
OMR-Bypass doesn't work for subdomains (or only works for top-level domains) #3693

Closed
Schinkentanz opened this issue Dec 1, 2024 · 29 comments

@Schinkentanz

Expected Behavior

When using OMR-Bypass with netflix enabled in "Protocols and services" or nflxvideo.net configured as a domain in "Domains", the bypass should work not only for the top-level domain, but also for any subdomain (e.g. random.sub.domain.name.nflxvideo.net).

Note

Netflix is just an example, it's the same for any other subdomain.
It also doesn't work if only one bypass option is used.

Current Behavior

When running traceroute nflxvideo.net on a device where the MPTCP router is configured as the DNS server, the request is correctly routed through the configured master interface:

❯ traceroute nflxvideo.net
traceroute: Warning: nflxvideo.net has multiple addresses; using 107.20.175.192
traceroute to nflxvideo.net (107.20.175.192), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  6.355 ms  3.000 ms  2.871 ms
 2  openmptcprouter.lan (192.168.42.1)  3.322 ms  3.011 ms  3.210 ms
 3  192.168.178.1 (192.168.178.1)  6.758 ms  5.734 ms  5.293 ms
.... <redacted>

When running traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net on the same device, the request will not be routed through the configured master interface, but will use the VPS:

❯ traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
traceroute to ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net (198.38.109.219), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  6.151 ms  3.118 ms  2.984 ms
 2  openmptcprouter.lan (192.168.42.1)  3.307 ms  3.451 ms  4.952 ms
 3  10.255.252.1 (10.255.252.1)  18.369 ms  17.544 ms  17.893 ms
.... <redacted>

Steps to Reproduce the Problem

Note

Tested at time of issue creation

  1. Install the latest snapshot on a fresh VPS (as described in Wiki)
  2. Install the latest snapshot squashfs image for RPI5 on an empty SD card
  3. Set up the router in a minimal way
    1. Add server IP & key
    2. Add 2 WAN interfaces
    3. Set up OMR-Bypass as described above
    4. Use traceroute on any connected client

Specifications

  • OpenMPTCProuter version: openmptcprouter-v0.62-snapshot-6.6-r0+28016-48028cd102-bcm27xx-bcm2712-rpi-5-squashfs-factory
  • OpenMPTCProuter VPS version: 0.1032-test 6.6.36-x64v2-xanmod1
  • OpenMPTCProuter platform: RPI5
@Ysurac
Owner

Ysurac commented Dec 2, 2024

Are you sure you are using only the OpenMPTCProuter IP address as DNS?

@Schinkentanz
Author

Yes, the IP address of the OpenMPTCProuter is the only configured DNS server:

❯ scutil --dns | grep nameserver
  nameserver[0] : 192.168.42.1
❯ dig +noall +stats ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
;; Query time: 27 msec
;; SERVER: 192.168.42.1#53(192.168.42.1)
;; WHEN: Mon Dec 02 14:23:50 CET 2024
;; MSG SIZE  rcvd: 88
❯ dig +noall +stats nflxvideo.net
;; Query time: 56 msec
;; SERVER: 192.168.42.1#53(192.168.42.1)
;; WHEN: Mon Dec 02 14:23:54 CET 2024
;; MSG SIZE  rcvd: 90

@Ysurac
Owner

Ysurac commented Dec 3, 2024

What is the result of /etc/init.d/omr-bypass restart and /etc/init.d/firewall restart via SSH on the router?
I would also need the result of nft list ruleset.

@Schinkentanz
Author

Sure, thanks for taking a closer look!

root@OpenMPTCProuter:~# /etc/init.d/omr-bypass restart
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# /etc/init.d/firewall restart
Section omr_dst_bypass_eth0_dstip_4 (omr_dst_bypass_eth0_rule) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstip_4_accept (omr_dst_bypass_eth0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcip_4 (omr_dst_bypass_eth0_srcip) is disabled, ignoring section
Section omr_dst_bypass_eth0_mac_4 (omr_dst_bypass_eth0_mac) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_tcp_4 (omr_dst_bypass_eth0_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_eth0_srcport_udp_4 (omr_dst_bypass_eth0_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_tcp_4 (omr_dst_bypass_eth0_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_eth0_dstport_udp_4 (omr_dst_bypass_eth0_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstip_4 (omr_dst_bypass_wan1_rule) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstip_4_accept (omr_dst_bypass_wan1_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcip_4 (omr_dst_bypass_wan1_srcip) is disabled, ignoring section
Section omr_dst_bypass_wan1_mac_4 (omr_dst_bypass_wan1_mac) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcport_tcp_4 (omr_dst_bypass_wan1_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan1_srcport_udp_4 (omr_dst_bypass_wan1_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstport_tcp_4 (omr_dst_bypass_wan1_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan1_dstport_udp_4 (omr_dst_bypass_wan1_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstip_4 (omr_dst_bypass_wan2_rule) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstip_4_accept (omr_dst_bypass_wan2_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcip_4 (omr_dst_bypass_wan2_srcip) is disabled, ignoring section
Section omr_dst_bypass_wan2_mac_4 (omr_dst_bypass_wan2_mac) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcport_tcp_4 (omr_dst_bypass_wan2_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan2_srcport_udp_4 (omr_dst_bypass_wan2_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstport_tcp_4 (omr_dst_bypass_wan2_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_wan2_dstport_udp_4 (omr_dst_bypass_wan2_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4 (omr_dst_bypass_tun0_rule) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstip_4_accept (omr_dst_bypass_tun0_rule_accept) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcip_4 (omr_dst_bypass_tun0_srcip) is disabled, ignoring section
Section omr_dst_bypass_tun0_mac_4 (omr_dst_bypass_tun0_mac) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_tcp_4 (omr_dst_bypass_tun0_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_tun0_srcport_udp_4 (omr_dst_bypass_tun0_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_tcp_4 (omr_dst_bypass_tun0_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_tun0_dstport_udp_4 (omr_dst_bypass_tun0_dstport_udp) is disabled, ignoring section
Section omr_dst_bypass_all_srcip_4 (omr_dst_bypass_all_srcip) is disabled, ignoring section
Section omr_dst_bypass_all_mac_4 (omr_dst_bypass_all_mac) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_tcp_4 (omr_dst_bypass_all_srcport_tcp) is disabled, ignoring section
Section omr_dst_bypass_all_srcport_udp_4 (omr_dst_bypass_all_srcport_udp) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_tcp_4 (omr_dst_bypass_all_dstport_tcp) is disabled, ignoring section
Section omr_dst_bypass_all_dstport_udp_4 (omr_dst_bypass_all_dstport_udp) is disabled, ignoring section
Section user specifies unreachable path '/etc/firewall.user', ignoring section
Section omr_bypass option 'reload' is not supported by fw4
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# nft list ruleset
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
		counter packets 10115 bytes 10363839 jump omr-bypass-dpi
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		counter packets 278 bytes 101655 jump omr-bypass-dpi
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain omr-bypass-dpi {
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sane {
		type "sane" protocol tcp
		l3proto inet
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set bypass_netflix {
		type ipv4_addr
		elements = { 23.246.0.0, 37.77.184.0,
			     45.57.0.0, 64.120.128.0,
			     66.197.128.0, 69.53.224.0,
			     108.175.32.0, 185.2.220.0,
			     185.9.188.0, 192.173.64.0,
			     198.38.96.0, 198.45.48.0,
			     207.45.72.0, 208.75.76.0 }
	}

	set bypass6_netflix {
		type ipv6_addr
	}

	set omr_dscp_cs0_4 {
		type ipv4_addr
	}

	set omr_dscp_cs1_4 {
		type ipv4_addr
	}

	set omr_dscp_cs2_4 {
		type ipv4_addr
		elements = { 74.125.206.188, 142.251.36.238 }
	}

	set omr_dscp_cs3_4 {
		type ipv4_addr
	}

	set omr_dscp_cs4_4 {
		type ipv4_addr
	}

	set omr_dscp_cs5_4 {
		type ipv4_addr
	}

	set omr_dscp_cs6_4 {
		type ipv4_addr
	}

	set omr_dscp_cs7_4 {
		type ipv4_addr
	}

	set omr_dscp_ef_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_wan1_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_wan1_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_wan2_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_wan2_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_tun0_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_tun0_6 {
		type ipv6_addr
	}

	set omr_dst_bypass_all_4 {
		type ipv4_addr
		elements = { 3.251.50.149, 18.236.7.30,
			     23.218.165.59, 34.160.111.145,
			     34.252.74.1, 54.74.73.31,
			     54.155.178.5, 107.20.175.192,
			     207.45.72.215 }
	}

	set omr_dst_bypass_all_6 {
		type ipv6_addr
	}

	set ss_rules_src_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_checkdst {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_checkdst {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_remote_servers {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { <redacted - vps ip> }
	}

	set ss_rules6_remote_servers {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass_ {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     100.64.0.0/10, 127.0.0.0/8,
			     169.254.0.0/16, 172.16.0.0/12,
			     192.0.0.0/24, 192.0.2.0/24,
			     192.31.196.0/24, 192.52.193.0/24,
			     192.88.99.0/24, 192.168.0.0/16,
			     192.175.48.0/24, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/3 }
	}

	set ss_rules6_dst_bypass_ {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     64:ff9b:1::/48,
			     100::/64,
			     2001::/23,
			     fc00::/7,
			     fe80::/10 }
	}

	set ss_rules_dst_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_forward_rrst_ {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward_rrst_ {
		type ipv6_addr
		flags interval
		auto-merge
	}

	chain ss_rules_pre_tcp {
		type nat hook prerouting priority filter + 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto tcp iifname { "lo", "eth0" } goto ss_rules_pre_src_tcp
	}

	chain ss_rules_pre_src_tcp {
		ip daddr @ss_rules_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		goto ss_rules_src_tcp
	}

	chain ss_rules_src_tcp {
		ip saddr @ss_rules_src_bypass accept
		ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
		ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
		ip6 saddr @ss_rules6_src_bypass accept
		ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
		ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_dst_tcp {
		ip daddr @ss_rules_dst_bypass accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
		ip6 daddr @ss_rules6_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_forward_tcp {
		meta l4proto tcp redirect to :1100
	}

	chain ss_rules_local_out {
		type nat hook output priority filter - 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto != tcp accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_bypass_ accept
		ip daddr @ss_rules_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass accept
		goto ss_rules_forward_tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan1", "wan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		icmp type echo-request limit rate 1000/second counter packets 11 bytes 15048 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
		iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan1", "wan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		meta nfproto ipv4 meta mark 0x00004539 counter packets 0 bytes 0 accept comment "!fw4: omr_dst_bypass_all_rule_accept"
		oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan1", "wan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
		jump handle_reject
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		icmp type echo-request limit rate 1000/second counter packets 21 bytes 19740 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 12 bytes 15356 drop comment "!fw4: Block QUIC All"
		counter packets 7483 bytes 7922806 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 7483 bytes 7922806 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 1 bytes 216 accept comment "!fw4: ICMPv6-Lan-to-OMR"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		counter packets 44 bytes 2331 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 13 bytes 520 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname "eth0" counter packets 33 bytes 2263 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "eth0" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 2 bytes 432 accept comment "!fw4: Allow IPv6 ICMP"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
		meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan1", "wan2" } ct state invalid counter packets 1 bytes 64 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan1", "wan2" } counter packets 96 bytes 19112 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan1", "wan2" } counter packets 2 bytes 278 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan1", "wan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_vpn {
		meta l4proto { icmp, ipv6-icmp } counter packets 0 bytes 0 accept comment "!fw4: Allow-VPN-ICMP"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_vpn
	}

	chain output_vpn {
		jump accept_to_vpn
	}

	chain forward_vpn {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_vpn
	}

	chain accept_to_vpn {
		meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 8 bytes 519 drop comment "!fw4: Prevent NAT leakage"
		oifname "tun0" counter packets 96 bytes 6885 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
	}

	chain reject_from_vpn {
		iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan1", "wan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_vpn {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth0" ip daddr @bypass_netflix counter packets 0 bytes 0 meta mark set 0x00004539 comment "!fw4: bypass_"
		iifname "eth0" ip6 daddr @bypass6_netflix counter packets 0 bytes 0 meta mark set 0x00006539 comment "!fw4: bypass6_"
		iifname "eth0" ip daddr @omr_dst_bypass_all_4 counter packets 16 bytes 640 meta mark set 0x00004539 comment "!fw4: omr_dst_bypass_all_rule"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
		oifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 43 bytes 26256 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 12 bytes 912 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
		iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
		iifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
root@OpenMPTCProuter:~#

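An added example (not code from the issue or from the OpenMPTCProuter project) that parses the set definitions quoted in the dumps above and in the later comment, and checks whether the two traceroute destinations would be matched by an `ip daddr @set` rule. It models nft set semantics as I read them: without `flags interval` every element is a single host address, so the first dump's bypass_netflix entries such as 198.38.96.0 cover only that one address, while the later dump's interval set with /19 prefixes covers 198.38.109.219; the apex name's address 107.20.175.192 is matched only via the domain-resolved set omr_dst_bypass_all_4.

```python
import ipaddress
import re

# Set definitions copied from the two `nft list ruleset` dumps in this thread.
# First dump: plain addresses, no `flags interval`.
SET_NETFLIX_BEFORE = """
set bypass_netflix {
    type ipv4_addr
    elements = { 23.246.0.0, 37.77.184.0,
                 45.57.0.0, 64.120.128.0,
                 66.197.128.0, 69.53.224.0,
                 108.175.32.0, 185.2.220.0,
                 185.9.188.0, 192.173.64.0,
                 198.38.96.0, 198.45.48.0,
                 207.45.72.0, 208.75.76.0 }
}
"""
# Later dump (after the snapshot update): interval set with CIDR prefixes.
SET_NETFLIX_AFTER = """
set bypass_netflix {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 23.246.0.0/18, 37.77.184.0/21,
                 45.57.0.0/17, 64.120.128.0/17,
                 66.197.128.0/17, 69.53.224.0/19,
                 108.175.32.0/20, 185.2.220.0/22,
                 185.9.188.0/22, 192.173.64.0/18,
                 198.38.96.0/19, 198.45.48.0/20,
                 207.45.72.0/22, 208.75.76.0/22 }
}
"""
# First dump: the set that holds addresses resolved for the configured domains.
SET_DOMAIN_ALL = """
set omr_dst_bypass_all_4 {
    type ipv4_addr
    elements = { 3.251.50.149, 18.236.7.30,
                 23.218.165.59, 34.160.111.145,
                 34.252.74.1, 54.74.73.31,
                 54.155.178.5, 107.20.175.192,
                 207.45.72.215 }
}
"""

# Destination addresses taken from the traceroutes in the issue.
ADDR_APEX = "107.20.175.192"       # nflxvideo.net
ADDR_SUBDOMAIN = "198.38.109.219"  # ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net


def parse_nft_set(text):
    """Return (name, has_interval, [ip_network, ...]) for one nft set block.

    Modelled nft semantics (my reading, not project code): without
    `flags interval` every element is a single host, so a bare 198.38.96.0
    is treated as 198.38.96.0/32; prefixes and ranges are only accepted
    when the interval flag is present.
    """
    name = re.search(r"set\s+(\S+)\s*\{", text).group(1)
    has_interval = re.search(r"^\s*flags\b.*\binterval\b", text, re.M) is not None
    body = re.search(r"elements\s*=\s*\{([^}]*)\}", text, re.S)
    elements = [e.strip() for e in body.group(1).split(",")] if body else []
    networks = []
    for elem in elements:
        if not elem:
            continue
        if ("-" in elem or "/" in elem) and not has_interval:
            raise ValueError(f"{name}: element {elem!r} needs 'flags interval'")
        if "-" in elem:
            lo, hi = (ipaddress.ip_address(x) for x in elem.split("-"))
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        elif "/" in elem:
            networks.append(ipaddress.ip_network(elem, strict=False))
        else:
            networks.append(ipaddress.ip_network(elem + "/32"))
    return name, has_interval, networks


def matching_element(setdef, addr):
    """Return the set element matching `addr`, or None if `ip daddr @set` misses."""
    _, _, networks = parse_nft_set(setdef)
    a = ipaddress.ip_address(addr)
    for net in networks:
        if a in net:
            return str(net)
    return None


def would_bypass(addr, *setdefs):
    """True if any of the given mangle_prerouting sets would mark this destination."""
    return any(matching_element(s, addr) is not None for s in setdefs)


if __name__ == "__main__":
    for label, addr in (("apex", ADDR_APEX), ("subdomain", ADDR_SUBDOMAIN)):
        print(label, addr,
              "netflix(before):", matching_element(SET_NETFLIX_BEFORE, addr),
              "netflix(after):", matching_element(SET_NETFLIX_AFTER, addr),
              "domain-set:", matching_element(SET_DOMAIN_ALL, addr))
```
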
@Ysurac Ysurac self-assigned this Dec 4, 2024
@Ysurac
Owner

Ysurac commented Dec 5, 2024

Can you try the latest snapshots? I fixed some issues.

@Schinkentanz
Author

Thanks for the update @Ysurac. I've tried the latest snapshot and it fixes the initial problem, but when adding the amazon_aws or whatsapp services, the routing for netflix no longer works (the configured domains, e.g. ifconfig.me, are still routed correctly). I've also installed Pi-Hole, but the behaviour is the same with or without it. If I remove these services, the routing works correctly again.

❯ ✅ traceroute nflxvideo.net
 1  192.168.0.1 (192.168.0.1)  14.499 ms  3.236 ms  3.097 ms
 2  openmptcprouter.lan (192.168.42.1)  3.622 ms  3.193 ms  3.210 ms
 3  192.168.178.1 (192.168.178.1)  6.173 ms  4.882 ms  7.659 ms
.... <redacted>
❯ ❌ traceroute ipv4-c088-ord001-dev-ix.1.oca.nflxvideo.net
 1  192.168.0.1 (192.168.0.1)  5.764 ms  3.356 ms  2.895 ms
 2  openmptcprouter.lan (192.168.42.1)  4.613 ms  3.508 ms  3.238 ms
 3  10.255.252.1 (10.255.252.1)  19.042 ms  18.521 ms  18.231 ms
❯ ✅ traceroute ifconfig.me
 1  192.168.0.1 (192.168.0.1)  17.401 ms  5.172 ms  2.744 ms
 2  openmptcprouter.lan (192.168.42.1)  3.666 ms  3.492 ms  3.403 ms
 3  192.168.178.1 (192.168.178.1)  6.686 ms  5.141 ms  5.029 ms
❯ ✅ traceroute random.subdomain.ifconfig.me
traceroute to random.subdomain.ifconfig.me (34.160.111.145), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  5.068 ms  3.177 ms  3.054 ms
 2  openmptcprouter.lan (192.168.42.1)  3.916 ms  3.745 ms  3.351 ms
 3  192.168.178.1 (192.168.178.1)  5.865 ms  10.092 ms  11.031 ms
❯ ✅ traceroute email-smtp.eu-west-1.amazonaws.com
 1  192.168.0.1 (192.168.0.1)  95.632 ms  3.041 ms  3.114 ms
 2  openmptcprouter.lan (192.168.42.1)  3.851 ms  3.352 ms  3.226 ms
 3  192.168.178.1 (192.168.178.1)  5.643 ms  6.034 ms  5.265 ms

Note

The output for nft list ruleset also includes rules for whatsapp, even though I've completely removed the service.
The configured domains are:

  • ifconfig.me

The configured services are:

  • netflix
  • amazon_aws

Output of "nft list ruleset":
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
		counter packets 15418 bytes 2577720 jump omr-bypass-dpi
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		counter packets 1273 bytes 222381 jump omr-bypass-dpi
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain omr-bypass-dpi {
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sane {
		type "sane" protocol tcp
		l3proto inet
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set bypass_netflix {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 23.246.0.0/18, 37.77.184.0/21,
			     45.57.0.0/17, 64.120.128.0/17,
			     66.197.128.0/17, 69.53.224.0/19,
			     108.175.32.0/20, 185.2.220.0/22,
			     185.9.188.0/22, 192.173.64.0/18,
			     198.38.96.0/19, 198.45.48.0/20,
			     207.45.72.0/22, 208.75.76.0/22 }
	}

	set bypass6_netflix {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set bypass_whatsapp {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 3.33.221.48, 3.33.252.61,
			     15.197.206.217, 15.197.210.208,
			     31.13.64.60/31, 31.13.65.49-31.13.65.50,
			     31.13.66.51, 31.13.66.56,
			     31.13.67.52/31, 31.13.68.60/31,
			     31.13.69.60/31, 31.13.70.49-31.13.70.50,
			     31.13.71.49-31.13.71.50, 31.13.72.48,
			     31.13.72.52, 31.13.73.52/31,
			     31.13.74.52/31, 31.13.75.60/31,
			     31.13.76.60/31, 31.13.77.60/31,
			     31.13.78.60/31, 31.13.79.53-31.13.79.54,
			     31.13.80.48, 31.13.80.53,
			     31.13.81.48, 31.13.81.53,
			     31.13.82.51, 31.13.82.55,
			     31.13.83.49, 31.13.83.51,
			     31.13.84.49, 31.13.84.51,
			     31.13.85.49, 31.13.85.51,
			     31.13.86.49, 31.13.86.51,
			     31.13.87.48, 31.13.87.51,
			     31.13.88.60/31, 31.13.89.53-31.13.89.54,
			     31.13.90.60/31, 31.13.91.60/31,
			     31.13.92.48, 31.13.92.52,
			     31.13.93.53-31.13.93.54, 31.13.94.52,
			     31.13.94.54, 31.13.95.60/31,
			     34.192.181.12, 34.193.38.112,
			     34.194.71.217, 34.194.255.230,
			     69.171.250.60/31, 102.132.96.54/31,
			     102.132.97.54/31, 102.132.98.60/31,
			     102.132.99.60/31, 102.132.100.60/31,
			     102.132.101.60/31, 102.132.102.60/31,
			     102.132.103.60/31, 102.132.104.60/31,
			     102.132.105.60/31, 102.132.106.60/31,
			     102.132.107.60/31, 102.132.108.60/31,
			     102.132.109.60/31, 102.132.110.60/31,
			     102.132.111.60/31, 157.240.0.60/31,
			     157.240.1.60/31, 157.240.2.53-157.240.2.54,
			     157.240.3.54/31, 157.240.4.60/31,
			     157.240.5.60/31, 157.240.6.53-157.240.6.54,
			     157.240.7.53-157.240.7.54, 157.240.8.53-157.240.8.54,
			     157.240.9.53-157.240.9.54, 157.240.10.53-157.240.10.54,
			     157.240.11.53-157.240.11.54, 157.240.12.53-157.240.12.54,
			     157.240.13.54/31, 157.240.14.52/31,
			     157.240.15.60/31, 157.240.16.52/31,
			     157.240.17.60/31, 157.240.18.52/31,
			     157.240.19.53-157.240.19.54, 157.240.20.52/31,
			     157.240.21.52/31, 157.240.22.53-157.240.22.54,
			     157.240.23.53-157.240.23.54, 157.240.24.60/31,
			     157.240.25.60/31, 157.240.26.54/31,
			     157.240.27.54/31, 157.240.28.51,
			     157.240.28.55, 157.240.29.60/31,
			     157.240.30.54/31, 157.240.31.60/31,
			     157.240.192.52, 157.240.192.55,
			     157.240.193.60/31, 157.240.194.54/31,
			     157.240.195.54, 157.240.195.56,
			     157.240.196.60/31, 157.240.197.60/31,
			     157.240.198.60/31, 157.240.199.60/31,
			     157.240.200.60/31, 157.240.201.60/31,
			     157.240.202.60/31, 157.240.203.60/31,
			     157.240.204.60/31, 157.240.205.60/31,
			     157.240.206.60/31, 157.240.207.60/31,
			     157.240.208.60/31, 157.240.209.60/31,
			     157.240.210.60/31, 157.240.211.60/31,
			     157.240.212.60/31, 157.240.213.60/31,
			     157.240.214.60/31, 157.240.215.60/31,
			     157.240.216.60/31, 157.240.217.60/31,
			     157.240.218.60/31, 157.240.219.60/31,
			     157.240.220.60/31, 157.240.221.60/31,
			     157.240.222.60/31, 157.240.223.60/31,
			     157.240.224.60/31, 157.240.225.60/31,
			     157.240.226.60/31, 157.240.227.60/31,
			     157.240.228.60/31, 157.240.229.60/31,
			     157.240.231.60/31, 157.240.232.60/31,
			     157.240.233.60/31, 157.240.234.60/31,
			     157.240.235.60/31, 157.240.236.60/31,
			     157.240.237.60/31, 157.240.238.60/31,
			     157.240.239.60/31, 157.240.240.60/31,
			     157.240.241.60/31, 157.240.242.60/31,
			     157.240.243.60/31, 157.240.244.60/31,
			     157.240.245.60/31, 157.240.246.60/31,
			     157.240.247.60/31, 157.240.248.60/31,
			     157.240.249.60/31, 157.240.250.60/31,
			     157.240.251.60/31, 157.240.252.60/31,
			     157.240.253.60/31, 157.240.254.60/31,
			     163.70.128.60/31, 163.70.129.60/31,
			     163.70.130.60/31, 163.70.131.60/31,
			     163.70.132.60/31, 163.70.133.60/31,
			     163.70.134.60/31, 163.70.135.60/31,
			     163.70.136.60/31, 163.70.137.60/31,
			     163.70.138.60/31, 163.70.139.60/31,
			     163.70.140.60/31, 163.70.141.60/31,
			     163.70.142.60/31, 163.70.143.60/31,
			     163.70.144.60/31, 163.70.145.60/31,
			     163.70.146.60/31, 163.70.147.60/31,
			     163.70.148.60/31, 163.70.149.60/31,
			     163.70.150.60/31, 163.70.151.60/31,
			     163.70.152.60/31, 163.70.153.60/31,
			     163.70.154.60/31, 163.70.155.60/31,
			     163.70.156.60/31, 163.70.157.60/31,
			     163.70.158.60/31, 163.70.159.60/31,
			     179.60.192.49, 179.60.192.51,
			     179.60.193.60/31, 179.60.194.53-179.60.194.54,
			     179.60.195.49, 179.60.195.51,
			     185.60.216.53-185.60.216.54, 185.60.217.53-185.60.217.54,
			     185.60.218.53-185.60.218.54, 185.60.219.60/31 }
	}

	set bypass6_whatsapp {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set bypass_amazon_aws {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 3.0.0.0-3.2.5.255, 3.2.8.0/21,
			     3.2.48.0-3.2.56.255, 3.3.0.0-3.3.2.255,
			     3.3.5.0-3.3.33.255, 3.4.0.0-3.4.4.255,
			     3.4.6.0/24, 3.4.8.0-3.4.10.255,
			     3.4.15.0/28, 3.4.16.0-3.4.47.255,
			     3.5.0.0-3.5.59.255, 3.5.64.0-3.5.73.255,
			     3.5.76.0-3.5.87.255, 3.5.128.0-3.5.169.255,
			     3.5.172.0/22, 3.5.180.0-3.5.191.255,
			     3.5.202.0-3.32.255.255, 3.33.34.0/23,
			     3.33.40.0/21, 3.33.128.0-3.39.255.255,
			     3.64.0.0-3.99.255.255, 3.101.0.0/16,
			     3.104.0.0-3.115.255.255, 3.120.0.0-3.151.255.255,
			     3.160.0.0-3.172.63.255, 3.208.0.0-3.239.255.255,
			     3.248.0.0/13, 13.32.0.0/15,
			     13.35.0.0-13.43.255.255, 13.48.0.0/12,
			     13.112.0.0/14, 13.124.0.0/14,
			     13.184.0.0-13.215.255.255, 13.224.0.0/12,
			     13.244.0.0-13.248.73.255, 13.248.75.0/24,
			     13.248.96.0-13.251.255.255, 15.145.0.0-15.145.5.255,
			     15.145.8.0-15.145.25.255, 15.152.0.0/16,
			     15.156.0.0-15.158.255.255, 15.160.0.0/15,
			     15.164.0.0/15, 15.168.0.0/16,
			     15.177.0.0-15.177.100.255, 15.181.0.0-15.181.254.255,
			     15.184.0.0/15, 15.188.0.0/16,
			     15.190.0.0-15.190.11.255, 15.190.16.0-15.190.63.255,
			     15.193.0.0/19, 15.197.0.0-15.197.39.255,
			     15.197.64.0/19, 15.197.128.0/17,
			     15.200.0.0/16, 15.205.0.0-15.207.255.255,
			     15.220.0.0-15.220.207.255, 15.220.208.128/26,
			     15.220.216.0-15.221.53.255, 15.221.128.0/21,
			     15.221.144.0-15.221.153.255, 15.221.160.0/21,
			     15.222.0.0/15, 15.228.0.0/15,
			     15.230.0.4-15.230.0.9, 15.230.0.12-15.230.0.14,
			     15.230.1.0/24, 15.230.3.0/24,
			     15.230.4.19, 15.230.4.128/30,
			     15.230.4.148-15.230.4.167, 15.230.4.176/28,
			     15.230.5.0-15.230.6.255, 15.230.9.10-15.230.9.15,
			     15.230.9.44/30, 15.230.9.248,
			     15.230.9.252/31, 15.230.10.0/24,
			     15.230.14.0-15.230.15.0, 15.230.15.3-15.230.15.11,
			     15.230.15.13-15.230.15.16, 15.230.15.24-15.230.15.195,
			     15.230.15.200-15.230.15.219, 15.230.15.254-15.230.16.255,
			     15.230.18.0/23, 15.230.21.0-15.230.32.255,
			     15.230.35.0-15.230.43.255, 15.230.48.0-15.230.63.6,
			     15.230.63.8/30, 15.230.64.0-15.230.79.191,
			     15.230.80.0-15.230.100.2, 15.230.101.0-15.230.107.0,
			     15.230.107.2/31, 15.230.108.0-15.230.117.1,
			     15.230.118.0-15.230.119.1, 15.230.120.0/31,
			     15.230.121.0-15.230.121.9, 15.230.129.0-15.230.138.255,
			     15.230.140.0-15.230.145.255, 15.230.147.0-15.230.149.5,
			     15.230.149.8/30, 15.230.150.0-15.230.169.7,
			     15.230.170.0/23, 15.230.173.0-15.230.174.255,
			     15.230.176.0-15.230.177.4, 15.230.178.0-15.230.179.23,
			     15.230.180.0-15.230.190.255, 15.230.192.0-15.230.199.15,
			     15.230.200.0-15.230.202.3, 15.230.203.0-15.230.204.127,
			     15.230.205.0-15.230.216.13, 15.230.217.0-15.230.223.7,
			     15.230.240.0-15.230.251.7, 15.230.252.0-15.230.254.4,
			     15.230.255.0/24, 15.236.0.0/15,
			     15.248.8.0/22, 15.248.16.0-15.248.43.255,
			     15.248.48.0-15.248.71.255, 15.248.80.0/20,
			     15.248.104.0/24, 15.248.136.0/24,
			     15.251.0.0/28, 15.251.0.20-15.251.0.29,
			     15.251.0.33-15.251.0.34, 15.251.0.47-15.251.0.48,
			     15.253.0.0-15.254.255.255, 16.12.0.0-16.12.2.255,
			     16.12.4.0-16.12.21.255, 16.12.24.0-16.12.44.255,
			     16.12.48.0-16.12.67.255, 16.12.74.0/24,
			     16.15.0.0/21, 16.15.176.0-16.16.255.255,
			     16.24.0.0/13, 16.50.0.0-16.56.63.255,
			     16.56.128.0/18, 16.57.0.0/18,
			     16.62.0.0-16.67.255.255, 16.78.0.0/15,
			     16.154.0.0-16.159.255.255, 16.162.0.0/15,
			     16.168.0.0/14, 16.176.0.0/14,
			     16.182.0.0/16, 16.184.0.0/14,
			     18.34.0.0/19, 18.34.48.0/20,
			     18.34.72.0/21, 18.34.232.0/21,
			     18.34.244.0/22, 18.34.252.0/22,
			     18.60.0.0/15, 18.64.0.0-18.68.255.255,
			     18.88.0.0/18, 18.88.128.0/18,
			     18.89.0.0/18, 18.89.128.0/18,
			     18.96.0.0-18.96.2.255, 18.96.16.0-18.97.63.255,
			     18.97.128.0-18.102.255.255, 18.116.0.0/14,
			     18.130.0.0/16, 18.132.0.0-18.136.255.255,
			     18.138.0.0-18.145.255.255, 18.153.0.0-18.173.255.255,
			     18.175.0.0-18.185.255.255, 18.188.0.0-18.239.255.255,
			     18.244.0.0-18.246.255.255, 18.252.0.0-18.254.255.255,
			     23.20.0.0/14, 23.160.0.0/24,
			     27.0.0.0/22, 34.192.0.0/10,
			     35.71.64.0-35.71.75.255, 35.71.96.0-35.71.121.255,
			     35.71.128.0-35.96.1.255, 35.96.16.0-35.96.159.255,
			     35.152.0.0-35.183.255.255, 36.103.232.0-36.103.232.191,
			     40.164.0.0/14, 40.172.0.0-40.181.255.255,
			     40.192.0.0/14, 43.192.0.0-43.193.63.255,
			     43.194.0.0-43.196.255.255, 43.198.0.0-43.207.255.255,
			     43.216.0.0-43.218.255.255, 43.249.44.0/22,
			     43.250.192.0/23, 44.192.0.0/10,
			     45.113.128.0/22, 46.51.128.0-46.51.211.255,
			     46.51.216.0-46.51.255.255, 46.137.0.0/16,
			     47.128.0.0/14, 50.16.0.0/14,
			     50.112.0.0/16, 51.0.0.0-51.0.29.15,
			     51.0.29.128/28, 51.0.80.0-51.0.119.255,
			     51.0.128.0/21, 51.16.0.0/15,
			     51.20.0.0/15, 51.24.0.0/16,
			     51.34.0.0/15, 51.44.0.0/14,
			     51.84.0.0/14, 51.92.0.0-51.96.255.255,
			     51.100.0.0/15, 51.112.0.0/16,
			     51.118.0.0/15, 51.224.0.0/14,
			     52.0.0.0-52.46.159.255, 52.46.164.0-52.46.187.255,
			     52.46.192.0-52.46.243.255, 52.46.249.0-52.82.169.31,
			     52.82.170.0/23, 52.82.176.0-52.82.185.255,
			     52.82.187.0-52.93.12.255, 52.93.14.0/24,
			     52.93.16.0-52.93.21.255, 52.93.22.48-52.93.22.71,
			     52.93.23.0-52.93.31.255, 52.93.32.176,
			     52.93.32.179-52.93.32.180, 52.93.32.183-52.93.32.184,
			     52.93.33.224/31, 52.93.34.0-52.93.45.255,
			     52.93.47.0-52.93.51.255, 52.93.55.144-52.93.55.149,
			     52.93.55.152-52.93.55.167, 52.93.56.0-52.93.69.255,
			     52.93.70.40/29, 52.93.70.128/25,
			     52.93.71.37-52.93.71.47, 52.93.72.0-52.93.83.255,
			     52.93.87.96/27, 52.93.91.96-52.93.91.115,
			     52.93.92.0-52.93.101.255, 52.93.111.0-52.93.113.255,
			     52.93.115.0-52.93.116.255, 52.93.119.144/30,
			     52.93.120.176/30, 52.93.121.187-52.93.121.190,
			     52.93.121.195-52.93.121.198, 52.93.122.131,
			     52.93.122.202/31, 52.93.122.218,
			     52.93.122.255, 52.93.123.6,
			     52.93.123.11, 52.93.123.98/31,
			     52.93.123.136, 52.93.123.255,
			     52.93.124.14/31, 52.93.124.96/31,
			     52.93.124.210-52.93.124.213, 52.93.125.42/31,
			     52.93.126.76, 52.93.126.122/31,
			     52.93.126.130-52.93.126.139, 52.93.126.144/30,
			     52.93.126.198/31, 52.93.126.204/30,
			     52.93.126.212/30, 52.93.126.234/31,
			     52.93.126.244/31, 52.93.126.250/31,
			     52.93.127.17-52.93.127.19, 52.93.127.24/30,
			     52.93.127.68/30, 52.93.127.92-52.93.127.133,
			     52.93.127.138/31, 52.93.127.146-52.93.127.149,
			     52.93.127.152-52.93.127.169, 52.93.127.172-52.93.127.185,
			     52.93.127.194-52.93.127.207, 52.93.127.216-52.93.127.221,
			     52.93.127.232, 52.93.127.237-52.93.127.239,
			     52.93.127.244-52.93.127.255, 52.93.129.95,
			     52.93.131.217, 52.93.133.127,
			     52.93.133.129, 52.93.133.131,
			     52.93.133.133, 52.93.133.153,
			     52.93.133.155, 52.93.133.175,
			     52.93.133.177, 52.93.133.179,
			     52.93.133.181, 52.93.134.181,
			     52.93.135.195, 52.93.136.0-52.93.140.255,
			     52.93.141.128/25, 52.93.146.0-52.93.148.191,
			     52.93.149.0-52.93.151.255, 52.93.153.80,
			     52.93.153.148/31, 52.93.153.168-52.93.153.179,
			     52.93.156.0/22, 52.93.178.128-52.93.178.235,
			     52.93.182.128/26, 52.93.183.64/27,
			     52.93.193.192-52.93.193.203, 52.93.198.0/25,
			     52.93.199.24-52.93.199.47, 52.93.199.88-52.93.199.111,
			     52.93.201.80-52.93.201.111, 52.93.229.148/31,
			     52.93.236.0-52.93.245.255, 52.93.246.216/29,
			     52.93.247.0/25, 52.93.248.0/22,
			     52.93.254.0-52.94.20.255, 52.94.22.0-52.94.30.255,
			     52.94.32.0-52.94.69.255, 52.94.72.0-52.94.146.255,
			     52.94.148.0/22, 52.94.152.3,
			     52.94.152.9, 52.94.152.11-52.94.152.12,
			     52.94.152.44, 52.94.152.60-52.94.152.69,
			     52.94.152.176-52.94.152.195, 52.94.160.0-52.94.198.159,
			     52.94.199.0-52.94.201.127, 52.94.204.0-52.94.248.239,
			     52.94.249.32-52.94.250.63, 52.94.250.80/28,
			     52.94.252.0-52.95.29.63, 52.95.30.0/23,
			     52.95.34.0-52.95.42.255, 52.95.48.0-52.95.219.255,
			     52.95.224.0-52.95.230.255, 52.95.235.0/24,
			     52.95.239.0-52.95.255.159, 52.119.128.0-52.119.199.255,
			     52.119.205.0-52.119.249.255, 52.119.252.0/22,
			     52.124.128.0/17, 52.129.130.0/23,
			     52.144.133.32/27, 52.144.192.0-52.144.193.191,
			     52.144.194.0-52.144.195.63, 52.144.196.192/26,
			     52.144.197.128/25, 52.144.199.128/26,
			     52.144.200.64-52.144.200.191, 52.144.201.64-52.144.201.191,
			     52.144.205.0/26, 52.144.208.0/30,
			     52.144.208.64-52.144.211.203, 52.144.212.64/26,
			     52.144.212.192/26, 52.144.213.64/26,
			     52.144.214.128/26, 52.144.215.0/30,
			     52.144.215.192-52.144.215.203, 52.144.216.0-52.144.216.11,
			     52.144.218.0/25, 52.144.223.64-52.144.223.191,
			     52.144.224.64-52.144.225.191, 52.144.227.64/26,
			     52.144.227.192-52.144.228.3, 52.144.228.64-52.144.229.127,
			     52.144.230.0/26, 52.144.230.204-52.144.230.211,
			     52.144.231.64/26, 52.144.233.64/29,
			     52.144.233.128/29, 52.144.233.192/26,
			     52.192.0.0-52.219.20.255, 52.219.24.0-52.219.47.255,
			     52.219.56.0-52.219.75.255, 52.219.80.0-52.219.221.255,
			     52.219.224.0-52.219.235.255, 52.219.254.0-52.223.127.255,
			     52.223.192.0/18, 54.20.0.0/15,
			     54.25.15.0/24, 54.25.20.0/24,
			     54.25.82.0/24, 54.26.166.0/24,
			     54.46.0.0/15, 54.64.0.0/11,
			     54.112.0.0/18, 54.116.0.0/15,
			     54.144.0.0-54.222.39.255, 54.222.48.0/21,
			     54.222.57.0-54.222.58.15, 54.222.58.32/27,
			     54.222.64.0/24, 54.222.66.0-54.222.71.255,
			     54.222.76.0-54.222.103.255, 54.222.112.0-54.239.39.255,
			     54.239.40.152/29, 54.239.48.0-54.239.71.255,
			     54.239.96.0/24, 54.239.98.0-54.239.103.191,
			     54.239.104.0-54.239.114.191, 54.239.115.0/25,
			     54.239.116.0-54.239.223.255, 54.240.128.0-54.240.200.255,
			     54.240.202.0-54.240.223.255, 54.240.225.0-54.240.235.255,
			     54.240.236.1-54.240.236.2, 54.240.236.5-54.240.236.6,
			     54.240.236.9-54.240.236.10, 54.240.236.13-54.240.236.14,
			     54.240.236.17-54.240.236.18, 54.240.236.21-54.240.236.22,
			     54.240.236.25-54.240.236.26, 54.240.236.29-54.240.236.30,
			     54.240.236.33-54.240.236.34, 54.240.236.37-54.240.236.38,
			     54.240.236.41-54.240.236.42, 54.240.236.45-54.240.236.46,
			     54.240.236.49-54.240.236.50, 54.240.236.53-54.240.236.54,
			     54.240.236.57-54.240.236.58, 54.240.236.61-54.240.236.62,
			     54.240.236.65-54.240.236.66, 54.240.236.69-54.240.236.70,
			     54.240.236.73-54.240.236.74, 54.240.236.77-54.240.236.78,
			     54.240.236.81-54.240.236.82, 54.240.236.85-54.240.236.86,
			     54.240.236.89-54.240.236.90, 54.240.236.93-54.240.236.94,
			     54.240.241.0-54.255.255.255, 56.48.0.0/13,
			     56.68.0.0/14, 56.96.0.0/14,
			     56.112.0.0/14, 56.124.0.0-56.131.255.255,
			     56.136.0.0/14, 56.155.0.0-56.157.255.255,
			     56.159.0.0/16, 56.162.0.0/16,
			     56.164.0.0/16, 56.184.0.0/14,
			     56.228.0.0/14, 56.240.0.0/14,
			     57.180.0.0/14, 58.254.138.0-58.254.138.191,
			     63.32.0.0/14, 63.176.0.0/12,
			     63.246.112.0/22, 63.246.119.0-63.246.127.255,
			     64.187.128.0/20, 64.252.64.0-64.252.191.255,
			     65.0.0.0/14, 65.8.0.0-65.9.191.255,
			     65.176.0.0/14, 67.202.0.0/18,
			     67.220.224.0/19, 68.66.112.0/20,
			     68.79.0.0/18, 69.107.3.176/28,
			     69.107.6.112/28, 69.107.6.160/28,
			     69.107.6.200-69.107.6.231, 69.107.7.0-69.107.7.23,
			     69.107.7.32-69.107.7.143, 69.230.192.0/18,
			     69.231.128.0/18, 69.234.192.0/18,
			     69.235.128.0/18, 70.132.0.0/18,
			     70.224.192.0/18, 70.232.64.0/18,
			     71.131.192.0-71.132.63.255, 71.136.64.0/18,
			     71.137.0.0/18, 71.141.0.0/20,
			     71.152.0.0/17, 72.21.192.0/19,
			     72.41.0.0/20, 72.44.32.0/19,
			     75.2.0.0/17, 75.79.0.0/16,
			     75.101.128.0/17, 76.223.0.0/17,
			     76.223.168.0-76.223.170.15, 76.223.170.32/28,
			     76.223.172.0/22, 79.125.0.0/17,
			     83.118.240.0/21, 83.119.128.0/18,
			     87.238.80.0/21, 96.0.0.0-96.0.108.255,
			     96.0.110.0-96.0.175.255, 96.127.0.0/17,
			     98.80.0.0/12, 98.130.0.0/15,
			     99.77.0.0/18, 99.77.128.0/18,
			     99.77.232.0-99.77.254.255, 99.78.128.0-99.78.172.255,
			     99.78.176.0-99.78.199.255, 99.78.208.0/20,
			     99.78.228.0-99.82.3.255, 99.82.8.0/21,
			     99.82.128.0/18, 99.83.64.0-99.83.104.255,
			     99.83.112.0-99.83.123.255, 99.83.128.0-99.84.255.255,
			     99.86.0.0-99.87.35.255, 99.150.0.0/17,
			     99.151.64.0-99.151.175.255, 99.151.184.0/21,
			     99.181.64.0/18, 100.20.0.0-100.31.255.255,
			     103.4.8.0/21, 103.8.172.0/22,
			     103.53.48.0/22, 103.246.148.0/22,
			     104.153.112.0-104.153.116.255, 104.153.118.0/24,
			     104.255.56.11-104.255.56.12, 104.255.56.15-104.255.56.20,
			     104.255.56.23-104.255.56.29, 104.255.59.81-104.255.59.83,
			     104.255.59.85-104.255.59.88, 104.255.59.91,
			     104.255.59.101-104.255.59.106, 104.255.59.114/31,
			     104.255.59.118/31, 104.255.59.122-104.255.59.127,
			     104.255.59.130-104.255.59.139, 104.255.59.196-104.255.59.201,
			     107.20.0.0/14, 107.176.0.0/15,
			     108.128.0.0-108.139.255.255, 108.156.0.0/14,
			     108.166.224.0/19, 108.175.48.0/20,
			     111.13.171.128/25, 111.13.185.32-111.13.185.95,
			     116.129.226.0-116.129.226.191, 118.193.97.64-118.193.97.255,
			     119.147.182.0-119.147.182.191, 120.52.12.64/26,
			     120.52.22.96/27, 120.52.39.128/27,
			     120.52.153.192/26, 120.232.236.0-120.232.236.191,
			     120.253.240.192/26, 120.253.241.160/27,
			     120.253.245.128-120.253.245.223, 122.248.192.0/18,
			     130.176.0.0-130.176.239.255, 130.176.254.0/23,
			     136.8.0.0/15, 136.18.0.0/23,
			     136.18.18.0-136.18.23.255, 136.18.32.0-136.18.34.255,
			     136.18.50.0/23, 136.18.128.0-136.18.141.255,
			     136.18.254.0/23, 139.56.16.0-139.56.34.255,
			     140.179.0.0/16, 142.4.177.0-142.4.180.255,
			     143.204.0.0/16, 144.220.0.0/16,
			     150.222.0.0-150.222.14.255, 150.222.15.124-150.222.15.133,
			     150.222.26.0-150.222.45.95, 150.222.45.128-150.222.53.31,
			     150.222.64.0/22, 150.222.68.116/31,
			     150.222.69.0-150.222.123.255, 150.222.129.0/24,
			     150.222.133.0-150.222.138.255, 150.222.139.116-150.222.139.127,
			     150.222.140.0/22, 150.222.164.208/29,
			     150.222.164.220-150.222.164.222, 150.222.176.0-150.222.180.255,
			     150.222.182.14-150.222.182.17, 150.222.196.0/24,
			     150.222.199.0/25, 150.222.200.60/31,
			     150.222.202.0-150.222.208.255, 150.222.210.0-150.222.224.255,
			     150.222.226.0-150.222.234.87, 150.222.234.96-150.222.234.143,
			     150.222.235.0-150.222.239.255, 150.222.242.84/31,
			     150.222.242.214/31, 150.222.245.122/31,
			     150.222.252.244-150.222.252.251, 151.148.8.0-151.148.16.6,
			     151.148.16.8/30, 151.148.17.0-151.148.20.255,
			     151.148.32.0-151.148.41.255, 155.146.0.0/16,
			     156.4.0.0/15, 157.175.0.0/16,
			     157.241.0.0/16, 159.248.200.0/21,
			     159.248.216.0-159.248.247.255, 160.1.0.0/16,
			     161.178.0.0/18, 161.178.128.0/18,
			     161.188.0.0-161.188.47.255, 161.188.127.0/24,
			     161.189.0.0/16, 161.193.0.0/18,
			     161.193.128.0/18, 162.208.121.0/24,
			     162.213.232.0/22, 162.222.148.0/22,
			     162.250.236.0/22, 168.185.4.0/23,
			     172.96.97.0-172.96.98.255, 172.96.110.0/24,
			     173.83.192.0-173.83.198.255, 173.83.200.0-173.83.214.255,
			     173.83.216.0-173.83.220.255, 174.129.0.0/16,
			     175.41.128.0/17, 176.32.64.0-176.32.123.255,
			     176.32.124.128-176.32.125.255, 176.34.0.0/16,
			     177.71.128.0/17, 177.72.240.0/21,
			     178.236.0.0/20, 180.163.57.0-180.163.57.191,
			     182.24.0.0-182.30.255.255, 184.32.0.0/12,
			     184.72.0.0/15, 184.169.128.0/17,
			     185.42.204.0/22, 185.48.120.0/22,
			     185.143.16.0/24, 192.16.64.0/21,
			     192.31.212.0/23, 192.43.175.0/24,
			     192.43.184.0/24, 192.108.239.0/24,
			     192.157.32.0-192.157.34.255, 192.157.72.0/23,
			     192.189.196.0/24, 195.17.0.0/24,
			     198.99.2.0/24, 199.9.248.0/21,
			     199.127.232.0/22, 203.83.220.0/22,
			     204.87.185.0/24, 204.236.128.0/17,
			     204.246.160.0/19, 205.251.192.0/19,
			     205.251.225.0-205.251.226.255, 205.251.228.0-205.251.254.255,
			     207.171.160.0/19, 208.78.128.0/21,
			     208.86.88.0/22, 208.110.48.0/20,
			     209.54.176.0/20, 216.39.136.0/21,
			     216.39.152.0-216.39.175.255, 216.137.32.0/19,
			     216.182.224.0/20 }
	}

	set bypass6_amazon_aws {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dscp_cs0_4 {
		type ipv4_addr
	}

	set omr_dscp_cs1_4 {
		type ipv4_addr
	}

	set omr_dscp_cs2_4 {
		type ipv4_addr
		elements = { 142.251.36.164, 142.251.36.170,
			     142.251.36.202, 142.251.36.227,
			     142.251.36.234, 142.251.36.238,
			     142.251.37.10, 172.217.16.170,
			     173.194.76.84 }
	}

	set omr_dscp_cs3_4 {
		type ipv4_addr
	}

	set omr_dscp_cs4_4 {
		type ipv4_addr
		elements = { 18.236.7.30, 34.252.74.1,
			     45.57.105.141, 107.20.175.192,
			     198.38.109.219 }
	}

	set omr_dscp_cs5_4 {
		type ipv4_addr
	}

	set omr_dscp_cs6_4 {
		type ipv4_addr
	}

	set omr_dscp_cs7_4 {
		type ipv4_addr
	}

	set omr_dscp_ef_4 {
		type ipv4_addr
	}

	set omr_dst_bypass_eth0_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_eth0_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan1_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan1_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan2_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_wan2_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_tun0_4 {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_tun0_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set omr_dst_bypass_all_4 {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 18.200.8.190, 18.236.7.30,
			     23.218.165.59, 34.160.111.145,
			     34.252.74.1, 54.73.148.110,
			     54.155.246.232, 107.20.175.192,
			     207.45.72.215 }
	}

	set omr_dst_bypass_all_6 {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_checkdst {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_checkdst {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_remote_servers {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { <redacted - vps ip> }
	}

	set ss_rules6_remote_servers {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass_ {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     100.64.0.0/10, 127.0.0.0/8,
			     169.254.0.0/16, 172.16.0.0/12,
			     192.0.0.0/24, 192.0.2.0/24,
			     192.31.196.0/24, 192.52.193.0/24,
			     192.88.99.0/24, 192.168.0.0/16,
			     192.175.48.0/24, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/3 }
	}

	set ss_rules6_dst_bypass_ {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     64:ff9b:1::/48,
			     100::/64,
			     2001::/23,
			     fc00::/7,
			     fe80::/10 }
	}

	set ss_rules_dst_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_forward_rrst_ {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward_rrst_ {
		type ipv6_addr
		flags interval
		auto-merge
	}

	chain ss_rules_pre_tcp {
		type nat hook prerouting priority filter + 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto tcp iifname { "lo", "eth0" } goto ss_rules_pre_src_tcp
	}

	chain ss_rules_pre_src_tcp {
		ip daddr @ss_rules_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		goto ss_rules_src_tcp
	}

	chain ss_rules_src_tcp {
		ip saddr @ss_rules_src_bypass accept
		ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
		ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
		ip6 saddr @ss_rules6_src_bypass accept
		ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
		ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_dst_tcp {
		ip daddr @ss_rules_dst_bypass accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
		ip6 daddr @ss_rules6_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_forward_tcp {
		meta l4proto tcp redirect to :1100
	}

	chain ss_rules_local_out {
		type nat hook output priority filter - 1; policy accept;
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta mark 0x00004539 accept
		ip daddr @omr_dst_bypass_all_4 accept
		meta mark 0x45391500 accept
		ip daddr @omr_dst_bypass_tun0_4 accept
		meta mark 0x00045397 accept
		ip daddr @omr_dst_bypass_wan2_4 accept
		meta mark 0x00045396 accept
		ip daddr @omr_dst_bypass_wan1_4 accept
		meta mark 0x45399999 accept
		ip daddr @omr_dst_bypass_eth0_4 accept
		meta l4proto != tcp accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_bypass_ accept
		ip daddr @ss_rules_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass accept
		goto ss_rules_forward_tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan1", "wan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		icmp type echo-request limit rate 1000/second counter packets 4 bytes 192 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
		iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan1", "wan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		meta nfproto ipv4 meta mark 0x00004539 counter packets 0 bytes 0 accept comment "!fw4: omr_dst_bypass_all_rule_accept"
		oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan1", "wan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
		jump handle_reject
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		icmp type echo-request limit rate 1000/second counter packets 67 bytes 5484 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 69 bytes 85688 drop comment "!fw4: Block QUIC All"
		counter packets 14956 bytes 2498465 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 14956 bytes 2498465 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 1 bytes 145 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 8 bytes 1712 accept comment "!fw4: ICMPv6-Lan-to-OMR"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		counter packets 280 bytes 14332 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 181 bytes 7664 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname "eth0" counter packets 320 bytes 21987 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "eth0" counter packets 3 bytes 228 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 12 bytes 432 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 16 bytes 3424 accept comment "!fw4: Allow IPv6 ICMP"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
		meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan1", "wan2" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan1", "wan2" } counter packets 686 bytes 90764 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan1", "wan2" } counter packets 10 bytes 966 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan1", "wan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_vpn {
		meta l4proto { icmp, ipv6-icmp } counter packets 0 bytes 0 accept comment "!fw4: Allow-VPN-ICMP"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_vpn
	}

	chain output_vpn {
		jump accept_to_vpn
	}

	chain forward_vpn {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_vpn
	}

	chain accept_to_vpn {
		meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 30 bytes 3048 drop comment "!fw4: Prevent NAT leakage"
		oifname "tun0" counter packets 395 bytes 26833 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
	}

	chain reject_from_vpn {
		iifname "tun0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan1", "wan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_vpn {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth0" ip daddr @bypass_amazon_aws counter packets 1646 bytes 170696 meta mark set 0x00004539 comment "!fw4: bypass_"
		iifname "eth0" ip6 daddr @bypass6_amazon_aws counter packets 0 bytes 0 meta mark set 0x00006539 comment "!fw4: bypass6_"
		iifname "eth0" ip daddr @omr_dst_bypass_all_4 counter packets 162 bytes 6480 meta mark set 0x00004539 comment "!fw4: omr_dst_bypass_all_rule"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
		oifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 36 bytes 3525 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 69 bytes 2760 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 213 bytes 19328 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 26 bytes 2136 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
		iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
		iifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
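To narrow down whether the bypass plumbing is actually present after a rule reload, here is an added example (not part of OpenMPTCProuter or fw4) that parses an `nft list ruleset` dump of the shape pasted above: it lists the mark rules in fw4's mangle_prerouting chain, checks that the sets they reference are declared and populated, and reports which set, if any, covers a given destination address. The two sample rulesets inside are constructed to mirror the dumps in this issue, not copied from a router.

```python
"""Check an `nft list ruleset` dump for the OMR-Bypass marking rules."""
import ipaddress
import re

# A bypass rule as fw4 prints it: iifname "eth0" ip daddr @<set> counter ... meta mark set <mark>
_MARK_RULE = re.compile(
    r'^\s*iifname "[^"]+" (?:ip|ip6) daddr @(?P<set>\S+) counter packets (?P<pkts>\d+) '
    r'bytes \d+ meta mark set (?P<mark>0x[0-9a-fA-F]+)')

def _blocks(text: str, kind: str) -> dict:
    """Map every `<kind> <name> {` block (chain or set) to its body lines; brace depth
    is tracked so multi-line `elements = { ... }` and one-line vmaps stay inside."""
    header = re.compile(r"^\s*%s (\S+) \{\s*$" % re.escape(kind))
    blocks, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = header.match(lines[i])
        i += 1
        if not m:
            continue
        name, depth, body = m.group(1), 1, []
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            if depth > 0:
                body.append(lines[i])
            i += 1
        blocks[name] = body
    return blocks

def _elements(body: list) -> list:
    """Address elements of a set body as ip_network objects ('a-b' ranges are skipped)."""
    m = re.search(r"elements = \{(.*?)\}", "\n".join(body), re.S)
    nets = []
    for item in (m.group(1).split(",") if m else []):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            pass
    return nets

def check_omr_bypass(ruleset: str) -> dict:
    """Report the bypass mark rules in fw4's mangle_prerouting chain and the state
    of the sets they reference: 'mark_rules' holds (set, mark, packets matched),
    'missing_sets' names sets a rule references but the dump never declares,
    'empty_sets' names declared sets with no address in them."""
    chains, sets = _blocks(ruleset, "chain"), _blocks(ruleset, "set")
    rep = {"mark_rules": [], "missing_sets": [], "empty_sets": []}
    for line in chains.get("mangle_prerouting", []):
        m = _MARK_RULE.match(line)
        if not m:
            continue
        rep["mark_rules"].append((m["set"], m["mark"], int(m["pkts"])))
        if m["set"] not in sets:
            rep["missing_sets"].append(m["set"])
        elif not _elements(sets[m["set"]]):
            rep["empty_sets"].append(m["set"])
    return rep

def bypass_is_healthy(rep: dict) -> bool:
    """True when at least one mark rule exists and every referenced set is populated."""
    return bool(rep["mark_rules"]) and not rep["missing_sets"] and not rep["empty_sets"]

def bypass_sets_covering(ruleset: str, address: str) -> list:
    """Names of mark-rule sets whose elements contain `address`; an empty list means
    traffic to that address is never marked, so it takes the default (VPS) path."""
    addr, sets, names = ipaddress.ip_address(address), _blocks(ruleset, "set"), []
    for set_name, _mark, _pkts in check_omr_bypass(ruleset)["mark_rules"]:
        nets = _elements(sets.get(set_name, []))
        if any(addr.version == n.version and addr in n for n in nets):
            names.append(set_name)
    return names

# Constructed samples (not copied from a router): the first mirrors the dump in this issue
# where bypass rules exist, the second the later dump where mangle_prerouting is empty.
WORKING_RULESET = """table inet fw4 {
    set bypass_amazon_aws {
        type ipv4_addr
        elements = { 192.0.2.0/24,
                     198.51.100.0/24 }
    }
    set omr_dst_bypass_all_4 {
        type ipv4_addr
        elements = { 203.0.113.7 }
    }
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        iifname "eth0" ip daddr @bypass_amazon_aws counter packets 1646 bytes 170696 meta mark set 0x00004539 comment "!fw4: bypass_"
        iifname "eth0" ip daddr @omr_dst_bypass_all_4 counter packets 162 bytes 6480 meta mark set 0x00004539 comment "!fw4: omr_dst_bypass_all_rule"
    }
}
"""
BROKEN_RULESET = """table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
    }
}
"""
```

On a router, feed it the real dump with `check_omr_bypass(subprocess.check_output(["nft", "list", "ruleset"], text=True))`; a destination that resolves fine but is reported by `bypass_sets_covering` as covered by no set is exactly the subdomain symptom described in this issue.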

@Ysurac
Owner

Ysurac commented Dec 7, 2024

There are some issues on WhatsApp and AWS ranges...

@Ysurac
Owner

Ysurac commented Dec 10, 2024

Should be better in latest snapshot

@Schinkentanz
Author

Thanks for the update @Ysurac. Today I got around to testing the OMR bypass configuration with a freshly installed VPS and the latest RPI5 snapshot, but it seems that the bypass mechanism isn't working at all at the moment. I also don't see (via htop) the usual work happening on the router after applying new rules.

  • OpenMPTCProuter version:
    openmptcprouter-v0.62-snapshot-6.6-r0+28194-cc69be0c13-bcm27xx-bcm2712-rpi-5-squashfs-factory
  • OpenMPTCProuter VPS version:
    0.1032-test 6.6.36-x64v2-xanmod1
root@OpenMPTCProuter:~# /etc/init.d/omr-bypass restart
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# /etc/init.d/omr-bypass status
active with no instances
root@OpenMPTCProuter:~#
root@OpenMPTCProuter:~# /etc/init.d/firewall restart
Section user specifies unreachable path '/etc/firewall.user', ignoring section
Section omr_bypass option 'reload' is not supported by fw4
Section omr_bypass is disabled, ignoring section
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'
root@OpenMPTCProuter:~#
Output of "nft list ruleset":
root@OpenMPTCProuter:~# nft list ruleset
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sane {
		type "sane" protocol tcp
		l3proto inet
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set omr_dscp_cs0_4 {
		type ipv4_addr
	}

	set omr_dscp_cs1_4 {
		type ipv4_addr
	}

	set omr_dscp_cs2_4 {
		type ipv4_addr
	}

	set omr_dscp_cs3_4 {
		type ipv4_addr
	}

	set omr_dscp_cs4_4 {
		type ipv4_addr
	}

	set omr_dscp_cs5_4 {
		type ipv4_addr
	}

	set omr_dscp_cs6_4 {
		type ipv4_addr
	}

	set omr_dscp_cs7_4 {
		type ipv4_addr
	}

	set omr_dscp_ef_4 {
		type ipv4_addr
	}

	set ss_rules_src_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_src_checkdst {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_src_checkdst {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_remote_servers {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { <redacted - vps ip> }
	}

	set ss_rules6_remote_servers {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_bypass {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_bypass_ {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 0.0.0.0/8, 10.0.0.0/8,
			     100.64.0.0/10, 127.0.0.0/8,
			     169.254.0.0/16, 172.16.0.0/12,
			     192.0.0.0/24, 192.0.2.0/24,
			     192.31.196.0/24, 192.52.193.0/24,
			     192.88.99.0/24, 192.168.0.0/16,
			     192.175.48.0/24, 198.18.0.0/15,
			     198.51.100.0/24, 203.0.113.0/24,
			     224.0.0.0/3 }
	}

	set ss_rules6_dst_bypass_ {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     64:ff9b:1::/48,
			     100::/64,
			     2001::/23,
			     fc00::/7,
			     fe80::/10 }
	}

	set ss_rules_dst_forward {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward {
		type ipv6_addr
		flags interval
		auto-merge
	}

	set ss_rules_dst_forward_rrst_ {
		type ipv4_addr
		flags interval
		auto-merge
	}

	set ss_rules6_dst_forward_rrst_ {
		type ipv6_addr
		flags interval
		auto-merge
	}

	chain ss_rules_pre_tcp {
		type nat hook prerouting priority filter + 1; policy accept;
		meta l4proto tcp iifname { "lo", "eth0", "tun0" } goto ss_rules_pre_src_tcp
	}

	chain ss_rules_pre_src_tcp {
		ip daddr @ss_rules_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		goto ss_rules_src_tcp
	}

	chain ss_rules_src_tcp {
		ip saddr @ss_rules_src_bypass accept
		ip saddr @ss_rules_src_forward goto ss_rules_forward_tcp
		ip saddr @ss_rules_src_checkdst goto ss_rules_dst_tcp
		ip6 saddr @ss_rules6_src_bypass accept
		ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_tcp
		ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_dst_tcp {
		ip daddr @ss_rules_dst_bypass accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_forward goto ss_rules_forward_tcp
		ip6 daddr @ss_rules6_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_tcp
		goto ss_rules_forward_tcp
	}

	chain ss_rules_forward_tcp {
		meta l4proto tcp redirect to :1100
	}

	chain ss_rules_local_out {
		type nat hook output priority filter - 1; policy accept;
		meta l4proto != tcp accept
		ip daddr @ss_rules_remote_servers accept
		ip daddr @ss_rules_dst_bypass_ accept
		ip daddr @ss_rules_dst_bypass accept
		ip6 daddr @ss_rules6_remote_servers accept
		ip6 daddr @ss_rules6_dst_bypass_ accept
		ip6 daddr @ss_rules6_dst_bypass accept
		goto ss_rules_forward_tcp
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan1", "wan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname { "tun0", "tun1", "tun2", "tun3" } jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		icmp type echo-request limit rate 1000/second counter packets 8 bytes 528 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All"
		iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wan1", "wan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname { "tun0", "tun1", "tun2", "tun3" } jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wan1", "wan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname { "tun0", "tun1", "tun2", "tun3" } jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
		jump handle_reject
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		icmp type echo-request limit rate 1000/second counter packets 12 bytes 864 accept comment "!fw4: Allow-All-Ping"
		icmpv6 type echo-request limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping"
		udp dport 443 counter packets 4 bytes 5512 drop comment "!fw4: Block QUIC All"
		counter packets 1447 bytes 303689 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 1447 bytes 303689 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		iifname "eth0" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: ICMPv6-Lan-to-OMR"
		udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		counter packets 9 bytes 455 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN"
		counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname "eth0" counter packets 20 bytes 1361 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "eth0" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)"
		meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wan1", "wan2" } ct state invalid counter packets 1 bytes 64 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wan1", "wan2" } counter packets 71 bytes 11889 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wan1", "wan2" } counter packets 5 bytes 935 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wan1", "wan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_vpn {
		meta l4proto { icmp, ipv6-icmp } counter packets 0 bytes 0 accept comment "!fw4: Allow-VPN-ICMP"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_vpn
	}

	chain output_vpn {
		jump accept_to_vpn
	}

	chain forward_vpn {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_vpn
	}

	chain accept_to_vpn {
		meta nfproto ipv4 oifname { "tun0", "tun1", "tun2", "tun3" } ct state invalid counter packets 2 bytes 92 drop comment "!fw4: Prevent NAT leakage"
		oifname { "tun0", "tun1", "tun2", "tun3" } counter packets 67 bytes 5127 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
	}

	chain reject_from_vpn {
		iifname { "tun0", "tun1", "tun2", "tun3" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan1", "wan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname { "tun0", "tun1", "tun2", "tun3" } jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_vpn {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		oifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing"
		oifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		oifname { "tun0", "tun1", "tun2", "tun3" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta l4proto tcp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto udp ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4"
		meta l4proto tcp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto udp ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4"
		meta l4proto tcp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto udp ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4"
		meta l4proto tcp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto udp ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4"
		meta l4proto tcp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto udp ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4"
		meta l4proto tcp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto udp ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4"
		meta l4proto tcp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto udp ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4"
		meta l4proto tcp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto udp ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4"
		meta l4proto tcp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto udp ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4"
		meta l4proto icmp ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 25 bytes 1812 ip dscp set cs7 comment "!fw4: omr_dscp_rule1"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 1 bytes 76 ip dscp set cs4 comment "!fw4: omr_dscp_rule2"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6"
		ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7"
		iifname "eth0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing"
		iifname { "wan1", "wan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		iifname { "tun0", "tun1", "tun2", "tun3" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}
}
root@OpenMPTCProuter:~#

@SpencerXZX
Copy link

I'm seeing this as well on the 6.6 snapshot; I think the "Section omr_bypass is disabled, ignoring section" message is relevant. None of OMR-Bypass is working.

@Ysurac
Copy link
Owner

Ysurac commented Dec 23, 2024

I would need the result of uci show omr-bypass and of uci show firewall via SSH on the router

@SpencerXZX
Copy link

Router version: 0.62-snapshot-6.6
VPS Version: 0.1032-test 6.6.36-x64v3-xanmod1

uci show omr-bypass:

omr-bypass.all=interface
omr-bypass.m6replay=proto
omr-bypass.m6replay.url='m6web.fr' '6play.fr' '6cloud.fr'
omr-bypass.mycanal=proto
omr-bypass.mycanal.url='mycanal.fr' 'canal-plus.com' 'canalplus.com' 'canalplus-cdn.net' 'canalplus.pro' 'canal-plus.net'
omr-bypass.minecraft=proto
omr-bypass.minecraft.url='authserver.mojang.com'
omr-bypass.lesnumeriques=proto
omr-bypass.lesnumeriques.url='lesnumeriques.com' 'botscorner.com' 'app.botscorner.com'
omr-bypass.disneyplus=proto
omr-bypass.disneyplus.url='bamgrid.com' 'disney-plus.net'
omr-bypass.amazonvideo=proto
omr-bypass.amazonvideo.url='cloudfront.net' 'llnw.net'
omr-bypass.free=proto
omr-bypass.free.url='free.fr' 'freebox.fr' 'oqee.tv' 'oqee.net' 'proxad.net'
omr-bypass.orange=proto
omr-bypass.orange.url='orange.fr' 'sosh.fr' 'liveperson.net' 'liveperson.com' 'lpsn.net' 'lpsnmedia.net' 'francetelecom.fr'
omr-bypass.sky=proto
omr-bypass.sky.url='sky.com' 'skycdp.com' 'skyanywhere.com' 'epgsky.com' 'skycdn.it'
omr-bypass.captive_portal=proto
omr-bypass.captive_portal.url='captive.apple.com' 'connectivitycheck.gstatic.com' 'clients3.google.com' 'www.msftconnecttest.com' 'www.msftncsi.com' 'nmcheck.gnome.org' 'networkcheck.kde.org'
omr-bypass.eth0=interface
omr-bypass.eth0.id='9999'
omr-bypass.eth1=interface
omr-bypass.eth1.id='3'
omr-bypass.eth2=interface
omr-bypass.eth2.id='4'
omr-bypass.eth3=interface
omr-bypass.eth3.id='5'
omr-bypass.tun0=interface
omr-bypass.tun0.id='1500'
omr-bypass.global=global
omr-bypass.global.vpn_ipv4_md5='68b329da9893e34099c7d8ad5cb9c940'
omr-bypass.global.vpn_ipv6_md5='68b329da9893e34099c7d8ad5cb9c940'
omr-bypass.@domains[0]=domains
omr-bypass.@domains[0].name='bestbuy.com'
omr-bypass.@domains[0].interface='eth2'
omr-bypass.@domains[0].family='ipv4ipv6'

uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='REJECT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].fullcone='0'
firewall.@defaults[0].flow_offloading='0'
firewall.@defaults[0].flow_offloading_hw='0'
firewall.zone_lan=zone
firewall.zone_lan.name='lan'
firewall.zone_lan.network='lan'
firewall.zone_lan.input='ACCEPT'
firewall.zone_lan.output='ACCEPT'
firewall.zone_lan.forward='ACCEPT'
firewall.zone_lan.auto_helper='1'
firewall.zone_lan.mtu_fix='1'
firewall.zone_wan=zone
firewall.zone_wan.name='wan'
firewall.zone_wan.input='REJECT'
firewall.zone_wan.output='ACCEPT'
firewall.zone_wan.forward='REJECT'
firewall.zone_wan.fullcone4='0'
firewall.zone_wan.fullcone6='0'
firewall.zone_wan.masq='1'
firewall.zone_wan.mtu_fix='1'
firewall.zone_wan.auto_helper='1'
firewall.zone_wan.network='wan1' 'wan2'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Forward'
firewall.@rule[5].src='wan'
firewall.@rule[5].dest='*'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-IPSec-ESP'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='lan'
firewall.@rule[6].proto='esp'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ISAKMP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].dest_port='500'
firewall.@rule[7].proto='udp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].enabled='1'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].name='Allow-All-LAN-to-VPN'
firewall.@rule[8].dest='vpn'
firewall.@rule[8].src='lan'
firewall.@rule[8].proto='all'
firewall.zone_vpn=zone
firewall.zone_vpn.name='vpn'
firewall.zone_vpn.masq='1'
firewall.zone_vpn.input='REJECT'
firewall.zone_vpn.forward='ACCEPT'
firewall.zone_vpn.output='ACCEPT'
firewall.zone_vpn.network='omrvpn' 'omr6in4'
firewall.zone_vpn.mtu_fix='1'
firewall.zone_vpn.device='tun1' 'tun2' 'tun3'
firewall.zone_vpn.auto_helper='1'
firewall.@rule[9]=rule
firewall.@rule[9].enabled='1'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].name='Allow-All-Ping'
firewall.@rule[9].proto='icmp'
firewall.@rule[9].dest='*'
firewall.@rule[9].src='*'
firewall.@rule[9].icmp_type='echo-request'
firewall.@rule[9].limit='1000/sec'
firewall.@rule[10]=rule
firewall.@rule[10].enabled='1'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].name='Allow-VPN-ICMP'
firewall.@rule[10].proto='icmp'
firewall.@rule[10].src='vpn'
firewall.@rule[11]=rule
firewall.@rule[11].enabled='1'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='Allow-Lan-to-Wan'
firewall.@rule[11].dest='wan'
firewall.@rule[11].src='lan'
firewall.@rule[11].proto='all'
firewall.@rule[12]=rule
firewall.@rule[12].enabled='1'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].name='ICMPv6-Lan-to-OMR'
firewall.@rule[12].src='lan'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].proto='icmp'
firewall.@rule[12].limit='1000/sec'
firewall.@rule[12].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
firewall.omr_server=include
firewall.omr_server.path='/etc/firewall.omr-server'
firewall.gre_tunnel=include
firewall.gre_tunnel.path='/etc/firewall.gre-tunnel'
firewall.ttl=include
firewall.ttl.path='/etc/firewall.ttl'
firewall.ttl.type='script'
firewall.ttl.fw4_compatible='1'
firewall.upnp=include
firewall.upnp.path='/etc/firewall.upnp'
firewall.upnp.type='script'
firewall.upnp.fw4_compatible='1'
firewall.fwlantovpn=forwarding
firewall.fwlantovpn.src='lan'
firewall.fwlantovpn.dest='vpn'
firewall.blockquicproxy=rule
firewall.blockquicproxy.name='Block QUIC Proxy'
firewall.blockquicproxy.proto='udp'
firewall.blockquicproxy.dest_port='443'
firewall.blockquicproxy.target='DROP'
firewall.blockquicproxy.src='lan'
firewall.blockquicall=rule
firewall.blockquicall.name='Block QUIC All'
firewall.blockquicall.proto='udp'
firewall.blockquicall.src='*'
firewall.blockquicall.dest='*'
firewall.blockquicall.dest_port='443'
firewall.blockquicall.target='DROP'
firewall.allowicmpipv6=rule
firewall.allowicmpipv6.proto='icmp'
firewall.allowicmpipv6.target='ACCEPT'
firewall.allowicmpipv6.src='wan'
firewall.allowicmpipv6.name='Allow IPv6 ICMP'
firewall.allowicmpipv6.family='ipv6'
firewall.allowicmpipv6.limit='1000/sec'
firewall.allowicmpipv6.icmp_type='neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation'
firewall.allowdhcpv6546=rule
firewall.allowdhcpv6546.target='ACCEPT'
firewall.allowdhcpv6546.src='wan'
firewall.allowdhcpv6546.proto='udp'
firewall.allowdhcpv6546.dest_port='547'
firewall.allowdhcpv6546.name='Allow DHCPv6 (546-to-547)'
firewall.allowdhcpv6546.family='ipv6'
firewall.allowdhcpv6546.src_port='546'
firewall.allowdhcpv6547=rule
firewall.allowdhcpv6547.target='ACCEPT'
firewall.allowdhcpv6547.src='wan'
firewall.allowdhcpv6547.proto='udp'
firewall.allowdhcpv6547.dest_port='546'
firewall.allowdhcpv6547.name='Allow DHCPv6 (547-to-546)'
firewall.allowdhcpv6547.family='ipv6'
firewall.allowdhcpv6547.src_port='547'
firewall.user=include
firewall.user.path='/etc/firewall.user'
firewall.user.enabled='1'
firewall.user.type='script'
firewall.user.fw4_compatible='1'
firewall.omr_bypass=include
firewall.omr_bypass.path='/etc/firewall.omr-bypass'
firewall.omr_bypass.reload='0'
firewall.omr_bypass.enabled='0'
firewall.omr_bypass.type='script'
firewall.omr_bypass.fw4_compatible='1'
firewall.omr_dscp_cs0_4=ipset
firewall.omr_dscp_cs0_4.name='omr_dscp_cs0_4'
firewall.omr_dscp_cs0_4.match='dest_ip'
firewall.omr_dscp_rule_cs0_4=rule
firewall.omr_dscp_rule_cs0_4.name='omr_dscp_cs0_4'
firewall.omr_dscp_rule_cs0_4.ipset='omr_dscp_cs0_4'
firewall.omr_dscp_rule_cs0_4.set_dscp='CS0'
firewall.omr_dscp_rule_cs0_4.target='DSCP'
firewall.omr_dscp_rule_cs0_4.enabled='1'
firewall.omr_dscp_rule_cs0_4.src='*'
firewall.omr_dscp_rule_cs0_4.dest='*'
firewall.omr_dscp_cs1_4=ipset
firewall.omr_dscp_cs1_4.name='omr_dscp_cs1_4'
firewall.omr_dscp_cs1_4.match='dest_ip'
firewall.omr_dscp_rule_cs1_4=rule
firewall.omr_dscp_rule_cs1_4.name='omr_dscp_cs1_4'
firewall.omr_dscp_rule_cs1_4.ipset='omr_dscp_cs1_4'
firewall.omr_dscp_rule_cs1_4.set_dscp='CS1'
firewall.omr_dscp_rule_cs1_4.target='DSCP'
firewall.omr_dscp_rule_cs1_4.enabled='1'
firewall.omr_dscp_rule_cs1_4.src='*'
firewall.omr_dscp_rule_cs1_4.dest='*'
firewall.omr_dscp_cs2_4=ipset
firewall.omr_dscp_cs2_4.name='omr_dscp_cs2_4'
firewall.omr_dscp_cs2_4.match='dest_ip'
firewall.omr_dscp_rule_cs2_4=rule
firewall.omr_dscp_rule_cs2_4.name='omr_dscp_cs2_4'
firewall.omr_dscp_rule_cs2_4.ipset='omr_dscp_cs2_4'
firewall.omr_dscp_rule_cs2_4.set_dscp='CS2'
firewall.omr_dscp_rule_cs2_4.target='DSCP'
firewall.omr_dscp_rule_cs2_4.enabled='1'
firewall.omr_dscp_rule_cs2_4.src='*'
firewall.omr_dscp_rule_cs2_4.dest='*'
firewall.omr_dscp_cs3_4=ipset
firewall.omr_dscp_cs3_4.name='omr_dscp_cs3_4'
firewall.omr_dscp_cs3_4.match='dest_ip'
firewall.omr_dscp_rule_cs3_4=rule
firewall.omr_dscp_rule_cs3_4.name='omr_dscp_cs3_4'
firewall.omr_dscp_rule_cs3_4.ipset='omr_dscp_cs3_4'
firewall.omr_dscp_rule_cs3_4.set_dscp='CS3'
firewall.omr_dscp_rule_cs3_4.target='DSCP'
firewall.omr_dscp_rule_cs3_4.enabled='1'
firewall.omr_dscp_rule_cs3_4.src='*'
firewall.omr_dscp_rule_cs3_4.dest='*'
firewall.omr_dscp_cs4_4=ipset
firewall.omr_dscp_cs4_4.name='omr_dscp_cs4_4'
firewall.omr_dscp_cs4_4.match='dest_ip'
firewall.omr_dscp_rule_cs4_4=rule
firewall.omr_dscp_rule_cs4_4.name='omr_dscp_cs4_4'
firewall.omr_dscp_rule_cs4_4.ipset='omr_dscp_cs4_4'
firewall.omr_dscp_rule_cs4_4.set_dscp='CS4'
firewall.omr_dscp_rule_cs4_4.target='DSCP'
firewall.omr_dscp_rule_cs4_4.enabled='1'
firewall.omr_dscp_rule_cs4_4.src='*'
firewall.omr_dscp_rule_cs4_4.dest='*'
firewall.omr_dscp_cs5_4=ipset
firewall.omr_dscp_cs5_4.name='omr_dscp_cs5_4'
firewall.omr_dscp_cs5_4.match='dest_ip'
firewall.omr_dscp_rule_cs5_4=rule
firewall.omr_dscp_rule_cs5_4.name='omr_dscp_cs5_4'
firewall.omr_dscp_rule_cs5_4.ipset='omr_dscp_cs5_4'
firewall.omr_dscp_rule_cs5_4.set_dscp='CS5'
firewall.omr_dscp_rule_cs5_4.target='DSCP'
firewall.omr_dscp_rule_cs5_4.enabled='1'
firewall.omr_dscp_rule_cs5_4.src='*'
firewall.omr_dscp_rule_cs5_4.dest='*'
firewall.omr_dscp_cs6_4=ipset
firewall.omr_dscp_cs6_4.name='omr_dscp_cs6_4'
firewall.omr_dscp_cs6_4.match='dest_ip'
firewall.omr_dscp_rule_cs6_4=rule
firewall.omr_dscp_rule_cs6_4.name='omr_dscp_cs6_4'
firewall.omr_dscp_rule_cs6_4.ipset='omr_dscp_cs6_4'
firewall.omr_dscp_rule_cs6_4.set_dscp='CS6'
firewall.omr_dscp_rule_cs6_4.target='DSCP'
firewall.omr_dscp_rule_cs6_4.enabled='1'
firewall.omr_dscp_rule_cs6_4.src='*'
firewall.omr_dscp_rule_cs6_4.dest='*'
firewall.omr_dscp_cs7_4=ipset
firewall.omr_dscp_cs7_4.name='omr_dscp_cs7_4'
firewall.omr_dscp_cs7_4.match='dest_ip'
firewall.omr_dscp_rule_cs7_4=rule
firewall.omr_dscp_rule_cs7_4.name='omr_dscp_cs7_4'
firewall.omr_dscp_rule_cs7_4.ipset='omr_dscp_cs7_4'
firewall.omr_dscp_rule_cs7_4.set_dscp='CS7'
firewall.omr_dscp_rule_cs7_4.target='DSCP'
firewall.omr_dscp_rule_cs7_4.enabled='1'
firewall.omr_dscp_rule_cs7_4.src='*'
firewall.omr_dscp_rule_cs7_4.dest='*'
firewall.omr_dscp_ef_4=ipset
firewall.omr_dscp_ef_4.name='omr_dscp_ef_4'
firewall.omr_dscp_ef_4.match='dest_ip'
firewall.omr_dscp_rule_ef_4=rule
firewall.omr_dscp_rule_ef_4.name='omr_dscp_ef_4'
firewall.omr_dscp_rule_ef_4.ipset='omr_dscp_ef_4'
firewall.omr_dscp_rule_ef_4.set_dscp='EF'
firewall.omr_dscp_rule_ef_4.target='DSCP'
firewall.omr_dscp_rule_ef_4.enabled='1'
firewall.omr_dscp_rule_ef_4.src='*'
firewall.omr_dscp_rule_ef_4.dest='*'
firewall.omr_dscp_rule1=rule
firewall.omr_dscp_rule1.name='omr_dscp_rule1'
firewall.omr_dscp_rule1.target='DSCP'
firewall.omr_dscp_rule1.set_dscp='CS7'
firewall.omr_dscp_rule1.src='*'
firewall.omr_dscp_rule1.dest='*'
firewall.omr_dscp_rule1.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule1.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule1.proto='icmp'
firewall.omr_dscp_rule1.enabled='1'
firewall.omr_dscp_rule1.src_port='0-65535'
firewall.omr_dscp_rule1.dest_port='0-65535'
firewall.omr_dscp_rule2=rule
firewall.omr_dscp_rule2.name='omr_dscp_rule2'
firewall.omr_dscp_rule2.target='DSCP'
firewall.omr_dscp_rule2.set_dscp='CS4'
firewall.omr_dscp_rule2.src='*'
firewall.omr_dscp_rule2.dest='*'
firewall.omr_dscp_rule2.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule2.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule2.proto='udp'
firewall.omr_dscp_rule2.enabled='1'
firewall.omr_dscp_rule2.src_port='53' '123' '5353'
firewall.omr_dscp_rule2.dest_port='0-65535'
firewall.omr_dscp_rule3=rule
firewall.omr_dscp_rule3.name='omr_dscp_rule3'
firewall.omr_dscp_rule3.target='DSCP'
firewall.omr_dscp_rule3.set_dscp='CS4'
firewall.omr_dscp_rule3.src='*'
firewall.omr_dscp_rule3.dest='*'
firewall.omr_dscp_rule3.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule3.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule3.proto='tcp'
firewall.omr_dscp_rule3.enabled='1'
firewall.omr_dscp_rule3.src_port='53' '5353'
firewall.omr_dscp_rule3.dest_port='0-65535'
firewall.omr_dscp_rule4=rule
firewall.omr_dscp_rule4.name='omr_dscp_rule4'
firewall.omr_dscp_rule4.target='DSCP'
firewall.omr_dscp_rule4.set_dscp='CS4'
firewall.omr_dscp_rule4.src='*'
firewall.omr_dscp_rule4.dest='*'
firewall.omr_dscp_rule4.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule4.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule4.proto='tcp'
firewall.omr_dscp_rule4.enabled='1'
firewall.omr_dscp_rule4.src_port='0-65535'
firewall.omr_dscp_rule4.dest_port='65500'
firewall.omr_dscp_rule5=rule
firewall.omr_dscp_rule5.name='omr_dscp_rule5'
firewall.omr_dscp_rule5.target='DSCP'
firewall.omr_dscp_rule5.set_dscp='CS7'
firewall.omr_dscp_rule5.src='*'
firewall.omr_dscp_rule5.dest='*'
firewall.omr_dscp_rule5.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule5.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule5.proto='tcp'
firewall.omr_dscp_rule5.enabled='1'
firewall.omr_dscp_rule5.src_port='0-65535'
firewall.omr_dscp_rule5.dest_port='65001' '65301' '65401' '65011'
firewall.omr_dscp_rule6=rule
firewall.omr_dscp_rule6.name='omr_dscp_rule6'
firewall.omr_dscp_rule6.target='DSCP'
firewall.omr_dscp_rule6.set_dscp='CS7'
firewall.omr_dscp_rule6.src='*'
firewall.omr_dscp_rule6.dest='*'
firewall.omr_dscp_rule6.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule6.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule6.proto='udp'
firewall.omr_dscp_rule6.enabled='1'
firewall.omr_dscp_rule6.src_port='0-65535'
firewall.omr_dscp_rule6.dest_port='65001' '65301'
firewall.omr_dscp_rule7=rule
firewall.omr_dscp_rule7.name='omr_dscp_rule7'
firewall.omr_dscp_rule7.target='DSCP'
firewall.omr_dscp_rule7.set_dscp='CS6'
firewall.omr_dscp_rule7.src='*'
firewall.omr_dscp_rule7.dest='*'
firewall.omr_dscp_rule7.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule7.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule7.proto='tcp'
firewall.omr_dscp_rule7.enabled='1'
firewall.omr_dscp_rule7.src_port='0-65535'
firewall.omr_dscp_rule7.dest_port='65101' '65228'
firewall.omr_dscp_rule8=rule
firewall.omr_dscp_rule8.name='omr_dscp_rule8'
firewall.omr_dscp_rule8.target='DSCP'
firewall.omr_dscp_rule8.set_dscp='EF'
firewall.omr_dscp_rule8.src='*'
firewall.omr_dscp_rule8.dest='*'
firewall.omr_dscp_rule8.src_ip='0.0.0.0/0'
firewall.omr_dscp_rule8.dest_ip='0.0.0.0/0'
firewall.omr_dscp_rule8.proto='tcp'
firewall.omr_dscp_rule8.enabled='1'
firewall.omr_dscp_rule8.src_port='0-65535'
firewall.omr_dscp_rule8.dest_port='21360'

I've verified that OMR is the DNS server assigned to my PC. Domains added to OMR-Bypass still go through the proxy.

@Ysurac
Copy link
Owner

Ysurac commented Dec 23, 2024

As it's a domain bypass, I would also need the uci show dhcp result.
For firewall.omr_bypass.enabled: it's set to 1 when the omr-bypass service is started and set to 0 when the service is stopped. It's set directly by the init script.

@SpencerXZX
Copy link

uci show dhcp:

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].filter_aaaa='0'
dhcp.@dnsmasq[0].filter_a='0'
dhcp.@dnsmasq[0].server='127.0.0.1#5353' '/lan/' '/use-application-dns.net/'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].rebind_domain='plex.direct'
dhcp.@dnsmasq[0].dnsforwardmax='1500'
dhcp.@dnsmasq[0].interface='loopback' 'lan'
dhcp.@dnsmasq[0].notinterface='wan3' 'wan1' 'wan2'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.force='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.omr_dscp_cs0=ipset
dhcp.omr_dscp_cs0.name='omr_dscp_cs0_4'
dhcp.omr_dscp_cs1=ipset
dhcp.omr_dscp_cs1.name='omr_dscp_cs1_4'
dhcp.omr_dscp_cs1.domain='download.qq.com' 'steamcontent.com' 'gs2.ww.prod.dl.playstation.net' 'dropbox.com' 'dropboxstatic.com' 'dropbox-dns.com' 'log.getdropbox.com' 'drive.google.com' 'drive-thirdparty.googleusercontent.com' 'docs.google.com' 'docs.googleusercontent.com' 'gvt1.com' 'mmg-fna.whatsapp.net' 'upload.youtube.com' 'upload.video.google.com' 'windowsupdate.com' 'update.microsoft.com'
dhcp.omr_dscp_cs2=ipset
dhcp.omr_dscp_cs2.name='omr_dscp_cs2_4'
dhcp.omr_dscp_cs2.domain='googletagmanager.com' 'googleusercontent.com' 'google.com' 'fbcdn.net' 'akamaihd.net' 'whatsapp.net' 'whatsapp.com' 'zoom.us' 'googleapis.com' '1e100.net' 'hwcdn.net'
dhcp.omr_dscp_cs3=ipset
dhcp.omr_dscp_cs3.name='omr_dscp_cs3_4'
dhcp.omr_dscp_cs4=ipset
dhcp.omr_dscp_cs4.name='omr_dscp_cs4_4'
dhcp.omr_dscp_cs4.domain='googlevideo.com' 'nflxvideo.net' 's3.ll.dash.row.aiv-cdn.net' 'd25xi40x97liuc.cloudfront.net' 'aiv-delivery.net' 'fbcdn.net' 'ttvnw.net' 'vevo.com' 'audio-fa.scdn.com' 'deezer.com' 'sndcdn.com' 'last.fm' 'v.redd.it'
dhcp.omr_dscp_cs5=ipset
dhcp.omr_dscp_cs5.name='omr_dscp_cs5_4'
dhcp.omr_dscp_cs5.domain='tv.milkywan.fr'
dhcp.omr_dscp_cs6=ipset
dhcp.omr_dscp_cs6.name='omr_dscp_cs6_4'
dhcp.omr_dscp_cs7=ipset
dhcp.omr_dscp_cs7.name='omr_dscp_cs7_4'
dhcp.omr_dscp_ef=ipset
dhcp.omr_dscp_ef.name='omr_dscp_ef_4'

@hle5128
Copy link

hle5128 commented Dec 24, 2024

I also keep getting these errors; I don't know if they are related to it.

traceroute: Warning: ring.com has multiple addresses; using 52.46.150.230
traceroute to ring.com (52.46.150.230), 64 hops max, 40 byte packets
 1  192.168.100.1 (192.168.100.1)  53.818 ms  2.027 ms  1.849 ms
 2  10.255.252.1 (10.255.252.1)  171.467 ms  82.744 ms  139.467 ms
 3  VPS IP  53.106 ms  35.573 ms  59.518 ms
 4  te0-0-1-2.nr11.b002802-4.mia01.atlas.cogentco.com (38.142.42.161)  120.556 ms  26.665 ms  50.520 ms
 5  te0-6-0-7.rcr21.b002802-2.mia01.atlas.cogentco.com (154.24.4.217)  123.570 ms
    te0-1-0-7.rcr21.b002802-2.mia01.atlas.cogentco.com (154.24.1.93)  71.330 ms
    te0-6-0-7.rcr21.b002802-2.mia01.atlas.cogentco.com (154.24.4.217)  45.836 ms
 6  be3411.ccr22.mia01.atlas.cogentco.com (154.54.26.41)  51.008 ms

Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:52:45 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_eth0_4 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_6 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_6 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_6 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_6 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 24 03:53:39 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory

@Ysurac
Copy link
Owner

Ysurac commented Dec 24, 2024

OMR-ByPass doesn't seem to be running in either case. Maybe it crashes... I will check after Christmas.

@Ysurac
Copy link
Owner

Ysurac commented Dec 26, 2024

Should be better in latest snapshot. It's still compiling...

@SpencerXZX
Copy link

Hi Ysurac,
I have to run:

/etc/init.d/omr-bypass restart

after making changes in omr-bypass in order to get it to work. It then works until I make another change, such as adding a domain. Then I have to restart again. I manually applied the omr-bypass patch; I didn't see an updated snapshot for x86.

@Ysurac
Copy link
Owner

Ysurac commented Dec 26, 2024

The changes seem to work; it was due to an "exit 0" in the stop part of the init script. Now, after a /etc/init.d/omr-bypass reload, uci get firewall.omr_bypass.enabled should return 1.
Otherwise this may be another issue...
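
To check the state described in this thread without guessing (the enabled flag that the init script toggles, and the omr_dst_bypass_* sets that dnsmasq reported as "No such file or directory" in the log posted above), here is a small diagnostic script. It is an added example for this thread, not part of OpenMPTCProuter. It assumes an OpenWrt/fw4 router with uci, nft, logread and dnsmasq listening on 127.0.0.1; the set naming omr_dst_bypass_<interface>_4 / _6 is inferred from the error lines above, and the busybox nslookup output format it parses is also an assumption.

```sh
#!/bin/sh
# Added diagnostic for this thread; not part of OpenMPTCProuter.
# Assumptions: OpenWrt/fw4 router with uci, nft, logread and dnsmasq on 127.0.0.1.
# The set names omr_dst_bypass_<interface>_4 / _6 are inferred from the dnsmasq
# errors posted in the thread; the busybox nslookup output format is an assumption too.

# 1. Value of firewall.omr_bypass.enabled from `uci show firewall` output.
#    The init script sets it to 1 on start and 0 on stop, so "0" means fw4 is
#    ignoring the omr_bypass include and no bypass sets/rules get created.
omr_bypass_enabled() {
	# $1: text of `uci show firewall`
	printf '%s\n' "$1" | sed -n "s/^firewall\.omr_bypass\.enabled='\([01]\)'$/\1/p"
}

# 2. nftables sets dnsmasq tried to fill but could not find, deduplicated.
#    Every address dnsmasq resolves under a bypassed domain produces one such
#    line while the set is missing, so this lists exactly the sets fw4 never built.
missing_nftsets() {
	# $1: dnsmasq log lines, e.g. from `logread -e nftset`
	printf '%s\n' "$1" |
		sed -n 's/.*nftset inet fw4 \([A-Za-z0-9_]*\) Error: No such file or directory.*/\1/p' |
		sort -u
}

# 3. Sets that should exist: one IPv4 and one IPv6 set per interface section in
#    `uci show omr-bypass` (lines such as "omr-bypass.eth0=interface").
expected_bypass_sets() {
	# $1: text of `uci show omr-bypass`
	printf '%s\n' "$1" |
		sed -n 's/^omr-bypass\.\([A-Za-z0-9_]*\)=interface$/\1/p' |
		while read -r ifc; do
			printf 'omr_dst_bypass_%s_4\nomr_dst_bypass_%s_6\n' "$ifc" "$ifc"
		done
}

# Live check on the router: `sh omr-bypass-check.sh nflxvideo.net`
live_check() {
	dom=$1
	echo "firewall.omr_bypass.enabled = $(omr_bypass_enabled "$(uci show firewall)")"
	echo "sets dnsmasq could not write to:"
	missing_nftsets "$(logread -e nftset)" | sed 's/^/  /'
	# Resolve through the router's own dnsmasq so its nftset hook fires for this
	# name; the pattern accepts both "Address: x.x.x.x" and "Address 1: x.x.x.x".
	ip=$(nslookup "$dom" 127.0.0.1 2>/dev/null |
		sed -n 's/^Address:*[[:space:]]*[0-9]*:*[[:space:]]*\([0-9.]*\)$/\1/p' | head -n 1)
	echo "$dom -> ${ip:-<no A record>}"
	for s in $(expected_bypass_sets "$(uci show omr-bypass)"); do
		if nft list set inet fw4 "$s" >/dev/null 2>&1; then
			state=present
			if [ -n "$ip" ] && nft list set inet fw4 "$s" | grep -qwF "$ip"; then
				state="present, contains $ip"
			fi
		else
			state=MISSING
		fi
		echo "  $s: $state"
	done
}

# Only touch the system when run on the router with a domain argument.
if [ -n "${1:-}" ] && command -v uci >/dev/null 2>&1 && command -v nft >/dev/null 2>&1; then
	live_check "$1"
fi
```

Run it on the router right after "Save and Apply" and again after /etc/init.d/omr-bypass restart: if enabled flips from 0 to 1 and the MISSING sets become present, the symptom in this thread (rules only work after a manual restart) is the init-script problem described above rather than a domain-matching problem. dnsmasq's nftset directive matches the listed domain and every name under it, so once the sets exist an address resolved for a long CDN hostname under nflxvideo.net lands in the same set as one resolved for nflxvideo.net itself.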

@SpencerXZX
Copy link

uci get firewall.omr_bypass.enabled does return 1 for me.

However, after I hit "Save and Apply" I run a traceroute on one of the domains, and it goes through my VPS. I then execute:

/etc/init.d/omr-bypass restart

And traceroute again, and it properly goes straight to my WAN ISP and not through VPS.

@SpencerXZX
Copy link

Update: This also has to be done on first boot otherwise the rule does not work. I ran /etc/init.d/omr-bypass restart between these traceroute tests after a fresh reboot on the December 27th snapshot for x86_64.

image

@sieade245
Copy link

Update: This also has to be done on first boot otherwise the rule does not work. I ran /etc/init.d/omr-bypass restart between these traceroute tests after a fresh reboot on the December 27th snapshot for x86_64.

image

Hi, just wanted to say thanks for the fault diagnosis work on this. I've been tearing my hair out myself trying to set up the bypass. I've received several hundred negative wife points as Netflix would work, then not work, then work as I was working on it. Like you, I was sure I had the settings correct. I was forcing the restart a different way, by changing the default proxy method each time, which seemed to fix it... until I made another change to the rules. Really glad to see it wasn't just me doing it wrong!

@hle5128
Copy link

hle5128 commented Dec 29, 2024

I noticed that the bypass stopped working more often; I have to run the command "/etc/init.d/omr-bypass restart" to make it work again. I would say it crashes more often.

@Ysurac
Copy link
Owner

Ysurac commented Dec 29, 2024

Check the latest snapshot; reload and restart are now the same. This can be slow to start for some service bypasses (for example Amazon).

@hle5128
Copy link

hle5128 commented Dec 30, 2024

Check the latest snapshot; reload and restart are now the same. This can be slow to start for some service bypasses (for example Amazon).

I'm using the latest snapshot: [openmptcprouter-v0.62-snapshot-6.6-r0+28194-cc69be0c13-rockchip-armv8-friendlyarm_nanopi-r5s], and omr-bypass is crashing frequently on it.

Notice a sample log below:
At Dec 29 23:11:28 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running, when I had restarted the firewall manually with /etc/init.d/omr-bypass restart, curl ifconfig.me successfully revealed the IP of the WAN.
During this time everything worked, then
at Dec 29 23:19:33 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass... omr-bypass auto-crashed, restarted and stopped working;
then it crashed again and auto-reloaded at Dec 29 23:31:58 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running.

But when it auto-reloads, omr-bypass says it is running, but the bypass is not working (confirmed by ifconfig.me).
We have to manually execute /etc/init.d/omr-bypass restart to make it work again, but then it goes into the crash loop again.

Here is the full log of 3 crash cycles; even though it restarted the bypass itself, it didn't work until we executed /etc/init.d/omr-bypass restart.

Dec 29 23:11:28 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
Dec 29 23:11:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) cc:db:a7:0c:f6:54 
Dec 29 23:11:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:11:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:11:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 espressif
Dec 29 23:12:11 OpenMPTCProuter user.notice post-tracking-002-error: wan2 (eth2) switched off because check error and ping from 192.168.6.27 error (1.0.0.1,114.114.115.115,1.2.4.8)
Dec 29 23:12:12 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth2
Dec 29 23:13:00 OpenMPTCProuter user.notice post-tracking-003-up: wan2 (eth2) switched up
Dec 29 23:13:01 OpenMPTCProuter user.notice post-tracking-003-up: Interface route not yet set, set route ip r add default via 192.168.6.1 dev eth2 metric 6
Dec 29 23:13:01 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth2
Dec 29 23:13:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:13:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:13:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:13:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:13:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:13:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:14:28 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.183 64:52:99:a3:0c:cb 
Dec 29 23:14:28 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.183 64:52:99:a3:0c:cb MyQ-90A
Dec 29 23:14:31 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:14:31 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:14:31 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:14:31 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:15:01 OpenMPTCProuter user.notice post-tracking-002-error: wan1 (eth0) switched off because check error and ping from 192.168.5.122 error (4.2.2.1,8.8.8.8,80.67.169.12)
Dec 29 23:15:01 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth0
Dec 29 23:15:24 OpenMPTCProuter user.notice post-tracking-003-up: wan1 (eth0) switched up
Dec 29 23:15:25 OpenMPTCProuter user.notice post-tracking-003-up: Interface route not yet set, set route ip r add default via 192.168.5.1 dev eth0 metric 5
Dec 29 23:15:26 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth0
Dec 29 23:16:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:16:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:17:04 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) cc:db:a7:0c:f6:54 
Dec 29 23:17:04 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:17:04 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:17:04 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 espressif
Dec 29 23:17:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:17:06 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 espressif
Dec 29 23:17:37 OpenMPTCProuter user.notice post-tracking-002-error: wan1 (eth0) switched off because check error and ping from 192.168.5.122 error (208.67.222.222,208.67.222.220,4.2.2.1)
Dec 29 23:17:38 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth0
Dec 29 23:18:07 OpenMPTCProuter user.notice post-tracking-003-up: wan1 (eth0) switched up
Dec 29 23:18:08 OpenMPTCProuter user.notice post-tracking-003-up: Interface route not yet set, set route ip r add default via 192.168.5.1 dev eth0 metric 5
Dec 29 23:18:08 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth0
Dec 29 23:18:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.178 ce:be:3c:bc:22:dc 
Dec 29 23:18:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.178 ce:be:3c:bc:22:dc iPhone
Dec 29 23:18:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) 60:e8:5b:7e:89:82 
Dec 29 23:18:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:18:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:18:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:18:48 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.178 ce:be:3c:bc:22:dc 
Dec 29 23:18:48 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.178 ce:be:3c:bc:22:dc iPhone
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.178 ce:be:3c:bc:22:dc 
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.178 ce:be:3c:bc:22:dc iPhone
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) 60:e8:5b:7e:89:82 
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:18:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:18:52 OpenMPTCProuter user.notice post-tracking-002-error: wan1 (eth0) switched off because check error and ping from 192.168.5.122 error (80.67.169.40,114.114.114.114,1.1.1.1)
Dec 29 23:18:53 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth0
Dec 29 23:19:16 OpenMPTCProuter user.notice post-tracking-003-up: wan1 (eth0) switched up
Dec 29 23:19:17 OpenMPTCProuter user.notice post-tracking-003-up: Interface route not yet set, set route ip r add default via 192.168.5.1 dev eth0 metric 5
Dec 29 23:19:17 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth0
Dec 29 23:19:18 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.133 10:b9:c4:5b:a4:e9 
Dec 29 23:19:18 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.133 10:b9:c4:5b:a4:e9 Ques-iMac
Dec 29 23:19:22 OpenMPTCProuter user.notice post-tracking-002-error: omrvpn down because IPv4 gateway down
Dec 29 23:19:23 OpenMPTCProuter user.notice post-tracking-002-error: OpenVPN down, restart it
Dec 29 23:19:23 OpenMPTCProuter daemon.err openvpn(omr)[12835]: event_wait : Interrupted system call (fd=-1,code=4)
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[12835]: /usr/libexec/openvpn-hotplug route-pre-down omr tun0 1420 0 10.255.252.2 255.255.255.0 init
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[12835]: net_addr_v4_del: 10.255.252.2 dev tun0
Dec 29 23:19:23 OpenMPTCProuter daemon.notice ttyd[19397]: [2024/12/29 23:19:23:7233] N: rops_handle_POLLIN_netlink: DELADDR
Dec 29 23:19:23 OpenMPTCProuter daemon.notice ttyd[19397]: [2024/12/29 23:19:23:7255] N: rops_handle_POLLIN_netlink: DELADDR
Dec 29 23:19:23 OpenMPTCProuter user.notice NET: hotplug (iface): action='remove' interface='tun0'
Dec 29 23:19:23 OpenMPTCProuter daemon.info ModemManager[18452]: hotplug: remove network interface tun0: event processed
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[12835]: /usr/libexec/openvpn-hotplug down omr tun0 1420 0 10.255.252.2 255.255.255.0 init
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[12835]: SIGTERM[hard,] received, process exiting
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: OpenVPN 2.6.12 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: DCO version: N/A
Dec 29 23:19:23 OpenMPTCProuter daemon.warn openvpn(omr)[18556]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 23:19:23 OpenMPTCProuter daemon.warn openvpn(omr)[18556]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: TCP/UDP: Preserving recently used remote address: [AF_INET]VPS IP:65301
Dec 29 23:19:23 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: Attempting to establish TCP connection with [AF_INET]VPS IP:65301
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: TCP connection established with [AF_INET]VPS IP:65301
Dec 29 23:19:24 OpenMPTCProuter daemon.warn openvpn(omr)[18556]: Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR): Not supported (errno=95)
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: TCPv4_CLIENT link local: (not bound)
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: TCPv4_CLIENT link remote: [AF_INET]VPS IP:65301
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: [server] Peer Connection Initiated with [AF_INET]VPS IP:65301
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is disabled
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Network device 'tun0' link is down
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' has link connectivity loss
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: omrvpn (13169): udhcpc: SIOCGIFINDEX: No such device
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: omrvpn (13169): udhcpc: read error: Network is down, reopening socket
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: omrvpn (13169): udhcpc: bind: No such device
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is now down
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: TUN/TAP device tun0 opened
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: net_iface_mtu_set: mtu 1420 for tun0
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: net_iface_up: set tun0 up
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: net_addr_v4_add: 10.255.252.2/24 dev tun0
Dec 29 23:19:24 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: /usr/libexec/openvpn-hotplug up omr tun0 1420 0 10.255.252.2 255.255.255.0 init
Dec 29 23:19:24 OpenMPTCProuter user.notice NET: hotplug (iface): action='add' interface='tun0'
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is enabled
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Network device 'tun0' link is up
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' has link connectivity 
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is setting up now
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: started, v1.36.1
Dec 29 23:19:24 OpenMPTCProuter daemon.info ModemManager[18719]: hotplug: add network interface tun0: event processed
Dec 29 23:19:24 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: broadcasting discover
Dec 29 23:19:27 OpenMPTCProuter user.notice post-tracking-003-up: Tunnel up : Replace default route by 10.255.252.1 dev tun0 (was 192.168.5.1)
Dec 29 23:19:27 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: broadcasting discover
Dec 29 23:19:29 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: Initialization Sequence Completed
Dec 29 23:19:30 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: broadcasting discover
Dec 29 23:19:33 OpenMPTCProuter user.notice firewall.omr-server: Firewall reload, set server part firewall reloading
Dec 29 23:19:33 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:39 OpenMPTCProuter user.notice firewall.omr-server: Firewall reload, set server part firewall reloading
Dec 29 23:19:39 OpenMPTCProuter user.notice omr-bypass: Reload dnsmasq...
Dec 29 23:19:40 OpenMPTCProuter daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Dec 29 23:19:40 OpenMPTCProuter daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 names
Dec 29 23:19:40 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Dec 29 23:19:40 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
Dec 29 23:19:42 OpenMPTCProuter user.notice firewall.omr-server: Firewall reload, set server part firewall reloading
Dec 29 23:21:09 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:21:09 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:21:09 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:21:09 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:21:10 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:21:10 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:21:30 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.201 54:44:a3:53:13:f2 
Dec 29 23:21:30 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.201 54:44:a3:53:13:f2 Samsung
Dec 29 23:21:30 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.201 54:44:a3:53:13:f2 
Dec 29 23:21:30 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.201 54:44:a3:53:13:f2 Samsung
Dec 29 23:22:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) cc:db:a7:0c:f6:54 
Dec 29 23:22:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:22:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:22:12 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 espressif
Dec 29 23:22:41 OpenMPTCProuter daemon.notice netifd: wan2 (30927): udhcpc: sending renew to server 192.168.6.1
Dec 29 23:22:41 OpenMPTCProuter daemon.notice netifd: wan2 (30927): udhcpc: lease of 192.168.6.27 obtained from 192.168.6.1, lease time 43200
Dec 29 23:23:16 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.129 d0:3f:27:98:4f:72 
Dec 29 23:23:16 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.129 d0:3f:27:98:4f:72 HL_PAN3-D03F27984F72
Dec 29 23:23:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:23:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:23:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) 60:e8:5b:7e:89:82 
Dec 29 23:23:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:23:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:23:50 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:23:56 OpenMPTCProuter user.notice post-tracking-002-error: wan1 (eth0) switched off because check error and ping from 192.168.5.122 error (1.2.4.8,80.67.169.40,114.114.114.114)
Dec 29 23:23:56 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth0
Dec 29 23:23:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.199 9c:53:22:94:22:28 
Dec 29 23:23:59 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.199 9c:53:22:94:22:28 HS103
Dec 29 23:24:20 OpenMPTCProuter user.notice post-tracking-003-up: wan1 (eth0) switched up
Dec 29 23:24:21 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth0
Dec 29 23:24:23 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.155 00:22:6c:0f:32:00 
Dec 29 23:24:23 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.155 00:22:6c:0f:32:00 Fosi
Dec 29 23:24:48 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.135 34:3e:a4:9d:b1:07 
Dec 29 23:24:48 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.135 34:3e:a4:9d:b1:07 ChimePro-07
Dec 29 23:26:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:26:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:27:19 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) cc:db:a7:0c:f6:54 
Dec 29 23:27:19 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:27:19 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 
Dec 29 23:27:19 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.120 cc:db:a7:0c:f6:54 espressif
Dec 29 23:28:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:28:38 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:28:49 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.212 44:6f:f8:07:ff:49 
Dec 29 23:28:49 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.212 44:6f:f8:07:ff:49 X1F-US-RJA5426A
Dec 29 23:29:01 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.119 7c:78:b2:87:84:b4 
Dec 29 23:29:01 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.119 7c:78:b2:87:84:b4 HL_PAN2-7C78B28784B4
Dec 29 23:30:22 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(eth1) d8:8b:4c:fd:53:08 
Dec 29 23:30:22 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPOFFER(eth1) 192.168.100.108 d8:8b:4c:fd:53:08 
Dec 29 23:30:22 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.108 d8:8b:4c:fd:53:08 
Dec 29 23:30:22 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.108 d8:8b:4c:fd:53:08 YS-L1603025308
Dec 29 23:31:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(eth1) 192.168.100.200 60:e8:5b:7e:89:82 
Dec 29 23:31:08 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: DHCPACK(eth1) 192.168.100.200 60:e8:5b:7e:89:82 airthings-view
Dec 29 23:31:29 OpenMPTCProuter user.notice post-tracking-002-error: wan1 (eth0) switched off because check error and ping from 192.168.5.122 error (114.114.114.114,1.1.1.1,208.67.222.222)
Dec 29 23:31:29 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth0
Dec 29 23:31:32 OpenMPTCProuter user.notice post-tracking-002-error: wan2 (eth2) switched off because check error and ping from 192.168.6.27 error (1.0.0.1,114.114.115.115,1.2.4.8)
Dec 29 23:31:32 OpenMPTCProuter user.notice post-tracking-002-error: Delete default route to VPS IP dev eth2
Dec 29 23:31:35 OpenMPTCProuter user.notice post-tracking-002-error: omrvpn down because IPv4 gateway down
Dec 29 23:31:36 OpenMPTCProuter user.notice post-tracking-002-error: OpenVPN down, restart it
Dec 29 23:31:36 OpenMPTCProuter daemon.err openvpn(omr)[18556]: event_wait : Interrupted system call (fd=-1,code=4)
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: /usr/libexec/openvpn-hotplug route-pre-down omr tun0 1420 0 10.255.252.2 255.255.255.0 init
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: net_addr_v4_del: 10.255.252.2 dev tun0
Dec 29 23:31:36 OpenMPTCProuter daemon.notice ttyd[19397]: [2024/12/29 23:31:36:3274] N: rops_handle_POLLIN_netlink: DELADDR
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: Network device 'tun0' link is down
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' has link connectivity loss
Dec 29 23:31:36 OpenMPTCProuter daemon.notice ttyd[19397]: [2024/12/29 23:31:36:3298] N: rops_handle_POLLIN_netlink: DELADDR
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: read error: Network is down, reopening socket
Dec 29 23:31:36 OpenMPTCProuter user.notice NET: hotplug (iface): action='remove' interface='tun0'
Dec 29 23:31:36 OpenMPTCProuter daemon.info ModemManager[8267]: hotplug: remove network interface tun0: event processed
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: /usr/libexec/openvpn-hotplug down omr tun0 1420 0 10.255.252.2 255.255.255.0 init
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[18556]: SIGTERM[hard,] received, process exiting
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: OpenVPN 2.6.12 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: DCO version: N/A
Dec 29 23:31:36 OpenMPTCProuter daemon.warn openvpn(omr)[8363]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 23:31:36 OpenMPTCProuter daemon.warn openvpn(omr)[8363]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: TCP/UDP: Preserving recently used remote address: [AF_INET]VPS IP:65301
Dec 29 23:31:36 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: Attempting to establish TCP connection with [AF_INET]VPS IP:65301
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is disabled
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: omrvpn (18848): udhcpc: bind: No such device
Dec 29 23:31:36 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is now down
Dec 29 23:31:47 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: TCP connection established with [AF_INET]VPS IP:65301
Dec 29 23:31:47 OpenMPTCProuter daemon.warn openvpn(omr)[8363]: Note: enable extended error passing on TCP/UDP socket failed (IP_RECVERR): Not supported (errno=95)
Dec 29 23:31:47 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: TCPv4_CLIENT link local: (not bound)
Dec 29 23:31:47 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: TCPv4_CLIENT link remote: [AF_INET]VPS IP:65301
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: [server] Peer Connection Initiated with [AF_INET]VPS IP:65301
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: TUN/TAP device tun0 opened
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: net_iface_mtu_set: mtu 1420 for tun0
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: net_iface_up: set tun0 up
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: net_addr_v4_add: 10.255.252.3/24 dev tun0
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is enabled
Dec 29 23:31:48 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: /usr/libexec/openvpn-hotplug up omr tun0 1420 0 10.255.252.3 255.255.255.0 init
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: Network device 'tun0' link is up
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' has link connectivity 
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: Interface 'omrvpn' is setting up now
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: omrvpn (10825): udhcpc: started, v1.36.1
Dec 29 23:31:48 OpenMPTCProuter user.notice NET: hotplug (iface): action='add' interface='tun0'
Dec 29 23:31:48 OpenMPTCProuter daemon.notice netifd: omrvpn (10825): udhcpc: broadcasting discover
Dec 29 23:31:48 OpenMPTCProuter daemon.info ModemManager[10792]: hotplug: add network interface tun0: event processed
Dec 29 23:31:49 OpenMPTCProuter user.notice post-tracking-003-up: Tunnel up : Replace default route by 10.255.252.1 dev tun0 (was 192.168.5.1)
Dec 29 23:31:49 OpenMPTCProuter user.notice firewall.omr-server: Firewall reload, set server part firewall reloading
Dec 29 23:31:50 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Dec 29 23:31:50 OpenMPTCProuter daemon.notice netifd: omrvpn (10825): udhcpc: broadcasting discover
Dec 29 23:31:53 OpenMPTCProuter daemon.notice openvpn(omr)[8363]: Initialization Sequence Completed
Dec 29 23:31:53 OpenMPTCProuter user.notice post-tracking-003-up: wan1 (eth0) switched up
Dec 29 23:31:53 OpenMPTCProuter daemon.notice netifd: omrvpn (10825): udhcpc: broadcasting discover
Dec 29 23:31:54 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth0
Dec 29 23:31:54 OpenMPTCProuter user.notice OMR-VPS: Can't get vps token, try later
Dec 29 23:31:55 OpenMPTCProuter user.notice post-tracking-003-up: wan2 (eth2) switched up
Dec 29 23:31:55 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:31:55 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:31:55 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:31:55 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:31:55 OpenMPTCProuter user.notice post-tracking-020-status: New public ip detected for wan1 (eth0): 172.56.100.32 (previous: 172.56.98.206)
Dec 29 23:31:56 OpenMPTCProuter user.notice firewall.omr-server: Firewall reload, set server part firewall reloading
Dec 29 23:31:56 OpenMPTCProuter user.notice post-tracking-003-up: Status change, reload MPTCP config for eth2
Dec 29 23:31:57 OpenMPTCProuter user.notice omr-bypass: Reload dnsmasq...
Dec 29 23:31:58 OpenMPTCProuter daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Dec 29 23:31:58 OpenMPTCProuter daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 names
Dec 29 23:31:58 OpenMPTCProuter daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Dec 29 23:31:58 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
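
An added example, not code from the OpenMPTCProuter project or from any commenter in this thread: a small POSIX shell triage for a logread dump like the one above. It counts the bypass restarts that happened while dnsmasq's nftset pushes were failing (the `nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory` lines show dnsmasq trying to add resolved addresses to a set that did not exist at that moment, so the later `OMR-ByPass is running` line does not prove the bypass works), lists which sets were missing, and flags the OpenVPN `No server certificate verification method has been enabled` warning, which means the omr tunnel client would accept any server certificate. The sample log is constructed from a subset of the lines above; `nftset_present` wraps `nft list set` for a live check on the router and assumes nft is installed there.

```shell
#!/bin/sh
# Added example, not code from the OpenMPTCProuter project: triage a logread
# dump for two things worth noticing in the log above.
#
#  1. "Starting OMR-ByPass..." followed by dnsmasq "nftset ... No such file or
#     directory" errors before "OMR-ByPass is running": dnsmasq tried to push
#     resolved bypass IPs into an nftables set that did not exist at that
#     moment, so "running" does not mean the bypass works.
#  2. OpenVPN "No server certificate verification method has been enabled":
#     the omr tunnel client would accept any server certificate.
#
# SAMPLE_LOG is constructed from a subset of the lines above (not a real
# capture). The functions read a log on stdin so `logread | ...` works too.

SAMPLE_LOG=$(cat <<'EOF'
Dec 29 23:11:28 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Dec 29 23:11:28 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
Dec 29 23:19:23 OpenMPTCProuter daemon.warn openvpn(omr)[18556]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 23:19:33 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:38 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:19:40 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
Dec 29 23:31:36 OpenMPTCProuter daemon.warn openvpn(omr)[8363]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 23:31:50 OpenMPTCProuter user.notice omr-bypass: Starting OMR-ByPass...
Dec 29 23:31:55 OpenMPTCProuter daemon.err dnsmasq[1]: nftset inet fw4 omr_dst_bypass_all_4 Error: No such file or directory
Dec 29 23:31:58 OpenMPTCProuter user.notice omr-bypass: OMR-ByPass is running
EOF
)

# Count bypass starts whose dnsmasq nftset pushes failed before the service
# reported itself running. Reads the log on stdin, prints one integer.
broken_bypass_starts() {
    awk '
        /omr-bypass: Starting OMR-ByPass/ { started = 1; errs = 0; next }
        started && /dnsmasq.*nftset .*Error: No such file or directory/ { errs++; next }
        started && /omr-bypass: OMR-ByPass is running/ { if (errs > 0) broken++; started = 0 }
        END { print broken + 0 }
    '
}

# List each "family table set" dnsmasq could not find, deduplicated.
# Fields 8-10 of the dnsmasq line are the family, table and set name.
missing_sets() {
    awk '/dnsmasq.*nftset .*Error: No such file or directory/ { print $8, $9, $10 }' | sort -u
}

# Count OpenVPN client starts that ran without server certificate verification.
unverified_openvpn_starts() {
    awk '/No server certificate verification method has been enabled/ { n++ } END { print n + 0 }'
}

# Live check on the router (not exercised by the sample): does the set exist?
# Usage: nftset_present inet fw4 omr_dst_bypass_all_4
nftset_present() {
    nft list set "$1" "$2" "$3" >/dev/null 2>&1
}

# Report on the constructed sample; on the router, pipe `logread` instead.
printf 'bypass starts with missing nft set: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | broken_bypass_starts)"
printf 'sets dnsmasq could not find:        %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | missing_sets)"
printf 'openvpn starts without cert check:  %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | unverified_openvpn_starts)"
```

On the router itself, `logread | broken_bypass_starts` after a reconnect cycle tells you whether the "is running" message can be trusted, and `nftset_present inet fw4 omr_dst_bypass_all_4` before reloading dnsmasq is the direct check for the race the errors point at.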

@hle5128

hle5128 commented Dec 31, 2024

It appears there is an ongoing issue. The omrvpn and the system frequently crash or restart. It seems that whenever a restart occurs, the bypass is expected to run, but it doesn't. As a result, each time the system restarts, we need to manually run /etc/init.d/omr-bypass restart to get it working again. We are uncertain why the router keeps restarting the connection.

@Ysurac
Owner

Ysurac commented Jan 1, 2025

I removed OMR-ByPass restart in latest snapshot, but I will test asap.

@hle5128

hle5128 commented Jan 3, 2025

I removed OMR-ByPass restart in latest snapshot, but I will test asap.

So far, the version [openmptcprouter-v0.62-snapshot-6.6-r0+28194-cc69be0c13-rockchip-armv8-friendlyarm_nanopi-r5s-ext4..>] has resolved the restart issue, and it has been running without any omr-bypass crashes or problems for over half a day. I will continue to report if any crashes occur for the rest of the day.

But the subdomain issue still remains.

@Schinkentanz
Author

Tested again today with the latest snapshot (openmptcprouter-v0.62-snapshot-6.6-r0+28308-c06d4df974-bcm27xx-bcm2712-rpi-5-squashfs-factory) and a fresh VPS install. Everything now works as intended for me:

  • OMR-Bypass handles subdomains & TLDs
  • Port forwarding & SNAT (combined with a FQDN resolver)
  • Pi-Hole

Thanks @Ysurac. Closing this for now. If anyone is still experiencing problems, feel free to comment or start a new issue. Thanks to all who contributed!
