Default masquerade policies

I see that, by default, only the firewall rule

wan => Reject

has the 'masquerade' tick set. However, I don't understand how

lan => wan

would not be masquerade. I'm sure that my lan traffic must be masqueraded to get out to wan (otherwise local ips would be leaving to the internet, which makes no sense).

However, everything works fine without masquerading this 'lan=>wan', can someone explain this to me?

Interesting, I have masquerading checked on lan=>wan but I configured it myself on a Raspberry Pi4.
I'm also interested in the answer.

OP: can you check the other one and verify it doesn't work?

1 Like

sorry, what do you want me to check? if ticking masquerade in

lan => wan

would not work?
It does work! I wanted to understand,
1st - what is the difference?
2nd - how can it work without being masqueraded?

I saw in tcpdump that the traffic is indeed leaveing masquerading (of course, it would leave as a local address for sure...). So the question is only, what does the tick does and should I tick it? or it does nothing?

You don't need to masquerade traffic to pass it between the LAN and WAN interfaces. It's all still in the router and can use private IP address. It only needs to masquerade when it leaves the WAN interface to the public internet, which is why that's the only one ticked by default.


so what does the syntax

X => Y


This is, what does "Input", "Output", "Forward" (for accept/reject/drop) mean in this syntax?

The OpenWRT firewall works on the basis of zones, in which you put the various interfaces you might need.

When it says X => Y it means traffic can forward from zone X to zone Y. So in the default OpenWRT setup all traffic can flow from the LAN zone to the WAN zone, but not the other way round.

The 'input', 'output', and 'forward' options are the default rules for traffic entering and exiting a zone or passing between interfaces in a zone.


And the zone is X ? is this right ? (ANY matches all zones)
"ACCEPT" "INPUT" means accept traffic going from ANY to X,
"ACCEPT" "Output" means accept traffic going from X to ANY
"ACCEPT" "FORWARD" means accept traffic going from X to Y

with the DROP and REJECT being the same

am I understading this right?

With the REJECT rule, the machine that tried to initiate the connection receives a rejection, and it knows immediately that the port is closed.

With the DROP rule, all traffic is silently ignored.


I understand this, I want to understand the 'X => Y' syntax. I guess my choice of words was bad, I meant they were the same (analogous) to ACCEPT, not REJECT=DROP. I interpret it as I said above

is the right interpretation?

INPUT refers to any traffic entering the router on an interface in the zone. OUTPUT refers to any traffic leaving the router on an interface in the zone. FORWARD refers to any traffic passing between interfaces within the zone.

So, in the default OpenWRT setup:

  • LAN - traffic can enter or leave the router on any interfaces within the LAN zone. It can also be forwarded between interfaces in the zone.

  • WAN - traffic can leave the router from interfaces within the WAN zone. Any traffic entering the router on an interface within the WAN zone will be rejected (unless there's a firewall rule allowing entry). The same is the case for any traffic forwarded between interfaces in the WAN zone.

This is all separate to the Zone ⇒ Forwardings which you see in Luci. That column relates to what traffic can be internally (i.e. within the router) forwarded between zones. So again, in a default setup, traffic can freely be forwarded from the LAN zone to the WAN zone, but no traffic can be forwarded out of the WAN zone (unless there are firewall rules allowing entry).

1 Like

Thanks, I didn't understand the X=>Y was separate from INPUT/OUTPUT/FORWARD. So indeed this relate to zone X only, correct?

However, I still don't understand what does it mean forwarding traffic within the router, is there other way to forward it? The router is the one which forwards/routes stuff.

I guess the final think I don't understand is the differnece between FORWARD REJECT and X=>Y. If I reject FORWARD, how can there be "internal forward between the zones"?

I think you're getting stuck in the idea that LAN and WAN (as defined by the OpenWRT firewall) are single interfaces. They're not, they're a construct designed to logically set out various 'zones' and can contain multiple interfaces. A common example for this is the LAN zone containing LAN and VPN interfaces.

FORWARD is for traffic in the zone, so is only applicable if you have multiple interfaces in that zone. Traffic passing between zones is controlled by the zone forwarding rules, i.e. X=>Y.

1 Like

This quote was very helpful, thanks!

However I still want to know if the INPUT/OUTPUT/FORWARD apply to the interfaces in zone X ? I think this is the last of my questions.

As I've already said, the rules for INPUT/OUTPUT/FORWARD apply to the zone. So INPUT into the zone, OUTPUT from the zone, and FORWARD inside the zone.

Right, but in the end the zone is the interfaces that are inside it, or not? And, the zone is X, if the syntax is Zone => Forwardings (while the Forwardings are Y - in my example)?

I have no idea what you're asking

Yes, the zone represents a set of interfaces, for which the firewall will generate a set of rules.
See for yourself:

iptables -S INPUT
iptables -S FORWARD
iptables -S OUTPUT

Pick a zone with multiple interfaces and follow the target chains. For example:

iptables -S zone_wan_input
iptables -S zone_wan_src_REJECT
1 Like

iptables-save -c -t filter | grep FORWARD
Input interfaces are assigned to the zone forward chain.

[27011684:26629729240] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[27000094:26628810901] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_lan_forward
[10312:814520] -A FORWARD -i eth0.4 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i elvetias -m comment --comment "!fw3" -j zone_lan_forward
[378:48972] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
[10:584] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wwan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_guest_forward
[890:54263] -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_iot_forward
[0:0] -A FORWARD -i roadwarrior -m comment --comment "!fw3" -j zone_roadwarrior_forward
[10:760] -A FORWARD -m comment --comment "!fw3" -j reject

Last reject rule is based on the General Settings, which apply when an interface does not belong to a zone.
From there actions depend according to what you have configured.

[10935:891784] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to iot forwarding policy" -j zone_iot_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to roadwarrior forwarding policy" -j zone_roadwarrior_dest_ACCEPT
[26:1759] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[714:70384] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
1 Like

If you look at a zone itself then it is like you said and others confirmed already. All devices within a zone are subject of zone rules. Look at those zones like on a black box:

      ---------                 ---------
---->|    LAN   |---->   ---->|    WAN   |---->
  IN   --------   OUT     IN    ---------  OUT

Masquerading is just a technique to bridge/(route between) different subnets. So if your traffic is passed from lan => (to) wan then it is still transparent (not masqued) until the traffic is passed from wan => (to) ISP-LAN. If the package is leaving wan zone then it is getting masqued/tagged. So wan has the same possible chains as LAN or any other zone.

1 Like

And by default the zones don't talk to one another unless you set them as Forwardings?

Because I have lan INPUT=ACCEPT, and guest OUTPUT=ACCEPT. but guest cannot talk to lan