Firewall Zones - WAN input - drop?

Hi All,

Hope you're doing good.

I have been googling a question for the past week and can't find a definitive answer, so I thought it may be best to ask the experts.

My firewall zones look like this -

Everything seems to work as it should do, so that's great.

It's mainly just a query. I've noticed that under the chain 'Zone_WAN_input' I can get 10k or more worth of drops... it doesn't particularly seem like an issue as the traffic isn't high, but I'm wondering if I'm blocking legitimate traffic? Here it is currently (I reset the counters just now so it only looks like a small amount)

I've run a tcpdump -i WAN dst host <my public IP> and it seems to be just sites we're browsing/our external DNS etc.

And if I enable logging on the WAN zone with a 10/minute filter it seems to output the ton of stuff it's dropping: (public IP and MAC taken out)

Sat Mar 12 09:55:09 2022 kern.warn kernel: [1932.323044] DROP wan in: IN=wan OUT= MAC=00:00:00:00:00:00:00 SRC=104.149.163.234 DST=mypublicip LEN=434 TOS=0x00 PREC=0x00 TTL=47 ID=13245 DF PROTO=UDP SPT=5157 DPT=60181 LEN=414

So I was just looking for some guidance, as I'm fairly new to OpenWRT and just want to ensure I'm not blocking legit traffic, or, if it's by design, why it's dropping that traffic if it is genuine.

Thanks as always guys.

Are you having issues with legitimate traffic?

I assure you, you don't want to allow traffic on WAN. This is a common firewall/security concept not specifically related to OpenWrt.

Of course it should be, you were monitoring your WAN port.

By default, your router is set only to allow ESTABLISHED,RELATED traffic initiated by LAN (or the OpenWrt itself). Everything else that has timed out, already responded or is UNRELATED will be Dropped. Quite simple.
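One way to make sense of a big Zone_WAN_input drop counter is to bucket the logged drops by what they look like, rather than reading them one by one. This is an added example (not code from the thread or from OpenWrt): a small parser for the kernel DROP log lines shown above, with a heuristic that treats packets aimed at a high (ephemeral) destination port as replies that arrived after conntrack forgot the flow, and TCP SYNs to low ports as unsolicited probes. The sample log lines and the 32768 ephemeral-port boundary are assumptions built into the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the OpenWrt kernel log quoted in the
# question (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Sat Mar 12 09:55:09 2022 kern.warn kernel: [1932.323044] DROP wan in: IN=wan OUT= MAC=00:00:00:00:00:00:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=434 TOS=0x00 PREC=0x00 TTL=47 ID=13245 DF PROTO=UDP SPT=5157 DPT=60181 LEN=414
Sat Mar 12 09:55:11 2022 kern.warn kernel: [1934.101000] DROP wan in: IN=wan OUT= MAC=00:00:00:00:00:00:00 SRC=203.0.113.20 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sat Mar 12 09:55:12 2022 kern.warn kernel: [1935.000000] DROP wan in: IN=wan OUT= MAC=00:00:00:00:00:00:00 SRC=203.0.113.53 DST=198.51.100.5 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=UDP SPT=53 DPT=43210 LEN=100
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST"}
EPHEMERAL_START = 32768  # assumption: lower bound of the Linux default ip_local_port_range


def parse_drop_line(line):
    """Return the key=value fields of one DROP log line, or None for any other line."""
    if " DROP " not in line:
        return None
    entry = dict(FIELD_RE.findall(line))  # the second LEN= (UDP/TCP payload) overwrites the first
    entry["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return entry


def classify(entry):
    """Heuristic bucket describing why the packet did not match ESTABLISHED,RELATED."""
    proto, spt, dpt = entry["PROTO"], int(entry["SPT"]), int(entry["DPT"])
    if proto == "TCP" and "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        return "unsolicited SYN to us (probe/scan)"
    if dpt >= EPHEMERAL_START:
        # Addressed to a port the router itself had opened: most likely a reply
        # that arrived after the conntrack entry for that flow had timed out.
        return "late DNS reply" if proto == "UDP" and spt == 53 else "late reply to expired flow"
    return "unsolicited packet to service port"


def summarize(log_text):
    """Count dropped packets per bucket so a large drop counter becomes readable."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_drop_line(line)
        if entry:
            counts[classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {bucket}")
```

On a real router you would feed it `logread` output instead of SAMPLE_LOG; the buckets only hint at intent, so a sudden rise in the "unsolicited" buckets is what deserves a closer look.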

Thanks for the response, lleachii.

I've not noticed anything in particular yet, just more curious as to why.

Completely agree, I wasn't suggesting to change it to accept, I understand the common concept of it, just wondering why it seems like I have legitimate replies that hit that drop rule.

Yes, I understand it would be, I was more suggesting it doesn't seem to be something like DOS traffic etc. that's input to WAN.

Thanks, understood that, it just doesn't answer why sites that should be ESTABLISHED are hitting back to the WAN port and getting dropped.