[LEDE-DEV] LEDE static routes not working when masquerade/firewall is on

Mauro Mozzarelli openwrt at ezplanet.net
Tue Jan 10 08:16:57 PST 2017


Hello,

When I switched from OpenWrt to LEDE static routes configured on my 
network stopped working.

My configuration is as follows:


                           Internet ADSL
                                 |
                                 |
Internet ADSL                Router C
[Dynamic IP]              [Public Subnet P]
       |                         |
       |                 Address on Subnet P
   Router B                   Router A -------------- VPN to 192.168.2.0
  192.168.1.5               192.168.1.1
       |                         |
       |                         |
       --------------------------- [Private LAN 192.168.1.0]
         |
      Host X
     Default Router 192.168.1.5


Router A is configured to Masquerade traffic from 192.168.1.0 through 
its port on Subnet P.
Router C is the default router for Public Subnet P.
Router B is configured with a static route to Public Subnet P through 
192.168.1.1.
I want traffic from Hosts with 192.168.1.5 default route to Public 
Subnet P to go via 192.168.1.1 (instead of through the internet).
I want traffic from Hosts with 192.168.1.5 default route to VPN 
192.168.2.0 to go via 192.168.1.1.
On Router B I configure a static route directing traffic for Public 
Subnet P through 192.168.1.1.
On Router B I configure a static route directing traffic for VPN 
192.168.2.0 through 192.168.1.1.

Behaviour from Host X:

- Using OpenWRT (any version including latest trunk):
   I can ping any host on Public Subnet P or VPN 192.168.2.0
   I can http/https, use any protocol to any host on Public Subnet P or 
VPN 192.168.2.0

- Using LEDE up to build r2713 (the latest I tried):
   I can ping any host on Public Subnet P or VPN 192.168.2.0
   Any attempt to connect using any other internet protocol to any host 
in Public Subnet P or VPN 192.168.2.0 fails.

However if I disable Masquerading or the firewall altogether in Router B 
my connections succeed.

It looks as if response packets are somehow blocked by the firewall 
before they reach Host X (I can see connections coming on the hosts in 
Public Subnet P, and responses returning, but not reaching Host X).

I tried to add a specific directive to the Router B firewall to let 
through packets from Public Subnet P, but it is not working.
The only workaround I found working is to create a SNAT rule on Router B 
to rewrite the source IP to 192.168.1.5 with destination Public Subnet 
P. This however should be unnecessary if the routing worked properly.

When I use OpenWRT and I ping hosts on Subnet P from Host X I get an 
initial notification that the router is 192.168.1.1.
With LEDE installed I do not get such notification.


Are you aware of what was changed in LEDE that makes static routes no 
longer work properly?

Thank you in advance.
