How to isolate the wireless network

Slayes · November 30, 2019, 9:09am

Hello,

I configured on my Archer C2 V1 :

Lan
Wan
MWan (Travelmate)
3 wireless networks :
1. for all connected objects (wlan1)
2. for guests (wlan2)
3. for personnal desktop and mobil (wlan3)

I would like to isolate wlan1 and wlan2 for the other, I tried to set differents parameters without success (unbridge lan & wireless, set the firewall)

Network configuration.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'f4:f2:6d:f9:73:63'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'f4:f2:6d:f9:73:64'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'wlan1'
	option _orig_ifname 'radio0.network2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wlan2'
	option _orig_ifname 'radio0.network3'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'trm_wwan'
	option proto 'dhcp'

config interface 'wlan3'
	option _orig_ifname 'wlan0'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

Wireless configuration

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option htmode 'HT20'
	option txpower '20'
	option country '00'
	option disabled '0'
	option channel '1'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'SlayesHome'
	option encryption 'psk-mixed'
	option key 'xxxxxxxxxxxxxxx'
	option network 'lan wlan3'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'SlayesObj'
	option network 'wlan1'
	option encryption 'psk-mixed'
	option key 'xxxxxxxxxxxx'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'SlayesGuest'
	option network 'wlan2'
	option encryption 'psk-mixed'
	option key 'xxxxxxxx'

config wifi-iface
	option ssid 'vlsm'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'sta'
	option bssid '94:65:2D:7F:16:A5'
	option key 'xxxxxxxx'
	option network 'trm_wwan'
	option disabled '1'

Firewall configuration

config rule
	option name 'test'
	option src '*'
	option dest 'wlan1'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wlan1'
	option output 'ACCEPT'
	option network 'wlan1'
	option forward 'REJECT'
	option input 'ACCEPT'

config zone
	option name 'wlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'wlan2'
	option forward 'REJECT'

config zone
        option name 'wlan3'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wlan3'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 trm_wwan wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wlan1'
	option dest 'wan'

config forwarding
	option src 'wlan2'
	option dest 'wan'

config forwarding
        option dest 'wan'
        option src 'wlan3'


config include
	option path '/etc/firewall.user'

Route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth0.2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.0.254   *               255.255.255.255 UH    0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.1
192.168.2.0     *               255.255.255.0   U     0      0        0 wlan0-1
192.168.3.0     *               255.255.255.0   U     0      0        0 wlan0-2
192.168.4.0     *               255.255.255.0   U     0      0        0 wlan0

Somebody know what I missunderstood ?

trendy · November 30, 2019, 12:12pm

That is wrong. Remove wlan3 altogether. You are treating wlan3 as the lan, so no need to use wlan3 and make it more complicated.
The rest look fine, every wifi-iface is attached to a network of it's own and you have specifically enabled the forwardings in firewall for the zones that you want to allow communication.

Slayes · November 30, 2019, 1:21pm

Thanks for your help.

option network 'lan wlan3' should be option network 'wlan3'.
I'm trying to isolate wlan1 and wlan3 to authorize only connection to the wan ( block the connection between wlan1 and (Lan/wlan2/wlan3) and block the connection between wlan2 and (Lan/wlan1/wlan3)).

I tried to use something like :
config rule
option src 'wlan1'
option dest 'lan'
option proto '*'
option target 'DROP'

But this solution doesn't work, I'm still succeed to ping an IP on the Lan from wlan1.

bluewavenet · November 30, 2019, 2:16pm

The simplest is to go back to defaults, then:

Create another two lan interfaces so you have lan, lana and lanb all assigned to the LAN zone
set up lan, lana and lanb to use different subnets. eg lan 192.168.1.1, lana 192.168.2.1, lanb 192.168.3.1
Assign a virtual wireless to each of these

By default, each "lan" will be natted to wan, preventing any connection between the 3 lans
No additional firewall settings required.

Slayes · November 30, 2019, 2:31pm

Thanks, I'll try this evening, to reset the router and follow your method.

trendy · November 30, 2019, 5:34pm

By default the LAN zone has ALLOW in FORWARD, so all of them will be allowed to communicate to each other.

The rule is not wrong, but it is most likely lower in the chain of rules, thus not used at all.
If you want to allow traffic between zones you should use the forwardings, like you have in your firewall configuration in the first post.

Slayes · November 30, 2019, 5:50pm

Thanks for your reply.

Before to reset my configuration, I'm doing some tests to try to understand the minimum .
I would like to block the traffic between lan and wlan1
I added these lines of the firewall file :

 config rule                                     
    option name 'Deny wlan1 -> LAN'        
    option src 'wlan1'                      
    option dest 'lan'                       
    option proto 'all'                      
    option target 'DROP'

On the lan , there is a raspberry with a webserver (192.168.1.254)
I'm working on my laptop connected with the wlan1 (192.168.2.216)

Why this rule doesn't work ? Could you please explained me what I'm doing wrong ? I'm always able to ping and reach the webserver

trendy · November 30, 2019, 5:54pm

You are not doing anything wrong. Like I said before, it is a matter of precedence. Post your firewall configuration and I'll show you.
iptables-save -c

Slayes · November 30, 2019, 6:08pm

Thanks, please see below :

`:PREROUTING ACCEPT [3418:541129]
:INPUT ACCEPT [552:45215]
:OUTPUT ACCEPT [193:18796]
:POSTROUTING ACCEPT [79:10524]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wlan1_rule - [0:0]
:postrouting_wlan2_rule - [0:0]
:postrouting_wlan3_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wlan1_rule - [0:0]
:prerouting_wlan2_rule - [0:0]
:prerouting_wlan3_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wlan1_postrouting - [0:0]
:zone_wlan1_prerouting - [0:0]
:zone_wlan2_postrouting - [0:0]
:zone_wlan2_prerouting - [0:0]
:zone_wlan3_postrouting - [0:0]
:zone_wlan3_prerouting - [0:0]
[3418:541129] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[381:48496] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[2616:367429] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_prerouting
[0:0] -A PREROUTING -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_prerouting
[0:0] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_prerouting
[421:125204] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1084:79633] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[78:10183] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[1:341] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_postrouting
[0:0] -A POSTROUTING -o wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wlan3_postrouting
[1005:69109] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[78:10183] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.254/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: JeedomHttps (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.254/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: JeedomHttp (reflection)" -j SNAT --to-source 192.168.1.1
[381:48496] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.16/32 -p tcp -m tcp --dport 36944 -m comment --comment "!fw3: JeedomHttps (reflection)" -j DNAT --to-destination 192.168.1.254:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.16/32 -p tcp -m tcp --dport 36415 -m comment --comment "!fw3: JeedomHttp (reflection)" -j DNAT --to-destination 192.168.1.254:80
[1005:69109] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[1005:69109] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[421:125204] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 36944 -m comment --comment "!fw3: JeedomHttps" -j DNAT --to-destination 192.168.1.254:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 36415 -m comment --comment "!fw3: JeedomHttp" -j DNAT --to-destination 192.168.1.254:80
[1:341] -A zone_wlan1_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan1_rule
[2616:367429] -A zone_wlan1_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan1_rule
[0:0] -A zone_wlan2_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan2_rule
[0:0] -A zone_wlan2_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan2_rule
[0:0] -A zone_wlan3_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan3_rule
[0:0] -A zone_wlan3_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan3_rule
COMMIT
# Completed on Sat Nov 30 18:07:20 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:07:20 2019
*raw
:PREROUTING ACCEPT [222822:119946314]
:OUTPUT ACCEPT [40724:12792726]
COMMIT
# Completed on Sat Nov 30 18:07:20 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:07:20 2019
*mangle
:PREROUTING ACCEPT [86199:44200353]
:INPUT ACCEPT [20388:2103904]
:FORWARD ACCEPT [63836:41661372]
:OUTPUT ACCEPT [21237:6569149]
:POSTROUTING ACCEPT [85073:48230521]
[306:17076] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Nov 30 18:07:20 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:07:20 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [68:3464]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wlan1_rule - [0:0]
:forwarding_wlan2_rule - [0:0]
:forwarding_wlan3_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wlan1_rule - [0:0]
:input_wlan2_rule - [0:0]
:input_wlan3_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wlan1_rule - [0:0]
:output_wlan2_rule - [0:0]
:output_wlan3_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_newzone_forward - [0:0]
:zone_newzone_input - [0:0]
:zone_newzone_output - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wlan1_dest_ACCEPT - [0:0]
:zone_wlan1_dest_REJECT - [0:0]
:zone_wlan1_forward - [0:0]
:zone_wlan1_input - [0:0]
:zone_wlan1_output - [0:0]
:zone_wlan1_src_ACCEPT - [0:0]
:zone_wlan2_dest_ACCEPT - [0:0]
:zone_wlan2_dest_REJECT - [0:0]
:zone_wlan2_forward - [0:0]
:zone_wlan2_input - [0:0]
:zone_wlan2_output - [0:0]
:zone_wlan2_src_ACCEPT - [0:0]
:zone_wlan3_dest_ACCEPT - [0:0]
:zone_wlan3_dest_REJECT - [0:0]
:zone_wlan3_forward - [0:0]
:zone_wlan3_input - [0:0]
:zone_wlan3_output - [0:0]
:zone_wlan3_src_ACCEPT - [0:0]
[402:53864] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[19986:2050040] -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
[19036:1970133] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[86:4472] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[160:20152] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[790:59755] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_input
[0:0] -A INPUT -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_input
[0:0] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[63836:41661372] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[62859:41595130] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[167:11736] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[810:54506] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_forward
[0:0] -A FORWARD -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[402:53864] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[20835:6515285] -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
[20619:6490739] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[38:12559] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[1:341] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_output
[0:0] -A OUTPUT -o wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_output
[0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wlan3_output
[177:11646] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[86:4472] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[38:12559] -A zone_lan_dest_ACCEPT -o eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_REJECT -o eth0.1 -m comment --comment "!fw3" -j reject
[167:11736] -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
[167:11736] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[160:20152] -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[160:20152] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[38:12559] -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
[38:12559] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[160:20152] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1086:74424] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[177:11646] -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
[177:11646] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[1:341] -A zone_wlan1_dest_ACCEPT -o wlan0-1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan1_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[810:54506] -A zone_wlan1_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan1_rule
[810:54506] -A zone_wlan1_forward -m comment --comment "!fw3: forwarding wlan1 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[68:3464] -A zone_wlan1_forward -m comment --comment "!fw3" -j zone_wlan1_dest_REJECT
[790:59755] -A zone_wlan1_input -m comment --comment "!fw3: user chain for input" -j input_wlan1_rule
[0:0] -A zone_wlan1_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow DNS requet WLAN1" -j ACCEPT
[227:14868] -A zone_wlan1_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow DNS requet WLAN1" -j ACCEPT
[0:0] -A zone_wlan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[563:44887] -A zone_wlan1_input -m comment --comment "!fw3" -j zone_wlan1_src_ACCEPT
[1:341] -A zone_wlan1_output -m comment --comment "!fw3: user chain for output" -j output_wlan1_rule
[1:341] -A zone_wlan1_output -m comment --comment "!fw3" -j zone_wlan1_dest_ACCEPT
[563:44887] -A zone_wlan1_src_ACCEPT -i wlan0-1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan2_dest_ACCEPT -o wlan0-2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan2_dest_REJECT -o wlan0-2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan2_rule
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3: forwarding wlan2 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3" -j zone_wlan2_dest_REJECT
[0:0] -A zone_wlan2_input -m comment --comment "!fw3: user chain for input" -j input_wlan2_rule
[0:0] -A zone_wlan2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan2_input -m comment --comment "!fw3" -j zone_wlan2_src_ACCEPT
[0:0] -A zone_wlan2_output -m comment --comment "!fw3: user chain for output" -j output_wlan2_rule
[0:0] -A zone_wlan2_output -m comment --comment "!fw3" -j zone_wlan2_dest_ACCEPT
[0:0] -A zone_wlan2_src_ACCEPT -i wlan0-2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan3_dest_ACCEPT -o wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan3_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wlan3_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan3_rule
[0:0] -A zone_wlan3_forward -m comment --comment "!fw3: forwarding wlan3 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wlan3_forward -m comment --comment "!fw3" -j zone_wlan3_dest_REJECT
[0:0] -A zone_wlan3_input -m comment --comment "!fw3: user chain for input" -j input_wlan3_rule
[0:0] -A zone_wlan3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan3_input -m comment --comment "!fw3" -j zone_wlan3_src_ACCEPT
[0:0] -A zone_wlan3_output -m comment --comment "!fw3: user chain for output" -j output_wlan3_rule
[0:0] -A zone_wlan3_output -m comment --comment "!fw3" -j zone_wlan3_dest_ACCEPT
[0:0] -A zone_wlan3_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sat Nov 30 18:07:20 2019
`

trendy · November 30, 2019, 6:31pm

Did you restart the firewall after you added this rule? I don't see it there.

Slayes · November 30, 2019, 6:45pm

Oups sorry, I was reloading only the network


# Generated by iptables-save v1.4.21 on Sat Nov 30 18:43:07 2019
*nat
:PREROUTING ACCEPT [28:3111]
:INPUT ACCEPT [7:386]
:OUTPUT ACCEPT [2:148]
:POSTROUTING ACCEPT [4:208]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wlan1_rule - [0:0]
:postrouting_wlan2_rule - [0:0]
:postrouting_wlan3_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wlan1_rule - [0:0]
:prerouting_wlan2_rule - [0:0]
:prerouting_wlan3_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wlan1_postrouting - [0:0]
:zone_wlan1_prerouting - [0:0]
:zone_wlan2_postrouting - [0:0]
:zone_wlan2_prerouting - [0:0]
:zone_wlan3_postrouting - [0:0]
:zone_wlan3_prerouting - [0:0]
[28:3111] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[0:0] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[9:1637] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_prerouting
[0:0] -A PREROUTING -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_prerouting
[15:802] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_prerouting
[4:672] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[15:829] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[4:208] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_postrouting
[0:0] -A POSTROUTING -o wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wlan3_postrouting
[11:621] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[4:208] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.254/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: JeedomHttps (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.254/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: JeedomHttp (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.16/32 -p tcp -m tcp --dport 36944 -m comment --comment "!fw3: JeedomHttps (reflection)" -j DNAT --to-destination 192.168.1.254:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.16/32 -p tcp -m tcp --dport 36415 -m comment --comment "!fw3: JeedomHttp (reflection)" -j DNAT --to-destination 192.168.1.254:80
[11:621] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[11:621] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[4:672] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 36944 -m comment --comment "!fw3: JeedomHttps" -j DNAT --to-destination 192.168.1.254:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 36415 -m comment --comment "!fw3: JeedomHttp" -j DNAT --to-destination 192.168.1.254:80
[0:0] -A zone_wlan1_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan1_rule
[9:1637] -A zone_wlan1_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan1_rule
[0:0] -A zone_wlan2_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan2_rule
[0:0] -A zone_wlan2_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan2_rule
[0:0] -A zone_wlan3_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wlan3_rule
[15:802] -A zone_wlan3_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wlan3_rule
COMMIT
# Completed on Sat Nov 30 18:43:07 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:43:07 2019
*raw
:PREROUTING ACCEPT [264616:144021809]
:OUTPUT ACCEPT [48097:15013852]
COMMIT
# Completed on Sat Nov 30 18:43:07 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:43:07 2019
*mangle
:PREROUTING ACCEPT [962:389883]
:INPUT ACCEPT [276:29190]
:FORWARD ACCEPT [678:358785]
:OUTPUT ACCEPT [328:68449]
:POSTROUTING ACCEPT [1006:427234]
[8:448] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Nov 30 18:43:07 2019
# Generated by iptables-save v1.4.21 on Sat Nov 30 18:43:07 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [10:520]
:OUTPUT ACCEPT [2:80]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wlan1_rule - [0:0]
:forwarding_wlan2_rule - [0:0]
:forwarding_wlan3_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wlan1_rule - [0:0]
:input_wlan2_rule - [0:0]
:input_wlan3_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wlan1_rule - [0:0]
:output_wlan2_rule - [0:0]
:output_wlan3_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_newzone_forward - [0:0]
:zone_newzone_input - [0:0]
:zone_newzone_output - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wlan1_dest_ACCEPT - [0:0]
:zone_wlan1_dest_REJECT - [0:0]
:zone_wlan1_forward - [0:0]
:zone_wlan1_input - [0:0]
:zone_wlan1_output - [0:0]
:zone_wlan1_src_ACCEPT - [0:0]
:zone_wlan2_dest_ACCEPT - [0:0]
:zone_wlan2_dest_REJECT - [0:0]
:zone_wlan2_forward - [0:0]
:zone_wlan2_input - [0:0]
:zone_wlan2_output - [0:0]
:zone_wlan2_src_REJECT - [0:0]
:zone_wlan3_dest_ACCEPT - [0:0]
:zone_wlan3_dest_REJECT - [0:0]
:zone_wlan3_forward - [0:0]
:zone_wlan3_input - [0:0]
:zone_wlan3_output - [0:0]
:zone_wlan3_src_ACCEPT - [0:0]
[26:3500] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[257:25970] -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
[243:24892] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:312] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_input
[0:0] -A INPUT -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_input
[10:758] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_input
[4:320] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[678:358785] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[659:357752] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[11:617] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_forward
[0:0] -A FORWARD -i wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_forward
[8:416] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wlan3_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[26:3500] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[318:69505] -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
[314:69277] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_wlan1_output
[0:0] -A OUTPUT -o wlan0-2 -m comment --comment "!fw3" -j zone_wlan2_output
[0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wlan3_output
[4:228] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[4:320] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:312] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o eth0.1 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_REJECT -o eth0.1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[0:0] -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[11:661] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: @rule[6]" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[4:320] -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:320] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[4:228] -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
[4:228] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[4:320] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wlan1_dest_ACCEPT -o wlan0-1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan1_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[11:617] -A zone_wlan1_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan1_rule
[11:617] -A zone_wlan1_forward -m comment --comment "!fw3: Deny Guest -> LAN" -j zone_lan_dest_DROP
[11:617] -A zone_wlan1_forward -m comment --comment "!fw3: forwarding wlan1 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[6:312] -A zone_wlan1_forward -m comment --comment "!fw3" -j zone_wlan1_dest_REJECT
[0:0] -A zone_wlan1_input -m comment --comment "!fw3: user chain for input" -j input_wlan1_rule
[0:0] -A zone_wlan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan1_input -m comment --comment "!fw3" -j zone_wlan1_src_ACCEPT
[0:0] -A zone_wlan1_output -m comment --comment "!fw3: user chain for output" -j output_wlan1_rule
[0:0] -A zone_wlan1_output -m comment --comment "!fw3" -j zone_wlan1_dest_ACCEPT
[0:0] -A zone_wlan1_src_ACCEPT -i wlan0-1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan2_dest_ACCEPT -o wlan0-2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan2_dest_REJECT -o wlan0-2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan2_rule
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3: forwarding wlan2 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wlan2_forward -m comment --comment "!fw3" -j zone_wlan2_dest_REJECT
[0:0] -A zone_wlan2_input -m comment --comment "!fw3: user chain for input" -j input_wlan2_rule
[0:0] -A zone_wlan2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan2_input -m comment --comment "!fw3" -j zone_wlan2_src_REJECT
[0:0] -A zone_wlan2_output -m comment --comment "!fw3: user chain for output" -j output_wlan2_rule
[0:0] -A zone_wlan2_output -m comment --comment "!fw3" -j zone_wlan2_dest_ACCEPT
[0:0] -A zone_wlan2_src_REJECT -i wlan0-2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wlan3_dest_ACCEPT -o wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wlan3_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[8:416] -A zone_wlan3_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wlan3_rule
[8:416] -A zone_wlan3_forward -m comment --comment "!fw3: forwarding wlan3 -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wlan3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[4:208] -A zone_wlan3_forward -m comment --comment "!fw3" -j zone_wlan3_dest_REJECT
[10:758] -A zone_wlan3_input -m comment --comment "!fw3: user chain for input" -j input_wlan3_rule
[0:0] -A zone_wlan3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[10:758] -A zone_wlan3_input -m comment --comment "!fw3" -j zone_wlan3_src_ACCEPT
[0:0] -A zone_wlan3_output -m comment --comment "!fw3: user chain for output" -j output_wlan3_rule
[0:0] -A zone_wlan3_output -m comment --comment "!fw3" -j zone_wlan3_dest_ACCEPT
[10:758] -A zone_wlan3_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sat Nov 30 18:43:07 2019
root@OpenWrt:~#

Broseidon · November 30, 2019, 7:01pm

Perhaps you can redo your settings using this guide on how to setup a "Guest" network.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

Also from your rules I am also noticing that you have "Ipv4" Ip addresses on your firewall as source and destination. I am mentioning this because on recent Openwrt builds there is an error that breaks your firewall if you happened to create a rule Using Luci GUI and you want it to specifically target "IPv4" by setting your Source IPs and Destination IPs to IPv4. What happens is on the Advanced tab there is a setting that lets you choose between ipv4 and ipv6 or both. If you set "IPv4" sources and destination but did not explicitly set the Advanced tab to IPv4 only... the Luci GUI will attempt to add the same rules for IPv6 as well which will cause an error of some sort.

trendy · November 30, 2019, 7:13pm

I can see the rule now in line 194 chain zone_wlan1_forward, it jumps to zone_lan_dest_DROP but there are no hits there.

Slayes · December 1, 2019, 11:48am

Thanks all for you help
I reseted my router / redone the configuration and all is working fine now.

1 Lan
3 wlan (home / connected objects / guest)
5 firewall zones lan / wlan1 / wlan2 / wlan3 / wan
........wan
..........î î
.. lan <=> wlan1
wlan2 => wan
wlan3 => wan

1 wan : ADSL connection
1 wwan : mobil connection managed with Travelmate

Need now to search some informations about a captive portal for my guest wifi.

Thanks again

trendy · December 1, 2019, 2:28pm

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

grafik

Slayes · December 1, 2019, 2:43pm

I'm sorry, I don't found how to update the title

trendy · December 1, 2019, 2:47pm

No worries, the solution mark does the trick too. I guess they changed something in the forum, as it used to be possible.

system · December 11, 2019, 2:47pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.