Firewall traffic rules not working

Hi there!,

So I'm running a version of OpenWrt 22.03.3 on the Mochabin, but I'm noticing something strange and I'm not sure if it's a bug or a wrong configuration on my end.

The only thing different from the 'clean' default packages was that I self-compiled dnsmasq to v2.88-2 and updated it as an opkg package.

Now, from what I understand, you have firewall zones; these would be the global rules of said interface. Let's say:

zones:
pcnet->wgclient
wgclient->wan
steamcache->wan

Now what I thought should 'normally' work is: I add a traffic rule forwarding src pcnet to steamcache with IP 172.19.0.2 as the external IP, accept the traffic, and thereby override the global zone rule with this forward rule.

Somehow I cannot ping 172.19.0.2; it only works if I put my zones like this:

which means traffic goes through both zones... but often follows the default route supplied by pbr (I tested this with it disabled too, and then by making the traffic rule reject, but it fully ignored it).

But this is not really what I want, because I would like to make the rule more specific by adding an external destination IP, so I'm 100% sure that I never accidentally leak my VPN traffic by, for example, a misconfiguration on my end.

Do I have the wrong picture in mind that traffic rules should take priority over normal firewall zones?

The lancache is a Docker instance, but I was trying the same with a printer on another zone; same problems.

P.S. To not create too much confusion I would rather not send my full lab configuration; it would make it too complicated :stuck_out_tongue:

Here's an example in LuCI of how the zones are:

And as traffic rule I had:

It confuses me why it won't like my ping from pcnet even when pbr is stopped :stuck_out_tongue:

I'm having a hard time understanding the specific scenarios here, so it is difficult to advise.

In particular, we don't know anything about which host(s) are the source and destination of the ping tests, or which networks they are part of.

The screenshots are also not sufficient to understand what firewall rules you have created and what your network config looks like.

To that end, please be very specific about the source and destination IPs for your ping tests and also provide your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
2 Likes

Hello!,

Okay, I'm sending a ping from pcnet to the Docker instance with firewall zone steamcache.

Here is my full configuration:

network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '-redacted-'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option igmp_snooping '1'
	option ipv6 '0'
	option bridge_empty '1'
	option acceptlocal '1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.234.53.1'
	option device 'br-lan.1'
	option force_link '0'

config device
	option name 'br-wan'
	option type 'bridge'
	option macaddr '-redacted-'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'eth2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan0:t'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '51'
	list ports 'lan0:t'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '52'
	list ports 'lan0:t'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '53'
	list ports 'lan0:t'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'

config interface 'wlan0'
	option proto 'static'
	option ipaddr '10.234.80.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option device 'br-wlan0'

config interface 'wlan1'
	option proto 'static'
	option device 'br-lan.51'
	option ipaddr '10.234.81.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'zigbee'
	option proto 'static'
	option ipaddr '10.33.77.1'
	option netmask '255.255.255.0'
	option device 'br-zigbee'

config interface 'tvnet'
	option proto 'static'
	option device 'br-lan.53'
	option ipaddr '172.18.33.1'
	option netmask '255.255.255.0'

config interface 'wgclient'
	option proto 'wireguard'
	list addresses '10.67.41.39/32'
	option private_key '-redacted-'
	option delegate '0'
	option metric '10'
	option defaultroute '0'

config wireguard_wgclient
	option description 'mullvad_nl01'
	option public_key '-redacted-'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '-redacted-'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option disabled '1'

config wireguard_wgclient
	option public_key '-redacted-'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '-redacted-'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'mullvad_nl02'
	option disabled '1'

config wireguard_wgclient
	option description 'mullvad_nl03'
	option public_key '-redacted-'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '127.0.0.1'
	option endpoint_port '1080'
	option disabled '1'

config wireguard_wgclient
	option description 'mullvad_nl04'
	option public_key '-redacted-'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '-redacted-'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config device
	option name 'wan'
	option macaddr '-redacted-'
	option ipv6 '0'

config interface 'wan'
	option proto 'pppoe'
	option username '-redacted-'
	option password '-redacted-'
	option device 'eth2.6'
	option delegate '0'
	option ipv6 '0'
	option metric '20'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '49'
	list ports 'lan0:t'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'

config interface 'pcnet'
	option proto 'static'
	option ipaddr '10.34.79.1'
	option netmask '255.255.255.0'
	option device 'br-pcnet'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-iptv'
	option bridge_empty '1'
	option igmp_snooping '1'
	option ipv6 '0'
	list ports 'eth2.4'

config interface 'iptv'
	option proto 'dhcp'
	option vendorid 'IPTV_RG'
	option device 'br-iptv'
	option delegate '0'

config interface 'wgserver'
	option proto 'wireguard'
	option metric '15'
	option delegate '0'
	option private_key '-redacted-'
	option listen_port '1234'
	list addresses '10.14.0.1/24'

config device
	option name 'br-lan.49'
	option type '8021q'
	option ifname 'br-lan'
	option vid '49'
	option ipv6 '0'

config device
	option name 'br-lan.52'
	option type '8021q'
	option ifname 'br-lan'
	option vid '52'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-zigbee'
	list ports 'br-lan.52'
	option igmp_snooping '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-pcnet'
	list ports 'br-lan.49'
	option igmp_snooping '1'
	option ipv6 '0'

config device
	option name 'br-lan.50'
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-wlan0'
	list ports 'br-lan.50'
	option igmp_snooping '1'
	option ipv6 '0'

config wireguard_wgserver
	option description 'wlan0'
	option public_key '-redacted-'
	list allowed_ips '10.14.0.3/32'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config route
	option metric '10'
	option table 'microsoft'
	option interface 'pcnet'
	option disabled '1'
	option target '10.34.79.1/24'

config interface 'steamcache'
	option proto 'none'
	option device 'br-81dc207e2a7b'

config device
	option name 'br-81dc207e2a7b'
	option type 'bridge'
	option bridge_empty '1'
	option ipv6 '0'

firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	list network 'wan2'
	list network 'wan'

config zone
	option name 'wlan0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wlan0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wlan1'

config zone
	option name 'zigbee'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'zigbee'

config zone
	option name 'tvnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tvnet'

config zone
	option name 'wgclient'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wgclient'
	option input 'DROP'

config forwarding
	option src 'wgclient'
	option dest 'wan'

config forwarding
	option src 'zigbee'
	option dest 'wan'

config forwarding
	option src 'tvnet'
	option dest 'wan'

config forwarding
	option src 'docker'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'pcnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'pcnet'
	option forward 'REJECT'

config rule
	option name 'Allow-IGMP-Proxy-Lan'
	option src 'lan'
	option dest 'lan'
	list dest_ip '224.0.0.1/4'
	option target 'ACCEPT'

config zone
	option name 'iptv'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'iptv'

config forwarding
	option src 'iptv'
	option dest 'wan'

config rule
	option name 'allow iptv'
	option src 'lan'
	option dest 'iptv'
	option target 'ACCEPT'

config rule
	option name 'allow-mcast'
	option src 'iptv'
	option dest 'lan'
	list dest_ip '224.0.0.1/4'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'iptv'

config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wgserver'

config forwarding
	option src 'wlan0'
	option dest 'wgserver'

config rule
	option name 'Allow-chromecast'
	option src 'zigbee'
	list dest_ip '224.0.0.251'
	option target 'ACCEPT'
	option dest_port '5353 5443'
	option dest '*'

config rule
	option name 'Allow-Chromecast'
	option target 'ACCEPT'
	option dest 'zigbee'
	option src 'wgserver'
	option dest_port '8008 8009 8443 5353 5443'

config rule
	option name 'Allow-Chromecast'
	option target 'ACCEPT'
	option src 'zigbee'
	option dest_port '8008 8009 8443'
	option dest 'wgserver'

config rule
	option src 'pcnet'
	list dest_ip '10.33.77.5'
	option dest_port '80 443'
	option target 'ACCEPT'
	option dest 'zigbee'
	option name 'Allow-Printer-To-PCnet'

config rule
	option name 'Block-Chromecast'
	option src 'pcnet'
	list dest_ip '224.0.0.251'
	option dest_port '5353 8008-8009 8443'
	option target 'DROP'

config forwarding
	option src 'wgserver'
	option dest 'wgclient'

config forwarding
	option src 'wlan1'
	option dest 'wgserver'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'pcnet'
	option dest 'wgclient'

config zone
	option name 'steamcache'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	list network 'steamcache'

config forwarding
	option src 'steamcache'
	option dest 'wan'

config forwarding
	option src 'wlan0'
	option dest 'steamcache'

config forwarding
	option src 'wlan1'
	option dest 'steamcache'

config rule
	option src 'lan'
	option dest 'zigbee'
	list dest_ip '10.33.77.5'
	option dest_port '80 443'
	option target 'ACCEPT'
	option name 'Allow-Printer-To-Lan'

config rule
	option name 'Allow-Printer-To-PCNet'
	option src 'pcnet'
	option dest 'zigbee'
	list dest_ip '10.33.77.5'
	option target 'ACCEPT'

config rule
	option name 'Allow pcnet to switch'
	option src 'pcnet'
	option dest 'lan'
	option dest_port '80 443'
	option target 'ACCEPT'
	list dest_ip '10.234.53.10'
	list dest_ip '10.234.53.20'
	list dest_ip '10.234.53.3'

config rule
	option src 'wgserver'
	option dest 'docker'
	list dest_ip '172.17.0.2'
	option target 'ACCEPT'
	option name 'Allow-nextcloud-tunnel'

config rule
	option name 'Allow-nextcloud-pcnet'
	option src 'pcnet'
	option dest 'docker'
	list dest_ip '172.17.0.2'
	option target 'ACCEPT'

config rule
	list dest_ip '172.17.0.3'
	option target 'ACCEPT'
	option dest 'docker'
	option name 'Forward nextcloud to pcnet'
	option src 'pcnet'

config redirect
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option src_dport '5060-5062'
	option dest_ip '10.234.53.1'
	option dest_port '5060'
	option target 'DNAT'
	option enabled '0'
	option name 'Allow-Voip'

config redirect
	option dest_port '53'
	option dest_ip '127.0.0.1'
	option target 'DNAT'
	option src_dport '53'
	option src '*'
	option name 'hijack dns'
	option enabled '0'

config rule
	option src 'pcnet'
	option dest 'steamcache'
	list dest_ip '172.19.0.2'
	option target 'ACCEPT'
	option name 'Allow pcnet to steamcache'

The pcnet zone only talks to the wgclient zone; however, I thought that when I use a traffic rule I can make it able to talk to the steamcache zone as well. Somehow, when I ping, Windows says this:

C:\Users\Guido>ping 172.19.0.2

Pinging 172.19.0.2 with 32 bytes of data:
Reply from 10.34.79.1: Destination port unreachable.
Reply from 10.34.79.1: Destination port unreachable.
Reply from 10.34.79.1: Destination port unreachable.
Reply from 10.34.79.1: Destination port unreachable.

Ping statistics for 172.19.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\Guido>

This is something I cannot get my head around :stuck_out_tongue:

You need to add option proto 'all' to this rule.

Currently you have two nftables rules - for tcp and udp but not for icmp.

2 Likes
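As an added example (not from the thread, and not an OpenWrt or fw4 tool): a small POSIX sh/awk lint that reads a UCI firewall config and reports every 'config rule' section that sets no 'option proto'. The answer above is the point it checks for: with no proto, fw4 emits tcp and udp match rules only, so an ICMP echo (ping) never matches the rule and falls through to the zone forward policy. The sample config is constructed here from the rule quoted in the thread plus two rules that do set a protocol; the file path and the lint_fw_rules function name are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a UCI firewall config for
# 'config rule' sections that carry no 'option proto'. As the answer above
# notes, fw4 then generates tcp and udp match rules only, so an ICMP echo
# (ping) never hits the rule and falls through to the zone forward policy.

# Constructed sample config: the thread's rule (no proto) next to two rules
# that do set proto. Written to a temp file so the lint can be run the same
# way it would be against /etc/config/firewall on the router.
SAMPLE_FW=$(mktemp)
trap 'rm -f "$SAMPLE_FW"' EXIT
cat > "$SAMPLE_FW" <<'EOF'
config rule
	option src 'pcnet'
	option dest 'steamcache'
	list dest_ip '172.19.0.2'
	option target 'ACCEPT'
	option name 'Allow pcnet to steamcache'

config rule
	option name 'Allow-Printer-To-PCNet'
	option src 'pcnet'
	option dest 'zigbee'
	list dest_ip '10.33.77.5'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
EOF

# lint_fw_rules FILE
# Prints one line per 'config rule' section in FILE that has no 'option proto',
# naming the rule (or "(unnamed rule)") and the fix. Prints nothing if every
# rule sets a protocol.
lint_fw_rules() {
    awk '
        function flush() {
            if (in_rule && !has_proto) {
                n = (name == "") ? "(unnamed rule)" : name
                printf "%s: no option proto, so fw4 emits tcp+udp matches only; add option proto all if ICMP must match\n", n
            }
            in_rule = 0; has_proto = 0; name = ""
        }
        # every "config ..." line starts a new section; report the previous one
        $1 == "config" { flush(); if ($2 == "rule") in_rule = 1; next }
        in_rule && $1 == "option" && $2 == "name" {
            name = $0
            sub(/^[ \t]*option[ \t]+name[ \t]+/, "", name)
            gsub("\047", "", name)   # strip single quotes (octal 047)
            gsub("\"", "", name)     # strip double quotes
        }
        in_rule && $1 == "option" && $2 == "proto" { has_proto = 1 }
        END { flush() }
    ' "$1"
}

# Run it on the constructed sample; only "Allow pcnet to steamcache" is reported.
lint_fw_rules "$SAMPLE_FW"
```

On a router the same function can be pointed at /etc/config/firewall; rules it lists that are meant to allow ping (or any non-TCP/UDP protocol) need an explicit 'option proto', as in the fix above.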

Yes, that fixed the issue! I totally forgot ICMP is different from UDP/TCP.

Thanks! :smiley:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.