Firewall problems with /29 network on Turris Omnia

Hello All --

I have set up my OpenWRT router (a Turris Omnia) with a /29 public network and several VLANs and DMZs. There are two servers behind this and my home network LAN. Unfortunately, my firewall is a mess. This is the basic configuration:

I got to where I am by following these tutorials and examples:

Really there are two problems with the firewall, depending on what redirects I turn on.

  1. The multiple-IPs configuration I got from the OpenWRT documentation specifies a DNAT block like this for each added WAN interface:

config redirect
option name 'dnat_230'
option src_dip 'xxx.xxx.xxx.230'
option proto 'all'
option target 'DNAT'
option dest_ip '192.168.3.3'
option src 'wan_230'
option dest 'dmz_230'

However, if I use this method, I get no firewalling at all -- while the server hosts are correctly masqueraded, they are also completely exposed. I don't want this.

  2. So, alternatively, I tried a bunch of service-specific redirects, like this:

config redirect
option target 'DNAT'
option proto 'tcp'
option src_dport '22'
option dest_port '22'
option name 'ssh-hoh'
option dest_ip '192.168.3.3'
option dest 'dmz_230'
option src 'wan'
option enabled '0'

But when I do that, the IPs are not distinguished correctly, and one of the IPs grabs all the traffic meant for the other one if, for instance, they both need SSH to work.

I have posted my complete /etc/config/network and /etc/config/firewall files here:


Any help would be much appreciated.

Thanks,

David Robinson

I'm not an expert in those WAN setups.
But I can see that your firewall for WAN is just open.

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'ACCEPT'
	option forward 'ACCEPT'

This is like DMZ for your whole device.

If you want a device in something like a dmz, I would create a separate fw zone/rules for each vlan.

EDIT: After reading a bit more about this specific setup I see a bit clearer. The FW rule I copied from your current setup is making your whole device open. Like I said already.

But I have to say that I cannot help more. But this setup looks interesting to me and I was not aware of it. Maybe someone like @trendy will have a look on this.

The Howto is telling:

Each VLAN should be a unique firewall zone. So create one for the DMZ. Nothing is initiated from the DMZ zone so the policy is to REJECT everything.

config 'zone'
       option 'name' 'dmz'
       option 'input' 'REJECT'
       option 'output' 'REJECT'
       option 'forward' 'REJECT'
       option 'network' 'dmz'

Basically a firewall setup is looking like:

1st Deny All for the specific zone
2nd Allow specific port on Device
3rd Redirect to dest IP

The 2nd step is not mentioned in this tutorial. Maybe I'm completely wrong and too noobish. So sorry for polluting your thread. I will stop posting here.

Thanks for the suggestions. I ended up trying REJECT settings on every WAN-related zone in the whole configuration, and it didn't alter the behavior noticeably. I think something is more fundamentally wrong with, or missing from, the guidance in the Using multiple public IPs on wan interface use case.

For example, should the multiple WAN interfaces be bridged with the main WAN? Is the current configuration with interface > interface > VLAN > DMZ more complicated than it needs to be?

My day job is technical writing for a big cloud company, and once I get this problem solved, I would be happy to expand the use case into a complete tutorial. I apparently need more help getting there.

Thanks,

David

Yes, I had the same feeling that parts are missing. But that could mean that the writer presumes knowledge what I'm lacking also. That scared me a bit. I'm not a network expert.

As I saw your setup I was first thinking it is mwan what you want. I was not aware of such a solution. And according to the tutorials I would say you don't need to create/use multiple wan interfaces as you did in your configuration. That confused me a bit because I'm not familiar with such a setup and I want to avoid writing wrong things.

From a logical point:

  • You can have 3 wan interfaces with n IPs and route traffic with firewall rules.
  • You can have 1 wan interface with n IPs and redirect traffic with firewall rules.

https://openwrt.org/docs/guide-user/network/wan/multiple_public_ips
That would be the 1st case.

So now on top of that the VLANs kicking in and it's getting complicated. :smiley:
Based on "multiple_public_ips" you have already DNAT/SNAT rules routing your traffic to their desired internal IPs (with configuration "all"). So you would not need the rules for redirecting specific ports to reach the server. But the "DMZ configuration/VLANs" is telling you that. And I think there is the error. Because I think this tutorial is more like separating the LAN devices and redirecting WAN traffic from 1 WAN interface to the target LAN interface.

I'm not a firewall/network guru who can tell you ad hoc whether merging both concepts is possible or not. It might be that I'm completely wrong also.

2 Likes

This guide should be good enough for @oneeyedman to fulfill his desired configuration.

This setup is good enough. You don't need to reject everything on the output, or you'll need to define every possible flow you'll need. Also careful with DHCP, DNS, IPv6.

2 Likes

Let me narrow the question. Suppose I have set up DNAT/SNAT for a public IP as recommended above. The target host is completely exposed to the Internet. Using OpenWRT zones, rules, whatever, how do I block a specific port on the host, for example, TCP 445 (SMB)?

Thanks,

David

You can use a specific port and proto instead of proto=all in the DNAT rule.
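An added example, not code from this thread or from OpenWrt: a small Python lint that parses a constructed /etc/config/firewall fragment (modelled on the redirects quoted above, with the 203.0.113.0/29 documentation prefix standing in for the poster's public IPs) and reports the two DNAT patterns this thread turned on, i.e. proto 'all' redirects that expose the whole host, and port-specific redirects without src_dip that cannot tell the public IPs apart.

```python
# Constructed sample: one wide-open redirect, one port-specific redirect with
# no src_dip, and one port-specific redirect that is bound to a public IP.
SAMPLE_FIREWALL = """
config redirect
	option name 'dnat_230'
	option src_dip '203.0.113.230'
	option proto 'all'
	option target 'DNAT'
	option dest_ip '192.168.3.3'

config redirect
	option name 'ssh-hoh'
	option target 'DNAT'
	option proto 'tcp'
	option src_dport '22'
	option dest_ip '192.168.3.3'

config redirect
	option name 'ssh-231'
	option target 'DNAT'
	option proto 'tcp'
	option src_dip '203.0.113.231'
	option src_dport '22'
	option dest_ip '192.168.3.4'
"""

def parse_uci(text):
    # Minimal UCI reader: list of (section_type, {option: value}); 'list' lines are ignored.
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            sections.append((line.split()[1].strip("'\""), {}))
        elif line.startswith("option ") and sections:
            _, key, val = line.split(None, 2)
            sections[-1][1][key.strip("'\"")] = val.strip("'\"")
    return sections

def lint_redirects(text):
    # Returns (redirect name, problem) for DNAT redirects that match too broadly.
    findings = []
    for stype, opts in parse_uci(text):
        if stype != "redirect" or opts.get("target") != "DNAT":
            continue
        name = opts.get("name", "<unnamed>")
        if opts.get("proto") == "all" and "src_dport" not in opts:
            findings.append((name, "proto 'all' with no port: whole host exposed"))
        elif "src_dip" not in opts:
            findings.append((name, "no src_dip: matches every public IP on the zone"))
    return findings
```

Run it against your real /etc/config/firewall to spot redirects that still need a proto, a port, or a src_dip before you trust the zone policy.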

I'm happy to report I got /29 working correctly on my router. The suggestion here to try more restrictive DNAT redirects was helpful. I had tried lots of configurations of these already, but I tried some more, and finally got it right. The sources of much of the trouble were lack of models for /29 wan binding, and my use of individual VLANs per IP address, and the complexity of chaining together the necessary interfaces: wan, wan_xx1, dmz_xx1. I made various mistakes about gateways in particular. I also finally mastered the LuCI approach to port forwards, and ended up preferring that to editing the firewall directly. LuCI actually has things to tell me!

Those wide-open traditional DNAT redirects recommended by the OpenWRT documentation? I deleted them with some pleasure.

Since I am a technical writer anyway, I plan to write an account of the working configuration I found, maybe in anticipation that others will improve on it. Setting up multiple public wan IPs is not trivial if you aren't a trained network engineer, and I even saw plenty of Cisco users around the web floundering around with questions as stupid as mine.

Regards,

David Robinson

3 Likes