How does Luci Firewall zone settings work?

grenouille · May 26, 2021, 10:08am

Hi There!

I would like to use openwrt not as usual router and I'm not comfortable with the Firewall zone system.

I wish to understand exactly what I'm doing here, so explanations are welcome

First, let me explain what I want to do.

I am using a gl.inet device with USB, 2 Ethernet (eth0, eth1) and wifi (not used).

-USB is used with a LTE modem (interface "ncm wwan", Firewall Zone WWAN).
-eth0 is attached to firewall zone LAN
-eth1 is attached to firewall zone WAN (It will not be exactly used as WAN but will be connected to WAN port of my main router).

I would like to use this openwrt device as a LTE gateway connected on WAN port of my main router.

I want to use eth0 LAN as a maintenance access and this port will be connected to my LAN as 192.168.1.253.
I will use this to access luci and manage the gateway ( I assume it's possible to access also from WAN through my router, but I prefer do this on LAN side: it's also an opportunity to learn how to isolate Zone on openwrt).

eth1 will be connected to WAN port of my router and will be a gateway to the LTE modem.

So, now let's come to the firewall settings:

It's not clear to me what's the meaning of "input, output, forward" and also this masquerading check box ?

Here:

And Here:

Then, it's also not clear how work this "zone forwarding" area:

Explanations welcome !

At the end, I wish to have a path WAN<->WWAN, but LAN side shall be fully isolated from WAN and WWAN side. LAN side shall be a dead-end except for Luci/SSH from LAN.

grenouille · May 26, 2021, 10:13am

by the way, here is a sketch of the planned setup

the LTE gateway is a backup WAN, there is an other WAN on the router (not on picture)

trendy · May 26, 2021, 11:04am

A zone is a collection of one or more interfaces, using the same policy.
Input and output mean the default policy for packets ingress-egress to this zone from-to the device itself.
forward is the default policy for packets traversing the interfaces of the same zone. (you won't need it in your case)
masquerade is enabling source nat on the egress packets out of the zone, using the interface IP as source.
The way you have it depicted on the diagram, I think you should have:
LAN as is.
WAN: INPUT/FORWARD DROP or REJECT, OUTPUT ACCEPT. Forwarding to WWAN, no masquerade.
WWAN: INPUT/FORWARD DROP or REJECT, OUTPUT ACCEPT. No forwarding, enable masquerade.
Make sure the other router does masquerade out of its wan interface, otherwise there will be a problem with the source IPs.

grenouille · May 29, 2021, 12:26pm

Let make sure I understood well

The "input, output, forward" things are related to the device itself ?

On LAN row :
input: Accept on input allows that I connect to openwrt from LAN ? (like ssh or luci).
output: Accept on output allows openwrt to send message, for example, let's say to ping someone on the LAN from openwrt ?
forward : used in case I have multiple interface in the LAN zone, for example in case I have eth0 and wifi on LAN zone, so that package can go from LAN to WLAN through openwrt ?

On WWAN:
input: reject: no-one can connect to Luci from internet ?
output : accept openwrt can go on the internet through LTE, for example ping 8.8.8.8
forward: useless as I have only one interface in this zone ?

On WAN:
input: reject: no-one can connect to Luci from the router through LAN. ?
output : accept openwrt can go on the internet through LTE, for example ping 8.8.8.8
forward: useless as I have only one interface in this zone ?

Is my understanding correct ?

Would it make any sense to put both WAN&WWAN in same firewall zone and enable forward ?

trendy · May 29, 2021, 4:15pm

You assumptions are correct. However these are policies. It means that if you have drop on wwan input, it means that by default nothing will be allowed inbound from the wwan zone to the router, unless you have explicitly allowed something, e.g ssh or vpn.

You can combine them in one zone, say wan, but you must not allow forward. That would mean that you allow traffic from your LTE provider to use you as an intermediate step to reach your other ISP. This shouldn't work due to restrictions from ISP as well, but you get my point.

ulmwind · May 29, 2021, 6:01pm

Sorry, I do not understand 'circle' 172.16.1.1-172.16.1.2, 192.168.1.254-192.168.1.253 What does it mean?

grenouille · May 29, 2021, 6:48pm

Hi !

@ulmwind
Well, I want to use this openwrt as gateway from my router to my LTE modem.
The LAN side is not mandatory and it@'s possible to access the gateway luci from LAN through the router (on 172.16.1.1).....But ! as I have this 2nd ethernet port available, why not use it
A great advantage is if I mess up completly with eth1, I still can manage and repair from eth0.
I have done some various tests (like bridging eth1 &wwan0) and I can say it's a good idea to keep an open door on LAN side with 192.168.1.253...
I hope my explanations are not too confusing ?

@trendy
Many thanks for your explanations !!

ulmwind · May 29, 2021, 8:09pm

It is too confusing.

'Standard' router operation is by WAN, or WWAN, if any. So Internet connection is established by WAN, or by WWAN. But in your case there is using of WAN, as 'second' LAN interface. Now I understand your questions concerning masquerading. But, I suppose, the ONLY route for internal router to Internet is VIA ITS WAN port 172.16.1.2?

grenouille · May 29, 2021, 10:21pm

Hi!
Yes! I use the eth1 as a link from router. I called it "wan" because it's supposed to be the wan port of the device I use as a gateway. But eth1 is repurposed here and should not be called wan.
Sorry that I bring a bit of confusion.

And yes, you are right, I expect no communication from lan through 192.168.1.253 to the Internet
I expect this to be managed by the "zone forwarding" area where I have " LAN => reject"

SamuelCeasar12 · June 1, 2021, 2:13pm

Thank you for updating us with the outcome.