Hi everyone,
I am using a GL.iNet Mango MT300N-v2 with OpenWrt 23.05.5, r24106-10cc5fcd00.
I need to block all UDP traffic to port 10000 from passing between switch ports on my GL.iNet. I have successfully configured firewall rules, and everything works perfectly once the system is fully up and running.
Current Configuration
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option bridge_vlan_filtering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	list ports 'eth0.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'
/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Block-UDP-10000-LAN'
	option proto 'udp'
	option src 'lan'
	option dest '*'
	option dest_port '10000'
	option target 'DROP'
	option log '1'
/etc/nftables.conf

table inet filter {
	chain forward {
		type filter hook forward priority 0;
		meta l4proto udp th dport 10000 drop
	}
}
/etc/sysctl.conf

net.bridge.bridge-nf-call-iptables=1
The Problem
Even though the firewall rules correctly block UDP traffic between switch ports after boot, I've noticed that for about 1.5 seconds during boot, UDP packets on port 10000 are allowed to pass between switch ports. Checking logread, I see:
- 4.5 seconds after power on → The switch is activated:
Sat Feb 1 09:22:47 2025 kern.info kernel: [ 4.575060] rt3050-esw 10110000.esw: port 1 link up
- 6.2 seconds after power on → The switch is deactivated:
Sat Feb 1 09:22:47 2025 kern.info kernel: [ 6.247007] rt3050-esw 10110000.esw: port 1 link down
- 10.4 seconds after power on → The switch is activated:
Sat Feb 1 09:22:47 2025 kern.info kernel: [ 10.436324] rt3050-esw 10110000.esw: port 1 link up
- 18 seconds after previous messages → The firewall is loaded:
Sat Feb 1 09:23:05 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
It seems that somewhere within this interval, before the firewall is fully loaded, packets are able to pass between ports.
Question
Since the firewall already blocks this traffic perfectly after boot, is there a way to prevent the switch from being activated until the firewall is fully ready?
Has anyone encountered this issue before or found a way to delay switch activation?
Thanks!
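To put a number on the unprotected window described in the post, here is an added shell script (not part of the original post, and not an OpenWrt tool) that scans logread output for the last switch "link up" event before the first firewall reload and prints how many wall-clock seconds lie between them. The sample log below is constructed from the lines quoted above; on a live router you would pass `"$(logread)"` instead.

```shell
#!/bin/sh
# Added example: measure the boot-time gap between switch link-up and firewall load.
# Constructed sample, modelled on the logread lines quoted in the post.
SAMPLE_LOG='Sat Feb 1 09:22:47 2025 kern.info kernel: [ 4.575060] rt3050-esw 10110000.esw: port 1 link up
Sat Feb 1 09:22:47 2025 kern.info kernel: [ 6.247007] rt3050-esw 10110000.esw: port 1 link down
Sat Feb 1 09:22:47 2025 kern.info kernel: [ 10.436324] rt3050-esw 10110000.esw: port 1 link up
Sat Feb 1 09:23:05 2025 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)'

# exposure_window LOGTEXT
# Prints the wall-clock seconds between the last "link up" seen before the first
# firewall reload and that reload. Field 4 of a logread line is HH:MM:SS.
# Prints "none" when either event is missing (e.g. log wrapped or firewall never reloaded).
exposure_window() {
    printf '%s\n' "$1" | awk '
        /esw: port [0-9]+ link up/ && !reloaded { last_up = $4 }
        /firewall: Reloading firewall/ && !reloaded { reload = $4; reloaded = 1 }
        END {
            if (last_up == "" || reload == "") { print "none"; exit }
            split(last_up, a, ":"); split(reload, b, ":")
            print (b[1]*3600 + b[2]*60 + b[3]) - (a[1]*3600 + a[2]*60 + a[3])
        }'
}

# link_transitions LOGTEXT
# Counts switch port link up/down events that happened before the firewall reload,
# which shows how often the port flapped while no rules were loaded.
link_transitions() {
    printf '%s\n' "$1" | awk '
        /firewall: Reloading firewall/ { exit }
        /esw: port [0-9]+ link (up|down)/ { n++ }
        END { print n + 0 }'
}

# Run against the constructed sample when executed directly.
echo "seconds between last link-up and firewall reload: $(exposure_window "$SAMPLE_LOG")"
echo "link transitions before firewall reload: $(link_transitions "$SAMPLE_LOG")"
```

Wall-clock timestamps in early boot come from the RTC or the last saved time, so the absolute values are unreliable, but the difference between two lines from the same boot is still meaningful.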