[OpenWrt-Devel] Port forwarding strangely broken w/ multi-uplink setup + flow offloading (mt7621)

Ivan Shapovalov intelfx at intelfx.name
Wed Dec 26 23:45:39 EST 2018


On 2018-12-21 at 05:07 +0300, Ivan Shapovalov wrote:
> Hey,
> 
> (I'm sorry if I'm writing to a wrong list but I don't see any other
> channels apart from #openwrt which is likely not watched by anyone.)
> 
> I have a multi-uplink setup on a mt7621-based router (Xiaomi R3G).
> This setup uses two routing tables and connmark rules in mangle:
> 
> == 8< ==
> 
> # cat /etc/iproute2/rt_tables
> <...>
> 1       onl
> 2       rtk
> 
> # cat /etc/config/network
> <...>
> config interface 'onl'
> 	<...>
> 	option ip4table 'onl'
> 
> config interface 'rtk'
> 	<...>
> 	option ip4table 'rtk'
> 
> config rule
>         option priority '40000'
>         option mark '1'
>         option lookup 'onl'
> 
> config rule
>         option priority '40001'
>         option mark '2'
>         option lookup 'rtk'
> 
> config rule
>         option priority '40002'
>         option mark '0'
>         option lookup 'rtk'
> 
> # cat /etc/firewall.user
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t mangle -N PREROUTING-NEW
> 
> iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j PREROUTING-NEW
> iptables -t mangle -A PREROUTING-NEW -i eth0.2 -j CONNMARK --set-mark 1 # onl
> iptables -t mangle -A PREROUTING-NEW -i eth0.3 -j CONNMARK --set-mark 2 # rtk
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> 
> == 8< ==
> 
> ("onl" and "rtk" are ISP names)
> 
> Then, let's suppose we have two port forwarding rules:
> 
> == 8< ==
> 
> # cat /etc/config/firewall
> <...>
> config redirect
>         option target 'DNAT'
>         option src 'wan'
>         option dest 'lan'
>         option src_dport '12345'
>         option dest_ip '10.196.254.2'
>         option dest_port '12345'
>         option name 'test'
>         option proto 'tcp'
> 
> config redirect
>         option target 'DNAT'
>         option src 'wan'
>         option dest 'lan'
>         option src_dport '80'
>         option dest_ip '10.196.254.2'
>         option dest_port '80'
>         option name 'test'
>         option proto 'tcp'
> 
> == 8< ==
> 
> Port 80 is handled by Nginx, port 12345 is handled by `python3 -m
> http.server 12345` (this is significant).
> 
> The problem is: requests on port 12345 on both uplinks are correctly
> handled, but requests on port 80 are only responded to on the "rtk"
> uplink and time out on the "onl" uplink.
> 
> Observations:
> 
> If I change the catch-all routing rule (priority 40002) to point to
> "onl" table, the situation reverses.
> 
> If I kill the Nginx worker (e.g. issue a reload), the response goes
> through.
> 
> Everything works fine when offloading is completely disabled. (The
> problem manifests with either software or hardware offloading.)
> 
> Any clues?
> 
> Thanks,

Anyone?

Thanks,
-- 
Ivan Shapovalov / intelfx /