I can't block port 3141 with traffic rule

The story is as follows: company employees have access to a mobile application that connects to our network through port 3042. I want to limit this access to the company's office hours, for example from 7:00 am to 5:00 pm. Port 3042 is already open in the port forwarding option and now I just wanted to create a rule to block this port at specific times. The problem is that I create the rule but it doesn't work; it just doesn't block traffic at the time I declare.

If your allow rule is earlier in the list, above the block rule, the block rule will never be evaluated. It should be a single rule with time restrictions.

2 Likes

That's a known issue.
Read carefully about the prerequisites:
Time restriction of internet access

1 Like

I've already put the rule as a whole above the others, and it still doesn't work. I did a test and realized that when I set the source port, in this case 3141, the rule doesn't work. But if I leave it without a source port and define only a destination port, the rule works. Here is the rule as I had defined it from the beginning.

I used rules like that to manage home traffic, so hopefully it can be made to work.

I used direct entries to /etc/config/firewall.user rather than the GUI. IIRC I needed to use the --contiguous and --kerneltz flags: https://ipset.netfilter.org/iptables-extensions.man.html

I'm not sure how port forwarding and firewalling layer. Does the packet have the src and dest ports you've specified when it hits the firewall?

Source port should remain unset. Client devices (your users out on the Internet) choose a random source port as they initiate the connection. So in a situation like this there should be no filtering based on source port.

4 Likes
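The point made in the answer above (a client's source port is ephemeral, so a rule keyed on source port 3141 never matches, while the same rule keyed on destination port does) and the earlier remark about rule ordering can both be shown with a small first-match firewall model. This is an added example, not code from the thread or from OpenWrt; the rule evaluation, the `Packet`/`Rule` types and the sample addresses are constructed for illustration, and the client source port is drawn from the IANA ephemeral range 49152-65535.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                    # "ACCEPT" or "REJECT"
    proto: Optional[str] = None
    src_port: Optional[int] = None  # None means "any", like an empty LuCI field
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field that was specified agrees."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> Tuple[str, str]:
    """First rule whose conditions all match wins; later rules are not consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "policy", default


def client_connection(dst_port: int, rng: random.Random) -> Packet:
    # Constructed sample: an Internet client (203.0.113.10) opening a new connection
    # to the router's WAN address (198.51.100.1). The client picks its own source port
    # from the ephemeral range; the server-side port is the only predictable one.
    return Packet("tcp", "203.0.113.10", rng.randrange(49152, 65536), "198.51.100.1", dst_port)


def compare_rules(trials: int = 1000, seed: int = 1) -> Tuple[int, int]:
    """Count how many of `trials` new connections to port 3141 each rule blocks.

    Returns (blocked by the source-port rule, blocked by the destination-port rule).
    """
    rng = random.Random(seed)
    keyed_on_source = [Rule("block-src", "REJECT", "tcp", src_port=3141)]
    keyed_on_dest = [Rule("block-dst", "REJECT", "tcp", dst_port=3141)]
    blocked_src = sum(
        first_match(keyed_on_source, client_connection(3141, rng))[1] == "REJECT"
        for _ in range(trials)
    )
    blocked_dst = sum(
        first_match(keyed_on_dest, client_connection(3141, rng))[1] == "REJECT"
        for _ in range(trials)
    )
    return blocked_src, blocked_dst


def ordering_demo() -> Tuple[str, str]:
    """Same two rules, two orders: whichever matching rule is listed first decides."""
    pkt = client_connection(3141, random.Random(2))
    allow = Rule("allow-app", "ACCEPT", "tcp", dst_port=3141)
    block = Rule("block-app", "REJECT", "tcp", dst_port=3141)
    allow_first = first_match([allow, block], pkt)[0]
    block_first = first_match([block, allow], pkt)[0]
    return allow_first, block_first


if __name__ == "__main__":
    print("blocked (src_port=3141, dst_port=3141):", compare_rules())
    print("winning rule (allow above block, block above allow):", ordering_demo())
```

The source-port rule blocks none of the connections because no client ever sends from port 3141; the destination-port rule blocks all of them. The ordering check shows why the thread's advice to move the block rule above the allow (or DNAT) rule matters: once a rule matches, nothing below it is evaluated.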

This doesn't make sense to me, as I had to do port forwarding so that external clients would see this port. How is the port they define random??
Here's the port forwarding I made for external clients.

Specify both external and internal ports, but not the source.
The client source port is almost always random.
https://en.wikipedia.org/wiki/Ephemeral_port

2 Likes

Could you give an example of what my rule would look like, because I didn't understand. I'm supposed to define the external and internal port, but not the source; how do I do that????

But port forwarding is already like that. How does this solve the problem of the traffic rule that doesn't work?

The traffic rule you had posted earlier in the thread had the ports set up wrong. The traffic you're trying to block is being sent by the mobile app to port 3141, so that's the port you need to have in the destination port. The mobile app will (most likely) pick a random port to send the traffic from so you just leave the source port blank.

In this way?

I tested it here and it still doesn't block access to the app.

Try changing the destination zone to Any zone or lan

1 Like

In this way?

Still not blocking.

The block rule needs to be higher in the list than the DNAT port forward rule. Whether that is actually the case is an interesting question because LuCI does not present them in the same list. The packet will be dispatched according to the first rule listed that matches all conditions specified. Rules after that are not considered.

Also LuCI does not offer an interface to put time restrictions on a forward rule, which would be the most direct way to do this. I don't know if time restrictions would work if you edit the firewall config file directly.

@LeandroCorrea, change the destination port to match the internal port.

@mk24, the rule order for DNAT is correct by default.
Only the RELATED/ESTABLISHED need to be fixed as mentioned above.

In this way?

  • Clear the source port.
  • Specify the destination port to match the internal port.

There is a peculiarity in this: in the port forwarding rule, the external port is 3141 and the internal port is 80. Following what you said, I have to clear the source port and put a destination port of 80, is that it? Won't that block all traffic to port 80?

https://forum.openwrt.org/uploads/default/original/3X/2/e/2e1414158cac6d3ac61ddf815adec439556b611b.jpeg

1 Like

Finally I arrived at the solution to the problem. Through the collaboration of a forum participant in another post I made, I found a way to solve the problem. Armed with this documentation, https://openwrt.org/docs/guide-user/firewall/firewall_configuration, I changed the /etc/config/firewall file regarding port forwarding.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        # external (WAN-facing) port the app connects to; no src_port: clients use ephemeral ports
        option src_dport '3141'
        # the forward itself only exists inside this window; outside it there is nothing to match
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '07:00:00'
        option stop_time '17:30:00'
        # internal host and port the traffic is rewritten to
        option dest_ip '192.168.1.20'
        option dest_port '80'
        option name 'Nova_appAprov'
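To check a redirect section like the one above before loading it, it helps to parse the UCI text and evaluate the time window for a given router-local timestamp. The following is an added example, not code from the thread or from OpenWrt's firewall: the parser handles only the `config`/`option`/`list` lines that appear here, the window is modelled as inclusive of `start_time` and `stop_time`, and, as the OpenWrt firewall documentation describes for `utc_time` unset, times are taken as the router's local time. It also reflects the caveat raised earlier in the thread: the window decides whether new connections are forwarded, while connections already established before `stop_time` are a RELATED/ESTABLISHED matter and are not cut by this rule.

```python
import shlex
from datetime import datetime, time
from typing import Dict, List

# Constructed sample: the redirect section posted above, verbatim in UCI syntax.
SAMPLE_UCI = """
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '3141'
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '07:00:00'
        option stop_time '17:30:00'
        option dest_ip '192.168.1.20'
        option dest_port '80'
        option name 'Nova_appAprov'
"""

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def parse_uci(text: str) -> List[Dict[str, object]]:
    """Minimal UCI parser: returns one dict per `config` section.

    Each dict carries the section type under ".type", the optional section name
    under ".name", plain `option` values as strings and `list` values as lists.
    """
    sections: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the single quotes around values
        keyword = words[0]
        if keyword == "config":
            section: Dict[str, object] = {".type": words[1]}
            if len(words) > 2:
                section[".name"] = words[2]
            sections.append(section)
        elif keyword == "option" and sections:
            sections[-1][words[1]] = words[2]
        elif keyword == "list" and sections:
            sections[-1].setdefault(words[1], []).append(words[2])  # type: ignore[union-attr]
    return sections


def redirect_active(section: Dict[str, object], when: datetime) -> bool:
    """True if the DNAT redirect applies to a new connection arriving at `when`.

    Missing weekdays/start_time/stop_time mean "no restriction", matching a plain
    always-on port forward.
    """
    weekdays = section.get("weekdays")
    if weekdays and WEEKDAY_NAMES[when.weekday()] not in str(weekdays).split():
        return False
    start = section.get("start_time")
    stop = section.get("stop_time")
    if start and when.time() < time.fromisoformat(str(start)):
        return False
    if stop and when.time() > time.fromisoformat(str(stop)):
        return False
    return True


def load_sample_redirect() -> Dict[str, object]:
    """Pick the first `redirect` section out of the constructed sample."""
    return next(s for s in parse_uci(SAMPLE_UCI) if s[".type"] == "redirect")


def check_window(when: datetime) -> bool:
    """Convenience wrapper: is the posted forward active at this router-local time?"""
    return redirect_active(load_sample_redirect(), when)


if __name__ == "__main__":
    section = load_sample_redirect()
    print("ports:", section["src_dport"], "->", section["dest_ip"], section["dest_port"])
    for probe in (datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 18, 0), datetime(2024, 1, 13, 9, 0)):
        print(probe, "forward active:", check_window(probe))
```

Running it shows the forward active on a Wednesday at 09:00, inactive at 18:00 the same day, and inactive on Saturday morning, which is the behaviour the poster was after. The external port and the internal host/port are read straight from the section, so the check also makes it obvious that no source port is involved anywhere in the rule.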