I have problems with firewall. All other setting are default. One WAN one LAN.
First problem: I set port forwaring and gave it a ipset for src_ip.The connections get through even if the IP in not in allowed list. Sometimes. Restarted router.
Second: I disabled Ping in Traffic rules and can still ping my router. Also tried restaring router in both cases. I disabled all but "Allow-DHCP-Renew" traffic rule. Can still ping in with my phone with LTE connection.
Ping from LAN is always permitted
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Doing this from where, connection wise.
I disabled the ipset for now, so it is not implemented, but setup like this I had problems.
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Xiaomi Mi Router AX3000T (OpenWrt U-Boot layout)",
"board_name": "xiaomi,mi-router-ax3000t-ubootmod",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.XX.254/24'
config device
option name 'wan'
option macaddr 'XXXX'
option ipv6 '0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config route
option interface 'lan'
option target '192.168.0.0/24'
option gateway '192.168.XX.201'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'caddy 80'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.XX.203'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'caddy 443'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.XX.203'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'caddy hassio'
option src 'wan'
option src_dport 'XXXXX'
option dest_ip '192.168.XX.203'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'XXX IN'
list proto 'tcp'
option src 'wan'
option src_dport 'XXXX'
option dest_ip '192.168.XX.204'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'XXX OUT'
list proto 'tcp'
option src 'wan'
option src_dport 'XXXX'
option dest_ip '192.168.XX.204'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wg c2v'
list proto 'udp'
option src 'wan'
option src_dport '51821'
option dest_ip '192.168.XX.201'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wg'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.XX.201'
config forwarding
option src 'lan'
option dest 'wan'
config ipset
option name 'allowed_ips_wg'
option family 'ipv4'
list match 'src_ip'
list entry 'X.X.X.X'
list entry 'X.X.X.X'
Connection is a LTE connection from my phone, with Wifi off. It has my mobile carrier IP. And I ping my home IP. I guess a port is still open.
There is a high probability that one or both of the following apply to your connection wrt IPv4:
What are the first two octets of your openwrt wan (in bold: aaa.bbb.ccc.ddd):
ifstatus wan | grep address
I guess I didnt tell all the info. My ISP modem has DMZ (192.168.100.X) for a OpenWRT WAN port. So all ports forward to OpenWRT.
I try to ping my home IP from my phone, not the other way around. I understand I cant ping CGNAT IP.
Problem is I CAN ping my home IP from anywhere, but this setting is disabled on OpenWRT.
No, it is not how it works.
Check with PC to mobile then via openwrt:
I don't understand how this apply to my problem. Problem is I CAN ping my home IP from anywhere, but this setting is disabled on OpenWRT(option Allow-Ping is off). This was not possible with my old router (FreshTomato).
Question is, are you really pinging your WAN IP, or the carriers/ISPs public end point IP ?
I will have to unplug OpenWRT and see. Maybe ISP router is responding. I was thinking since I DMZ my OpenWRT only router will respond.
If you answer @psherman's question from 2h ago, we'll know.
OpenWRT WAN: 192.168.100.X which is DMZ on ISP Router.
PS: I have tried unpluging OpenWRT. I guess ISP router is responding to Ping requests.
What about my first problem: Is it possible that if the connection is established before ipset is enabled it ignores those connections? I tried rebooting the router.
That's not your public IP though, Openwrt has nothing to do with it.
You can not open public port if you are fronted by ISP router with another nat.
Can you show nat type with pc behind provider's router? If it is 4th type there is no hope.
Type: Port Restricted Cone.
The only problem left is with ipset. With ping it was the ISP modem that was responding.
Please provide complete answers. There is no actionable info in ur onelines
The ping part of the question has been resolved. It was a reponse from ISP modem and not OpenWRT router. My bad, I thought DMZing a device meant ping requsts will also be forwarded. If I understand correctly IGMP is not forwarded. You learn every day.
PS: I have figure out the first part also. If the connection is already established (in my case Wireguard connection) and the ipset list is changed to exclude that IP the connection must first be killed (router restart helps but there is probably better solution).
Sorry for my post, I didn't research enough on my own and posted this too fast. 
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.