FW doesn't block correctly on forward to wan

I'm trying to change from OpenWrt 21 to 23.

I have only 2 zones configured:

LAN - uses br-lan (configured to use the physical ports Lan1 to Lan3 of the router and the WiFi)
WAN - uses the physical port LAN4 to connect to the external modem.

In OpenWrt 21.x only those packets were forwarded from LAN to WAN that were accepted in custom rules with iptables. All others were blocked.

Now I installed OpenWrt 23.05 on a test router (same hardware) and it seems all packets are forwarded. I don't even have to add rules via LuCI.

If I define traffic rules, for example port 80/443 are accepted in forward to wan and as the last rule "all others should be rejected", then http/s is also rejected.

FW general settings (input / output / forward): accept / accept / reject
Zone LAN -> WAN: accept / accept / accept
Zone WAN -> REJECT: reject / accept / reject

This is what status/firewall shows for the chain:

Rule container chain "forward_lan" (rule comment - traffic matched by rule - rule matches - rule action):

http_https - 0 packets, 0 bytes - TCP source port in set { 80, 443 } - continue in accept_to_wan
http_https - 0 packets, 0 bytes - UDP source port in set { 80, 443 } - continue in accept_to_wan
Block_other - 0 packets, 0 bytes - IP protocol is TCP - continue in reject_to_wan
Block_other - 0 packets, 0 bytes - IP protocol is UDP - continue in reject_to_wan
Accept lan to wan forwarding - any packet - continue in accept_to_wan
(no comment) - any packet - continue in accept_to_lan

What am I doing wrong, or am I heading in the wrong direction?
Thank you.

The best way to figure out what is happening is to look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thanks, here is what you required:

{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 7530",
	"board_name": "avm,fritzbox-7530",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

#My minimal FW

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'


config rule
	option name 'http_https'
	option src 'lan'
	option target 'ACCEPT'
	option src_port '443 80'
	option dest 'wan'


config rule
	option name 'Block_other'
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'
	list proto 'tcp'
	list proto 'udp'

config forwarding
	option src 'lan'
	option dest 'wan'

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd74:d4db:6a61::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'
config dsl 'dsl'            #not working on my box, not used
	option annex 'j'
	option tone 'b'
	option ds_snr_offset '0'
config device
	option name 'dsl0'
	option macaddr '50:E6:36:74:C9:AC'


config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.100.250'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.228.4'



config interface 'wan'
	option device 'lan4'
	option proto 'static'
	option ipaddr '192.168.228.4'
	option netmask '255.255.255.0'
	option gateway '192.168.228.1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option disabled '1'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

Frankly, no idea what the purpose of this rule is. You are allowing responses from (IPv6) LAN web servers, but you never allowed the connections in the first place.


What is your goal with this router's firewall with respect to access to:

  • the router itself from the upstream network
  • the network behind this router from the upstream network
  • the upstream network from the downstream network.

The rules you have in your firewall are rather strange...

This router sits behind another one, but I notice that NAT Masquerading is not applied on the wan firewall zone. This means that you must have a static route installed on the main router. But then you have some other odd rules, and it's not clear what you are trying to accomplish. If you can describe the goal, we'll help you get there.


You are right. There is a cable router which connects to the internet and has the internal net 192.168.228.0. This router has a link to the wan port of the OpenWrt router and a static route to the net 192.168.100.0. Net 228.0 should serve as a DMZ.

Net 192.168.100.0 is my lan zone on the OpenWrt. The goal is that I only allow certain traffic from lan to wan, permitted by rules, say http/s, ssh, imap, smtp and some others.

The protocol is only IPv4.

It looks like you only want to allow http and https traffic going out?

If so delete the following:

Furthermore you can remove the option gateway; it should not be necessary (and is wrong):


If I delete config forwarding nothing goes out. My traffic rule 'http_https' doesn't seem to work.

Change option src_port '443 80' to option dest_port '443 80'

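To make the src_port/dest_port mix-up visible, here is a small rule walker written for this thread (not fw4 code, not the poster's): it reads the two lan->wan rules from the posted firewall config and evaluates them top to bottom for an outbound HTTPS connection, first as posted and then with dest_port. The UCI parser and the zone-forwarding fallback are simplified assumptions.

```python
import re

# Constructed: the thread's two lan->wan rules as posted, then with the fix.
UCI_AS_POSTED = """
config rule
	option name 'http_https'
	option src 'lan'
	option target 'ACCEPT'
	option src_port '443 80'
	option dest 'wan'
config rule
	option name 'Block_other'
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'
	list proto 'tcp'
	list proto 'udp'
"""
UCI_FIXED = UCI_AS_POSTED.replace("src_port", "dest_port")

def parse_rules(text):
    # Minimal UCI reader: one dict per section; 'list' keys accumulate.
    rules, cur = [], None
    for line in text.splitlines():
        if not (m := re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)):
            continue
        kind, key, val = m.groups()
        if kind == "config":
            rules.append(cur := {})
        elif kind == "option":
            cur[key] = val
        else:
            cur.setdefault(key, []).append(val)
    return rules

def forward_verdict(rules, src, dst, proto, sport, dport):
    # First matching rule wins, as in fw4's forward_lan chain. No 'proto' means
    # tcp+udp (the TCP/UDP row pairs on the status page); no match at all falls
    # through to the lan->wan 'config forwarding', which is ACCEPT here.
    ports = lambda spec: {int(p) for p in spec.split()}
    for r in rules:
        protos = r.get("proto", "tcp udp")
        protos = protos.split() if isinstance(protos, str) else protos
        if r.get("src") != src or r.get("dest") != dst or proto not in protos:
            continue
        if "src_port" in r and sport not in ports(r["src_port"]):
            continue
        if "dest_port" in r and dport not in ports(r["dest_port"]):
            continue
        return r["name"], r["target"]
    return "zone forwarding", "ACCEPT"
```

A browser's connection to a web server leaves with a random source port and destination port 443, so with src_port '443 80' it never matches http_https and lands in Block_other; with dest_port it matches http_https as intended.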

Thanks to you and all the other helpers here, it seems I had a tree in front of my head. In my old iptables script everything is forwarded by dport, but in the LuCI GUI I didn't realize it. Crazy, sometimes you look and look and ... overlook the simplest things.
