
TTL modification for outgoing traffic with OpenWRT 22.03 and firewall4


This is an admittedly belated post given the fact that the first stable build of OpenWRT 22.03 was released in September 2022, but I'm sure it will come in handy for users who primarily use OpenWRT to facilitate 4G/LTE/5G mobile tethering using their smartphone. As users of this latest version will know, firewall3 has been upgraded to firewall4, which uses nftables instead of iptables. In addition, OpenWRT 22.03's LuCI web interface doesn't include a text box for custom firewall rules, which means we'll have to get our hands dirty with the command line. Per the release notes:

Including custom firewall rules through /etc/firewall.user still works, but requires marking the file as compatible first, otherwise it is ignored. Firewall4 additionally allows including nftables snippets.

Log in to your OpenWRT router with your favorite SSH client and create the file /etc/firewall.user with the following contents:

nft add rule inet fw4 mangle_forward oifname usb0 ip ttl set 65
nft add rule inet fw4 mangle_forward oifname usb0 ip6 hoplimit set 65

Assuming your tethered WAN device is usb0, these two rules will be added to the main fw4 table's mangle_forward chain, ensuring that all packets forwarded out of usb0 will have their time-to-live (TTL, for IPv4) or hop limit (HL, for IPv6) set to 65.

Next, we need to add the appropriate include options to let the firewall module know about our additions. At the command line, enter the following:

uci add firewall include
uci set firewall.@include[-1].enabled=1
uci set firewall.@include[-1].type='script'
uci set firewall.@include[-1].path='/etc/firewall.user'
uci set firewall.@include[-1].fw4_compatible=1
uci commit firewall
/etc/init.d/firewall restart

If you've done this correctly, you should be able to see the corresponding additions to /etc/config/firewall as well as the new rules in LuCI under Status → Firewall in the "mangle_forward" chain.

Alternatively, if you're using the OpenWRT image builder and looking to preconfigure device(s) out of the box, simply stick the above commands into a file in /etc/uci-defaults such as 91_mangle_ttl.
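Putting the two steps above together, here is an added example of the kind of script you could drop into /etc/uci-defaults (this is my own illustration, not code from the original post or from the OpenWRT project). It writes /etc/firewall.user from a configurable interface name and TTL, registers it as an fw4-compatible include only if that include is not already present, restarts the firewall, and then checks the live ruleset with nft. The interface name usb0 and the value 65 are taken from the post; the variable names, the helper function names and the file name 91_mangle_ttl are my assumptions. The uci/nft steps only run when both tools exist, so the helper functions can be exercised on an ordinary Linux box.

```shell
#!/bin/sh
# Added example, not part of the original post: a /etc/uci-defaults style
# script that creates /etc/firewall.user with the TTL/hop-limit rules and
# registers it as an fw4-compatible script include.
# Assumptions: the tethered WAN device is usb0 and the desired TTL is 65.

WAN_IF="${WAN_IF:-usb0}"                      # tethered WAN device (assumed)
TTL_VALUE="${TTL_VALUE:-65}"                  # TTL / hop limit to set
USER_FILE="${USER_FILE:-/etc/firewall.user}"  # fw4 script include path

# The ip ttl and ip6 hoplimit fields are 8 bits wide; accept only 1..255.
validate_ttl() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# Print the two nft commands that make up /etc/firewall.user.
build_rules() {
    _if="$1"; _ttl="$2"
    validate_ttl "$_ttl" || return 1
    printf 'nft add rule inet fw4 mangle_forward oifname %s ip ttl set %s\n' "$_if" "$_ttl"
    printf 'nft add rule inet fw4 mangle_forward oifname %s ip6 hoplimit set %s\n' "$_if" "$_ttl"
}

# Write the include file. fw4 executes it as a script on every firewall
# reload, so keep it owned by root and not writable by anyone else.
write_firewall_user() {
    _path="$1"; _if="$2"; _ttl="$3"
    validate_ttl "$_ttl" || return 1
    build_rules "$_if" "$_ttl" > "$_path" || return 1
    chmod 0644 "$_path"
}

# Register the include exactly as the post does, but skip it when an include
# with the same path already exists so re-running the script is harmless.
register_include() {
    _path="$1"
    if uci show firewall 2>/dev/null | grep -q "\.path='$_path'"; then
        return 0
    fi
    uci add firewall include >/dev/null
    uci set firewall.@include[-1].enabled=1
    uci set firewall.@include[-1].type='script'
    uci set firewall.@include[-1].path="$_path"
    uci set firewall.@include[-1].fw4_compatible=1
    uci commit firewall
}

# Post-check: count rules in mangle_forward that rewrite TTL/hop limit for
# the interface. Expect 2 after a successful restart.
count_ttl_rules() {
    nft list chain inet fw4 mangle_forward 2>/dev/null \
        | grep 'oifname' | grep "$1" \
        | grep -c -e 'ip ttl set' -e 'ip6 hoplimit set'
}

# Only touch the system when both uci and nft are present (i.e. on the router).
if command -v uci >/dev/null 2>&1 && command -v nft >/dev/null 2>&1; then
    validate_ttl "$TTL_VALUE" || { echo "invalid TTL: $TTL_VALUE" >&2; exit 1; }
    write_firewall_user "$USER_FILE" "$WAN_IF" "$TTL_VALUE" || exit 1
    register_include "$USER_FILE" || exit 1
    /etc/init.d/firewall restart
    echo "TTL rules active for $WAN_IF: $(count_ttl_rules "$WAN_IF") (expected 2)"
fi
```

Two things worth knowing when using this through /etc/uci-defaults: scripts there run once at first boot and are deleted once they exit successfully, and the uci commands on their own only register the include, so the script (or a files/ overlay in the image builder) has to create /etc/firewall.user itself, as write_firewall_user does here. The final nft listing is the same check LuCI's Status → Firewall page gives you, just from the shell.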

At first glance, this certainly seems a bit more complicated than the single iptables rule needed with firewall3 on OpenWRT 21.02 and older, but once you become familiar with nftables, it's really not too difficult at all. It's also worth mentioning that unlike with iptables/firewall3, no additional OpenWRT packages are required.


See my previous post for older versions of OpenWRT using firewall3.
