Firewall: What happens step by step?

Please excuse the question; unfortunately I have not understood how the firewall works. I would like to understand step by step what is happening and why. Use case: my notebook (192.168.3.2) is connected to the OpenWrt router via WLAN. OpenWrt is connected via its wan port (192.168.1.3) to another router B (192.168.1.1). Now I send a ping from the notebook to router B: ping 192.168.1.1. The question is now what happens. I'll try to guess a little, with emphasis on guessing.
The OpenWrt router sees the traffic on the wifi interface. It now checks whether it can find a network zone that leads from wifi to wan. It goes through the list from top to bottom and takes the first zone that fits.

In my case, zone three would be found, because this is communication between WLan and wan. If no suitable zone could be found, e.g. if the communication were from WLan to lan, then the default settings at the top would be used.
So the third zone was found. It says that in principle the ping request may enter the OpenWrt router (input accept). Because the output is set to drop, the OpenWrt router will not let the ping request go outside. Since I only have one network interface configured for incoming and one for outgoing traffic, the forward setting is irrelevant; furthermore, it is set to drop, which would also make forwarding impossible. Conclusion: because of the zone, the ping is not allowed through.
Now the traffic rules come into play. These can override the behaviour of the zone configuration. The traffic rules are now searched from top to bottom for rules that match my ping request. In my case, I do not believe there is such a matching rule. So I now expect that the ping will not get through.

As you may have guessed, my ping to router B is answered, which means that, as mentioned at the beginning, I have not understood the firewall. Can anyone tell me what is wrong with my thinking? Here is the configuration I currently have.

Thanks for the help, and sorry for asking again on this topic.

# /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc1:c34b:d63c::/48'

config device
	option name 'eth1'
	option macaddr '5C:49:79:2C:88:66'
	option ipv6 '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config device
	option name 'eth0.1'
	option macaddr '5C:49:79:2C:88:65'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config interface 'WLan'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

# /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'
	option forward 'DROP'
	option output 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'wan'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'WLan'
	option input 'ACCEPT'
	list network 'WLan'
	option forward 'DROP'
	option output 'DROP'

config forwarding
	option src 'WLan'
	option dest 'wan'

How?

config interface 'WLan'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

WLan1 network is on 192.168.4.1/24

Show us ifconfig from your laptop.

(Remember to redact passwords, MAC addresses and any public IP addresses you may have)

The input and output rules relate to traffic intended directly for the router or sent by the router itself. The forwarding between zones is controlled by the zone forwarding (i.e. the first column, with the zone name and an arrow to other zones). Because you have a forwarding between WLan and wan, this allows the ping to traverse the firewall.


Please see https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones for how the zone section works.

By default, related traffic, i.e. traffic related to or replying to a connection initiated from a controlled network (such as lan) to an uncontrolled network (such as wan), is allowed. In simple words: you can initiate traffic from lan to wan and you will receive the answer (thanks to the conntrack module), but you are not allowed to answer traffic initiated from wan, i.e. from the insecure network to your secure lan network.
So the zone forwarding rule "lan to wan" is a unidirectional rule.
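To make the two replies above concrete (input/output only concern the router itself, zone-to-zone traffic is decided by the forwarding sections, and replies are accepted by conntrack), here is an added Python model of how fw3/fw4 evaluate a zone configuration. It is not OpenWrt's own code: the FIREWALL_CONFIG string is constructed from the zones, forwardings and Allow-Ping rule posted in this thread, and the model assumes, as the real firewall does, that an ESTABLISHED/RELATED conntrack match is checked before any zone policy. The zone 'forward' policy is applied only to traffic between networks of the same zone; traffic between different zones needs a 'config forwarding' or a matching rule, otherwise 'config defaults' decides.

```python
"""Toy model of how OpenWrt's fw3/fw4 turn /etc/config/firewall into verdicts.
Added example, not OpenWrt code. FIREWALL_CONFIG below is constructed from the
thread's zones, forwardings and Allow-Ping rule. Assumes, like the real firewall,
that conntrack accepts ESTABLISHED/RELATED packets before any zone policy."""
import shlex

FIREWALL_CONFIG = """
config defaults
    option input 'ACCEPT'
    option forward 'DROP'
    option output 'ACCEPT'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
config zone
    option name 'wan'
    option input 'DROP'
    option output 'ACCEPT'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'
config zone
    option name 'WLan'
    option input 'ACCEPT'
    option forward 'DROP'
    option output 'DROP'
    list network 'WLan'
config forwarding
    option src 'WLan'
    option dest 'wan'
"""


def parse_uci(text):
    """Parse UCI syntax into [{'type', 'options', 'lists'}] (section names ignored)."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "options": {}, "lists": {}})
        elif tok[0] == "option":
            sections[-1]["options"][tok[1]] = tok[2]
        elif tok[0] == "list":
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return sections


class Firewall:
    def __init__(self, text):
        secs = parse_uci(text)
        self.defaults = next(s["options"] for s in secs if s["type"] == "defaults")
        self.zones = {s["options"]["name"]: s["options"] for s in secs if s["type"] == "zone"}
        self.forwardings = {(s["options"]["src"], s["options"]["dest"])
                            for s in secs if s["type"] == "forwarding"}
        self.rules = [s["options"] for s in secs if s["type"] == "rule"]

    def policy(self, zone, chain):
        """Zone input/output/forward policy, falling back to 'config defaults'."""
        return self.zones[zone].get(chain, self.defaults[chain]).upper()

    def verdict(self, src, dest, proto="icmp", icmp_type="echo-request",
                dport=None, established=False):
        """src/dest are zone names; None stands for the router itself.
        Returns (chain, verdict, reason) as fw3's generated chains would decide."""
        if established:  # conntrack shortcut: replies never reach the zone policies
            return "conntrack", "ACCEPT", "reply to an existing connection"
        if src is None:  # router-originated traffic: OUTPUT chain (output-only rules not modelled)
            return "OUTPUT", self.policy(dest, "output"), "zone output policy"
        for r in self.rules:  # 'config rule' entries sit at the top of the zone's chain
            if (r.get("src"), r.get("dest")) != (src, dest):
                continue
            if r.get("proto", proto) != proto or r.get("icmp_type", icmp_type) != icmp_type:
                continue
            if "dest_port" in r and r["dest_port"] != str(dport):
                continue
            chain = "INPUT" if dest is None else "FORWARD"
            return chain, r["target"].upper(), "rule " + r.get("name", "?")
        if dest is None:  # traffic addressed to the router itself: INPUT chain
            return "INPUT", self.policy(src, "input"), "zone input policy"
        if (src, dest) in self.forwardings:  # inter-zone traffic needs a 'config forwarding'
            return "FORWARD", "ACCEPT", f"forwarding {src} -> {dest}"
        if src == dest:  # a zone's 'forward' policy only governs intra-zone traffic
            return "FORWARD", self.policy(src, "forward"), "intra-zone forward policy"
        return "FORWARD", self.defaults["forward"].upper(), "defaults forward policy"


if __name__ == "__main__":
    fw = Firewall(FIREWALL_CONFIG)
    for case in [("WLan", "wan"), ("wan", "WLan"), ("WLan", None), (None, "WLan")]:
        print(case, "->", fw.verdict(*case))
```

Running it shows the point of the thread: a ping from a WLan (or lan) client to router B is FORWARD traffic and is accepted by the WLan->wan (or lan->wan) forwarding, the echo reply comes back through conntrack, while a new ping from router B towards a WLan client hits the defaults forward DROP. The WLan zone's output DROP only stops the OpenWrt router itself from opening connections to WLan clients.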

Ahh, the first column is the point. I think you've taken me miles further now!!! Thanks a lot :)
