This is an admittedly belated post given the fact that the first stable build of OpenWRT 22.03 was released in September 2022, but I'm sure it will come in handy for users who primarily use OpenWRT to facilitate 4G/LTE/5G mobile tethering using their smartphone. As users of this latest version will know, firewall3 has been upgraded to firewall4, which uses nftables instead of iptables. In addition, OpenWRT 22.03's LuCI web interface doesn't include a text box for custom firewall rules, which means we'll have to get our hands dirty with the command line. Per the release notes:
Including custom firewall rules through /etc/firewall.user still works, but requires marking the file as compatible first, otherwise it is ignored. Firewall4 additionally allows to include nftables snippets.
Log in to your OpenWRT router with your favorite SSH client and create the file
/etc/firewall.user with the following contents:
nft add rule inet fw4 mangle_forward oifname usb0 ip ttl set 65 nft add rule inet fw4 mangle_forward oifname usb0 ip6 hoplimit set 65
Assuming your tethered WAN device is
usb0, these two rules will be added to the main fw4 table's
mangle_forward chain, ensuring that all packets forwarded out of
usb0 will have their time-to-live (TTL, for IPv4) or hop limit (HL, for IPv6) set to 65.
Next, we need to add the appropriate include options to let the firewall module know about our additions. At the command line, enter the following:
uci add firewall include uci set firewall.@include[-1].enabled=1 uci set firewall.@include[-1].type='script' uci set firewall.@include[-1].path='/etc/firewall.user' uci set firewall.@include[-1].fw4_compatible=1 uci commit firewall /etc/init.d/firewall restart
If you've done this correctly, you should be able to see the corresponding additions to
/etc/config/firewall as well as the new rules in LuCI under Status → Firewall in the "mangle_forward" chain.
Alternatively, if you're using the OpenWRT image builder and looking to preconfigure device(s) out of the box, simply stick the above commands into a file in
/etc/uci-defaults such as
At first glance, this certainly seems a bit more complicated than the single iptables rule needed with firewall3 on OpenWRT 21.02 and older, but once you become familiar with nftables, it's really not too difficult at all. It's also worth mentioning that unlike with iptables/firewall3, no additional OpenWRT packages are required.
See my previous post for older versions of OpenWRT using firewall3.