Help with firewall zones, stopped randomly working after it worked

I need some help to figure out why my firewall isn't working as I want it to, and why it randomly stopped working after working just how I wanted for 2 days.

I will provide images of my config (I find it easier to see it this way) but will also send all the config files as text. First off, I will explain my desired scenario. I want an interface "lan" that connects all my devices together; this uses some of the ports and a 2.4 GHz and a 5 GHz wifi network. This interface should have access to the internet. I can VPN into my "lan" interface. I have a "guest" interface; it does not have access to the devices on the "lan" interface, it just has access to the internet. The "guest" interface has a separate 2.4 GHz wifi network. I have a "notrust" interface; this has a 2.4 GHz network but it is currently disabled. This should not have internet access and should, with firewall traffic rules, allow access to certain IPs on the "lan" interface. Last but not least, the part that stopped working for me: my "open" interface. The "open" interface is only used by the LAN4 port and is for a specific device that has ports open to the internet. I wanted it to only be able to send data to the "wan", but devices on the "lan" should be able to connect to it (and then port 80 and 443 for wan, but that is a port forward and it works fine).

This is how this looks in LuCi:


This setup worked just how I wanted it: I could SSH into the "open" machine from a device on "lan", access the "open" machine from the internet via the port forward, and when I had SSH-ed in I was not able to ping or view other devices on my "lan", exactly how I wanted. This worked perfectly fine for 2 days. However, in the morning today I wanted to see if I could use Cloudflare DNS for my internet via a router setting; this made my local DNS entries stop working, so I removed it basically immediately, and the firewall stuff worked all the way until the evening, when it randomly stopped working. I am no longer able to SSH into the "open" machine from my "lan"; I can however access the "open" machine over wan with the port forwards. I have tried adding access to "lan" from "open", however this did not work. Removing "wan" from "open" works perfectly fine and has an immediate effect when trying to debug this.

So I am wondering, what can I do to make it work as I want, if not via this way, how else could I do this?

Many thanks,
Philip

EDIT: Adding lan to the guest and connecting my phone to the guest network, I can access devices on "lan"; without this change it does not work.
Setting it to "open":
I can now access HTTP port 80 from a device on "guest"; question is, why does this not work on "lan"?

Edit 2: I can SSH now this way as well, but again, why not from "lan"?

Edit 3: I have now tried restarting multiple times and configured lan4 over a bridge (like lan is), but it is still not working. Because it works perfectly from guest but not from lan when adding "open" to the "guest", and then stops working when removing it, I see this as a bug and will report it as such on GitHub.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd07:1bfc:a00c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-notrust'
	option bridge_empty '1'

config interface 'notrust'
	option proto 'static'
	option device 'br-notrust'
	option ipaddr '192.168.205.1'
	option netmask '255.255.255.0'

config interface 'open'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '8'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '48'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'DoUWantToEnterMyChamberOfSecrets'
	option encryption 'sae-mixed'
	option key 'password'
	option network 'lan'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'DoUWantToEnterMyChamberOfSecrets'
	option encryption 'sae-mixed'
	option key 'password'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'LordVoldemodem'
	option encryption 'sae-mixed'
	option key 'password'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Big'\''D'\'''
	option encryption 'sae-mixed'
	option key 'password'
	option network 'notrust'
	option disabled '1'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '0'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list address '/.home/192.168.100.100'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'mediapc'
	option ip '192.168.1.10'
	list mac '74:D8:3E:42:57:84'

config host
	option name 'printer'
	option ip '192.168.1.200'
	list mac '64:EB:8C:13:40:62'

config host
	option ip '192.168.1.201'
	option name '3dprinter'
	list mac 'FC:EE:91:00:2E:5F'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'notrust'
	option interface 'notrust'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'open'
	option interface 'open'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option ip '192.168.100.100'
	option name 'elitebook-server'
	list mac '70:5A:0F:CD:EC:9A'
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	list device 'tun+'
	option log '1'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'open'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.100.100'
	option dest_port '80'

config redirect
	option dest 'open'
	option target 'DNAT'
	option name 'https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.100.100'
	option dest_port '443'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'notrust'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'notrust'

config rule
	option name 'Allow-DNS-NoTrust'
	option src 'notrust'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCP-NoTrust'
	list proto 'udp'
	option src 'notrust'
	option dest_port '67'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src 'notrust'
	option dest 'lan'
	list dest_ip '192.168.1.10'
	option target 'ACCEPT'
	option dest_port '9999'
	option name 'ExampleForNotrust'
	option enabled '0'

config zone
	option name 'open'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'open'

config forwarding
	option src 'lan'
	option dest 'open'

config rule
	option name 'Allow-DHCP-Open'
	list proto 'udp'
	option src 'open'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-Open'
	option src 'open'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'open'
	option dest 'wan'

Check the route on the machines on the "open" network. They must have a route configured for 192.168.1.0/24 via 192.168.100.1.

Then you need forwarding rights from open to lan. Otherwise the SSH (or other traffic) reply from "open" machines can never cross into lan.


I will check this, and if it does not exist, try to add it. It looks like this:

default via 192.168.100.1 dev enp0s31f6 proto dhcp src 192.168.100.100 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-4e615d5193fb proto kernel scope link src 172.18.0.1 
172.19.0.0/16 dev br-4693c78c0714 proto kernel scope link src 172.19.0.1 
172.21.0.0/16 dev br-65e729a9f2f2 proto kernel scope link src 172.21.0.1 
172.22.0.0/16 dev br-45af93d1ae5e proto kernel scope link src 172.22.0.1 
172.23.0.0/16 dev br-e37b27179b59 proto kernel scope link src 172.23.0.1 
172.24.0.0/16 dev br-ea0dc9412ec1 proto kernel scope link src 172.24.0.1 
192.168.0.0/20 dev br-3cceae7ce269 proto kernel scope link src 192.168.0.1 
192.168.16.0/20 dev br-c8db8d06dbd2 proto kernel scope link src 192.168.16.1 
192.168.48.0/20 dev br-a6b096e63afe proto kernel scope link src 192.168.48.1 
192.168.80.0/20 dev br-a9f4e7a07e70 proto kernel scope link src 192.168.80.1 
192.168.96.0/20 dev br-8c9f72e79734 proto kernel scope link src 192.168.96.1 
192.168.100.0/24 dev enp0s31f6 proto kernel scope link src 192.168.100.100 metric 100 
192.168.100.1 dev enp0s31f6 proto dhcp scope link src 192.168.100.100 metric 100 
192.168.112.0/20 dev br-08a9e51f4ee2 proto kernel scope link src 192.168.112.1 

I don't think I ever configured rules like this, but why did it work initially then? And why does it still work when using the "guest" network?
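As an added example (not from the thread), a longest-prefix lookup over an abridged copy of the route table posted above, showing which interface a packet to a lan address such as 192.168.1.10 leaves the "open" machine by, before and after adding the 192.168.1.0/24 route via 192.168.100.1 suggested earlier. The guest address 192.168.200.50 is a constructed sample.

```python
import ipaddress
import re

# Abridged copy of the `ip route` output posted above for the machine on "open"
# (constructed for this example; only the routes relevant to the lookup are kept).
ROUTE_TABLE = """\
default via 192.168.100.1 dev enp0s31f6 proto dhcp src 192.168.100.100 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/20 dev br-3cceae7ce269 proto kernel scope link src 192.168.0.1
192.168.100.0/24 dev enp0s31f6 proto kernel scope link src 192.168.100.100 metric 100
192.168.100.1 dev enp0s31f6 proto dhcp scope link src 192.168.100.100 metric 100
192.168.112.0/20 dev br-08a9e51f4ee2 proto kernel scope link src 192.168.112.1
"""

# destination, optional gateway, device, optional metric (as printed by iproute2)
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?")

def parse_routes(text):
    """Parse `ip route` lines into dicts; 'default' and bare hosts become networks."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"net": net, "gw": m.group("gw"), "dev": m.group("dev"),
                       "metric": int(m.group("metric") or 0)})
    return routes

def lookup(routes, addr):
    """Longest-prefix match; a lower metric wins ties, as the kernel does."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def exit_path(routes, addr):
    """Return (device, gateway) the packet to addr would use, or None if unroutable."""
    r = lookup(routes, addr)
    return (r["dev"], r["gw"]) if r else None

if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("192.168.1.10", "192.168.200.50"):
        print(dst, "->", exit_path(routes, dst))
    # The fix from the thread: an explicit route for the lan subnet via the router.
    fixed = parse_routes(ROUTE_TABLE + "192.168.1.0/24 via 192.168.100.1 dev enp0s31f6\n")
    print("192.168.1.10 with fix ->", exit_path(fixed, "192.168.1.10"))
```

Without the extra route, 192.168.1.10 falls inside the /20 owned by a Docker bridge, so it never reaches the router, while a 192.168.200.x guest address only matches the default route.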

This worked! Thank you so much. Can this be auto-configured somehow?

But still, why did it work over guest? Guest uses IP range 192.168.200.1, but there is nothing in the route config for this and it worked.

Sometimes the SSH reply is sent over the default route, which is why it would work. But there is no guarantee for that unless you add the route for the subnet. You can also NAT the traffic from/to the open network, so that machines on open would not need to know the actual source IP, hence avoiding the need for adding a route.

Interesting, thank you so much for the help. I don't really understand how to set up the NAT rules; would I need to specify them per machine? Also, would that allow open to access lan? Because I only want to allow replies, if that makes sense, and it seems to work that way because I have another web interface hosted on lan that the open machine can't connect to unless I add lan to the firewall rule for open.
