TTL modification for outgoing traffic with OpenWRT 22.03 and firewall4
This is an admittedly belated post, given that the first stable build of OpenWRT 22.03 was released in September 2022, but I'm sure it will come in handy for users who run OpenWRT mainly to share a 4G/LTE/5G connection tethered from their smartphone. As users of this version will know, firewall3 has been replaced by firewall4, which uses nftables instead of iptables. In addition, the LuCI web interface in 22.03 no longer has a text box for custom firewall rules, so we'll have to get our hands dirty on the command line. Per the release notes:
Including custom firewall rules through /etc/firewall.user still works, but requires marking the file as compatible first, otherwise it is ignored. Firewall4 additionally allows to include nftables snippets.
Log in to your OpenWRT router with your favorite SSH client and create the file /etc/firewall.user with the following contents:
nft add rule inet fw4 mangle_forward oifname usb0 ip ttl set 65
nft add rule inet fw4 mangle_forward oifname usb0 ip6 hoplimit set 65
Assuming your tethered WAN device is usb0, these two rules are appended to the mangle_forward chain of the main fw4 table, so every packet forwarded out of usb0 leaves with its time-to-live (TTL, for IPv4) or hop limit (HL, for IPv6) set to 65. The kernel has already decremented the TTL by the time the forward hook runs, so 65 is the value that actually reaches the phone; the phone's own routing step then brings it down to 64, the default TTL of the phone's native traffic, which is what a carrier that looks at TTL to spot tethering expects to see. Note that only forwarded traffic is covered: packets the router itself originates (dnsmasq's upstream DNS queries, NTP, opkg) pass through mangle_output instead, and need an equivalent rule in that chain if you want them rewritten as well.
Next, we need to add the appropriate include options to let the firewall module know about our additions. At the command line, enter the following:
uci add firewall include
uci set firewall.@include[-1].enabled=1
uci set firewall.@include[-1].type='script'
uci set firewall.@include[-1].path='/etc/firewall.user'
uci set firewall.@include[-1].fw4_compatible=1
uci commit firewall
/etc/init.d/firewall restart
If you've done this correctly, you should see the corresponding include section added to /etc/config/firewall, as well as the new rules in LuCI under Status → Firewall in the "mangle_forward" chain.
Alternatively, if you're using the OpenWRT image builder and want to preconfigure device(s) out of the box, simply put the above commands into a file in /etc/uci-defaults such as 91_mangle_ttl. Keep in mind that uci-defaults scripts run once at first boot and are deleted when they exit successfully, so the script has to do the whole job in one pass.
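The same setup, collected into one script that can be run over SSH or dropped into /etc/uci-defaults. This is an added example and not code from the original post: it writes /etc/firewall.user, registers the include only if one for that path does not already exist (the bare `uci add firewall include` above appends a fresh section every time it is run), and checks the loaded mangle_forward chain afterwards. The WAN device, TTL value and rule file path are assumed parameters with the post's values as defaults; the `uci show` and `nft list chain` outputs embedded at the top are constructed samples used to exercise the helper functions when the script is run somewhere other than an OpenWRT box.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent fw4 TTL/hop-limit setup.
# Assumed parameters, defaults match the post.
WAN_DEV="${WAN_DEV:-usb0}"             # tethered WAN device (assumed: usb0)
TTL_VALUE="${TTL_VALUE:-65}"           # 65 on the wire, 64 after the phone's hop
RULE_FILE="${RULE_FILE:-/etc/firewall.user}"

# Constructed sample of `uci show firewall` with the include already present.
SAMPLE_UCI="$(cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@include[0]=include
firewall.@include[0].enabled='1'
firewall.@include[0].type='script'
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].fw4_compatible='1'
EOF
)"

# Constructed, simplified sample of `nft list chain inet fw4 mangle_forward`.
SAMPLE_NFT="$(cat <<'EOF'
table inet fw4 {
	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		oifname "usb0" ip ttl set 65
		oifname "usb0" ip6 hoplimit set 65
	}
}
EOF
)"

# Print the two nft commands that rewrite TTL (IPv4) and hop limit (IPv6)
# on packets forwarded out of device $1 to the value $2.
render_rules() {
    printf 'nft add rule inet fw4 mangle_forward oifname %s ip ttl set %s\n' "$1" "$2"
    printf 'nft add rule inet fw4 mangle_forward oifname %s ip6 hoplimit set %s\n' "$1" "$2"
}

# Read `uci show firewall` output on stdin and print the section name of the
# include whose path is $1 (for example "@include[0]"), or nothing if absent.
find_include() {
    grep '^firewall\.' | grep -F ".path='$1'" \
        | sed 's/^firewall\.\([^.]*\)\.path=.*/\1/' | head -n 1
}

# Read `nft list chain inet fw4 mangle_forward` output on stdin and succeed
# only if both the IPv4 and the IPv6 rule for device $1 with value $2 are loaded.
verify_rules() {
    listing="$(cat)"
    printf '%s\n' "$listing" | grep -q "oifname \"$1\" ip ttl set $2\$" &&
        printf '%s\n' "$listing" | grep -q "oifname \"$1\" ip6 hoplimit set $2\$"
}

# Write the rule file, register it with fw4 (once), restart, and verify.
apply() {
    render_rules "$WAN_DEV" "$TTL_VALUE" > "$RULE_FILE"
    section="$(uci show firewall | find_include "$RULE_FILE")"
    if [ -z "$section" ]; then
        # `uci add` prints the generated name of the new anonymous section.
        section="$(uci add firewall include)"
        uci set "firewall.$section.type=script"
        uci set "firewall.$section.path=$RULE_FILE"
    fi
    uci set "firewall.$section.enabled=1"
    uci set "firewall.$section.fw4_compatible=1"
    uci commit firewall
    /etc/init.d/firewall restart
    # Script includes run after the ruleset is loaded, so the rules must be visible now.
    nft list chain inet fw4 mangle_forward | verify_rules "$WAN_DEV" "$TTL_VALUE"
}

if command -v uci >/dev/null 2>&1 && command -v nft >/dev/null 2>&1; then
    apply
else
    # Not on an OpenWRT box: exercise the helpers against the constructed samples.
    echo "uci/nft not found; self-check against constructed samples"
    printf '%s\n' "$SAMPLE_UCI" | find_include /etc/firewall.user
    printf '%s\n' "$SAMPLE_NFT" | verify_rules usb0 65 && echo "TTL rules present"
fi
```

On the router, `find_include` keeps a second run from adding a duplicate include section, and the final `verify_rules` step is the shell-side equivalent of checking the chain in LuCI: it fails if either rule is missing, for instance because the include was left without `fw4_compatible=1` and fw4 ignored it.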
At first glance, this certainly seems a bit more complicated than the single iptables rule needed with firewall3 on OpenWRT 21.02 and older, but once you become familiar with nftables, it's really not too difficult at all. It's also worth mentioning that unlike with iptables/firewall3, no additional OpenWRT packages are required.
See my previous post for older versions of OpenWRT using firewall3.