DMZ without VLAN not working

I have recently purchased a router with OpenWrt and I've upgraded its firmware to a standard version (the one included by the manufacturer had too much unnecessary stuff and was using around 95% of the flash).

Overall everything seems to be working fine, but I can't forward all the incoming traffic from the wan side (in my case wwan, since it's a wifi interface configured in Client mode, doing NAT) to a well-known IP address on the lan interface. That's a traditional DMZ configuration and I thought it would be enough to forward all the incoming traffic in the firewall section, as explained in some topic, but for some reason it doesn't work.

In the Firewall / General Settings section, I've opened everything, just to try:

The forwarding rule I've created looks like this:

On the other hand, I've added both lan and wan ports to the br-lan device (both lans). I don't think that's a problem though.

My /etc/config/firewall file looks like this (pretty much the standard config + the redirect entry at the end):

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'DMZ'
        option family 'ipv4'
        option src 'wan'
        option src_dport '1-65535'
        option dest_ip '192.168.1.209'
        list proto 'tcp'
        list proto 'udp'
        option dest 'lan'

If I try to enter (telnet, for example) through the external interface to the internal machine (192.168.1.209), I don't get any response. I've also tried adding icmp to the redirection and still get no response. How can I check what is happening?

Regards

Set input and forward to reject. This should solve the issue, but will also fix a security issue that you’ve caused by accepting input - this means that all of the upstream network can reach your router itself (admin control, etc).

And remove the wan network from the lan firewall zone.

Finally, make sure you specify the dest port (1-65535) in the redirect stanza.
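The three points in the reply above can be checked mechanically against the posted file. What follows is an added example, not code from the thread or from OpenWrt: a small UCI parser reads the poster's firewall config (embedded here as constructed input, trimmed to the relevant stanzas), reports each of the three problems, applies the fixes and renders the hardened stanzas back out. Treating a masquerading zone as the upstream side, and flagging a network that carries another zone's name, are heuristics of this script rather than UCI rules; `dest_port` is filled from `src_dport`, which is the reply's suggestion.

```python
"""Lint and harden an OpenWrt /etc/config/firewall for the three DMZ problems the reply names."""
import re

# Constructed input: the poster's config trimmed to the stanzas that matter.
SAMPLE_CONFIG = """\
config defaults
        option input 'ACCEPT'
        option forward 'ACCEPT'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wan'
config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wan6'
        list network 'wwan'
config redirect
        option target 'DNAT'
        option name 'DMZ'
        option src 'wan'
        option src_dport '1-65535'
        option dest_ip '192.168.1.209'
        list proto 'tcp'
        list proto 'udp'
        option dest 'lan'
"""

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into [(section_type, fields)]; repeated 'list' keys become Python lists."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def dump_uci(sections):
    """Render sections back into UCI syntax (tab-indented, single-quoted values)."""
    out = []
    for stype, fields in sections:
        out.append(f"config {stype}")
        for key, value in fields.items():
            if isinstance(value, list):
                out.extend(f"\tlist {key} '{v}'" for v in value)
            else:
                out.append(f"\toption {key} '{value}'")
        out.append("")
    return "\n".join(out)

def lint(sections):
    """Return (section, message) pairs for the problems the reply points out."""
    findings = []
    zones = {f["name"]: f for t, f in sections if t == "zone"}
    # 1. ACCEPT as input/forward policy on the catch-all defaults, or on a masquerading
    #    (upstream) zone, lets the upstream network reach the router and everything behind it.
    upstream = [("defaults", f) for t, f in sections if t == "defaults"]
    upstream += [(n, f) for n, f in zones.items() if f.get("masq") == "1"]
    for name, f in upstream:
        for chain in ("input", "forward"):
            if f.get(chain) == "ACCEPT":
                findings.append((name, f"{chain} policy is ACCEPT; use REJECT"))
    # 2. A network named like another zone (here 'wan' inside zone 'lan'): heuristic, not a UCI rule.
    for name, f in zones.items():
        for net in f.get("network", []):
            if net in zones and net != name:
                findings.append((name, f"network '{net}' is named like zone '{net}'; remove it"))
    # 3. A DNAT redirect without an explicit dest_port.
    for t, f in sections:
        if t == "redirect" and f.get("target") == "DNAT" and "dest_port" not in f:
            findings.append((f.get("name", "redirect"), "DNAT redirect has no dest_port"))
    return findings

def harden(sections):
    """Apply the three fixes in place and return the sections."""
    zones = {f["name"]: f for t, f in sections if t == "zone"}
    for t, f in sections:
        if t == "defaults" or (t == "zone" and f.get("masq") == "1"):
            f["input"] = f["forward"] = "REJECT"
        if t == "zone" and "network" in f:
            f["network"] = [n for n in f["network"] if n == f["name"] or n not in zones]
        if t == "redirect" and f.get("target") == "DNAT" and "dest_port" not in f:
            f["dest_port"] = f.get("src_dport", "1-65535")  # keep the original port range
    return sections

if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_CONFIG)
    for section, msg in lint(cfg):
        print(f"[{section}] {msg}")
    print(dump_uci(harden(cfg)))
```

Run as a script it prints six findings (ACCEPT on input and forward in defaults and in the wan zone, the misplaced wan network, the missing dest_port) followed by the corrected stanzas; the lan zone keeps its ACCEPT policies because it does not masquerade.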

Ok, now it's working. I restricted the forwarding to a single port to make sure the DNAT was done correctly (similar to -j DNAT --to IP:PORT in iptables), switched the default policies for INPUT and FORWARD to REJECT and activated the log on this interface.

As a result, I couldn't see any rejected packet in the log, which meant the packets were actually entering the nat table as expected (travelling through the PREROUTING chain and so on). Digging a bit more on the client side (209), it turned out its firewall was blocking incoming TCP connections; that's why I couldn't get an answer (I could see the SYN requests on this machine with Wireshark but no response).

Once this was fixed and confirmed working by opening the firewall on the client, I switched the log off and changed the policies for INPUT and FORWARD on the wan interface to DROP. However, I haven't configured the dest_port option in the redirection as you mentioned, since with this parameter left empty the forwarding keeps the original destination port (that's what I read somewhere, and it looks like it's working as expected).

Now I'm curious about the actual purpose of the default policies for INPUT, OUTPUT and FORWARD in the config defaults section, since you can configure them separately for each zone. I mean, I don't see the point in the routing decision path at which these defaults are really going to be used.

Regards

Reject is the preferred rule type. Drop can result in resent traffic which is not good.

Input = access to the router itself.
Output = traffic allowed out of the firewall destined for other networks.
Forward = intra-zone forwarding. Applies if you have 2 or more networks associated with the same firewall zone.


So going back to the General Settings screenshot, this is what we have:

  • lan => wan includes packets that in my case are going outside, since NAT is active (and the firewall as usual will keep track of the connections so that their responses enter as well).

  • wan is only for incoming connections to the wan interface.

  • defaults will handle incoming/outgoing packets to/from the router from the lan (since the previous lan => wan entry is only related to forwarding). And well, the FORWARD in defaults looks a bit trickier for most cases, since the common scenario is to create a separate firewall zone per network, and this forwarding would be configured in a specific entry in the section below (like lan => wan, for example).

Ok, thanks for the info.

Regards

Defaults covers the networks that are not associated with a firewall zone (and I believe it is the default config for any new firewall zones that are created via luci/uci).

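To make the zone/defaults semantics from the last few replies concrete, here is an added example (not OpenWrt's code, and not from anyone in the thread) that models which policy decides each traffic path: the zone's input policy for traffic to the router, the zone's forward policy for two networks in one zone, an explicit forwarding section between zones, and the defaults section for a network attached to no zone. The `ZONES`, `FORWARDINGS` and `REDIRECTS` tables are constructed from the poster's final layout, `guest` is a made-up unzoned network, and treating a DNAT redirect as also accepting the flow it rewrites is this model's own assumption; explicit `config rule` entries and connection tracking are left out.

```python
"""Which OpenWrt firewall policy governs a traffic path, following the thread's explanation.
Added example, not OpenWrt code: a simplified model that ignores 'config rule' entries and
connection tracking. One extra assumption: a DNAT redirect also accepts the flow it rewrites."""

# Constructed policy set: the poster's final layout, with the wan network removed from the
# lan zone and both the upstream (wan) zone and the defaults set to REJECT.
DEFAULTS = {"input": "REJECT", "output": "ACCEPT", "forward": "REJECT"}
ZONES = {
    "lan": {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "networks": {"lan"}},
    "wan": {"input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "networks": {"wwan", "wan6"}},
}
FORWARDINGS = {("lan", "wan")}  # 'config forwarding' src -> dest pairs
REDIRECTS = [  # 'config redirect' DNAT entries; ports as an inclusive range
    {"name": "DMZ", "src": "wan", "dest_ip": "192.168.1.209", "ports": (1, 65535)},
]


def zone_of(network):
    """Zone a network belongs to, or None when it is attached to no zone."""
    for name, zone in ZONES.items():
        if network in zone["networks"]:
            return name
    return None


def decide(chain, src_network=None, dst_network=None, dst_ip=None, dport=None):
    """Return (policy, reason) for one packet, without evaluating explicit rules."""
    if chain == "input":  # packet addressed to the router itself
        z = zone_of(src_network)
        return (ZONES[z]["input"], f"zone {z} input") if z else (DEFAULTS["input"], "defaults input")
    if chain == "output":  # packet generated by the router
        z = zone_of(dst_network)
        return (ZONES[z]["output"], f"zone {z} output") if z else (DEFAULTS["output"], "defaults output")
    if chain != "forward":
        raise ValueError(chain)
    src, dst = zone_of(src_network), zone_of(dst_network)
    if src is None:  # ingress network attached to no zone: the defaults section decides
        return DEFAULTS["forward"], "defaults forward"
    for r in REDIRECTS:  # assumption: a DNAT redirect also accepts the forwarded flow
        if (r["src"] == src and dst_ip == r["dest_ip"] and dport is not None
                and r["ports"][0] <= dport <= r["ports"][1]):
            return "ACCEPT", f"redirect {r['name']}"
    if src == dst:  # two networks in the same zone: that zone's own forward policy
        return ZONES[src]["forward"], f"zone {src} forward (intra-zone)"
    if (src, dst) in FORWARDINGS:  # explicit inter-zone forwarding section
        return "ACCEPT", f"forwarding {src} => {dst}"
    return ZONES[src]["forward"], f"zone {src} forward (no forwarding to {dst})"


if __name__ == "__main__":
    for case in [
        ("input", "wwan"), ("input", "lan"), ("input", "guest"),
        ("forward", "lan", "wwan"), ("forward", "wwan", "lan"),
        ("forward", "wwan", "lan", "192.168.1.209", 22),
    ]:
        print(case, "->", decide(*case))
```

The interesting cases are the last two: an unsolicited connection from wwan to a lan host is rejected by the wan zone's forward policy, while the same connection to 192.168.1.209 is accepted because the DMZ redirect matches it, which is why the poster's DMZ kept working after the wan forward policy was tightened.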
