Guest wlan no internet access

vgaetera · October 31, 2020, 5:42pm

. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_subnet NET_SUB "${NET_IF}"
uci set firewall.@rule[-2].dest_ip="${NET_SUB}"
uci commit firewall
/etc/init.d/firewall restart

mk24 · October 31, 2020, 6:13pm

Running on a main router that has lan and wan active, usually guests would forward from guest to wan, not lan.

The IP subnet of guest needs to be different from both lan and wan.

It looks like there also may be a VPN involved in this?

kitus · October 31, 2020, 6:41pm

That's precisely my point. I would have expected a rule in the guidance doing what you suggest.

kitus · October 31, 2020, 6:46pm

I still struggle to understand the basic OpenWRT syntax so I have given this a try without knowing very well what this may do.

root@OpenWrt:~# . /lib/functions/network.sh
root@OpenWrt:~# network_flush_cache
root@OpenWrt:~# network_find_wan NET_IF
root@OpenWrt:~# network_get_subnet NET_SUB "${NET_IF}"
root@OpenWrt:~# uci set firewall.@rule[-2].dest_ip="${NET_SUB%.*}.0/${NET_SUB#*/}"
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[10] (Guest DNS) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Guest DHCP'
   * Rule 'Guest DNS'
   * Rule 'Block guest access to private network'
   * Rule 'Allow-OpenVPN'
   * Redirect 'HomeAssistant'
   * Redirect 'DuckDNS'
   * Forward 'lan' -> 'wan'
   * Forward 'kitusguest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'kitusguest'
 * Populating IPv4 nat table
   * Redirect 'HomeAssistant'
   * Redirect 'DuckDNS'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'kitusguest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'kitusguest'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Guest DHCP'
   * Rule 'Guest DNS'
   * Rule 'Block guest access to private network'
     ! Skipping due to different family of ip address
   * Rule 'Allow-OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'kitusguest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'kitusguest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'kitusguest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

The results I get after doing what you suggest are the same.

and I've now spotted the forwarding command I was missing earlier, but to my surprise I seem to be forwarding the packets to the lan interface from guest???

   * Forward 'kitusguest' -> 'lan'

Marcs-MacBook-Air:~ marc$ ping 216.58.211.35
PING 216.58.211.35 (216.58.211.35): 56 data bytes
92 bytes from openwrt.lan (192.168.10.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 008d   0 0000  3f  01 046b 192.168.10.171  216.58.211.35 

Request timeout for icmp_seq 0
92 bytes from openwrt.lan (192.168.10.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 f94b   0 0000  3f  01 0bac 192.168.10.171  216.58.211.35 

Request timeout for icmp_seq 1
^C
--- 216.58.211.35 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
Marcs-MacBook-Air:~ marc$ ping 216.58.211.35
PING 216.58.211.35 (216.58.211.35): 56 data bytes
92 bytes from openwrt.lan (192.168.10.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 1600   0 0000  3f  01 eef7 192.168.10.171  216.58.211.35 

Request timeout for icmp_seq 0
92 bytes from openwrt.lan (192.168.10.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 8292   0 0000  3f  01 8265 192.168.10.171  216.58.211.35 

^C
--- 216.58.211.35 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
Marcs-MacBook-Air:~ marc$ telnet 216.58.211.35 80
Trying 216.58.211.35...
telnet: connect to address 216.58.211.35: Connection refused
telnet: Unable to connect to remote host
Marcs-MacBook-Air:~ marc$

vgaetera · October 31, 2020, 6:56pm

Post the output:

uci show network; uci show dhcp; uci show firewall; \
ip address show; ip route show; ip rule show; iptables-save

kitus · October 31, 2020, 7:06pm

sure

root@OpenWrt:~# uci show network; uci show dhcp; uci show firewall; \
> ip address show; ip route show; ip rule show; iptables-save
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda7:3a7a:0f62::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.password=******
network.wan.ipv6='auto'
network.wan.username=******
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='pppoe'
network.wan6.password=******
network.wan6.ipv6='auto'
network.wan6.username=*******
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.kitusguest=interface
network.kitusguest.proto='static'
network.kitusguest.ipaddr='192.168.10.1'
network.kitusguest.netmask='255.255.255.0'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.limit='250'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.start='2'
dhcp.lan.dhcp_option='42,192.168.1.1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.kitusguest=dhcp
dhcp.kitusguest.leasetime='12h'
dhcp.kitusguest.interface='kitusguest'
dhcp.kitusguest.start='2'
dhcp.kitusguest.limit='250'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.lan.masq='1'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].network='kitusguest'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].name='kitusguest'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='kitusguest'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='67-68'
firewall.@rule[9].src='kitusguest'
firewall.@rule[9].name='Guest DHCP'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='53'
firewall.@rule[10].src='kitusguest'
firewall.@rule[10].name='Guest DNS'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].src='kitusguest'
firewall.@rule[11].name='Block guest access to private network'
firewall.@rule[11].dest='lan'
firewall.@rule[11].target='DROP'
firewall.@rule[11].proto='all'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='8123'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='HomeAssistant'
firewall.@redirect[0].src_dport='8123'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='192.168.1.4'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='DuckDNS'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.4'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 44:a5:6e:47:3d:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46a5:6eff:fe47:3d55/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 44:a5:6e:47:3d:54 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46a5:6eff:fe47:3d54/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 44:a5:6e:47:3d:54 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fda7:3a7a:f62::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::46a5:6eff:fe47:3d54/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 44:a5:6e:47:3d:54 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 44:a5:6e:47:3d:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46a5:6eff:fe47:3d55/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 44:a5:6e:47:3d:57 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46a5:6eff:fe47:3d57/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 44:a5:6e:47:3d:56 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46a5:6eff:fe47:3d56/64 scope link 
       valid_lft forever preferred_lft forever
13: pppoe-wan6: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp 
    inet 83.55.135.148 peer 192.168.144.1/32 scope global pppoe-wan6
       valid_lft forever preferred_lft forever
    inet6 2a02:9003:af:4ae1:ecde:ef70:ae83:17bc/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ecde:ef70:ae83:17bc/10 scope link 
       valid_lft forever preferred_lft forever
14: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 46:a5:6e:47:3d:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
    inet6 fe80::44a5:6eff:fe47:3d56/64 scope link 
       valid_lft forever preferred_lft forever
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 10.0.0.1/24 brd 10.0.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::220e:f603:fef8:edcb/64 scope link 
       valid_lft forever preferred_lft forever
default via 192.168.144.1 dev pppoe-wan6 
10.0.0.0/24 dev tun0 scope link  src 10.0.0.1 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.10.0/24 dev wlan0-1 scope link  src 192.168.10.1 
192.168.144.1 dev pppoe-wan6 scope link  src 83.55.135.148 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.8.3 on Sat Oct 31 20:03:00 2020
*nat
:PREROUTING ACCEPT [164:27615]
:INPUT ACCEPT [13:1368]
:OUTPUT ACCEPT [11:941]
:POSTROUTING ACCEPT [1:212]
:postrouting_kitusguest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_kitusguest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_kitusguest_postrouting - [0:0]
:zone_kitusguest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_postrouting
-A zone_kitusguest_postrouting -m comment --comment "!fw3: Custom kitusguest postrouting rule chain" -j postrouting_kitusguest_rule
-A zone_kitusguest_prerouting -m comment --comment "!fw3: Custom kitusguest prerouting rule chain" -j prerouting_kitusguest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 83.55.135.148/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j DNAT --to-destination 192.168.1.4:8123
-A zone_lan_prerouting -s 192.168.1.0/24 -d 83.55.135.148/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j DNAT --to-destination 192.168.1.4:80
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant" -j DNAT --to-destination 192.168.1.4:8123
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS" -j DNAT --to-destination 192.168.1.4:80
COMMIT
# Completed on Sat Oct 31 20:03:00 2020
# Generated by iptables-save v1.8.3 on Sat Oct 31 20:03:00 2020
*mangle
:PREROUTING ACCEPT [8199:6497491]
:INPUT ACCEPT [115:14462]
:FORWARD ACCEPT [8034:6478715]
:OUTPUT ACCEPT [108:36850]
:POSTROUTING ACCEPT [8141:6515525]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Oct 31 20:03:00 2020
# Generated by iptables-save v1.8.3 on Sat Oct 31 20:03:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_kitusguest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_kitusguest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_kitusguest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_kitusguest_dest_ACCEPT - [0:0]
:zone_kitusguest_dest_REJECT - [0:0]
:zone_kitusguest_forward - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_output - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_kitusguest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
-A zone_kitusguest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_kitusguest_forward -m comment --comment "!fw3: Custom kitusguest forwarding rule chain" -j forwarding_kitusguest_rule
-A zone_kitusguest_forward -m comment --comment "!fw3: Block guest access to private network" -j zone_lan_dest_DROP
-A zone_kitusguest_forward -m comment --comment "!fw3: Zone kitusguest to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_kitusguest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_kitusguest_forward -m comment --comment "!fw3" -j zone_kitusguest_dest_REJECT
-A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
-A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_kitusguest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_kitusguest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
-A zone_kitusguest_output -m comment --comment "!fw3: Custom kitusguest output rule chain" -j output_kitusguest_rule
-A zone_kitusguest_output -m comment --comment "!fw3" -j zone_kitusguest_dest_ACCEPT
-A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o tun+ -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_DROP -o tun+ -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan6 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o pppoe-wan6 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i pppoe-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Oct 31 20:03:00 2020

vgaetera · October 31, 2020, 7:18pm

Don't use guide for a dumb AP on the router.

uci -q delete firewall.lan.masq
uci set firewall.@forwarding[1].dest="wan"
uci commit firewall
/etc/init.d/firewall restart

kitus · October 31, 2020, 7:25pm

@vgaetera I bow to you. How do you manage to make sense of the large output above so quickly????
Thanks a million!!!
May I ask you something that has to do with Guest Wlan now that we are at it? is it wise to have my guest users query my router interface in the guest wlan for DNS resolution? I just feel that is something that can be exploited, and it would make more sense if they queried google DNS for example. What is your opinion?

Again, hats off!

trendy · October 31, 2020, 7:28pm

If you don't care so much for the extra traffic, you can assign them a public resolver, like GoogleDNS.
Otherwise you can take advantage of the local caching and answer faster repeated queries.

vgaetera · October 31, 2020, 7:44pm

There's no definite answer as there's no absolute security.
Dnsmasq provides DHCP and DNS services, so although in theory both can be exploited, it might not be that simple in practice.
In any case, if you are concerned about it, you should enable encryption for your guest network.

kitus · October 31, 2020, 8:04pm

Thanks!! I will be creating a new thread soon as I have other questions related to Guest wlan. This thread deals with no internet access and that has been already addressed by your above. Many thanks again everyone!
btw, I use WPA2 in my guest wlan too. Good advice!

kitus · November 1, 2020, 7:01am

@trendy one last thing, how would you go about using a public resolver on the Guest WLAN yet use dnsmaq on the main lan? I take it I need two things:

Remove the firewall rule that allows DNS queries from Guest WLAN against "this device"
Find a way to pass parameter DHCP 42 to Guest WLAN devices with the public resolver of my choice. Is this possible with the default single instance of dnsmasq for both networks? (see the thread that I started yesterday on this topic: Advise on best approach to deal with local networks)

thank you!!

vgaetera · November 1, 2020, 8:02am

Yep, it's possible.

uci -q delete dhcp.kitusguest.dhcp_option
uci add_list dhcp.kitusguest.dhcp_option="6,8.8.8.8,8.8.4.4"
uci add_list dhcp.kitusguest.dhcp_option="42,192.168.10.1"
uci commit dhcp
/etc/init.d/dnsmasq restart

kitus · November 1, 2020, 3:38pm

Oh God, I made a mistake. It was not option 42 but 6 as you indicated in your example @vgaetera. Thanks. I've disabled firewall rule #1 in my list above here: Guest wlan no internet access

Now, there is still something else that I don't understand. Why do I get these results when I'm connected to my guest wlan (subnet 192.168.10.0/24):

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

if I try to trace my way to the main interface on the main lan:

Marcs-MacBook-Air:~ marc$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  4.248 ms  1.421 ms  1.304 ms

Marcs-MacBook-Air:~ marc$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 195b   0 0000  40  01 d451 192.168.10.171  192.168.1.1

why are these ports open if I have the rules in my firewall as per the above post Guest wlan no internet access

Marcs-MacBook-Air:~ marc$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 10:01 CET
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s

also, I don't understand your statement related to samba? how does this apply to a guest wlan?

thanks a million again @vgaetera

trendy · November 1, 2020, 7:53pm

I don't think these ports are open on your router. Make sure you are not connected to something else which replies to you instead of OpenWrt.
If that is not the case post once again the firewall configurations:
uci export firewall; iptables-save -c

kitus · November 1, 2020, 9:44pm

I verified again the connection and nothing has changed:

Marcs-MacBook-Air:~ marc$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 28:3x 
	inet6 fe80::1030:6x9c%en0 prefixlen 64 secured scopeid 0x7 
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Marcs-MacBook-Air:~ marc$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 ba73   0 0000  40  01 3339 192.168.10.171  192.168.1.1 

Request timeout for icmp_seq 0
92 bytes from 192.168.1.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 4cec   0 0000  40  01 a0c0 192.168.10.171  192.168.1.1 

^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

if I now check the open ports again I see the same results:

Marcs-MacBook-Air:~ marc$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 22:37 CET
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
110/tcp open  pop3
143/tcp open  imap
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 41.03 seconds

root@OpenWrt:/overlay# uci export firewall; iptables-save -c
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'kitusguest'
	option forward 'REJECT'
	option name 'kitusguest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'kitusguest'
	option dest 'wan'

config rule
	option dest_port '67-68'
	option src 'kitusguest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'kitusguest'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'kitusguest'
	option name 'Block guest access to private network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'

config redirect
	option dest_port '8123'
	option src 'wan'
	option name 'HomeAssistant'
	option src_dport '8123'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'DuckDNS'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*nat
:PREROUTING ACCEPT [413492:74785955]
:INPUT ACCEPT [29310:3207708]
:OUTPUT ACCEPT [18142:1275920]
:POSTROUTING ACCEPT [3100:162703]
:postrouting_kitusguest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_kitusguest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_kitusguest_postrouting - [0:0]
:zone_kitusguest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[413897:74809623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[43:2817] -A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
[341630:69202843] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3592:280728] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[62447:4858047] -A PREROUTING -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[6185:465188] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_prerouting
[153165:11972392] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
[473:40368] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[150048:11808605] -A POSTROUTING -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[2320:93394] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_postrouting
[2320:93394] -A zone_kitusguest_postrouting -m comment --comment "!fw3: Custom kitusguest postrouting rule chain" -j postrouting_kitusguest_rule
[6185:465188] -A zone_kitusguest_prerouting -m comment --comment "!fw3: Custom kitusguest prerouting rule chain" -j prerouting_kitusguest_rule
[473:40368] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[17:1084] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j SNAT --to-source 192.168.1.1
[341673:69205660] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[17:1084] -A zone_lan_prerouting -s 192.168.1.0/24 -d xxxx/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j DNAT --to-destination 192.168.1.4:8123
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d xxxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j DNAT --to-destination 192.168.1.4:80
[150048:11808605] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[150048:11808605] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[66039:5138775] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[337:20412] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant" -j DNAT --to-destination 192.168.1.4:8123
[51:2172] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS" -j DNAT --to-destination 192.168.1.4:80
COMMIT
# Completed on Sun Nov  1 22:41:58 2020
# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*mangle
:PREROUTING ACCEPT [20161981:16235085312]
:INPUT ACCEPT [179829:21852676]
:FORWARD ACCEPT [19758965:16155841839]
:OUTPUT ACCEPT [192635:86778075]
:POSTROUTING ACCEPT [19948523:16242393091]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[44549:2696491] -A FORWARD -o pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[39032:2187008] -A FORWARD -i pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Nov  1 22:41:58 2020
# Generated by iptables-save v1.8.3 on Sun Nov  1 22:41:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_kitusguest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_kitusguest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_kitusguest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_kitusguest_dest_ACCEPT - [0:0]
:zone_kitusguest_dest_REJECT - [0:0]
:zone_kitusguest_forward - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_output - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[14633:1441606] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[165198:20411174] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[42445:7658467] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[42075:2210992] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[21:1409] -A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
[47844:7299814] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[70875:5187801] -A INPUT -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_input
[2708:189623] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
[19758967:16155842056] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[19654716:16145877828] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[25:1600] -A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
[101575:9795912] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[394:23116] -A FORWARD -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[2257:143600] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_forward
[104:10400] -A FORWARD -m comment --comment "!fw3" -j reject
[14633:1441606] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[177988:85336585] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[159458:84035668] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
[108:29280] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[18413:1269239] -A OUTPUT -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_output
[9:2398] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_output
[49492:2506191] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[23801:2848137] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[40770:2136932] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[1305:74060] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:2398] -A zone_kitusguest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_kitusguest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[2257:143600] -A zone_kitusguest_forward -m comment --comment "!fw3: Custom kitusguest forwarding rule chain" -j forwarding_kitusguest_rule
[2257:143600] -A zone_kitusguest_forward -m comment --comment "!fw3: Block guest access to private network" -j zone_lan_dest_DROP
[921:59280] -A zone_kitusguest_forward -m comment --comment "!fw3: Zone kitusguest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_kitusguest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_kitusguest_forward -m comment --comment "!fw3" -j zone_kitusguest_dest_REJECT
[2708:189623] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[16:2578] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2692:187045] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[9:2398] -A zone_kitusguest_output -m comment --comment "!fw3: Custom kitusguest output rule chain" -j output_kitusguest_rule
[9:2398] -A zone_kitusguest_output -m comment --comment "!fw3" -j zone_kitusguest_dest_ACCEPT
[2692:187045] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
[127:31626] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o tun+ -m comment --comment "!fw3" -j DROP
[1336:84320] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[101600:9797512] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[101600:9797512] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[17:1084] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[123:12746] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[47865:7301223] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[47865:7301223] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[108:29280] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[108:29280] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[21:1409] -A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[47844:7299814] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[1624:131951] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[119170:10980250] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan6 -m comment --comment "!fw3" -j reject
[394:23116] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[394:23116] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[70875:5187801] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[373:30682] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[5:236] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[70497:5156883] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[18413:1269239] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[18413:1269239] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[70497:5156883] -A zone_wan_src_REJECT -i pppoe-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Nov  1 22:41:58 2020

trendy · November 1, 2020, 11:18pm

kitus:

[2708:189623] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[16:2578] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2692:187045] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT

I don't see anything accepted towards the router out of the ordinary. Basically only DHCP is allowed to the router.
The first rule is empty, the second is the DHCP, the third is for port forwards (since you don't have any it has 0 hits) and the fourth is rejecting everything.

vgaetera · November 1, 2020, 11:19pm

Sorry, I've confused option 42 NTP with 44 NETBIOS/Samba.

Remove those rules and check this:

nmap -sV 192.168.1.1

kitus · November 7, 2020, 11:06am

come on, not a problem!! you've been most helpful in this thread!!! I can only be thankful!

Done. here you go:

Marcs-MacBook-Air:~ marc$ nmap -sV 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 11:58 CET
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
110/tcp open  tcpwrapped
143/tcp open  tcpwrapped
993/tcp open  tcpwrapped
995/tcp open  tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.96 seconds

and yes, I'm connected to my guest wlan network:

Marcs-MacBook-Air:~ marc$ ifconfig -L en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 28:37:37:1b:b0:44 
	inet6 fe80::1030:6580:60a2:fe9c%en0 prefixlen 64 secured scopeid 0x7 
	inet 192.168.10.171 netmask 0xffffff00 broadcast 192.168.10.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Marcs-MacBook-Air:~ marc$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  4.444 ms  2.052 ms  1.102 ms
Marcs-MacBook-Air:~ marc$

Screen Shot 2020-11-07 at 12.03.49

this the current output of the commands above:

root@OpenWrt:~# uci export firewall; iptables-save -c
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'kitusguest'
	option forward 'REJECT'
	option name 'kitusguest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'kitusguest'
	option dest 'wan'

config rule
	option dest_port '67-68'
	option src 'kitusguest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'kitusguest'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'kitusguest'
	option name 'Block guest access to private network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'

config redirect
	option dest_port '8123'
	option src 'wan'
	option name 'HomeAssistant'
	option src_dport '8123'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'DuckDNS'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.4'
	option dest 'lan'
	list proto 'tcp'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*nat
:PREROUTING ACCEPT [3624043:905490078]
:INPUT ACCEPT [267684:19755390]
:OUTPUT ACCEPT [265753:19159938]
:POSTROUTING ACCEPT [6035:428185]
:postrouting_kitusguest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_kitusguest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_kitusguest_postrouting - [0:0]
:zone_kitusguest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3626929:905656374] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_lan_prerouting
[3456972:893901208] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[32952:2575776] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[134232:8982314] -A PREROUTING -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[2773:197076] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_prerouting
[760764:58139666] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:258] -A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_lan_postrouting
[3273:284829] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[754729:57711481] -A POSTROUTING -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[1322:53177] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_postrouting
[1322:53177] -A zone_kitusguest_postrouting -m comment --comment "!fw3: Custom kitusguest postrouting rule chain" -j postrouting_kitusguest_rule
[2773:197076] -A zone_kitusguest_prerouting -m comment --comment "!fw3: Custom kitusguest prerouting rule chain" -j prerouting_kitusguest_rule
[3275:285087] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.4/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j SNAT --to-source 192.168.1.1
[3456972:893901208] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.156.122.55/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant (reflection)" -j DNAT --to-destination 192.168.1.4:8123
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.156.122.55/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS (reflection)" -j DNAT --to-destination 192.168.1.4:80
[754729:57711481] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[754729:57711481] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[167184:11558090] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2431:145668] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: HomeAssistant" -j DNAT --to-destination 192.168.1.4:8123
[455:20628] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: DuckDNS" -j DNAT --to-destination 192.168.1.4:80
COMMIT
# Completed on Sat Nov  7 12:04:55 2020
# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*mangle
:PREROUTING ACCEPT [108075336:77023982979]
:INPUT ACCEPT [863281:100515137]
:FORWARD ACCEPT [104383776:76081573861]
:OUTPUT ACCEPT [796302:86502280]
:POSTROUTING ACCEPT [105163074:76167342107]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[325508:18484824] -A FORWARD -o pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[288697:16230324] -A FORWARD -i pppoe-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Nov  7 12:04:55 2020
# Generated by iptables-save v1.8.3 on Sat Nov  7 12:04:55 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_kitusguest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_kitusguest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_kitusguest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_kitusguest_dest_ACCEPT - [0:0]
:zone_kitusguest_dest_REJECT - [0:0]
:zone_kitusguest_forward - [0:0]
:zone_kitusguest_input - [0:0]
:zone_kitusguest_output - [0:0]
:zone_kitusguest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[8183:674960] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[855101:99840333] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[289623:50675478] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[97333:4014788] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i tun+ -m comment --comment "!fw3" -j zone_lan_input
[364709:37489111] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[198678:11547985] -A INPUT -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_input
[1573:100583] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_input
[104383787:76081574945] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[103915540:76039341089] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i tun+ -m comment --comment "!fw3" -j zone_lan_forward
[464770:42029420] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[2886:167308] -A FORWARD -i pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[591:37128] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_forward
[155:21700] -A FORWARD -m comment --comment "!fw3" -j reject
[8183:674960] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[788122:85828948] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[514779:66191430] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o tun+ -m comment --comment "!fw3" -j zone_lan_output
[557:170216] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[272780:19465610] -A OUTPUT -o pppoe-wan6 -m comment --comment "!fw3" -j zone_wan_output
[6:1692] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_kitusguest_output
[163910:6696598] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[35450:4898652] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[96815:3987612] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[518:27176] -A syn_flood -m comment --comment "!fw3" -j DROP
[6:1692] -A zone_kitusguest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_kitusguest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[591:37128] -A zone_kitusguest_forward -m comment --comment "!fw3: Custom kitusguest forwarding rule chain" -j forwarding_kitusguest_rule
[591:37128] -A zone_kitusguest_forward -m comment --comment "!fw3: Block guest access to private network" -j zone_lan_dest_DROP
[291:18232] -A zone_kitusguest_forward -m comment --comment "!fw3: Zone kitusguest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_kitusguest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_kitusguest_forward -m comment --comment "!fw3" -j zone_kitusguest_dest_REJECT
[1573:100583] -A zone_kitusguest_input -m comment --comment "!fw3: Custom kitusguest input rule chain" -j input_kitusguest_rule
[14:1922] -A zone_kitusguest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_kitusguest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1559:98661] -A zone_kitusguest_input -m comment --comment "!fw3" -j zone_kitusguest_src_REJECT
[6:1692] -A zone_kitusguest_output -m comment --comment "!fw3: Custom kitusguest output rule chain" -j output_kitusguest_rule
[6:1692] -A zone_kitusguest_output -m comment --comment "!fw3" -j zone_kitusguest_dest_ACCEPT
[1559:98661] -A zone_kitusguest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[2:258] -A zone_lan_dest_ACCEPT -o tun+ -m comment --comment "!fw3" -j ACCEPT
[580:172033] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o tun+ -m comment --comment "!fw3" -j DROP
[300:18896] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[464770:42029420] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[464770:42029420] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[180:23775] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[364709:37489111] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[364709:37489111] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[557:170216] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[557:170216] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i tun+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[364709:37489111] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[16600:710166] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[721061:60779321] -A zone_wan_dest_ACCEPT -o pppoe-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan6 -m comment --comment "!fw3" -j reject
[2886:167308] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[2886:167308] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[198678:11547985] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[2:85] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[1005:71983] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[25:1028] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[197646:11474889] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[272780:19465610] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[272780:19465610] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[197646:11474889] -A zone_wan_src_REJECT -i pppoe-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Nov  7 12:04:55 2020

kitus · November 7, 2020, 11:07am

@trendy fully aligned with you. I can't seem to find an explanation for what I see!!