Firewall traffic rule not respecting whitelist

I set up this DNAT rule to allow traffic to my mail server that sits behind my OpenWRT router. The rule forwards WAN traffic to the server as expected but it is not respecting the source address whitelist and is allowing traffic from any source IP.

Scenario: Traffic coming from whitelisted WAN IP to mail server
Expected behavior: Traffic is forwarded to mail server
Actual behavior: Traffic is forwarded to mail server

Scenario: Traffic coming from NON-whitelisted WAN IP to mail server
Expected behavior: Traffic is dropped
Actual behavior: Traffic is forwarded to mail server

Not sure what I'm missing here, any pointers appreciated. The following discussions were informative but did not address whitelist problem.
Forum Discussion 1
Forum Discussion 2
Forum Discussion 3

Version 19.07.7

Default firewall config:

Port Forwards:

Traffic Rules:

cat /etc/config/network

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'ACCEPT'

config zone 'lan'
	option name 'lan'
	option output 'ACCEPT'
	option network 'lan'
	list device 'tun0'
	list device 'tun+'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '25'
	option src 'wan'
	option name 'MAIL'
	option src_dport '25'
	option target 'DNAT'
	option dest_ip ''
	option dest 'lan'
	list proto 'tcp'

The source condition needs to be in the redirect rule. Redirect rules are considered first.

The firewall works by going through the list of rules until one of them matches all its conditions. The action is then taken, and the firewall decision is complete. No rules further down the list will be evaluated for that packet.


@ mk24 Thanks for pitching in. I had tested this theory during my initial troubleshooting and found that I could only whitelist a single source IP / subnet which made me drop this option and focus on getting the traffic rule to work because that ones allows the use of multiple source IPs.

Also, my testing shows that the rules are indeed applied after the redirect. This was demonstrated by changing the rule "drop" and it did indeed block the traffic in the whitelist which means the traffic rules are processed after the redirection.

Just because LuCI red flags something that you attempt to set, doesn't mean it is wrong.

If it really doesn't work even on the CLI to have multiple sources in one rule, write multiple redirect rules, one for each allowed source IP or subnet.

1 Like

I had done numerous grep searches for the whitelist IPs to see which files may contain the configuration but got no results. Any idea where the whitelist parameters are configured?

I never considered using multiple redirect rules, that's ingenious, thanks for the tip! Will turn to that as a last resort.


This worked, thank you.

This also worked, thank you. Because it doesn't require multiple rules, it is cleaner. The changes however don't show in the UI so one must remember to always look in /etc/config/firewall for config.

Resolution steps:

  • Created an IP set with the source addresses

  • Attached the IP set to the forwarding rule

  • Deleted the traffic rule as it was unnecessary as @mk24 pointed out
    (UDP exception explained below)

Lessons learned:

  • "Forwarded" redirect traffic is automatically "allowed" and does not need a "traffic rule" (for example, traffic to a mail server as was the case here) ( :pray: @mk24 )

  • "Input" redirect traffic does also require a traffic rule to allow it to reach the port/service on the router (for example to OpenVPN if the router itself is the server)

  • If the UI says you can't do something it doesn't mean it's not doable

  • IP Sets can be used in "redirect" and "traffic" rules ( :pray: @vgaetera)

  • For UDP traffic, the source address filtering must be applied to both the "redirect" and the "traffic" rules in order for it to work. For TCP traffic, only the "redirect" rule needs to have the filter (ipset)
    (Note: I am not sure if this is inherent to the protocol or to OpenWRT design but it was tested and confirmed to be the case on my router)

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.