Firewall port forwarding (OpenVPN) to VLAN interface device

Hey,

I have recently come across an issue after re-configuring my OpenVPN setup a bit.

My main gateway router used to have a port forwarding rule in its firewall to another OpenVPN router on the lan (i.e. let's say the downstream OpenVPN router). In this way, I simply used the public IP to connect to my downstream VPN router and all was fine all this time. It is important to say that this lan interface is part of multiple VLANs (thus multiple interfaces). Up until now, all worked fine.

Recently, in order to improve security and add more control, I moved that downstream VPN router to a dedicated VLAN. The firewall only allows traffic to WAN from this VPN VLAN, i.e. it cannot reach the lan zone etc. On the other hand, the lan zone can access this dedicated VPN VLAN. From the hardware point of view, it is implemented in the following way: gateway router -> dumb tagger router (which just tags and un-tags incoming or outgoing packets) -> downstream VPN router.

The problem now is that port forwarding from WAN to that downstream router does not work. I explicitly stated in the config that forwarding should be to that VPN VLAN zone, to a specific IP, but wan packets are just rejected (I observed that when I turned on logging on the WAN zone). For debugging purposes, if I move that router back to the lan zone, port forwarding works fine as expected.

Is there something more I have to do so that the firewall is able to forward incoming connections to my downstream VPN router that is in its own VLAN?

P.S. It is important to say that there is also a VPN connection to the main gateway router that has a firewall rule but, obviously, does not have any port forwarding.

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option name 'wan'
        option macaddr ''
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'Guest'
        option proto 'static'
        option ipaddr '172.24.20.1'
        option netmask '255.255.255.0'
        option device 'br-lan.20'
        list dns '192.168.10.1'

config interface 'IoT'
        option proto 'static'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'
        option device 'br-lan.30'
        list dns '192.168.10.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan2:t'
        list ports 'lan3:t'

config device
        option name 'br-lan.10'
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option ipv6 '0'

config device
        option name 'br-lan.20'
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option ipv6 '0'

config device
        option name 'br-lan.30'
        option type '8021q'
        option ifname 'br-lan'
        option vid '30'
        option ipv6 '0'

config interface 'TUN0'
        option proto 'none'
        option device 'tun0'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        option local '0'

config interface 'vpn_srv'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        list dns '192.168.10.1'
        option delegate '0'

/etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option log '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'GuestZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config zone
        option name 'IoTZone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'lan'
        option dest 'IoTZone'

config rule
        option name 'AL-Allow Guest DHCP and DNS '
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'AL-Allow-VPN'
        option src 'wan'
        option dest_port '1193'
        option target 'ACCEPT'
        list proto 'udp'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config zone
        option name 'vpn_srv'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpn_srv'
        option log '1'

config forwarding
        option src 'vpn_srv'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn_srv'

config redirect
        option target 'DNAT'
        option name 'vpn'
        list proto 'udp'
        option src 'wan'
        option src_dport '1192'
        option dest_ip '192.168.40.2'
        option dest_port '1192'
        option dest 'vpn_srv'

Thanks for any help, I have been struggling with this for a couple of days now...
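Added example (my own code, not from the thread or from OpenWrt): a small Python check, run on a workstation against copies of /etc/config/network and /etc/config/firewall, that walks each `config redirect` from its `dest` zone to the zone's network, confirms that `dest_ip` sits inside that network's subnet, and reports the `bridge-vlan` ports carrying it. The sample input embedded below is trimmed from the config posted above; the function names and result fields are mine. On this config it reports OK for the `vpn` redirect, which is worth knowing: zone, network, subnet and VLAN line up, so the search can move on from the redirect's addressing.

```python
import ipaddress
import re

# Constructed sample input: the sections of the poster's /etc/config/network
# and /etc/config/firewall that the check needs, trimmed from the thread above.
NETWORK_CFG = """
config interface 'vpn_srv'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan2:t'
        list ports 'lan3:t'
"""

FIREWALL_CFG = """
config zone
        option name 'vpn_srv'
        list network 'vpn_srv'

config redirect
        option target 'DNAT'
        option name 'vpn'
        list proto 'udp'
        option src 'wan'
        option src_dport '1192'
        option dest_ip '192.168.40.2'
        option dest_port '1192'
        option dest 'vpn_srv'
"""

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; opts maps key -> list of
    values so that 'option' and repeated 'list' entries are handled alike."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            value = m.group(3) if m.group(3) is not None else m.group(4)
            current["opts"].setdefault(m.group(2), []).append(value)
    return sections


def first(opts, key, default=None):
    """First value of a UCI option, or default when the option is absent."""
    return opts.get(key, [default])[0]


def vlan_ports(net_sections, device):
    """For a VLAN device such as 'br-lan.40', return the port list of the matching
    bridge-vlan section (e.g. ['lan2:t', 'lan3:t']), or None if there is none."""
    if "." not in device:
        return None
    bridge, vid = device.rsplit(".", 1)
    for s in net_sections:
        if (s["type"] == "bridge-vlan" and first(s["opts"], "device") == bridge
                and first(s["opts"], "vlan") == vid):
            return s["opts"].get("ports", [])
    return None


def check_redirects(network_text, firewall_text):
    """For every DNAT redirect: confirm the dest zone exists, find the zone network
    whose subnet contains dest_ip, and report which bridge-VLAN ports carry it."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    ifaces = {s["name"]: s["opts"] for s in net if s["type"] == "interface"}
    zones = {first(s["opts"], "name"): s["opts"] for s in fw if s["type"] == "zone"}
    results = []
    for s in fw:
        if s["type"] != "redirect" or first(s["opts"], "target", "DNAT") != "DNAT":
            continue
        zone, dest_ip = first(s["opts"], "dest"), first(s["opts"], "dest_ip")
        res = {"name": first(s["opts"], "name", "?"), "zone": zone, "dest_ip": dest_ip,
               "status": "FAIL", "network": None, "device": None, "subnet": None, "vlan_ports": None}
        if zone not in zones:
            res["detail"] = f"dest zone {zone!r} is not defined in the firewall config"
        elif dest_ip is None:
            res["detail"] = "redirect has no dest_ip"
        else:
            res["detail"] = f"{dest_ip} is outside every subnet attached to zone {zone!r}"
            for netname in zones[zone].get("network", []):
                opts = ifaces.get(netname, {})
                addr = first(opts, "ipaddr")
                if addr is None:
                    continue
                if "/" not in addr:  # ipaddr may be CIDR or paired with a separate netmask
                    addr = f"{addr}/{first(opts, 'netmask', '255.255.255.255')}"
                subnet = ipaddress.ip_interface(addr).network
                if ipaddress.ip_address(dest_ip) in subnet:
                    device = first(opts, "device", "")
                    res.update(status="OK", network=netname, device=device, subnet=str(subnet),
                               vlan_ports=vlan_ports(net, device),
                               detail=f"{dest_ip} is in {subnet} via network {netname} ({device})")
                    break
        results.append(res)
    return results
```

Call `check_redirects()` with the two file contents and print each result's `status` and `detail`; a FAIL with "outside every subnet" means the redirect points at a host the dest zone cannot reach, and a FAIL with "not defined" means a zone rename broke the redirect.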

Haven't looked into this much, but maybe just try:

Editing:

To:

If that works then maybe that's how it's supposed to be for you. Maybe setting the input and forward back to reject as well is the move if it works.

Thanks for the reply, but these quick changes did not help; it still cannot connect.

read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)

Perhaps you need a rule to accept the traffic before it is redirected.

config rule
        option name 'test'
        option src 'wan'
        option dest 'vpn_srv'
        option dest_port '1192'
        option target 'ACCEPT'

Something like that.

I am not sure either. I think I should not add any rules that allow traffic to specific zones, but even this quick test did not solve the issue. It is becoming really disturbing.

Thanks

What's the output of nft list ruleset?

It is as follows:

table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "tun0", "br-lan.10" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "br-lan.20" jump input_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 input traffic"
                iifname "br-lan.30" jump input_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 input traffic"
                iifname "br-lan.40" jump input_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "tun0", "br-lan.10" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "br-lan.20" jump forward_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 forward traffic"
                iifname "br-lan.30" jump forward_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 forward traffic"
                iifname "br-lan.40" jump forward_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "tun0", "br-lan.10" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "br-lan.20" jump output_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 output traffic"
                oifname "br-lan.30" jump output_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 output traffic"
                oifname "br-lan.40" jump output_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "tun0", "br-lan.10" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "br-lan.20" jump helper_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 helper assignment"
                iifname "br-lan.30" jump helper_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 helper assignment"
                iifname "br-lan.40" jump helper_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_IoTZone comment "!fw4: Accept lan to IoTZone forwarding"
                jump accept_to_vpn_srv comment "!fw4: Accept lan to vpn_srv forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "tun0", "br-lan.10" } counter packets 1614 bytes 97744 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "tun0", "br-lan.10" } counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 3 bytes 204 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                udp dport 1193 counter packets 0 bytes 0 accept comment "!fw4: AL-Allow-VPN"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
                log prefix "reject wan forward: "
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "wan" ct state invalid counter packets 0 bytes 0 log prefix "drop wan invalid ct state: " drop comment "!fw4: Prevent NAT leakage"
                oifname "wan" counter packets 69 bytes 20958 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 4 bytes 204 log prefix "reject wan in: " jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 log prefix "reject wan out: " jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_GuestZone {
                tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: AL-Allow Guest DHCP and DNS "
                udp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: AL-Allow Guest DHCP and DNS "
                jump reject_from_GuestZone
        }

        chain output_GuestZone {
                jump accept_to_GuestZone
        }

        chain forward_GuestZone {
                jump accept_to_wan comment "!fw4: Accept GuestZone to wan forwarding"
                jump reject_to_GuestZone
        }

        chain helper_GuestZone {
        }

        chain accept_to_GuestZone {
                oifname "br-lan.20" counter packets 0 bytes 0 accept comment "!fw4: accept GuestZone IPv4/IPv6 traffic"
        }

        chain reject_from_GuestZone {
                iifname "br-lan.20" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject GuestZone IPv4/IPv6 traffic"
        }

        chain reject_to_GuestZone {
                oifname "br-lan.20" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject GuestZone IPv4/IPv6 traffic"
        }

        chain input_IoTZone {
                jump accept_from_IoTZone
        }

        chain output_IoTZone {
                jump accept_to_IoTZone
        }

        chain forward_IoTZone {
                meta l4proto tcp ip saddr 10.10.30.18 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: AL-Allow NAS to WAN"
                meta l4proto udp ip saddr 10.10.30.18 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: AL-Allow NAS to WAN"
                meta l4proto tcp ip saddr { 10.10.30.13, 10.10.30.14, 10.10.30.15, 10.10.30.16, 10.10.30.17, 10.10.30.21, 10.10.30.22 } ip daddr 192.168.10.15 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: AL-Allow IoT to srv-openvpn"
                meta l4proto udp ip saddr { 10.10.30.13, 10.10.30.14, 10.10.30.15, 10.10.30.16, 10.10.30.17, 10.10.30.21, 10.10.30.22 } ip daddr 192.168.10.15 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: AL-Allow IoT to srv-openvpn"
                meta l4proto tcp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                meta l4proto udp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                meta l4proto icmp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                jump reject_to_IoTZone
        }

        chain helper_IoTZone {
        }

        chain accept_from_IoTZone {
                iifname "br-lan.30" counter packets 125 bytes 6832 accept comment "!fw4: accept IoTZone IPv4/IPv6 traffic"
        }

        chain accept_to_IoTZone {
                oifname "br-lan.30" counter packets 201 bytes 15459 accept comment "!fw4: accept IoTZone IPv4/IPv6 traffic"
        }

        chain reject_to_IoTZone {
                oifname "br-lan.30" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject IoTZone IPv4/IPv6 traffic"
        }

        chain input_vpn_srv {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_vpn_srv
        }

        chain output_vpn_srv {
                jump accept_to_vpn_srv
        }

        chain forward_vpn_srv {
                jump accept_to_wan comment "!fw4: Accept vpn_srv to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_vpn_srv
                log prefix "reject vpn_srv forward: "
        }

        chain helper_vpn_srv {
        }

        chain accept_from_vpn_srv {
                iifname "br-lan.40" counter packets 1 bytes 76 accept comment "!fw4: accept vpn_srv IPv4/IPv6 traffic"
        }

        chain accept_to_vpn_srv {
                oifname "br-lan.40" counter packets 0 bytes 0 accept comment "!fw4: accept vpn_srv IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname { "tun0", "br-lan.10" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
                iifname "br-lan.40" jump dstnat_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 dstnat traffic"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname { "tun0", "br-lan.10" } jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "br-lan.40" jump srcnat_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 srcnat traffic"
        }

        chain dstnat_lan {
                ip saddr 192.168.10.0/24 ip daddr my_ip udp dport 1194 dnat ip to 192.168.10.15:1194 comment "!fw4: WAN to srv-openvpn (reflection)"
        }

        chain srcnat_lan {
                ip saddr 192.168.10.0/24 ip daddr 192.168.10.15 udp dport 1194 snat ip to 192.168.10.1 comment "!fw4: WAN to srv-openvpn (reflection)"
        }

        chain dstnat_wan {
                meta nfproto ipv4 udp dport 1194 counter packets 0 bytes 0 dnat ip to 192.168.10.15:1194 comment "!fw4: WAN to srv-openvpn"
                meta nfproto ipv4 udp dport 1192 counter packets 0 bytes 0 dnat ip to 192.168.40.2:1192 comment "!fw4: vpn"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain dstnat_vpn_srv {
                ip saddr 192.168.40.0/24 ip daddr my_ip udp dport 1192 dnat ip to 192.168.40.2:1192 comment "!fw4: vpn (reflection)"
        }

        chain srcnat_vpn_srv {
                ip saddr 192.168.40.0/24 ip daddr 192.168.40.2 udp dport 1192 snat ip to 192.168.40.1 comment "!fw4: vpn (reflection)"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {

root@main-router:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "tun0", "br-lan.10" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "br-lan.20" jump input_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 input traffic"
                iifname "br-lan.30" jump input_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 input traffic"
                iifname "br-lan.40" jump input_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "tun0", "br-lan.10" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "br-lan.20" jump forward_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 forward traffic"
                iifname "br-lan.30" jump forward_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 forward traffic"
                iifname "br-lan.40" jump forward_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "tun0", "br-lan.10" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "br-lan.20" jump output_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 output traffic"
                oifname "br-lan.30" jump output_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 output traffic"
                oifname "br-lan.40" jump output_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "tun0", "br-lan.10" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "br-lan.20" jump helper_GuestZone comment "!fw4: Handle GuestZone IPv4/IPv6 helper assignment"
                iifname "br-lan.30" jump helper_IoTZone comment "!fw4: Handle IoTZone IPv4/IPv6 helper assignment"
                iifname "br-lan.40" jump helper_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_IoTZone comment "!fw4: Accept lan to IoTZone forwarding"
                jump accept_to_vpn_srv comment "!fw4: Accept lan to vpn_srv forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "tun0", "br-lan.10" } counter packets 389 bytes 23530 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "tun0", "br-lan.10" } counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                udp dport 1193 counter packets 0 bytes 0 accept comment "!fw4: AL-Allow-VPN"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
                log prefix "reject wan forward: "
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "wan" ct state invalid counter packets 0 bytes 0 log prefix "drop wan invalid ct state: " drop comment "!fw4: Prevent NAT leakage"
                oifname "wan" counter packets 55 bytes 21598 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 4 bytes 180 log prefix "reject wan in: " jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 log prefix "reject wan out: " jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_GuestZone {
                tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: AL-Allow Guest DHCP and DNS "
                udp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: AL-Allow Guest DHCP and DNS "
                jump reject_from_GuestZone
        }

        chain output_GuestZone {
                jump accept_to_GuestZone
        }

        chain forward_GuestZone {
                jump accept_to_wan comment "!fw4: Accept GuestZone to wan forwarding"
                jump reject_to_GuestZone
        }

        chain helper_GuestZone {
        }

        chain accept_to_GuestZone {
                oifname "br-lan.20" counter packets 0 bytes 0 accept comment "!fw4: accept GuestZone IPv4/IPv6 traffic"
        }

        chain reject_from_GuestZone {
                iifname "br-lan.20" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject GuestZone IPv4/IPv6 traffic"
        }

        chain reject_to_GuestZone {
                oifname "br-lan.20" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject GuestZone IPv4/IPv6 traffic"
        }

        chain input_IoTZone {
                jump accept_from_IoTZone
        }

        chain output_IoTZone {
                jump accept_to_IoTZone
        }

        chain forward_IoTZone {
                meta l4proto tcp ip saddr 10.10.30.18 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: AL-Allow NAS to WAN"
                meta l4proto udp ip saddr 10.10.30.18 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: AL-Allow NAS to WAN"
                meta l4proto tcp ip saddr { 10.10.30.13, 10.10.30.14, 10.10.30.15, 10.10.30.16, 10.10.30.17, 10.10.30.21, 10.10.30.22 } ip daddr 192.168.10.15 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: AL-Allow IoT to srv-openvpn"
                meta l4proto udp ip saddr { 10.10.30.13, 10.10.30.14, 10.10.30.15, 10.10.30.16, 10.10.30.17, 10.10.30.21, 10.10.30.22 } ip daddr 192.168.10.15 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: AL-Allow IoT to srv-openvpn"
                meta l4proto tcp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                meta l4proto udp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                meta l4proto icmp ip saddr 10.10.30.26 ip daddr 192.168.10.21 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Projector to NAS"
                jump reject_to_IoTZone
        }

        chain helper_IoTZone {
        }

        chain accept_from_IoTZone {
                iifname "br-lan.30" counter packets 88 bytes 5600 accept comment "!fw4: accept IoTZone IPv4/IPv6 traffic"
        }

        chain accept_to_IoTZone {
                oifname "br-lan.30" counter packets 35 bytes 2369 accept comment "!fw4: accept IoTZone IPv4/IPv6 traffic"
        }

        chain reject_to_IoTZone {
                oifname "br-lan.30" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject IoTZone IPv4/IPv6 traffic"
        }

        chain input_vpn_srv {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_vpn_srv
        }

        chain output_vpn_srv {
                jump accept_to_vpn_srv
        }

        chain forward_vpn_srv {
                jump accept_to_wan comment "!fw4: Accept vpn_srv to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_vpn_srv
                log prefix "reject vpn_srv forward: "
        }

        chain helper_vpn_srv {
        }

        chain accept_from_vpn_srv {
                iifname "br-lan.40" counter packets 0 bytes 0 accept comment "!fw4: accept vpn_srv IPv4/IPv6 traffic"
        }

        chain accept_to_vpn_srv {
                oifname "br-lan.40" counter packets 0 bytes 0 accept comment "!fw4: accept vpn_srv IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
                iifname "br-lan.40" jump dstnat_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 dstnat traffic"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "br-lan.40" jump srcnat_vpn_srv comment "!fw4: Handle vpn_srv IPv4/IPv6 srcnat traffic"
        }

        chain dstnat_lan {
        }

        chain srcnat_lan {
        }

        chain dstnat_wan {
                meta nfproto ipv4 udp dport 1192 counter packets 0 bytes 0 dnat ip to 192.168.40.2:1192 comment "!fw4: vpn"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain dstnat_vpn_srv {
                ip saddr 192.168.40.0/24 ip daddr my_ip udp dport 1192 dnat ip to 192.168.40.2:1192 comment "!fw4: vpn (reflection)"
        }

        chain srcnat_vpn_srv {
                ip saddr 192.168.40.0/24 ip daddr 192.168.40.2 udp dport 1192 snat ip to 192.168.40.1 comment "!fw4: vpn (reflection)"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain reject_from_vpn_srv {
        }

        chain reject_to_vpn_srv {
        }
}

There is not a single hit on any of the so-called vpn rules.
Are you sure you are using the correct public wan IP?
And what is the correct port used, 1192, 93 or 94?

Where did that come from? There is no such rule in the posted firewall configuration.

Sorry, I stripped that output to remove some things that are really not useful. However, I have updated my message with the full output now. Sorry if that caused confusion.

I am pretty sure that the external IP is correct, as I can just connect to the main gateway router without any problems.

Right now, the port is set to 1192. The VPN to the main gw router uses 1193.

Thanks

It turns out after some debugging that it works (I can connect to the router on its dedicated VPN interface) if I am connecting from the real WAN, i.e. an external network, for example using a cell phone's hotspot.

I do not understand why it works this way but does not work if I connect from the local network via the public IP. My old setup used to work fine when I connected from within the LAN via the public IP back to the VPN router, which was on the LAN interface, not its dedicated one.

Is there something I am missing in the settings of the vpn interface?

To be able to connect to a service locally but using the wan IP address, you need NAT reflection (aka loopback or hairpin) rules like the ones you have for the lan zone:

By default, they are only created for the destination zone in the DNAT rule, so currently you should be able to connect to the vpn via the wan IP from another device located in the vpn_srv zone.

To do it from another zone, you must explicitly specify that zone in the rule.

config redirect
        option target 'DNAT'
        option name 'vpn'
        list proto 'udp'
        option src 'wan'
        option src_dport '1192'
        option dest_ip '192.168.40.2'
        option dest_port '1192'
        option dest 'vpn_srv'
        list reflection_zone 'lan'
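A small Python model of fw4's DNAT and reflection decision for this redirect, added here as an illustration and not code from OpenWrt/fw4 or from anyone in the thread. It assumes a placeholder WAN address 203.0.113.10 in place of the page's 'my_ip' and a lan subnet 192.168.10.0/24 with router address 192.168.10.1, neither of which the thread states; the zone names and the 192.168.40.2:1192 target are the thread's.

```python
"""Model of fw4's DNAT + NAT-reflection decision for the thread's redirect.
Added example, not OpenWrt/fw4 or thread code. Assumed (not on the page):
WAN address 203.0.113.10 standing in for 'my_ip', lan subnet 192.168.10.0/24
with router address 192.168.10.1. Zone names and 192.168.40.2:1192 are the thread's.
"""
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"  # constructed placeholder for the page's 'my_ip'
ZONE_NET = {"lan": "192.168.10.0/24", "vpn_srv": "192.168.40.0/24"}
ZONE_ROUTER_IP = {"lan": "192.168.10.1", "vpn_srv": "192.168.40.1"}


def redirect(reflection_zone=()):
    """The thread's 'config redirect' as a dict; reflection_zone is the fix."""
    return {"src": "wan", "dest": "vpn_srv", "proto": "udp", "src_dport": 1192,
            "dest_ip": "192.168.40.2", "dest_port": 1192,
            "reflection_zone": tuple(reflection_zone)}


def nat_decision(rule, src_zone, saddr, daddr, proto, dport):
    """Emulate the dstnat_<zone>/srcnat_<zone> chains for one new flow.
    Returns (dnat_applied, new_daddr, new_saddr). fw4 emits reflection rules
    only for the DNAT's dest zone unless reflection_zone names more zones."""
    if proto != rule["proto"] or dport != rule["src_dport"]:
        return (False, daddr, saddr)
    if src_zone == rule["src"]:  # dstnat_wan: the plain port forward
        return (True, rule["dest_ip"], saddr)
    reflect_zones = (rule["dest"],) + rule["reflection_zone"]
    if (src_zone in reflect_zones
            and ip_address(saddr) in ip_network(ZONE_NET[src_zone])
            and daddr == WAN_IP):
        # srcnat_<dest zone>: reflection_src 'internal' (default) rewrites the
        # source to the router's address in the dest zone so replies hairpin back
        return (True, rule["dest_ip"], ZONE_ROUTER_IP[rule["dest"]])
    return (False, daddr, saddr)  # no DNAT: the packet is for the router itself


def reaches_vpn_router(rule, src_zone, saddr):
    """True if a client in src_zone reaches 192.168.40.2 via the WAN address."""
    dnat, new_daddr, _ = nat_decision(rule, src_zone, saddr, WAN_IP, "udp", 1192)
    return dnat and new_daddr == rule["dest_ip"]


if __name__ == "__main__":
    for zones in ((), ("lan",)):
        print("reflection_zone", zones, "-> lan client reaches VPN router:",
              reaches_vpn_router(redirect(zones), "lan", "192.168.10.50"))
```

Without `reflection_zone 'lan'` a lan client sending to the WAN address is never DNATed, so the packet is delivered to the router itself instead of 192.168.40.2, which is the failure described above; an external client or a vpn_srv client is forwarded either way.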

That was actually the cause of the problem. I made the change and it seems to be working fine.

Appreciate your time and help.
