Network Services Filter Table whitelist CIDR format


msallal

Hi,

I noticed some 522 errors on my website, the log shows
May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.126.246 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=23384 DF PROTO=TCP SPT=49570 DPT=443 SEQ=79665149 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000
May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.127.23 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=4183 DF PROTO=TCP SPT=54430 DPT=443 SEQ=1792437153 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000


To fix this I am trying to add a whitelist for those IP ranges (Cloudflare IPs, in CIDR format) to point to my webserver, but I got this error.

Any advice please?

 
The network services filter is for blocking LAN to WAN traffic, not the other way around.
 
Why are those 522 so-called errors considered errors at all?! Presumably those are just attempts to access the external (public) IP and port of your router, which blocks them by default. All perfectly normal. If instead you want to allow access, you enable port forwarding. And if you want to limit access to those port forwards to specific public IP/networks, you include the Source IP field in your port forwards.
 
I already enabled port forwarding for those Cloudflare IPs, but I am still having this 522 error sometimes, not always.
After a lot of reading, it seems to be blocked by DDoS and firewall, that's why I need to whitelist those IPs through the firewall.
 
As @eibgrad said, you need to specify the source on the Virtual Server / Port Forwarding page. If you've already done this then there's nothing else to do as the firewall will already be dropping packets from other sources.


But my guess is that this is an issue with your server rather than the router. You can check that Enable DoS protection is disabled on the Firewall > General page and see if that makes a difference.
 
It seems that when I turn off the firewall, this issue no longer shows.
The question here is how to determine the reason for this packet drop from this log:

May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.126.246 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=23384 DF PROTO=TCP SPT=49570 DPT=443 SEQ=79665149 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000
May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.127.23 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=4183 DF PROTO=TCP SPT=54430 DPT=443 SEQ=1792437153 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000


Thank you
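An added example (Python, written for this edit, not code from the thread or any of its posters) that parses the two DROP lines above and separates what they establish from what they cannot: IN and OUT both set puts the packet on the forward path, a private DST with a public SRC means the port forward's DNAT had already rewritten the destination, SYN without ACK means a new connection, and the source is checked against a Cloudflare range. The 172.64.0.0/13 range and the private-DST heuristic are assumptions marked in the code; the log never names the rule that dropped the packet, which is what the iptables counters are for.

```python
import ipaddress
import re

# The two kernel DROP lines from the original post (MAC placeholder kept as posted).
LOG_LINES = [
    "May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.126.246 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=23384 DF PROTO=TCP SPT=49570 DPT=443 SEQ=79665149 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000",
    "May 16 11:24:38 kernel: DROP IN=eth0 OUT=br0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.70.127.23 DST=10.0.0.4 LEN=52 TOS=0x0C PREC=0x60 TTL=53 ID=4183 DF PROTO=TCP SPT=54430 DPT=443 SEQ=1792437153 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010104020103030A) MARK=0x8000000",
]
# Assumption: 172.64.0.0/13 is one of Cloudflare's published IPv4 ranges; load the
# full current list from https://www.cloudflare.com/ips/ before relying on this.
CLOUDFLARE_V4 = [ipaddress.ip_network("172.64.0.0/13")]
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a kernel log line plus its bare TCP flag tokens."""
    m = re.search(r"kernel: (\w+) (.*)$", line)
    if not m:
        return None
    rest = m.group(2)
    fields = {"ACTION": m.group(1)}
    fields.update(re.findall(r"(\w+)=(\S*)", rest))
    # SYN is a bare token; ACK=0 and URGP=0 are fields, not flags, hence the (?!=) guard.
    fields["FLAGS"] = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b(?!=)", rest)]
    return fields


def analyse(line, whitelist):
    """What the line proves, and what it cannot: it never names the rule that dropped it."""
    f = parse_netfilter_line(line)
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    return {
        "action": f["ACTION"],
        "src": str(src),
        "service": f"{f.get('PROTO')}/{f.get('DPT')}",
        # IN and OUT both present: packet was on the forward path (WAN -> LAN), not to the router.
        "forwarded": bool(f.get("IN")) and bool(f.get("OUT")),
        # Heuristic: public SRC, private DST means the port-forward DNAT already rewrote DST.
        "post_dnat": dst.is_private and not src.is_private,
        "new_connection": "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"],
        "src_whitelisted": any(src in net for net in whitelist),
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        r = analyse(line, CLOUDFLARE_V4)
        print(r["src"], r["service"], "forwarded" if r["forwarded"] else "to-router",
              "post-DNAT" if r["post_dnat"] else "pre-DNAT", "SYN" if r["new_connection"] else "-",
              "whitelisted: check FORWARD rule order/counters" if r["src_whitelisted"] else "not whitelisted")
```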
 
What rule have you set up to allow it? Did you set up a Port Forward like in Colin's screenshot?
 
Yes, nothing in NSF, I cleared everything.
I think the quickest way to understand what's happening is for you to SSH into the router and post the output of the iptables-save command. Replace your public IP address in the output with a bogus address. The output of iptables -L -v -n would also be useful.
 
You are right, please check my exported iptables.

Thank you so much
Appreciate your time
 

Attachments

  • iptables.txt
Another question here: when I changed the port forwarding from TCP to Both (UDP and TCP), I saw better performance than before with fewer 522 errors. My understanding is that HTTP uses TCP only, is that correct?
 
Can you run iptables-save -c to get the rule hit counts?

What VPN is configured on your router?
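An added example (Python, not the thread's own code) of reading the hit counters that iptables-save -c prints, run over a constructed FORWARD chain (not the OP's attachment) in which the whitelist ACCEPT sits behind a broader DROP: it lists every DROP that actually discarded packets, the chain policy included, and flags zero-hit ACCEPT rules that follow a hitting DROP in the same chain.

```python
import re

# Constructed sample in `iptables-save -c` format (not the OP's iptables.txt attachment).
# Each rule is prefixed with [packets:bytes]; a chain's policy line counts the packets
# that reached the end of the chain and were handled by its default policy.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [37:1924]
[120:6240] -A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[15:780] -A FORWARD -i eth0 -o br0 -m state --state INVALID -j DROP
[9:468] -A FORWARD -i eth0 -o br0 -p tcp -d 10.0.0.4/32 --dport 443 -j DROP
[0:0] -A FORWARD -i eth0 -o br0 -p tcp -s 172.64.0.0/13 -d 10.0.0.4/32 --dport 443 -j ACCEPT
COMMIT
"""
POLICY = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*?) -j (\S+)(.*)$")


def parse_counters(text):
    """Return (rules in chain order, chain policies), each with its packet counter."""
    rules, policies = [], {}
    for line in text.splitlines():
        if m := POLICY.match(line):
            policies[m.group(1)] = {"policy": m.group(2), "pkts": int(m.group(3))}
        elif m := RULE.match(line):
            rules.append({"chain": m.group(3), "pkts": int(m.group(1)),
                          "match": m.group(4), "target": m.group(5)})
    return rules, policies


def discards_with_hits(rules, policies):
    """Every place that actually threw packets away: the suspects for the logged DROPs."""
    hits = [(r["chain"], r["pkts"], f"{r['match']} -j {r['target']}")
            for r in rules if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0]
    hits += [(c, p["pkts"], f"chain policy {p['policy']}")
             for c, p in policies.items() if p["policy"] == "DROP" and p["pkts"] > 0]
    return hits


def shadowed_accepts(rules):
    """Heuristic: zero-hit ACCEPT rules placed after a hitting DROP in the same chain."""
    out, chains_with_drops = [], set()
    for r in rules:
        if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0:
            chains_with_drops.add(r["chain"])
        elif r["target"] == "ACCEPT" and r["pkts"] == 0 and r["chain"] in chains_with_drops:
            out.append(f"{r['chain']}: {r['match']}")
    return out


if __name__ == "__main__":
    rules, policies = parse_counters(SAMPLE)
    print(discards_with_hits(rules, policies), shadowed_accepts(rules), sep="\n")
```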
 
