Firewall misconfiguration, or something is wrong?!

Hey,

I need some feedback. I'm running OpenWrt 19.07-SNAPSHOT r10560-92953ae99f on my primary router, and I tried to firewall some Chinese IP cams from connecting to the internets with the following rules:

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Cam1 block'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.1.51'
	option target 'DROP'

However this fella' found himself some cosy firmware upgrades, which is mighty strange to me. Even after changing to

option target 'REJECT'

Am I missing something?

Just checked my rules, none of them have the option enabled '1' part.

Try like this maybe:

config rule
	option name 'Cam-block-1'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp icmp'
	option family 'any'
	option target 'DROP'
	option dest_ip '0.0.0.0/0'
	option src_ip '192.168.1.51/24'

Enabled 1 is fine.

Also proto any was OK.

I was going to suggest option dest '*'

Needs to be /32

dest '*' would also block LAN, wouldn't it?

Why not check your logs to see if anything is blocked:

logread | grep -Eo "SRC=192.168.1.248 DST=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
  • LAN to LAN traffic does not pass the firewall.
  • It's a traffic rule, not input
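
A small helper for the log check suggested above, added here as an example and not part of the thread: it takes `logread` output on stdin and summarises which destinations a given LAN host was blocked from reaching, with a hit count per destination. It assumes zone logging is enabled on the wan zone (`option log '1'`), otherwise nothing is written to the log; the log lines embedded below are constructed to resemble logread output and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage on the router: logread | blocked_destinations 192.168.1.51
# Output format: <destination> <number of blocked packets>, most frequent first.

blocked_destinations() {
    # Escape the dots so 192.168.1.51 does not also match 192x168x1x51.
    src_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    # 1. keep only lines whose SRC= field is exactly this host (the trailing
    #    space/end anchor stops .5 from matching .51),
    # 2. pull out the DST= address,
    # 3. count unique destinations and sort by count.
    grep -E "SRC=${src_re}( |$)" \
        | grep -Eo 'DST=[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        | cut -d= -f2 \
        | sort | uniq -c | sort -rn \
        | awk '{print $2" "$1}'
}

# Constructed sample (not real router output): three REJECTs for the camera,
# one for an unrelated host that must not be counted.
SAMPLE_LOG='Fri Aug 16 10:00:01 2019 kern.warn kernel: [ 1201.133] REJECT wan out: IN=br-lan OUT=eth0.2 SRC=192.168.1.51 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=45678 DPT=443
Fri Aug 16 10:00:02 2019 kern.warn kernel: [ 1202.441] REJECT wan out: IN=br-lan OUT=eth0.2 SRC=192.168.1.51 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=45679 DPT=443
Fri Aug 16 10:00:05 2019 kern.warn kernel: [ 1205.002] REJECT wan out: IN=br-lan OUT=eth0.2 SRC=192.168.1.51 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=5000 DPT=123
Fri Aug 16 10:00:06 2019 kern.warn kernel: [ 1206.310] REJECT wan out: IN=br-lan OUT=eth0.2 SRC=192.168.1.5 DST=198.51.100.99 LEN=60 PROTO=TCP SPT=50000 DPT=80'

# Run the helper over the constructed sample for the camera's address.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_destinations 192.168.1.51
}

demo
```

If the command prints nothing while the camera still reaches the internet, the rule is not matching at all (wrong zone, wrong source, or the traffic never forwards through the router), which is a different problem from the rule matching but using the wrong target.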

Welp, I did not think of this at first... Thinking about it - kinda makes sense, LAN would basically talk via layer-2 wouldn't it? Hence not going via firewall.

Rip my rules to block forwarding to/from Samsung TV to LAN hosts... will need to actually put it into a separate vlan I suppose.

Edit

It's a traffic rule, not input

Thanks, makes sense now. I've always found zone-based firewalls confusing.


It may be worth using src_mac, so you can avoid static lease configuration and block both IPv4 and IPv6 with a single rule.
