I have an interface (192.168.1.1/24) on device eth0 named 'cams', placed in a separate firewall zone also named 'cams' with logging enabled, the goal being to keep the cameras from phoning home.
# Firewall zone for the camera network. 'forward REJECT' is what blocks
# cams -> other zones (including wan). 'input ACCEPT' lets every host in the
# zone reach all services on the router itself (e.g. ssh and http, which are
# bound to 0.0.0.0 below in the netstat output).
config zone
option name 'cams'
# NOTE(review): for containment of untrusted cameras, consider input 'REJECT'
# plus explicit allow rules for only DNS (udp/tcp 53) and DHCP (udp 67).
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'cams'
# Only packets that reach the zone's REJECT chain are logged (rate-limited to
# 10/sec in the generated iptables); accepted traffic is never logged.
option log '1'
# Exception: only 192.168.1.99 may be forwarded to the wan zone, any protocol.
config rule
option name 'Allow-WAN-camshost'
list proto 'all'
option src 'cams'
list src_ip '192.168.1.99'
option dest 'wan'
option target 'ACCEPT'
# Redundant while the zone's input policy is ACCEPT (the zone already accepts
# everything to the router); it only becomes necessary if input is changed to
# REJECT. Note it covers UDP only; DNS over TCP would need 'tcp' as well.
config rule
option name 'Allow-DNS-camshost'
list proto 'udp'
option src 'cams'
list src_ip '192.168.1.99'
option dest_port '53'
option target 'ACCEPT'
Try as I might, I can't get the security host (192.168.1.99) to reach the internet.
When pinging the interface address 192.168.1.1 I get "destination net unreachable",
which I took to mean the traffic is being rejected, but nothing shows up in the system log or kernel log.
(Note: an fw3 REJECT answers with ICMP port-unreachable or a TCP RST, not net-unreachable; "destination net unreachable" is normally the client's own stack reporting that it has no route or link to the target, so it does not by itself indicate a firewall rule.)
Where can I find the firewall log?
fw3 -4 print
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_cams_input
iptables -t filter -N zone_cams_output
iptables -t filter -N zone_cams_forward
iptables -t filter -N zone_cams_src_ACCEPT
iptables -t filter -N zone_cams_dest_ACCEPT
iptables -t filter -N zone_cams_dest_REJECT
iptables -t filter -N input_cams_rule
iptables -t filter -N output_cams_rule
iptables -t filter -N forwarding_cams_rule
iptables -t filter -A zone_cams_input -m comment --comment "!fw3: Custom cams input rule chain" -j input_cams_rule
iptables -t filter -A zone_cams_output -m comment --comment "!fw3: Custom cams output rule chain" -j output_cams_rule
iptables -t filter -A zone_cams_forward -m comment --comment "!fw3: Custom cams forwarding rule chain" -j forwarding_cams_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_cams_forward -s 192.168.1.99/255.255.255.255 -m comment --comment "!fw3: Allow-WAN-camshost" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_cams_input -p udp -s 192.168.1.99/255.255.255.255 -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-camshost" -j ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -D zone_lan_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_cams_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_cams_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_cams_input -m comment --comment "!fw3" -j zone_cams_src_ACCEPT
iptables -t filter -A zone_cams_forward -m comment --comment "!fw3" -j zone_cams_dest_REJECT
iptables -t filter -A zone_cams_output -m comment --comment "!fw3" -j zone_cams_dest_ACCEPT
iptables -t filter -D zone_cams_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_cams_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_cams_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_cams_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_cams_dest_REJECT -o eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT cams out: "
iptables -t filter -A zone_cams_dest_REJECT -o eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT cams out: "
iptables -t filter -D zone_cams_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_cams_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth0 -m comment --comment "!fw3" -j zone_cams_input
iptables -t filter -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_cams_input
iptables -t filter -D OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_cams_output
iptables -t filter -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_cams_output
iptables -t filter -D FORWARD -i eth0 -m comment --comment "!fw3" -j zone_cams_forward
iptables -t filter -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_cams_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_cams_postrouting
iptables -t nat -N zone_cams_prerouting
iptables -t nat -N prerouting_cams_rule
iptables -t nat -N postrouting_cams_rule
iptables -t nat -A zone_cams_prerouting -m comment --comment "!fw3: Custom cams prerouting rule chain" -j prerouting_cams_rule
iptables -t nat -A zone_cams_postrouting -m comment --comment "!fw3: Custom cams postrouting rule chain" -j postrouting_cams_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -D PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_cams_prerouting
iptables -t nat -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_cams_prerouting
iptables -t nat -D POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_cams_postrouting
iptables -t nat -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_cams_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
Better to post the output of `iptables-save -c` (with packet/byte counters), so it is visible which rules are actually being hit.
Firewall LOG messages go to the kernel log, which on OpenWrt is shown by `logread` (or `dmesg`). Be aware that with `option log '1'` fw3 only logs packets that reach the zone's REJECT/DROP chains; accepted traffic, and traffic that never reaches the router, will not appear.
`logread` shows nothing firewall related,
and with `logread -f` running nothing shows up when I `ping openwrt.org` from a device on the cams interface (in the cams firewall zone):
>ping openwrt.org
Ping request could not find host openwrt.org. Please check the name and try again.
iptables-save -c
# Generated by iptables-save v1.8.7 on Mon Jul 19 15:50:03 2021
*nat
:PREROUTING ACCEPT [1500:143420]
:INPUT ACCEPT [477:38733]
:OUTPUT ACCEPT [213:16838]
:POSTROUTING ACCEPT [293:20063]
:postrouting_cams_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_cams_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_cams_postrouting - [0:0]
:zone_cams_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1500:143420] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[841:85646] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[60:10969] -A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_lan_prerouting
[599:46805] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_cams_prerouting
[676:66251] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[95:8159] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[195:11700] -A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_lan_postrouting
[383:46188] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_cams_postrouting
[0:0] -A zone_cams_postrouting -m comment --comment "!fw3: Custom cams postrouting rule chain" -j postrouting_cams_rule
[0:0] -A zone_cams_prerouting -m comment --comment "!fw3: Custom cams prerouting rule chain" -j prerouting_cams_rule
[290:19859] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[901:96615] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[383:46188] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[383:46188] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[599:46805] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Jul 19 15:50:03 2021
# Generated by iptables-save v1.8.7 on Mon Jul 19 15:50:03 2021
*mangle
:PREROUTING ACCEPT [38625:39105060]
:INPUT ACCEPT [1927:178639]
:FORWARD ACCEPT [36652:38913605]
:OUTPUT ACCEPT [2414:505758]
:POSTROUTING ACCEPT [39036:39413510]
[75:4500] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[56:3320] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jul 19 15:50:03 2021
# Generated by iptables-save v1.8.7 on Mon Jul 19 15:50:03 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_cams_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_cams_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_cams_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_cams_dest_ACCEPT - [0:0]
:zone_cams_dest_REJECT - [0:0]
:zone_cams_forward - [0:0]
:zone_cams_input - [0:0]
:zone_cams_output - [0:0]
:zone_cams_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[21:2328] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1912:176623] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[788:88057] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[76:3220] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[446:37801] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[28:1788] -A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_lan_input
[650:48977] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_cams_input
[36652:38913605] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[31435:37990450] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5206:922447] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[11:708] -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_cams_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[21:2328] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2399:504558] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2184:487144] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:1698] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
[209:15716] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_cams_output
[128:5772] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[514:41938] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[76:3220] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_cams_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_cams_dest_REJECT -o eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT cams out: "
[0:0] -A zone_cams_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_cams_forward -m comment --comment "!fw3: Custom cams forwarding rule chain" -j forwarding_cams_rule
[0:0] -A zone_cams_forward -s 192.168.1.99/32 -m comment --comment "!fw3: Allow-WAN-camshost" -j zone_wan_dest_ACCEPT
[0:0] -A zone_cams_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_cams_forward -m comment --comment "!fw3" -j zone_cams_dest_REJECT
[0:0] -A zone_cams_input -m comment --comment "!fw3: Custom cams input rule chain" -j input_cams_rule
[0:0] -A zone_cams_input -s 192.168.1.99/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-camshost" -j ACCEPT
[0:0] -A zone_cams_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_cams_input -m comment --comment "!fw3" -j zone_cams_src_ACCEPT
[0:0] -A zone_cams_output -m comment --comment "!fw3: Custom cams output rule chain" -j output_cams_rule
[0:0] -A zone_cams_output -m comment --comment "!fw3" -j zone_cams_dest_ACCEPT
[0:0] -A zone_cams_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4794:873328] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[303:18180] -A zone_lan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
[5217:923155] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5217:923155] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5091:889810] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[474:39589] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[474:39589] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6:1698] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6:1698] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[446:37801] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:1788] -A zone_lan_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[26:5741] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[309:43320] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[650:48977] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[3:991] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[5:276] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[642:47710] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[209:15716] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[209:15716] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[642:47710] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jul 19 15:50:03 2021
The ping output shows the host cannot even resolve the hostname, so this is a DNS problem rather than a firewall one. Is a working nameserver configured on the client?
I think so, yes:
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : eyes
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : {mac address redacted}
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.99(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
There is some other problem here: every rule in the cams zone shows zero packets/bytes, so no traffic from that interface is reaching the router's firewall at all:
[0:0] -A zone_cams_input -m comment --comment "!fw3: Custom cams input rule chain" -j input_cams_rule
[0:0] -A zone_cams_input -s 192.168.1.99/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-camshost" -j ACCEPT
[0:0] -A zone_cams_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_cams_input -m comment --comment "!fw3" -j zone_cams_src_ACCEPT
Check that layer-2 connectivity between the router and the host is actually working (VLAN tagging, switch port configuration, Wi-Fi, and in this case the hypervisor bridge the VirtIO NIC is attached to).
It looks like there is connectivity:
ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
nslookup openwrt.org
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find openwrt.org: Query refused
but `logread -f` remains silent. (That is expected here: the only LOG rule is in `zone_cams_dest_REJECT`, i.e. it fires for forwarded traffic that is rejected. A DNS query to the router itself is INPUT traffic, which the zone's input policy accepts, so it would never be logged even if it arrived.)
Run tcpdump on OpenWrt (e.g. `tcpdump -ni eth0 port 53`) and verify that the DNS queries from the client actually arrive on that interface.
Then run `netstat -lnp` and verify that dnsmasq is listening on 192.168.1.1:53.
diversity:
Query refused
"Query refused" is the resolver actively returning REFUSED, which points at an access/filtering setting in dnsmasq rather than at the firewall. Post:
uci export dhcp
I've added a second virtual NIC to the offending client. It has obtained a DHCP lease from 10.0.0.254 (the LAN interface on OpenWrt) and through that it has full access.
Then I run on the client:
nslookup openwrt.org 10.0.0.254
Server: OpenWrt.lan
Address: 10.0.0.254
Non-authoritative answer:
Name: openwrt.org
Addresses: 2a03:b0c0:3:d0::1af1:1
139.59.209.225
tcpdump on OpenWrt shows (for the query sent to 10.0.0.254):
10:18:19.614636 IP OpenWrt.lan.53 > eyes.62153: 2 NXDomain 0/0/0 (33)
10:18:19.614826 IP eyes.62154 > OpenWrt.lan.53: 3+ AAAA? openwrt.org.lan. (33)
10:18:19.614859 IP OpenWrt.lan.53 > eyes.62154: 3 NXDomain 0/0/0 (33)
10:18:19.615050 IP eyes.62155 > OpenWrt.lan.53: 4+ A? openwrt.org. (29)
10:18:19.615082 IP OpenWrt.lan.53 > eyes.62155: 4 1/0/0 A 139.59.209.225 (45)
10:18:19.617743 IP eyes.62156 > OpenWrt.lan.53: 5+ AAAA? openwrt.org. (29)
10:18:19.617782 IP OpenWrt.lan.53 > eyes.62156: 5 1/0/0 AAAA 2a03:b0c0:3:d0::1af1:1 (
When I run on the client, using its default server 192.168.1.1:
nslookup openwrt.org
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find openwrt.org: Query refused
nothing shows up on the OpenWrt tcpdump. That means the REFUSED answer from 192.168.1.1 cannot be coming from OpenWrt's dnsmasq: whatever replies at 192.168.1.1 on that segment is most likely another device using the same address (a common culprit is an upstream modem/router defaulting to 192.168.1.1). Compare the MAC shown by `arp -a` on the client for 192.168.1.1 with the MAC of OpenWrt's eth0 to confirm.
when running `netstat` on OpenWrt (without `-l`, so this shows only established connections, not listening sockets):
root@OpenWrt:~# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 OpenWrt.lan:https rootpad.lan:35664 ESTABLISHED
tcp 0 200 OpenWrt.lan:ssh rootpad.lan:39684 ESTABLISHED
tcp 0 0 OpenWrt.lan:ssh rootpad.lan:39472 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 7 [ ] DGRAM 686 /dev/log
unix 3 [ ] STREAM CONNECTED 1794
unix 3 [ ] STREAM CONNECTED 1795 /var/run/ubus/ubus.sock
unix 3 [ ] STREAM CONNECTED 1464
unix 3 [ ] STREAM CONNECTED 1465 /var/run/ubus/ubus.sock
unix 3 [ ] STREAM CONNECTED 1399 /var/run/ubus/ubus.sock
unix 2 [ ] DGRAM 1447
unix 2 [ ] DGRAM 5981
unix 3 [ ] STREAM CONNECTED 1398
unix 2 [ ] DGRAM 5984
unix 2 [ ] DGRAM 1234
unix 2 [ ] DGRAM 2504
unix 3 [ ] STREAM CONNECTED 746
unix 3 [ ] STREAM CONNECTED 747 /var/run/ubus/ubus.sock
unix 3 [ ] STREAM CONNECTED 5979 /var/run/ubus/ubus.sock
unix 3 [ ] STREAM CONNECTED 5978
unix 3 [ ] STREAM CONNECTED 688
unix 2 [ ] DGRAM 1396
unix 3 [ ] STREAM CONNECTED 689 /var/run/ubus/ubus.sock
unix 2 [ ] DGRAM 445
unix 3 [ ] STREAM CONNECTED 447 /var/run/ubus/ubus.sock
unix 3 [ ] STREAM CONNECTED 446
and the uci export dhcp shows
root@OpenWrt:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'data'
option interface 'data'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'cams'
option interface 'cams'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
netstat -lnp
(sanitize/obfuscate the public IP if present)
it looks like dnsmasq is running, also on 192.168.1.1
I am beginning to suspect it is the client's fault. I am going to test with a different client.
anon50098793:
netstat -lnp
root@OpenWrt:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2445/uhttpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 xx.xx.xx.xx:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 10.0.0.254:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 10.1.0.254:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 10.2.0.254:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 10.3.0.254:53 0.0.0.0:* LISTEN 5694/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1971/dropbear
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2445/uhttpd
tcp 0 0 :::80 :::* LISTEN 2445/uhttpd
tcp 0 0 ::1:53 :::* LISTEN 5694/dnsmasq
tcp 0 0 fe80::d250:99ff:fed8:dbd8:53 :::* LISTEN 5694/dnsmasq
tcp 0 0 fe80::b0e9:56ff:fe4f:e5d5:53 :::* LISTEN 5694/dnsmasq
tcp 0 0 fe80::b0e9:56ff:fe4f:e5d5:53 :::* LISTEN 5694/dnsmasq
tcp 0 0 :::22 :::* LISTEN 1971/dropbear
tcp 0 0 :::443 :::* LISTEN 2445/uhttpd
udp 0 0 127.0.0.1:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 xx.xx.xx.xx:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 10.0.0.254:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 10.1.0.254:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 10.2.0.254:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 10.3.0.254:53 0.0.0.0:* 5694/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 5694/dnsmasq
udp 0 0 :::547 :::* 2144/odhcpd
udp 0 0 ::1:53 :::* 5694/dnsmasq
udp 0 0 fe80::d250:99ff:fed8:dbd8:53 :::* 5694/dnsmasq
udp 0 0 fe80::b0e9:56ff:fe4f:e5d5:53 :::* 5694/dnsmasq
udp 0 0 fe80::b0e9:56ff:fe4f:e5d5:53 :::* 5694/dnsmasq
raw 0 0 ::%26:58 :::* 58 2144/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 443 1312/ubusd /var/run/ubus/ubus.sock
when configuring a fresh Linux client with an IP address of 192.168.1.98/24, gateway and DNS 192.168.1.1,
I can ping 192.168.1.1 but nslookup fails with
connection timed out;; no servers could be reached
I think this rules out the hypothesis that it is a client issue, as both a fresh Linux client and a Windows server without a firewall seem to have difficulties.
restore a less restrictive/modified set of firewall rules and try again until solved...
or run tcpdump on the client too...
you can also enable log_queries in dnsmasq...
I find your statement about no tcpdump output unusual... only something like client-side, port-based redirection would really explain that, if true...
are you 1000% sure no other fancy service (mwan3, vpnpbr, etc.) is running on your router and mangling traffic paths...?
Scout's honor. I installed a fresh OpenWrt 20.2.rc3 image and worked from there.
Added interfaces one by one.
The firewall is still default + minor additions to allow the camera host to access the internet (at least I tried enabling that).
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'lan'
list network 'ipmi'
list network 'virt'
list network 'data'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'cams'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'cams'
option log '1'
config rule
option name 'Allow-WAN-camshost'
list proto 'all'
option src 'cams'
list src_ip '192.168.1.99'
option dest 'wan'
option target 'ACCEPT'
config rule
option name 'Allow-DNS-camshost'
list proto 'udp'
option src 'cams'
list src_ip '192.168.1.99'
option dest_port '53'
option target 'ACCEPT'
So I am assuming it does not get any more default than this.
Regarding the firewall rules. Should I simply clear the whole firewall config file and start again with less than default? Or would that make the router unusable?
depends how lost you are... the smartest thing to do is go back somewhere 'known'...
then permit everything (that zone/subnet/interface) and test to exclude any mess ups there... (temporarily)
Note that tcpdump captures incoming packets before the firewall processes them, so firewall rules cannot hide them from the capture.
So, if you cannot capture the client's traffic with tcpdump on the router, the problem is unrelated to the firewall.
trendy
July 20, 2021, 9:44am
Try this one on OpenWrt: tcpdump -i any -evn host 192.168.1.98 and port 53