Security bug : Administration reachable over WAN

[Zuultroet]

I'm confused by this part. If that were the case, then your Asus router's shouldn't have a 192.168.0.x as its WAN IP, but the actual ISP WAN IP. Did you configure any particular routing rules on either devices? All netmasks are left to 255.255.255.0

Sorry, I'll try to be more clear :

my initial configuration was :
[ISP's router] -> 192.168.0.x -> [ASUS] -> 192.168.1.x -> LAN
I did this for testing purposes, to be able to configure the Asus without exposing it to the Internet.

Then a few posts later, to be able to scan the Asus from grc.com, I switched the ISP's router as a simple modem, which was to be my setup, once I had validated the Asus :
[ISP's modem] -> 78.217.x.x -> [ASUS] ->192.168.x.x -> LAN


Hence, at the beginning of this thread, scanning while connected to the ISP's router allowed me to scan the WAN side of the Asus. Subsequently I made the changes mentioned to make the discussion simpler.

Make sure your phone isn't also connected to Wifi (I've seen a user previously mention having firewalling issues while testing with his phone, until he realized his phone was actually connected to his Wifi network and not 3G).

I'm pretty sure the phone is on 3G : To make sure of if, when I try to connect to the Admin page of the router from the LAN while already connected to it from my phone, I get :
"Login user IP: 37.161.xx.xx
You cannot Login unless logout another user first."

sites such as ipchicken.com show that this is effectively the external IP address of my phone, quite different from the 78.217.x.x of my DSL line, or the 192.168.x.x of my LAN.

Besides, a scan from grc.com, which is definitely out of my LAN, does confirm the opening and closing of port 80.

Also make sure it didn't automatically connect to the OpenVPN server, as that would allow your phone to totally bypass the firewall. That might explain why the issue only appears when the OpenVPN server is started.

I'm quite sure of that too : I only enabled OpenVPN server 1 on the router without further settings, I have not even installed yet the OpenVPN client on my phone.

Can you post the current firewall rules on your Asus router while you are seeing port 80 being reachable? Go to the Tools -> Run Cmd page, and run the following command:


iptables -L -v


This would confirm whether your firewall is properly working, or if it failed to properly get applied (that can happen when there is an invalid rule, for instance).

here it is, with openVPN server 1 activated, Firewall enabled, and port 80 checked available on WAN :

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap21 any anywhere anywhere
2378 219K ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
5 231 DROP all -- any any anywhere anywhere state INVALID
24 8879 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere state NEW
196 19020 ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
25 5720 DROP all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP ipv6-auth-- br0 eth0 anywhere anywhere
0 0 ACCEPT all -- tap21 any anywhere anywhere
0 0 DROP ipv6-crypt-- br0 eth0 anywhere anywhere
0 0 DROP gre -- br0 eth0 anywhere anywhere
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:4500
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:500
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:1701
0 0 DROP tcp -- br0 eth0 anywhere anywhere tcp dpt:1723
52 2200 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 DROP icmp -- eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
49 2496 ACCEPT all -- br0 any anywhere anywhere

Chain OUTPUT (policy ACCEPT 3179 packets, 3641K bytes)
pkts bytes target prot opt in out source destination

Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination

Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
0 0 ACCEPT all -- any any anywhere anywhere

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
0 0 DROP all -- any any anywhere anywhere

 

[Zuultroet]

What is your ISP and what model ISP modem/router are u using?

The ISP is called "Free" (it is not ! ;-) ), and the modem, called Freebox, is proprietary to it.

 

[Ford Prefect]

here it is, with openVPN server 1 activated, Firewall enabled, and port 80 checked available on WAN :

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap21 any anywhere anywhere
[....]

....OK, you *enable* port 80 on WAN (checked)?...again, no reason to call this a bug when it is available

...and you are using a bridged interface (tap, not tun) for openVPN Server?
Is your openVPN client connected when you do the tests?

 

[speedingcheetah]

The ISP is called "Free" (it is not ! ;-) ), and the modem, called Freebox, is proprietary to it.

Never heard of it....

Where are u located....country etc?

Edit: o...found Free on wikipedia.....France then?

http://en.wikipedia.org/wiki/Free_(ISP)

 

[Zuultroet]

....OK, you *enable* port 80 on WAN (checked)?...again, no reason to call this a bug when it is available

...and you are using a bridged interface (tap, not tun) for openVPN Server?
Is your openVPN client connected when you do the tests?

This was the setup I originally wanted, port 80 being able to go through most restrictive connections, and TAP being my favorite.

The problem occurs even when OpenVPN is on its default port, 1194 : port 80 still gives you access to the Asus's Admin page, not an OpenVPN related port.

The OpenVPN client is not yet even installed on the phone.

Here is an iptables -L -v with openVPN back on its default port, and admin page checked available from the WAN :

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap21 any anywhere anywhere
7532 782K ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
17 864 DROP all -- any any anywhere anywhere state INVALID
34 10528 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 236 ACCEPT all -- lo any anywhere anywhere state NEW
240 24275 ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
264 19270 DROP all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP ipv6-auth-- br0 eth0 anywhere anywhere
0 0 ACCEPT all -- tap21 any anywhere anywhere
0 0 DROP ipv6-crypt-- br0 eth0 anywhere anywhere
0 0 DROP gre -- br0 eth0 anywhere anywhere
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:4500
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:500
0 0 DROP udp -- br0 eth0 anywhere anywhere udp dpt:1701
0 0 DROP tcp -- br0 eth0 anywhere anywhere tcp dpt:1723
829 36043 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 eth0 anywhere anywhere
7 280 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 DROP icmp -- eth0 any anywhere anywhere
41 1800 ACCEPT all -- any any anywhere anywhere ctstate DNAT
192 9920 ACCEPT all -- br0 any anywhere anywhere

Chain OUTPUT (policy ACCEPT 9450 packets, 9834K bytes)
pkts bytes target prot opt in out source destination

Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination

Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
0 0 ACCEPT all -- any any anywhere anywhere

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
0 0 DROP all -- any any anywhere anywhere

 

[Zuultroet]

To be more complete, I tested the behavior :

- both Merlin's 3.0.0.4_374.39_0 and Asus's 3.0.0.4_374_4561 firmwares,
- both with my current settings and right after a NVRAM clear (On+WPS), which I did after each flashing.

Each time the bug was present.

 

[speedingcheetah]

To be more complete, I tested the behavior :

- both Merlin's 3.0.0.4_374.39_0 and Asus's 3.0.0.4_374_4561 firmwares,
- both with my current settings and right after a NVRAM clear (On+WPS), which I did after each flashing.

Is this Admin page open issue only happening with this Asus router....and not some other brand and model?

Only thing I can surmise is there is something with the OpenVPN being enabled that your ISP router seems to do weird things as far as routing goes....or something....either way...ISP routers....are often finicky....

 

[lancer73]

If you telnet into the modem, you can use the netstat command to get information about what is listening on what port.

On top of that, with the iptables command you can see what is allowed and what not (iptables -L and iptables -t nat -L). So you can see if there is any traffic that is routed to a running on another port than the WAN port.


Sent from my iPhone using Tapatalk

 

[speedingcheetah]

If you telnet into the modem, you can use the netstat command to get information about what is listening on what port.

On top of that, with the iptables command you can see what is allowed and what not (iptables -L and iptables -t nat -L). So you can see if there is any traffic that is routed to a running on another port than the WAN port.


Sent from my iPhone using Tapatalk

Good point.... tables from both the Asus router and the ISP modem would help i guess.....maybe someone with an understanding of all of that can spot the issue.

 

[Zuultroet]

If you telnet into the modem, you can use the netstat command to get information about what is listening on what port.

Alas the router's version of netstat does not know -p :-( It understands :
-r Routing table
-a All sockets
-l Listening sockets
Else: connected sockets
-t TCP sockets
-u UDP sockets
-w Raw sockets
-x Unix sockets
Else: all socket types
-e Other/more information
-n Don't resolve names
-W Wide display

here is netstat -l -e, which is the most I could get of it :

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:5473 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3394 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0rinter 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdomain:netbios-ssn 0.0.0.0:* LISTEN
tcp 0 0 router.asus.com:netbios-ssn 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:laserjet 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9998 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:www 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdomain:domain 0.0.0.0:* LISTEN
tcp 0 0 router.asus.com:domain 0.0.0.0:* LISTEN
tcp 0 0 localhost.localdomain:445 0.0.0.0:* LISTEN
tcp 0 0 router.asus.com:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3838 0.0.0.0:* LISTEN
udp 0 0 router.asus.com:netbios-ns 0.0.0.0:*
udp 0 0 0.0.0.0:netbios-ns 0.0.0.0:*
udp 0 0 router.asus.com:netbios-dgm 0.0.0.0:*
udp 0 0 0.0.0.0:netbios-dgm 0.0.0.0:*
udp 0 0 0.0.0.0:9999 0.0.0.0:*
udp 0 0 localhost.localdomain:38032 0.0.0.0:*
udp 0 0 0.0.0.0:42000 0.0.0.0:*
udp 0 0 localhost.localdomain:42032 0.0.0.0:*
udp 0 0 localhost.localdomain:domain 0.0.0.0:*
udp 0 0 router.asus.com:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 0.0.0.0:5474 0.0.0.0:*
udp 0 0 0.0.0.0:18018 0.0.0.0:*
udp 0 0 0.0.0.0:38000 0.0.0.0:*
udp 0 0 0.0.0.0:43000 0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path

I can't draw any conclusion from it :-(

On top of that, with the iptables command you can see what is allowed and what not (iptables -L and iptables -t nat -L). So you can see if there is any traffic that is routed to a running on another port than the WAN port.

Here is Iptable -L :

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1194
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP ipv6-crypt-- anywhere anywhere
DROP gre -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:4500
DROP udp -- anywhere anywhere udp dpt:500
DROP udp -- anywhere anywhere udp dpt:1701
DROP tcp -- anywhere anywhere tcp dpt:1723
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere



... AND here is iptables -t nat -L :

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1194
VSERVER all -- anywhere mez2a-1-78-217-80-56.fbx.proxad.net

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !mez2a-1-78-217-80-56.fbx.proxad.net anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DNSFILTER (0 references)
target prot opt source destination

Chain LOCALSRV (0 references)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- anywhere anywhere

Chain VUPNP (1 references)
target prot opt source destination


The ISP's modem is in pure transparent, bridging mode, with no other routing rules. It is not connected to the LAN, and so should not be able to reach port 80 on the LAN side... I guess

 

[RMerlin]

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap21 any anywhere anywhere
2378 219K ACCEPT tcp -- any any anywhere anywhere tcp dpt:www

That last rule there is what is opening port 80 access to the WAN. That rule should not be there - there is something that is adding that rule to your firewall.

Can you provide the result of these commands (there will be a lot of noise in them, but I want to see if anything is configured on your router to forward port 80):

nvram show | grep 80
grep -r 80 /jffs

Did you install Download Master, or any external package through Optware?

 

[lancer73]

Is Openvpn configured to be at port 80 by any chance? I see port 1723 in the firewall, but not in the running services.


Sent from my iPhone using Tapatalk

 

[Zuultroet]

Can you provide the result of these commands (there will be a lot of noise in them, but I want to see if anything is configured on your router to forward port 80):



nvram show | grep 80

wl0_rxchain_pwrsave_quiet_time=1800
wl_acs_dfsr_deferred=604800 5
wan_gateway=78.217.80.254
qos_rulelist=<Web Surf>>80>tcp>0~512>0<HTTPS>>443>tcp>0~512>0<File Transfer>>80>tcp>512~>3<File Transfer>>443>tcp>512~>3
login_port=80
wl0_acs_dfsr_deferred=604800 5
wl1_rxchain_pwrsave_quiet_time=1800
pci/2/1/sb40and80lr5gmpo=0
lan_port=80
pci/2/1/sb20in80and160lr5gmpo=0
pci/2/1/mcsbw805gmpo=0x99975333
pci/2/1/sb40and80hr5gmpo=0
wl_rxchain_pwrsave_quiet_time=1800
pci/2/1/sb20in80and160hr5gmpo=0
wl1_acs_dfsr_deferred=604800 5
pci/2/1/pa2ga1=0xfe80,0x1472,0xfabc
wl1_radio_pwrsave_quiet_time=1800
pci/2/1/sb40and80lr5glpo=0
webdav_http_port=8082
pci/2/1/sb20in80and160lr5glpo=0
pci/2/1/sb40and80lr5ghpo=0
pci/2/1/mcsbw805glpo=0x99975333
pci/2/1/sb20in80and160lr5ghpo=0
wan_ipaddr=78.217.80.56
pci/2/1/mcsbw805ghpo=0x99975333
pci/2/1/sb40and80hr5glpo=0
pci/2/1/sb20in80and160hr5glpo=0
pci/2/1/sb40and80hr5ghpo=0
pci/2/1/sb20in80and160hr5ghpo=0
qos_orates=80-100,10-100,5-100,3-100,2-95,0-0,0-0,0-0,0-0,0-0
wl_radio_pwrsave_quiet_time=1800
wl0_radio_pwrsave_quiet_time=1800
misc_httpport_x=8080
ct_udp_timeout=30 180

Did you install Download Master, or any external package through Optware?

Download master is not installed (no USB drive connected anyway), and no package was installed via Optware.

The behavior can even be observed right after a Flash + NVRAM clear, with everything left by default, save Router mode + OpenVPN server 1 enabled. I flashed to Asuswrt then back to your (great !) firmware to check.

 

[Zuultroet]

grep -r 80 /jffs

/jffs/syslog.log-1:Feb 20 22:46:12 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Feb 20 22:48:34 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Feb 20 22:48:34 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Feb 20 23:44:57 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Feb 23 13:15:33 dnsmasq-dhcp[382]: DHCPACK(br0) 192.168.68.112 d0:22:be:66:9a:ab android-3e7803591ef14e21
/jffs/syslog.log-1:Feb 23 13:19:33 dnsmasq-dhcp[382]: DHCPACK(br0) 192.168.68.112 d0:22:be:66:9a:ab android-3e7803591ef14e21
/jffs/syslog.log-1:Feb 23 13:38:22 openvpn[639]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 13:46:00 openvpn[691]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 00:00:17 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 00:00:30 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:30 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:14 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 00:00:14 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 00:00:15 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 00:00:16 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 00:00:27 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 00:00:27 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:02:42 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:01:47 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:40 openvpn[422]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 18:11:39 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

continued - was too long for one post....

 

[Zuultroet]

...continued - was too long for one post

grep -r 80 /jffs

/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Feb 23 18:12:43 openvpn[432]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 18:13:04 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:39 openvpn[421]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 18:19:19 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:38 openvpn[421]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 19:04:33 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log-1:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log-1:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log-1:Jan 1 01:00:39 openvpn[421]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 19:38:41 dnsmasq-dhcp[638]: DHCPACK(br0) 192.168.1.165 d0:22:be:66:9a:ab android-3e7803591ef14e21
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq[680]: started, version 2.68 cachesize 1500
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq[680]: asynchronous logging enabled, queue limit is 5 messages
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq-dhcp[680]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq-dhcp[680]: DHCP, sockets bound exclusively to interface br0
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq[680]: read /etc/hosts - 5 addresses
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq[680]: using nameserver 212.27.40.240#53
/jffs/syslog.log-1:Feb 23 19:40:37 dnsmasq[680]: using nameserver 212.27.40.241#53
/jffs/syslog.log-1:Feb 23 19:41:56 dnsmasq[680]: exiting on receipt of SIGTERM
/jffs/syslog.log-1:Feb 23 19:43:43 openvpn[898]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log-1:Feb 23 19:56:55 dnsmasq-dhcp[701]: DHCPACK(br0) 192.168.1.165 d0:22:be:66:9a:ab android-3e7803591ef14e21
/jffs/syslog.log:Feb 23 22:34:55 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log:Jan 1 01:00:33 dhcp client: bound 78.217.80.56 via 78.217.80.254 during 604800 seconds.
/jffs/syslog.log:Jan 1 01:00:39 openvpn[421]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log:Feb 23 23:30:17 kernel: usbcore: deregistering interface driver net1080
/jffs/syslog.log:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log:Jan 1 01:00:34 dhcp client: bound 78.217.80.56 via 78.217.80.254 during 604800 seconds.
/jffs/syslog.log:Jan 1 01:00:40 openvpn[420]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log:Jan 1 01:00:12 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log:Jan 1 01:00:39 openvpn[420]: Socket Buffers: R=[87380->131072] S=[16384->131072]
/jffs/syslog.log:Jan 1 01:00:11 kernel: memory: 08000000 @ 87fff000 (usable)
/jffs/syslog.log:Jan 1 01:00:11 kernel: Memory: 238480k/131068k available (2629k kernel code, 22772k reserved, 538k data, 196k init, 131072k highmem)
/jffs/syslog.log:Jan 1 01:00:12 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth1: Broadcom BCM4331 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: eth2: Broadcom BCM4360 802.11 Wireless Controller 6.30.163.2002 (r382208)
/jffs/syslog.log:Jan 1 01:00:12 kernel: Empty flash at 0x00dc2098 ends at 0x00dc2800
/jffs/syslog.log:Jan 1 01:00:12 kernel: ehci_hcd 0000:00:04.1: irq 6, io mem 0x18004000
/jffs/syslog.log:Jan 1 01:00:13 kernel: ohci_hcd 0000:00:04.0: irq 6, io mem 0x18009000
/jffs/syslog.log:Jan 1 01:00:13 kernel: usbcore: registered new interface driver net1080
/jffs/syslog.log:Jan 1 01:00:39 openvpn[420]: Socket Buffers: R=[87380->131072] S=[16384->131072]

 

[Zuultroet]

Is Openvpn configured to be at port 80 by any chance? I see port 1723 in the firewall, but not in the running services.

My goal it to set OpenVPN to port 80 : It was set on port 80 on the first iptables -L -v.

I set it back to 1194 and posted the result from http://forums.smallnetbuilder.com/showpost.php?p=106956&postcount=45 : Admin is still accessible from the WAN side.

I'm afraid this is not crucial to the problem : Admin is accessible on port 80, WAN side, even right after a NVRAM clear, with as only settings changed :

-router mode enabled
-OpenVPN server 1 enabled, with all its settings left at default (port1194)

 

[RMerlin]

My goal it to set OpenVPN to port 80 : It was set on port 80 on the first iptables -L -v.

Which was why port 80 was wide open in the firewall. You can't use port 80 for the OpenVPN server at the same time you have the internal web interface sitting on the same port. The router will have to open port 80 for the OpenVPN server, which will fail to start since it will conflict with the web interface. This is why you end up with the web interface being accessible over WAN.

I set it back to 1194 and posted the result from http://forums.smallnetbuilder.com/showpost.php?p=106956&postcount=45 : Admin is still accessible from the WAN side.

My guess is your firewall wasn't properly reconfigured after you switched OpenVPN back to port 1194. Reboot your router, and check again with iptables -L -v. The port 80 rule should be gone then.

I'm afraid this is not crucial to the problem : Admin is accessible on port 80, WAN side, even right after a NVRAM clear, with as only settings changed :

-router mode enabled
-OpenVPN server 1 enabled, with all its settings left at default (port1194)

There is definitely something in your configuration adding that port 80 rule, since it's not part of the firmware normal rules. This is how a normal INPUT chain looks like:

admin@stargate4:/tmp/home/root# iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
  904  128K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
73606   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  957  116K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
23210 2168K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 6847 2378K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    4   200 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
13551  932K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

As you can see, I don't have any rule for port 80 there (or dstp:www as in your case).

I'm fairly sure this was caused by your OpenVPN server configuration attempt.

 

[Ford Prefect]

As you can see, I don't have any rule for port 80 there (or dstp:www as in your case).

I'm fairly sure this was caused by your OpenVPN server configuration attempt.

Just to second this...here's mine:

admin@RT-AC68U:/tmp/home/root# iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
38945 4402K ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
62183   11M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
  422 21646 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
1014K  925M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2279  296K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
 102K 8028K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 9850  437K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U:/tmp/home/root#

again, the OP is using TAP interface with openVPN-server, whilst the standard config is using TUN...maybe there is another bug/thing hiding behind the effect we investigate here?

 

[Zuultroet]

I am currently at work and will test as soon as I can.

I did reboot the Asus several times, flash and clear the NVRAM without any changes to the behavior : I will attempt more severe resetting, possibly by flashing Shibby's, using its thorough NVRAM wipe, and reflash back your firmware and test. I'll keep you posted!

 

[speedingcheetah]

J
again, the OP is using TAP interface with openVPN-server, whilst the standard config is using TUN...maybe there is another bug/thing hiding behind the effect we investigate here?

I use TAP mode as it allows me to use my HDHomeRun Prime remotely. TUN does not work for me.