Hi folks!

Please help me to verify if I understand the firewall "zones" correctly.

The zone "guest" contains just one interface "guest" with a wifi AP.


FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone.

The setting "forward" is irrelevant here, because the zone "guest" contains just a single interface. Is that correct?

Yes, your assumption is correct. If there was a second interface in zone guest, forwarding would be rejected to/from the first interface, however both would be able to forward to wan.

So if I set input to "accept", all traffic from "guest" to "wan" is allowed. If I like to control that traffic, I have to do that in the "Traffic rules"?

Yep, as well as zone-to-zone forwardings.

No, these are not connected.

You can control any traffic in "Traffic Rules". However, you can apply default group settings with the zone settings.


Those are the default rules which apply should no other rule pre-empt them. Rules are considered in order. The first one in the list with matching conditions will accept or reject the packet. If there are no matches, finally the zone default is used.

Forwarding between zones always requires a specific rule.

You mean I have to create forward to wan in the "inter zone forwarding"? But in that example this is already done, isn't it?

Yes, it is.
As @mk24 wrote:

The INPUT of guest zone however is not about inter zone. It is about ingress traffic from the guest interface to the device. Traffic that has final destination the router. Traffic that will not be forwarded to another router.

OK, let's say I set "input" on the guest zone to "reject". That means the client connected to the "guest AP" will get no DHCP, DNS from the router. But if I set static IP and DNS to ISP on the client, traffic to "" over https would be allowed? (Assuming all other settings are correct)

That is correct, and that is why a rule for dns and dhcp is part of the guest guide.

If there is a guest->wan forwarding, then yes.
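To make the answers above concrete, here is an added /etc/config/firewall fragment (an example written for this thread, not posted by any of the participants) that puts the pieces together: a guest zone whose default input policy is REJECT, a guest->wan forwarding, and the two traffic rules that let guest clients still reach the router's DHCP and DNS. It assumes a network interface named "guest" and an existing zone named "wan".

```text
# Zone defaults: anything not matched by a traffic rule falls through to these.
# input  = traffic from the guest interface destined for the router itself
# output = traffic from the router to the guest interface
# forward = traffic between interfaces of this zone (only one here, so moot)
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Zone-to-zone forwarding has to be stated explicitly; without this section
# guest clients cannot reach the internet even though input/output are set.
config forwarding
	option src 'guest'
	option dest 'wan'

# Traffic rules are evaluated before the zone default, first match wins.
# With input REJECT above, these two rules are what keeps DHCP and DNS working.
config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

A rule without a "dest" option applies to the router itself (the input path), which is why these two rules punch holes in the zone's input policy rather than in the forwarding to wan.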

Perfect, that helps a lot!

Well, it's not easy for a network noob like me to understand all that. But you guys are super helpful!

Thank you @trendy, @vgaetera and @mk24 for your inputs!


