Firewall still allows traffic to pass although blocking rules are setup

Hi there,

I configured a new zone for my IoT devices, where I only allow certain flows and block all the rest.

I've set up the zone to drop on INPUT, OUTPUT and FORWARD and only configured the traffic that is allowed through the traffic rules.

However, when I connect my laptop to my IoT zone, it seems that the firewall rules are not applied properly, as some flows still go through...
For example, I still have access to my Synology NAS (192.168.5.250), which has one of its interfaces in the same subnet.

Can you please explain to me what I'm doing wrong? I really need those firewall rules to work as expected to ensure security...

This is easier to diagnose if you post your configuration in text form (rather than screenshots). Also, how is the laptop connecting (wired or wireless), and what specific tests have you run?

This is expected behavior if the NAS has an interface on the same subnet as the IoT network that the laptop is using. Traffic on the same subnet is switched (L2) and does not reach the firewall (which is only involved for routed/L3 connections).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Below the files requested:

DHCP:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option domain 'home'
	list notinterface 'wan'
	option sequential_ip '1'
	list server '192.168.0.250'
	list server '192.168.5.250'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '12h'
	option start '50'
	list dhcp_option '6,192.168.0.250,1.1.1.1'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	list dns 'fe80::xxx:xxxx:xxxx:xxxx'
	list domain 'home'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


config dhcp 'IoT'
	option interface 'IoT'
	option start '50'
	option leasetime '24h'
	option limit '100'
	list dhcp_option '"6,192.168.5.1"'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'


config dhcp 'iot'
	option leasetime '12h'
	option interface 'iot'
	list domain 'iot'
	list dhcp_option '6,192.168.5.250,1.1.1.1'
	list dhcp_option '15,iot'
	option start '10'
	option limit '40'

Network:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda8:1129:473c::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	list dns '192.168.0.250'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.5'
	option gateway '192.168.1.1'
	list dns '1.1.1.1'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config route
	option target '192.168.2.0'
	option gateway '192.168.0.250'
	option netmask '255.255.255.0'
	option interface 'lan'

config route
	option gateway '192.168.0.250'
	option netmask '255.255.255.0'
	option interface 'lan'
	option target '172.17.0.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2 3t 4t 5t'

config interface 'iot'
	option proto 'static'
	option ifname 'eth1.3'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.1'
	list dns '192.168.5.251'

Wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option country 'BE'
	option channel '100'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'my_password'
	option encryption 'psk2'
	option ssid 'Titi'
	option ifname 'wlan-Titi'
	option macfilter 'deny'
	list maclist 'some_mac'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'
	option country 'BE'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'my_password'
	option encryption 'psk2'
	option ssid 'Titi-2.4'
	option ifname 'wlan-Titi24'
	option macfilter 'deny'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key 'another_password'
	option ifname 'Wifi-IoT'
	option network 'iot'
	option ssid 'Titi-IoT'

Firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'HTTPS'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	list proto 'tcp'
	option dest_port '443'

config redirect
	option src 'wan'
	option name 'DiskStation'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	option dest_port '5002'
	option src_dport '5002'
	list proto 'tcp'

config redirect
	option dest_port '32400'
	option src 'wan'
	option name 'Plex'
	option src_dport '32400'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option src 'wan'
	option name 'Tomcat '
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	option src_dport '80'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'LetsEncryptRenew'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	option enabled '0'
	list proto 'tcp'

config redirect
	option dest_port '1194'
	option src 'wan'
	option name 'OpenVPN'
	option src_dport '1194'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'

config redirect
	option dest_port '3478'
	option src 'wan'
	option name 'iSpyAgent (TURN port)'
	option src_dport '3478'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	list proto 'udp'

config rule
	option dest_port '1194'
	option src 'wan'
	option name 'Allow VPN traffic'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip 'Public_ipv6'
	list dest_ip 'another_ipv6'

config redirect
	option dest_port '6690'
	option src 'wan'
	option name 'Synology Drive'
	option src_dport '6690'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '50100-50200'
	option src 'wan'
	option name 'iSpy'
	option src_dport '50100-50200'
	option target 'DNAT'
	option dest_ip '192.168.0.250'
	option dest 'lan'
	list proto 'udp'

config rule
	option src 'lan'
	option name 'Stop iSPy go out'
	option dest 'wan'
	list dest_ip '74.125.128.127'
	option target 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

config rule
	option dest_port '53 67 68'
	option name 'Allow DHCP for IoT'
	option target 'ACCEPT'
	option src 'iot'

config rule
	option dest_port '68'
	list proto 'udp'
	option name 'Allow DHCP to client'
	option dest 'iot'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'iot'
	option name 'Allow DNS to DiskStation'
	option dest 'iot'
	list dest_ip '192.168.5.250'
	option target 'ACCEPT'

config rule
	option dest_port '123'
	option name 'Allow NTP for IoT'
	option target 'ACCEPT'
	option src 'iot'

config rule
	option dest_port '554'
	option name 'Allow RTSP to Camera from iSpy'
	option target 'ACCEPT'
	option dest 'iot'
	option src 'iot'
	list src_ip '192.168.5.250'

config rule
	list proto 'tcp'
	option name 'Allow HA to internet'
	list src_ip '192.168.5.252'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'iot'

config rule
	option name 'Allow HA to reach IoT devices'
	list src_ip '192.168.5.252'
	option target 'ACCEPT'
	option dest 'iot'
	option src 'iot'

config rule
	option dest_port '1883'
	option name 'Allow MQTT to server'
	list dest_ip '192.168.5.252'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest 'iot'
	option src 'iot'

config rule
	option src 'iot'
	option name 'Allow Nest to internet'
	list src_ip '192.168.5.234'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option name 'Allow Google Home to reach Nest Mini'
	option dest 'iot'
	list dest_ip '192.168.5.234'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option name 'Allow Tuya lamp to connect to internet'
	list src_ip '192.168.5.101'
	list src_ip '192.168.5.102'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'iot'

config rule
	option dest_port '22'
	option src 'lan'
	option dest 'iot'
	list dest_ip '192.168.5.252'
	option target 'ACCEPT'
	option name 'Enable SSH'

config rule
	option dest 'wan'
	option src 'iot'
	option target 'ACCEPT'
	list src_ip '192.168.5.230'
	option name 'Allow Hue to connect to internet'
	list proto 'tcp'
	option enabled '0'

config rule
	option src '*'
	option name 'Block access to Raspberry on LAN'
	option dest 'lan'
	list dest_ip '192.168.0.252'
	option target 'DROP'

config rule
	option dest_port '443'
	option src 'iot'
	option name 'Allow Luci'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest 'iot'
	option src 'iot'
	option name 'Drop all remaining traffic'
	option target 'DROP'

What specific tests have you performed? Please provide details.

Also, all of your firewall rules that have a source and destination in the same zone have zero purpose since the traffic will not pass through the firewall.

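As an added example (not code from the thread or from OpenWrt), the check below parses UCI-style firewall text and lists every rule whose src and dest are the same zone, the rules the reply above calls pointless; the embedded sample is a constructed excerpt of the config posted earlier in the thread.

```python
"""Find OpenWrt firewall rules whose src and dest are the same zone.
Hosts in one zone share a bridged subnet, so their traffic is switched at L2
and never reaches the router's L3 firewall: such rules match nothing."""
import re

# Constructed excerpt of the /etc/config/firewall posted in the thread.
SAMPLE_FIREWALL = """
config zone
	option name 'iot'
	option input 'DROP'
	option forward 'DROP'

config rule
	option dest_port '53'
	option src 'iot'
	option name 'Allow DNS to DiskStation'
	option dest 'iot'
	list dest_ip '192.168.5.250'
	option target 'ACCEPT'

config rule
	option dest_port '22'
	option src 'lan'
	option dest 'iot'
	list dest_ip '192.168.5.252'
	option target 'ACCEPT'
	option name 'Enable SSH'

config rule
	option dest 'iot'
	option src 'iot'
	option name 'Drop all remaining traffic'
	option target 'DROP'
"""
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
VALUE_RE = re.compile(r"""^(option|list)\s+(\S+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))$""")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            sections.append((sec.group(1), {".name": [sec.group(2) or ""]}))
            continue
        val = VALUE_RE.match(line)
        if val and sections:  # 'option' holds one value, 'list' may repeat
            value = next(v for v in val.groups()[2:] if v is not None)
            sections[-1][1].setdefault(val.group(2), []).append(value)
    return sections

def intra_zone_rules(text):
    """Names of rules with src == dest; '*' (any) and input-only rules are skipped."""
    found = []
    for stype, opts in parse_uci(text):
        src, dest = opts.get("src", [None])[0], opts.get("dest", [None])[0]
        if stype == "rule" and src and src != "*" and src == dest:
            found.append(opts.get("name", ["<unnamed>"])[0])
    return found
```

Run it against the full `cat /etc/config/firewall` output to see which iot-to-iot rules can be dropped without changing what the firewall actually enforces.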

All my devices connect directly to the router through wireless or one of the network ports... hence 2 interfaces are bridged...

I was hoping I could restrict all traffic only towards my Home assistant installation (and a few other required flows).

I thought the firewall would apply when forwarding traffic between the 2 interfaces...

You still have not provided specific examples of the tests you are running.

Being connected to the IoT wireless I was doing the following tests:

Test case

  • Connect to Home Assistant
  • Expected: Success
  • Result: Success

  • Connect to DiskStation
  • Expected: Failure
  • Result: Success

  • Connect to Management GUI of IOT device
  • Expected: Failure
  • Result: Success

We need to know more about your tests:

For example:

  • Ping test from host on LAN @ 192.168.1.7 to Diskstation @ 192.168.2.10
  • expected result: fail
  • actual result: succeeded

But we also need to know other things that might be relevant such as "the Diskstation also has an address on the 192.168.1.0/24 network -- 192.168.1.10" or whatever.

All my tests currently are solely based on HTTP requests using a browser from my laptop.

Some additional details:

DiskStation:

  • 192.168.0.250/24
  • 192.168.5.250/24
  • Webserver on port 5002

Home Assistant server:

  • 192.168.0.252/24
  • 192.168.5.252/24
  • Webserver on 8123

IoT device:

  • 192.168.5.132/24
  • Webserver on port 80
  • Send MQTT messages to HA server

Laptop on IoT wireless:

  • 192.168.5.11
  • HTTP Connect test using browser to HA, Diskstation, IoT device

All of your devices exist on the same subnet (192.168.5.0/24), so it is expected that they will all be able to communicate.


Is there no way to restrict traffic between devices on a same subnet?

It would be rather strange and very complex to set up individual subnets for individual devices for the purpose of managing the traffic between them...

Yes, the firewall works at layer 3; it can't regulate traffic between devices that are bridged at layer 2.

In order for the firewalling to work, the NAS needs to be in a different network, with a different subnet and layer 3 routing of desired traffic from other zones to it.


Generally speaking, no. The principle of L2 is that the traffic is switched and never goes through the firewall.

First, I wouldn't say this is strange or complex at all... this is standard for networking. You don't need to set up individual subnets for every device, but rather for groups of devices. So, if you want to make sure your IoT devices can't communicate with devices on your trusted LAN, you just need 2 networks to handle that. If you need to further divide the networks to limit specific connections, you could do that, too, but generally you can just do it by broad categories. It really depends on how granular you want to get.

There are a few ways that you can limit things beyond the different subnets, but these are a bit more nuanced on how they function:

  • Wireless client isolation -- this has the ability to prevent wireless devices from connecting to each other, but this only works for devices on the same AP, and does not limit wired-wireless connections. A good example of where this may be useful is a cafe where you have users connecting via wireless and you wish to prevent communication between customer devices (this can be a security benefit to prevent a bad actor or a malware infested system from trying to hack other people's machines).
  • local firewalls -- you can set the firewalls on the individual host systems to only accept connections from designated IP addresses. How this is achieved will depend on the specifics of each host operating system and the services that are being hosted, but this is another way to limit connectivity.
  • Bridge firewall: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge -- this is a method of firewalling L2 connections, but it requires that all traffic actually traverse the bridge. It will not work if there are other paths that the traffic can take (such as through a hardware switch). You can think of this like blocking a road -- it will work well to prevent people from getting from one point to another as long as that road is the only path that connects them. If there are other roads that have not been blocked, people can simply take a detour.

Alright... after an evening of fuzzing around... I think I managed to get to something that looks more like what I want, following your feedback above (thanks, it was very well explained).

I moved my 2 servers (diskstation & HA) to a new interface that is based on a different subnet.
I've set up my IoT interface on the wireless side to have client isolation. As the nodes only talk to the servers (and with the servers now in a different subnet/interface), the firewall rules apply and I can better segregate the traffic flowing between the individual components.

With this I'm able to strongly increase my home security in case of a breach on one of my IoT devices.

Thanks again for all the feedback & advice.

At least it is a protection for lateral movement in a network.
But the most common breach for IoT devices is DDoS bots living inside them and making them support big DDoS networks, with very limited WAN traffic from each IoT device across the whole world.
But a firewall will not stop this traffic, since forwarding from the network to wan is normally allowed.

Well not in my case... :wink:
I restricted all traffic from my IoT devices to WAN and the reverse... only a few devices have I authorized to reach WAN (like Tuya, as they are still based on cloud polling, and Hue for updates).

The IoT network cannot be accessed directly from WAN and neither from LAN. That fully protects my IoT devices.


Nice 😃
A little off point, but still an OpenWRT/OpenVPN server based tip.
Hue (the Philips thing). I managed to evade their cloud based remote control with my VPN tunnel. Then I could use the app to control the Hue hub from within the network even if I was away from home.
But the Hue is still allowed to update itself.

I have a Netatmo weather station also but that is 100% cloud based. And it doesn’t seem to update firmware that often (or at all?). So I am a bit skeptical about the Netatmo cyber security.

But I haven’t had time to do that much tweaking with the IoT network other than make it and put the IoT devices inside of it and block it from reaching the admin network.
So I have this work “still in progress”.

How did you find out, as easily as possible, what WAN connections every IoT device must be allowed to have? Did you log the packets for a time?

Using Home Assistant, it talks to local APIs on the bridge. Hence a traffic rule from my 'servers' towards my 'iot' subnet is sufficient to turn my lights on/off... I almost never use the Hue app itself.

Currently I have traffic rules enabled for some devices to reach the internet. But I will disable them soon, as, like you mentioned, updates don't occur that often... So if I enable them once a month, it should be sufficient.

If you start off your firewall rules by putting Deny on input, output & forwarding, you can also enable logging for that zone.
In your system log you will then see the source IP, destination IP and corresponding port numbers...
Based on this trace you can open up some routes to the internet.

I currently have generic routes open (towards the full internet), but I still need to work further on putting some IP restrictions in place to make it more secure.

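The deny-and-log workflow described above, as an added example (not code from the thread or from OpenWrt): it summarises the zone's logged drops from the system log into per-device flows and renders the narrowest fw3 rule that would allow each one. The log lines are constructed for the example, the "<TARGET> <zone> <chain>: " prefix followed by netfilter key=value fields is the assumed shape of fw3 zone logging, and forwarded flows are assumed to be heading to the wan zone (the thread's wan device is eth0.2).

```python
"""Summarise fw3 zone-log drops into the narrowest candidate allow rules.
Assumes logging is enabled on a zone whose input/output/forward policies
are DROP. The log lines below are constructed in the assumed shape of fw3
zone logging: "<TARGET> <zone> <chain>: " then netfilter key=value fields."""
import re
from collections import Counter

SAMPLE_LOG = """\
kernel: [100.1] DROP iot forward: IN=br-iot OUT=eth0.2 SRC=192.168.5.234 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=443 SYN
kernel: [100.2] DROP iot forward: IN=br-iot OUT=eth0.2 SRC=192.168.5.234 DST=203.0.113.10 PROTO=TCP SPT=41001 DPT=443 SYN
kernel: [101.0] DROP iot forward: IN=br-iot OUT=eth0.2 SRC=192.168.5.101 DST=1.1.1.1 PROTO=UDP SPT=5353 DPT=53
kernel: [102.0] DROP iot in: IN=br-iot OUT= SRC=192.168.5.11 DST=192.168.5.1 PROTO=TCP SPT=50000 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"(?P<target>DROP|REJECT) (?P<zone>\w+) (?P<chain>in|out|forward): "
    r"IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dport>\d+))?"
)

def summarize_drops(log_text):
    """Count dropped flows keyed by (zone, chain, src, dst, proto, dport)."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (m["zone"], m["chain"], m["src"], m["dst"],
                   m["proto"].lower(), m["dport"] or "")
            flows[key] += 1
    return flows

def uci_rule_for(flow, wan_zone="wan"):
    """Render the narrowest fw3 rule that would allow one observed flow.
    Forwarded flows are assumed to be heading to the wan zone; 'in' flows
    are addressed to the router itself, so they get no dest zone."""
    zone, chain, src, dst, proto, dport = flow
    lines = ["config rule", f"\toption src '{zone}'", f"\tlist src_ip '{src}'",
             f"\tlist proto '{proto}'"]
    if chain == "forward":
        lines += [f"\toption dest '{wan_zone}'", f"\tlist dest_ip '{dst}'"]
    if dport:
        lines.append(f"\toption dest_port '{dport}'")
    lines.append("\toption target 'ACCEPT'")
    return "\n".join(lines)

if __name__ == "__main__":
    for flow, count in summarize_drops(SAMPLE_LOG).most_common():
        print(f"# seen {count}x")
        print(uci_rule_for(flow), end="\n\n")
```

Feed it `logread` output from the router; pinning each rule to a source IP and destination is what turns the generic "allow to internet" rules into per-device least-privilege ones.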