Dhcp problems (external dhcp) [SOLVED]

Before asking, this is the configuration.

Ubus said

ubus call system board
{
"kernel": "6.6.119",
"hostname": "router",
"system": "xRX200 rev 1.2",
"model": "AVM FRITZ!Box 7490 (Micron NAND)",
"board_name": "avm,fritz7490-micron",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "lantiq/xrx200",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}

Complete network config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '************'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '****'

config device
	option name 'lan2'
	option macaddr '****'

config device
	option name 'lan3'
	option macaddr '****'

config device
	option name 'lan4'
	option macaddr '****'

config interface 'lan1'
	option device 'lan1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan2'
	option device 'lan2'
	option proto 'static'
	option ipaddr '192.168.178.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'dsl0'
	option macaddr '****'

config interface 'wan'
	option device 'dsl0.835'
	option proto 'pppoe'
	option peerdns '0'
	option ipv6 '1'
	option username 'proot'
	option password 'proot'

#config interface 'wan6'
#	option device '@wan'
#	option proto 'dhcpv6'

config device
	option type '8021q'
	option ifname 'lan1'
	option vid '1'
	option name 'lan1.1'

config interface 'dmz'
	option proto 'static'
	option device 'lan1.1'
	option ipaddr '192.168.179.1'
	option netmask '255.255.255.0'
firewall config

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
	list network 'br-lan'
	list network 'lan1'
	list network 'lan2'

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

config zone
	option name 'dmz'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list device 'lan1.1'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config redirect
	option name            'Https1'
	option target          DNAT
	option src             wan
	option dest            lan
	option proto           tcp
	option src_dport       443
	option dest_ip         192.168.179.3
	option dest_port       443
	option enabled         1

Now: what is the problem? I have an external DHCP server (in the same LAN as the router, of course) and it works fine, but when I connect my PC to a port (lan3 or lan4) of the router, no DHCP works. Do I have to “open” or “forward” port 67 with an appropriate rule?

You have to use DSA semantics, i.e. br-lan has lan1-100 as members, then you add VLANs to br-lan and tag/untag them on ports as you want.


As an alternative, can I use a bridge and assign it IP 192.168.0.1 (the router's main IP)?

I am thinking about something like this:

config interface 'lan1'
        option device 'br-lan1'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config device
        option name 'br-lan1'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

Tomorrow I will try with another router to see if it works.

DSA syntax uses bridge-VLANs.

What is the desired port-vlan membership? Or in other words, to which port(s) should each network be assigned. If two VLANs are going to be assigned to the same physical port (creating a trunk port), at least one of them must be tagged (or both, which is often recommended). So please indicate the tagging status for any ports that will be used as a trunk.

Solution found.

I have two ports available (lan3 and lan4 don’t work on my 7490). Before, I thought that to obtain a DMZ configuration lan1 had to be “separate” from the bridge; that is not true, it is also possible to have a DMZ network using the standard br-lan.

This is my network config now

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr '***'

config device
	option name 'lan3'
	option macaddr '***'

config device
	option name 'lan4'
	option macaddr '***'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.0.4'
        list dns_search 'my.priv'

config device
	option name 'dsl0'
	option macaddr '****'

config interface 'wan'
        option device 'dsl0.835'
        option proto 'pppoe'
        option peerdns '0'
        option ipv6 '1'
        option username 'username'
        option password 'password'

#config interface 'wan6'
#	option device '@wan'
#	option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan1.1'

config interface 'dmz'
        option proto 'static'
        option device 'br-lan1.1'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'

This is the firewall config

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
        list network 'br-lan'
        list network 'br-lan1.1'

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		******
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

config zone
        option name 'dmz'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list device 'br-lan1.1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

config redirect
       option name            'Https1'
       option target          DNAT
       option src             wan
       option dest            lan
       option proto           tcp
       option src_dport       443
       option dest_ip         192.168.179.3
       option dest_port       443
       option enabled         1

config redirect
       option name            'Https2'
       option target          DNAT
       option src             wan
       option dest            lan
       option proto           tcp
       option src_dport       80
       option dest_ip         192.168.179.3
       option dest_port       80
       option enabled         1

P.S. Of course DHCP on port 2 (lan2) works fine now, without needing to use VLAN tagging.

This config looks wrong...

This is not a proper implementation of VLANs. With a DSA device, you need to use bridge-vlans.

The last two lines below are also wrong...

those are devices, not networks. The only time that devices should be listed in the firewall is when you're working with VPN tunnels.

Likewise here... this isn't correct, and also puts the same device (which shouldn't be defined as device here anyway) in 2 firewall zones. You cannot put a network/device into more than one zone without causing problems:

The following lines are standard redirects... but with issues:

Notice that you are using the lan zone as the destination zone, but your redirect IP address is in the dmz network. Again, this is incorrectly architected.

But the overarching point is that a standard redirect firewall rule is all you needed, so you can remove the DMZ network, zone, and devices, and just redirect to the correct host in the lan.


Thanks for the clarifications. But as I see it, the config is working fine. For example:

From lan I try to ping dmz

ping http
PING http.my.priv (192.168.179.3) 56(84) bytes of data.
64 bytes from http.my.priv (192.168.179.3): icmp_seq=1 ttl=63 time=10.6 ms
64 bytes from http.my.priv (192.168.179.3): icmp_seq=2 ttl=63 time=11.3 ms

from dmz I cannot reach lan

ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
From 192.168.179.1 icmp_seq=1 Destination Port Unreachable
From 192.168.179.1 icmp_seq=2 Destination Port Unreachable

but I can reach internet

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=38.2 ms

I always follow this “rule”: “If it works, use it and don’t change it.” Maybe in the future, if it stops working, I will try other solutions.

You may well run into odd issues at some point in the future. Please trust me when I tell you that this is not the correct way to configure things. You've stumbled upon something that appears to work, but it's likely to be quite fragile and could fail at any time.


Can you tell me a good how-to, guide, PDF, site... with some examples of DMZ? So I can study a good configuration. What if I use LuCI and copy the modified files? Tonight I will test the OpenWrt snapshot and see if LuCI produces different configurations.

Specifically addressing the word "DMZ", please read this thread for a bit of a discussion about trying to disambiguate the term. It is often used in marketing material or in ISP/consumer grade routers, but is typically not the best approach for exposing a host to the internet.

It would be best if you described your actual goal in plain language (rather than code) as to how those hosts should be exposed to the internet and what access they have to the other devices on your network and vice versa.

That said:

  • if your goal is to expose ports 80 and 443 from a given host to the internet, you only need port forwarding.
  • If you want to also isolate those hosts from your main network, you'll set up a separate subnet for those devices (using DSA syntax). You can actually start with the guest network tutorial (which creates an isolated guest wifi network; a few minor tweaks gets it to work on ethernet). The port forwarding would still apply here, except forwarded to a different destination zone.

Maybe... there are tons of examples on this forum -- search should surface many of those quickly. However, they may or may not be exactly set up to reach your own goals... so it might be easier for us to help you arrive there within this thread rather than pointing you to what might end up being partial or patchwork solutions.

I'm not sure what you're asking here, but no, don't try to directly apply settings from another device/situation to yours unless you can verify that it's the correct solution for you and that you can properly adapt for potential differences.

Why? I wouldn't recommend using snapshot in your situation... for this case, there's no benefit and there are plenty of downsides.

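As an added example (not posted in this thread and not OpenWrt's own default files), this is how the isolated subnet described in the last two replies looks with DSA bridge-VLANs instead of an 8021q device on top of br-lan: the dmz zone lists a network rather than a device, the redirect's dest is the zone that actually contains 192.168.179.3, and dmz input is REJECT with an explicit DHCP/DNS exception, as in the guest network tutorial. It assumes lan1 carries the lan network untagged and lan2 the dmz network untagged; the VLAN id 179 is an arbitrary choice.

```uci
# /etc/config/network
# The 'config device' section for br-lan with 'list ports' lan1 and lan2
# stays as in the post above; the bridge-vlan sections below add VLAN filtering.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'       # assumed: lan1 untagged, PVID 1 (lan)

config bridge-vlan
	option device 'br-lan'
	option vlan '179'          # arbitrary id for the isolated subnet
	list ports 'lan2:u*'       # assumed: lan2 untagged, PVID 179 (dmz)

config interface 'lan'
	option device 'br-lan.1'   # the VLAN, not the raw bridge
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option device 'br-lan.179'
	option proto 'static'
	option ipaddr '192.168.179.1'
	option netmask '255.255.255.0'

# /etc/config/firewall
config zone
	option name 'dmz'
	list network 'dmz'         # a network, never 'list device'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'dmz'
	option dest 'wan'

# input is REJECT, so dmz hosts need an explicit rule to reach the
# router's own DHCP (udp/67) and DNS (tcp+udp/53); nothing else is opened
config rule
	option name 'Allow-DMZ-DHCP-DNS'
	option src 'dmz'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config redirect
	option name 'Https1'
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'          # the zone holding 192.168.179.3, not lan
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.179.3'
	option dest_port '443'
```

The lan zone then keeps only `list network 'lan'`, with no br-lan or VLAN devices listed. A `config forwarding` from lan to dmz can be added if LAN hosts should reach the exposed host directly; without it the dmz host is reachable from the LAN only through the same published ports as from the internet.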
