has the 'masquerade' tick set. However, I don't understand how
lan => wan
would not be masquerade. I'm sure that my lan traffic must be masqueraded to get out to wan (otherwise local ips would be leaving to the internet, which makes no sense).
However, everything works fine without masquerading this 'lan=>wan'; can someone explain this to me?
sorry, what do you want me to check? if ticking masquerade in
lan => wan
would not work?
It does work! I wanted to understand,
1st - what is the difference?
2nd - how can it work without being masqueraded?
I saw in tcpdump that the traffic is indeed leaving masqueraded (of course, it would leave as a local address for sure...). So the question is only: what does the tick do and should I tick it? Or does it do nothing?
You don't need to masquerade traffic to pass it between the LAN and WAN interfaces. It's all still in the router and can use private IP addresses. It only needs to be masqueraded when it leaves the WAN interface to the public internet, which is why that's the only one ticked by default.
The OpenWRT firewall works on the basis of zones, in which you put the various interfaces you might need.
When it says X => Y it means traffic can forward from zone X to zone Y. So in the default OpenWRT setup all traffic can flow from the LAN zone to the WAN zone, but not the other way round.
The 'input', 'output', and 'forward' options are the default rules for traffic entering and exiting a zone or passing between interfaces in a zone.
And the zone is X? Is this right? (ANY matches all zones)
"ACCEPT" "INPUT" means accept traffic going from ANY to X,
"ACCEPT" "Output" means accept traffic going from X to ANY
"ACCEPT" "FORWARD" means accept traffic going from X to Y
I understand this, I want to understand the 'X => Y' syntax. I guess my choice of words was bad, I meant they were the same (analogous) to ACCEPT, not REJECT=DROP. I interpret it as I said above
INPUT refers to any traffic entering the router on an interface in the zone. OUTPUT refers to any traffic leaving the router on an interface in the zone. FORWARD refers to any traffic passing between interfaces within the zone.
So, in the default OpenWRT setup:
LAN - traffic can enter or leave the router on any interfaces within the LAN zone. It can also be forwarded between interfaces in the zone.
WAN - traffic can leave the router from interfaces within the WAN zone. Any traffic entering the router on an interface within the WAN zone will be rejected (unless there's a firewall rule allowing entry). The same is the case for any traffic forwarded between interfaces in the WAN zone.
This is all separate to the Zone ⇒ Forwardings which you see in Luci. That column relates to what traffic can be internally (i.e. within the router) forwarded between zones. So again, in a default setup, traffic can freely be forwarded from the LAN zone to the WAN zone, but no traffic can be forwarded out of the WAN zone (unless there are firewall rules allowing entry).
Thanks, I didn't understand that the X=>Y was separate from INPUT/OUTPUT/FORWARD. So indeed this relates to zone X only, correct?
However, I still don't understand what it means to forward traffic within the router; is there another way to forward it? The router is the one which forwards/routes stuff.
I guess the final thing I don't understand is the difference between FORWARD REJECT and X=>Y. If I reject FORWARD, how can there be "internal forward between the zones"?
I think you're getting stuck in the idea that LAN and WAN (as defined by the OpenWRT firewall) are single interfaces. They're not, they're a construct designed to logically set out various 'zones' and can contain multiple interfaces. A common example for this is the LAN zone containing LAN and VPN interfaces.
FORWARD is for traffic in the zone, so is only applicable if you have multiple interfaces in that zone. Traffic passing between zones is controlled by the zone forwarding rules, i.e. X=>Y.
Right, but in the end the zone is the interfaces that are inside it, or not? And, the zone is X, if the syntax is Zone => Forwardings (while the Forwardings are Y - in my example)?
Last reject rule is based on the General Settings, which apply when an interface does not belong to a zone.
From there, actions depend on what you have configured.
[10935:891784] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to iot forwarding policy" -j zone_iot_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to roadwarrior forwarding policy" -j zone_roadwarrior_dest_ACCEPT
[26:1759] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[714:70384] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
If you look at a zone itself then it is like you said and others confirmed already. All devices within a zone are subject to zone rules. Look at those zones like a black box:

      ---------                  ---------
 ---->|  LAN  |---->        ---->|  WAN  |---->
 IN   ---------  OUT        IN   ---------  OUT
Masquerading is just a technique to bridge/(route between) different subnets. So if your traffic is passed from lan => (to) wan then it is still transparent (not masqueraded) until the traffic is passed from wan => (to) ISP-LAN. If the packet is leaving the wan zone then it is getting masqueraded/tagged. So wan has the same possible chains as LAN or any other zone.
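To make the separation the thread keeps circling back to concrete, here is an added Python model (not code from this thread, from OpenWrt or from fw3) of the three decisions described above: a zone's own FORWARD policy for traffic between interfaces of the same zone, the X => Y zone forwardings for traffic between zones, and masquerading keyed on the zone a packet leaves through. Zone names, policies and interfaces are constructed to mirror the default lan/wan setup; tun0 is a made-up VPN interface placed in lan to illustrate the "LAN zone containing LAN and VPN interfaces" case.

```python
# Added example: a minimal model of how OpenWrt zone policies apply to a
# forwarded packet. Everything below is constructed for illustration and is
# not the fw3 implementation.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: set
    input: str = "REJECT"    # traffic entering the router on a zone interface
    output: str = "ACCEPT"   # traffic leaving the router on a zone interface
    forward: str = "REJECT"  # traffic between interfaces of the SAME zone
    masq: bool = False       # source NAT applied when traffic leaves this zone


@dataclass
class Firewall:
    zones: dict
    forwardings: set = field(default_factory=set)  # (src_zone, dest_zone)

    def zone_of(self, iface):
        for zone in self.zones.values():
            if iface in zone.interfaces:
                return zone
        return None

    def route(self, in_iface, out_iface):
        """Return (verdict, masqueraded) for a packet forwarded in -> out."""
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if src is None or dst is None:
            return "REJECT", False     # unzoned interface: general-settings default
        if src is dst:
            verdict = src.forward      # intra-zone: the zone's FORWARD policy
        elif (src.name, dst.name) in self.forwardings:
            verdict = "ACCEPT"         # inter-zone: an explicit X => Y forwarding
        else:
            verdict = "REJECT"         # no forwarding configured in that direction
        # masquerading belongs to the zone the packet LEAVES through, never to X => Y
        return verdict, verdict == "ACCEPT" and dst.masq


def default_firewall():
    # Constructed to match the default OpenWrt zones described in the thread.
    lan = Zone("lan", {"br-lan", "tun0"}, input="ACCEPT", forward="ACCEPT")
    wan = Zone("wan", {"eth0"}, masq=True)
    return Firewall({"lan": lan, "wan": wan}, {("lan", "wan")})
```

Calling `default_firewall().route("br-lan", "eth0")` shows the lan => wan forwarding accepted and masqueraded only because wan has masq set, while `route("br-lan", "tun0")` stays inside lan, is decided by lan's FORWARD policy, and is not masqueraded.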