Config for OpenWrt Firewall on a Raspberry Pi 3

Hello,

I want to use OpenWrt on a Raspberry Pi 3 as a firewall between two routers. I have problems with the configuration, since my configuration does not work: no traffic is passing through the firewall.


My /etc/config/firewall looks like this:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'LWAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'


and my /etc/config/network looks like this:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:f494:8b3c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.5.5'
	option gateway '192.168.5.1'

config interface 'LWAN'
	option device 'eth1'
	option proto 'static'
	option ipaddr '10.0.0.23'
	option netmask '255.255.255.0'
	option gateway '10.0.0.1'
	option broadcast '10.0.0.255'
	option ip6assign '60'


Could somebody give me a hint as to what is wrong in my configuration?

These no longer exist, remove them.

This is definitely wrong if you want Internet.

1 Like

This seems like an unnecessary addition to your network -- you already have a router on the internet connection and another router in the system as well -- that's a double-NAT situation.

Why not replace the router connected to the internet with the Pi (running OpenWrt) and then configure the WLAN router as a simple dumb AP?

1 Like

Furthermore, it is wrong to have two gateways. Only the interface to the ISP router must use the gateway. The link to the WLAN router doesn't connect to the internet.

1 Like
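The two points raised in the replies (firewall zones referencing network interfaces that no longer exist, and more than one interface carrying a default gateway) can be checked mechanically against the posted files. The script below is an added example, not part of the thread and not OpenWrt code: it contains a minimal UCI parser and two checks, and the embedded configs are a constructed copy of the ones posted above, trimmed to the sections that matter.

```python
"""Sanity-check an OpenWrt UCI network/firewall pair for two common mistakes:
zones that list interfaces the network config does not define, and more than
one interface with a default gateway. Added example; the embedded configs are
a constructed, trimmed copy of the files posted in the thread."""
import re

# Constructed copy of /etc/config/network from the post (trimmed).
NETWORK_CFG = """
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.5.5'
    option netmask '255.255.255.0'
    option gateway '192.168.5.1'

config interface 'LWAN'
    option device 'eth1'
    option proto 'static'
    option ipaddr '10.0.0.23'
    option netmask '255.255.255.0'
    option gateway '10.0.0.1'
"""

# Constructed copy of the zone/forwarding part of /etc/config/firewall.
FIREWALL_CFG = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'
    list network 'wan6'
    list network 'LWAN'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

# One UCI line: keyword, type-or-key, optional single-/double-quoted or bare value.
_LINE = re.compile(
    r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+)))?\s*$")


def parse_uci(text):
    """Return sections as dicts: {'type', 'name', 'options': {k: v}, 'lists': {k: [v]}}."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue  # blank line or comment
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kw, key, *vals = m.groups()
        value = next((v for v in vals if v is not None), None)
        if kw == 'config':
            sections.append({'type': key, 'name': value, 'options': {}, 'lists': {}})
        elif not sections:
            raise ValueError("option/list before any config section")
        elif kw == 'option':
            sections[-1]['options'][key] = value
        else:  # list entries accumulate in order
            sections[-1]['lists'].setdefault(key, []).append(value)
    return sections


def interfaces_with_gateway(network):
    """Names of 'interface' sections that set a default gateway (more than one is the mistake)."""
    return [s['name'] for s in network
            if s['type'] == 'interface' and 'gateway' in s['options']]


def unknown_zone_networks(firewall, network):
    """(zone name, network name) pairs where a zone lists an interface the network config lacks."""
    known = {s['name'] for s in network if s['type'] == 'interface'}
    return [(z['options'].get('name'), net)
            for z in firewall if z['type'] == 'zone'
            for net in z['lists'].get('network', []) if net not in known]


def report(network_text=NETWORK_CFG, firewall_text=FIREWALL_CFG):
    """Human-readable findings for the given config texts."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    findings = []
    gws = interfaces_with_gateway(net)
    if len(gws) > 1:
        findings.append(f"multiple default gateways: {', '.join(gws)}")
    for zone, name in unknown_zone_networks(fw, net):
        findings.append(f"zone '{zone}' references undefined network '{name}'")
    return findings


if __name__ == '__main__':
    for finding in report():
        print('WARN', finding)
```

Run against the posted files it reports the `lan`/`LWAN` double gateway and the stale `wan` and `wan6` entries in the wan zone; on a live device the same checks can be fed the real files with `report(open('/etc/config/network').read(), open('/etc/config/firewall').read())`.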

Hello

thank you for your answer. I have removed the lines, but the problems remain.
By the way, somehow I can only log on to the Pi (e.g. LuCI) if I connect the cable to a LAN port of the WLAN router. If I connect the Pi's cable to the WAN port of the WLAN router, I cannot log on to the Pi via 192.168.5.5.
But either way, connecting the Pi to the WAN port or the LAN port of the WLAN router (192.168.5.1), I have no internet.
Where do I go wrong?

I guess it would be correct to have the USB Ethernet adapter (10.0.0.23) connected to a LAN port of the ISP router (10.0.0.1) and the internal NIC/br-lan (192.168.5.5) connected to the WAN port of my WLAN router (192.168.5.5)? Is this correct?

@psherman
Maybe you are right.
But I do not really trust my ISP's router. Some ISPs are quite interested in their customers' LANs.
I want to have a chain of two firewalls that I trust between my LAN and the internet.

You don't need a "chain" of firewalls -- you just need one that you trust.

If you don't trust it, can you entirely remove your ISP provided router? If so, get rid of it. Plug your incoming internet connection directly into the Pi (running OpenWrt which has a firewall you can trust). Then, reconfigure the WLAN router to operate purely as a dumb AP -- it simply becomes a bridge device to handle wired <-> wifi connectivity. This makes your network easier to manage and more efficient.

1 Like