Why isn’t my iptables REDIRECT rule (transparent redirect of one LAN client into xray’s dokodemo-door) working?

I’m working with a network router running this Linux kernel (output of `uname -a`):

Linux SNR-CPE-ME2-SFP-Lite 3.4.113.185 #1 SMP Wed Mar 19 13:55:06 +05 2025 mips GNU/Linux

I’m trying to transparently redirect all TCP and UDP traffic from a single LAN client (192.168.1.59) into an xray `dokodemo-door` inbound on the router itself (port 10833), so that only this one client goes through the proxy.

Here’s the current ruleset (`iptables-save -c`, so the per-rule counters are included; `X.X.X.X` is the public address my ISP assigned to eth3, and the `//IP from ISP` text is my own annotation, not part of the saved rules):

[SNR-CPE-ME2-SFP-Lite@/etc]# iptables-save -c
# Generated by iptables-save v1.4.16.3 on Wed Dec  3 23:02:43 2025
*nat
:PREROUTING ACCEPT [14161:1394904]
:INPUT ACCEPT [9023:610860]
:OUTPUT ACCEPT [4666:316649]
:POSTROUTING ACCEPT [4666:316649]
:XRAY - [0:0]
[6109:448580] -A PREROUTING -s 192.168.1.59/32 -j XRAY
[153:23948] -A POSTROUTING -s 192.168.1.59/32 -o eth3 -j SNAT --to-source X.X.X.X //IP from ISP
[29248:3781575] -A POSTROUTING -s 192.168.1.0/24 -o eth3 -j SNAT --to-source X.X.X.X //IP from ISP
[1806:123581] -A XRAY -d 192.168.1.0/24 -j RETURN
[969:58140] -A XRAY -p tcp -j REDIRECT --to-ports 10833
[124:25767] -A XRAY -p udp -j REDIRECT --to-ports 10833
COMMIT
# Completed on Wed Dec  3 23:02:43 2025
# Generated by iptables-save v1.4.16.3 on Wed Dec  3 23:02:43 2025
*mangle
:PREROUTING ACCEPT [211593:26997200]
:INPUT ACCEPT [132408:18851042]
:FORWARD ACCEPT [63941:6009939]
:OUTPUT ACCEPT [86725:6908041]
:POSTROUTING ACCEPT [153255:13000828]
[37851:2271044] -A FORWARD ! -o br0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Dec  3 23:02:43 2025
# Generated by iptables-save v1.4.16.3 on Wed Dec  3 23:02:43 2025
*filter
:INPUT ACCEPT [7931:1233869]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7225:721782]
:servicelimit - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[11:1607] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
[91599:15487437] -A INPUT -j servicelimit
[1783:173437] -A INPUT -s 192.168.1.59/32 -j ACCEPT
[0:0] -A FORWARD -d 224.0.0.0/4 -o br0 -j ACCEPT
[0:0] -A FORWARD -s 224.0.0.0/4 -i br0 -j ACCEPT
[42817:4627428] -A FORWARD -s 192.168.1.0/24 -i br0 -j ACCEPT
[39:2704] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[2732:88032] -A servicelimit -i br0 -p igmp -j ACCEPT
[1362:43584] -A servicelimit -d 224.0.0.0/4 -i eth3 -j ACCEPT
[0:0] -A servicelimit -s 224.0.0.0/4 -i eth3 -j ACCEPT
[38:12744] -A servicelimit -i br0 -p udp -m udp --dport 67 -j ACCEPT
[10348:712841] -A servicelimit -i br0 -p udp -m udp --dport 53 -j ACCEPT
[25:1420] -A servicelimit -i br0 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
[0:0] -A servicelimit -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
[0:0] -A servicelimit -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 16 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
[8:480] -A servicelimit -i br0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[0:0] -A servicelimit -i br0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[0:0] -A servicelimit -p tcp -m state --state NEW -m tcp --dport 22 -m connlimit --connlimit-above 4 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
[7:420] -A servicelimit -i br0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A servicelimit -p tcp -m state --state NEW -m tcp --dport 23 -m connlimit --connlimit-above 4 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
[0:0] -A servicelimit -i br0 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
[10713:884971] -A servicelimit -p icmp -m icmp --icmp-type 8 -m limit --limit 25/sec -j ACCEPT
[0:0] -A servicelimit -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A servicelimit -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Wed Dec  3 23:02:43 2025

(Note, separate from the redirect problem: as this dump shows, the filter `INPUT` policy is `ACCEPT` and nothing after the `servicelimit` chain drops traffic arriving on eth3 — `servicelimit` only rate-limits and then falls through — so the router’s own listening ports, including 10833 and 22/23/80/443 unless those daemons bind only to the LAN address, appear reachable from the WAN side. That is worth tightening regardless of the answer here.)

And here are the interfaces I have (`ip a`):

[SNR-CPE-ME2-SFP-Lite@/etc]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 160
    link/ether f8:f0:82:7d:a6:74 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/24 brd X.X.X.255 scope global eth3
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN qlen 160
    link/ether f8:f0:82:7e:bb:2b brd ff:ff:ff:ff:ff:ff
5: ra0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP qlen 50
    link/ether f8:f0:82:f4:bb:d7 brd ff:ff:ff:ff:ff:ff
6: rai0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP qlen 50
    link/ether f8:f0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
7: wds0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:f4:bb:d7 brd ff:ff:ff:ff:ff:ff
8: wds1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:f4:bb:d7 brd ff:ff:ff:ff:ff:ff
9: wds2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:f4:bb:d7 brd ff:ff:ff:ff:ff:ff
10: wds3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:f4:bb:d7 brd ff:ff:ff:ff:ff:ff
11: apcli0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether fa:f0:82:04:bb:d7 brd ff:ff:ff:ff:ff:ff
12: apclii0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether fe:e0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
13: wdsi0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
14: wdsi1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
15: wdsi2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
16: wdsi3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 160
    link/ether f8:f0:82:0f:18:c5 brd ff:ff:ff:ff:ff:ff
17: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 160
    link/ether f8:f0:82:7e:bb:2b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0

[SNR-CPE-ME2-SFP-Lite@/etc]# ip r
default via X.X.X.(X-1) dev eth3
default dev eth3  scope link  metric 100
X.X.X.0/24 dev eth3  proto kernel  scope link  src X.X.X.X
X.X.X.(X-1) dev eth3  metric 100
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
212.49.103.2 via X.X.X.(X-1) dev eth3
212.49.118.2 via X.X.X.(X-1) dev eth3
224.0.0.0/4 dev eth3  scope link

Here’s my xray config file (the server address `y.y.y.y` and the VMess user id are redacted). Note that the inbound listens on `0.0.0.0`, i.e. on the WAN address as well, not only on br0’s 192.168.1.1; for a LAN-only transparent proxy, binding it to 192.168.1.1 would be safer, and it should still work because REDIRECT rewrites the destination to the primary address of the incoming interface (192.168.1.1 on br0):

{
  "log": {
     "logLevel": "debug"
  },
  "inbounds": [
    {
      "port": 10833,
      "listen": "0.0.0.0",
      "protocol": "dokodemo-door",
      "settings": {
          "network": "tcp,udp",
          "followRedirect": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "y.y.y.y",
            "port": 10087,
            "users": [
              {
                "id": "00000000-0000-0000-0000-000000000000"
              }
            ]
          }
        ]
      },
      "streamSettings": {
          "sockopt": {
              "mark": 255
          }
      }
    }
  ]
}

Note that I have tested the same outbound separately on my laptop with a SOCKS inbound instead of `dokodemo-door`, and it works fine, so the vmess server side itself is OK.

Here’s my network configuration (the listing that belonged here did not survive in this copy of the post; the `ip a` and `ip r` output above is what I have):

On the client side, every web page just loads forever. In tcpdump I can see that the client resolves names fine and sends its requests, and that packets do come back, but nothing ever completes. What stands out in the capture below: the client has already finished a handshake and is sending its HTTP GET (`seq 1:1461, ack 1`), yet SYN-ACKs for those same connections keep arriving afterwards (printed with absolute sequence numbers), and the client answers them with bare ACKs — it looks as if its data segment is never acknowledged.

Here’s a sample of the tcpdump output (each packet is printed several times, presumably because the capture spanned more than one interface):

22:53:23.200103 ethertype IPv4, IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], seq 1:1461, ack 1, win 65535, length 1460: HTTP: GET / HTTP/1.1
22:53:23.200183 IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], seq 1:1461, ack 1, win 65535, length 1460: HTTP: GET / HTTP/1.1
22:53:23.200198 IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], seq 1:1461, ack 1, win 65535, length 1460: HTTP: GET / HTTP/1.1
22:53:23.200256 ethertype IPv4, IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
22:53:23.200324 IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
22:53:23.200332 IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
22:53:23.386456 IP 188.40.167.82.80 > 192.168.1.59.35356: Flags [S.], seq 3543424316, ack 89005551, win 14600, options [mss 1460,nop,nop,sackOK], length 0
22:53:23.386478 IP 188.40.167.82.80 > 192.168.1.59.35356: Flags [S.], seq 3543424316, ack 89005551, win 14600, options [mss 1460,nop,nop,sackOK], length 0
22:53:23.386642 IP 188.40.167.82.443 > 192.168.1.59.42130: Flags [S.], seq 4072887407, ack 1061928278, win 14600, options [mss 1460,nop,nop,sackOK], length 0
22:53:23.386648 IP 188.40.167.82.443 > 192.168.1.59.42130: Flags [S.], seq 4072887407, ack 1061928278, win 14600, options [mss 1460,nop,nop,sackOK], length 0
22:53:23.391444 ethertype IPv4, IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], ack 1, win 65535, length 0
22:53:23.391524 IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], ack 1, win 65535, length 0
22:53:23.391528 ethertype IPv4, IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], ack 1, win 65535, length 0
22:53:23.391562 IP 192.168.1.59.35356 > 188.40.167.82.80: Flags [.], ack 1, win 65535, length 0
22:53:23.391575 IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], ack 1, win 65535, length 0
22:53:23.391581 IP 192.168.1.59.42130 > 188.40.167.82.443: Flags [.], ack 1, win 65535, length 0