Blocking communication between subnets

Hello!
I have three subnets: S_n=192.168.n.0/24, where n=1, 2, 3, and clients of S_2 and S_3 shouldn't see anything outside their own subnet. Clients of S_1 can see the others. Each subnet belongs to an interface, I_n, n=1,2,3.

Now, I thought it should be taken care of by setting up three firewall zones, one for each interface, say F_n. Say "students" is F_3 (and I_3 for the interface):

config zone
	option name 'students'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'students'

config forwarding
	option src 'students'
	option dest 'wan'

Then the only allowed outbound forwarding is "wan", so the clients in S_3 shouldn't be able to see anything on S_1 and S_2.
But it seems it's not working that way. If I just leave it like that, get onto S_3 and use an IP scanner to browse S_2, I can see the names of the devices on S_2. The separation is realized only after I put in a traffic rule

config rule
	option name 'Students don'\''t see the others'
	option src 'students'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.0.0/16'

Then I can't see the device on S_2 from S_3 anymore.
I don't understand why the first general rule about forwarding only to wan was not sufficient.

Another question is, if I have this traffic rule, suppose a client on my net is using WireGuard or whatever to access his own network at home, where the subnet belongs to 192.168.n.0/24. Is my rule blocking him from browsing his own home network?

I'd appreciate it if someone could please explain that to me.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user

No. You have zero control over what's happening inside someone else's WireGuard tunnel, since it creates a completely separate network. The 192.168.0.0/16 subnet you're talking about can exist both inside the tunnel and outside it, but it won't be the same actual network -- it'll be two different networks.

@trendy

thank you for checking! Here it is below. Note that there are quite a few things that are not in use.
And @WereCatf
thanks for the clarification! I thought it must be that way, but wasn't sure.

ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user
{
	"kernel": "5.4.124",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.0-rc3",
		"revision": "r16172-2aba3e9784",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02.0-rc3 r16172-2aba3e9784"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde4:e3d5:8959::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0.16'

config interface 'WAN'
	option proto 'pppoe'
	option username '0023242xxx@t-online.de'
	option password '6763xxxxxxxx'
	option ipv6 'auto'
	option metric '10'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '208.67.222.123'
	list dns '208.67.220.123'
	option device 'eth1.7'

config interface 'guest'
	option proto 'static'
	option device 'eth0.11'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'students'
	option proto 'static'
	option device 'eth0.15'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'lan12admin'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option device 'eth0.12'

config interface 'WAN_nat'
	option proto 'dhcp'
	option metric '20'
	option device 'eth0.8'

config interface 'telefon'
	option device 'eth0.17'
	option proto 'static'
	list ipaddr '192.168.5.1/24'

config device
	option type 'bridge'
	option name 'br-12'
	list ports 'eth0.12'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51821'
	option private_key 'aFDNDFVfWxnOz9h/sxxxxxxxxx0YIjnkKbzA34='
	list addresses '192.168.9.3/24'

config wireguard_vpn 'wgserver'
	option public_key 'L1/ozA3HqMKy7KR/lASzzzzzzzzcgNiEmv6LxY='
	list allowed_ips '192.168.9.2/32'
	option description 'win8.1'

config route
	option interface 'WAN'
	option netmask '255.255.255.0'
	option gateway '192.168.1.33'
	option target '192.168.8.0'

config route
	option interface 'lan'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.33'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan12admin'
	list network ''
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	list network 'modem'
	list network 'WAN_nat'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'IPv6 anyzone drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest '*'
	option target 'DROP'

config rule
	option name 'IPv6 device block'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'students'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'students'
	list network 'telefon'

config forwarding
	option src 'students'
	option dest 'wan'

config rule
	option name 'Guest DHCP+DNS'
	option family 'ipv4'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Student DHCP+DNS'
	option family 'ipv4'
	option src 'students'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'LAN access all'
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'

config zone
	option name 'Telefon'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'Telefon'

config forwarding
	option src 'Telefon'
	option dest 'wan'

config rule
	option name 'Telefon DNS DHCP'
	option src 'Telefon'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config rule
	option name 'guests cant access others'
	list proto 'all'
	option src 'guest'
	option dest '*'
	list dest_ip '192.168.1.0/24'
	list dest_ip '192.168.3.0/24'
	list dest_ip '192.168.4.0/24'
	option target 'DROP'

config rule
	option name 'Students don'\''t see the others'
	option src 'students'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.0.0/16'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'testrules'

config forwarding
	option dest 'wan'
	option src 'testrules'

config rule
	option name 'vlan12 dhcp dns'
	option family 'ipv4'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'testrules'

config rule
	option name 'vlan 12 can'\''t see the others'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.0.0/16'
	option src 'testrules'

config forwarding
	option src 'lan'
	option dest 'guest'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config redirect
	option target 'DNAT'
	option name 'Port forwarding '
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	list proto 'udp'
	option dest_ip '192.168.1.33'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '51821'

config rule
	option dest '*'
	option target 'ACCEPT'
	list dest_ip '192.168.0.0/16'
	list src_mac '20:C9:D0:CA:xxxx'
	option src '*'
	option name 'my laptop forward'
	list proto 'all'

config rule
	option name 'my laptop device input'
	list proto 'all'
	option src '*'
	list src_mac '20:C9:D0:Cxxxxx'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

I don't see any major issues with the configuration.
The lan zone has a blank interface; remove that.
Also clean up the interfaces that don't exist in the wan zone.
Zones IoT and Telefon don't have any member interface.
You have a couple of rules at the bottom that allow your laptop from any zone to reach any zone and the device, which can explain the allowed packets.


Thanks for checking! The last "allow" rules for my laptop are something new; I didn't have them when I was checking the isolation of subnets (and I deactivate them when I check it again). I put them in so that I don't have to be broadcasting the admin SSID everywhere.

So do you mean that I should have achieved separation of subnets without an extra traffic rule to drop forwarding to '192.168.0.0/16'?

Right now the things are alright, I just don't understand why it was necessary.

The global forward is set to reject, so any zones without forwardings are not able to communicate. If you still have issues, you can post the iptables-save -c as well.
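As an added example (not code from the thread or from fw3), the Python below walks the FORWARD path of an iptables-save -c dump for one packet, so the posted ruleset's verdict for students -> guest, students -> wan and lan -> students can be read off the trace instead of guessed. It models only the matches fw3 uses in these chains (-i, -o, -p, --ctstate, --dport), covers routed traffic only, and its sample is an excerpt of the dump above plus one constructed zone_wan_dest_ACCEPT rule, because the posted dump is cut off before that chain.

```python
import shlex
from collections import defaultdict

# Excerpt of the posted iptables-save -c *filter table, trimmed to the chains a
# students -> X or lan -> X packet can visit. Only the last rule is constructed:
# the posted dump is cut off before zone_wan_dest_ACCEPT.
SAMPLE = r"""
*filter
:FORWARD DROP [0:0]
[111740:83021365] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5932:556679] -A FORWARD -i eth0.16 -m comment --comment "!fw3" -j zone_lan_forward
[29:1836] -A FORWARD -i eth0.15 -m comment --comment "!fw3" -j zone_students_forward
[2190:146398] -A FORWARD -m comment --comment "!fw3" -j reject
[1994:125113] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[433:37887] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[5932:556679] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5932:556679] -A zone_lan_forward -m comment --comment "!fw3: LAN access all" -j ACCEPT
[0:0] -A zone_students_dest_REJECT -o eth0.15 -m comment --comment "!fw3" -j reject
[29:1836] -A zone_students_forward -m comment --comment "!fw3: Custom students forwarding rule chain" -j forwarding_students_rule
[29:1836] -A zone_students_forward -m comment --comment "!fw3: Zone students to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_students_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1:64] -A zone_students_forward -m comment --comment "!fw3" -j zone_students_dest_REJECT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m comment --comment "constructed" -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# iptables options this walker understands -> field name; everything else is skipped
OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target",
        "--ctstate": "ctstate", "--dport": "dport", "--comment": "comment"}


def parse_rule(line):
    """Turn one '[pkts:bytes] -A CHAIN ...' line into a dict of matches and target."""
    rule = {field: None for field in OPTS.values()}
    toks = shlex.split(line)                 # keeps the quoted --comment whole
    i = 0
    while i < len(toks):
        field = OPTS.get(toks[i])
        if field and i + 1 < len(toks):
            rule[field] = toks[i + 1]
            i += 2
        else:                                # counters, -m modules, --reject-with ...
            i += 1
    if rule["ctstate"]:                      # --ctstate A,B matches any listed state
        rule["ctstate"] = set(rule["ctstate"].split(","))
    return rule


def load_filter_table(text):
    """Return ({chain: [rules]}, FORWARD policy) from the *filter table of a dump."""
    rules, policy, in_filter = defaultdict(list), "ACCEPT", False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("["):
            rule = parse_rule(line)
            rules[rule["chain"]].append(rule)
    return rules, policy


def matches(rule, pkt):
    """Every match the rule specifies must hold; unspecified ones are wildcards."""
    for key in ("in", "out", "proto", "dport"):
        if rule[key] and rule[key] != str(pkt.get(key)):
            return False
    return not rule["ctstate"] or pkt["ctstate"] in rule["ctstate"]


def walk(rules, chain, pkt, trace):
    """Netfilter semantics: first match decides; a user chain that runs out returns."""
    for rule in rules[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f'{chain}: "{rule["comment"]}" -> {target}')
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(rules, target, pkt, trace)   # jump; an empty chain falls through
        if verdict is not None:
            return verdict


def forward_verdict(dump, pkt):
    """Verdict the FORWARD chain gives this packet, plus the path that produced it."""
    rules, policy = load_filter_table(dump)
    trace = []
    return walk(rules, "FORWARD", pkt, trace) or policy, trace


if __name__ == "__main__":
    cases = {
        "students -> guest": {"in": "eth0.15", "out": "eth0.11", "proto": "udp", "ctstate": "NEW"},
        "students -> wan": {"in": "eth0.15", "out": "pppoe-WAN", "proto": "tcp", "ctstate": "NEW"},
        "lan -> students": {"in": "eth0.16", "out": "eth0.15", "proto": "tcp", "ctstate": "NEW"},
    }
    for name, pkt in cases.items():
        verdict, trace = forward_verdict(SAMPLE, pkt)
        print(f"{name}: {verdict}\n  " + "\n  ".join(trace))
```

The students -> guest trace ends in the FORWARD chain's final `-j reject`, i.e. the `defaults forward REJECT` policy, without any per-zone rule ever matching the guest interface; the same walk over your full `iptables-save -c` shows which rule, if any, is letting a packet through.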

Yeah, I checked now, fixed a few things and tried again, i.e. I unclicked the drop for forwarding to 192.168.0.0/16 from 2.0/24 and 3.0/24, and the rules allowing my laptop to access anything. I got on 2.0/24 and ran an IP scan for 1.0/24 and 3.0/24, and I can see the devices on these nets, even though the only forwarding from these zones is to wan. Here is the iptables-save. Thanks for checking!

root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.7 on Fri Apr 22 16:13:41 2022
*nat
:PREROUTING ACCEPT [7185:649692]
:INPUT ACCEPT [1268:109171]
:OUTPUT ACCEPT [1511:109839]
:POSTROUTING ACCEPT [4657:261648]
:postrouting_IoT_rule - [0:0]
:postrouting_Telefon_rule - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_students_rule - [0:0]
:postrouting_testrules_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_IoT_rule - [0:0]
:prerouting_Telefon_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_students_rule - [0:0]
:prerouting_testrules_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_IoT_postrouting - [0:0]
:zone_IoT_prerouting - [0:0]
:zone_Telefon_postrouting - [0:0]
:zone_Telefon_prerouting - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_students_postrouting - [0:0]
:zone_students_prerouting - [0:0]
:zone_testrules_postrouting - [0:0]
:zone_testrules_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7185:649692] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[4060:414363] -A PREROUTING -i eth0.16 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.12 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[95:5358] -A PREROUTING -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.8 -m comment --comment "!fw3" -j zone_wan_prerouting
[2893:220490] -A PREROUTING -i eth0.11 -m comment --comment "!fw3" -j zone_guest_prerouting
[137:9481] -A PREROUTING -i eth0.15 -m comment --comment "!fw3" -j zone_students_prerouting
[0:0] -A PREROUTING -i eth0.17 -m comment --comment "!fw3" -j zone_students_prerouting
[6995:567128] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[325:29352] -A POSTROUTING -o eth0.16 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.12 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[2338:305480] -A POSTROUTING -o pppoe-WAN -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.8 -m comment --comment "!fw3" -j zone_wan_postrouting
[3287:165624] -A POSTROUTING -o eth0.11 -m comment --comment "!fw3" -j zone_guest_postrouting
[940:60360] -A POSTROUTING -o eth0.15 -m comment --comment "!fw3" -j zone_students_postrouting
[0:0] -A POSTROUTING -o eth0.17 -m comment --comment "!fw3" -j zone_students_postrouting
[0:0] -A zone_IoT_postrouting -m comment --comment "!fw3: Custom IoT postrouting rule chain" -j postrouting_IoT_rule
[0:0] -A zone_IoT_prerouting -m comment --comment "!fw3: Custom IoT prerouting rule chain" -j prerouting_IoT_rule
[0:0] -A zone_Telefon_postrouting -m comment --comment "!fw3: Custom Telefon postrouting rule chain" -j postrouting_Telefon_rule
[0:0] -A zone_Telefon_prerouting -m comment --comment "!fw3: Custom Telefon prerouting rule chain" -j prerouting_Telefon_rule
[3287:165624] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[2893:220490] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[325:29352] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.33/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.1.33/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.33/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.9.3
[4060:414363] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.254.124.74/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.33:51820
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 79.254.124.74/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.33:51820
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 79.254.124.74/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.33:51820
[940:60360] -A zone_students_postrouting -m comment --comment "!fw3: Custom students postrouting rule chain" -j postrouting_students_rule
[137:9481] -A zone_students_prerouting -m comment --comment "!fw3: Custom students prerouting rule chain" -j prerouting_students_rule
[0:0] -A zone_testrules_postrouting -m comment --comment "!fw3: Custom testrules postrouting rule chain" -j postrouting_testrules_rule
[0:0] -A zone_testrules_prerouting -m comment --comment "!fw3: Custom testrules prerouting rule chain" -j prerouting_testrules_rule
[2338:305480] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2338:305480] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[95:5358] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding " -j DNAT --to-destination 192.168.1.33:51820
COMMIT
# Completed on Fri Apr 22 16:13:41 2022
# Generated by iptables-save v1.8.7 on Fri Apr 22 16:13:41 2022
*raw
:PREROUTING ACCEPT [125956:84392623]
:OUTPUT ACCEPT [9999:1099929]
:zone_IoT_helper - [0:0]
:zone_Telefon_helper - [0:0]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_students_helper - [0:0]
:zone_testrules_helper - [0:0]
[41619:11878143] -A PREROUTING -i eth0.16 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i eth0.12 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[7322:1012256] -A PREROUTING -i eth0.11 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
[1291:343451] -A PREROUTING -i eth0.15 -m comment --comment "!fw3: students CT helper assignment" -j zone_students_helper
[0:0] -A PREROUTING -i eth0.17 -m comment --comment "!fw3: students CT helper assignment" -j zone_students_helper
COMMIT
# Completed on Fri Apr 22 16:13:41 2022
# Generated by iptables-save v1.8.7 on Fri Apr 22 16:13:41 2022
*mangle
:PREROUTING ACCEPT [125956:84392623]
:INPUT ACCEPT [5875:626812]
:FORWARD ACCEPT [120081:83765811]
:OUTPUT ACCEPT [9999:1099929]
:POSTROUTING ACCEPT [127890:84719939]
[796:43516] -A FORWARD -o pppoe-WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[796:42560] -A FORWARD -i pppoe-WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.8 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.8 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Apr 22 16:13:41 2022
# Generated by iptables-save v1.8.7 on Fri Apr 22 16:13:41 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_IoT_rule - [0:0]
:forwarding_Telefon_rule - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_students_rule - [0:0]
:forwarding_testrules_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_IoT_rule - [0:0]
:input_Telefon_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_students_rule - [0:0]
:input_testrules_rule - [0:0]
:input_wan_rule - [0:0]
:output_IoT_rule - [0:0]
:output_Telefon_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_students_rule - [0:0]
:output_testrules_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_IoT_dest_ACCEPT - [0:0]
:zone_IoT_dest_REJECT - [0:0]
:zone_IoT_forward - [0:0]
:zone_IoT_input - [0:0]
:zone_IoT_output - [0:0]
:zone_IoT_src_ACCEPT - [0:0]
:zone_Telefon_dest_ACCEPT - [0:0]
:zone_Telefon_forward - [0:0]
:zone_Telefon_input - [0:0]
:zone_Telefon_output - [0:0]
:zone_Telefon_src_REJECT - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_students_dest_ACCEPT - [0:0]
:zone_students_dest_REJECT - [0:0]
:zone_students_forward - [0:0]
:zone_students_input - [0:0]
:zone_students_output - [0:0]
:zone_students_src_REJECT - [0:0]
:zone_testrules_dest_ACCEPT - [0:0]
:zone_testrules_dest_REJECT - [0:0]
:zone_testrules_forward - [0:0]
:zone_testrules_input - [0:0]
:zone_testrules_output - [0:0]
:zone_testrules_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[308:18781] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5567:608031] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3799:457991] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[72:3133] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[946:89764] -A INPUT -i eth0.16 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.12 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[137:7046] -A INPUT -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.8 -m comment --comment "!fw3" -j zone_wan_input
[574:44877] -A INPUT -i eth0.11 -m comment --comment "!fw3" -j zone_guest_input
[111:8353] -A INPUT -i eth0.15 -m comment --comment "!fw3" -j zone_students_input
[0:0] -A INPUT -i eth0.17 -m comment --comment "!fw3" -j zone_students_input
[120081:83765811] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[111740:83021365] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5932:556679] -A FORWARD -i eth0.16 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.12 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.8 -m comment --comment "!fw3" -j zone_wan_forward
[2380:185931] -A FORWARD -i eth0.11 -m comment --comment "!fw3" -j zone_guest_forward
[29:1836] -A FORWARD -i eth0.15 -m comment --comment "!fw3" -j zone_students_forward
[0:0] -A FORWARD -i eth0.17 -m comment --comment "!fw3" -j zone_students_forward
[2190:146398] -A FORWARD -m comment --comment "!fw3" -j reject
[308:18781] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[9691:1081148] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7684:932965] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[334:32325] -A OUTPUT -o eth0.16 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.12 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[1659:112106] -A OUTPUT -o pppoe-WAN -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.8 -m comment --comment "!fw3" -j zone_wan_output
[10:2720] -A OUTPUT -o eth0.11 -m comment --comment "!fw3" -j zone_guest_output
[4:1032] -A OUTPUT -o eth0.15 -m comment --comment "!fw3" -j zone_students_output
[0:0] -A OUTPUT -o eth0.17 -m comment --comment "!fw3" -j zone_students_output
[1994:125113] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[433:37887] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[72:3133] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_IoT_forward -m comment --comment "!fw3: Custom IoT forwarding rule chain" -j forwarding_IoT_rule
[0:0] -A zone_IoT_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_IoT_forward -m comment --comment "!fw3" -j zone_IoT_dest_REJECT
[0:0] -A zone_IoT_input -m comment --comment "!fw3: Custom IoT input rule chain" -j input_IoT_rule
[0:0] -A zone_IoT_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_IoT_input -m comment --comment "!fw3" -j zone_IoT_src_ACCEPT
[0:0] -A zone_IoT_output -m comment --comment "!fw3: Custom IoT output rule chain" -j output_IoT_rule
[0:0] -A zone_IoT_output -m comment --comment "!fw3" -j zone_IoT_dest_ACCEPT
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3: Custom Telefon forwarding rule chain" -j forwarding_Telefon_rule
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3: Zone Telefon to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Telefon_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3" -j zone_Telefon_dest_ACCEPT
[0:0] -A zone_Telefon_input -m comment --comment "!fw3: Custom Telefon input rule chain" -j input_Telefon_rule
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Telefon_input -m comment --comment "!fw3" -j zone_Telefon_src_REJECT
[0:0] -A zone_Telefon_output -m comment --comment "!fw3: Custom Telefon output rule chain" -j output_Telefon_rule
[0:0] -A zone_Telefon_output -m comment --comment "!fw3" -j zone_Telefon_dest_ACCEPT
[10:2720] -A zone_guest_dest_ACCEPT -o eth0.11 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o eth0.11 -m comment --comment "!fw3" -j reject
[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2189:146334] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[574:44877] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[510:35507] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[8:2660] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[56:6710] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[10:2720] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[10:2720] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[56:6710] -A zone_guest_src_REJECT -i eth0.11 -m comment --comment "!fw3" -j reject
[334:32325] -A zone_lan_dest_ACCEPT -o eth0.16 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth0.12 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[5932:556679] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5932:556679] -A zone_lan_forward -m comment --comment "!fw3: LAN access all" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Telefon forwarding policy" -j zone_Telefon_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to IoT forwarding policy" -j zone_IoT_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to guest forwarding policy" -j zone_guest_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to students forwarding policy" -j zone_students_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[946:89764] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[946:89764] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[334:32325] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[334:32325] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[946:89764] -A zone_lan_src_ACCEPT -i eth0.16 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0.12 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4:1032] -A zone_students_dest_ACCEPT -o eth0.15 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_students_dest_ACCEPT -o eth0.17 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_students_dest_REJECT -o eth0.15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_students_dest_REJECT -o eth0.17 -m comment --comment "!fw3" -j reject
[29:1836] -A zone_students_forward -m comment --comment "!fw3: Custom students forwarding rule chain" -j forwarding_students_rule
[29:1836] -A zone_students_forward -m comment --comment "!fw3: Zone students to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_students_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1:64] -A zone_students_forward -m comment --comment "!fw3" -j zone_students_dest_REJECT
[111:8353] -A zone_students_input -m comment --comment "!fw3: Custom students input rule chain" -j input_students_rule
[0:0] -A zone_students_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[36:2411] -A zone_students_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[3:984] -A zone_students_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[72:4958] -A zone_students_input -m comment --comment "!fw3" -j zone_students_src_REJECT
[4:1032] -A zone_students_output -m comment --comment "!fw3: Custom students output rule chain" -j output_students_rule
[4:1032] -A zone_students_output -m comment --comment "!fw3" -j zone_students_dest_ACCEPT
[72:4958] -A zone_students_src_REJECT -i eth0.15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_students_src_REJECT -i eth0.17 -m comment --comment "!fw3" -j reject
[0:0] -A zone_testrules_forward -m comment --comment "!fw3: Custom testrules forwarding rule chain" -j forwarding_testrules_rule
[0:0] -A zone_testrules_forward -d 192.168.0.0/16 -m comment --comment "!fw3: vlan 12 can\'t see the others" -j DROP
[0:0] -A zone_testrules_forward -m comment --comment "!fw3: Zone testrules to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_testrules_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_testrules_forward -m comment --comment "!fw3" -j zone_testrules_dest_REJECT
[0:0] -A zone_testrules_input -m comment --comment "!fw3: Custom testrules input rule chain" -j input_testrules_rule
[0:0] -A zone_testrules_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -p udp -m udp --dport 53 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -p udp -m udp --dport 67 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -p udp -m udp --dport 68 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_testrules_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_testrules_input -m comment --comment "!fw3" -j zone_testrules_src_REJECT
[0:0] -A zone_testrules_output -m comment --comment "!fw3: Custom testrules output rule chain" -j output_testrules_rule
[0:0] -A zone_testrules_output -m comment --comment "!fw3" -j zone_testrules_dest_ACCEPT
[2:80] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1876:153395] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.8 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.8 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-WAN -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.8 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[137:7046] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[28:2112] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51821 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[109:4934] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1659:112106] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1659:112106] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[109:4934] -A zone_wan_src_REJECT -i pppoe-WAN -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.8 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Apr 22 16:13:41 2022
root@OpenWrt:~#

Can you connect to any of the devices on a different subnet?

This is the flow of packets coming from guest:

[120081:83765811] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[111740:83021365] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2380:185931] -A FORWARD -i eth0.11 -m comment --comment "!fw3" -j zone_guest_forward

[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2189:146334] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT

[0:0] -A zone_guest_dest_REJECT -o eth0.11 -m comment --comment "!fw3" -j reject

[2190:146398] -A FORWARD -m comment --comment "!fw3" -j reject

forwarding_rule is empty and I suppose the packets are not related or established somehow.
There were 2380 packets to be forwarded; about 200 went to wan successfully and the remaining 2189 went to the rule that rejects intrazone packets. No hits there. zone_guest_forward is finished, so the packets will be rejected by the last rule in the FORWARD chain.
As @krazeh suggested, can you actually connect or get a ping response?
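To make the chain walk above reproducible, here is an added Python example (not code from this thread, from OpenWrt or from fw3) that parses `iptables-save -c` text like the dump pasted earlier and follows one packet through FORWARD, printing every jump until a terminal verdict. The ruleset in `SAMPLE` is constructed from the chains shown in this thread; mapping eth0.12 to the testrules zone, the address 203.0.113.5 and the counter values are assumptions made for illustration.

```python
"""Trace a forwarded packet through fw3-style iptables chains.
Added example for this thread (not OpenWrt/fw3 code): parse `iptables-save -c`
text and walk a packet through FORWARD to see which rule decides its fate."""
import ipaddress
import shlex

# Constructed sample in iptables-save -c format, modelled on the chains pasted above:
# guest (eth0.11) only forwards to wan; testrules (eth0.12, assumed) also drops 192.168.0.0/16.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
[120081:83765811] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[111740:83021365] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2380:185931] -A FORWARD -i eth0.11 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -i eth0.12 -m comment --comment "!fw3" -j zone_testrules_forward
[2190:146398] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[2380:185931] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2189:146334] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_dest_REJECT -o eth0.11 -m comment --comment "!fw3" -j reject
[0:0] -A zone_testrules_forward -m comment --comment "!fw3: Custom testrules forwarding rule chain" -j forwarding_testrules_rule
[0:0] -A zone_testrules_forward -d 192.168.0.0/16 -m comment --comment "!fw3: vlan 12 can't see the others" -j DROP
[0:0] -A zone_testrules_forward -m comment --comment "!fw3: Zone testrules to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_testrules_forward -m comment --comment "!fw3" -j zone_testrules_dest_REJECT
[0:0] -A zone_testrules_dest_REJECT -o eth0.12 -m comment --comment "!fw3" -j reject
[2:80] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1876:153395] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m comment --comment "!fw3" -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that take a value; bare flags are simply skipped by the parser.
VALUE_OPTS = {"-A", "-i", "-o", "-s", "-d", "-p", "-m", "-j", "--ctstate",
              "--comment", "--dport", "--sport", "--reject-with"}

def parse_save(text):
    """Return {chain: (policy, [rule, ...])}; policy is None for user chains."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                     # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = (None if policy == "-" else policy, [])
        elif "-A " in line:
            toks = shlex.split(line)                 # keeps the quoted comment as one token
            if toks[0].startswith("["):              # strip the [pkts:bytes] counter
                toks = toks[1:]
            rule, i = {}, 0
            while i < len(toks):
                if toks[i] in VALUE_OPTS:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    i += 1
            chains.setdefault(rule["-A"], (None, []))[1].append(rule)
    return chains

def matches(rule, pkt):
    """True when every match criterion present in the rule fits the packet."""
    for opt, key in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["-d"], strict=False):
        return False
    if "--ctstate" in rule and not set(rule["--ctstate"].split(",")) & pkt["ctstate"]:
        return False
    return True

def walk(chains, chain, pkt, path):
    """Walk one chain; return the verdict, or None when the packet falls off the end."""
    policy, rules = chains.get(chain, (None, []))  # unknown chain = empty user chain
    for rule in rules:
        target = rule.get("-j")
        if target is None or not matches(rule, pkt):
            continue
        path.append((chain, rule.get("--comment", ""), target))
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt, path)    # user chain: recurse, continue on fall-through
        if verdict is not None:
            return verdict
    return policy  # built-in chain policy, or None for a user chain

def trace_forward(text, in_if, out_if, dst, proto="icmp", ctstate=("NEW",)):
    """Return (verdict, path) for a new packet entering in_if, leaving out_if, bound for dst."""
    pkt = {"in": in_if, "out": out_if, "dst": dst, "proto": proto, "ctstate": set(ctstate)}
    path = []
    return walk(parse_save(text), "FORWARD", pkt, path), path

if __name__ == "__main__":
    for args in (("eth0.11", "eth0.16", "192.168.1.220"),   # guest -> lan host
                 ("eth0.12", "eth0.16", "192.168.1.220"),   # testrules -> lan host
                 ("eth0.11", "pppoe-WAN", "203.0.113.5")):  # guest -> internet
        verdict, path = trace_forward(SAMPLE, *args)
        print(f"{args}: {verdict}")
        for chain, comment, target in path:
            print(f"    {chain:26s} -> {target:26s} {comment}")
```

Running it shows the two mechanisms side by side: the guest packet passes through zone_guest_forward without any rule matching (zone_wan_dest_ACCEPT only matches `-o pppoe-WAN`, zone_guest_dest_REJECT only `-o eth0.11`), falls back to FORWARD and is rejected by its final `-j reject` rule, which is why that counter grows; the testrules packet is dropped inside its own zone chain by the explicit `-d 192.168.0.0/16` rule. Feed it your own `iptables-save -c` output instead of `SAMPLE` to see the same thing for your interfaces.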

Yes, not a direct "ping" from the terminal, but the "angry" IP scanner scans using ping, and I get the names of the hosts with their IP addresses. So I suppose it's getting a ping response?
I haven't tried to connect to the devices.... now I installed ftp on the Samsung and am trying, but there is something wrong with my AP (or my setup: it's unifi), so I can't test it very well: ftp won't work when they are on the 1.0/24 net.

Samsung on 3.0/24 net:
Laptop 3.0/24: ftp works (it's meant to be so, no client isolation on AP)
Laptop 2.0/24: ftp doesn't work (as desired)
Laptop 1.0/24 (from a non-unifi AP): ftp does work: also desired.

So in terms of ftp-ability, the isolation of the subnets seems to be working as intended. But I don't understand why it is not that way with Angry IP Scanner. Is it something more invasive? (like nmap? nmap seems to be able to scan anything)

See the Angry IP Scanner FAQ on pinging techniques.

https://angryip.org/faq/pinging.html

@OldNavy thanks for the tip about angry IP scanner. Now I looked at the configuration of it for the first time: I was just using it with default setting without changing anything except IP range. It says pinging method is java-built-in: I think this means ICMP first, and if it doesn't work, UDP, and TCP. Ports are also specified: 80, 443, 8080. The ftp server on samsung I installed uses 2221.

So, when I block the traffic to other subnets explicitly on traffic rules, I choose "any protocol", so it is probably all blocked. But it seems that when I choose "wan" on general forwarding, meaning that forwarding shouldn't take place for any other zone as a destination, not everything gets blocked.... I would like to know what's blocked and what's not....

Another question in this context is, am I right to think that, if I drop forwarding to 192.168.2.0/24, and my router is 192.168.2.1, then 2.1 will be automatically excluded from the drop, since it is the "device"? Is that right?
And, if I set drop forwarding to any zone with 192.168.0.0/16 from the zone with interface 192.168.2.0/24, then actually the dropping is effective only to 192.168.n.0/24, where n is not 2, since the traffic within 192.168.2.0/24 doesn't go through the router (just through switches or AP or so). Is it right?
It does look like what's happening, but I would appreciate confirmation/correction!

I can tell you what I do for my guest WiFi networks.

Each guest is on its own subnet.

Example -

Guest1      192.168.2.1

Guest2      192.168.3.1

The Zones are set as follows -

Guest1 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Guest2 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Each has their own DHCP and DNS traffic rules.

Each guest wireless interface is set to Isolate clients, so that clients can't talk to each other on the same subnet.

The Zone rules prevent guests from talking to each other on different subnets, and with the main network.

Don't know if that's exactly what you're trying to do, but it's what works for my use cases (Guest/IoT).

VLANs might be a better choice, but my network is pretty straightforward, and I'm not quite there yet on my knowledge of how to use them correctly.

@anon89577378
Yeah... that's what I have, too. (But I have VLANs, too, with several APs) with the same general rule as you have. But it doesn't seem to separate the zones as I expected, unless I put additional separation rules. That's what I don't understand.

You can always use tcpdump on the router to capture the packets received and sent to verify if the firewall works or not.

Have you checked with traceroute what path the packets actually travel? It sounds to me like they're possibly traveling through some other device on your network.

Now I checked traceroute: my laptop on 3.1/24, Samsung on 1.1/24, and I get this:
albertus:etc johanna$ traceroute 192.168.1.220
traceroute to 192.168.1.220 (192.168.1.220), 64 hops max, 52 byte packets
1 openwrt (192.168.3.1) 3.934 ms 0.945 ms 0.985 ms
2 openwrt (192.168.3.1) 1.129 ms 0.964 ms 1.083 ms

So it looks like there is no other device on the way.

I got ssh on Samsung, put it on 1.1/24, ssh to OpenWRT, my laptop on 2.1/24 (wanted to use 3.1 but there are a lot more other traffic than 2.1), ran Angry IP, and checked tcpdump -i eth0.11 (it's for 2.1/24), and tcpdump -it eth0.16 (it's for 1.1/24). Are these the right things to check?

And now, a lot of things are there. Could you tell me what to look for, to see if firewall is working?

My recommendation is the following: Simplify.

  • Reset your router to defaults.
  • Set up one additional network/VLAN.
  • Create a new firewall zone for that network.
  • Test the inter-VLAN routing.

That should not have any unexplained connectivity between the networks, but if it does, we need to look at your whole network infrastructure to understand more.
If it works as expected, repeat the process of creating additional networks and firewall zones/rules with the formula as shown above.

You should filter the captured packets to only the interesting ones. For example:
tcpdump -i eth0.11 -n host 192.168.1.220 and host 192.168.3.100
tcpdump -i eth0.16 -n host 192.168.1.220 and host 192.168.3.100
If you don't understand what you see you can post it here.