Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Re: Gargoyle 1.15.x OpenWrt 24.10 EXPERIMENTAL BETA - 2025-07-02
OK, thanks for having a look.
Re: Gargoyle 1.15.x OpenWrt 24.10 EXPERIMENTAL BETA - 2025-07-02
If you have the time, installing OpenWrt 24.10.2 and verifying that it behaves correctly may be worthwhile.
If yes, listing installed packages and comparing between the two would be another step.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
New version posted which resolves a bunch of bugs since the first beta. Thanks for the feedback thus far.
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Using the same test case as before? That should be resolved…
Can you inspect your firewall config and find out what rule it is (e.g. rule_3) and then run
make_nftables_rules -p firewall -s rule_X -t "inet fw4" -c egress_restrictions -g reject
And post back the generated rules.
Probably also include the firewall config for the rule for cross reference.
Output of “nft list ruleset” is probably also helpful. If you’re concerned about revealing data you can PM me that part.
And confirming you’re running 957881fd (visible on the overview page)?
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Sure, the same test case as before. The link below has data for debugging. Please let me know if anything else is required. Thanks.
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Your rules work fine on my end.
I noted in the files you sent your firewall did not have any egress_restrictions active.
When you hit save on the GUI, can you give it 60 seconds then do a logread and see if there's any complaints from the log?
It would also be worth doing
Code:
root@Gargoyle:~# nft list chain inet fw4 egress_restrictions
table inet fw4 {
        chain egress_restrictions {
                jump egress_whitelist
                meta l4proto tcp ether saddr { 6e:2a:a8:dc:14:b1, 6e:2a:a8:dc:14:b2 } timerange hours "0-36000,79200-86340" reject with tcp reset
                ether saddr { 6e:2a:a8:dc:14:b1, 6e:2a:a8:dc:14:b2 } timerange hours "0-36000,79200-86340" reject
        }
}
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Fine to see egress_restrictions active at run time after disabling/enabling my restriction (i.e. rule_3) from the GUI. But things go wrong after rebooting the router. The firewall will not have any egress_restrictions active again. In the meantime, I see an error via logread.
Code:
root@MyWRT:~# logread | grep firewall
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: Error: syntax error, unexpected newline
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: add rule inet fw4 srcnat oifname wan mmasquerade
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: ^
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: udhcpc: started, v1.36.1
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: udhcpc: broadcasting discover
Tue Jul 15 21:42:59 2025 daemon.notice procd: /etc/rc.d/S19firewall: udhcpc: broadcasting discover
Tue Jul 15 21:43:02 2025 daemon.notice procd: /etc/rc.d/S19firewall: udhcpc: broadcasting discover
Tue Jul 15 21:43:05 2025 daemon.notice procd: /etc/rc.d/S19firewall: udhcpc: no lease, failing
Tue Jul 15 21:43:08 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
Tue Jul 15 21:44:13 2025 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Tue Jul 15 21:44:17 2025 user.notice gargoyle_firewall: Reloading gargoyle_firewall due to ifup of wan (pppoe-wan)
Tue Jul 15 21:44:40 2025 user.notice firewall: Reloading firewall due to ifup of wan_6 (pppoe-wan)
Re: Gargoyle 1.15.x OpenWrt 24.10 beta - 2025-07-13
Ahh!
Find the gargoyle firewall hotplug script
/etc/hotplug.d/iface/gargoyle_firewall (I think)
Very first line add another OR statement || to detect “wan_6”
So just copy the wan6 one and put an underscore in.
This should solve the rules disappearing.
This new OpenWrt firewall is super tricky. It fully dismantles itself every time an interface changes state. We have to jump in and do the same and I forgot that PPPoE sets up a virtual wan6 with a different name.
Oh and /usr/lib/gargoyle-firewall-util/gargoyle_firewall_util.sh has a typo on line 645. Remove the extra M from masquerade.
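An added example, not part of the thread and not Gargoyle's own code: a check for the two symptoms discussed above, a command that nft refused to load and an egress_restrictions chain left with no blocking rules. The function names are hypothetical, the log and chain samples are copied from the posts, and the empty-chain sample is constructed.

```shell
# Added example: post-boot check for the two symptoms in this thread.
# The functions take text on stdin or as arguments, so they run offline.

# Print each command nft refused to load: in logread output the offending
# command is the line right after "Error: syntax error".
nft_rejected_rules() {
    awk '
        grab { sub(/^.*firewall: /, ""); print; grab = 0; next }
        /firewall: Error: syntax error/ { grab = 1 }
    '
}

# Count rules in a chain listing that block traffic (reject/drop),
# ignoring the jump to the whitelist chain.
count_blocking_rules() {
    awk '$NF == "reject" || $NF == "drop" || / reject with / { n++ } END { print n + 0 }'
}

# Sample log lines copied from the thread.
SAMPLE_LOG='Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: Error: syntax error, unexpected newline
Tue Jul 15 21:42:56 2025 daemon.notice procd: /etc/rc.d/S19firewall: add rule inet fw4 srcnat oifname wan mmasquerade
Tue Jul 15 21:43:08 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)'

# Sample chain listing copied from the thread.
SAMPLE_CHAIN='table inet fw4 {
    chain egress_restrictions {
        jump egress_whitelist
        meta l4proto tcp ether saddr { 6e:2a:a8:dc:14:b1, 6e:2a:a8:dc:14:b2 } timerange hours "0-36000,79200-86340" reject with tcp reset
        ether saddr { 6e:2a:a8:dc:14:b1, 6e:2a:a8:dc:14:b2 } timerange hours "0-36000,79200-86340" reject
    }
}'

# Constructed: assumed shape of the chain when the restriction is missing.
EMPTY_CHAIN='table inet fw4 {
    chain egress_restrictions {
        jump egress_whitelist
    }
}'

# Non-zero exit when nft rejected a command or the chain blocks nothing.
egress_check() {   # $1 = logread text, $2 = nft list chain text
    bad=$(printf '%s\n' "$1" | nft_rejected_rules)
    n=$(printf '%s\n' "$2" | count_blocking_rules)
    [ -n "$bad" ] && printf 'rejected by nft: %s\n' "$bad"
    printf 'blocking rules in egress_restrictions: %s\n' "$n"
    [ -z "$bad" ] && [ "$n" -gt 0 ]
}

# On the router: egress_check "$(logread)" "$(nft list chain inet fw4 egress_restrictions)"
egress_check "$SAMPLE_LOG" "$SAMPLE_CHAIN" || echo "firewall needs attention"
```

Running it after a reboot or an interface change shows whether the restriction silently failed to load, which is the fail-open condition reported in this thread.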