Firewall rule with modem

I have a pretty basic setup.

Just added a modem following this:

https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat

And now I want to restrict the access from the openWRT router to the modem (which is a fritzbox, and has a wifi etc.) with a firewall rule.

Since I do use the static IP of the modem 192.168.178.1 in the interface, I suppose I have to exclude this one.

Wanted to test it with 192.168.178.32, but I can still access it from my machine. Any ideas?

Reason for that: I want my IoT devices in a separate Wifi and I have this router lying around. Want to start easy with OpenWrt and dive in deeper in the future.

Here is my firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'modem'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Disallow Fritzbox'
	list proto 'tcp'
	option src 'lan'
	option dest 'lan'
	option target 'REJECT'
	list dest_ip '192.168.178.32'
	list src_ip '192.168.1.0/24'
	option src_port '80'
	option dest_port '80'

By the way, the internet connection is really random at the moment. What could that be? If I measure it, sometimes it's full speed (250 Mbit), sometimes completely gone, or very slow :thinking:

Hi

It is unclear what you have done.
OWRT is connected to Fritz via WAN?

You tried to access 178.1 with 178.32, which indicates that both devices are in the same L2 domain.
In this case, the OWRT firewall does not work.

Maybe some network diagram for a start?

ISP -> Fritzbox (subnet 192.168.178.0/24) -> openWRT (subnet 192.168.1.0/24)

It is not that complex tbh. I can add a network diagram after work if needed; those drag and drop type things take time (UML usage was a long time ago).

I want to restrict all devices connected via the OWRT wifi (that uses the above mentioned subnet) from accessing everything that is handled by the Fritzbox.

So everything from 192.168.1.X cannot access 192.168.178.X; vice versa is fine. I do want to connect from my laptop, which is in the Fritzbox subnet, to open a wifi device's web interface.

I thought this was easily configurable.

You didn't post your network config... that would be useful to see.

But...

The modem network interface is probably not necessary in general and in the wan firewall zone.

Can you be more specific here... not sure what this means. An example would be good.

Meanwhile, to block your OpenWrt lan devices from reaching the fritz network, edit this rule:

make it look like this:

config rule
	option name 'Disallow-Fritzbox'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list dest_ip '192.168.178.0/24'

Then restart the firewall (or the whole router) and test again.


Ok, thank you, this works! :tada:

I will check the modem interface later. I am getting a managed switch today from the Amazonas, so there might be a few changes on the way. Good though that now all devices (lan and wifi) cannot access that subnet. Weird though that the above was more specific in terms of port and IP but did not work :thinking:

Pretty sure I tried the WAN dest as well, but failed :confused: But maybe something else was missing / wrong then. Trial and error does not always work.

Happy that I don't have to resell the Xiaomi AX3000T router now, it does have great coverage in my house.

Well, there were multiple problems with the previous rule... it was operating with the same source and destination zones (lan), so it would never have been relevant. The destination zone needed to be the wan.
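The difference between the asker's original rule and the corrected one in the reply above, worked through in an added Python example (not code from the thread or from OpenWrt). It parses the UCI rule syntax, derives the firewall zone an address belongs to from an assumed interface-to-subnet map (lan = 192.168.1.0/24, modem = 192.168.178.0/24, taken from the diagram in the thread; the per-interface mapping is an assumption), and reports whether a constructed lan client -> Fritzbox flow would be matched by each rule. It also explains why the first rule is inert: its `dest_ip` lives behind the wan zone while the rule says `dest 'lan'`, and `src_port '80'` pins the client's source port, which is ephemeral in practice.

```python
import ipaddress
import shlex

# Constructed sample: the asker's original rule and the corrected one from the
# reply, together with the zone sections they refer to (same text as the thread).
SAMPLE_CONFIG = """
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	list network 'modem'
	list network 'wan'

config rule
	option name 'Disallow Fritzbox'
	list proto 'tcp'
	option src 'lan'
	option dest 'lan'
	option target 'REJECT'
	list dest_ip '192.168.178.32'
	list src_ip '192.168.1.0/24'
	option src_port '80'
	option dest_port '80'

config rule
	option name 'Disallow-Fritzbox'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list dest_ip '192.168.178.0/24'
"""

# Assumed interface -> subnet map (hypothetical; the thread names the two
# subnets but not which interface carries which).
INTERFACE_SUBNETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "modem": ipaddress.ip_network("192.168.178.0/24"),
}

# Constructed flow: a lan client on an ephemeral port browsing to the Fritzbox.
SAMPLE_FLOW = {"src_ip": "192.168.1.50", "dst_ip": "192.168.178.32",
               "proto": "tcp", "src_port": 51234, "dst_port": 80}


def as_list(value):
    """UCI 'option' yields a string, 'list' yields a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def parse_uci(text):
    """Parse UCI text into dicts keyed by option name, plus '_type' for the section type."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values
        if parts[0] == "config":
            current = {"_type": parts[1]}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def zone_for_ip(ip, zones):
    """Map an address to the zone whose member interface owns its subnet."""
    addr = ipaddress.ip_address(ip)
    for zone in zones:
        for iface in as_list(zone.get("network")):
            subnet = INTERFACE_SUBNETS.get(iface)
            if subnet is not None and addr in subnet:
                return zone["name"]
    return None


def rule_matches(rule, flow, zones):
    """Simplified FORWARD-chain match on zones, proto, src/dest ip and single ports.
    Ignores family, negation and port ranges, which the sample rules do not use."""
    if "dest" not in rule:  # no dest zone means an INPUT rule, not a forwarding rule
        return False
    src_zone = zone_for_ip(flow["src_ip"], zones)
    dst_zone = zone_for_ip(flow["dst_ip"], zones)
    if rule.get("src", "*") not in ("*", src_zone) or rule["dest"] not in ("*", dst_zone):
        return False
    protos = as_list(rule.get("proto")) or ["all"]
    if "all" not in protos and flow["proto"] not in protos:
        return False
    for opt, key in (("src_ip", "src_ip"), ("dest_ip", "dst_ip")):
        nets = as_list(rule.get(opt))
        if nets and not any(ipaddress.ip_address(flow[key]) in ipaddress.ip_network(n, strict=False)
                            for n in nets):
            return False
    for opt, key in (("src_port", "src_port"), ("dest_port", "dst_port")):
        if opt in rule and int(rule[opt]) != flow[key]:
            return False
    return True


def lint_rule(rule, zones):
    """Explain why a rule may never be relevant to the traffic it was written for."""
    findings = []
    for n in as_list(rule.get("dest_ip")):
        owner = zone_for_ip(ipaddress.ip_network(n, strict=False).network_address, zones)
        if owner and rule.get("dest") and owner != rule["dest"]:
            findings.append(f"dest_ip {n} is reached through zone '{owner}', but dest is '{rule['dest']}'")
    if "src_port" in rule:
        findings.append("src_port pins the client's source port; clients use ephemeral ports, so this rarely matches")
    return findings


def evaluate(config_text=SAMPLE_CONFIG, flow=SAMPLE_FLOW):
    """Return, per rule name, whether the flow matches and the lint findings."""
    sections = parse_uci(config_text)
    zones = [s for s in sections if s["_type"] == "zone"]
    rules = [s for s in sections if s["_type"] == "rule"]
    return {r["name"]: {"matches": rule_matches(r, flow, zones),
                        "findings": lint_rule(r, zones)} for r in rules}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: matches={result['matches']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running it reports that 'Disallow Fritzbox' never matches the lan-to-Fritzbox flow while 'Disallow-Fritzbox' does, with the two findings for the original rule. The zone derivation is the point: OpenWrt classifies forwarded traffic by the zone of the interface it leaves through, so a destination in 192.168.178.0/24 is wan-zone traffic regardless of which zone the source sits in.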

But yes, thx. Now I can't access the devices connected on the OWRT router from my Fritz subnet. Apparently I need to configure it not using NAT.

Man, I thought this is easier :sob:

Does your FB support static routes? That's necessary if you want to disable NAT masquerading.

I am in luck, it does. So I added this rule as well, since the traffic was rejected.

I suppose most Germans are using Fritz, so here is a link for fellow beginners

If you set a static route, you can disable masquerading on the wan zone. Then, to allow access from the FB network to the OpenWrt one, add forwarding from wan > lan (on OpenWrt in the firewall).

Yes, I did this already, thx. I will post the finished config later; there is def. room for improvement I suppose.
