I am trying to understand why a network flow is allowed given my router (an EdgeRouter X) configuration.
I have a number of VLANs defined, with each VLAN corresponding to a firewall Zone:
wan - connection to the internet via modem
lan - local trusted network (192.168.1.0/24)
modem - to enable connectivity to the modem management web ui (192.168.0.0/24)
vlan10 - isolated network with wan access (192.168.10.0/24)
vlan20 - isolated network with wan access (192.168.20.0/24)
The unexpected allowed traffic flow is from vlan20, vlan10 and lan to modem - can anyone clue me in on why this traffic is allowed with the configuration below - I would expect it to be blocked as there is no explicit forward from vlan10/vlan20/lan to modem.
/etc/config/firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'DROP'
option forward 'DROP'
config zone
option network 'vlan10'
option name 'vlan10'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'vlan10'
config zone
option forward 'REJECT'
option name 'vlan20'
option output 'ACCEPT'
option network 'vlan20'
option input 'REJECT'
config zone
option network 'modem'
option forward 'REJECT'
option name 'modem'
option input 'REJECT'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'vlan20'
config rule
option dest_port '53'
option src 'vlan10'
option name 'Allow-vlan10-DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'vlan10'
option name 'Allow-vlan10-DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'vlan20'
option name 'Allow-vlan20-DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'vlan20'
option name 'Allow-vlan20-DHCP'
option target 'ACCEPT'
list proto 'udp'
config redirect 'adblock_dns_53'
option name 'Adblock DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_dns_853'
option name 'Adblock DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_dns_5353'
option name 'Adblock DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
Maybe it's because network wan and modem share the same linux interface eth0.2. Since vlan20 to wan is allowed and generated netfilter rule matches on interface name, it's essentially eth0.20 to eth0.2 allowed.
iptables-save -t filter may tell a lot here
EDIT: hmm, wan interface should be pppoe-wan. Still iptables-save output should help
Thanks @yousong - here is the output of iptables-save -t filter
Edit: updated - I had added two temporary rules to block the traffic flows i didn't want from vlan10 and vlan20. Updated now to reflect the output given the configuration in the OP
# iptables-save -t filter
# Generated by iptables-save v1.8.3 on Wed Feb 24 07:27:45 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vlan10_rule - [0:0]
:forwarding_vlan20_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vlan10_rule - [0:0]
:input_vlan20_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vlan10_rule - [0:0]
:output_vlan20_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_modem_dest_ACCEPT - [0:0]
:zone_modem_dest_REJECT - [0:0]
:zone_modem_forward - [0:0]
:zone_modem_input - [0:0]
:zone_modem_output - [0:0]
:zone_modem_src_REJECT - [0:0]
:zone_untrusted_forward - [0:0]
:zone_untrusted_input - [0:0]
:zone_untrusted_output - [0:0]
:zone_vlan10_dest_ACCEPT - [0:0]
:zone_vlan10_dest_REJECT - [0:0]
:zone_vlan10_forward - [0:0]
:zone_vlan10_input - [0:0]
:zone_vlan10_output - [0:0]
:zone_vlan10_src_REJECT - [0:0]
:zone_vlan20_dest_ACCEPT - [0:0]
:zone_vlan20_dest_REJECT - [0:0]
:zone_vlan20_forward - [0:0]
:zone_vlan20_input - [0:0]
:zone_vlan20_output - [0:0]
:zone_vlan20_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_input
-A INPUT -i br-vlan20 -m comment --comment "!fw3" -j zone_vlan20_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_modem_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_forward
-A FORWARD -i br-vlan20 -m comment --comment "!fw3" -j zone_vlan20_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_modem_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_output
-A OUTPUT -o br-vlan20 -m comment --comment "!fw3" -j zone_vlan20_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_modem_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_modem_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_modem_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_modem_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_modem_forward -m comment --comment "!fw3" -j zone_modem_dest_REJECT
-A zone_modem_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_modem_input -m comment --comment "!fw3" -j zone_modem_src_REJECT
-A zone_modem_output -m comment --comment "!fw3" -j zone_modem_dest_ACCEPT
-A zone_modem_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
-A zone_vlan10_dest_ACCEPT -o br-vlan10 -m comment --comment "!fw3" -j ACCEPT
-A zone_vlan10_dest_REJECT -o br-vlan10 -m comment --comment "!fw3" -j reject
-A zone_vlan10_forward -m comment --comment "!fw3: Custom vlan10 forwarding rule chain" -j forwarding_vlan10_rule
-A zone_vlan10_forward -m comment --comment "!fw3: Zone vlan10 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vlan10_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vlan10_forward -m comment --comment "!fw3" -j zone_vlan10_dest_REJECT
-A zone_vlan10_input -m comment --comment "!fw3: Custom vlan10 input rule chain" -j input_vlan10_rule
-A zone_vlan10_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-vlan10-DNS" -j ACCEPT
-A zone_vlan10_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-vlan10-DNS" -j ACCEPT
-A zone_vlan10_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Allow-vlan10-DHCP" -j ACCEPT
-A zone_vlan10_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vlan10_input -m comment --comment "!fw3" -j zone_vlan10_src_REJECT
-A zone_vlan10_output -m comment --comment "!fw3: Custom vlan10 output rule chain" -j output_vlan10_rule
-A zone_vlan10_output -m comment --comment "!fw3" -j zone_vlan10_dest_ACCEPT
-A zone_vlan10_src_REJECT -i br-vlan10 -m comment --comment "!fw3" -j reject
-A zone_vlan20_dest_ACCEPT -o br-vlan20 -m comment --comment "!fw3" -j ACCEPT
-A zone_vlan20_dest_REJECT -o br-vlan20 -m comment --comment "!fw3" -j reject
-A zone_vlan20_forward -m comment --comment "!fw3: Custom vlan20 forwarding rule chain" -j forwarding_vlan20_rule
-A zone_vlan20_forward -m comment --comment "!fw3: Zone vlan20 to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vlan20_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vlan20_forward -m comment --comment "!fw3" -j zone_vlan20_dest_REJECT
-A zone_vlan20_input -m comment --comment "!fw3: Custom vlan20 input rule chain" -j input_vlan20_rule
-A zone_vlan20_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-vlan20-DNS" -j ACCEPT
-A zone_vlan20_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-vlan20-DNS" -j ACCEPT
-A zone_vlan20_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Allow-vlan20-DHCP" -j ACCEPT
-A zone_vlan20_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vlan20_input -m comment --comment "!fw3" -j zone_vlan20_src_REJECT
-A zone_vlan20_output -m comment --comment "!fw3: Custom vlan20 output rule chain" -j output_vlan20_rule
-A zone_vlan20_output -m comment --comment "!fw3" -j zone_vlan20_dest_ACCEPT
-A zone_vlan20_src_REJECT -i br-vlan20 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i pppoe-wan -m comment --comment "!fw3" -j DROP
-A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Wed Feb 24 07:27:45 2021
Adding option subnet 192.168.0.0/24 may solve the issue.
@yousong this did solve the issue and I think your root cause analysis must be right - wan/wan6 and modem share an interface and so the normal zone specifications don't provide the isolation I was expecting. Thanks for all your help.
Actually, adding subnet 192.168.0.0/24 to the modem zone subsequently prevents me from allowing forwarding from (say) the lan zone explicitly, which is odd.
Is it possible that this was caused by the modem does not route traffics to 192.168.1.0/24 back to eth0.2? That is the traffic does forward out from eth0.2 to modem but modem does not know how to route the response back to the openwrt box. Tcpdump on eth0.2 may confirm if this is the case, but adding masq for modem should also help.
So, it turns out the reason I couldn't connect at all to the modem gui was because I had somehow broken the wan6 interface definition. Once I returned that to the previous state (i.e. dhcpv6 client, eth0.2) connectivity was restored.
Having revisited all of the suggestions in the thread, I am certain that @yousong is correct in the analysis that the reason the "unexpected" traffic flows are allowed is because the modem and wan/wan6 firewall zones both equate to the same physical switch interface. Within the limitations of the way OpenWRTs firewall treats firewall zones, it's then necessary to add traffic rules to block those unexpected flows. Here's where I ended up:
/etc/config/firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'wan wan6'
config zone
option network 'vlan10'
option name 'vlan10'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'vlan10'
config zone
option forward 'REJECT'
option name 'vlan20'
option output 'ACCEPT'
option network 'vlan20'
option input 'REJECT'
config zone
option name 'modem'
list subnet '192.168.0.0/24'
option output 'ACCEPT'
option network 'modem'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'vlan20'
config rule
option dest_port '53'
option src 'vlan10'
option name 'Allow-vlan10-DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'vlan10'
option name 'Allow-vlan10-DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'vlan20'
option name 'Allow-vlan20-DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'vlan20'
option name 'Allow-vlan20-DHCP'
option target 'ACCEPT'
list proto 'udp'
config redirect 'adblock_dns_53'
option name 'Adblock DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_dns_853'
option name 'Adblock DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_dns_5353'
option name 'Adblock DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config rule
option dest 'modem'
option src 'vlan10'
option target 'REJECT'
option name 'Block-vlan10-modem'
list proto 'all'
config rule
option dest 'modem'
option src 'vlan20'
option name 'Block-vlan20-modem'
option target 'REJECT'
list proto 'all'
config rule
option dest '*'
option src 'modem'
option target 'REJECT'
option name 'Block-modem-all'
list src_ip '192.168.0.0/24'