Interfaces with device '@lan' have access to wan

even though they have their own firewall zone
Quite recently we solved setting up interfaces

and came to the conclusion that it is best to use device '@lan'

I am doing the same now for the tmp_old_lan interface, in an effort to move IoT devices from a previous network scheme over to the network scheme I am setting up now.

The problem is that setting up such an interface seems to immediately enable devices on that network segment to phone home.

uci export network; uci export firewall

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2b:1367:f843::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '10.1.0.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'virtualization'
	option proto 'static'
	option ipaddr '10.2.0.1'
	option netmask '255.255.0.0'
	option device '@lan'

config interface 'trusted'
	option proto 'static'
	option device 'eth0.40'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'

config interface 'guests'
	option proto 'static'
	option device 'eth0.50'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'

config interface 'iot'
	option proto 'static'
	option device 'eth0.60'
	option ipaddr '10.6.0.1'
	option netmask '255.255.0.0'

config interface 'peripherals'
	option proto 'static'
	option device 'eth0.70'

config interface 'tmp_old_lan'
	option proto 'static'
	option device '@lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'trusted'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'virtualization'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'virtualization'

config zone
	option name 'guests'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guests'

config rule
	option name 'Allow-DNS-DHCP-Guest'
	option src 'guests'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '53 67'

config forwarding
	option src 'guests'
	option dest 'wan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'peripherals'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'peripherals'

config zone
	option name 'tmp_old_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tmp_old_lan'

How can I force interfaces with device '@lan' to obey their own firewall zones, or did I configure the firewall zone incorrectly?

Aliases share the same firewall zone, you need to create a separate L2-interface instead:
https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#single_wan_port

Another way is to add one more NIC to the OpenWrt VM.
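The reply above can be checked mechanically. An interface whose device is '@lan' is an alias: it has no L2 device of its own and shares br-lan with 'lan', and firewall zones are resolved down to devices, so frames from 192.168.1.0/24 enter through br-lan and are classified into the zone that already claims br-lan (here 'lan', which forwards to wan) rather than into the 'tmp_old_lan' zone. The script below is an added example and not code from the thread or from OpenWrt; it lints a `uci export network; uci export firewall` dump for alias interfaces that sit in a different zone than the interface they alias, and prints the `uci` batch for the fix the reply describes, a real L2 device. It generalises slightly beyond the question: run against a trimmed, constructed copy of the quoted config it flags 'virtualization' as well, because it uses the same '@lan' pattern. VLAN id 80 and the device name 'eth0.80' are assumptions chosen to follow the eth0.40..eth0.70 pattern already in the config.

```shell
#!/bin/sh
# Added example, not part of the thread. Lints a UCI export for '@name'
# alias interfaces whose firewall zone differs from the aliased
# interface's zone, and prints the fix (a dedicated L2 device).

# Constructed sample, trimmed from the config quoted in the thread.
sample_export() {
cat <<'EOF'
package network

config interface 'lan'
	option device 'br-lan'
	option proto 'static'

config interface 'virtualization'
	option proto 'static'
	option device '@lan'

config interface 'iot'
	option proto 'static'
	option device 'eth0.60'

config interface 'tmp_old_lan'
	option proto 'static'
	option device '@lan'

package firewall

config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'virtualization'
	list network 'virtualization'

config zone
	option name 'iot'
	list network 'iot'

config zone
	option name 'tmp_old_lan'
	list network 'tmp_old_lan'
EOF
}

# Reads the output of "uci export network; uci export firewall" on stdin.
# Prints one line per alias interface placed in a zone other than the
# zone of the interface it aliases; prints nothing when the dump is clean.
lint_alias_zones() {
  awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    $1 == "package" { pkg = $2; sec = ""; name = "" }
    $1 == "config"  { sec = $2; name = unq($3) }
    # network: remember interfaces whose device is an "@alias"
    pkg == "network" && sec == "interface" && $1 == "option" && $2 == "device" {
      dev = unq($3)
      if (substr(dev, 1, 1) == "@") alias[name] = substr(dev, 2)
    }
    # firewall: map every network listed in a zone to that zone name
    pkg == "firewall" && sec == "zone" && $1 == "option" && $2 == "name" { zname = unq($3) }
    pkg == "firewall" && sec == "zone" && $1 == "list"   && $2 == "network" { zone[unq($3)] = zname }
    END {
      for (i in alias) {
        t = alias[i]
        if ((i in zone) && (t in zone) && zone[i] != zone[t])
          printf "%s: device @%s shares the L2 device of %s (zone %s) but is in zone %s\n",
                 i, t, t, zone[t], zone[i]
      }
    }'
}

# The fix from the reply: give tmp_old_lan its own L2 device. VLAN 80 /
# 'eth0.80' is an assumed value following the eth0.40..eth0.70 pattern.
fix_tmp_old_lan_batch() {
  printf '%s\n' "set network.tmp_old_lan.device='eth0.80'" "commit network"
}

# Applies the batch on the router (where uci exists); elsewhere just shows it.
apply_fix_tmp_old_lan() {
  if command -v uci >/dev/null 2>&1; then
    fix_tmp_old_lan_batch | uci batch \
      && /etc/init.d/network reload && /etc/init.d/firewall reload
  else
    fix_tmp_old_lan_batch
  fi
}
```

Run `(uci export network; uci export firewall) | lint_alias_zones` on the router; a clean dump prints nothing. After applying the fix, tag VLAN 80 on the switch port the old IoT devices sit on, re-run the lint, then check from a host on 192.168.1.0/24 that 192.168.1.1 answers while `ping openwrt.org` fails, and confirm with `fw3 print` or `fw4 print` (whichever your release ships) that the tmp_old_lan zone now matches a device other than br-lan.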

Thank you, vgaetera, for your response.

I must admit I got intimidated by the information in the link you provided. I also tried reading up on the OSI model in an effort to understand what an L2 interface could mean.

I am sorry to inform you that I am too much of a newcomer and as of yet have not understood how to set up a data link interface using OpenWrt.

Is there perhaps someone who can nudge me in the right direction?

I changed the interface device from '@lan' to eth0, and now I can both reach the IoT devices and not ping openwrt.org when connected to that interface.

This is exactly what I wanted to achieve.

Now what I do not understand is why earlier, in the thread linked in my initial post, I had to change the virtualization interface device from eth0 to '@lan' to be able to reach the hypervisors.

This is completely the opposite now and I am none the wiser. Is there some way to debug or dive deeper into the inner workings of OpenWrt? Other than getting the source code, of course :slight_smile:

I now have OpenWrt in a VM, ready to be reset to absolute zero if need be.

Meaning we can start from a completely empty OpenWrt and then take steps while taking snapshots, and roll back if need be. This way we can tame (l)uci, which can sometimes be temperamental.

Can you please help me out by covering what seem to be basic steps?