Hello all,
I am most probably making one of those very stupid beginner's mistakes. I have set up my router with OpenWrt 19.07.2 with LAN and WAN attached. Now I was defining some traffic rules in the firewall, and I noticed that even extreme rules such as "source WAN to the LAN address of my PC: reject all protocols and ports" have no effect - I also tried different positions of the rule just to be sure. Also, a single forwarded SSH port is not going through.
What locations could I check for dumb mistakes?
Thanks all!
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
/etc/config/network
# Loopback interface with the usual static 127.0.0.1/8 address.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix (redacted in the post).
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
# LAN: a bridge over the VLAN 1 tagged switch port, configured as a DHCP
# *client* rather than with a static address. The replies in this thread
# recommend leaving lan at the default static address; with proto 'dhcp' the
# router's own LAN address depends on some other DHCP server on the LAN.
# NOTE(review): /etc/config/dhcp in the same post has the router serving DHCP
# on lan as well - confirm the intended addressing scheme.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'dhcp'
# WAN: VLAN 2 tagged port, IPv4 via DHCP from the upstream.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# MAC override for the WAN port (redacted in the post).
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xx'
# WAN IPv6: DHCPv6 on the same port, requesting a delegated prefix and an address.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
# Switch: VLANs enabled; VLAN 1 = ports 2-5 (LAN), VLAN 2 = port 1 (WAN),
# both tagged towards the CPU port 0.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
/etc/config/wireless
# radio0: 5 GHz (11a) radio, currently disabled.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option txpower '23'
option channel 'auto'
option disabled '1'
# AP on radio0 bridged into lan, WPA2-PSK; also disabled. Key and SSID are
# redacted in the post. wpa_disable_eapol_key_retries is the hostapd mitigation
# for EAPOL key-retry (KRACK-style) attacks on the 4-way handshake.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option encryption 'psk2'
option wpa_disable_eapol_key_retries '1'
option ssid 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option disabled '1'
# radio1: 2.4 GHz (11g) radio, enabled, country US, auto channel.
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option channel 'auto'
option htmode 'HT40'
option country 'US'
option disabled '0'
# Active AP on radio1 bridged into lan, WPA2-PSK (key/SSID redacted), with the
# same EAPOL key-retry mitigation as above.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option key 'xxxxxxxxxxxxxxxxxxxxx'
option encryption 'psk2'
option ssid 'xxxxxxxxxxxxxxxxxxxxx'
option wpa_disable_eapol_key_retries '1'
/etc/config/dhcp (there is a separate Pi-hole on an RPi3)
# dnsmasq (DNS forwarder + DHCPv4 server). rebind_protection rejects upstream
# answers that point at private ranges (DNS-rebinding defence); localservice
# answers DNS only for local subnets; upstream resolvers come from the WAN
# DHCP lease via /tmp/resolv.conf.auto.
# NOTE(review): the post mentions a separate Pi-hole on the LAN - clients that
# are pointed at it directly bypass these dnsmasq settings; confirm which
# resolver LAN clients actually receive.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# DHCP pool on lan: 150 addresses starting at host offset 100, 12h leases;
# DHCPv6 and router advertisements served by the router.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
# No DHCP service offered on the wan side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles DHCPv6/RA only; dnsmasq stays the main DHCPv4 server.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/etc/config/firewall
# Global policy: traffic to and from the router itself is accepted unless a
# zone overrides it; forwarding between zones is rejected unless a zone policy
# or a 'config forwarding' section allows it. Software flow offloading is on.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
# lan zone: the router accepts connections from LAN hosts; forwarding inside
# the zone (lan to lan through the router) is dropped.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
# wan zone (IPv4 wan + wan6): unsolicited inbound to the router (input) and
# forwarding from wan are dropped; outbound is source-NATed (masq) with TCP MSS
# clamping (mtu_fix).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
# Only lan -> wan forwarding is permitted. There is no wan -> lan forwarding
# section, so wan -> lan traffic can only pass through the explicit rules and
# redirects below.
config forwarding
option src 'lan'
option dest 'wan'
# Rules with src 'wan' and no 'dest' apply to traffic addressed to the router
# itself (input); the following are the stock-style exceptions to the wan
# input DROP policy.
# DHCPv4 lease renewals from the upstream server.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 ping from the Internet - present but disabled (enabled '0').
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 from link-local/ULA sources to the router.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast listener discovery from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 needed for IPv6 to function (incl. PMTU discovery and neighbour
# discovery), rate-limited, to the router itself.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same ICMPv6 essentials forwarded from wan to any zone (dest '*'), rate-limited.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Custom iptables commands, if any, are sourced from this file.
config include
option path '/etc/firewall.user'
# Port forward: connections arriving on wan at src_dport are DNATed to port 22
# on LAN host 192.168.1.183, i.e. that host's SSH service becomes reachable
# from the Internet on that port. '123456' is outside the valid TCP/UDP port
# range (0-65535); the poster later states it is a placeholder substituted for
# the real port. No 'proto' is given, so the redirect applies to both tcp and
# udp.
config redirect
option dest_port '22'
option src 'wan'
option name 'SSH'
option src_dport '123456'
option target 'DNAT'
option dest_ip '192.168.1.183'
option dest 'lan'
# Matches traffic arriving on wan that would be forwarded to the PC
# (192.168.1.10 / its IPv6 address). wan -> lan forwarding is already dropped
# by the wan zone policy and there is no wan -> lan forwarding section, so this
# rule changes nothing observable. Per the replies in this thread the intent
# was to block the PC's *outbound* traffic, which needs src 'lan', dest 'wan'
# and the PC's address in src_ip.
config rule
option src 'wan'
option name 'Test Block'
list dest_ip '192.168.1.10'
list dest_ip 'xxxx::xxxx:xxxx:1xxx:xxxx'
option target 'REJECT'
option dest 'lan'
# src 'wan' combined with a LAN address (192.168.1.2) in src_ip: this matches
# only packets arriving on the wan interface from that address, which is not
# where the LAN device's traffic enters. If the goal is to let that device
# reach NTP on the Internet, the thread's advice is src 'lan', dest 'wan' with
# the device in src_ip.
config rule
option dest_port '123'
option src 'wan'
option name 'Allow NTP'
list src_ip '192.168.1.2'
option dest 'lan'
option target 'ACCEPT'
# Same source/destination inversion as 'Allow NTP': as written this does not
# block the LAN device's Internet access. For that, use src 'lan', dest 'wan',
# src_ip set to the device, and no port conditions (see the thread's advice on
# keeping the match conditions minimal).
config rule
option src 'wan'
option name 'Block Single Devices'
list src_ip '192.168.1.2'
option dest 'lan'
option target 'DROP'
# Accepts forwarded IPsec ESP and ISAKMP (UDP/500) from wan into lan for any
# LAN host (no dest_ip restriction). With masq on wan these are only reachable
# in practice via a matching redirect; keep them only if an IPsec endpoint on
# the LAN is actually intended.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
See firewall example from documentation: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules
config rule
option name 'Reject LAN to WAN for custom IP'
option src 'lan'
option src_ip '192.168.1.2'
option src_mac '00:11:22:33:44:55'
option src_port '80'
option dest 'wan'
option dest_ip '194.25.2.129'
option dest_port '120'
option proto 'tcp'
option target 'REJECT'
Totally - I might have flipped source and destination in the process of copying those rules from my old router - thanks for the hint! And the 123456 is a substitute I put in place of my real SSH port.
Thanks! I appear to have flipped source and destination in the process of copying those rules from my old router - thanks for the hint!
Your firewall rules are structured incorrectly. What is your goal (in simple terms, if possible)? We can help clean up and fix your rules to achieve the goal(s).
Example goals:
Block a computer at a certain address from accessing the internet at all.
Or allow that computer to access the web, but no other protocols.
Or block the web but allow everything else from that computer.
LAN should not be a DHCP client, leave it as the default of a static IP.
By default, incoming connections from the Internet to the router or any of the LAN computers are blocked. Outgoing connections are allowed. If you want to block a LAN computer from reaching the Internet, set up a rule with source lan and the device's IP address. Do not specify a source port, since a PC will originate connections from a random port. Since all the conditions have to match for a rule to have effect, the fewer conditions you have the more likely it will match.
Easiest option - reset the router to defaults. Change only the essentials (WiFi ssid and password, admin password, etc). Leave everything else alone unless there is a reason to change it.
Then, work on a single firewall rule (or sometimes a small set, if there are some dependencies) to achieve a specific goal. Describe your goal and we will help you.