Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 32 views
How is an overlayfs different from just mounting another disk/partition over a directory?
I have OpenWRT installed on some of my routers and to add additional storage for settings as well as programs that might be installed on the router and maybe logs, OpenWRT recommends you plug storage into it and use an overlayfs.
I also have a SBC where I just mount an external drive overtop of my home directory on boot to store the home directory externally off of the SD Card that the bootloader and OS are installed on; since the storage on the external drive is more reliable than the SD Card, despite running slower.
What is the difference between these two strategies? They are both basically Single Board computers with Linux, and when the external drive fails to mount, in both cases we're left with a directory full of the content of the original directory, where the drive would have been mounted before.
The only thing I can think of that is different, is that the settings directory for OpenWRT (`/etc`) is being mounted on the external drive, where this is not the case on the SBC.
leeand00
(4927 rep)
Aug 5, 2025, 08:58 PM
• Last activity: Aug 6, 2025, 05:22 AM
0 votes, 1 answer, 1942 views
How to see the current routed connections?
I'm running a router that is using linux; I want to see connection statistics from internal network to external network(s) (NAT router); how do I do this? I've tried using `netstat` but of course it's only the local router connections.
I can see the connection information if I setup something like an IDS and mirror; but I do not want to do this.
user26053
Jul 25, 2017, 04:31 PM
• Last activity: Jun 2, 2025, 02:08 PM
1 vote, 0 answers, 203 views
Debian 12 weird ipv6 breaks internet access
I've set up a fresh Debian 12 system today and wanted to try out IPv6 in my network a bit.
So I set up an IPv6 ULA on my router and created a new Debian VM for testing.
The Debian VM picks up the ULA address through SLAAC just fine, but it also generates a strange and seemingly incorrect IPv6 address alongside it, one that appears to be just the EUI-64 interface identifier without any of the network prefix bits set.
The output of `ip address` looks like this:
```
inet6 ::be24:11ff:fe59:4e73/64 scope global
    valid_lft 2591891sec preferred_lft 604691sec
inet6 fdf2:e2f0:3d5b:0:be24:11ff:fe59:4e73/64 scope global deprecated dynamic mngtmpaddr
    valid_lft 2591893sec preferred_lft 0sec
inet6 fdf2:e2f0:3d5b:1:be24:11ff:fe59:4e73/64 scope global dynamic mngtmpaddr
    valid_lft 2591893sec preferred_lft 604693sec
inet6 fe80::be24:11ff:fe59:4e73/64 scope link
    valid_lft forever preferred_lft forever
```
Although the ULA address is generated just fine, this non-routable address `:be24:11ff:fe59:4e73/64` breaks my internet access as it's used as the source IP of `ping` or `curl` for example.
Output of rdisk6
```
Soliciting ff02::2 (ff02::2) on eth0...
Hop limit : undefined ( 0x00)
Stateful address conf. : Yes
Stateful other conf. : No
Mobile home agent : No
Router preference : medium
Neighbor discovery proxy : No
Router lifetime : 1800 (0x00000708) seconds
Reachable time : unspecified (0x00000000)
Retransmit time : unspecified (0x00000000)
Source link-layer address: 78:9A:18:94:4A:B4
Recursive DNS server : fdf2:e2f0:3d5b:1:be24:11ff:fe59:4e73
Recursive DNS server : fdf2:e2f0:3d5b:1:be24:11ff:feb6:90f
DNS servers lifetime : 1800 (0x00000708) seconds
Prefix : fdf2:e2f0:3d5b:1::/64
On-link : Yes
Autonomous address conf.: Yes
Valid time : 2592000 (0x00278d00) seconds
Pref. time : 604800 (0x00093a80) seconds
Prefix : fdf2:e2f0:3d5b::/64
On-link : Yes
Autonomous address conf.: Yes
Valid time : 2592000 (0x00278d00) seconds
Pref. time : 0 (0x00000000) seconds
from fe80::7a9a:18ff:fe94:4ab4
```
Router address setup:
```
[gateway] > /ipv6/address/print detail
Flags: X - disabled, I - invalid, D - dynamic; G - global, L - link-local; S - slave; d - deprecated
1 G address=fdf2:e2f0:3d5b:1::/64 from-pool=private-pool interface= VLAN010 actual-interface=VLAN010 eui-64=no advertise=yes no-dad=no
[gateway] > /ipv6/nd/print
Flags: X - disabled, I - invalid; * - default
0 * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes
managed-address-configuration=yes other-configuration=no dns=fdf2:e2f0:3d5b:1:be24:11ff:fe59:4e73,fdf2:e2f0:3d5b:1:be24:11ff:feb6:90f
```
Does anyone know why this address is being generated and how I can disable it?
Hier
(11 rep)
Oct 20, 2024, 11:36 AM
• Last activity: Apr 25, 2025, 11:24 AM
0 votes, 1 answer, 3343 views
Install Debian on Mikrotik RB 2011 routerboard
Is there any way to install Debian sid on Mikrotik RB 2011?
It seems the Debian MIPS port does not support this type of CPU (Atheros 600MHz 74K MIPS big-endian). I already installed OpenWRT on this device; I need to install Debian.
List of Debian images: https://d-i.debian.org/daily-images/
Debian MIPS port: https://www.debian.org/ports/mips/
SINA GH
(11 rep)
Aug 16, 2020, 06:05 AM
• Last activity: Apr 14, 2025, 09:02 AM
0 votes, 0 answers, 63 views
Ubuntu: AP appears to change mode (expected HE, found HT), disconnect
I try to connect to my WLAN repeater (FRITZ!Repeater 6000). It fails.
`dmesg` shows me
> AP appears to change mode (expected HE, found HT), disconnect
But what does work is that I can connect to my base router: FRITZ!Box 6590 Cable.
My OS: Ubuntu 24.04.2 LTS
Tütü
(11 rep)
Mar 28, 2025, 12:08 PM
2 votes, 1 answer, 337 views
What process can remove an entry from a router NAT table?
I have just been watching a video which explains UDP holepunching.
- https://www.youtube.com/watch?v=GfRLNg6DOnI
In this video, some processes which create entries in a router NAT table are explained.
This got me thinking. What process or event may cause an entry in a router's NAT table to be removed?
- Do these entries expire after a certain period of time? (TTL)
- Does a "connection closed" type packet typically cause the removal of a NAT table entry? (I don't recall if UDP has this kind of message. TCP does.)
- Some other cause?
It's easy to see what would create a NAT table entry - a connection from a source IP and port starting to transmit to a remote server via a NAT'ed router.
What isn't so obvious is what would remove these entries from a NAT table. Presumably they do not exist forever.
user3728501
(977 rep)
Mar 17, 2025, 09:46 PM
• Last activity: Mar 18, 2025, 07:26 AM
0 votes, 1 answer, 67 views
How to get router to respond to ARP requests from switch so i can manage it
I have a web managed switch on my network. It is connected to a router, along with the host PC i am on. I cannot ping it through the router.
Router is Fedora server.
the router's applicable interfaces are:
```
enp3s0 wan interface
enp4s0 with static IP 192.168.2.2/24
enp6s0 with static IP 10.2.4.1/24
```
routing table on the router has applicable entries:
```
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.2.2     0.0.0.0         UG    100    0   0   enp4s0
0.0.0.0         10.2.4.1        0.0.0.0         UG    103    0   0   enp6s0
10.2.4.0        0.0.0.0         255.255.255.0   U     103    0   0   enp6s0
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0   0   enp4s0
```
the hosts are directly attached to these interfaces with these ips:
```
        IP                    MAC                attached if
switch  192.168.2.1 (static)  60:be:b4:13:28:e1  enp4s0
pc      10.2.4.5 (dhcp)       1c:2a:a3:1e:74:df  enp6s0
```
when i ping from the host pc, i get timeouts. so i ran tcpdump from the router on enp4s0
```
sudo tcpdump -i enp4s0 -n
16:18:06.345052 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 430, length 64
16:18:07.334961 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:07.369062 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 431, length 64
16:18:08.361151 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:08.393080 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 432, length 64
16:18:09.385150 ARP, Request who-has 192.168.2.2 tell 192.168.2.2, length 28
16:18:09.417072 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 433, length 64
[ ... ]
16:18:17.609124 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 441, length 64
16:18:18.601152 ARP, Request who-has 192.168.2.1 tell 192.168.2.2, length 28
16:18:18.601366 ARP, Reply 192.168.2.1 is-at 1c:2a:a3:1e:74:df, length 46
16:18:18.633088 IP 10.2.4.5 > 192.168.2.1: ICMP echo request, id 48, seq 442, length 64
```
discernible facts:
* the packets travel the router's nftables forward chain from enp6s0 to enp4s0
* the switch then asks who has 192.168.2.2, the gateway. it gets no response.
* the router later asks who has 192.168.2.1. the switch responds with its mac.
* the router's arp table records it.
* the switch still does not know who has 192.168.2.2
routers applicable arp entries
```
Address      HWtype  HWaddress          Flags Mask  Iface
192.168.2.1  ether   1c:2a:a3:1e:74:df  C           enp4s0
10.2.4.5     ether   04:7c:16:4d:0a:84  C           enp6s0
```
the switch is not responding to pings, and furthermore, to my web requests to manage it. when i send a web request from the browser, i immediately get a bunch more "Request who-has 192.168.2.2", which reveals that the http request reached the switch and knows to reply to that IP, but it still doesn't know who has that IP. it keeps asking.
here is the host pc applicable arp table entries, showing the router responded to the PC's arp request, so why not then to the switch?
```
Address   HWtype  HWaddress          Flags Mask  Iface
10.2.4.1  ether   60:be:b4:13:28:e3  C           enp12s0
```
This is the only 192.168. network. all other interfaces start with 10.
what would cause the router not to reply to the switch's arp request so i can eventually ping and manage it.
FigureOfCode
(3 rep)
Jan 27, 2025, 04:55 AM
• Last activity: Jan 28, 2025, 10:57 PM
0 votes, 1 answer, 141 views
Turris Omnia (Knot resolver): t.co does not resolve. twitter.com does
My Turris Omnia cannot resolve t.co, but has no problems with other domains such as twitter.com or x.co. Local names (hpdisk.lan) also work:
~~~
root@turris:~# ping t.co
ping: t.co: Name does not resolve
root@turris:~# ping twitter.com
PING twitter.com (104.244.42.193) 56(84) bytes of data.
64 bytes from 104.244.42.193 (104.244.42.193): icmp_seq=1 ttl=58 time=11.5 ms
tange@turris:~$ ping x.co
PING x.co (148.72.51.157) 56(84) bytes of data.
64 bytes from 157.51.72.148.host.secureserver.net (148.72.51.157): icmp_seq=1 ttl=42 time=139 ms
tange@turris:~$ ping hpdisk.lan
PING hpdisk.lan (192.168.1.30) 56(84) bytes of data.
64 bytes from 192.168.1.30 (192.168.1.30): icmp_seq=1 ttl=64 time=0.374 ms
~~~
The router has no problem querying the auth name servers, so it is not caused by some network filtering or routing problem:
~~~
root@turris:/tmp/log# dig @a.r06.twtrdns.net. t.co
; > DiG 9.18.24 > @a.r06.twtrdns.net. t.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER 156.154.105.25.53: 20216% [1au] A? U.CO. (33)
14:36:00.484396 IP 156.154.105.25.53 > 100.100.246.190.51757: 20216- 0/6/1 (639)
14:36:00.485495 IP 100.100.246.190.55245 > 193.108.91.245.53: 25634% [1au] A? Ns50.DoMAInCoNtROL.COm. (51)
14:36:00.500380 IP 193.108.91.245.53 > 100.100.246.190.55245: 25634*- 1/0/1 A 173.201.72.25 (67)
14:36:00.500659 IP 100.100.246.190.60650 > 173.201.72.25.53: 49104% [1au] A? U.Co. (33)
14:36:00.513975 IP 173.201.72.25.53 > 100.100.246.190.60650: 49104*- 2/2/1 A 15.197.142.173, A 3.33.152.147 (120)
~~~
Looking up t.co causes no traffic. It smells as if Knot Resolver thinks it is auth for t.co
I have tried rebooting the router. This did not fix the issue.
~~~
root@turris:~# uname -a
Linux turris 5.15.148 #0 SMP Tue Apr 2 01:04:13 2024 armv7l GNU/Linux
root@turris:~# kresd --version
Knot Resolver, version 5.7.1
root@turris:~# netstat -anp |grep 0:53
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 18768/kresd
udp 0 0 0.0.0.0:53 0.0.0.0:* 18768/kresd
tange@turris:~$ cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1
root@turris:/tmp/log# cat /var/log/resolver
Apr 27 11:52:30 turris kresd: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
Apr 27 11:52:50 turris kresd: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
~~~
Ole Tange
(37348 rep)
Apr 25, 2024, 05:47 PM
• Last activity: Nov 30, 2024, 06:39 PM
0 votes, 1 answer, 70 views
Linux networking: setting up ethernet and wifi routers
I've been setting up a linux box as my router. And my networking is fairly simple at this point:
1. I have the router connected to my fiber box, which authenticates with my ISP using `pppd`.
2. I have an ethernet interface, `enp2s0`, which is the gateway on the router:
```
enp2s0: flags=4163 mtu 1500
        inet 10.1.1.1 netmask 255.255.255.0 broadcast 0.0.0.0
        inet6 fe80::20d:b9ff:fe5a:2f91 prefixlen 64 scopeid 0x20
        ether 00:0d:b9:5a:2f:91 txqueuelen 1000 (Ethernet)
        RX packets 57348511 bytes 31510953543 (29.3 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 116229180 bytes 129467792313 (120.5 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device memory 0xf7a00000-f7a1ffff
```
3. I have a wireless interface:
```
wlp4s0: flags=4163 mtu 1500
        inet 10.1.1.2 netmask 255.255.255.0 broadcast 0.0.0.0
        inet6 fe80::6f0:21ff:fe91:cf90 prefixlen 64 scopeid 0x20
        ether 04:f0:21:91:cf:90 txqueuelen 1000 (Ethernet)
        RX packets 493730 bytes 595814115 (568.2 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 355275 bytes 344035494 (328.0 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
Which I'd like clients to connect to.
4. I have `nftables` and some basic routing rules to route traffic.
My clients can connect to the ethernet interface all right. And internet etc. works as expected.
However, when connecting to the wireless interface, and pinging:
```
-> % ping -I wlp65s0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.1.1.48 wlp65s0: 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
60 packets transmitted, 0 received, 100% packet loss, time 60428ms
```
I don't seem to get any replies back.
On the router, I see the following when enabling `nftables trace`:
```
trace id 85cd7345 ip filter trace_chain packet: iif "ppp0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 61 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 59 @th,64,96 0xd9d22c6700000000d1790900
trace id 85cd7345 ip filter forward packet: iif "ppp0" oif "enp2s0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 60 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 59 @th,64,96 0xd9d22c6700000000d1790900
trace id 3626e73a ip filter trace_chain packet: iif "wlp4s0" ether saddr 48:ad:9a:9d:5e:a4 ether daddr 04:f0:21:91:cf:90 ip saddr 10.1.1.48 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 52040 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900
trace id 3626e73a ip filter forward packet: iif "wlp4s0" oif "ppp0" ether saddr 48:ad:9a:9d:5e:a4 ether daddr 04:f0:21:91:cf:90 ip saddr 10.1.1.48 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 52040 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900
trace id a6c3e760 ip filter trace_chain packet: iif "ppp0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 61 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900
trace id a6c3e760 ip filter forward packet: iif "ppp0" oif "enp2s0" ip saddr 8.8.8.8 ip daddr 10.1.1.48 ip dscp af21 ip ecn not-ect ip ttl 60 ip id 0 ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 12 icmp sequence 60 @th,64,96 0xdad22c67000000006cd70900
```
Which I am unable to understand.
Any pointers here will be very helpful.
---
If I change the wireless interface address to 10.1.2.1, I am able to connect to other hosts on the LAN/WAN.
Idkt
(123 rep)
Nov 7, 2024, 02:54 PM
• Last activity: Nov 7, 2024, 03:25 PM
3 votes, 3 answers, 19035 views
Reboot over ssh
I'm trying to reboot a Teltonika RTU950 using ssh.
I can log in as root via ssh and then reboot the router fine. However if I try to send the reboot command over ssh it does not work.
```
ssh root@routerip 'reboot'
```
This returns the error:
```
ash: reboot: not found
```
I've tried using shutdown -r instead. Also tried using absolute path. Always gives me the same error.
To be noted that the error says: `ash:` and not `bash:`.
The router runs on a linux os. uname gives:
```
Linux Teltonika-RUT950.com 3.18.44 #1
```
Any idea what could be causing this?
LecauseAndThePi
(177 rep)
Sep 7, 2018, 02:03 PM
• Last activity: Nov 5, 2024, 04:48 PM
1 vote, 1 answer, 197 views
Configure Debian to connect to ONT like IPoE/DHCP router provided by the ISP
My ISP provides a pre-configured Asus router running Linaro GCC 4.6-2012.02 which connects to ONT (fibre box) via Ethernet cable. I can SSH into the router and see the WAN interface:
```
18: vlan10@eth0: mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether fc:34:97:59:**:** brd ff:ff:ff:ff:ff:ff
    inet ***.***.176.118/30 brd ***.***.176.119 scope global vlan10
       valid_lft forever preferred_lft forever
    inet6 ****:****:2600:24d0::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ****::****:97ff:fe59:ee10/64 scope link
       valid_lft forever preferred_lft forever
```
The goal is to configure a custom router running Debian 11 to do the same thing so that I could get rid of the ISP-provided router.
The ISP provides some details how to configure custom routers:
- Connection type: IPoE or DHCP
- Internet IP Address: Get Dynamically from ISP
- Domain Name Server (DNS): Get Automatically from ISP
- VLAN Tagging (sometimes called IPTV settings): VID: 10 / PRIO: 0
- SIP ALG: Disabled
- Connection Type: DHCP (with Prefix Delegation)
- Domain Name Server (DNS): Get Automatically from ISP
- Prefix length (or delegation size / ID): 56
- DHCPv6: Checked or ON
The Debian box has already been configured to use VLAN. So, for this fibre WAN I tried:
```
auto eth0.10
iface eth0.10 inet6 dhcp
    accept_ra 2
    request_prefix 1
```
But it gets stuck in requesting DHCP info and never obtains an IP address from the ISP.
How to approach this problem? The funny thing is that I have root SSH access to a Linux machine (the Asus router) which already does it, so I should by all means be able to translate its settings into Debian. But how?
Greendrake
(459 rep)
Oct 24, 2024, 02:34 AM
• Last activity: Oct 27, 2024, 02:04 PM
1 vote, 1 answer, 1687 views
How to setup a dedicated NordVPN router and gateway on linux?
The problem is this:
The only officially supported router configuration for nordvpn is to use a static config file and openvpn.
That doesn't work for me.
The question:
Using linux, how does one setup a nordvpn router/gateway that allows use of dynamic connections, nordlynx, and whatever other options available in the native nordvpn apps?
theOtherLukeN
(11 rep)
Mar 31, 2024, 01:41 AM
• Last activity: Oct 15, 2024, 01:22 AM
0 votes, 1 answer, 2484 views
Isolate subnet with DD-WRT router
I have my ISP gateway (which is a regular wifi router) which is `192.168.178.1`. This is connected to a DD-WRT router (using its WAN port).
I've had this setup for a while now and pretty much the default settings (Connection type Automatic/DHCP) worked. I set the local IP of the dd-wrt router to `192.168.0.1` and set DHCP to use the `192.168.0.xxx` subnet as well.
This worked fine and I had an **isolated** subnet. That is: The `192.168.178.xxx` subnet could not access machines on my `192.168.0.1` subnet, including the router, and vice versa.
Now I got a new router, fresh dd-wrt installation, exactly the same settings and subnets, and suddenly I'm able to access `192.168.178.1` from my PC (which is on the dd-wrt subnet).
Which setting is responsible for this, and how do I change that?
Also, the new router displays the ISP router's domain name under `WAN domain name` (`LAN domain name` is empty). The old dd-wrt router did that too, but devices on the network were **not** on that domain (they were on an empty one instead). Now with this router, devices connected to it are automatically on that domain. I would really like to prevent that as well.
I hope my question is clear enough, and here are some more of my dd-wrt router's settings:
Connection Type: Automatic Configuration - DHCP
Hostname:
Domain name:
Shortcut Forwarding Engine: Enable
STP: Disable
Local IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Gateway: 0.0.0.0
Local DNS: 0.0.0.0
DHCP Type: Server
Start IP Address: 192.168.0.100
DNSMasq for DNS: Enabled
DHCP-Authoritative: Enabled
Forced DNS redirection: Disabled
NTP Client: Enabled
IPv6: Disabled entirely
Advanced routing, Switch Config, Networking and Tunnels all on their defaults
confetti
(2134 rep)
Apr 13, 2020, 05:31 PM
• Last activity: Sep 8, 2024, 03:04 AM
37 votes, 4 answers, 77336 views
Find out network traffic per IP
We have one central server which functions as an internet gateway. This server is connected to the internet, and using iptables we forward traffic and share the internet connection among all computers in the network. This works just fine.
However, sometimes internet gets really slow. Most likely one of the users is downloading videos or other large files. I want to pinpoint the culprit. I'm thinking of installing a tool that can monitor the network traffic that passes through the server, by IP. Preferably in real time as well as an accumulated total (again by IP). Any tool that is recommended for this? Preferably something in the Ubuntu repositories.
please delete me
(2659 rep)
Apr 18, 2012, 11:19 PM
• Last activity: Sep 6, 2024, 01:57 PM
0 votes, 0 answers, 92 views
pfSense routing issues
I've got a routing issue on my pfSense box that shows the response to a ping request being routed to an IP in a separate subnet/vlan.
```
10:25:13.239238 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 9374, seq 15401, length 9
10:25:13.369458 IP 8.8.8.8 > 192.168.20.21: ICMP echo reply, id 9374, seq 15401, length 9
```
I've recently added a wireguard VPN to the box, and assigned it an interface (VPN). The internet gateway is set to send a health check to 8.8.8.8; it's reporting down based on 100% packet loss based on this routing issue.
I also believe that I am seeing:
- the response come through the WAN interface and not the VPN interface.
- the packet doesn't appear to have the reply-to flag (can't find anywhere to set this from the IG)
- the wireguard tunnel remains active throughout
- the VPN provider is ProtonVPN
I can't explain why this would happen, and have checked
- Nat rules
- UPNP
- Firewall rules
- Interface
Why would a ping response not return to its point of origin?
PowerMan2015
(103 rep)
Jul 18, 2024, 02:36 PM
0 votes, 1 answer, 527 views
How to add proxy server settings in wifi router or access point
I have a Squid proxy server running on CentOS 8.
I want to set up the proxy server in a wifi router or wireless access point so that I can force wireless clients to go through the proxy server.
Rizwan Saleem
(5 rep)
Oct 27, 2021, 06:27 AM
• Last activity: Jun 26, 2024, 05:38 AM
1 vote, 0 answers, 20 views
Router SSID disappearing from list of scanned networks on all clients periodically
I have a H68K Linkstar router with an Openwrt snapshot installed. My clients attempt to manually connect when they so choose, but the router SSID does not appear in the list of available networks. Upon refreshing, every 10 or 15 seconds for about four or five seconds, the SSID appears and the client can connect to it. However, if the client waits too long it disappears again. Connecting to it as a hidden network does not work. Any connection, once established, is maintained. The only problem is the painful discovery process. I have tried shortening the beacon interval on the Luci web UI but it should work as it was left default.
More info:
Wifi module: M7921 (Wifi 6)
Openwrt config:
```
config wifi-device 'radio0'
    option type 'mac80211'
    option path '3c0000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
    option channel '153'
    option band '5g'
    option htmode 'HT40'
    option cell_density '0'
    option country 'US'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'H68K'
    option encryption 'psk'
    option key 'XXX'
```
This occurs with all clients across Android, Windows, Linux (wpa_supplicant) etc. It occurs both with a static frequency broadcasting and auto frequency switching. It has occurred on both a 2022 and 2023 snapshot of Openwrt. I really hope this is a config setting I can change, but I fear it is a firmware bug with the out-of-tree patches to the M7921 wifi module.
Are there any tips on what setting could be causing the router to disappear from scans often? Otherwise perhaps a log that could show what the wifi driver is doing during these times.
Jack1221
(31 rep)
Apr 22, 2024, 06:13 PM
0 votes, 1 answer, 101 views
unable to connect to internet via router
I'm on Dell Latitude 3420, Devuan Daedalus GNU/Linux (based on Debian Bookworm, without systemd),
I connect to internet via mobile hotspot (using Android Phone's mobile data) at home and through a router installed by a service provider at office.
Recently, I have not been able to connect to internet at office, both ethernet and WiFi.
WiFi and LAN icons show that they are connected to the router, but no internet access.
Can someone please help me out?
What further information would be needed from my end?
I'm a Linux user since 2010. Quite used to CLI commands.
Windows OS on other office PCs connect well to the router.
Please edit tags if necessary.
Regards,
**EDIT**
*resolvconf.conf*
```
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details
resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
#name_servers=127.0.0.1
# Mirror the Debian package defaults for the below resolvers
# so that resolvconf integrates seemlessly.
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
pdnsd_conf=/etc/pdnsd.conf
unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
```
vrgovinda
(349 rep)
Jan 23, 2024, 04:04 PM
• Last activity: Jan 27, 2024, 01:51 PM
1 vote, 1 answer, 292 views
Ubuntu router using nftables blocking traffic
I'm trying to set up a simple router in Ubuntu. There are two network interfaces: eth0 - a wired network interface connected to the internet, and wlan0 - configured as an AP with IP address 10.0.9.1.
IPv4 forwarding is enabled.
I'm using dnsmasq with the following configuration:
```ini
interface=wlan0
dhcp-range=10.0.9.2,10.0.9.30,255.255.255.0,12h
dhcp-host=40:a3:6b:c1:9a:54,10.0.9.100
```
The devices connect to my AP and get assigned IP addresses correctly.
Now configuring the NAT. My nftables config looks like this:
```
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth0" tcp dport 8010 dnat to 10.0.9.100:80
        iif "eth0" tcp dport 9001 dnat to 10.0.9.100:9001
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" masquerade
    }
}
```
This setup works as expected:
* Devices connected to wlan0 can reach the internet via eth0
* Devices connected to wlan0 can connect to a server on the router at 10.0.9.1
* Device with IP 10.0.9.1.100 can be reached on port 8010 and 9001 thru eth0
However, I'd like to set up a simple firewall to protect the devices from unauthorized access. This is what I have added to my nftables config:
```
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        iifname lo accept
        icmp type echo-request limit rate 5/second accept
        ip protocol icmp drop
        iif "eth0" tcp dport { ssh, 8080 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct status dnat accept
        iif "wlan0" oif "wlan0" accept
        iif "wlan0" oif "eth0" accept
        iif "eth0" oif "wlan0" ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```
This setup does not work as expected:
* Devices connected to wlan0 **can't** reach the internet via eth0
* Devices connected to wlan0 **can't** connect to a server on the router at 10.0.9.1
* Device with IP 10.0.9.1.100 can be reached on port 8010 and 9001 thru eth0
If I disable all protection in nfconfig it works as expected:
```
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```
When I edit the `input` section, things stop working.
I'm completely new to nftables, and I have been spending the whole day trying to figure out how to get it working. Any ideas?
Thanks!
Martin Claesson
(111 rep)
Jan 15, 2024, 04:16 PM
• Last activity: Jan 16, 2024, 12:01 AM
0 votes, 1 answer, 1963 views
How to force update NTP date/time on a router?
The log of an Asus router with Padavan firmware (might be similar to OpenWrt) showed:
```
Dec 4 16:06:20 NTP Client: Synchronizing time to 0.nl.pool.ntp.org.
Oct 24 18:18:18 NTP Client: System time changed, offset: -1107989283.092767s
Oct 24 18:18:33 pppd[636]: System time change detected.
```
Something is wrong with the NTP update, because the current date is December 4th, not October 24th.
The graphical user interface has no option to update the system date/time using NTP.
How to make NTP to force updating the date/time?
Pro Backup
(5114 rep)
Dec 4, 2023, 05:54 PM
Showing page 1 of 20 total questions