Bridge Firewall doesn't seem to catch all traffic?

So I've got a bridged firewall all set up and it seems to work for 99% of the cases out there. I've been testing it pretty thoroughly - and then caught something... odd.

I have a smart TV like anyone does these days. However, I have my firewall set up so that it blocks Internet access as well as any other network traffic for this TV. The only thing it can access is my media server. With this... I noticed that it was still making DNS queries to my local DNS server.

For context, I'm using iptables-nft since this is much cleaner and easier to read in my opinion. I've gone as far as putting in a critical rule to test things out with this TV as:
iptables-nft -I FORWARD -s (tv ip) ! -d (media server ip) -j DROP

I noticed the logs show it's dropping a bunch of packets, but when viewing my dnsmasq logs from the DNS server, I can confirm it's still receiving DNS requests. I then added on my DNS server iptables -I INPUT -s (tv ip) -j DROP and can clearly see it dropping tons of packets coming from the TV.

I have gone into the UI for OpenWRT and even added two rules in the firewall > traffic rules section. I had one that granted access to the media server, and then one after that denying all other traffic... No difference in behavior.

Is there a setting somewhere missing for the bridge mode to be more effective? Or is this just a bug?

Note: Running version 23.0.5

You need to install the bridge firewall kmods and enable them using sysctl. Typically a bridge is filtered with the bridge firewall, not inet (cf. ebtables(-nft)).
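As an added example (not from this thread), a small POSIX shell check for the two prerequisites named above: the br_netfilter module from kmod-br-netfilter and the net.bridge.bridge-nf-call-iptables sysctl; its IPv6 counterpart net.bridge.bridge-nf-call-ip6tables is included as well, since an IPv4-only FORWARD rule never sees IPv6 DNS queries. The function takes lsmod and sysctl output as text so it runs against the constructed samples below; on the router, pass --live to read the real values.

```shell
#!/bin/sh
# Added example, not from the thread: report which bridge-firewall
# prerequisites are missing on an OpenWrt box. The bridge only hands bridged
# frames to the IP filter chains when br_netfilter is loaded and the
# bridge-nf-call-* sysctls are 1; without them a FORWARD rule never sees
# TV -> LAN traffic that stays inside br-lan.

# br_nf_missing LSMOD_TEXT SYSCTL_TEXT
# Prints one line per missing prerequisite; prints nothing when all are met.
# Always returns 0 so it is safe to call under 'set -e'.
br_nf_missing() {
  lsmod_out=$1
  sysctl_out=$2
  # kmod-br-netfilter provides the br_netfilter module (lsmod lists it by name)
  printf '%s\n' "$lsmod_out" | grep -q '^br_netfilter[[:space:]]' \
    || echo 'module br_netfilter'
  # both the v4 and v6 hooks; sysctl -a prints "key = value"
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    printf '%s\n' "$sysctl_out" | grep -q "^$key = 1\$" \
      || echo "sysctl $key=1"
  done
  return 0
}

# Constructed sample outputs (not captured from the poster's router):
# module present, IPv4 hook on, IPv6 hook still off.
LSMOD_SAMPLE='Module                  Size  Used by
br_netfilter           32768  0
nf_tables             245760  7'
SYSCTL_SAMPLE='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1'

if [ "${1-}" = "--live" ]; then
  # On the router: lsmod and sysctl are busybox applets on OpenWrt.
  missing=$(br_nf_missing "$(lsmod)" "$(sysctl -a 2>/dev/null)")
else
  missing=$(br_nf_missing "$LSMOD_SAMPLE" "$SYSCTL_SAMPLE")
fi
if [ -n "$missing" ]; then
  printf 'bridge firewall NOT fully enabled, missing:\n%s\n' "$missing"
else
  echo 'bridge firewall prerequisites present'
fi
```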

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi,

Yes, I did install the kmods (both kmod-br-netfilter and kmod-nft-bridge) and enabled it in sysctl with net.bridge.bridge-nf-call-iptables=1. I don't think I'd even be able to say 99% of it worked if not for those, as they were required for the bridge firewall to work at all in the first place.

My previous version of 21.x.x seemed to have done everything fine, but it was also on regular iptables before 22.x.x moved it to "obsolete".

As the contents of those files together contain thousands of lines due to my configuration (many static leases, firewall containing many port forwards, etc), is there anything in particular you'd like me to share from them? Perhaps just the rules specific to this device that my example above is about?

Wrong answer in part 2. Telepathy and crystal ball not used to read your config and fix it.

Okay, let's keep this within the forum rules, please: "Be kind to your fellow community members." :slight_smile:

I did a fresh install on a separate box to simplify the configurations so I wouldn't be posting a cluster of details and have a harder time redacting information or overkilling those reviewing this. I was still able to reproduce it with the new system, which uses the exact same hardware.

Note there is no wireless on either device.

system info:

{
	"kernel": "5.15.150",
	"hostname": "router",
	"system": "Intel(R) Celeron(R) J6412 @ 2.00GHz",
	"model": "Protectli VP2420",
	"board_name": "protectli-vp2420",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.254.0'
	list dns '192.168.30.5'
	option delegate '0'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '172.25.0.2'
	option netmask '255.255.255.0'
	option gateway '172.25.0.1'

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'

config dhcp 'lan'
	option interface 'lan'
	option start '192.168.31.2'
	option limit '253'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.30.5'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall:

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option enabled '1'
	option type 'script'
	option path '/etc/firewall.user'
	option fw4_compatible '1'

The only contents of firewall.user on this fresh install (I replaced the IPs with a description of what they are):

iptables-nft -I FORWARD -s [tv ip] ! -d [local media server ip] -j DROP

iptables-nft output for FORWARD:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  315 72271 DROP       all  --  *      *       [tv ip]             ![local media server ip]

Contents of iptables on the DNS server (packet count different due to when I added the rule and reset iptables, but it did go up since adding the rule above):

 pkts bytes target     prot opt in     out     source               destination         
  675 47643 DROP       0    --  *      *       [tv ip]              0.0.0.0/0           

You can reformat the user include to a fw4 rule...