Please excuse the question; unfortunately I have not understood how the firewall works. I would like to understand step by step what is happening and why. Use case: my notebook (192.168.3.2) is connected to the OpenWrt router via WLAN. OpenWrt is connected via its wan port (192.168.1.3) to another router B (192.168.1.1). Now I send a ping from the notebook to router B: ping 192.168.1.1. The question is now what happens. I'll try to guess a little, with emphasis on guessing.
The OpenWrt router sees the traffic on the wifi interface. It now checks whether it can find a network zone that leads from wifi to wan. It goes through the list from top to bottom and takes the first zone that fits.
In my case, zone three would be found, because this is communication between WLan and wan. If no suitable zone could be found, e.g. if the communication were from WLan to lan, then the default settings at the top would be used.
So the third zone was found. This says that in principle the ping request may enter the OpenWrt router (input accept). Because the output is set to drop, the OpenWrt router will not let the ping request go outside. Since I only have one network interface configured for incoming and one for outgoing traffic, the forward setting is irrelevant. Furthermore, it is set to drop, which would also make forwarding impossible. Conclusion: because of the zone, the ping is not allowed through.
Now the traffic rules come into play. These can override the behaviour of the zone configuration. The traffic rules are now searched, from top to bottom, for rules that match my ping request. In my case, I do not believe that there is such a suitable rule. So I now expect that the ping will not get through.
As you guessed, my ping to router B is answered. This means that, as mentioned at the beginning, I have not understood the firewall. Can anyone tell me what is wrong with my thinking? Here is the configuration I currently have.
Thanks for the help, and sorry for asking again on this topic.
# /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:c34b:d63c::/48'

config device
	option name 'eth1'
	option macaddr '5C:49:79:2C:88:66'
	option ipv6 '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config device
	option name 'eth0.1'
	option macaddr '5C:49:79:2C:88:65'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config interface 'WLan'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

# /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'
	option forward 'DROP'
	option output 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'wan'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'WLan'
	option input 'ACCEPT'
	list network 'WLan'
	option forward 'DROP'
	option output 'DROP'

config forwarding
	option src 'WLan'
	option dest 'wan'
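As an added illustration (not part of the post above and not OpenWrt's own fw3/fw4 code), the following Python model walks a packet through the zone logic the way the OpenWrt firewall actually applies it: a packet's source zone is the zone that contains the interface it arrived on, its destination zone is the zone of the interface routing sends it out of, traffic to one of the router's own addresses takes the `input` path (traffic rules first, then the zone's `input` policy), traffic between two different zones is allowed only by a `config forwarding` section and otherwise falls to `config defaults forward`, a zone's `forward` policy only covers traffic between networks inside that same zone, and `output` covers traffic the router itself originates. The constants are taken from the two config files as posted. Assumptions, marked in the code: the real firewall classifies by ingress/egress device, while this model infers the device from which interface's subnet contains the address; the wan prefix is taken as 192.168.1.0/24 (the post only gives 192.168.1.3 and 192.168.1.1); and anything outside every local subnet is assumed to leave via wan. Note what the posted config itself shows when run through this: 192.168.3.2 lies in lan's 192.168.3.0/24, not in WLan's 192.168.4.0/24, and a `config forwarding` from WLan to wan exists as well, so the model accepts the ping from either zone and masquerades it behind the wan address.

```python
"""Toy model of OpenWrt zone-firewall decisions for the config posted above.

Added illustration written for this page, not OpenWrt's fw3/fw4 code.
Assumptions: device inferred from the subnet containing the address (the real
firewall uses the actual ingress/egress device); wan prefix 192.168.1.0/24;
non-local destinations leave via wan (default route learned over DHCP).
"""
import ipaddress

# From the posted /etc/config/network (wan prefix length is assumed).
INTERFACES = {
    "lan": ipaddress.ip_network("192.168.3.0/24"),
    "WLan": ipaddress.ip_network("192.168.4.0/24"),
    "wan": ipaddress.ip_network("192.168.1.0/24"),
}
ROUTER_ADDRS = {"192.168.3.1", "192.168.4.1", "192.168.1.3"}
WAN_ADDR = "192.168.1.3"

# From the posted /etc/config/firewall.
DEFAULTS = {"input": "ACCEPT", "output": "ACCEPT", "forward": "DROP"}
ZONES = {
    "lan": {"networks": ["lan"], "input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "masq": False},
    "wan": {"networks": ["wan"], "input": "DROP", "output": "ACCEPT", "forward": "DROP", "masq": True},
    "WLan": {"networks": ["WLan"], "input": "ACCEPT", "output": "DROP", "forward": "DROP", "masq": False},
}
FORWARDINGS = [("lan", "wan"), ("WLan", "wan")]
# Traffic rules with a 'src' but no 'dest' apply to traffic *to the router*.
# icmp_type/family are not modelled; dest_port None means "any port".
RULES = [
    {"name": "Allow-DHCP-Renew", "src": "wan", "proto": "udp", "dest_port": 68},
    {"name": "Allow-Ping", "src": "wan", "proto": "icmp", "dest_port": None},
    {"name": "Allow-IGMP", "src": "wan", "proto": "igmp", "dest_port": None},
]


def interface_for(addr):
    """Interface whose subnet holds addr; None means 'not directly connected'."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None


def zone_of(iface):
    """Zone whose 'list network' entries include this interface, or None."""
    for zname, zone in ZONES.items():
        if iface in zone["networks"]:
            return zname
    return None


def decide(src, dst, proto="icmp", dest_port=None):
    """Verdict for a packet from src to dst, with the path that produced it."""
    src_zone = zone_of(interface_for(src))
    if dst in ROUTER_ADDRS:
        # INPUT path: traffic rules are checked before the zone's input policy.
        for rule in RULES:
            if (rule["src"] == src_zone and rule["proto"] == proto
                    and rule["dest_port"] in (None, dest_port)):
                return {"path": "input", "src_zone": src_zone,
                        "verdict": "ACCEPT", "by": "rule " + rule["name"]}
        if src_zone is None:
            return {"path": "input", "src_zone": None,
                    "verdict": DEFAULTS["input"], "by": "defaults input"}
        return {"path": "input", "src_zone": src_zone,
                "verdict": ZONES[src_zone]["input"], "by": "zone input"}

    # FORWARD path: egress device comes from routing (assumed wan if not local).
    dst_zone = zone_of(interface_for(dst) or "wan")
    out = {"path": "forward", "src_zone": src_zone, "dst_zone": dst_zone}
    if src_zone is None or dst_zone is None:
        out.update(verdict=DEFAULTS["forward"], by="defaults forward")
    elif src_zone == dst_zone:
        # Zone 'forward' policy governs traffic between networks of one zone.
        out.update(verdict=ZONES[src_zone]["forward"], by="zone forward (intra-zone)")
    elif (src_zone, dst_zone) in FORWARDINGS:
        out.update(verdict="ACCEPT", by="forwarding %s -> %s" % (src_zone, dst_zone))
    else:
        out.update(verdict=DEFAULTS["forward"], by="defaults forward (no forwarding section)")
    if out["verdict"] == "ACCEPT" and dst_zone and ZONES[dst_zone]["masq"]:
        out["snat"] = WAN_ADDR  # masq '1' on wan rewrites the source address
    return out


def router_output(dst):
    """Traffic the router itself originates: the destination zone's 'output'."""
    zone = zone_of(interface_for(dst) or "wan")
    return ZONES[zone]["output"] if zone else DEFAULTS["output"]


if __name__ == "__main__":
    for s, d in [("192.168.3.2", "192.168.1.1"), ("192.168.4.2", "192.168.1.1"),
                 ("192.168.4.2", "192.168.3.2"), ("192.168.1.1", "192.168.3.1")]:
        print(s, "->", d, decide(s, d))
    print("router -> 192.168.4.2:", router_output("192.168.4.2"))
```

Running it shows the ping from 192.168.3.2 (lan zone) to 192.168.1.1 (wan zone) accepted by the lan-to-wan forwarding and source-translated to 192.168.1.3; a host that really sat on 192.168.4.0/24 would be accepted by the WLan-to-wan forwarding in the same way, while WLan-to-lan traffic, which has no forwarding section, falls to the DROP in `config defaults`. The WLan zone's `output 'DROP'` only affects packets the router itself sends to that zone.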