Firewall strange problem: icmp drop or rejected

I have split the br network into two networks

config interface 'lan1'
option device 'lan1'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'lan2'
option device 'lan2'
option proto 'static'
option ipaddr '192.168.178.1'
option netmask '255.255.255.0'
option ip6assign '60'

On network “lan2” I have connected another PC (address 192.168.178.2)

The ping works from router to 192.168.178.2

root@router:~# ping 192.168.178.2
PING 192.168.178.2 (192.168.178.2): 56 data bytes
64 bytes from 192.168.178.2: seq=0 ttl=64 time=1.276 ms
64 bytes from 192.168.178.2: seq=1 ttl=64 time=0.744 ms

but from a PC on the lan (192.168.0.0/24) it is dropped!

I have tried this configuration



config zone
option name             lan
list   network          'lan'
option input            ACCEPT
option output           ACCEPT
option forward          ACCEPT
list network 'br-lan'
list network 'lan1'

config zone
option name             lan2
option input            ACCEPT
option output           ACCEPT
option forward          ACCEPT
list network 'lan2'

config zone
option name             wan
list   network          'wan'
list   network          'wan6'
option input            REJECT
option output           ACCEPT
option forward          REJECT
option masq             1
option mtu_fix          1

config forwarding
option src              lan
option dest             wan

config forwarding
option src              lan2
option dest             lan

config forwarding
option src              lan
option dest             lan2

and the result is drop

With this one



config zone
option name             lan
list   network          'lan'
option input            ACCEPT
option output           ACCEPT
option forward          ACCEPT
list network 'br-lan'
list network 'lan1'
list network 'lan2'

config zone
option name             wan
list   network          'wan'
list   network          'wan6'
option input            REJECT
option output           ACCEPT
option forward          REJECT
option masq             1
option mtu_fix          1

config forwarding
option src              lan
option dest             wan

the result is the same (drop)

A very strange thing happens if I remove “lan2” from the firewall config



config zone
option name             lan
list   network          'lan'
option input            ACCEPT
option output           ACCEPT
option forward          ACCEPT
list network 'br-lan'
list network 'lan1'
list network 'lan2'

becomes



config zone
option name             lan
list   network          'lan'
option input            ACCEPT
option output           ACCEPT
option forward          ACCEPT
list network 'br-lan'
list network 'lan1'

The packets are no longer dropped, but rejected

ping 192.168.178.2
PING 192.168.178.2 (192.168.178.2) 56(84) bytes of data.
From 192.168.0.1 icmp_seq=382 Destination Port Unreachable
From 192.168.0.1 icmp_seq=383 Destination Port Unreachable
From 192.168.0.1 icmp_seq=384 Destination Port Unreachable
From 192.168.0.1 icmp_seq=385 Destination Port Unreachable
From 192.168.0.1 icmp_seq=386 Destination Port Unreachable
From 192.168.0.1 icmp_seq=387 Destination Port Unreachable
From 192.168.0.1 icmp_seq=388 Destination Port Unreachable
From 192.168.0.1 icmp_seq=389 Destination Port Unreachable

How to solve?

There are some things that don't quite look right, but it's best to see the complete config before making any suggestions.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
1 Like

ubus said

ubus call system board
{
"kernel": "6.6.119",
"hostname": "router",
"system": "xRX200 rev 1.2",
"model": "AVM FRITZ!Box 7490 (Micron NAND)",
"board_name": "avm,fritz7490-micron",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "lantiq/xrx200",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}

Complete network config

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix '************'

config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'

config dsl 'dsl'
option annex 'b'
option tone 'av'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan3'
list ports 'lan4'

config device
option name 'lan1'
option macaddr '****'

config device
option name 'lan2'
option macaddr '****'

config device
option name 'lan3'
option macaddr '****'

config device
option name 'lan4'
option macaddr '****'

config interface 'lan1'
option device 'lan1'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'lan2'
option device 'lan2'
option proto 'static'
option ipaddr '192.168.178.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'dsl0'
option macaddr '****'

config interface 'wan'
option device 'dsl0.835'
option proto 'pppoe'
option peerdns '0'
option ipv6 '1'
option username 'proot'
option password 'proot'

#config interface 'wan6'
#	option device ''
#	option proto 'dhcpv6'

config device
option type '8021q'
option ifname 'lan1'
option vid '1'
option name 'lan1.1'

config interface 'dmz'
option proto 'static'
option device 'lan1.1'
option ipaddr '192.168.179.1'
option netmask '255.255.255.0'

Firewall config

config defaults
option syn_flood	1
option input		REJECT
option output		ACCEPT
option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
option name		lan
list   network		'lan'
option input		ACCEPT
option output		ACCEPT
option forward		ACCEPT
list network 'br-lan'
list network 'lan1'
list network 'lan2'

config zone
option name		wan
list   network		'wan'
list   network		'wan6'
option input		REJECT
option output		ACCEPT
option forward		REJECT
option masq		1
option mtu_fix		1

config forwarding
option src		lan
option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name		Allow-DHCP-Renew
option src		wan
option proto		udp
option dest_port	68
option target		ACCEPT
option family		ipv4

# Allow IPv4 ping
config rule
option name		Allow-Ping
option src		wan
option proto		icmp
option icmp_type	echo-request
option family		ipv4
option target		ACCEPT

config rule
option name		Allow-IGMP
option src		wan
option proto		igmp
option family		ipv4
option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name		Allow-DHCPv6
option src		wan
option proto		udp
option dest_port	546
option family		ipv6
option target		ACCEPT

config rule
option name		Allow-MLD
option src		wan
option proto		icmp
option src_ip		fe80::/10
list icmp_type		'130/0'
list icmp_type		'131/0'
list icmp_type		'132/0'
list icmp_type		'143/0'
option family		ipv6
option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
option name		Allow-ICMPv6-Input
option src		wan
option proto	icmp
list icmp_type		echo-request
list icmp_type		echo-reply
list icmp_type		destination-unreachable
list icmp_type		packet-too-big
list icmp_type		time-exceeded
list icmp_type		bad-header
list icmp_type		unknown-header-type
list icmp_type		router-solicitation
list icmp_type		neighbour-solicitation
list icmp_type		router-advertisement
list icmp_type		neighbour-advertisement
option limit		1000/sec
option family		ipv6
option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
option name		Allow-ICMPv6-Forward
option src		wan
option dest		*
option proto		icmp
list icmp_type		echo-request
list icmp_type		echo-reply
list icmp_type		destination-unreachable
list icmp_type		packet-too-big
list icmp_type		time-exceeded
list icmp_type		bad-header
list icmp_type		unknown-header-type
option limit		1000/sec
option family		ipv6
option target		ACCEPT

config rule
option name		Allow-IPSec-ESP
option src		wan
option dest		lan
option proto		esp
option target		ACCEPT

config rule
option name		Allow-ISAKMP
option src		wan
option dest		lan
option dest_port	500
option proto		udp
option target		ACCEPT

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

config zone
option name 'dmz'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list device 'lan1.1'

config forwarding
option src 'lan'
option dest 'dmz'

config forwarding
option src 'dmz'
option dest 'wan'

config redirect
option name            'Https1'
option target          DNAT
option src             wan
option dest            lan
option proto           tcp
option src_dport       443
option dest_ip         192.168.179.3
option dest_port       443
option enabled         1

I have also tried:

changing forward from reject to accept

and changing wan to lan for the IP rules

Nothing changed.

You don't have a network called br-lan so delete that from the list below (yes, there is a device with that name, but you don't want that here, either):

Remove the device from this one and use the network name instead (list network 'dmz'):

1 Like

Never do it again; you can swap drop to reject ONLY without radically changing the firewall logic.

This is wrong (firewall)

list   network		'lan'
option input		ACCEPT
option output		ACCEPT
option forward		ACCEPT
- list network 'br-lan'
list network 'lan1'
list network 'lan2'

Normally on DSA you add VLANs to br-lan and use them for separate subnets; what you do here creates dual configs on some ports, and you never know which will be active on a particular port at any one time/restart/upgrade level.

1 Like
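The two replies above make the same point from different angles: a firewall zone must list network (interface) names, not device names, and every name it lists must exist as a `config interface` section in /etc/config/network. The shell script below is an added example written for this page; it is not from the thread, from OpenWrt or from fw4. It cross-checks the two files and reports exactly the references the posted configuration gets wrong: `lan` and `br-lan` have no `config interface` section, `wan6` is commented out in the posted network config, and the `dmz` zone binds the device `lan1.1` instead of the `dmz` network. Only POSIX sh and awk are needed, so it runs on the router's busybox as well as on a workstation. The config samples embedded in `make_samples` are constructed to mirror the thread's posted configuration; the `firewall.fixed` sample is what the zones look like after the replies' advice is applied. Function names (`uci_interfaces`, `fw_zone_refs`, `fw_lint`, `fw_lint_count`) are this example's own.

```shell
#!/bin/sh
# Added example for this page; not from the thread, OpenWrt or fw4.
# Cross-checks firewall zones against /etc/config/network and reports:
#   1. 'list network X' where no "config interface 'X'" exists
#      (the posted zones reference 'lan', 'br-lan' and a commented-out 'wan6'),
#   2. 'list device X' inside a zone, which should be a 'list network' instead.
# Needs only POSIX sh and awk (busybox on OpenWrt is enough).

# Names of every 'config interface' section in a network config.
# Commented-out sections start with '#config', so awk skips them.
uci_interfaces() {               # $1 = network config path
    awk -v q="'" '$1=="config" && $2=="interface" { gsub(q, "", $3); print $3 }' "$1"
}

# One "<zone> <ref>" line per zone reference; ref is a network name, or
# "DEVICE:<name>" for a 'list device' binding. Name and lists may appear in any
# order inside a section, so everything is collected and printed at END.
fw_zone_refs() {                 # $1 = firewall config path
    awk -v q="'" '
        $1=="config" { n++; sect[n]=$2 }
        sect[n]=="zone" && $1=="option" && $2=="name" { gsub(q, "", $3); name[n]=$3 }
        sect[n]=="zone" && $1=="list" && ($2=="network" || $2=="device") {
            gsub(q, "", $3)
            refs[n] = refs[n] ($2=="device" ? "DEVICE:" : "") $3 " "
        }
        END {
            for (i=1; i<=n; i++) if (sect[i]=="zone") {
                m = split(refs[i], a, " ")
                for (j=1; j<=m; j++) print name[i], a[j]
            }
        }' "$1"
}

# Print one finding per bad reference; exit status 0 only when there are none.
fw_lint() {                      # $1 = network config, $2 = firewall config
    ifaces=" $(uci_interfaces "$1" | tr '\n' ' ') "
    bad=0
    while read -r zone ref; do
        [ -n "$ref" ] || continue
        case "$ref" in
            DEVICE:*)
                echo "zone '$zone': binds device '${ref#DEVICE:}' directly; use list network '<interface>' instead"
                bad=$((bad + 1)) ;;
            *)
                case "$ifaces" in
                    *" $ref "*) ;;          # defined in the network config
                    *) echo "zone '$zone': network '$ref' has no config interface section"
                       bad=$((bad + 1)) ;;
                esac ;;
        esac
    done <<EOF
$(fw_zone_refs "$2")
EOF
    [ "$bad" -eq 0 ]
}

# Number of findings, handy for scripted checks.
fw_lint_count() { fw_lint "$1" "$2" | wc -l | tr -d ' '; }

# Constructed samples: the thread's layout, then the zones after the fixes.
make_samples() {                 # $1 = directory to write into
    cat > "$1/network" <<'EOF'
config interface 'lan1'
	option device 'lan1'
	option proto 'static'
	option ipaddr '192.168.0.1'
config interface 'lan2'
	option device 'lan2'
	option proto 'static'
	option ipaddr '192.168.178.1'
config interface 'wan'
	option device 'dsl0.835'
	option proto 'pppoe'
#config interface 'wan6'
#	option proto 'dhcpv6'
config interface 'dmz'
	option device 'lan1.1'
	option proto 'static'
	option ipaddr '192.168.179.1'
EOF
    cat > "$1/firewall.bad" <<'EOF'
config zone
	option name		lan
	list   network		'lan'
	list network 'br-lan'
	list network 'lan1'
	list network 'lan2'
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
config zone
	option name 'dmz'
	list device 'lan1.1'
EOF
    cat > "$1/firewall.fixed" <<'EOF'
config zone
	option name 'lan'
	list network 'lan1'
	list network 'lan2'
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'dmz'
	list network 'dmz'
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
echo "== firewall as posted =="
fw_lint "$dir/network" "$dir/firewall.bad" || :
echo "== firewall with the replies' fixes =="
fw_lint "$dir/network" "$dir/firewall.fixed" && echo "no findings"
rm -rf "$dir"
```

On the router itself, run `fw_lint /etc/config/network /etc/config/firewall` instead of the samples. The lint only checks that the references line up; it says nothing about whether `lan1` and `lan1.1` being configured on the same port is a sane layout, which is the separate DSA/VLAN point the second reply raises.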

Thanks I will try soon

Back up the current config and reset the device, then re-configure and re-post your /etc/config/network. I'd guess the net ports are glitching, leading you to make panic changes to the firewall.

1 Like

You have reject set on forward for the default.

2 Likes

Incredible! I have rebooted the device (192.168.178.2) and..

ping 192.168.178.2
PING 192.168.178.2 (192.168.178.2) 56(84) bytes of data.
64 bytes from 192.168.178.2: icmp_seq=1 ttl=64 time=11.9 ms
64 bytes from 192.168.178.2: icmp_seq=2 ttl=64 time=8.58 ms

With the same configuration (no modification) used before.

Thanks anyway for help
