Hi,
In my firewall rules I set a test rule for device A with mac-addr XYZ to block internet access. These is the rule as it show in LUCI:
Fowarded IPv4 and IPv6
From *lan*, MAC: XYZ
To *wan*
(Protocol any)
Reject foward
The device A has an update feature to fetch last release from github, so I try to get last update and it still was able to fetch it.
What am I doing wrong here?
post the actual rule from /etc/config/firewall ?
config rule
option src 'lan'
option dest 'wan'
option name 'BLOCK - TEST'
list src_mac 'XYZ'
list proto 'all'
option target 'REJECT'
Try changing option src from 'lan' to '*'. If doing it through LuCI, change the source zone to Any zone (forward)
I tried changing it to
config rule
option name 'BLOCK - TEST'
option dest 'wan'
option target 'REJECT'
list src_mac 'XYZ'
option src '*'
but nothing changed (just to be sure I tried with ping command and I was able to reach internet from device). I tried also using the device IP:
config rule
option name 'BLOCK - TEST'
option dest 'wan'
option target 'REJECT'
list src_mac 'XYZ'
option src '*'
list src_ip '192.168.1.x'
but nothing...
This sounds very weird to me, is there any way to check a sort of logs from firewall?
Did you reload the firewall between making these changes?
I use a similar rule without issue:
config rule
option dest 'wan'
option src '*'
option proto 'all'
option target 'DROP'
option src_mac 'ABC'
I press saved on LUCI, so I think firewall should be automatically refreshed by that.
By the way I manually restarted with service firewall restart, still nothing...
Right, let's see the full contents of:
/etc/config/network
/etc/config/firewall
/etc/config/dhcp
Remember to redact passwords, MAC addresses and any public IP addresses you may have. 'Private' IP addresses (e.g. anything beginning 192.168) should be left unredacted.
I will try to post them asap (right now I have not enough time to clean them from all private data unfortunately), but I'm a bit worried: is there any chance some malware or similar tampered the firewall?
May I check any suspect activity/files/etc to exclude this?
There's always a chance, but it's unlikely. The easiest way to check is to post the configs here and let us take a look, it'll be obvious quickly enough if there's something in them that shouldn't be.
Hi, I tried to clean up the requested files
=== /etc/config/network ===
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '.../48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
option delegate '0'
config device
option name 'eth0.2'
option macaddr '...'
config interface 'wan'
option proto 'pppoe'
option device 'eth0.XYZ'
option ipv6 '0'
option peerdns '0'
list dns '192.168.1.2' --> i'm using pihole as dns
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '192.168.1.2' --> i'm using pihole as dns
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid 'XYZ'
option ports '0t 1t'
=== /etc/config/firewall ===
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
list icmp_type 'echo-request'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option name 'Redirect all DNS requests to PiHole'
option src 'lan'
option src_dport '53'
option dest_ip '192.168.1.2'
option dest_port '53'
option src_ip '!192.168.1.2'
option dest 'lan'
config nat
option name 'Prevents DNS error on devices harcoded DNS when redirected to PiHole'
list proto 'tcp'
list proto 'udp'
option src 'lan'
option dest_ip '192.168.1.2'
option dest_port '53'
option target 'MASQUERADE'
# The new rule for device I testing to block
# (I already tried to move it upper to check if can affect result but nothing changed)
config rule
option name 'BLOCK TEST'
option dest 'wan'
option target 'REJECT'
list src_mac 'XYZ'
option src '*'
=== /etc/config/dhcp===
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.1.2'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# then I have all devices static IP configuration
# nothing strange here except that some devices has the "option dns '1'" and some not
# I noticed the devices I add from LUCI has this extra field and the devices I set using
# the "add_lease ..." command does not have it
# (the device I want to block does not have it, but I don't think this can be related with firewall)
config host
option ip '192.168.1.x'
option name '...'
option mac '...'
config host
option ip '192.168.1.y'
option name '...'
option mac '...'
option dns '1'
any suggestion to spot the problem?
Maybe the test device has a random mac address?
No the device is a linux device I'm using for test so no automatic random MAC feature. I also checked in the "Summary" screen on LUCI and the MAC is the same I put in the firewall rule.
If you go to the firewall screen in LuCI you should be able to find your rule in the 'Traffic filter chain "forward"' section. If you mouseover the boxes at the start of the rule it should tell you how much traffic has been matched by the rule. Is that higher than 0?
You mean from LUCI home
Status > Firewall?
In this case I can find my rule under:
Chain *FORWARD* (Policy: *DROP*, 0 Packets, 0 B Traffic)
but it show me
Pkts: 0
Trafic: 0 B
Target: zone_wan_dest_REJECT
for both TCP and UDP
What's the output of ubus call system board?
Try to block everything:
config rule
option name 'block-device'
option src '*'
list src_mac 'MAC_ADDRESS'
option dest '*'
option target 'REJECT'
Reboot router and after that reboot device.
Make sure the device is actually using the router
I'm using OpenWrt 21.02 on Archer C7
21.02 has reached end of life so I would strongly recommend upgrading to 23.05. It will also assist troubleshooting as the firewall has changed between 21.02 and 23.05.