OTBR Firewall issue

[ninowd]

Describe the issue you are experiencing

this is the original form "/usr/share/hassio/addons/core/openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run" which not work !

ip6tables -N $otbr_forward_ingress_chain
ip6tables -I FORWARD 1 -o $thread_if -j $otbr_forward_ingress_chain

ip6tables -A $otbr_forward_ingress_chain -m pkttype --pkt-type unicast -i ${thread_if} -j DROP
ip6tables -A $otbr_forward_ingress_chain -m set --match-set otbr-ingress-deny-src src -j DROP
ip6tables -A $otbr_forward_ingress_chain -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
ip6tables -A $otbr_forward_ingress_chain -m pkttype --pkt-type unicast -j DROP
ip6tables -A $otbr_forward_ingress_chain -j ACCEPT

ip6tables -N $otbr_forward_egress_chain
ip6tables -I FORWARD 2 -i $thread_if -j $otbr_forward_egress_chain
ip6tables -A $otbr_forward_egress_chain -j ACCEPT

this is the original form the "open thread website" which work

ip6tables -N $OTBR_FORWARD_INGRESS_CHAIN
ip6tables -I FORWARD 1 -o $THREAD_IF -j $OTBR_FORWARD_INGRESS_CHAIN

ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -i $THREAD_IF -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-deny-src src -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -j DROP
ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -j ACCEPT

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Almond

What is the version of the add-on?

Current version: 2.3.1

Steps to reproduce the issue

1. changed it then it works
2. changet it back and was not workin again

...

System Health information

System Information

version	core-2023.8.2
installation_type	Home Assistant Supervised
dev	false
hassio	true
docker	true
user	root
virtualenv	false
python_version	3.11.4
os_name	Linux
os_version	5.10.160-rk35xx
arch	aarch64
timezone	Europe/Berlin
config_dir	/config

Home Assistant Cloud

logged_in	false
can_reach_cert_server	ok
can_reach_cloud_auth	ok
can_reach_cloud	ok

Home Assistant Supervisor

host_os	Armbian 23.08.0-trunk bookworm
update_channel	beta
supervisor_version	supervisor-2023.08.1
agent_version	1.5.1
docker_version	24.0.5
disk_total	907.9 GB
disk_used	8.0 GB
healthy	true
supported	failed to load: Unsupported
supervisor_api	ok
version_api	ok
installed_addons	Studio Code Server (5.10.0), Portainer (2.18.4), Matter Server (4.9.0), OpenThread Border Router (2.3.1)

Dashboards

dashboards	1
resources	0
mode	auto-gen

Recorder

oldest_recorder_run	12. August 2023 um 08:54
current_recorder_run	16. August 2023 um 20:28
estimated_db_size	4.09 MiB
database_engine	sqlite
database_version	3.41.2

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

[agners]

this is the original form "/usr/share/hassio/addons/core/openthread_border_router/rootfs/etc/s6-overlay/s6-rc.d/otbr-agent/run" which not work !

Can you elaborate? What does not work?

The additional egress lines just accept forwarding everything from the Thread network to the outside world. This shouldn't prevent any packet flow, if anything, it should allow packets to flow from the Thread interface in all cases.

[ninowd]

i was able to connect to the thread network but i can't connect to the matter server via the "android home assistant apk" with an esp32c6

then i set the "otbr firewall" to off and it works without need of a "matter hub"

[agners]

And when you used the original firewall configuration it worked?

What harware/host system are you on?

Also, I had sporadic onboarding troubles with Espressif devices before. Did you try multiple times with both configurations?

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.