[OpenWrt-Devel] Port forwarding strangely broken w/ multi-uplink setup + flow offloading (mt7621)

Ivan Shapovalov intelfx at intelfx.name
Thu Dec 20 21:07:12 EST 2018


Hey,

(I'm sorry if I'm writing to the wrong list, but I don't see any other
channels apart from #openwrt, which is likely not watched by anyone.)

I have a multi-uplink setup on a mt7621-based router (Xiaomi R3G).
This setup uses two routing tables and connmark rules in mangle:

== 8< ==

# cat /etc/iproute2/rt_tables
<...>
1       onl
2       rtk

# cat /etc/config/network
<...>
config interface 'onl'
	<...>
	option ip4table 'onl'

config interface 'rtk'
	<...>
	option ip4table 'rtk'

config rule
        option priority '40000'
        option mark '1'
        option lookup 'onl'

config rule
        option priority '40001'
        option mark '2'
        option lookup 'rtk'

config rule
        option priority '40002'
        option mark '0'
        option lookup 'rtk'

# cat /etc/firewall.user
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N PREROUTING-NEW

iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j PREROUTING-NEW
iptables -t mangle -A PREROUTING-NEW -i eth0.2 -j CONNMARK --set-mark 1 # onl
iptables -t mangle -A PREROUTING-NEW -i eth0.3 -j CONNMARK --set-mark 2 # rtk
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

== 8< ==

("onl" and "rtk" are ISP names)

Then, let's suppose we have two port forwarding rules:

== 8< ==

# cat /etc/config/firewall
<...>
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '12345'
        option dest_ip '10.196.254.2'
        option dest_port '12345'
        option name 'test'
        option proto 'tcp'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '80'
        option dest_ip '10.196.254.2'
        option dest_port '80'
        option name 'test'
        option proto 'tcp'

== 8< ==

Port 80 is handled by Nginx, port 12345 is handled by `python3 -m
http.server 12345` (this is significant).

The problem is: requests on port 12345 on both uplinks are correctly
handled, but requests on port 80 are only answered on the "rtk" uplink and
time out on the "onl" uplink.

Observations:

If I change the catch-all routing rule (priority 40002) to point to
"onl" table, the situation reverses.

If I kill the Nginx worker (e.g. issue a reload), the response goes
through.

Everything works fine when offloading is completely disabled. (The
problem manifests with either software or hardware offloading.)

Any clues?

Thanks,
-- 
Ivan Shapovalov / intelfx /
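The following is an added example, not part of the post above: a small Python model of the connmark-based policy routing the post configures, useful for reasoning about which routing table a reply packet ends up in. The interface names (eth0.2, eth0.3), marks and table names are taken from the quoted configuration; the packet pipeline itself is a constructed simplification, and the `reply_traverses_mangle=False` switch is purely an assumption for illustration (a reply that reaches the routing decision without the `--restore-mark` step), not something the post establishes about offloading.

```python
# Added example (not from the post): model of the connmark policy routing
# described in the message.  Interface names, marks and table names come
# from the quoted config; the flow simulation is a constructed simplification.

IFACE_MARK = {"eth0.2": 1, "eth0.3": 2}  # PREROUTING-NEW: onl -> 1, rtk -> 2


def make_rules(catch_all="rtk"):
    """Routing rules from /etc/config/network as (priority, fwmark, table).
    An fwmark of 0 matches every packet, which is why the post calls the
    priority-40002 rule the catch-all."""
    return [(40000, 1, "onl"), (40001, 2, "rtk"), (40002, 0, catch_all)]


def lookup_table(packet_mark, rules):
    """Policy routing decision: the first rule (by priority) whose fwmark
    matches the packet mark decides the table."""
    for _prio, fwmark, table in sorted(rules):
        if fwmark == 0 or fwmark == packet_mark:
            return table
    return "main"  # constructed fallback; no rule in the post reaches this


def mangle_prerouting(conntrack, flow, iface, new):
    """Mangle PREROUTING from /etc/firewall.user: on a NEW connection set the
    connmark from the ingress interface, then always copy the connmark back
    onto the packet (CONNMARK --restore-mark).  Returns the packet mark."""
    if new:
        conntrack[flow] = IFACE_MARK.get(iface, 0)
    return conntrack.get(flow, 0)


def reply_table(uplink_iface, catch_all="rtk", reply_traverses_mangle=True):
    """Table used to route the LAN host's reply for a DNATed connection that
    arrived on uplink_iface.  reply_traverses_mangle=False is an assumption
    for illustration: a reply packet that reaches the routing decision
    without the restore-mark step, so it carries mark 0."""
    conntrack = {}
    flow = ("tcp", uplink_iface, 80)  # constructed flow key
    mangle_prerouting(conntrack, flow, uplink_iface, new=True)  # inbound SYN
    if reply_traverses_mangle:
        mark = mangle_prerouting(conntrack, flow, "br-lan", new=False)  # reply
    else:
        mark = 0
    return lookup_table(mark, make_rules(catch_all))


def reply_leaves_correct_uplink(uplink_iface, **kwargs):
    """True when the reply is routed back through the uplink it came in on."""
    expected = {"eth0.2": "onl", "eth0.3": "rtk"}[uplink_iface]
    return reply_table(uplink_iface, **kwargs) == expected


if __name__ == "__main__":
    for iface in ("eth0.2", "eth0.3"):
        for traverses in (True, False):
            print(iface, "mangle" if traverses else "no-mangle",
                  reply_table(iface, reply_traverses_mangle=traverses))
```

With the restore-mark step in place every reply lands in the table matching its ingress uplink. With the step skipped, all replies fall through to the catch-all, so only the uplink the catch-all points at still answers, and swapping the catch-all to "onl" flips which uplink works, which is the asymmetry the post observes. The model shows only that the configured rules behave this way for an unmarked packet; it does not show what offloading does to the mark.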