Can't block traffic to/from AWS and Denon AVR

OpenWrt 23.05.0

I have a Denon AVR that connects to vlan3 (10.10.20.n) via wifi.
The Denon wants to talk to AWS (Amazon World Services). I do not want this to occur as all media is locally sourced.
So I create a firewall rule via LuCI:

config rule
option name 'denon-to-wan'
list src_ip '10.10.20.26'
option dest 'wan'
option target 'REJECT'
option family 'ipv4'
list src_mac '00:05:CD:DA:92:56'
option src 'vlan3'
list proto 'all'

I ensure that the Denon is powering up from scratch; I see it request a DHCP address.

But then I see this:

13:47:27.633923 IP (tos 0x0, ttl 64, id 61351, offset 0, flags [DF], proto TCP (6), length 60)
denonav.evinrude.net.40145 > ec2-35-171-34-102.compute-1.amazonaws.com.443: Flags [S], cksum 0x3c51 (correct), seq 3213981182, win 14600, options [mss 1460,sackOK,TS val 4294941273 ecr 0,nop,wscale 3], length 0
13:47:27.634221 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
ec2-35-171-34-102.compute-1.amazonaws.com.443 > denonav.evinrude.net.40145: Flags [R.], cksum 0x644f (incorrect -> 0x777e), seq 0, ack 3213981183, win 0, length 0

I can make a similar rule with my workstation's IP and it completely blocks me from 'wan'.

I moved the Denon to vlan1 and it behaves the same way.

I am mystified.

I'd recommend specifying the IP address only, and using DHCP reservations to ensure that the AVR gets the same address at all times.

But beyond that, we'd have to see your full config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

OK. Since the original post I made a couple of changes. I moved the Denon to vlan 1 and made a rule 'block-to-wan' with my tablet's IP. This is identical to the rule 'denon-to-wan'. I verified that my tablet can no longer reach the www. I also removed the MACs from the rules and verified the Denon has a static IP. Here is the latest tcpdump snippet:

08:27:59.570256 IP (tos 0x0, ttl 64, id 13606, offset 0, flags [DF], proto TCP (6), length 60)
denonav.evinrude.net.37190 > ec2-34-198-27-248.compute-1.amazonaws.com.443: Flags [S], cksum 0x9dea (correct), seq 1097183095, win 14600, options [mss 1460,sackOK,TS val 4294941265 ecr 0,nop,wscale 3], length 0
08:27:59.570539 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
ec2-34-198-27-248.compute-1.amazonaws.com.443 > denonav.evinrude.net.37190: Flags [R.], cksum 0x52fc (incorrect -> 0xd90f), seq 0, ack 1097183096, win 0, length 0

And here is my config:

{
"kernel": "5.15.134",
"hostname": "shadow",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X",
"board_name": "ubnt,edgerouter-x",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd97:0191:ac00::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
option acceptlocal '1'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'

config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.10.10.1'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option hostname 'DTES'

config interface 'wan6'
option device 'eth0'
option proto 'none'

config device
option name 'eth1'
option acceptlocal '1'

config device
option name 'eth2'
option acceptlocal '1'

config device
option name 'eth3'
option acceptlocal '1'

config device
option name 'eth4'
option acceptlocal '1'

config route
option interface 'lan'
option gateway '10.10.10.109'
option target '192.168.1.0/24'

config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1:u*'
list ports 'eth2:t'
list ports 'eth3:t'
list ports 'eth4:t'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth1:t'
list ports 'eth2:t'
list ports 'eth3:t'
list ports 'eth4:t'

config interface 'lan3'
option proto 'static'
option device 'br-lan.3'
option ipaddr '10.10.20.1'
option netmask '255.255.255.0'
option ip6ifaceid '::1'
option ip6assign '64'

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option local '/evinrude.net/'
option domain 'evinrude.net'
option filterwin2k '1'
option cachesize '10000'
option min_cache_ttl '3600'
option nonegcache '1'
option quietdhcp '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option '42,10.10.10.1'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '3'

config host
option mac 'C4:2C:03:22:5F:21'
option name 'maclaptop'
option dns '1'
option ip '10.10.10.114'

config host
option mac '00:05:CD:DA:92:56'
option dns '1'
option ip '10.10.10.26'
option name 'denonav'

config host
option name 'linux-laptop'
option dns '1'
option mac 'A0:D3:7A:8D:BC:6A'
option ip '10.10.10.108'

config domain
option name 'shadow'
option ip '10.10.10.1'

config domain
option ip '10.10.10.4'
option name 'ollie'

config domain
option name 'timeserver'
option ip '10.10.10.1'

config domain
option ip '10.10.10.8'
option name 'kitten'

config dhcp 'lan3'
option interface 'lan3'
option start '10'
option limit '30'
option leasetime '12h'
list dhcp_option '42,10.10.20.1'
option ra 'server'

config host
option name 'hs200studiooutside'
option dns '1'
option mac '6C:5A:B0:EE:9B:F1'
option ip '10.10.20.38'

config host
option name 'hs200shopoutside'
option dns '1'
option mac '6C:5A:B0:EE:BA:91'
option ip '10.10.20.21'

config domain
option name 'tiberius'
option ip '10.10.10.7'

config host
option name 'brotherprinter'
option dns '1'
option mac '60:6D:C7:69:40:EB'
option ip '10.10.20.27'

config host
option name 'beelink'
option dns '1'
option mac 'E0:2E:0B:91:E9:07'
option ip '10.10.10.109'

config host
option name 'ccALivingroom'
option dns '1'
option ip '10.10.20.35'
option mac '54:60:09:FD:A4:80'

config domain
option name 'tootie'
option ip '10.10.10.3'

config domain
option name 'elog6'
option ip 'fd97:191:ac00::1010:1003'

config domain
option name 'mediaserver'
option ip '10.10.10.3'

config domain
option name 'gallery'
option ip '10.10.10.3'

config host
option name 'ccAShop'
option dns '1'
option mac '54:60:09:EA:34:DA'
option ip '10.10.20.22'

config host
option name 'ccLivingroom'
option dns '1'
option mac 'E4:F0:42:A1:D2:36'
option ip '10.10.20.11'

config domain
option name 'tootie'
option ip '10.10.20.3'

config host
option name 'HDHR-10913E38'
option dns '1'
option mac '00:18:DD:09:13:E3'
option ip '10.10.20.12'

config domain
option name 'beelink-6'
option ip 'fd97:191:ac00:0:625b:b8b9:97bc:7105'

config domain
option name 'shares'
option ip '10.10.10.3'

config domain
option name 'nfs'
option ip 'fd97:191:ac00::1010:1003'

config domain
option name 'webdav'
option ip '10.10.10.3'

config domain
option name 'elog4'
option ip '10.10.10.3'

config domain
option name 'gallery4'
option ip '10.10.10.3'

config domain
option name 'gallery6'
option ip 'fd97:191:ac00::1010:1003'

config domain
option name 'webdav6'
option ip 'fd97:191:ac00::1010:1003'

config domain
option name 'webdav4'
option ip '10.10.10.3'

config domain
option name 'time.apple.com'
option ip '10.10.10.1'

config domain
option name 'time.google.com'
option ip '10.10.10.1'

config domain
option name 'time1.google.com'
option ip '10.10.10.1'

config domain
option name 'time2.google.com'
option ip '10.10.10.1'

config domain
option name 'time3.google.com'
option ip '10.10.10.1'

config domain
option name 'time4.google.com'
option ip '10.10.10.1'

config domain
option name 'time1.apple.com'
option ip '10.10.10.1'

config domain
option name 'time2.apple.com'
option ip '10.10.10.1'

config domain
option name 'time3.apple.com'
option ip '10.10.10.1'

config domain
option name 'time4.apple.com'
option ip '10.10.10.1'

config domain
option name 'time5.apple.com'
option ip '10.10.10.1'

config domain
option name 'time6.apple.com'
option ip '10.10.10.1'

config domain
option name 'time7.apple.com'
option ip '10.10.10.1'

config domain
option name 'biscuit'
option ip '10.10.20.12'

config host
option name 'buster'
option dns '1'
option ip '10.10.10.221'
option mac '80:4E:70:0A:51:60'

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
option drop_invalid '1'

config zone
option name 'vlan1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config forwarding
option src 'vlan1'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping-Wan'
option family 'ipv4'
list proto 'icmp'
list icmp_type 'echo-request'
option src 'wan'
option target 'ACCEPT'
option enabled '0'

config rule
option name '3-to-dns-dhcp'
option src 'vlan3'
option dest_port '53 67'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'denon-to-wan'
option src 'vlan1'
option dest 'wan'
option target 'REJECT'
list src_ip '10.10.10.26'
option family 'ipv4'

config rule
option name 'block-to-wan'
option src 'vlan1'
option dest 'wan'
option target 'REJECT'
option family 'ipv4'
list src_ip '10.10.10.221'

config rule
option name 'Allow mdns'
option src_port '5353'
option dest_port '5353'
option target 'ACCEPT'
option device 'br-lan'
option direction 'in'
option src '*'
list proto 'udp'
list dest_ip '224.0.0.251'
list dest_ip 'ff02::fb'

config zone
option name 'vlan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan3'

config forwarding
option src 'vlan3'
option dest 'wan'

config rule
option name 'hdhr-to-1'
option src 'vlan3'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
list src_ip '10.10.20.12'
option family 'ipv4'
option src_port '1900'
option dest 'vlan1'

config rule
option name 'cc-to-vlan1'
option src 'vlan3'
option dest 'vlan1'
option target 'ACCEPT'
list proto 'tcp'
option dest_port '32768-61000'
option family 'ipv4'
option ipset 'ChromeCasts'

config forwarding
option src 'vlan1'
option dest 'vlan3'

config rule
option name 'beelink-3-to-1'
option src 'vlan3'
option dest 'vlan1'
option target 'ACCEPT'
list src_ip '10.10.20.109'
option family 'ipv4'

config redirect
option target 'DNAT'
option name 'dns-redirect-vlan3'
option family 'ipv4'
option src 'vlan3'
option src_ip '!10.10.20.1'
option src_dport '53'
option dest_ip '10.10.20.1'
option dest_port '53'
option src_dip '!10.10.20.1'
option reflection '0'
list proto 'tcp'
list proto 'udp'
option dest 'vlan3'

config redirect
option target 'DNAT'
option name 'dns-redirect-vlan1'
option family 'ipv4'
option src 'vlan1'
option src_ip '!10.10.10.1'
option src_dip '!10.10.10.1'
option src_dport '53'
option dest_ip '10.10.10.1'
option dest_port '53'
option reflection '0'
list proto 'tcp'
list proto 'udp'
option dest 'vlan1'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan1'
option src 'vlan1'
option src_ip '!10.10.10.1'
option src_dip '!10.10.10.1'
option src_dport '123'
option dest_ip '10.10.10.1'
option dest_port '123'
list proto 'udp'
option reflection '0'
option dest 'vlan1'

config redirect
option target 'DNAT'
option name 'ntp-redirect-vlan3'
option src 'vlan3'
option src_ip '!10.10.20.1'
option src_dport '123'
option dest_ip '10.10.20.1'
option dest_port '123'
option src_dip '!10.10.20.1'
list proto 'udp'
option reflection '0'
option dest 'vlan3'

config ipset
option name 'ChromeCasts'
option family 'ipv4'
list match 'ip'
list entry '10.10.20.11'
list entry '10.10.20.22'
list entry '10.10.20.35'


At this point I'm pretty sure this isn't a firewall issue but the fact that the Denon is keeping the AWS session open. If the firewall rule is off and the Denon reaches out to AWS that connection persists until, well, I'm not sure. Struggling with conntrack to understand the situation.

Disconnect the power from the Denon to ensure that the device goes completely offline. This will cause all connections to be closed. Then, when you power it back on, test to see if it is able to reach the internet or not.

I unplugged it for 5 minutes and still get:

15:05:55.972042 IP (tos 0x0, ttl 64, id 34321, offset 0, flags [DF], proto TCP (6), length 60)
denonav.evinrude.net.51813 > ec2-107-21-232-175.compute-1.amazonaws.com.80: Flags [S], cksum 0x0b3b (correct), seq 449190402, win 14600, options [mss 1460,sackOK,TS val 4294941715 ecr 0,nop,wscale 3], length 0
15:05:55.972367 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
ec2-107-21-232-175.compute-1.amazonaws.com.80 > denonav.evinrude.net.51813: Flags [R.], cksum 0x684a (incorrect -> 0x4822), seq 0, ack 449190403, win 0, length 0

nft list ruleset shows:

chain forward_vlan1 {
ip saddr 10.10.10.97 counter packets 253 bytes 83759 jump reject_to_wan comment "!fw4: denon-to-wan"
jump accept_to_wan comment "!fw4: Accept vlan1 to wan forwarding"
jump accept_to_vlan3 comment "!fw4: Accept vlan1 to vlan3 forwarding"
ct status dnat accept comment "!fw4: Accept port forwards"
jump accept_to_vlan1
}

I changed its IP to a fixed 10.10.10.97 since I started this thread.

Try repeating the process, but this time reboot the router, too, then reapply power to the AVR.

Left it powered off overnight; no change in symptom.
I'm not sure what other debug/logging etc. options I can use to understand what is going on here.

Marked as 'solved'. Don't ask.

You know that this will have piqued our interest.

But, beyond just the silly curiosity, it is appreciated if you can elaborate because this will help people solve similar problems in the future.

When running tcpdump / wireshark it's best to make note of whether your firewall rule is 'dropping' or 'rejecting'.
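To make that hint concrete, here is an added example (my own code, not from the thread or OpenWrt) that reads tcpdump -v output like the captures posted above and tells a reset generated by the router's own REJECT rule apart from one that actually came back from the remote host. The first SYN/RST pair in the sample is the one captured in the thread; the second pair, the hostname example-remote.invalid and the 5 ms window are constructed assumptions.

```python
import re
# Constructed sample in tcpdump -v format: pair one is the thread's capture,
# pair two is made up, with a reset that came back after a real network RTT.
SAMPLE = """\
13:47:27.633923 IP (tos 0x0, ttl 64, id 61351, offset 0, flags [DF], proto TCP (6), length 60)
    denonav.evinrude.net.40145 > ec2-35-171-34-102.compute-1.amazonaws.com.443: Flags [S], cksum 0x3c51 (correct), seq 3213981182, win 14600, options [mss 1460,sackOK,TS val 4294941273 ecr 0,nop,wscale 3], length 0
13:47:27.634221 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    ec2-35-171-34-102.compute-1.amazonaws.com.443 > denonav.evinrude.net.40145: Flags [R.], cksum 0x644f (incorrect -> 0x777e), seq 0, ack 3213981183, win 0, length 0
13:47:30.100000 IP (tos 0x0, ttl 64, id 61352, offset 0, flags [DF], proto TCP (6), length 60)
    denonav.evinrude.net.40146 > example-remote.invalid.443: Flags [S], cksum 0x1234 (correct), seq 1, win 14600, options [mss 1460], length 0
13:47:30.182000 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    example-remote.invalid.443 > denonav.evinrude.net.40146: Flags [R.], cksum 0x5678 (correct), seq 0, ack 2, win 0, length 0
"""

HDR = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(tos \S+, ttl (\d+), id (\d+),")
TCP = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\], cksum \S+ \((\w+)")

def parse_tcpdump(text):
    """Pair each 'IP (...)' header line with the TCP line that follows it."""
    pkts, lines = [], text.splitlines()
    for i in range(len(lines) - 1):
        h, t = HDR.match(lines[i]), TCP.match(lines[i + 1])
        if h and t:
            hh, mm, ss, ttl, ip_id = h.groups()
            pkts.append({"ts": int(hh) * 3600 + int(mm) * 60 + float(ss),
                         "ttl": int(ttl), "ip_id": int(ip_id), "src": t.group(1),
                         "dst": t.group(2), "flags": t.group(3), "cksum": t.group(4)})
    return pkts

def classify_resets(pkts, local_window_ms=5.0):
    """Match each SYN with its RST/ACK and decide who sent the reset.
    A reset from the router's own REJECT rule is built by the local kernel, so
    tcpdump sees it microseconds after the SYN and before the NIC fills in the
    checksum (hence 'incorrect'); a real remote reset arrives after an RTT."""
    out = []
    for syn in (p for p in pkts if p["flags"] == "S"):
        rst = next((p for p in pkts if p["flags"] == "R." and p["ts"] >= syn["ts"]
                    and p["src"] == syn["dst"] and p["dst"] == syn["src"]), None)
        if rst is None:
            continue  # no reset seen: a DROP rule, or a connection that went through
        delta_ms = (rst["ts"] - syn["ts"]) * 1000.0
        local = rst["cksum"] == "incorrect" and delta_ms < local_window_ms
        out.append({"client": syn["src"], "server": syn["dst"], "delta_ms": delta_ms,
                    "verdict": "local-reject" if local else "remote-reset"})
    return out

if __name__ == "__main__":
    for r in classify_resets(parse_tcpdump(SAMPLE)):
        print(f"{r['client']} -> {r['server']}: RST after {r['delta_ms']:.3f} ms ({r['verdict']})")
```

Feed it the output of `tcpdump -v -n -i br-lan 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` on the router; a REJECT rule shows up as local-reject pairs, while a DROP rule shows SYNs with no reset at all.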

Ah... lol, indeed.

See. Now the entire OpenWrt world is laughing at me. Oh well, with 70 trips around the sun and 51 years of dealing with computers in one way or another I think I'm entitled to a massive brain fart now and then :}

Ok....you're allowed one for now.... but no more this year :rofl:

In all seriousness, though, this is one of many types of traps that do have the potential to trip us up (I say us because it happens to everyone!).

Glad you found it, though!