Filter devices from a network of 2 LAN connected via wifi with OpenWrt


#1

Hi, I'm asking for help about my configuration with OpenWrt Chaos Calmer 15.05.1. I've created a setup similar to this superuser question to "join" two LANs by means of an OpenWrt device configured as Wi-Fi client.

Specifically, this is my network diagram:

Network

I would like that each of the two networks has its own separate Internet access (through FirstRouter for LAN0 and SecondRouter for LAN1 which are the default gateways for each lan device) but the OpenWrt router should make the two LANs communicate. On the FirstRouter I set the static route to 192.168.1.0/24 via 192.168.0.253 and on the contrary SecondRouter has a static route to 192.168.0.0/24 via 192.168.1.253.

This setup works perfectly, but the problem is that I would like LAN0 to ping/access any IP on LAN1, but LAN1 should have access only to NAS2 (i.e. the IP address 192.168.0.20) and I'm not able to do this using the LuCI firewall configuration.

My current network setup is the following:


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd05:bc45:cc82::/48'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.253'
        option gateway '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'wwan'
        option proto 'dhcp'
        option defaultroute '0'

Consider that the wwan interface is currently a DHCP client, but its lease is reserved on the FirstRouter DHCP server so that the static route always keeps working.

The firewall setup (created with the LuCI GUI but reported here as text) is the following:

root@OpenWrt:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'Allow-SSH'
        option family 'ipv4'
        option dest_port '22'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name 'Allow-Admin'
        option family 'ipv4'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.0.20'
        option proto 'all'
        option src_ip '192.168.1.0/24'
        option name 'Allow-Forward'

config rule
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.0.0/24'
        option target 'REJECT'
        option name 'OpenWrt-Basic'
        option proto 'all'
        option src_ip '192.168.1.0/24'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan wan6 wwan'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wan'

With this configuration from LAN1 I can correctly ping or access only 192.168.0.20 as I want, but the problem is that from LAN0 I cannot ping any device with IP 192.168.1.x (apart from 192.168.1.253)!
If I disable the last "OpenWrt-Basic" rule, then I'm able to ping any host from LAN0 to LAN1 but then also from LAN1 to LAN0 my filter is not active anymore.

Can anyone please help me figure out where the error is?


#2

Really, do invest the time to upgrade to a security-supported version of OpenWrt (18.06.1) before spending more time on your old, unsupported version with serious known security issues.


#3

That's fair, but it is a borrowed device with little free RAM (TL-WR841N), and this (old) version is one I found here in a hurry with LuCI already pre-compiled (if I remember correctly).

Anyway, I think the question is about the firewall rules, or does an old version of OpenWrt like mine affect how it handles the packets forwarding?


#4

Yes, it's mostly a routing and firewall question - and while changes in those relatively basic features don't happen often/ over night, they do happen and no one remembers quirks of a two-releases back/ four-year-old system. While I realize that low-end 4/32 devices are more problematic than contemporary ones, the security implications (especially considering your use case) are critical and prohibit using a known-insecure version.


#5

OK, I will try to update to the 18.06.1 then and see if the same issue happens again.
Do you have any suggestion on where I can find a precompiled "bin" with LuCI included for the TL-WR841N v11 without using the image generator (because building one would require a Linux VM and a lot of studying)?


#6

https://downloads.openwrt.org/releases/18.06.1/targets/ar71xx/tiny/openwrt-18.06.1-ar71xx-tiny-tl-wr841-v11-squashfs-sysupgrade.bin


#7

These two rules are the exact opposite. The one that is higher in the list will work.
Remove them both, also remove the

and make one rule to allow traffic from LAN1 towards only 192.168.0.20


#8

I've updated to the version provided:

root@OpenWrt:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.1'
DISTRIB_REVISION='r7258-5eb055306f'
DISTRIB_TARGET='ar71xx/tiny'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06.1 r7258-5eb055306f'
DISTRIB_TAINTS=''

Unfortunately the same behaviour persists and now I have so little free memory that I cannot install nano and I have to use vi :cry:


#9

These two rules are the exact opposite.

If I enable the Wi-Fi client "out-of-the-box", all my LAN1 devices (i.e. with IP 192.168.1.x, which are on the OpenWrt "lan") can ping/access every LAN0 device (i.e. with IP 192.168.0.x, which are on the OpenWrt "wwan" or Wi-Fi client).

So I thought that I would need to add the first rule "Allow-Forward" to allow packets from 192.168.1.0/24 to 192.168.0.20 only, and the second rule "OpenWrt-Basic" would instead block all the other hosts in 192.168.0.0/24 not handled by the previous rule. Doesn't the first rule have higher priority and override the second one? Or how can I achieve that?

also remove the

config forwarding
option dest 'lan'
option src 'wan'

If I remove this, the reverse direction won't work, i.e. LAN0 cannot access any LAN1 device. With this rule in place, instead, I can ping for example Desktop2 (192.168.1.17) from Desktop1 (192.168.0.7). And that's what I want: LAN0 has to access LAN1, but LAN1 to LAN0 has to be filtered with only one host allowed (192.168.0.20).


#10

Yes, you are right, I read your first post carelessly. The first rule has higher priority indeed.
The second deny rule though should not be needed. If you remove the following forwarding:

config forwarding
        option dest 'wan'
        option src 'lan'

the devices in LAN1 should not be able to access LAN0 anymore, only 192.168.0.20, which has an explicit ALLOW rule. If it doesn't work after this, please post the output of `iptables -L -vn` here.


#11

If you remove the following forwarding the devices in LAN1 should not be able to access LAN0 anymore

Yes, but after removing that forwarding I wasn't able to ping from LAN0 to LAN1 either. I'm pretty confused about my configuration, because the firewall rules seem "easy" in my mind, but when I apply them on the router the behaviour is not what I expect.

Anyway, if I do what you suggest I end with this firewall configuration (removed "config forwarding" lan to wan and "OpenWrt-Basic" rule that rejected the packets):

root@OpenWrt:~# cat /etc/config/firewall
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'Allow-SSH'
        option family 'ipv4'
        option dest_port '22'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name 'Allow-Admin'
        option family 'ipv4'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.0.20'
        option proto 'all'
        option src_ip '192.168.1.0/24'
        option name 'Allow-Forward'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan wan6 wwan'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

When I apply this I get these messages and iptables results:

root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-SSH'
   * Rule 'Allow-Admin'
   * Rule #9
   * Rule #10
   * Rule 'Allow-Forward'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #9
   * Rule #10
   * Rule 'Allow-Forward'
     ! Skipping due to different family of ip address
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

root@OpenWrt:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
  192 16080 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  128 12741 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
  104  8453 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    4   208 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    0     0 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   24  4288 zone_wan_input  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   26  1560 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
   11   660 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    6   360 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    9   540 zone_wan_forward  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   14   840 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
  192 16080 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  262 73275 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
  142 65379 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  120  7896 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain reject (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
   14   840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    4   208 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination 
  120  7896 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    6   360 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    1    60 zone_wan_dest_ACCEPT  all  --  *      *       192.168.1.0/24       192.168.0.20         /* !fw3: Allow-Forward */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    5   300 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  120  7896 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
  120  7896 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    1    60 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    9   540 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: @rule[9] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: @rule[10] */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    9   540 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination 
   24  4288 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* !fw3: Allow-SSH */
    3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Allow-Admin */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
   20  4080 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */
   20  4080 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

The result is that from LAN1 I can effectively ping only 192.168.0.20 (and that's correct) but from LAN0 I cannot ping 192.168.1.17 (or any other host) which previously worked.
I also don't understand why it outputs:

* Rule 'Allow-Forward'
     ! Skipping due to different family of ip address

What does it mean? src = lan = 192.168.1.0/24 and dest = wan = 192.168.0.20 they are correct and of course they have to be different... ?!?

I also tried to make another addition to the end of your rules by adding also:

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'Allow-Forward2'
        option src_ip '192.168.1.0/24'
        option dest 'wan'
        option dest_ip '192.168.0.2'

With this rule I should technically be able to ping 192.168.0.2 from LAN1 in addition to 192.168.0.20, but that does not happen. I can ping 192.168.0.20 but NOT 192.168.0.2... it seems that the new rule is not applied correctly (I tried restarting the firewall and rebooting without success).


#12

For a reason unknown to me, the rule is not added.
If you see for example the zone_lan_forward chain (packets to be forwarded, ingress from lan zone), second line is zone_wan_dest (egress is wan) and allows the 192.168.1.0/24 -> 192.168.0.20 (also has a hit from some ping you tried)
On the other hand, the zone_wan_forward chain (packets to be forwarded, ingress from the wan zone) has zone_lan_dest_ACCEPT (egress to lan) on its second and third lines, which are the esp and udp/500 rules. However, there is no rule there that allows the traffic from LAN0 to LAN1.
So if by now the only thing that doesn't work is LAN0 to LAN1, I suggest you add this to /etc/firewall.user manually: iptables -I forwarding_wan_rule -s 192.168.0.0/24 -d 192.168.1.0/24 -j zone_lan_dest_ACCEPT

This is not an issue: the rule has explicit IPv4 addresses and therefore cannot be applied to the IPv6 filter table.


#13

Thanks, I was blind enough not to see that the error/warning was below the "Populating IPv6 filter table" heading... sorry for the dumb question! :slightly_smiling_face:

Believe it or not - I can hardly believe it myself :confused: - after clearing out the /etc/config/firewall file with vi, I pasted into it the content of my original configuration from the first post, restarted the firewall service again and... it worked! :sunglasses:

Now I can ping 192.168.1.17 (LAN1) from LAN0, and from LAN1 I can reach only 192.168.0.20 (LAN0), which is correct.
Maybe @slh was right and something changed with 18.06.1, but it didn't work 3 days ago, right after updating the firmware...

What I can confirm is that the LuCI web interface sometimes doesn't create the firewall rule exactly as it displays it in the browser. For example, just to experiment, after this configuration worked I tried to add another rule to also allow 192.168.0.2 from LAN1. The rule appeared in the web UI exactly like my previous "Allow-Forward", but in /etc/config/firewall it was added like this:

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.0.2'
        option proto 'tcp udp'
        option src_ip '192.168.1.0/24'
        option name 'Allow-Forward2'

In the web UI, both rules Allow-Forward and Allow-Forward2 appear to apply to any traffic, while in /etc/config/firewall the newly created rule has option proto 'tcp udp' instead of option proto 'any'. So if I try to ping 192.168.0.2 I get an error... but it is only a "ping error", because ICMP is not allowed by that rule; accessing Samba does in fact work.

So thank you very much for your help. Lesson learned for me: never trust the web interface 100%. :+1:t2:

For your information, and for anyone reading this in the future, this is the iptables output with the rules of my first post:

root@OpenWrt:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   48  3452 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
   43  2396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    1   240 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    4   816 zone_wan_input  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   61  6320 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
   61  6320 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       192.168.1.0/24       192.168.0.20         /* !fw3: Allow-Forward */
    0     0 zone_wan_dest_REJECT  all  --  *      *       192.168.1.0/24       192.168.0.0/24       /* !fw3: OpenWrt-Basic */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    1   240 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    1   240 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    1   240 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: @rule[9] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: @rule[10] */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wan to lan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    4   816 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* !fw3: Allow-SSH */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Allow-Admin */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    4   816 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */
    4   816 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

#14

Correct: ping is the ICMP protocol, and that rule allows only TCP and UDP.
Glad you made it work, even with that workaround :slight_smile: