Firewall: accepting (DHCP) output from router vs. connection tracking?

I've got a guest network that I keep breaking as I gradually get a handle on how the firewall works. (I've found the post at Recommended firewall settings - #11 by Thinkcat helpful as well as realizing that unless I'm mistaken the LuCI/UCI configuration is ultimately just controlling standard Linux iptables which opens up additional "howto finding" possibilities!)

Anyway, one lingering mystery that I can't quite figure out revolves around keeping DHCP working for devices in the guest zone. I've been using https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface as the basis but what throws me is why the "Output" (from the router to the zone) needs to be set to accept. What's especially weird is that if I set it to reject the devices keep working — until they need to reconnect. At that point the clients don't get any DHCP, even though I have rules set up to allow both DNS and DHCP requests!

My guess is that maybe the firewall is indeed working on a packet level? That is, my rule allowing from guest to [this device] on the DHCP port allows the request packet in, but the response packet gets rejected on its way back from the router into the zone?

This doesn't explain why DNS seems to keep working, and it also doesn't totally explain why wan packets can get back to the guest network either.

If I'm on the right track at all here, is this merely a difference between UDP vs. TCP (and DNS is perhaps falling back to TCP when UDP requests go unanswered)? Is the firewall actually somewhat connection-based rather than purely per-packet in the case of TCP? Would setting up an "assign conntrack helper" on my DHCP rule let me allow UDP responses to go back out automatically or is that something completely different?

This is typically not considered a threat.

2 Likes

A DHCP Discovery packet is broadcast without source IP, not directed to the router specifically. There is no connection, nor a specific flow to track.
On the contrary, DHCP Request, Reply, Renew are unicast, so a flow can be tracked by the firewall.
If you feel like you want to reject the output on the guest zone, create a rule to allow udp/67 towards 68. But that is not necessary as @vgaetera explained earlier.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.