I have a Wi-Fi network which is hosting untrusted IOT devices. I want traffic coming from that zone to be dropped and not rejected.
Here's the zone config:
config zone
option name 'IOT'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'DEV_IOT'
option forward 'DROP'
And here's what fw3 makes from it:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1220K 1236M forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
1214K 1235M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
3347 426K zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
34 2040 zone_wan_forward all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3314 199K zone_IOT_forward all -- wlan1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_vpn_forward all -- wg0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3314 199K reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Note the IOT rule saying that traffic coming from device wlan1 (which is the IOT device) goes to zone_IOT_forward. This is the chain for it:
Chain zone_IOT_forward (1 references)
pkts bytes target prot opt in out source destination
3314 199K forwarding_IOT_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom IOT forwarding rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
3314 199K zone_IOT_dest_DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
forwarding_IOT_rule is empty, and traffic is bound to enter the zone_IOT_dest_DROP chain, which should drop the packets.
Chain zone_IOT_dest_DROP (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * wlan1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
This rule will not be applied, as we're coming here with packets being forwarded from wlan1 (the top-level forwarding rule zone_IOT_forward requires packets incoming from wlan1), and this rule only applies to packets destined for wlan1, which is a contradiction.
Am I missing something here?
This is on OpenWrt 21.02.1 r16325-88151b8303.
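To make the chain walk in the post checkable, here is an added example (not from the post, OpenWrt, or fw3) that parses the relevant chains from the dump above and returns the terminal target a forwarded packet reaches; it embeds the post's own rules as a constructed sample and assumes, as the post states, that the custom forwarding chains are empty.

```python
import re
# Constructed sample: the FORWARD path from the post's `iptables -nvL` output for a packet
# entering on wlan1; chains not listed (the empty custom chains, other zones) match nothing.
DUMP = """
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1220K 1236M forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0
1214K 1235M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3314 199K zone_IOT_forward all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
3314 199K reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_IOT_forward (1 references)
pkts bytes target prot opt in out source destination
3314 199K forwarding_IOT_rule all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
3314 199K zone_IOT_dest_DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_IOT_dest_DROP (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * wlan1 0.0.0.0/0 0.0.0.0/0
"""
# fw3's `reject` chain is not in the dump; treat it as terminal like the built-in targets.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "reject"}

def parse(dump):  # -> {chain: [{target, in, out, ctstate}]}
    chains, cur = {}, None
    for line in dump.strip().splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif not line.startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out src dst [extra]
            m = re.search(r"ctstate (\S+)", " ".join(f[9:]))
            chains[cur].append({"target": f[2], "in": f[5], "out": f[6],
                                "ctstate": set(m.group(1).split(",")) if m else None})
    return chains

def walk(chains, name, pkt):  # first-match evaluation, descending into user chains
    for r in chains.get(name, []):
        if (r["in"] not in ("*", pkt["in"]) or r["out"] not in ("*", pkt["out"])
                or (r["ctstate"] and pkt["ctstate"] not in r["ctstate"])):
            continue
        if r["target"] in TERMINAL:
            return r["target"]
        hit = walk(chains, r["target"], pkt)  # no verdict there: resume after the jump
        if hit:
            return hit
    return None

def verdict(in_if, out_if, ctstate="NEW", dump=DUMP):  # terminal target or chain policy
    return walk(parse(dump), "FORWARD",
                {"in": in_if, "out": out_if, "ctstate": ctstate}) or "policy DROP"
```

Run with `verdict("wlan1", "pppoe-wan")` to see a new IOT-to-WAN flow end at the final `reject` rule, while `verdict("wlan1", "wlan1")` is the only case that reaches the zone's `DROP`.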