adp-router.json spoofing error
The anti-spoofing filter in adp-router.json looks like this:

    "filter": [
        {
            "in": "adp-wan",
            "dest": "$adp_lan_private_addrs",
            "action": "drop"
        }
    ]

but this has the side effect of also dropping any port forwarding rules, as DNAT (for port forward rules) happens in pre-routing and so the packet ends up being processed in the in/forward/out chains as having an in interface of WAN and a dest of an internal IP, matching this drop rule! This can be worked around by adding "before": "adp-router", to any port-forwarding rules.
Unfortunately the above also breaks the default icmp-routing rules that are supposed to allow ICMP types 3, 11, and 12, but which get added to the chains after the above supposed anti-spoofing rule and as such get blocked by it.
Shouldn't anti-spoofing be "src": "$adp_lan_private_addrs", anyway? A packet with a dest addr of your private IP would never be routed to your WAN interface in the first place; spoofing attacks normally use a forged "src", not "dest".
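
Added example, not part of the original report or of the project's code: a simplified Python model of the packet path described above (DNAT in pre-routing, then first-match filtering in the forward chain), comparing the "dest" match with the proposed "src" match. The addresses, the forwarded port 443 and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")   # stands in for $adp_lan_private_addrs
WAN_IP = ipaddress.ip_address("203.0.113.10")  # constructed router WAN address


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int


def prerouting_dnat(pkt):
    """nat/PREROUTING: constructed port forward WAN_IP:443 -> 192.168.1.20:443."""
    if (pkt.in_if == "adp-wan" and pkt.dport == 443
            and ipaddress.ip_address(pkt.dst) == WAN_IP):
        return replace(pkt, dst="192.168.1.20")
    return pkt


def forward_verdict(pkt, match_field):
    """filter/FORWARD: rules are checked in order, first match wins."""
    addr = ipaddress.ip_address(pkt.src if match_field == "src" else pkt.dst)
    if pkt.in_if == "adp-wan" and addr in LAN:
        return "drop"      # the anti-spoofing rule, evaluated first
    if ipaddress.ip_address(pkt.dst) in LAN and pkt.dport == 443:
        return "accept"    # rule that permits the forwarded port
    return "drop"          # default policy


def route(pkt, match_field):
    # The filter only ever sees the packet after DNAT rewrote its destination.
    return forward_verdict(prerouting_dnat(pkt), match_field)


# Constructed sample packets, both arriving on the WAN interface.
LEGIT = Packet("adp-wan", "198.51.100.7", "203.0.113.10", 443)
SPOOFED = Packet("adp-wan", "192.168.1.50", "203.0.113.10", 443)

if __name__ == "__main__":
    for field in ("dest", "src"):
        print(field, "legit:", route(LEGIT, field),
              "spoofed:", route(SPOOFED, field))
```

In this model the "dest" match drops the legitimate forwarded connection along with the spoofed one, while the "src" match accepts the former and still drops the latter.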