drop_invalid prevents connections to a statically routed network

I set up a static route to allow connections to a VM network on a server.

The setup is like this:

server0: eth IP 192.168.1.111/24, IPv4 forwarding enabled.
vm0: virtual network gateway IP 192.168.200.1/24, inside server0.

Static route on the router (192.168.1.1/24):

target 192.168.200.0/24 gateway 192.168.1.111 auto auto

When drop_invalid is enabled on the router, I cannot make any connections to the VM network.

Firewall config file entries:

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option fullcone '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq_allow_invalid '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq_allow_invalid '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option limit '20/sec'
        option limit_burst '8'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '900/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option limit_burst '36'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        option limit '900/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option limit_burst '40'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'fragmentation-needed'
        list icmp_type 'network-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'port-unreachable'
        list icmp_type 'required-option-missing'
        list icmp_type 'time-exceeded'
        list icmp_type 'timestamp-reply'
        list icmp_type 'timestamp-request'
        list icmp_type 'unknown-header-type'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'BT'
        option src 'wan'
        option dest 'lan'
        option dest_port '13276'
        option target 'ACCEPT'
        option family 'ipv6'
        list dest_ip '::91c/-64'

config rule
        option name 'sunshine'
        option src 'wan'
        option dest 'lan'
        option dest_port '47998-48000 47984 47989 48010'
        option target 'ACCEPT'
        option family 'ipv6'
        list dest_ip '::91c/-64'

config rule
        option name 'ssh'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option dest 'lan'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'vnc'
        option src 'wan'
        option dest 'lan'
        option dest_port '13333'
        option target 'ACCEPT'
        option family 'ipv6'
        list proto 'tcp'
        list dest_ip '::91c/-64'

Is my config wrong, or does it need more work?
Or do I need to do more on the server besides enabling IPv4 forwarding?

Please post the output of:

ubus call system board
cat /etc/config/network

Here it is.

root@ImmortalWrt:~# ubus call system board
{
        "kernel": "6.6.60",
        "hostname": "ImmortalWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "ImmortalWrt",
                "version": "SNAPSHOT",
                "revision": "r32409+8-c0c480daa7",
                "target": "mediatek/filogic",
                "description": "ImmortalWrt SNAPSHOT r32409+8-c0c480daa7",
                "builddate": "1731515374"
        }
}
root@ImmortalWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfd:bcdf:73a9::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option txqueuelen '2000'
        option igmp_snooping '1'
        option acceptlocal '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config device
        option name 'wan'
        option macaddr 'cc:d8:43:14:c6:6c'
        option txqueuelen '1600'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '[R]'
        option password '[R]'
        option ipv6 'auto'
        option peerdns '0'
        list dns '119.29.29.29'
        list dns '64.6.65.6'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2402:4e00::'
        list dns '2400:3200::'
        option norelease '1'

config device
        option name 'pppoe-wan'
        option txqueuelen '368'

config device
        option name 'eth0'
        option txqueuelen '1920'

config route
        option target '192.168.200.0/24'
        option gateway '192.168.1.111'
        option interface 'lan'

config route
        option interface 'lan'
        option target '192.168.233.0/30'
        option gateway '192.168.1.114'

config device
        option name 'phy1-ap0'
        option txqueuelen '1400'
        option multicast_router '1'
        option multicast_fast_leave '1'

config device
        option name 'phy0-ap0'
        option txqueuelen '1280'
        option multicast_router '1'
        option multicast_fast_leave '1'

What does this have to do with OpenWrt?
Ask ImmortalWrt about their fullcone firewall; it is not from here.


As stated above, the firmware in use here is not from the official OpenWrt project. Please ask your questions on the support channels for immortalwrt.

