Firewall rules for Routed Client

Hi,
I have set up my router following this documentation.
The routing works as expected if the firewall is off.

After enabling the firewall rules, the following errors occur:

  • Router cannot access internet
  • Connected client cannot access internet

This is my current configuration:

root@net3-tplwr841:~# cat /etc/config/network 

# /etc/config/network — first attempt (as posted)
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda9:80a1:832c::/48'

# Upstream (AP) side: static address on 192.168.1.0/24, default route and
# DNS via 192.168.1.1.
# NOTE(review): there is no 'option ifname' here — the physical device this
# interface binds to is not visible in this listing; confirm it is attached
# to a port.
config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# Client side: bridge over VLAN 1 (eth0.1), 172.16.20.1 with a /27 mask
# (255.255.255.224, i.e. 30 usable host addresses).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	option netmask '255.255.255.224'
	option ipaddr '172.16.20.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Ports 1-4 plus tagged port 0 all belong to VLAN 1.
# NOTE(review): which switch port (if any) carries the 'wan' link is not
# shown anywhere in this listing.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

root@net3-tplwr841:~# cat /etc/config/firewall 

# /etc/config/firewall — first attempt (as posted). fw3 semantics: 'defaults'
# sets the chain fallbacks, each 'zone' carries its own input/output/forward
# policy, 'forwarding' sections open inter-zone paths and 'rule' sections
# punch individual holes.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Forwarded traffic that no forwarding section or rule matches is rejected.
	option forward 'REJECT'

# Client network zone. Its forward policy applies to traffic between
# interfaces of this same zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Upstream (AP) side.
# NOTE(review): input 'ACCEPT' makes every service running on the router
# reachable from the AP network; the wan 'Allow-*' rules below only matter
# once this is tightened. No 'option network' is given — per the fw3
# documentation the zone name ('wan') is then used as the interface name,
# which matches the 'wan' interface in /etc/config/network above.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	# Masquerade everything leaving wan except traffic bound for
	# 192.168.1.0/24. The value is unquoted here (later listings quote it).
	option masq_dest !192.168.1.0/24
	option masq '1'

# Only wan -> lan is opened. There is no lan -> wan forwarding section, so
# client traffic towards the AP network or the internet falls through to the
# defaults forward policy (REJECT) — consistent with "connected client
# cannot access internet" reported above.
config forwarding
	option src 'wan'
	option dest 'lan'

# Stock OpenWrt wan rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6). Those without 'option dest' open the router's INPUT chain,
# which the wan zone's input 'ACCEPT' already leaves fully open.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' makes this a forwarding rule (any zone), not an input rule.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarding rules (dest 'lan'): IPsec ESP and IKE (udp/500) from wan into
# the client network. Both are already covered by the wan -> lan forwarding
# section above, so they are redundant in this configuration.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hand-written iptables rules, if any, are loaded from this file.
config include
	option path '/etc/firewall.user'

Can you please advise on the firewall rules for the following requirements:

  • Any communication from AP network to Client network must be accepted
  • Any communication from Client network to AP network must be rejected
  • Communication from Client network to internet must be rejected with exception of client 172.16.20.5 (this client must be accepted)

THX

If I understand properly AP is the wan and client is the lan.
Therefore, in the firewall allow wan->lan forwarding, do not allow lan->wan (it defaults to reject), and add a rule to allow IP 20.5 (172.16.20.5) from lan to wan.


I managed to define firewall rules that allow all clients access to

  • AP network
  • internet

However, I don't want this; only specific clients should have access to the AP network and the internet.

This is my configuration now:

root@net3-tplwr841:~# cat /etc/config/network 

# /etc/config/network — second revision (as posted)
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda8:35e4:06e6::/48'

# Client network: 172.16.20.1/27 on a bridge over VLAN 1. The upstream
# 192.168.1.1 is now listed as DNS server on this interface too.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	option netmask '255.255.255.224'
	option ipaddr '172.16.20.1'
	list dns '192.168.1.1'

# 'enable_vlan' is no longer set on the switch in this revision.
config switch
	option name 'switch0'
	option reset '1'

# Port list reordered to '0t 2 3 4 1' and an explicit vid added.
# NOTE(review): which port carries the upstream link is still not visible.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 1'
	option vid '1'

# Upstream (AP) side, renamed to 'wwan' (the wan zone in the firewall
# config references it by this name). Still no 'option ifname'.
# NOTE(review): netmask 255.255.0.0 makes this address part of a /16
# (192.168.0.0/16), while the firewall treats only 192.168.1.0/24 as the AP
# network (masq_dest, dest_ip). Hosts in 192.168.x.y outside .1.0/24 would
# be on-link here yet still masqueraded by the firewall — confirm the
# intended mask (the first revision used 255.255.255.0).
config interface 'wwan'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '192.168.1.3'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

root@net3-tplwr841:~# cat /etc/config/firewall 

# /etc/config/firewall — second revision (as posted)
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# NOTE(review): this is the FORWARD-chain fallback, not only "traffic
	# belonging to no zone". lan -> wan traffic that no 'config forwarding'
	# section or rule matches falls through to it, which is consistent with
	# every client currently reaching the AP network and the internet.
	# Restoring 'REJECT' here is what makes a per-client allow rule
	# meaningful.
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Upstream (AP) side, now explicitly bound to the 'wwan' interface.
# input 'ACCEPT' still exposes every router service to the AP network.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	# NAT everything leaving wan except traffic to the AP network itself.
	option masq_dest '!192.168.1.0/24'
	option mtu_fix '1'
	option network 'wwan'

# wan -> lan is open. No lan -> wan forwarding section exists; see the
# defaults comment above for why clients can still get out.
config forwarding
	option src 'wan'
	option dest 'lan'

# Stock OpenWrt wan rules; the IPv6 ones are switched off with enabled '0'.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Forwarding rules (dest 'lan') for IPsec; redundant while wan -> lan
# forwarding is open.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Per-client allow rule: lan -> wan for one host, matched on both its IPv4
# address and its MAC address (all match options of a rule must hold).
# Currently inactive (enabled '0'). Only tcp is listed, so UDP traffic from
# this host (DNS, NTP) would not be covered once the defaults forward
# policy above is tightened.
config rule
	option src 'lan'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'wan'
	list proto 'tcp'
	option name 'Allow pc5-loxberry'
	list src_ip '172.16.20.5'
	list src_mac 'B8:27:EB:FB:D9:7E'
	option enabled '0'

What I know about iptables rules is that the default policies should be:
Input: dropped
Output: dropped
Forward: dropped

Please advise.

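# Replace the named section firewall.lan_fwd so the snippet is safe to re-run:
# delete whatever is there first (-q keeps a missing section quiet; do not
# run this under 'set -e', as that delete returns non-zero on first use),
# then recreate the rule.
uci -q delete firewall.lan_fwd
uci set firewall.lan_fwd="rule"
uci set firewall.lan_fwd.name="Allow-LAN-Forward"
# Only this one host on the client network may be forwarded out.
uci set firewall.lan_fwd.src="lan"
uci set firewall.lan_fwd.src_ip="172.16.20.5/32"
uci set firewall.lan_fwd.dest="wan"
# Negated destination: everything reachable via wan except the AP network.
# Single quotes on purpose: in an interactive bash session a double-quoted
# "!192..." is subject to history expansion and can be rewritten before uci
# ever sees it (OpenWrt's ash does not expand it, other shells may).
uci set firewall.lan_fwd.dest_ip='!192.168.1.0/24'
uci set firewall.lan_fwd.proto="all"
uci set firewall.lan_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart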

Thanks.

What about the other (pre-)defined rules?
Must I keep the other rules?
And can I set the default rules to DROP?

Your minimal config should allow DHCP requests and DNS queries, similar to the guest WLAN setup:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#firewall
The other rules are optional and depend on your needs as well as default zone policies.


OK.
But I would actually need a DMZ, meaning:

  • all incoming traffic is allowed
  • all local traffic is allowed (clients can communicate with each other within the client network)
  • outgoing traffic is allowed only for selected clients

See the rule from above.

What about

# Quoted from the firewall config above: the chain fallbacks that apply when
# no zone, forwarding section or rule has matched.
config defaults                                 
        option syn_flood '1'                    
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option forward 'ACCEPT'

?
Why is the default rule ACCEPT and not DROP?

These defaults apply to traffic that does not belong to any zone, or when you have no zones at all.
They work as a fallback if you rename network interfaces but forget to update the firewall configuration.


Well, I have started some "fine-tuning" of my firewall rules; I was checking the fw3 configuration examples here.

The rules should follow this guideline:

  • default rules are input-reject, output-reject, forward-reject
  • reject any outgoing traffic from the LAN
  • allow output and input on wan with masquerading, but not for the network 192.168.1.0/24
  • allow ping to router and clients
  • allow SSH to router and clients from network 192.168.1.0/24
  • allow DNS requests from clients
  • allow NTP requests from clients
  • allow HTTP(S) requests to router and clients from 192.168.1.0/24
  • allow access to network 192.168.1.0/24 from client 172.16.20.5

Do you think these rules will work as expected?

# /etc/config/firewall — proposed "fine-tuned" revision (as posted)
# NOTE(review): the reply below advises against changing this section;
# with REJECT everywhere, anything no zone/forwarding/rule covers is
# rejected, including traffic on interfaces not bound to a zone.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

# Client network zone.
# NOTE(review): zone 'output' governs traffic the router itself originates
# towards lan devices. Replies to client connections are still accepted by
# the conntrack rules fw3 installs, but new router-originated flows (DHCP
# offers from the router's DHCP server, for example) would likely be
# rejected — confirm DHCP still works or add a lan DHCP rule, as the reply
# below suggests.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'REJECT'
	option forward 'ACCEPT'
	option network 'lan'

# Upstream (AP) side. input 'ACCEPT' still leaves every router service
# reachable from 192.168.1.0/24; the SSH/HTTP(S) rules below only take
# effect if this becomes REJECT.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option masq_dest '!192.168.1.0/24'
	option mtu_fix '1'
	option network 'wwan'

# NOTE(review): unlike the earlier revisions there is no 'config forwarding'
# with src 'wan' / dest 'lan' here, and Allow-Ping, Allow-SSH-Internal-Device
# and Allow-HTTP(S)-Internal-Device carry no 'option dest', so they only
# open the router's INPUT chain. Nothing in this listing lets 192.168.1.0/24
# reach the clients themselves, which contradicts the "to router and
# clients" and "all incoming traffic is allowed" goals stated above.
config rule
	option name 'Allow-Ping'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'

# Router INPUT only (no dest): tcp/22 from the AP network.
config	rule
	option name 'Allow-SSH-Internal-Device'
	option target 'ACCEPT'
	option src 'wan'
	option family 'ipv4'
	option proto 'tcp'
	list src_ip '192.168.1.0/24'
	option dest_port '22'

# Forwarding rule lan -> wan: DNS to any upstream host, for every client
# (no src_ip restriction). Unquoted port value is accepted by UCI.
config 'rule'
	option name 'Allow-DNS-LAN'
	option target 'ACCEPT'
	option src 'lan'
	option proto 'tcpudp'
	option dest 'wan'
	option dest_port 53

# Forwarding rule lan -> wan: NTP for every client. The reply below notes
# NTP only needs udp; 'tcpudp' also opens tcp/123.
config 'rule'                                      
	option name 'Allow-NTP-LAN'
	option target 'ACCEPT'                     
	option src 'lan'                           
	option proto 'tcpudp'                      
	option dest 'wan'                          
	option dest_port 123

# Router INPUT only (no dest): tcp/80 and tcp/443 from the AP network.
config  rule                                    
	option name 'Allow-HTTP(S)-Internal-Device'
	option target 'ACCEPT'                  
	option src 'wan'                        
	option family 'ipv4'                    
	option proto 'tcp'                      
	list src_ip '192.168.1.0/24'            
	option dest_port '80 443'                  

# Forwarding rule lan -> wan: only 172.16.20.5 may reach the AP network.
# dest_ip is the /24 itself here (not its negation as in the uci snippet
# above), so this host gets the AP network and, like every other client,
# no general internet forwarding beyond the DNS/NTP rules.
config rule
	option name 'Allow-LAN-Forward'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	list dest_ip '192.168.1.0/24'
	list src_ip '172.16.20.5'

config include                                  
	option path '/etc/firewall.user'

THX

I don't really recommend changing the defaults section unless you really know what you are doing.
But you can restrict the input for the LAN and WAN zones.
In addition, add a DHCP rule for LAN clients if required.
Also, NTP should be just udp, not tcpudp.
