I have recently switched from dd-wrt to openWrt.
I am using a Turris MOX Classic which is running TurrisOS 4.0.5 ab9d1bf.
What I need to do is restrict a VLAN which is bound to LAN4 on two different levels:
- Allow Internet Access for one special MAC
- Allow only one specific IP and port combination for all other devices and block the rest of the internet
I had this working perfectly with dd-wrt and tried to apply the same idea in the OpenWrt firewall builder.
The rules I used on dd-wrt were as follows (VLAN2 = WAN interface, VLAN3 = my own VLAN):
# First dd-wrt rule: TCP from vlan3 (own VLAN) out via vlan2 (WAN) to
# XX.XX.XX.XX:443 is logged and accepted, for NEW and ESTABLISHED
# connections. `logaccept` is a dd-wrt chain; it does not exist on OpenWrt.
iptables -I FORWARD -i vlan3 -o vlan2 -p tcp -d XX.XX.XX.XX --dport 443 -m state --state NEW,ESTABLISHED -j logaccept
# Second dd-wrt rule: the return direction (from XX.XX.XX.XX on vlan2 back
# into vlan3), accepted only when the connection is already ESTABLISHED —
# i.e. no unsolicited inbound TCP from that address.
iptables -I FORWARD -i vlan2 -o vlan3 -p tcp -s XX.XX.XX.XX -m state --state ESTABLISHED -j logaccept
(1.) is working as intended, somehow.
(2.) is not working, i.e. internet access is blocked for all destination addresses.
Below I have attached my firewall rules. Can someone advise what I am doing wrong?
# Global defaults: SYN-flood protection on; traffic to and from the router
# itself is accepted, but forwarding between zones is REJECTed unless a zone
# or a 'config forwarding' section below allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'lan' zone: fully open, including forwarding within the zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# 'wan' zone: unsolicited inbound to the router is REJECTed (only the explicit
# wan rules further down open anything); masquerading (masq) and MSS clamping
# (mtu_fix) are enabled for outbound traffic. Covers both wan and wan6.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# lan -> wan forwarding allowed.
config forwarding
option src 'lan'
option dest 'wan'
# The rules below look like the stock OpenWrt wan defaults. A rule without
# 'dest' applies to traffic addressed to the router itself (input); rules
# with 'dest' apply to forwarded traffic.
# Let the upstream DHCP server renew our IPv4 lease (UDP to port 68).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Router answers IPv4 ping from wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IGMP from wan to the router.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 (UDP 546) between ULA/link-scope addresses (fc00::/6).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD (ICMPv6 types 130-132, 143) from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Essential ICMPv6 to the router (echo, errors, ND/RA), rate-limited to
# 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same ICMPv6 error/echo set, but forwarded from wan to any zone (dest '*'),
# without the ND/RA types; rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through into 'lan': ESP and ISAKMP (UDP 500) forwarded from wan.
# Note this admits unsolicited wan -> lan traffic on those protocols/ports.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Raw iptables script run alongside this config. Its contents are not shown
# here; any rule it adds also affects the vlan1 behaviour discussed below.
config include
option path '/etc/firewall.user'
# Turris guest network: isolated zone (input/forward REJECT) that may only
# reach the router for DNS and DHCP, and the internet via the forwarding
# section below.
config zone 'guest_turris'
option enabled '1'
option name 'guest_turris'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'guest_turris'
config forwarding 'guest_turris_forward_wan'
option enabled '1'
option name 'guest to wan forward'
option src 'guest_turris'
option dest 'wan'
# Guests may query the router's DNS (TCP/UDP 53).
config rule 'guest_turris_dns_rule'
option name 'guest dns rule'
option src 'guest_turris'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
# Guests may obtain DHCP leases from the router (UDP 67-68).
config rule 'guest_turris_dhcp_rule'
option name 'guest dhcp rule'
option src 'guest_turris'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option target 'ACCEPT'
# Router management from wan (SSH 22, HTTP 80, HTTPS 443): all three rules are
# present but disabled ('enabled 0'), so none of these ports is open from wan.
config rule 'wan_ssh_turris_rule'
option name 'wan_ssh_turris_rule'
option target 'ACCEPT'
option dest_port '22'
option proto 'tcp'
option src 'wan'
option enabled '0'
config rule 'wan_http_turris_rule'
option name 'wan_http_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp'
option src 'wan'
config rule 'wan_https_turris_rule'
option name 'wan_https_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp'
option src 'wan'
# 6in4 tunnel rule, disabled.
config rule 'turris_wan_6in4_rule'
option enabled '0'
# VPN zone on network 'VPN': the tunnel side is treated like an upstream
# (input/forward REJECT, masquerading and MSS clamping on); lan may forward
# into it.
config zone
option name 'smartvpn_fw'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'VPN'
config forwarding
option dest 'smartvpn_fw'
option src 'lan'
# The restricted VLAN. The router accepts traffic from it (input ACCEPT, so
# DNS/DHCP to the router keep working); intra-zone forwarding is REJECTed.
config zone
option name 'vlan1'
option network 'VLAN1'
option forward 'REJECT'
option input 'ACCEPT'
option output 'ACCEPT'
# Zone-level vlan1 -> wan forwarding. The 'config rule' entries below are
# evaluated before this zone-forwarding ACCEPT, so the final REJECT rule is
# what actually limits the VLAN (confirm the generated order with
# iptables-save on this build).
config forwarding
option dest 'wan'
option src 'vlan1'
# Rules are applied in file order; keep the three ACCEPTs before the REJECT.
# One device, identified by source MAC, gets unrestricted internet access.
# MAC matching only sees the L2 sender, so this holds for hosts directly on
# the VLAN segment; it does not check the IP.
config rule
option src 'vlan1'
option target 'ACCEPT'
option name 'VLAN Allow Internet for MAC'
option src_mac 'XX:XX:XX:XX:XX:XX'
option dest 'wan'
# Every vlan1 host (no src_ip) may reach XX.XX.XX.XX on TCP/443 — the
# "one IP and port" exception.
config rule
option target 'ACCEPT'
option src 'vlan1'
option dest_ip 'XX.XX.XX.XX'
option dest_port '443'
option name 'MDevice Outbound'
option proto 'tcp'
option dest 'wan'
# wan -> vlan1: any TCP from XX.XX.XX.XX, with no port and no connection-state
# restriction. Unlike the dd-wrt rule this is not limited to ESTABLISHED;
# fw3 normally accepts RELATED,ESTABLISHED return traffic before zone rules
# (confirm on this build), so this rule is likely unnecessary and, as written,
# admits unsolicited TCP to any port on vlan1 from that address.
config rule
option target 'ACCEPT'
option src 'wan'
option name 'MDevice Inbound'
option src_ip 'XX.XX.XX.XX'
option proto 'tcp'
option dest 'vlan1'
# Everything else from vlan1 to wan is rejected. Must stay last.
config rule
option src 'vlan1'
option name 'VLAN Block Internet Access'
option target 'REJECT'
option proto 'all'
option dest 'wan'
# DNAT: TCP port 22 arriving on wan is forwarded to 192.168.11.1:2525 in the
# lan zone, so SSH from the internet reaches that host rather than the
# router. Named 'haas' — presumably the Turris honeypot proxy; confirm.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.11.1'
option dest_port '2525'
option name 'haas'
Side question: On dd-wrt I allowed incoming packets only for ESTABLISHED connections. How can I set this in the firewall builder?
I tried it with
# 'extra' is passed through to iptables as-is. -S is not a match here; the
# state match the dd-wrt rules above use is `-m state --state ESTABLISHED`,
# which is presumably what was intended — confirm against the fw3 docs.
option extra "-S ESTABLISHED"
but that did not work.