Bug in wanduck and apparent loss of Internet

ASAT

Senior Member
Whenever I unplug my cable modem, the router magically replaces my DNS redirect rules:
Code:
DNAT  udp  --  192.168.1.0/24  0.0.0.0/0  udp dpt:53 to:192.168.1.1
DNAT  tcp  --  192.168.1.0/24  0.0.0.0/0  tcp dpt:53 to:192.168.1.1

with these ones here:
Code:
DNAT  tcp  --  0.0.0.0/0  !192.168.1.0/24  tcp dpt:80 to:192.168.1.1:18017
DNAT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53 to:192.168.1.1:18018

When power is restored to the cable modem, the router restores my original DNS redirect rules... most of the time!

If it fails to restore my DNS redirect rules, it breaks DNS name resolution for the entire network. The Internet appears to be down because the router is unable to resolve DNS names. This happens quite frequently for me.

I assume it's a bug in /sbin/wanduck. This feature can be turned off in the WebUI and it apparently fixes the problem, but the wanduck process is always running for some reason. I don't like programs that mess with my NAT rules.
Administration -> System -> Enable WAN down browser redirect notice = No

What else does wanduck do besides redirect HTTP and DNS upon loss of the Internet connection? Can wanduck be killed safely at router startup time?

Special thanks to ryzhov_al for these commands:
Code:
lsof -i | grep LISTEN
lsof -iUDP
SOURCE: http://www.snbforums.com/threads/whats-up-with-all-the-open-ports.25349/
 
Wanduck manages the WAN interface. It detects and handles things when the WAN goes down, takes care of failover management when in Dual WAN mode, manages the WAN LED state, etc...

If your firewall rules don't get re-applied, then you are probably not applying them in the correct location. These should probably be in nat-start (depending on where you apply them). Ideally though, you should be using DNSFilter if your goal is simply to redirect DNS queries to the router. Enable DNSFilter, and set its global mode to "Router". That will redirect all DNS queries to the router's IP.
 
If your firewall rules don't get re-applied, then you are probably not applying them in the correct location. These should probably be in nat-start (depending on where you apply them)
When I power cycle the cable modem, the following custom scripts are always run:
Code:
/jffs/scripts/wan-start
/jffs/scripts/nat-start
/jffs/scripts/firewall-start
/jffs/scripts/dnsmasq.postconf

Therefore, I moved my NAT rules from firewall-start to nat-start.

And, in wan-start I added a check to run it only at router start up time. It starts dnscrypt-proxy and handles the special case of using hostip to resolve the NTP server name at router start up time. These operations need not be done every time the cable modem is power cycled or the WAN link is restored. I simply check 'pidof dnscrypt-proxy' to know if the router has just powered up, OR if it is a restored WAN link.
 
When I power cycle the cable modem, the following custom scripts are always run:
Code:
/jffs/scripts/wan-start
/jffs/scripts/nat-start
/jffs/scripts/firewall-start
/jffs/scripts/dnsmasq.postconf

Therefore, I moved my NAT rules from firewall-start to nat-start.

And, in wan-start I added a check to run it only at router start up time. It starts dnscrypt-proxy and handles the special case of using hostip to resolve the NTP server name at router start up time. These operations need not be done every time the cable modem is power cycled or the WAN link is restored. I simply check 'pidof dnscrypt-proxy' to know if the router has just powered up, OR if it is a restored WAN link.

Any iptables change you make in wan-start will most likely be overwritten by nat-start (mangle table) and firewall-start (filter table). That's why the location is critical when modifying iptables rules, as each stage will overwrite the firewall tables it's meant to manage.
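
An added example, not posted by anyone in this thread: a small shell check that reads a nat table listing in the format shown in the first post and reports whether the LAN DNS redirect rules are in place, missing, or replaced by the WAN-down redirects to ports 18017/18018. The function name, the state names and the sample listings are assumptions made for illustration; the addresses and ports are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it a listing such as:
#   iptables -t nat -L PREROUTING -n | classify_nat_state
ROUTER_IP="192.168.1.1"     # router address quoted in the thread
LAN_NET="192.168.1.0/24"    # LAN subnet quoted in the thread

# Reads a rule listing on stdin and prints exactly one state:
#   ok                        both udp and tcp port 53 redirects exist
#   wanduck-redirect-present  a DNAT to port 18017 or 18018 is installed
#   dns-redirect-missing      neither of the above
classify_nat_state() {
    awk -v ip="$ROUTER_IP" -v lan="$LAN_NET" '
        $1 != "DNAT" { next }          # skip headers and other targets
        {
            target = $NF               # e.g. to:192.168.1.1:18018
            if (target == "to:" ip ":18017" || target == "to:" ip ":18018") {
                wanduck = 1
            }
            # Custom rule: source is the LAN, dpt:53, redirected to the
            # router with no explicit port.
            if ($4 == lan && $(NF-1) == "dpt:53" && target == "to:" ip) {
                if ($2 == "udp") { udp = 1 }
                if ($2 == "tcp") { tcp = 1 }
            }
        }
        END {
            if (wanduck) {
                print "wanduck-redirect-present"
            } else if (udp && tcp) {
                print "ok"
            } else {
                print "dns-redirect-missing"
            }
        }'
}

# Constructed sample listings, built from the rule lines quoted in the thread.
SAMPLE_NORMAL='DNAT  udp  --  192.168.1.0/24  0.0.0.0/0  udp dpt:53 to:192.168.1.1
DNAT  tcp  --  192.168.1.0/24  0.0.0.0/0  tcp dpt:53 to:192.168.1.1'
SAMPLE_WAN_DOWN='DNAT  tcp  --  0.0.0.0/0  !192.168.1.0/24  tcp dpt:80 to:192.168.1.1:18017
DNAT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53 to:192.168.1.1:18018'
SAMPLE_HALF_RESTORED='DNAT  udp  --  192.168.1.0/24  0.0.0.0/0  udp dpt:53 to:192.168.1.1'
```

Seeing `wanduck-redirect-present` or `dns-redirect-missing` after the WAN link is back up matches the failure described in the first post, where the custom rules were not restored.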
 
