Firewall starts up too late!

Check these messages from the system log:

Fri Mar  9 20:46:47 2018 user.notice mwan3: ifup interface iptv (eth0.3)
Fri Mar  9 20:46:47 2018 daemon.info procd: - init complete -
Fri Mar  9 20:46:47 2018 user.notice firewall: Reloading firewall due to ifup of iptv (eth0.3)
Fri Mar  9 20:46:48 2018 user.warn igmpproxy[1403]: No interfaces found for source 100.70.45.19

Interface iptv should get an IP for itself by DHCP, and then the iptv box in lan should get an IP (192.168.2.0/24) from the router. But now, when I reboot the router, the box gets an IP (100.70.45.19) from outside (the iptv zone). I added the firewall rule below to prevent it:

config rule
	option src 'iptv'
	option dest 'lan'
	option name 'REJECT-DHCP'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option target 'REJECT'

But it doesn't work at all! The box still got an IP from outside. There is just a very, very short time between interface iptv coming up and the firewall working. In that time, were iptv and lan connected as a bridge, so that the traffic could get through without any limitation? Was that a bug?
I also tried on other devices, and the same issue came out.

This makes no sense. There's no way the DHCP packet is traveling across VLANs.

Perhaps, you have some other configuration issue or a relay enabled.

  • I surmise this means you set up DHCP in both LANs?
  • Please describe this 'iptv zone': is it the Internet... or another VLAN???

Sorry about my poor description.
I set up 2 WAN connections via 2 physical ports. One is for internet, the other is for iptv. The iptv connection gets an IP from a DHCP server. The internet connection is PPPoE. When I reboot the router and the devices in lan at the same time, the devices in lan (my PC, phones, iptv box) get an IP (100.xxx.xxx.xxx) which should be assigned to the iptv WAN interface, instead of a lan IP (192.168.xxx.xxx). Then I reboot the devices in lan, and they finally get the correct IP (192.168.xxx.xxx).
Is this weird?

Firewall settings:

firewall

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option target 'ACCEPT'
option proto 'udp'
option name 'IPTV-DHCP'
option family 'ipv4'
option src 'iptv'
option dest_port '68'
option enabled '0'

config rule
option target 'ACCEPT'
option name 'IPTV-IGMP'
option family 'ipv4'
option proto 'igmp'
option src 'iptv'

config rule
option target 'ACCEPT'
option dest 'lan'
option name 'ALLOW-MULTICAST'
option proto 'udp'
option dest_ip '224.0.0.0/4'
option family 'ipv4'
option src 'iptv'

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'

config include
option path '/etc/firewall.user'

config zone
option name 'iptv'
option forward 'REJECT'
option output 'ACCEPT'
option network 'iptv'
option masq '1'
option mtu_fix '1'
option input 'REJECT'

config forwarding
option dest 'iptv'
option src 'lan'

config rule
option target 'ACCEPT'
option name 'udpxy'
option proto 'udp'
option dest_ip '224.0.0.0/4'
option src 'iptv'
option family 'ipv4'

config rule
option name 'IPTV-DHCP-Renew’
option src 'iptv'
option proto 'udp’
option dest_port '68’
option target 'ACCEPT’
option family ‘ipv4’

config include 'shadowsocks_libev'
option type 'script'
option path '/usr/share/shadowsocks-libev/firewall.include'
option reload '1'

config forwarding
option dest 'wan'
option src 'lan'

Update:
It seems that I found the cause. It was this rule in the firewall config:
config rule
option name 'IPTV-DHCP-Renew’
option src 'iptv'
option proto 'udp’
option dest_port '68’
option target 'ACCEPT’
option family ‘ipv4’
After I removed this rule, devices in lan didn't get the wrong IP (100.x.x.x) on boot of the router.
But it is there to allow the IPTV interface to renew its IP. It's an input rule instead of a forward rule, so how can it have an effect in the lan zone on the very first boot?

Now I have a temporary solution: add "sleep 60 && iptables -A input_iptv_rule -p udp -m udp --dport 68 -m comment --comment "IPTV-DHCP" -j ACCEPT" to the web page "System" - "Startup" - "Local Startup". But another issue happened. The startup of some applications, like "igmpproxy", is delayed. They don't start up on time.
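As an added check (example code written for this thread, not from the original post or from OpenWrt's own tooling): a small parser for the UCI firewall format pasted above that reports which fw3 chain each rule lands in (src only is an input rule, src plus dest is a forward rule) and flags lines whose quoting UCI cannot parse, which is what the typographic quotes in the pasted IPTV-DHCP-Renew rule produce. The sample config inside the script is constructed in the shape of the post's rules.

```python
"""Added example (not from the original post): parse a UCI firewall config,
flag lines UCI cannot parse, and report which fw3 chain each rule lands in."""
import re

# Constructed sample shaped like the post's config; rule 2 carries the typographic
# quotes of the pasted 'IPTV-DHCP-Renew' rule (to UCI, U+2019 never closes the opening ').
SAMPLE = """config rule
\toption name 'REJECT-DHCP'
\toption src 'iptv'
\toption dest 'lan'
\toption target 'REJECT'

config rule
\toption name 'IPTV-DHCP-Renew\u2019
\toption src 'iptv'
\toption target 'ACCEPT\u2019
"""
TYPO_QUOTES = "\u2018\u2019\u201c\u201d"
# option/list <key> <value>; value in matching ASCII quotes or a bare token
OPTION_RE = re.compile(
    r"^\s*(option|list)\s+(\w+)\s+(?:'([^']*)'|\"([^\"]*)\"|([^'\"\s]\S*))\s*$")


def parse_uci(text):
    """Return (sections, problems); problems are (line_no, text) pairs."""
    sections, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("config "):
            sections.append({"type": line.split()[1]})
            continue
        m = OPTION_RE.match(line)
        if not m or not sections or any(c in TYPO_QUOTES for c in line):
            problems.append((no, line.strip()))
            continue
        sections[-1][m.group(2)] = next(v for v in m.group(3, 4, 5) if v is not None)
    return sections, problems


def rule_chain(rule):
    """fw3 placement: src only -> input, dest only -> output, both -> forward."""
    if "src" in rule and "dest" in rule:
        return "forward"
    return "input" if "src" in rule else "output"


def audit(text):
    """(name, chain) for every rule section, plus the lines that do not parse."""
    sections, problems = parse_uci(text)
    rules = [s for s in sections if s["type"] == "rule"]
    return [(r.get("name", "<unnamed>"), rule_chain(r)) for r in rules], problems
```

On the router itself, `uci show firewall` performs the real parse and reports the exact line UCI rejects.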