Guest network + Parental Control // Accept // any zone?

Hello everyone,

Thank you for your interest. I recently installed the latest OpenWrt 18.06.
I followed https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls to define parental control rules with LUCI. (Device1 has one Reject rule. Device2 gets 3 Accept rules followed by one Reject.)

I subsequently created a guest network with LUCI based on
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls

As a result of the Guest network creation, I got a hole in my parental control... (BTW: At first, it looked like I had it all under control. I made a couple of changes in the Wiki e.g. to warn about this, and suggest a possible solution. I'll revert/clarify them if it appears I was wrong. Sorry for the noise.)

I'd like some clarification because my fix appeared to be imperfect after more testing. It was based on source zone=any zone (not just source zone=lan).

For Device1, with one Reject rule, I get the expected result. And I don't mind extending the "scope" of a "Reject rule". ("From any host in any zone with source MAC XX:XX:XX:XX:XX:XX To any host in wan")

For Device2, with three Accept followed by one Reject, it gets more complicated.
I wanted to keep all Accept rules with source zone=lan, and extend the Reject rule with source zone=any zone. However, this results in unexpected blocking. As if the order of the Reject rule with "any zone" was modified to end up before the lan "Accept rule". It seems to work fine if I extend all rules with "any zone", although I can't know if it's safe. I'm not a network expert nor do I want to become one. (I'm not against learning a bit and I already had to learn a bit I must say.)

Considering the complexity of the default firewall rules and my limited knowledge, I won't extend any "Accept" rule unless some expert can confirm it's safe. Extract from /etc/config/firewall below.

What's the good strategy with respect to parental control with a guest network? Is it safe to use source zone=any zone for any rule, or at least for rules such as the ones below?

Thank you for your guidance

Model Netgear Nighthawk X4S R7800
Architecture ARMv7 Processor rev 0 (v7l)
Firmware Version OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
Kernel Version 4.14.131

MAC addresses have been obfuscated. They were identical in all 4 rules.

config rule
	option target 'ACCEPT'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option weekdays 'Sun Mon Sat'
	option start_time '17:00:00'
	option name 'R S2 SA-DI-LU 17-18 Accept'
	option src 'lan'
	option dest 'wan'
	option stop_time '18:00:00'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option weekdays 'Sun Sat'
	option start_time '14:00:00'
	option stop_time '15:00:00'
	option name 'R S2 SA-DI 14-15'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option weekdays 'Tue Wed'
	option start_time '16:00:00'
	option stop_time '17:00:00'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option name 'R S2 MAR-MER 16-17 Accept'
	option dest 'wan'

config rule
	option name 'R S2 General block'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option target 'REJECT'
	option src '*'
	option dest 'wan'

How many zones do you have in the firewall?
If there are only LAN and WAN there is really no point to use the wildcard option for the source zone. LAN will do.

Thank you for your time.
It looks like 3 zones to me: lan, wan and "guest".
Note that I didn't like to name everything "guest" (it slows down my learning). So I gave different names to the firewall zone, the network interface etc:

Extract from /etc/config/firewall:

config zone
	option name 'guestFWZ'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guestNI44'
	option input 'REJECT'

If you believe that the host will try to use the Guest network to avoid the blockade, then you can leave the wildcard in the source zone of the blocking rule.

That was my strategy. However, my test results are that if I use the wildcard in the source zone of the REJECT rule, and lan in the ACCEPT rules, the host is blocked even when it should be allowed.

The sequence of the rules matters. You need to have the specific ALLOW rules first, and the generic DROP rule should be last. If you think this is not the case you can post here the output of the following:
uci show firewall; iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn

1 Like

Thank you for the command. It has been of great help and allowed me to understand or at least visualize better. See extract from output below.

I wrote in the first post "As if the order of the Reject rule with "any zone" was modified". This is indeed what happens. The Reject rule for that MAC address appears last (i.e. after the 3 Accept for that MAC address) in LUCI. It appears last in /etc/config/firewall. Technically, when all parental rules are "source zone"=lan, they all appear in "Chain zone_lan_forward" and Reject is last. Cool. If the Reject is "source zone=any zone" and the Accept are "lan", they end up in two different sections: Accepts in "Chain zone_lan_forward" and the Reject in "Chain FORWARD", the latter coming first (even though the rule is last in LUCI). So, an unexpected order, at least for the noobs.

My preference was to define Accept only for "source zone=lan" (and not the "any zone" wildcard), which seemed safer and more future-proof to me. Generally speaking, my gut feeling tells me to have the scope of Accept very limited and the scope of Reject very wide.
Anyway, making all parental rules (Accept and Reject) for "source zone=any zone" seems to work. I might do that, or add an explicit rule to Reject on the guest network.
Thank you for the command tip.
Regards
Olivier

COPY PASTE from LUCI. Notice that the Refuse/Reject comes after the 3 Accept rules.

Any traffic
From any host in lan with source MAC XX:XX:XX:XX:XX:X3
To any host in wan
Accept forward

Any traffic
From any host in lan with source MAC XX:XX:XX:XX:XX:X3
To any host in wan
Accept forward

Any traffic
From any host in lan with source MAC XX:XX:XX:XX:XX:X3
To any host in wan
Accept forward

Any traffic
From any host in any zone with source MAC XX:XX:XX:XX:XX:X3
To any host in wan
Refuse forward

Extract from the command output when all rules are source zone=lan. All rules are grouped. Order is as expected: Reject is last, in line with LUCI and /etc/config/firewall.
This works kind of OK except that kid restrictions don't apply to the Guest network. So, not really OK.

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  162 24458 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 17:00:00 to 22:00:00 on Mon,Sat,Sun /* !fw3: R S2 SA-DI-LU 17-22 Accept */
    0     0 zone_wan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 17:00:00 to 22:00:00 on Mon,Sat,Sun /* !fw3: R S2 SA-DI-LU 17-22 Accept */
    0     0 zone_wan_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 14:00:00 to 15:00:00 on Sat,Sun /* !fw3: R S2 SA-DI 14-15 */
    0     0 zone_wan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 14:00:00 to 15:00:00 on Sat,Sun /* !fw3: R S2 SA-DI 14-15 */
   92  5520 zone_wan_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 16:00:00 to 22:00:00 on Tue,Wed /* !fw3: R S2 MAR-MER 16-17 Accept */
    3  1720 zone_wan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 TIME from 16:00:00 to 22:00:00 on Tue,Wed /* !fw3: R S2 MAR-MER 16-17 Accept */
    0     0 zone_wan_dest_REJECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 /* !fw3: R S2 General block */
    0     0 zone_wan_dest_REJECT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 /* !fw3: R S2 General block */

Different extract from the command output when Accept rules are "source zone=lan" but Reject rule is "source zone=any zone". The reject rule has been silently moved upwards by OpenWrt (or fw3, or iptables or whatever). Order is not in line with LUCI and /etc/config/firewall (unless you learned enough to understand it better than I currently do).
BTW: This approach doesn't work as kids are always rejected.

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination         
    55 10964 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
    54 10904 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
     0     0 zone_wan_dest_REJECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 /* !fw3: R S2 General block */
     0     0 zone_wan_dest_REJECT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC AA:BB:CC:DD:EE:F3 /* !fw3: R S2 General block */

Looks like the wildcard rules take precedence in the FORWARD chain and they are placed higher than the zone_*_forward.
It seems to me that it will be faster not to use the wildcard rule at all and add an extra REJECT rule for these MACs coming from the guest network. Otherwise you could change all the rules to have as source the wildcard.

2 Likes
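As an added illustration of the ordering the iptables output above shows (this is not code from the thread, from fw3 or from OpenWrt): a small Python model that places rules into chains the way fw3 did here (src '*' into FORWARD, everything else into zone_<src>_forward) and walks them first-match-wins. The MAC, the hour-granularity times and the assumption that both lan and guestFWZ are allowed to forward to wan are constructed for the example.

```python
from dataclasses import dataclass
KID_MAC = "aa:bb:cc:dd:ee:f3"  # constructed sample MAC, not the thread's

@dataclass(frozen=True)
class Rule:
    name: str
    target: str           # 'ACCEPT' or 'REJECT'
    src: str              # zone name, or '*' for "any zone"
    src_mac: str
    weekdays: tuple = ()  # empty = every day
    start: int = 0        # hour of day, inclusive
    stop: int = 24        # hour of day, exclusive

# Assumption: both zones may forward to wan; fw3 appends that jump
# (zone_wan_dest_ACCEPT in the thread's output) after the zone's own rules.
ZONE_FORWARDING = {"lan": "ACCEPT", "guestFWZ": "ACCEPT"}

def build_chains(rules):
    """src '*' lands in FORWARD, anything else in zone_<src>_forward,
    which is what the thread's iptables output shows fw3 doing."""
    chains = {"FORWARD": []}
    for r in rules:
        chain = "FORWARD" if r.src == "*" else f"zone_{r.src}_forward"
        chains.setdefault(chain, []).append(r)
    return chains

def matches(r, mac, day, hour):
    return (r.src_mac == mac and (not r.weekdays or day in r.weekdays)
            and r.start <= hour < r.stop)

def verdict(rules, in_zone, mac, day, hour):
    """First match wins: FORWARD is walked before the jump into the
    per-zone chain, which ends with the zone's forwarding to wan."""
    chains, zone_chain = build_chains(rules), f"zone_{in_zone}_forward"
    for chain in ("FORWARD", zone_chain):
        for r in chains.get(chain, []):
            if matches(r, mac, day, hour):
                return r.target, chain
    if in_zone in ZONE_FORWARDING:
        return ZONE_FORWARDING[in_zone], zone_chain
    return "DROP", "policy"  # FORWARD policy DROP in the thread's output

def thread_rules(reject_src):
    """The thread's three Accept rules and the general Reject."""
    return [Rule("SA-DI-LU 17-18", "ACCEPT", "lan", KID_MAC, ("Sun", "Mon", "Sat"), 17, 18),
            Rule("SA-DI 14-15", "ACCEPT", "lan", KID_MAC, ("Sun", "Sat"), 14, 15),
            Rule("MAR-MER 16-17", "ACCEPT", "lan", KID_MAC, ("Tue", "Wed"), 16, 17),
            Rule("General block", "REJECT", reject_src, KID_MAC)]

GUEST_BLOCK = Rule("Guest block", "REJECT", "guestFWZ", KID_MAC)  # the extra rule the last reply suggests
```

With the wildcard Reject, a Sunday 17:00 packet from lan is rejected in FORWARD before the lan Accept is ever reached; with the Reject kept in lan, the guest zone is the hole until GUEST_BLOCK is added to it.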

Thank you for your help.
Olivier
