Guest network users can unexpectedly access modem

For ages, ever since I had a guest network on my 4040, I had blocked access to the modem gui. Recently, that is well after the upgrade to the current version with DSA, I found out that I could in fact connect to the modem from the guest network.

Here are the config files to help you help me understand what is going on:

ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "router-casa-andrea",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

uci export network

package network

config globals 'globals'
        option ula_prefix 'redacted'

config interface 'loopback'
        option device 'lo'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option proto 'static'

config device
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option name 'br-casa'
        option type 'bridge'

config interface 'casa'
        list ip6class 'he_2_fra'
        list ip6class 'local'
        option device 'br-casa'
        option ip6assign '64'
        option ip6hint '2'
        option ip6ifaceid 'redacted'
        option ipaddr '192.168.2.1'
        option ipv6 '1'
        option netmask '255.255.255.0'
        option proto 'static'

config device
        list ports 'lan4'
        option name 'br-guest'
        option type 'bridge'

config interface 'guest'
        list ip6class 'he_2_fra'
        list ip6class 'local'
        option device 'br-guest'
        option ip6assign '64'
        option ip6hint '3'
        option ip6ifaceid 'redacted'
        option ipaddr '192.168.3.1'
        option ipv6 '1'
        option netmask '255.255.255.0'
        option proto 'static'

config interface 'wan'
        option device 'wan'
        option ipv6 'auto'
        option keepalive '6 5'
        option password 'redacted'
        option peerdns '0'
        option proto 'pppoe'
        option username 'redacted'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'modem'
        option device 'wan'
        option ipaddr '192.168.178.2'
        option netmask '255.255.255.0'
        option proto 'static'
        
config interface 'he_1_nyc'
        option auto '0'
        option dns '2001:4860:4860::8888 2001:4860:4860::8844'
        option ip6addr 'redacted'
        option ip6prefix 'redacted'
        option peeraddr '209.51.161.14'
        option proto '6in4'
        option tunnelid 'redacted'
        option updatekey 'redacted'
        option username 'redacted'

config interface 'he_2_fra'
        list ip6prefix 'redacted'
        option ip6addr 'redacted'
        option peeraddr '216.66.80.30'
        option proto '6in4'
        option tos 'inherit'
        option tunnelid 'redacted'
        option updatekey 'redacted'
        option username 'redacted'

uci export dhcp

package dhcp

config dnsmasq
        option authoritative '1'
        option domain 'bamberlan'
        option domainneeded '1'
        option expandhosts '1'
        option leasefile '/tmp/dhcp.leases'
        option local '/bamberlan/'
        option localise_queries '1'
        option localservice '1'
        option nonegcache '1'
        option nonwildcard '0'
        option noresolv '1'
        option port '1053'
        option rebind_localhost '1'
        option rebind_protection '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option maindhcp '0'

config dhcp 'wan'
        option ignore '1'
        option interface 'wan'

config dhcp 'casa'
        list dhcp_option 'option:domain-search,bamberlan,dummy.nodomain'
        list dhcp_option 'option:dns-server,0.0.0.0'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option force '1'
        option interface 'casa'
        option leasetime '24h'
        option limit '100'
        option ra 'server'
        option ra_slaac '1'
        option ra_useleasetime '1'
        option start '11'

config dhcp 'guest'
        list dhcp_option 'option:domain-search,bamberlan,dummy.nodomain'
        list dhcp_option 'option:dns-server,0.0.0.0'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option force '1'
        option interface 'guest'
        option leasetime '30m'
        option limit '100'
        option ra 'server'
        option ra_useleasetime '1'
        option start '11'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

uci export firewall

package firewall

config defaults
        option drop_invalid '1'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option syn_flood '1'
        option synflood_protect '1'

config zone
        list network 'casa'
        option forward 'REJECT'
        option input 'ACCEPT'
        option name 'casa'
        option output 'ACCEPT'

config zone
        list network 'guest'
        option forward 'REJECT'
        option input 'ACCEPT'
        option name 'guest'
        option output 'ACCEPT'

config zone
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option name 'modem'
        option network 'modem'
        option output 'ACCEPT'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'vpn'
        list device 'tun0'

config zone
        list network 'he_1_nyc'
        list network 'he_2_fra'
        list network 'wan'
        list network 'wan6'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option name 'wan'
        option output 'ACCEPT'

config forwarding
        option dest 'casa'
        option src 'vpn'
        
config forwarding
        option dest 'guest'
        option src 'casa'
        
config forwarding
        option dest 'guest'
        option src 'vpn'
        
config forwarding
        option dest 'modem'
        option src 'casa'
        
config forwarding
        option dest 'modem'
        option src 'vpn'
        
config forwarding
        option dest 'wan'
        option src 'casa'
        
config forwarding
        option dest 'wan'
        option src 'vpn'
        
config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option dest_port '68'
        option family 'ipv4'
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option family 'ipv4'
        option icmp_type 'echo-request'
        option name 'Allow-Ping'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option family 'ipv4'
        option name 'Allow-IGMP'
        option proto 'igmp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option dest_port '546'
        option family 'ipv6'
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        option src 'wan'
        option target 'ACCEPT'

config rule
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option family 'ipv6'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option dest '*'
        option family 'ipv6'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Forward'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option dest 'casa'
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option dest 'casa'
        option dest_port '500'
        option name 'Allow-ISAKMP'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPv6-in-IPv4'
        option proto '41'
        option src 'wan'
        option target 'ACCEPT'

config rule
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53 853'
        option dest 'wan'
        option enabled '0'
        option name 'Reject-DNS-forward'
        option src '*'
        option target 'REJECT'

In particular, the wan device has always carried a static address (the 'modem' interface, 192.168.178.2) so that the modem gui can be reached from the main "casa" network.

What could I change, if anything?

The two interfaces ('wan' and 'modem') share the same device (wan) and that's where the confusion comes from.

The guest=>wan forwarding creates, in the forward_guest chain, a jump to the accept_to_wan chain.
In that chain, everything leaving the "wan" device is accepted, including traffic destined for the modem, because the modem interface sits on the same device.

Create an explicit rule denying the guest network access to the modem.

# Explicit guest -> modem deny. fw4 emits 'rule' sections in forward_guest ahead of
# the zone forwarding jumps, so this is evaluated before the guest=>wan forwarding's
# accept_to_wan (which matches only on oifname "wan" and would otherwise accept
# traffic for the modem, since the wan and modem interfaces share that device).
# If the modem interface is later moved into the wan zone, change dest to 'wan'.
config rule
        option name 'Deny_guest_modem'
        option src 'guest'
        option dest 'modem'
        option target 'REJECT'
        list proto 'all'
        # dest_ip is an IPv4 prefix, so only IPv4 towards the modem subnet is matched;
        # the modem interface above is configured with IPv4 only, so that is sufficient here.
        list dest_ip '192.168.178.0/24'

Thanks for catching that and for the explanation!

Followup question: why would that work before DSA?
(disclaimer: I assume, but cannot absolutely guarantee, that it did in fact work when I created the rule: regression testing may not always happen, but you certainly test what you are trying to achieve at the time you are doing it)

I have daily config backup plus I log any changes so finding out what /etc/config/network and /etc/config/firewall looked like the day before the upgrade is straightforward.

Here is the relevant part of network config:

config interface 'wan'
        option keepalive '6 5'
        option device 'eth1'
        option proto 'pppoe'
        option username 'redacted'
        option password 'redacted'
        option ipv6 'auto'
        option peerdns '0'

config interface 'modem'
        option delegate '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.178.2'
        option device 'eth1'

Firewall config is unchanged with respect to guest network. Basically eth1 got renamed to wan in both interfaces; the firewall config references the zone by network name, not by device, so it is not affected.

Could it be something else? I'm thinking of DSA because that got my attention, having to redo the config.

If you're positive this worked before (without an additional restrictive rule), then I have no explanation.
Whether it's called wan or eth1, the device name is the device name, and the iptables-based fw3 uses the same principles.

Assuming I find the time for a rollback and can verify that it worked, what would be most helpful to pinpoint the difference in behaviour? Something like "fw4 print"?
(I would open a new thread and reference this one, in case...)

That, or nft list ruleset, for version 22.03.
If you intend to roll back to 21.02, it should be iptables-save -c instead.

Of course it's up to you, but I really think it would be a waste of time, because the logic is pretty clear.
The moment you create a guest=>wan forwarding, the following will appear in the forward_guest chain.

# nft list chain inet fw4 forward_guest
table inet fw4 {
        chain forward_guest {
                jump accept_to_wan comment "!fw4: Accept guest to wan forwarding"
                jump reject_to_guest
        }
}

The accept_to_wan chain matches on the outgoing device name (oifname), which the wan and modem interfaces share.

# nft list chain inet fw4 accept_to_wan
table inet fw4 {
        chain accept_to_wan {
                oifname "wan" counter packets 0 bytes 0 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }
}

All packets leaving the wan interface are masqueraded by default.

# nft list chain inet fw4 srcnat
table inet fw4 {
        chain srcnat {
                type nat hook postrouting priority 100; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }
}


# nft list chain inet fw4 srcnat_wan
table inet fw4 {
        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }
}

The only difference in 22.03 should be to see oifname "eth1" instead of oifname "wan".

Considering this, you should be able to optimize your firewall settings, because the modem zone seems useless.

The casa=>modem forwarding is covered by the existing casa=>wan forwarding, and the vpn=>modem forwarding is covered by the existing vpn=>wan forwarding (both zones sit on the same device and both masquerade).

You should get the same result by simply assigning the modem interface to the wan firewall zone and creating a guest=>wan deny rule based on the destination (modem) address/subnet.


I went back in time as far as I have backups, thinking that in a previous device I might have had different device names between modem and wan (or different masq settings) and perhaps blindly carried the rule over, no luck.

I agree with you on the issue of wasting time: at the end of the day, it is only one specific device with a fixed address, I'll rewrite the config as you suggested. Thanks again for the assistance, much appreciated.

