Hi,
I have set up my router following this documentation.
The routing works as expected if the firewall is off.
After enabling the firewall rules, the following errors occur:
Router cannot access internet
Connected client cannot access internet
This is my current configuration:
root@net3-tplwr841:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda9:80a1:832c::/48'
config interface 'wan'
option proto 'static'
option ipaddr '192.168.1.3'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option netmask '255.255.255.224'
option ipaddr '172.16.20.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
root@net3-tplwr841:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq_dest !192.168.1.0/24
option masq '1'
config forwarding
option src 'wan'
option dest 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
Can you please advise the firewall rules for the following requirements:
Any communication from AP network to Client network must be accepted
Any communication from Client network to AP network must be rejected
Communication from the Client network to the internet must be rejected, with the exception of client 172.16.20.5 (this client must be accepted)
THX
trendy
August 15, 2020, 6:21pm
If I understand properly, the AP is the wan and the client network is the lan.
Therefore, in the firewall allow wan->lan forwarding, do not allow lan->wan (it defaults to reject), and add a rule that allows only IP 172.16.20.5 from lan to wan.
I managed to define firewall rules that allow all clients access to the AP network and the internet.
However, I don't want this; only specific clients should have access to the AP network and the internet.
This is my configuration now:
root@net3-tplwr841:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:35e4:06e6::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option netmask '255.255.255.224'
option ipaddr '172.16.20.1'
list dns '192.168.1.1'
config switch
option name 'switch0'
option reset '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 1'
option vid '1'
config interface 'wwan'
option proto 'static'
option netmask '255.255.0.0'
option ipaddr '192.168.1.3'
list dns '192.168.1.1'
option gateway '192.168.1.1'
root@net3-tplwr841:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option masq_dest '!192.168.1.0/24'
option mtu_fix '1'
option network 'wwan'
config forwarding
option src 'wan'
option dest 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src 'lan'
option family 'ipv4'
option target 'ACCEPT'
option dest 'wan'
list proto 'tcp'
option name 'Allow pc5-loxberry'
list src_ip '172.16.20.5'
list src_mac 'B8:27:EB:FB:D9:7E'
option enabled '0'
What I know about iptables rules is that the default policy should be:
Input: dropped
Output: dropped
Forward: dropped
Please advise.
# Recreate the 'lan_fwd' firewall rule from scratch: forward traffic only from
# 172.16.20.5 (lan) to the wan zone, and only to destinations outside the
# 192.168.1.0/24 AP network. All other lan->wan forwarding stays at the zone
# policy (REJECT), so the remaining clients get neither AP network nor internet.
sec=firewall.lan_fwd

# Drop any stale definition first so the set calls below start clean.
uci -q delete "$sec"
uci set "$sec=rule"
uci set "$sec.name=Allow-LAN-Forward"
uci set "$sec.src=lan"
uci set "$sec.src_ip=172.16.20.5/32"
uci set "$sec.dest=wan"
# Negated destination: the exempted client still cannot reach the AP network.
uci set "$sec.dest_ip=!192.168.1.0/24"
uci set "$sec.proto=all"
uci set "$sec.target=ACCEPT"

# Persist and apply.
uci commit firewall
/etc/init.d/firewall restart
Thanks.
What about other (pre-) defined rules?
Must I keep the other rules?
And can I set the default rules to DROP?
Your minimal config should allow DHCP requests and DNS queries, similar to the guest WLAN:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#firewall
The other rules are optional and depend on your needs as well as default zone policies.
OK.
But I would actually need a DMZ, meaning:
all incoming traffic is allowed
all local traffic is allowed (clients can communicate with each other in client network)
only for selected clients outgoing traffic is allowed
What about
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
?
Why is the default rule ACCEPT and not DROP?
These defaults apply to traffic that does not belong to any zone, or when you have no zones.
It works as a fallback if you rename network interfaces but forget to update the firewall configuration. Note the trade-off: with ACCEPT defaults such an interface stays reachable, but its traffic is then completely unfiltered, so re-check zone membership after any interface rename.
Well, I have started some "fine-tuning" of my firewall rules; I was checking the fw3 configuration examples here.
The rules should follow this guideline:
default rules are input-reject, output-reject, forward-reject
reject any outgoing traffic from the LAN
allow output and input of wan with masquerade, but not for network 192.168.1.0/24
allow ping to router and clients
allow SSH to router and clients from network 192.168.1.0/24
allow DNS requests from clients
allow NTP requests from clients
allow HTTP(S) request to router and clients from 192.168.1.0/24
allow access to network 192.168.1.0/24 from client 172.16.20.5
Do you think these rules will work as expected?
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'REJECT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option masq_dest '!192.168.1.0/24'
option mtu_fix '1'
option network 'wwan'
config rule
option name 'Allow-Ping'
option target 'ACCEPT'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
config rule
option name 'Allow-SSH-Internal-Device'
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto 'tcp'
list src_ip '192.168.1.0/24'
option dest_port '22'
config 'rule'
option name 'Allow-DNS-LAN'
option target 'ACCEPT'
option src 'lan'
option proto 'tcpudp'
option dest 'wan'
option dest_port 53
config 'rule'
option name 'Allow-NTP-LAN'
option target 'ACCEPT'
option src 'lan'
option proto 'tcpudp'
option dest 'wan'
option dest_port 123
config rule
option name 'Allow-HTTP(S)-Internal-Device'
option target 'ACCEPT'
option src 'wan'
option family 'ipv4'
option proto 'tcp'
list src_ip '192.168.1.0/24'
option dest_port '80 443'
config rule
option name 'Allow-LAN-Forward'
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option proto 'all'
list dest_ip '192.168.1.0/24'
list src_ip '172.16.20.5'
config include
option path '/etc/firewall.user'
THX
I don't really recommend changing the defaults section, unless you really know what you are doing.
But you can restrict the input policy for the LAN and WAN zones.
In addition, add a DHCP rule for LAN clients if required.
Also, NTP should be just udp, not tcpudp.