解决小米AX6端口转发失效问题

2022 / 3 / 10

技术记录

  • AX6固件版本:1.1.10,目前最新版本

  • 已通过另一台Openwrt路由器解锁ssh,AX6内只运行了shellclash,并未修改其他任何文件

  • 在端口转发页面设置自定义规则后,点击保存并生效,尝试用公网IP+端口访问不通

  • ssh登录AX6,手动执行/etc/init.d/firewall -reload

root@XiaoQiang:~# /etc/init.d/firewall reload
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section 'ready_zone' cannot resolve device of network 'ready'
Warning: Section 'guest_8999' refers to not existing zone 'guest'
Warning: Section 'guest_8300' refers to not existing zone 'guest'
Warning: Section 'guest_7080' refers to not existing zone 'guest'
Warning: Option 'wan15001rdr1'.ftype is unknown
Warning: Option 'wan15000rdr1'.ftype is unknown
Warning: Section @zone[2] (ready) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'DHCP for ready'
   * Rule 'DHCP for ready'
   * Rule 'minet ready'
   * Rule 'minet ready'
   * Redirect 'nas5001'
   * Redirect 'nas5000'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Populating IPv4 nat table
   * Redirect 'nas5001'
   * Redirect 'nas5000'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/lib/firewall.sysapi.loader webinitrdr'
 * Running script '/lib/firewall.sysapi.loader dnsmiwifi'
 * Running script '/lib/firewall.sysapi.loader macfilter'
 * Running script '/lib/firewall.sysapi.loader ipv6_masq'
 * Running script '/lib/firewall.sysapi.loader set_tcpmss'
 * Running script '/lib/firewall.sysapi.loader miot'
 * Running script '/lib/firewall.sysapi.loader parentalctl'
 * Running script '/usr/share/miniupnpd/firewall.include'
 * Running script '/etc/firewall.d/qca-nss-ecm'
   ! Failed with exit code 1

发现在跑到qca-nss-ecm时报错,查了一下这个nss是给无线加速相关的,以下是防火墙内关于nss的配置:

ecm_type=`uci -q get ecm.global.acceleration_engine`
if [ $ecm_type = "nss" -o $ecm_type = "auto" ]; then
        chk=$(iptables -L FORWARD 2>/dev/null | grep -c 'PHYSDEV')
        if [ $chk -lt 1 ]; then
                iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
        fi
        ipv6_fw_disable=$(uci -q get firewall.@defaults[0].disable_ipv6)
        chk6=$(ip6tables -L FORWARD 2>/dev/null | grep -c 'PHYSDEV')
        if [ $chk6 -lt 1 -a "$ipv6_fw_disable" = "0" ]; then
                ip6tables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
        elif [ "$ipv6_fw_disable" = "1" ]; then
                ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null
        fi
else
        iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null
        ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null
fi

暂时不想多研究,就直接在/etc/config/firewall里找到nss相关的规则注释掉,重启防火墙:

root@XiaoQiang:~# vi /etc/config/firewall
root@XiaoQiang:~# /etc/init.d/firewall reload
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section 'ready_zone' cannot resolve device of network 'ready'
Warning: Section 'guest_8999' refers to not existing zone 'guest'
Warning: Section 'guest_8300' refers to not existing zone 'guest'
Warning: Section 'guest_7080' refers to not existing zone 'guest'
Warning: Option 'wan15001rdr1'.ftype is unknown
Warning: Option 'wan15000rdr1'.ftype is unknown
Warning: Section @zone[2] (ready) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'DHCP for ready'
   * Rule 'DHCP for ready'
   * Rule 'minet ready'
   * Rule 'minet ready'
   * Redirect 'nas5001'
   * Redirect 'nas5000'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Populating IPv4 nat table
   * Redirect 'nas5001'
   * Redirect 'nas5000'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'ready'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/lib/firewall.sysapi.loader webinitrdr'
 * Running script '/lib/firewall.sysapi.loader dnsmiwifi'
 * Running script '/lib/firewall.sysapi.loader macfilter'
 * Running script '/lib/firewall.sysapi.loader ipv6_masq'
 * Running script '/lib/firewall.sysapi.loader set_tcpmss'
 * Running script '/lib/firewall.sysapi.loader miot'
 * Running script '/lib/firewall.sysapi.loader parentalctl'
 * Running script '/usr/share/miniupnpd/firewall.include'
root@XiaoQiang:~#
  • 此时尝试访问转发的端口,公网IP+端口可以正常访问内网的NAS了: