Firewall rules input = reject on multiple zones with access to DHCP and DNS

Hello!

I'm looking for a solution to put 3 VLAN zones in a firewall input = reject zone, but both being able to access the router or any other VLANs. Setting 1 zone and forwarding the ports for DHCP and DNS works great, but doing it on 2 zones did not work, so I need to configure some rules to access the internet. Masquerading is not really my big know-how, so I'm not sure how to go.

I have an untrusted IoT, a trusted IoT and a guest network.
I do not want any of these to have access to the router.
Setting the firewall rule input=reject will just disable the internet.
I also tried to block all the gateways, but that also blocks the internet.

Not sure how to fix this. Any input? :slight_smile:

Can you clarify these seemingly conflicting statements?


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

You need to allow port 53 for DNS and ports 67-68 for DHCP.

Add the following in your /etc/config/firewall
Change the SRC as needed.

config rule
        option src 'iot'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option name 'iot-DNS'

config rule
        option src 'iot'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'iot-DHCP'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option name 'iot-DHCPv6'
        option family 'ipv6'
        option src 'iot'
        option src_port '546'
        option dest_port '547'

config rule
        option target 'ACCEPT'
        option name 'iot-SLAAC'
        option family 'ipv6'
        option src 'iot'
        option proto 'icmp'
        list icmp_type 'router-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'neighbour-advertisement'
        list icmp_type '141'
        list icmp_type '142'
        list icmp_type '148'
        list icmp_type '149'
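As an added example (not from the answer above and not OpenWrt's own tooling), the same DNS and DHCP rules generated as uci batch commands for any number of source zones: `option src` names exactly one zone, so every zone that has input REJECT needs its own copy of the rules. The zone names in the usage line (Guest, IoTTrusted, IoTUntrusted) are the ones used in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits `uci batch` commands that
# allow DNS (53/tcp+udp) and DHCP (67-68/udp) from one source zone to the
# router itself, mirroring the IPv4 rules given in the answer above.
# Each call produces one rule pair for exactly one zone.

gen_dns_dhcp_rules() {
    zone="$1"
    # Unquoted EOF so ${zone} expands; the single quotes reach uci literally.
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='${zone}-DNS'
set firewall.@rule[-1].src='${zone}'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='${zone}-DHCP'
set firewall.@rule[-1].src='${zone}'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].src_port='67-68'
set firewall.@rule[-1].dest_port='67-68'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# One rule pair per zone named on the command line (zone names assumed to
# match the `option name` of an existing `config zone`).
gen_for_zones() {
    for z in "$@"; do
        gen_dns_dhcp_rules "$z"
    done
}

# When run directly with zone names, print the batch to stdout so it can be
# reviewed before it is piped into uci.
if [ "$#" -gt 0 ]; then
    gen_for_zones "$@"
fi
```

Usage on the router: `sh genrules.sh Guest IoTTrusted IoTUntrusted | uci batch && uci commit firewall && /etc/init.d/firewall restart`. Review the generated commands first; the script deliberately does not commit anything itself. The IPv6 DHCPv6 and SLAAC rules from the answer can be added the same way if the zones carry an IPv6 prefix.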

Just to clarify, the port forward works like a charm, say when you have only a guest network. I've done it and it works flawlessly.

But I've got multiple zones and VLANs.
Adding another firewall rule for port 53 and 67-68 won't apply to both? Only 1 zone can have this applied? Or am I mistaken???

Adding the interface to the same zone seems not possible due to it having completely different DHCP servers?

I'm curious whether this will work with multiple zones and VLANs?

So to clarify:

VLAN 10 - has a firewall zone for IoT trusted
VLAN 20 - has a firewall zone for IoT untrusted
VLAN 30 - has a firewall zone for the guest network
VLAN 40 - home network

I forwarded DNS and DHCP on VLAN 30.
Works flawlessly.

VLAN 10 and VLAN 20 have firewall input as rejected, which means they are out of reach for DHCP. Forwarding DNS and DHCP to VLAN 10 and 20 I could not get to work...

I want to do this:
VLAN 40 has full access to all of these networks.
VLAN 30 has only internet access and is isolated. This VLAN should have router access denied and access to any of the other VLANs mentioned above denied.
VLAN 20 has internet access like VLAN 30, but I would like to access it from VLAN 40.
VLAN 10 has internet access; this VLAN should be able to crosstalk with VLAN 40 in and out. No access to the router.

Well, first of all, this topic seems to have a big confusion about what is what for firewall zones (a zone is a group of one or more interfaces), VLANs (L2 data management) and interfaces (L3 data management).

You can not have a VLAN in a zone, since the firewall works only with logical data on L3, not bit data on L2.
So you can only have interfaces in firewall zones.

And then there is the concept of firewall forward (traffic between interfaces inside a zone), input (traffic from interfaces in the zone to the device) and output (traffic from the device to interfaces inside the zone).

Unless you show us your config files according to the earlier post, this thread will go nowhere.


Hi!

My apologies, here is the config. As a note, I have not yet set up the LAN network properly. I've only been tinkering with guest, IoT untrusted and IoT trusted.

Also, I want to mention that I added multiple copies of this rule to the untrusted and trusted zones, but changed the zone, and then noted I could not do so because it would only apply to 1 of the networks.
config rule
        option src 'Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option name 'DHCP+DNS Guest'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdaa:70a6:35a0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.8.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'vlan10'
        option device 'eth1.10'
        option proto 'static'
        option ipaddr '10.128.64.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'vlan20'
        option device 'eth1.20'
        option proto 'static'
        option ipaddr '10.13.129.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'vlan30'
        option device 'eth1.30'
        option proto 'static'
        option ipaddr '10.13.128.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'vlan40'
        option device 'eth1.40'
        option proto 'static'
        option ipaddr '10.5.15.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'vlan50'
        option device 'eth1.50'
        option proto 'static'
        option ipaddr '10.200.145.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'DummyEmpty'
        option proto 'static'
        option device 'eth1.999'
        option ipaddr '10.1.10.1'
        option netmask '255.255.255.252'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '3'
        option limit '40'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan10'
        option interface 'vlan10'
        option start '30'
        option limit '70'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan20'
        option interface 'vlan20'
        option start '30'
        option limit '50'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan30'
        option interface 'vlan30'
        option start '20'
        option limit '20'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan40'
        option interface 'vlan40'
        option start '10'
        option limit '30'
        option leasetime '12h'
        option dhcpv4 'server'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan30'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option src 'Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option name 'DHCP+DNS Guest'

config zone
        option name 'IoTTrusted'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan10'

config forwarding
        option src 'IoTTrusted'
        option dest 'wan'

config zone
        option name 'IoTUntrusted'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan20'

config forwarding
        option src 'IoTUntrusted'
        option dest 'wan'
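An added example (not the poster's config and not an OpenWrt tool) that checks a firewall config for exactly the gap visible in the post above: a zone whose input policy is REJECT but that has no ACCEPT rule from that zone covering port 53. The embedded sample is a trimmed copy of the zone and rule stanzas posted in this thread, so the script runs without a router; the function names are my own. Rules with no `option proto` are counted as matching, since OpenWrt treats a missing proto as tcp+udp, and rules with an `option dest` are ignored because they are forward rules, not input rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists every zone with
# `option input 'REJECT'` (wan excluded) that lacks an ACCEPT input rule
# from that zone whose dest_port covers 53, i.e. zones where clients will
# not be able to reach the router's DNS.

# Constructed sample: the zone/rule stanzas from the posted config, trimmed.
sample_firewall() {
cat <<'EOF'
config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'

config zone
        option name 'lan'
        option input 'ACCEPT'

config zone
        option name 'Guest'
        option input 'REJECT'
        list network 'vlan30'

config rule
        option src 'Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option name 'DHCP+DNS Guest'

config zone
        option name 'IoTTrusted'
        option input 'REJECT'
        list network 'vlan10'

config zone
        option name 'IoTUntrusted'
        option input 'REJECT'
        list network 'vlan20'
EOF
}

# Reads UCI firewall syntax on stdin, prints offending zone names, one per
# line, sorted. Values are unquoted by stripping the single quotes (passed
# in as q so the awk program itself needs no quote characters).
zones_missing_dns_rule() {
awk -v q="'" '
function flush() {
    if (sect == "zone" && zname != "" && zname != "wan" && zinput == "REJECT")
        rej[zname] = 1
    # an input rule has src but no dest; target ACCEPT; dest_port covering 53
    if (sect == "rule" && rsrc != "" && rdest == "" && rtarget == "ACCEPT" && covers53(rport))
        ok[rsrc] = 1
    sect = ""; zname = ""; zinput = ""; rsrc = ""; rdest = ""; rtarget = ""; rport = ""
}
# dest_port may be a single port, a space-separated list, or a range lo-hi
function covers53(spec,    n, parts, i, r) {
    n = split(spec, parts, " ")
    for (i = 1; i <= n; i++) {
        if (parts[i] == "53") return 1
        if (split(parts[i], r, "-") == 2 && r[1] + 0 <= 53 && 53 <= r[2] + 0) return 1
    }
    return 0
}
$1 == "config" { flush(); sect = $2 }
($1 == "option" || $1 == "list") && NF >= 3 {
    val = $3
    for (i = 4; i <= NF; i++) val = val " " $i
    gsub(q, "", val)
    if (sect == "zone" && $2 == "name")      zname = val
    if (sect == "zone" && $2 == "input")     zinput = val
    if (sect == "rule" && $2 == "src")       rsrc = val
    if (sect == "rule" && $2 == "dest")      rdest = val
    if (sect == "rule" && $2 == "target")    rtarget = val
    if (sect == "rule" && $2 == "dest_port") rport = val
}
END { flush(); for (z in rej) if (!(z in ok)) print z }
' | sort
}

# `sh audit.sh --demo` runs it over the embedded sample; on a router use
# `zones_missing_dns_rule < /etc/config/firewall`.
if [ "${1:-}" = "--demo" ]; then
    sample_firewall | zones_missing_dns_rule
fi
```

On the posted config this reports IoTTrusted and IoTUntrusted and stays silent for Guest, which is the one zone that already carries a DNS/DHCP accept rule. The same per-zone rule pair is what the other two zones still need.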