First off… let me thank you for an outstanding extension of the already excellent Tomato!
I like to log some firewall events, and so in the setup page Administration -> Logging I set "Inbound" to "If allowed by Firewall" and "Outbound" to "If Blocked by Firewall."
After upgrading to 1.28.8751 ND vpn3.6, I found my syslog filling with events like this:
Oct 11 09:10:09 R9 user.warn kernel: ACCEPT IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:55:ca:a4:05:08:00:45:00:01:69 SRC=10.16.224.1 DST=255.255.255.255 LEN=361 TOS=0x00 PREC=0x00 TTL=255 ID=17587 PROTO=UDP SPT=67 DPT=68 LEN=341
These occur every few seconds, sometimes several per second, and rapidly fill the log buffer.
The MAC looks suspiciously malformed, but buried in there is the MAC of the upstream router that my system connects to, presumably the ISP's cable headend. Also note that the source IP is in the private 10.x.x.x block. The source and destination ports suggest that these events are DHCP requests that are broadcast on the subnet that links my router's WAN port with the ISP's upstream gateway.
After a bit of poking around I discovered that the INPUT chain of the "filter" table is:
root@R9:/tmp/home/root# iptables -L -v
Chain INPUT (policy DROP 2623 packets, 933K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap21  any     anywhere             anywhere
   71  6598 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:1194
    0     0 DROP       all  --  br0    any     anywhere             x-x-x-x.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com
    0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID
 6821 1912K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 4535  302K ACCEPT     all  --  br0    any     anywhere             anywhere
    5   338 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 logaccept  udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
(I have edited this to obscure an entry that would reveal the public IP address of my router.)
That last entry is apparently the problem.
I have fixed it for now by adding the command:
iptables -D INPUT -p udp --dport bootpc --sport bootps -j logaccept
to the Firewall startup script, but I suspect this probably wasn't intended to be there in the first place.
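As an added example (not part of the post above, and not Tomato's own code), here is a small shell script that summarises kernel firewall log lines of the format shown in the post, grouping them by verdict, inbound interface, protocol, ports and destination so that a flood like the accepted bootps->bootpc broadcast stands out before it fills the syslog buffer. The log lines it reads are constructed samples modelled on the one in the post; the function names and the RFC 5737 test addresses are the example's own assumptions.

```shell
#!/bin/sh
# Added example: summarise Tomato/iptables kernel log lines by
# "verdict in-interface proto spt dpt dst" and count how many accepted
# DHCP (bootps->bootpc) broadcasts are present.  Not code from the post.

# Constructed sample log lines modelled on the post (not real captures).
SAMPLE_LOG='Oct 11 09:10:09 R9 user.warn kernel: ACCEPT IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:55:ca:a4:05:08:00:45:00:01:69 SRC=10.16.224.1 DST=255.255.255.255 LEN=361 TOS=0x00 PREC=0x00 TTL=255 ID=17587 PROTO=UDP SPT=67 DPT=68 LEN=341
Oct 11 09:10:11 R9 user.warn kernel: ACCEPT IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:55:ca:a4:05:08:00:45:00:01:69 SRC=10.16.224.1 DST=255.255.255.255 LEN=361 TOS=0x00 PREC=0x00 TTL=255 ID=17590 PROTO=UDP SPT=67 DPT=68 LEN=341
Oct 11 09:10:12 R9 user.warn kernel: ACCEPT IN=vlan1 OUT= MAC=00:00:00:00:00:00:00:21:55:ca:a4:05:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=40000 DPT=1194 LEN=40
Oct 11 09:10:13 R9 user.warn kernel: DROP IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=51000 DPT=25'

# summarize_log: read log lines on stdin, print
# "count verdict iface proto spt dpt dst", most frequent first.
summarize_log() {
    awk '
    /kernel: (ACCEPT|DROP|REJECT)/ {
        verdict = ""; iface = ""; proto = ""; spt = ""; dpt = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "ACCEPT" || $i == "DROP" || $i == "REJECT") verdict = $i
            else if ($i ~ /^IN=/)    iface = substr($i, 4)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
        }
        key = verdict " " iface " " proto " " spt " " dpt " " dst
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# dhcp_broadcast_count: number of accepted UDP 67->68 broadcasts on stdin,
# i.e. the traffic matched by the "logaccept ... spt:bootps dpt:bootpc" rule.
dhcp_broadcast_count() {
    summarize_log | awk '
        $2 == "ACCEPT" && $4 == "UDP" && $5 == "67" && $6 == "68" && $7 == "255.255.255.255" { n += $1 }
        END { print n + 0 }'
}

# Stand-alone usage: summarise the constructed sample, then count the DHCP noise.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
printf '%s\n' "$SAMPLE_LOG" | dhcp_broadcast_count
```

On a router you would feed it the real syslog instead, e.g. `logread | summarize_log`; any line whose count climbs far ahead of the rest is the rule worth reviewing in the firewall's chain listing.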