Firewall Default Settings Blocking Device Communication in LAN Zone

Hi all,

I'm experiencing issues on my Banana Pi R4 running OpenWrt (snapshot) with a Banana Pi Wifi 7 card (BPI-R4-NIC-BE14). My firewall settings on the LAN zone seem to block Wi-Fi devices from communicating with each other, as well as with wired devices, despite all of them being in the LAN zone.

Here's a summary of my setup and the issue:

Setup:

  • LAN zone: one VLAN carrying both the wired devices and the main Wi-Fi SSIDs
  • Guest zone: a separate VLAN with its own Wi-Fi SSID
  • Additional software: Tailscale and Docker, both of which add their own sections to the firewall configuration

Problem:

With the default firewall settings (input: reject, output: accept, forward: reject), Wi-Fi devices in the LAN zone cannot communicate with each other or with wired devices.
When I change the forward setting of the LAN zone to accept, the issue is resolved and devices in the LAN zone can communicate without any problem.
I'm unsure whether the problem lies with my configuration, with the snapshot state of OpenWrt, or with compatibility with this new Wi-Fi card.

Is setting forward to accept in the LAN zone safe, or could it lead to security issues? Is there a better way to allow devices in the LAN zone to communicate with each other?

Any advice or insights would be greatly appreciated!

root@router1:~# ubus call system board
{
	"kernel": "6.6.58",
	"hostname": "router1",
	"system": "ARMv8 Processor rev 0",
	"model": "Bananapi BPI-R4",
	"board_name": "bananapi,bpi-r4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"description": "OpenWrt SNAPSHOT",
		"revision": "r27992-a85f11f191",
		"target": "mediatek/filogic",
		"builddate": "1730443380"
	}
}


root@router1:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

#Need to include the MAC address of the ISP router for my ISP to issue an IPv6 address
config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth2'
	list ports 'wan'
	option macaddr 'redacted'

config device
	option name 'wan'
	option macaddr 'redacted'

config device
	option name 'eth2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'eth1:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.102'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'


root@router1:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel 'auto'
	option htmode 'EHT40'
	option country 'GB'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '2G'
	option encryption 'sae-mixed'
	option key 'password'
	option ocv '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0+1'
	option band '5g'
	option channel 'auto'
	option htmode 'EHT80'
	option cell_density '0'
	option country 'GB'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '5G'
	option encryption 'sae-mixed'
	option key 'password'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0+2'
	option band '6g'
	option channel 'auto'
	option htmode 'EHT320'
	option cell_density '0'
	option country 'GB'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid '6G'
	option encryption 'sae-mixed'
	option key 'password'
	option ocv '0'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae-mixed'
	option key 'password'
	option ocv '0'
	option network 'guest'
	option isolate '1'

root@router1:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'tailscale'
	option masq '1'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '67-68'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

Wireless devices bridged to br-lan normally communicate with other devices in all networks of the LAN zone without any problem. If you want to prove that something is actually being blocked, append a logging rule to each generated chain and check what it records, rather than guessing from the symptoms.

The default settings for the LAN zone already accept all traffic (input, output and forward), so there should be no need to change the global `config defaults` section as you did — note that your posted config has `option forward 'ACCEPT'` there, whereas the stock default is `REJECT`. The defaults on my BPI R3-Mini are:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

This turned out to be related to Docker: simply installing the docker packages (docker, dockerd, docker-compose) caused the issue. (Docker is known to alter the host's bridge and forwarding filter behaviour when it starts, which would be consistent with bridged LAN clients suddenly becoming subject to forwarding rules — I did not dig into the exact mechanism.)

I replaced Docker with Podman and the problem has gone away.

