Firewall on WAN or LAN zone?

Hello community,
Should I set up the firewall rules on the WAN zone, which gets the eth1.2 interface, or on the LAN zone, which gets the br-lan interface?
AFAIK OpenWRT does the abstraction of the interfaces but I want to work with IPTABLES

I am confused about the difference between setting the rules on the WAN zone and on the LAN zone.

"Zones" are a good abstraction for firewall rules that allow people to think about "traffic from (or to) what's plugged into my WAN" (or "LAN", or ...). The base rules that implement this abstraction are pretty tightly woven in, so sticking with that abstraction is a good idea for even expert users (unless they're going to completely rewrite all the rules and not use UCI/LuCI to manage their firewall).

You can use iptables rules within the framework established by the default OpenWrt install.

1 Like

So, in order to use the framework established by default I only have to use the chains provided right ?

You have not yet explained what you're wishing to make a rule for - so we cannot guess where you should place the rule.

That would make sense, that's why they're there.

  • Custom commands go to /etc/firewall.user in iptables format (here, you can specify physical VLANs, interfaces, etc.)
  • In OpenWrt format, you enter firewall commands on the UCI (using UCI syntax), or in /etc/config/firewall (here you use zones)

I think you should use the chains marked with "!fw3: Custom .. rule chain" in your custom rules. Other chains are managed by the firewall package.

1 Like

Yes the script will be under /etc/firewall.user in IPTABLES format

Do I have to add the shebang in the firewall.user file: #!/bin/sh ?

If I use the fw3 rules by default, I imagine I won't have to specify the interfaces like "eth1.2" or "br-lan" if there is already "input_wan_rule" or "input_lan_rule"?

I want to setup a drop policy by default and open few ports

No.

OK, you're confusing the UCI chains and using the firewall.user file.

If you use /etc/firewall.user - do not use any of those chains. Only use normal INPUT, FORWARD, etc.

If you wish to use those, you'd employ the UCI syntax in /etc/config/firewall like normal.

See: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

I'd advise the UCI for this (much easier, see link above); but it can be done in firewall.user too.

Okay, thank you.
I used the firewall.user and the rules were added to the present rules. Is it okay to flush everything at the beginning of the firewall.user script?
And so if I use the UCI, should I REJECT on the WAN zone or on the LAN zone to block everything by default?
What rules should I add to not be locked out (I use a computer to connect to the router through SSH)?

No, you'll wipe most of the other firewall setup by fw3.

We don't know what your intentions are, so no clue how you should block. FYI, OpenWrt sets up WAN INPUT to block by default anyways. I'm truly confused why you want to block everything on LAN.

Input to LAN is permitted by default, so you shouldn't need rules (unless you change or remove them). Then you would have to allow things like DNS, DHCP, etc.

  • I really think you should try to understand the UCI firewall, instead of piecemeal iptables rules.
  • I think you should use the Firewall page on the LuCI web GUI if you're having difficulty
1 Like

I tried with the UCI firewall but I don't know on which zone I have to reject everything : WAN or LAN ?

I tried to use the LuCI web GUI also but still don't understand about WAN and LAN.
I want to block everything and ACCEPT only few ports and domains (I will use IPSET for this I think)

In IPTABLES I see the input_rule, is it a chain I have to create because I can't see it anywhere in the default rules ?

 84188   8.95 MB  input_rule  all  *  *  0.0.0.0/0      0.0.0.0/0 /* !fw3: Custom input rule chain */

LOL...I've told you twice, we don't know what you're trying to block, so no clue what it means to "reject everything." Perhaps you don't clearly understand what "reject everything" means on a Linux device.

:warning: WARNING, THIS WILL REJECT EVERYTHING - once applied you will lose connection to your OpenWrt device:

# in /etc/config/firewall

config rule
	option name 'Block-Everything'
	option src '*'
	option proto 'all'
	option family 'any'
	option target 'REJECT'

Okay, sorry. But it's very complex to explain, so I tried to make the problem smaller.
By rejecting everything it's -everything- EXCEPT ports 443TCP, 123UDP, 53UDP, balena-cloud.com, github.com, docker.io, docker.com and sqs.eu-west-1.amazonaws.com.
Is this possible ?

If I add ACCEPT rules before this one, can it work?

The domains may be difficult...I also don't know why you want access to other DNS servers if you're blocking so much...

In this case, it seems you want to REJECT FORWARDING from LAN to WAN, except for the above. This will be separate from blocking clients' access to the LAN side of the router and blocking from WAN to the router (probably where your zone confusion is coming from).

  • Remove rule allowing forward from LAN to WAN
  • Add rules allowing forward to the listed ports
  • Simply edit the rule I posted above - so it blocks from SRC LAN to DST WAN
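Added example (not posted by anyone in this thread) of what those three bullets look like in /etc/config/firewall. It assumes the stock zone names 'lan' and 'wan' and the ports named earlier in the thread; the ipset part is an assumption based on fw3's ipset support and is only needed for the domain names.

```uci
# /etc/config/firewall  (added example; stock zone names 'lan' and 'wan' assumed)

# Step 1: delete the stock stanza that allows all forwarding from LAN to WAN:
#   config forwarding
#       option src 'lan'
#       option dest 'wan'

# Step 2: allow only the listed ports from LAN to WAN.
# fw3 evaluates rules in file order, so these ACCEPTs must come before the REJECT.
config rule
	option name 'Allow-LAN-to-WAN-HTTPS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-to-WAN-NTP'
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-to-WAN-DNS'
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# Assumption: fw3 ipset support. Domains are matched through an ipset that dnsmasq
# fills from the DNS answers it sees; in /etc/config/dhcp, under "config dnsmasq",
# add one entry per domain, e.g.  list ipset '/github.com/allowed_hosts'
config ipset
	option name 'allowed_hosts'
	option match 'dest_ip'
	option storage 'hash'

config rule
	option name 'Allow-LAN-to-WAN-Listed-Domains'
	option src 'lan'
	option dest 'wan'
	option ipset 'allowed_hosts'
	option target 'ACCEPT'

# Step 3: the "Block-Everything" rule from the post above, narrowed to src lan / dest wan.
# Because both src and dest are set, this only affects forwarded traffic: LAN clients
# can still reach the router itself (SSH, DHCP, DNS) through the zone's INPUT policy.
config rule
	option name 'Block-LAN-to-WAN'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'any'
	option target 'REJECT'
```

Apply with `/etc/init.d/firewall restart` and check with `iptables -L zone_lan_forward -v -n`, where the ACCEPTs should appear above the REJECT.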

:+1:

YEP.

1 Like

It's probably a point I misunderstand, could you explain your idea behind this in more detail? Is there a method to put the URL directly and then the firewall will reload it to see if the addresses have changed, OR do I have to find every address for each URL and use an IPSET configuration?

If I reject the access from the WAN zone to the LAN zone, will I still have access to the router through SSH (in the case I don't make a rule that accepts it)?

You mean it will be different ?

thank you, you're helping me a lot :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.