Firewall zone defaults wrong?

I have a wifi network which is hosting untrusted IOT devices. I want traffic coming from that zone to be dropped and not rejected.

Here's the zone config:

config zone
        option name 'IOT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'DEV_IOT'
        option forward 'DROP'

And here's what fw3 makes from it:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1220K 1236M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
1214K 1235M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 3347  426K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   34  2040 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3314  199K zone_IOT_forward  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_forward  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3314  199K reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Note the IOT rule saying that traffic coming from device wlan1 (which is the IOT device) goes to zone_IOT_forward. This is the chain for it:

Chain zone_IOT_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3314  199K forwarding_IOT_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom IOT forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
 3314  199K zone_IOT_dest_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

forwarding_IOT_rule is empty and traffic is bound to enter the zone_IOT_dest_DROP chain which should drop the packets.

Chain zone_IOT_dest_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      wlan1   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

This rule will not be applied, as we're coming here with packets being forwarded from wlan1 (the top-level forwarding rule for zone_IOT_forward requires packets incoming from wlan1), and this rule only applies to packets destined for wlan1, which is a contradiction.

Am I missing something here?

This is on OpenWrt 21.02.1 r16325-88151b8303.

Yes.

The forwarding option you're using relates to intra-zone traffic, i.e. it determines what happens to traffic passing between interfaces within the same zone. If the zone only has one interface it'll never be used.

What exactly are you trying to achieve? Are you wanting to prevent all traffic from that zone from having any access to your trusted LAN, the internet, both?


Both - and it's working. I just wanted to drop packets instead of rejecting them. That's what I thought the zone's default forward policy should do. But thanks to your explanation I now understand that this is not how it's meant to be.
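To get the drop behaviour the original poster was after for traffic leaving the IOT zone, here is an added configuration example (not from the thread or the OpenWrt project) for /etc/config/firewall on fw3; it assumes the zone names `IOT`, `lan` and `wan` as they appear in the thread, and the rule names are made up:

```uci
# Added example, not from the thread. Explicit DROP rules for traffic that
# leaves the IOT zone towards the trusted LAN and the internet. The zone names
# IOT, lan and wan are assumed to match this router's /etc/config/firewall.

# Unchanged zone from the thread. 'forward' only governs traffic between
# interfaces that are members of the same zone (intra-zone), so with a single
# interface in the zone it never matches, as the answer above explains.
config zone
        option name 'IOT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'DEV_IOT'
        option forward 'DROP'

# Inter-zone traffic with no matching 'config forwarding' entry falls through
# to the global policy in 'config defaults' (REJECT out of the box), which is
# what produces the final 'reject' target in the FORWARD chain. These rules
# match first and silently drop instead. Rules default to tcp+udp, so
# 'proto all' is needed to cover ICMP and anything else.
config rule
        option name 'Drop-IOT-to-lan'
        option src 'IOT'
        option dest 'lan'
        option proto 'all'
        option target 'DROP'

config rule
        option name 'Drop-IOT-to-wan'
        option src 'IOT'
        option dest 'wan'
        option proto 'all'
        option target 'DROP'

# Alternative with a wider blast radius: change the global fallback so every
# forwarded packet without an allowing rule, from any zone, is dropped rather
# than rejected.
# config defaults
#         option forward 'DROP'
```

After `/etc/init.d/firewall restart`, `iptables -nvL zone_IOT_forward` should list the two DROP rules, and their packet counters, rather than the counter on the FORWARD chain's final reject, should increase as the IoT devices try to talk out.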
