Using: DD-WRT Kong Mod for NETGEAR R7000 (2017-06-11)
My ADSL modem cannot work in Bridge mode, and I want to avoid double NAT (i.e. the router does NAT and the modem does NAT).
So, I've set the router into Router mode (Setup -> Advanced Routing -> Operating Mode = Router).
It turns out the iptables rules are incorrect. Specifically, the FORWARD chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * vlan2 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.0.0/24 0.0.0.0/0 tcp dpt:1723
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
992 126K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
992 126K trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
992 126K DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
The DROP rule at the bottom catches incoming packets from the modem and drops them.
Removing the DROP rule fixes the problem, but I'll write back once I figure out a more secure alternative (if one is required).
The correct solution is probably to disable the firewall on the router, and rely on the firewall in the modem.
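As an added example (not part of the original post, and not DD-WRT's own firewall code): a "Save Firewall" style script that takes the poster's diagnosis at face value but keeps the catch-all DROP at the bottom of FORWARD instead of deleting it. It does two things: it lets hosts on the modem's own LAN segment (and only those) open new connections into br0, and it inserts a rate-limited LOG rule directly above the final DROP so whatever is still being dropped shows up in the kernel log and can be narrowed further. vlan2, br0 and 192.168.0.0/24 are taken from the dump above; the modem-side subnet 192.168.1.0/24 is an assumption and must be changed to match the modem. The helpers read `iptables -S FORWARD` output on stdin, so they can be checked with a dry run (IPT=echo) before touching a live router.

```shell
#!/bin/sh
# Added example for DD-WRT Router mode (no NAT on the router). Not from the
# original post. Keeps the final "-A FORWARD -j DROP" and narrows the hole.

WAN_IF="${WAN_IF:-vlan2}"                 # router WAN port, faces the modem (from the dump)
LAN_IF="${LAN_IF:-br0}"                   # router LAN bridge (from the dump)
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # router LAN subnet (from the dump)
MODEM_NET="${MODEM_NET:-192.168.1.0/24}"  # ASSUMED modem LAN subnet, adjust to taste

# Set IPT=echo to print the iptables commands instead of executing them.
IPT="${IPT:-iptables}"

# Number of rules currently in FORWARD, read from `iptables -S FORWARD` on
# stdin. The unconditional DROP is the last rule, so this is also its position.
forward_rule_count() {
    awk '/^-A FORWARD /{ n++ } END { print n + 0 }'
}

# Succeed (exit 0) only if an ACCEPT for MODEM_NET appears before the final
# "-A FORWARD -j DROP" and that DROP is still present. Reads `iptables -S
# FORWARD` output on stdin. Fails both before the fix and if someone simply
# deleted the DROP.
forward_order_ok() {
    awk -v net="$MODEM_NET" '
        index($0, "-s " net) && index($0, "-j ACCEPT") && !seen_drop { seen_accept = 1 }
        $0 == "-A FORWARD -j DROP" { seen_drop = 1 }
        END { exit !(seen_accept && seen_drop) }
    '
}

# Install the rules. $1 is the current FORWARD rule count, i.e. the position
# of the catch-all DROP before anything is inserted.
install_router_mode_rules() {
    drop_pos="$1"
    # Inserting at drop_pos pushes the DROP to drop_pos+1, so the LOG ends up
    # immediately above it. Done first so the later insert at 1 does not
    # shift the position we computed.
    $IPT -I FORWARD "$drop_pos" -m limit --limit 6/min -j LOG --log-prefix "FWD-DROP: "
    # Narrow replacement for deleting the DROP: only the modem's own segment
    # may open new connections into the LAN. Packets the modem forwards from
    # the Internet keep their public source address and still hit the DROP.
    $IPT -I FORWARD 1 -i "$WAN_IF" -o "$LAN_IF" -s "$MODEM_NET" -d "$LAN_NET" \
        -m state --state NEW -j ACCEPT
}

# On the router: sh thisscript.sh apply
# Guarded so the file can be sourced for a dry run without touching iptables.
if [ "${1:-}" = "apply" ] && command -v iptables >/dev/null 2>&1; then
    count="$(iptables -S FORWARD | forward_rule_count)"
    install_router_mode_rules "$count"
    if iptables -S FORWARD | forward_order_ok; then
        echo "modem ACCEPT sits above the final DROP"
    else
        echo "WARNING: FORWARD chain is not in the expected order" >&2
    fi
fi
```

The LOG rule is the diagnostic half: after a few minutes of `dmesg | grep FWD-DROP:` it is clear which source addresses and interfaces the catch-all is actually eating, which is the information needed to decide whether the modem-subnet ACCEPT is enough or whether the problem lies elsewhere.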