Hi all!
I don't quite understand how masquerading works if you enable it on both the wan and lan interfaces at the same time.
Whether this is good or bad in terms of security, that's what interests me.
It's not a security thing.
Example: if you block ICMP at the raw_prerouting level on the wan interface, you may have connection problems.
But if you enable masquerading on the lan interface, everything works fine, with icmp blocked.
That's the question, I don't quite understand how it works, is it dangerous or not.
It seems to me that it's cool or am I wrong?
It is not a security thing per se, but as all traffic now originates from the router's IP address you lose logging and access control.
For me that is a security thing.
You're wrong. Leave things you don't understand alone. Your grasp of networking concepts is already poor, do not attempt to overcomplicate it with more things you don't understand.
The log doesn't bother me. I'm more interested in this: if you block ICMP on the wan interface, does ICMP then come from the lan interface, or what? I don't understand.
Why are you blocking ICMP?
Where are you pinging from? LAN or internet?
just a task to block all icmp traffic on the wan interface
Why are you blocking ICMP
change the default traffic rules, for whatever reason you want to do it.
I am satisfied with such a combination, I just don't understand how it works
How what works? The firewall?
Why, thanks to the masquerade on the LAN interface and the ICMP blocking on the WAN interface, does everything work fine, and is it possible to leave it like that?
I don't need traceroute and ping usage
you could have left it without any changes, too ...
of course it is possible without changes, but it is not interesting
If you enable masquerade on the LAN interface, you may experience anomalies when internally routing (e.g. you ever create a second LAN or VPN) interfaces.
By default masquerade on WAN (IPv4) is enabled because:
Usually ISPs issue one IPv4 address. Masquerade, a form of Network Address Translation (NAT), was designed so private IPs (RFC 1918) can be used internally, while traffic to the Internet uses the WAN IP. It's a type of Source NAT. Since the private addresses are not publicly routable, the WAN IP must be used to send traffic, hence the need to masquerade on WAN.
This is basic networking knowledge, and masquerade is not OpenWrt-specific.
https://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html
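A toy model of what masquerade (source NAT) does on egress, added here as an illustration and not taken from the thread or from OpenWrt's own code. The zone names, addresses and the second "guest" zone are constructed assumptions; the model shows why masq on the wan zone is what makes RFC 1918 hosts reachable on the Internet, and why also enabling it on the lan zone makes every internally routed flow appear to come from the router, which is exactly the loss of per-host logging and access control mentioned above.

```python
# Constructed example: a minimal simulation of zone-based masquerade.
# Addresses and zones are assumptions, not the original poster's setup.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Router's own address on each zone (constructed values).
ROUTER_IP = {"lan": "192.168.1.1", "guest": "192.168.2.1", "wan": "203.0.113.5"}
# Locally attached networks; anything else is routed out via wan (default route).
ZONE_NETS = {"lan": ip_network("192.168.1.0/24"), "guest": ip_network("192.168.2.0/24")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def egress_zone(dst: str) -> str:
    """Zone the router forwards a packet towards; unknown destinations go to wan."""
    for zone, net in ZONE_NETS.items():
        if ip_address(dst) in net:
            return zone
    return "wan"


def forward(pkt: Packet, masq_zones) -> Packet:
    """Forward a packet through the router.

    If the egress zone has masquerade enabled, the source address is rewritten
    to the router's address on that zone (source NAT); otherwise it is kept.
    """
    zone = egress_zone(pkt.dst)
    if zone in masq_zones:
        return replace(pkt, src=ROUTER_IP[zone])
    return pkt


def source_seen_by_server(masq_zones, client: str, server: str) -> str:
    """Source address the destination host observes for a client -> server flow."""
    return forward(Packet(client, server), masq_zones).src


def per_host_acl_allows(allowlist, observed_src: str) -> bool:
    """A server-side allowlist keyed on source IP, as seen after any NAT."""
    return observed_src in allowlist


if __name__ == "__main__":
    # wan-only masq: a guest host reaching a lan server keeps its real address,
    # while the same host reaching the Internet is seen as the WAN IP.
    print(source_seen_by_server({"wan"}, "192.168.2.20", "192.168.1.50"))
    print(source_seen_by_server({"wan"}, "192.168.2.20", "198.51.100.7"))
    # masq on lan too: every guest host now looks like 192.168.1.1 to the lan server.
    print(source_seen_by_server({"wan", "lan"}, "192.168.2.20", "192.168.1.50"))
```

With masq on lan, a server allowlist that admits one guest host by IP can no longer distinguish it from any other guest host, because all of them arrive as the router's lan address.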
I consider ICMP traffic dangerous, so the goal is to turn it off completely for the Internet and force the router to work without this protocol
Then just disable the ping firewall rule. Voilà.
Still other ways the router could respond, though (e.g. you still have the default rule as REJECT). So not sure why ping is considered insecure in particular.
It's not. Blocking it is neither necessary, nor a good idea.