Guest wlan no internet access

Don't use guide for a dumb AP on the router.

uci -q delete firewall.lan.masq
uci set firewall.@forwarding[1].dest="wan"
uci commit firewall
/etc/init.d/firewall restart

@vgaetera I bow to you. How do you manage to make sense of the large output above so quickly????
Thanks a million!!!
May I ask you something that has to do with Guest Wlan now that we are at it? is it wise to have my guest users query my router interface in the guest wlan for DNS resolution? I just feel that is something that can be exploited, and it would make more sense if they queried google DNS for example. What is your opinion?

Again, hats off!


If you don't care so much for the extra traffic, you can assign them a public resolver, like GoogleDNS.
Otherwise you can take advantage of the local caching and answer faster repeated queries.


There's no definite answer as there's no absolute security.
Dnsmasq provides DHCP and DNS services, so although in theory both can be exploited, it might not be that simple in practice.
In any case, if you are concerned about it, you should enable encryption for your guest network.


Thanks!! I will be creating a new thread soon as I have other questions related to Guest wlan. This thread deals with no internet access and that has been already addressed by your above. Many thanks again everyone!
btw, I use WPA2 in my guest wlan too. Good advice!


@trendy one last thing, how would you go about using a public resolver on the Guest WLAN yet use dnsmasq on the main lan? I take it I need two things:

  1. Remove the firewall rule that allows DNS queries from Guest WLAN against "this device"
  2. Find a way to pass parameter DHCP 42 to Guest WLAN devices with the public resolver of my choice. Is this possible with the default single instance of dnsmasq for both networks? (see the thread that I started yesterday on this topic: Advise on best approach to deal with local networks)

thank you!!

Yep, it's possible.

uci -q delete dhcp.kitusguest.dhcp_option
uci add_list dhcp.kitusguest.dhcp_option="6,8.8.8.8,8.8.4.4"
uci add_list dhcp.kitusguest.dhcp_option="42,192.168.10.1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Oh God, I made a mistake. It was not option 42 but 6 as you indicated in your example @vgaetera. Thanks. I've disabled firewall rule #1 in my list above here: Guest wlan no internet access

Now, there is still something else that I don't understand. Why do I get these results when I'm connected to my guest wlan (subnet 192.168.10.0/24):

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

if I try to trace my way to the main interface on the main lan:

Marcs-MacBook-Air:~ marc$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  4.248 ms  1.421 ms  1.304 ms

Marcs-MacBook-Air:~ marc$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 195b   0 0000  40  01 d451 192.168.10.171  192.168.1.1 

why are these ports open if I have the rules in my firewall as per the above post Guest wlan no internet access

Marcs-MacBook-Air:~ marc$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 10:01 CET
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s

also, I don't understand your statement related to samba? how does this apply to a guest wlan?

thanks a million again @vgaetera


I don't think these ports are open on your router. Make sure you are not connected to something else which replies to you instead of OpenWrt.
If that is not the case post once again the firewall configurations:
uci export firewall; iptables-save -c


I verified again the connection and nothing has changed:

Marcs-MacBook-Air:~ marc$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 28:3x 
	inet6 fe80::1030:6x9c%en0 prefixlen 64 secured scopeid 0x7 
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Marcs-MacBook-Air:~ marc$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 ba73   0 0000  40  01 3339 192.168.10.171  192.168.1.1 

Request timeout for icmp_seq 0
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 4cec   0 0000  40  01 a0c0 192.168.10.171  192.168.1.1 

^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

if I now check the open ports again I see the same results:

Marcs-MacBook-Air:~ marc$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 22:37 CET
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 41.03 seconds
root@OpenWrt:/overlay# uci export firewall; iptables-save -c
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'kitusguest'
	option forward 'REJECT'
	option name 'kitusguest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'kitusguest'
	option dest 'wan'

config rule
	option dest_port '67-68'
	option src 'kitusguest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'kitusguest'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'kitusguest'
	option name 'Block guest access to private network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'

config redirect
	option dest_port '8123'
	option src 'wan'
	option name 'HomeAssistant'
	option src_dport '8123'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'DuckDNS'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*nat
:PREROUTING ACCEPT [413492:74785955]
:INPUT ACCEPT [29310:3207708]
:OUTPUT ACCEPT [18142:1275920]
:POSTROUTING ACCEPT [3100:162703]
:postrouting_kitusguest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_kitusguest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_kitusguest_postrouting - [0:0]
:zone_kitusguest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[413897:74809623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[43:2817] -A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
[341630:69202843] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3592:280728] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[62447:4858047] -A PREROUTING -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[6185:465188] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_prerouting
[153165:11972392] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
[473:40368] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[150048:11808605] -A POSTROUTING -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[2320:93394] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_postrouting
[2320:93394] -A zone_kitusguest_postrouting -m comment --comment "!fw3: Custom kitusguest postrouting rule chain" -j postrouting_kitusguest_rule
[6185:465188] -A zone_kitusguest_prerouting -m comment --comment "!fw3: Custom kitusguest prerouting rule chain" -j prerouting_kitusguest_rule
[473:40368] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[17:1084] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j SNAT --to-source 192.168.1.1
[341673:69205660] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[17:1084] -A zone_lan_prerouting -s 192.168.1.0/24 -d xxxx/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j DNAT --to-destination 192.168.1.4:8123
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d xxxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j DNAT --to-destination 192.168.1.4:80
[150048:11808605] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[150048:11808605] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[66039:5138775] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[337:20412] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant" -j DNAT --to-destination 192.168.1.4:8123
[51:2172] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS" -j DNAT --to-destination 192.168.1.4:80
COMMIT
# Completed on Sun Nov  1 22:41:58 2020
# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*mangle
:PREROUTING ACCEPT [20161981:16235085312]
:INPUT ACCEPT [179829:21852676]
:FORWARD ACCEPT [19758965:16155841839]
:OUTPUT ACCEPT [192635:86778075]
:POSTROUTING ACCEPT [19948523:16242393091]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[44549:2696491] -A FORWARD -o pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[39032:2187008] -A FORWARD -i pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Nov  1 22:41:58 2020
# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_kitusguest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_kitusguest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_kitusguest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_kitusguest_dest_ACCEPT - [0:0]
:zone_kitusguest_dest_REJECT - [0:0]
:zone_kitusguest_forward - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_output - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[14633:1441606] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[165198:20411174] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[42445:7658467] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[42075:2210992] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[21:1409] -A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
[47844:7299814] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[70875:5187801] -A INPUT -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_input
[2708:189623] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
[19758967:16155842056] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[19654716:16145877828] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[25:1600] -A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
[101575:9795912] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[394:23116] -A FORWARD -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[2257:143600] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_forward
[104:10400] -A FORWARD -m comment --comment "!fw3" -j reject
[14633:1441606] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[177988:85336585] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[159458:84035668] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
[108:29280] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[18413:1269239] -A OUTPUT -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_output
[9:2398] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_output
[49492:2506191] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[23801:2848137] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[40770:2136932] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[1305:74060] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:2398] -A zone_kitusguest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_kitusguest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[2257:143600] -A zone_kitusguest_forward -m comment --comment "!fw3: Custom kitusguest forwarding rule chain" -j forwarding_kitusguest_rule
[2257:143600] -A zone_kitusguest_forward -m comment --comment "!fw3: Block guest access to private network" -j zone_lan_dest_DROP
[921:59280] -A zone_kitusguest_forward -m comment --comment "!fw3: Zone kitusguest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_kitusguest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_kitusguest_forward -m comment --comment "!fw3" -j zone_kitusguest_dest_REJECT
[2708:189623] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[16:2578] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2692:187045] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[9:2398] -A zone_kitusguest_output -m comment --comment "!fw3: Custom kitusguest output rule chain" -j output_kitusguest_rule
[9:2398] -A zone_kitusguest_output -m comment --comment "!fw3" -j zone_kitusguest_dest_ACCEPT
[2692:187045] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
[127:31626] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o tun+ -m comment --comment "!fw3" -j DROP
[1336:84320] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[101600:9797512] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[101600:9797512] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[17:1084] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[123:12746] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[47865:7301223] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[47865:7301223] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[108:29280] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[108:29280] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[21:1409] -A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[47844:7299814] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[1624:131951] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[119170:10980250] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan6 -m comment --comment "!fw3" -j reject
[394:23116] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[394:23116] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[70875:5187801] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[373:30682] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[5:236] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[70497:5156883] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[18413:1269239] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[18413:1269239] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[70497:5156883] -A zone_wan_src_REJECT -i pppoe-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Nov  1 22:41:58 2020

I don't see anything accepted towards the router out of the ordinary. Basically only DHCP is allowed to the router.
The first rule is empty, the second is the DHCP, the third is for port forwards (since you don't have any it has 0 hits) and the fourth is rejecting everything.

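The reading of the `zone_kitusguest_input` chain in the post above can be done mechanically. The Python below is an added example, not code from the thread or from OpenWrt: it parses `iptables-save -c` output, groups rules by chain, follows fw3's jump chains and lists the hit counter and verdict of every rule a packet from the guest zone would meet on its way to the router. The `SAMPLE_DUMP` constant is an excerpt of the `*filter` table posted above (counters as posted), limited to the chains the guest zone traverses; the function names are mine.

```python
"""Read what an fw3 zone input chain actually accepts from `iptables-save -c`.

Added example, not code from the thread or from OpenWrt: it groups the dumped
rules by chain, follows fw3's jump chains and reports per-rule hit counters and
the verdict each rule yields, which is the reading done by hand above.
"""
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Excerpt of the *filter table posted in the thread (counters as posted),
# limited to the chains traffic from the guest zone traverses on its way to
# the router itself.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:input_kitusguest_rule - [0:0]
:reject - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
[2708:189623] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
[49492:2506191] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[23801:2848137] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2708:189623] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[16:2578] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2692:187045] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[2692:187045] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
COMMIT
"""

# [packets:bytes] -A <chain> <matches> [-j <target> <target options>]
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+)(.*?)(?: -j (\S+)(.*))?$')
COMMENT_RE = re.compile(r'--comment "([^"]*)"')
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


class Rule(NamedTuple):
    chain: str
    packets: int
    match: str
    target: str   # terminal verdict, user chain to jump to, or "" for none
    comment: str


def parse_rules(dump: str) -> Dict[str, List[Rule]]:
    """Group the -A rules of an iptables-save -c dump by chain, in order.

    Chain declarations (':name ...') are recorded too, so an empty hook chain
    such as input_kitusguest_rule shows up as a chain with no rules."""
    chains: Dict[str, List[Rule]] = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
            continue
        m = RULE_RE.match(line)
        if not m:
            continue   # table header, COMMIT, comments
        pkts, _bytes, chain, match, target, _opts = m.groups()
        c = COMMENT_RE.search(match)
        chains.setdefault(chain, []).append(
            Rule(chain, int(pkts), match.strip(), target or "", c.group(1) if c else ""))
    return chains


def walk(chains: Dict[str, List[Rule]], chain: str,
         depth: int = 0) -> Iterator[Tuple[int, Rule, str]]:
    """Yield (depth, rule, verdict) for a chain, descending into jumped-to chains.

    A rule whose target is a user chain is reported as '-> chain' and the rules
    of that chain follow at depth + 1, so the verdicts come out in the order a
    packet would meet them."""
    for rule in chains.get(chain, []):
        if rule.target in TERMINAL:
            yield depth, rule, rule.target
        elif rule.target in chains:
            yield depth, rule, f"-> {rule.target}"
            yield from walk(chains, rule.target, depth + 1)
        else:
            yield depth, rule, rule.target or "(no target)"


def accepted_rules(chains: Dict[str, List[Rule]], chain: str) -> List[Tuple[str, int]]:
    """(comment, packets) of every rule reachable from `chain` that ACCEPTs."""
    return [(r.comment, r.packets) for _, r, v in walk(chains, chain) if v == "ACCEPT"]


def report(dump: str, chain: str) -> str:
    """Render the walk as one indented line per rule."""
    chains = parse_rules(dump)
    return "\n".join(
        f"{'  ' * depth}{rule.packets:>8} pkts  {verdict:<32} {rule.comment or rule.match}"
        for depth, rule, verdict in walk(chains, chain))


if __name__ == "__main__":
    # Replace SAMPLE_DUMP with sys.stdin.read() to audit a live router.
    print(report(SAMPLE_DUMP, "zone_kitusguest_input"))
```

On the posted dump the only ACCEPT with a non-zero counter is Guest DHCP (16 packets); the DNAT accept has 0 hits and everything else (2692 packets) falls through to the shared `reject` chain. That chain answers non-TCP traffic with `icmp-port-unreachable`, which is the "Destination Port Unreachable" the ping output earlier in the thread shows, so the router itself is not accepting the pop3/imap ports nmap reports.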

Sorry, I've confused option 42 NTP with 44 NETBIOS/Samba. :sweat_smile:

Remove those rules and check this:

nmap -sV 192.168.1.1

come on, not a problem!! you've been most helpful in this thread!!! I can only be thankful!

Done. here you go:

Marcs-MacBook-Air:~ marc$ nmap -sV 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 11:58 CET
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
110/tcp open  tcpwrapped
143/tcp open  tcpwrapped
993/tcp open  tcpwrapped
995/tcp open  tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.96 seconds

and yes, I'm connected to my guest wlan network:

Marcs-MacBook-Air:~ marc$ ifconfig -L en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 28:37:37:1b:b0:44 
	inet6 fe80::1030:6580:60a2:fe9c%en0 prefixlen 64 secured scopeid 0x7 
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Marcs-MacBook-Air:~ marc$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  4.444 ms  2.052 ms  1.102 ms
Marcs-MacBook-Air:~ marc$ 


this is the current output of the commands above:

root@OpenWrt:~# uci export firewall; iptables-save -c
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'kitusguest'
	option forward 'REJECT'
	option name 'kitusguest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'kitusguest'
	option dest 'wan'

config rule
	option dest_port '67-68'
	option src 'kitusguest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'kitusguest'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'kitusguest'
	option name 'Block guest access to private network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'

config redirect
	option dest_port '8123'
	option src 'wan'
	option name 'HomeAssistant'
	option src_dport '8123'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'DuckDNS'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*nat
:PREROUTING ACCEPT [3624043:905490078]
:INPUT ACCEPT [267684:19755390]
:OUTPUT ACCEPT [265753:19159938]
:POSTROUTING ACCEPT [6035:428185]
:postrouting_kitusguest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_kitusguest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_kitusguest_postrouting - [0:0]
:zone_kitusguest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3626929:905656374] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
[3456972:893901208] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[32952:2575776] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[134232:8982314] -A PREROUTING -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[2773:197076] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_prerouting
[760764:58139666] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:258] -A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
[3273:284829] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[754729:57711481] -A POSTROUTING -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[1322:53177] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_postrouting
[1322:53177] -A zone_kitusguest_postrouting -m comment --comment "!fw3: Custom kitusguest postrouting rule chain" -j postrouting_kitusguest_rule
[2773:197076] -A zone_kitusguest_prerouting -m comment --comment "!fw3: Custom kitusguest prerouting rule chain" -j prerouting_kitusguest_rule
[3275:285087] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j SNAT --to-source 192.168.1.1
[3456972:893901208] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.156.122.55/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j DNAT --to-destination 192.168.1.4:8123
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.156.122.55/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j DNAT --to-destination 192.168.1.4:80
[754729:57711481] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[754729:57711481] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[167184:11558090] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2431:145668] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant" -j DNAT --to-destination 192.168.1.4:8123
[455:20628] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS" -j DNAT --to-destination 192.168.1.4:80
COMMIT
# Completed on Sat Nov  7 12:04:55 2020
# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*mangle
:PREROUTING ACCEPT [108075336:77023982979]
:INPUT ACCEPT [863281:100515137]
:FORWARD ACCEPT [104383776:76081573861]
:OUTPUT ACCEPT [796302:86502280]
:POSTROUTING ACCEPT [105163074:76167342107]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[325508:18484824] -A FORWARD -o pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[288697:16230324] -A FORWARD -i pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Nov  7 12:04:55 2020
# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_kitusguest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_kitusguest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_kitusguest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_kitusguest_dest_ACCEPT - [0:0]
:zone_kitusguest_dest_REJECT - [0:0]
:zone_kitusguest_forward - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_output - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[8183:674960] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[855101:99840333] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[289623:50675478] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[97333:4014788] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
[364709:37489111] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[198678:11547985] -A INPUT -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_input
[1573:100583] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
[104383787:76081574945] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[103915540:76039341089] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
[464770:42029420] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[2886:167308] -A FORWARD -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[591:37128] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_forward
[155:21700] -A FORWARD -m comment --comment "!fw3" -j reject
[8183:674960] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[788122:85828948] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[514779:66191430] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
[557:170216] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[272780:19465610] -A OUTPUT -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_output
[6:1692] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_output
[163910:6696598] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[35450:4898652] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[96815:3987612] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[518:27176] -A syn_flood -m comment --comment "!fw3" -j DROP
[6:1692] -A zone_kitusguest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_kitusguest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[591:37128] -A zone_kitusguest_forward -m comment --comment "!fw3: Custom kitusguest forwarding rule chain" -j forwarding_kitusguest_rule
[591:37128] -A zone_kitusguest_forward -m comment --comment "!fw3: Block guest access to private network" -j zone_lan_dest_DROP
[291:18232] -A zone_kitusguest_forward -m comment --comment "!fw3: Zone kitusguest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_kitusguest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_kitusguest_forward -m comment --comment "!fw3" -j zone_kitusguest_dest_REJECT
[1573:100583] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[14:1922] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1559:98661] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[6:1692] -A zone_kitusguest_output -m comment --comment "!fw3: Custom kitusguest output rule chain" -j output_kitusguest_rule
[6:1692] -A zone_kitusguest_output -m comment --comment "!fw3" -j zone_kitusguest_dest_ACCEPT
[1559:98661] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[2:258] -A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
[580:172033] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o tun+ -m comment --comment "!fw3" -j DROP
[300:18896] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[464770:42029420] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[464770:42029420] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[180:23775] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[364709:37489111] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[364709:37489111] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[557:170216] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[557:170216] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[364709:37489111] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[16600:710166] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[721061:60779321] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan6 -m comment --comment "!fw3" -j reject
[2886:167308] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[2886:167308] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[198678:11547985] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[2:85] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[1005:71983] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[25:1028] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[197646:11474889] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[272780:19465610] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[272780:19465610] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[197646:11474889] -A zone_wan_src_REJECT -i pppoe-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Nov  7 12:04:55 2020
1 Like
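
As an added check (not code from the thread or from OpenWrt), a small audit of the iptables-save -c dump above: it follows a zone's input chain through the fw3 jump chains, lists what the router itself accepts from that zone, and reports whether the chain ends in an unconditional reject. Run against zone_kitusguest_input it finds only the Guest DHCP rule (67:68/udp) plus the DNAT exception, so a port dnsmasq binds on the guest interface is not reachable from guest clients even if netstat shows it listening there. The sample dump is constructed, trimmed to the guest zone's input path.

```python
import re
import shlex
# Constructed sample (not the thread's full dump): the guest zone's input path as iptables-save -c prints it.
SAMPLE = """
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[0:0] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[0:0] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
"""
KEYS = ("-p", "--dport", "--ctstate", "--comment", "-j")

def parse_rules(dump):
    """Map chain name -> list of {option: value} dicts, one per -A line."""
    chains = {}
    for line in dump.splitlines():
        tok = shlex.split(re.sub(r"^\[\d+:\d+\] ", "", line))  # drop -c counters
        if tok[:1] == ["-A"]:
            rule = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] in KEYS}
            chains.setdefault(tok[1], []).append(rule)
    return chains

def walk(chains, chain, seen=frozenset()):
    """Follow a chain (descending into user chains) up to the first unconditional
    REJECT/DROP; return (ACCEPT rules reached, terminal verdict or None)."""
    accepts = []
    for r in chains.get(chain, []):
        tgt = r.get("-j")
        if tgt == "ACCEPT":
            accepts.append(r)
        elif tgt in ("REJECT", "DROP") and not any(k in r for k in KEYS[:3]):
            return accepts, tgt                  # nothing after this gets through
        elif tgt in chains and tgt not in seen:  # jump into a user-defined chain
            sub, verdict = walk(chains, tgt, seen | {tgt})
            accepts += sub
            if verdict:
                return accepts, verdict
    return accepts, None                         # falls through to the table policy

def port_open(accepts, proto, port):
    """True if an ACCEPT with no conntrack-state condition covers proto/port."""
    for r in accepts:
        if "--ctstate" in r or r.get("-p", proto) != proto:
            continue
        lo, _, hi = r.get("--dport", "0:65535").partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False
```

To audit the real router, feed the output of `iptables-save -c` to parse_rules and walk the zone_<name>_input chain of each zone; a missing terminal verdict means the chain falls through to the INPUT policy, which is ACCEPT on this box.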

@trendy fully aligned with you. I can't seem to find an explanation for what I see!!

Do a netstat -lnp on OpenWrt.

1 Like

This might be local firewall rules for outgoing connections on your PC.
Possibly related to some antivirus/antispam software.

1 Like

Here you go:

root@OpenWrt:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      823/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      17442/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      17442/dnsmasq
tcp        0      0 10.0.0.1:53             0.0.0.0:*               LISTEN      17442/dnsmasq
tcp        0      0 79.156.122.55:53        0.0.0.0:*               LISTEN      17442/dnsmasq
tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN      17442/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      672/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      823/uhttpd
tcp        0      0 ::1:53                  :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d55:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d54:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fda7:3a7a:f62::1:53     :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d54:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d55:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d57:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::1bc1:5d28:6c99:5ea4:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::46a5:6eff:fe47:3d56:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 2a02:9003:af:5feb:9927:7c7:57e3:c854:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::9927:7c7:57e3:c854:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 fe80::44a5:6eff:fe47:3d56:53 :::*                    LISTEN      17442/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      672/dropbear
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1016/openvpn
udp        0      0 127.0.0.1:53            0.0.0.0:*                           17442/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           17442/dnsmasq
udp        0      0 10.0.0.1:53             0.0.0.0:*                           17442/dnsmasq
udp        0      0 79.156.122.55:53        0.0.0.0:*                           17442/dnsmasq
udp        0      0 192.168.10.1:53         0.0.0.0:*                           17442/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           17442/dnsmasq
udp        0      0 :::123                  :::*                                1302/ntpd
udp        0      0 :::546                  :::*                                1997/odhcp6c
udp        0      0 :::547                  :::*                                17474/odhcpd
udp        0      0 ::1:53                  :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d55:53 :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d54:53 :::*                                17442/dnsmasq
udp        0      0 fda7:3a7a:f62::1:53     :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d54:53 :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d55:53 :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d57:53 :::*                                17442/dnsmasq
udp        0      0 fe80::1bc1:5d28:6c99:5ea4:53 :::*                                17442/dnsmasq
udp        0      0 fe80::46a5:6eff:fe47:3d56:53 :::*                                17442/dnsmasq
udp        0      0 2a02:9003:af:5feb:9927:7c7:57e3:c854:53 :::*                                17442/dnsmasq
udp        0      0 fe80::9927:7c7:57e3:c854:53 :::*                                17442/dnsmasq
udp        0      0 fe80::44a5:6eff:fe47:3d56:53 :::*                                17442/dnsmasq
raw        0      0 ::%161:58               ::%1:*                  58          17474/odhcpd
raw        0      0 ::%158:58               ::%2:*                  58          1997/odhcp6c
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING       2203 152/ubusd           /var/run/ubus.sock
1 Like

False alarm from the nmap, most likely what @vgaetera said.

1 Like

thanks @trendy and @vgaetera!!!

2 Likes
