Firewall and two WAN

pe0067 · November 25, 2020, 7:30am

Hi, I'm beginner in the world of Openwrt. Since few day, I trying configure, firewall for 2 WAN.
My planned scheme.
1.wanb -> Firewall(allow all network without youtube, facebook, twitter, and more social) -> lan
2.wan -> Firewall(reject all network with excluding youtube, facebook, twitter, and more social) -> lan

I installed mwan3, and configured like (point 1.) this working ok.

My configuration:

=================WAN B==================
in /etc/config/dhcp

dnsmasq
     list ipset '/youtube.com/social'
     list ipset '/facebook.com/social'
     ...

/etc/config/firewall:

config ipset
        option name 'social'
        option match 'src_ip'
        option storage 'hash'
        option enabled 1
config rule
	option name ''wanb denny social'
	option src 'lan'
	option dest 'wanb'
	option proto 'all'
	option ipset 'social'
	option target 'REJECT'

I have problem with configuration (point 2)

=================WAN==================

in /etc/config/dhcp

dnsmasq
     list ipset '/youtube.com/social2'
     list ipset '/facebook.com/social2'
     ...

/etc/config/firewall:

config ipset
        option name 'social2'
        option match 'dest_ip'
        option storage 'hash'
        option enabled 1

config rule
	option name ''accept DNS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53-67'
	option target 'ACCEPT'

config rule
	option name ''wan allow social2'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option ipset 'social2'
	option target 'ACCEPT'

config rule
	option name ''reject rest'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

This configuration blocking all network, but if configuration look like below, all working correctly.


/etc/config/firewall:

config rule
	option name ''accept DNS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53-67'
	option target 'ACCEPT'

config rule
	option name ''wan allow youtube'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option dest_ip '216.58.207.46'
	option target 'ACCEPT'

config rule
	option name ''reject rest'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

I am asking for help, I am struggling with this for a week

trendy · November 25, 2020, 9:21am

Have you taken into consideration that youtube and facebook are using domains other than the ones you have in the iplist?

This rule is obviously a mistake. There is no reason to forward dhcp packets to the internet. In general lan-> wan traffic is allowed.

Other than that I am not sure I understand what your problem is from configuration snippets. Write clearly what problem are you facing, what would you like to do and what is the behavior. The post the whole configuration files:

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export mwan3; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

pe0067 · November 25, 2020, 9:52am

I have two LTE modem,
First with limited transfer, second with non-limited transfer for (youtube, facebook, and other social).
This modems are connected to rapsberry pi with openwrt firmware, and configured.
I need setup multiwan connection with two rules.

First modem allow all traffic without my exception (social pages).
Second modem allow only traffic from/to social pages.

Is it possibe?

trendy · November 25, 2020, 10:43am

Yes, it is possible. However as I mentioned earlier the content of facebook and youtube is not limited to these two domains.

pe0067 · November 25, 2020, 11:17am

Ok, mayby exist methode (package, sowtware, script) like adblock to resolve my problem.
I found on github block lists https://github.com/jmdugan/blocklists/tree/master/corporations.

trendy · November 25, 2020, 11:21am

Luckily for you ipsets are supported in mwan3 so if you can compile one with the interesting traffic you can route it accordingly over the desired interface.

pe0067 · December 2, 2020, 12:34pm

My problem resolved. The setup was ok. I just had to add metric gateway to my wan's interfaces.
Subject to close.

trendy · December 2, 2020, 6:04pm

This is the first step before setting up mwan3 actually.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

system · December 12, 2020, 6:04pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.