I've got a guest network that I keep breaking as I gradually get a handle on how the firewall works. (I've found the post at Recommended firewall settings - #11 by Thinkcat helpful, as well as realizing that, unless I'm mistaken, the LuCI/UCI configuration is ultimately just controlling standard Linux iptables, which opens up additional "howto finding" possibilities!)
Anyway, one lingering mystery that I can't quite figure out revolves around keeping DHCP working for devices in the guest zone. I've been using https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface as the basis but what throws me is why the "Output" (from the router to the zone) needs to be set to accept. What's especially weird is that if I set it to reject the devices keep working — until they need to reconnect. At that point the clients don't get any DHCP, even though I have rules set up to allow both DNS and DHCP requests!
My guess is that maybe the firewall is indeed working on a packet level? That is, my rule allowing from "guest" to "[this device]" on the DHCP port allows the request packet in, but the response packet gets rejected on its way back from the router into the zone?
This doesn't explain why DNS seems to keep working, and it also doesn't totally explain why "wan" packets can get back to the "guest" network either.
If I'm on the right track at all here, is this merely a difference between UDP vs. TCP (and DNS is perhaps falling back to TCP when UDP requests go unanswered)? Is the firewall actually somewhat connection-based rather than purely per-packet in the case of TCP? Would setting up an "assign conntrack helper" on my DHCP rule let me allow UDP responses to go back out automatically or is that something completely different?
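The behaviour described in the post can be reproduced with a small model of how netfilter connection tracking and OpenWrt zone policies combine. This is an added example, not code from the post or from OpenWrt: it is a simplified stand-in for nf_conntrack and the firewall's ordering of checks (established/related traffic accepted first, then traffic rules, then the zone policy). The addresses, ports and the rule set are constructed sample values. It shows why a DNS reply from the router is classified ESTABLISHED (its tuple is the exact reverse of the query) while a DHCP OFFER, sent from the router's own address to the broadcast address, is not the reverse of a DISCOVER from 0.0.0.0 and is therefore a NEW flow leaving the router, which is what the guest zone's Output policy decides on.

```python
# Added example (not from the forum post or OpenWrt): a minimal model of
# conntrack states plus zone policies, used to show why DHCP replies from the
# router depend on the guest zone's "Output" policy while DNS replies do not.
# All addresses and ports are constructed sample values.
from dataclasses import dataclass

ROUTER_GUEST_IP = "192.168.3.1"   # constructed: router's address on the guest interface
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The reply tuple conntrack expects for this packet."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Stand-in for nf_conntrack: a packet is ESTABLISHED if it, or its reverse,
    matches a flow seen before; otherwise it is NEW and the flow is recorded."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        if pkt in self.flows or pkt.reverse() in self.flows:
            return "ESTABLISHED"
        self.flows.add(pkt)
        return "NEW"


@dataclass
class GuestZone:
    """Zone policies as set in LuCI: input = guest -> router, output = router -> guest."""
    input_policy: str = "REJECT"
    output_policy: str = "REJECT"
    # Traffic rules of the form "from guest to this device, UDP port N" (DNS and DHCP).
    allowed_input_udp_ports: frozenset = frozenset({53, 67})


def verdict(zone, ct, pkt, direction):
    """ACCEPT or REJECT in the order the OpenWrt firewall applies its checks:
    established/related first, then zone traffic rules, then the zone policy."""
    if ct.state(pkt) == "ESTABLISHED":
        return "ACCEPT"            # accepted before any zone chain is consulted
    if direction == "input":
        if pkt.proto == "udp" and pkt.dport in zone.allowed_input_udp_ports:
            return "ACCEPT"        # matched a traffic rule
        return zone.input_policy
    if direction == "output":
        return zone.output_policy  # no rule covers router -> guest, so the policy decides
    raise ValueError(direction)


def run_exchanges(output_policy):
    """Replay a DHCP DISCOVER/OFFER and a DNS query/reply across a guest zone
    with the given Output policy; returns the verdicts for the two replies."""
    zone = GuestZone(output_policy=output_policy)
    ct = Conntrack()

    # DHCP: a client with no address yet broadcasts from 0.0.0.0:68 to :67.
    discover = Packet("udp", "0.0.0.0", 68, BROADCAST, 67)
    assert verdict(zone, ct, discover, "input") == "ACCEPT"   # rule for port 67
    # The OFFER goes from the router's own address to the broadcast address.
    # That is not the reverse of the DISCOVER tuple, so conntrack sees a brand
    # new flow leaving the router toward the guest zone.
    offer = Packet("udp", ROUTER_GUEST_IP, 67, BROADCAST, 68)
    dhcp_reply = verdict(zone, ct, offer, "output")

    # DNS: an addressed client queries the router; the reply is the exact
    # reverse tuple, so it is ESTABLISHED and the Output policy is never reached.
    query = Packet("udp", "192.168.3.50", 40123, ROUTER_GUEST_IP, 53)
    assert verdict(zone, ct, query, "input") == "ACCEPT"      # rule for port 53
    reply = Packet("udp", ROUTER_GUEST_IP, 53, "192.168.3.50", 40123)
    dns_reply = verdict(zone, ct, reply, "output")

    return {"dhcp_offer": dhcp_reply, "dns_reply": dns_reply}


if __name__ == "__main__":
    for policy in ("REJECT", "ACCEPT"):
        print(f"guest Output={policy}: {run_exchanges(policy)}")
```

With Output set to REJECT the model returns `{"dhcp_offer": "REJECT", "dns_reply": "ACCEPT"}`, matching the symptom of clients keeping their existing lease but failing to renew; with ACCEPT both replies pass. The same reverse-tuple matching is why replies from the WAN reach guest clients: the outbound connection was recorded when it was forwarded, so the return traffic is ESTABLISHED rather than a new wan-to-guest flow. Conntrack helpers are a separate mechanism for protocols such as FTP that open additional related connections; they do not change how a UDP reply like the DHCP OFFER is tracked.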