zone_network4_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_network4_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br-network4 *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (6 references)
 pkts bytes target     prot opt in     out     source               destination         
   27  2909 DROP       all  --  *      wan     0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
 1708  132K ACCEPT     all  --  *      wan     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      wan     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  107 20506 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
   12   384 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
   95 20122 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  188 13779 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
  188 13779 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   95 20122 reject     all  --  wan    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

@brada4

brada4 commented Jan 7, 2025

There is space char missing.

-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT
--------------------------------------------^^

@aswanthk07 (Author)

There is space char missing.

-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT
--------------------------------------------^^

Thanks @brada4 for the findings, as I mentioned above these are the commands I'm using for xt_coova to kick in.

    # each -I prepends, so the last line below ends up first in FORWARD
    # client -> WAN for authenticated sessions (coova side defaults to source)
    ipt -I FORWARD -o wan --src $NETWORK_RANGE -m coova --name chilli -j ACCEPT
    # WAN -> client, session looked up by destination address
    ipt -I FORWARD -i wan --dst $NETWORK_RANGE -m coova --name chilli --dest -j ACCEPT
    # unconditional accepts for the whole hotspot range
    ipt -I FORWARD --src $NETWORK_RANGE -j ACCEPT
    ipt -I FORWARD --dst $NETWORK_RANGE -j ACCEPT

There is already a space char between them in my up.sh, and I tried adding one more space char, but it didn't make any change. Will this be an issue with the iptables-zz-legacy version I'm using? Also, can you please suggest if I can use iptables-nft instead of iptables-zz-legacy for coova, if this is the issue?

:~# iptables -L -v -n | grep chilli
    0     0 ACCEPT     all  --  wan    *       0.0.0.0/0            172.24.100.0/24     coova: name: chilli side: dest
    0     0 ACCEPT     all  --  *      wan     172.24.100.0/24      0.0.0.0/0           coova: name: chilli side: source 
:~# iptables-save | grep chilli
-A FORWARD -d 172.24.100.0/24 -i wan -m coova--name chilli --dest  -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT

Also, looking at iptables, the name and the coova module seem to be initialized correctly, despite the space char issue still persisting in iptables-save.
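
Added example (editor's code, not from the issue or from coova-chilli) covering two things this thread turns up. First, the `-m coova--name chilli` token that iptables-save prints without a space: `iptables -L -v -n` above shows the match loaded with the right name and side, so the in-kernel rule is intact, but a dump containing that glued token would not go back through iptables-restore, which would look for a match called `coova--name`; the script rewrites it. Second, rule order: each `ipt -I FORWARD ...` line in up.sh prepends, so after the four lines above FORWARD reads, top to bottom, the unconditional `--dst` ACCEPT, the unconditional `--src` ACCEPT, the two xt_coova matches, and only then fw3's `zone_*_forward` dispatch into the chains dumped above. The script reports whether the coova rules precede fw3's dispatch and lists plain ACCEPT rules for the hotspot range that sit above them. The sample dump is constructed: the two coova lines are the ones posted above, the two plain ACCEPT lines are what the up.sh commands would produce, and the fw3 lines are assumed typical fw3 output rather than copied from this router.

```shell
#!/bin/sh
# Added example, not code from the issue or from coova-chilli.
# Checks an iptables-save dump for:
#   1. the "-m coova--name" token that iptables-save printed without a space
#      (the in-kernel rule is fine, the dump just is not restorable as-is),
#   2. whether the xt_coova rules in FORWARD precede fw3's zone_*_forward jumps,
#   3. plain ACCEPT rules for the hotspot range that sit above the coova
#      matches and therefore shadow the per-session check in FORWARD.
# Assumptions: the fw3 lines below are typical fw3 output (not from the thread),
# and the two plain ACCEPT lines are what the "ipt -I FORWARD --src/--dst" lines
# in up.sh produce once the -I prepend order is applied.

# Constructed sample dump (only the two coova lines are copied from the issue).
SAMPLE_SAVE='*filter
:FORWARD DROP [0:0]
-A FORWARD -d 172.24.100.0/24 -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -j ACCEPT
-A FORWARD -d 172.24.100.0/24 -i wan -m coova--name chilli --dest  -j ACCEPT
-A FORWARD -s 172.24.100.0/24 -o wan -m coova--name chilli --source  -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
COMMIT'

# Number of rules whose match name and first option were glued together.
count_glued_coova() {
    printf '%s\n' "$1" | grep -c -- '-m coova--' || true
}

# Re-insert the space so iptables-restore sees "-m coova --name ...".
fix_coova_save() {
    printf '%s\n' "$1" | sed 's/-m coova--/-m coova --/'
}

# Exit 0 if every "-m coova" rule in FORWARD appears before the first
# "-j zone_*_forward" jump, 1 otherwise. Other chains are ignored.
coova_before_fw3() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && /-j zone_[A-Za-z0-9_]*_forward/ { fw3_seen = 1 }
        /^-A FORWARD / && /-m coova/ && fw3_seen          { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print FORWARD rules that ACCEPT traffic for $2 (the hotspot range, written
# as it appears in the dump) without consulting xt_coova and that sit above
# the first coova match. Packets hitting these never reach the session check.
coova_shadowers() {
    printf '%s\n' "$1" | awk -v range="$2" '
        /^-A FORWARD / && /-m coova/ { coova_seen = 1 }
        /^-A FORWARD / && !/-m coova/ && /-j ACCEPT/ && index($0, range) && !coova_seen { print }'
}

# Stand-alone run: report, then emit a dump that iptables-restore will accept.
echo "glued coova tokens: $(count_glued_coova "$SAMPLE_SAVE")"
if coova_before_fw3 "$SAMPLE_SAVE"; then
    echo "coova rules precede fw3 zone dispatch: yes"
else
    echo "coova rules precede fw3 zone dispatch: NO"
fi
echo "rules shadowing the coova matches:"
coova_shadowers "$SAMPLE_SAVE" 172.24.100.0/24
fix_coova_save "$SAMPLE_SAVE"
```

To run it against the real router, replace `SAMPLE_SAVE` with `$(iptables-save)` and pass the range from `$NETWORK_RANGE`. Whether a plain ACCEPT above the coova match actually lets unauthenticated clients through depends on how chilli is attached to the interfaces, which this thread does not show; what it does mean is that the per-session check in FORWARD is never consulted for that direction, which fits the 0-packet counters on the two coova rules in the `iptables -L -v -n` output above, though counters alone do not prove it. That is worth settling with `iptables -S FORWARD` before looking at the kernel module for the throughput question.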

@brada4

brada4 commented Jan 8, 2025

You see, your output is a new issue; try forums, or opennds first.
