IPv6/v4 Firewall Traffic Rules

I have a mixed ipv4/ipv6 network and am trying to set up a 'Firewall - Traffic Rule' for 3 MAC addresses and was unsuccessful getting it to work for the MAC addresses. I tried on the 'Advanced Settings' to put the MAC addresses of the 4 devices and was unable to get it to work. I ended up putting all the various IPv4 and IPv6 addresses in the 'Source Address' bar and can get the rule to work. It is a 'Kids Rule' to deny internet from evening till morning for 4 MAC addresses.

Also, when I make a change to any firewall rule, access to the internet is shut down and I need to reboot the router to get any routing to work again. Is this normal?

I am running hnyman's latest 19.07 on an R7800.

@vgaetera Thanks for the response, but I do not get the gist.
That is basically what I did. Added a firewall rule for 'kids weekday' and 'kids weekend' with their MAC addresses and rebooted the router. Are you saying that there needs to be an order to the rules to have the time restrictions work? With the IP address rule I made, it is listed last on the UI and that does seem to work. (Kids gripe when the internet goes down at night...) I can try it again with the MAC address and see if it works, but I spent a while on this last weekend and was unable to get it to work with the MAC. Only with IP addresses.

The clip of the UI is not current on the link. The mac address portions are on the 'Advanced Settings' tab. I put in the MAC address in there and rebooted the router and it did not shut down the route to the internet from that device.

Yes, but it's problematic to reorder the rules for established connections with just the web interface.

No it is not normal.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

@trendy This may take a while....
@vgaetera So, when I run the script on that page to re-order the rules, there are some errors and when I reboot the router, the 2 traffic rules are still at the bottom of the UI page:

root@OpenWrt:~# cat << "EOF" >> /etc/sysupgrade.conf
> /etc/firewall.estab
> EOF
root@OpenWrt:~# uci -q delete firewall.estab
root@OpenWrt:~# uci set firewall.estab="include"
root@OpenWrt:~# uci set firewall.estab.path="/etc/firewall.estab"
root@OpenWrt:~# uci set firewall.estab.reload="1"
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Section @rule[12] (Kids Weekday MAC) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[13] (Kids Weekend MAC) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[0] (MineOS) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] (Plex) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[2] (Garage) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[3] (MineOS_Mgmt) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[4] (WireGuard) does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
  * Rule 'ubus:igmpproxy[instance1] rule 0'
  * Rule 'ubus:igmpproxy[instance1] rule 1'
  * Rule 'ubus:igmpproxy[instance1] rule 2'
  * Rule 'ubus:igmpproxy[instance1] rule 3'
  * Rule 'Allow-DHCP-Renew'
  * Rule 'Allow-Ping'
  * Rule 'Allow-IGMP'
  * Rule 'Allow-IPSec-ESP'
  * Rule 'Allow-ISAKMP'
  * Rule 'Allow-OpenVPN'
  * Rule 'Kids Weekday MAC'
  * Rule 'Kids Weekend MAC'
  * Redirect 'MineOS'
  * Redirect 'Plex'
  * Redirect 'Garage'
  * Redirect 'MineOS_Mgmt'
  * Redirect 'WireGuard'
  * Forward 'lan' -> 'wan'
  * Zone 'lan'
  * Zone 'wan'
* Populating IPv4 nat table
  * Redirect 'MineOS'
  * Redirect 'Plex'
  * Redirect 'Garage'
  * Redirect 'MineOS_Mgmt'
  * Redirect 'WireGuard'
  * Zone 'lan'
  * Zone 'wan'
* Populating IPv4 mangle table
  * Zone 'lan'
  * Zone 'wan'
* Populating IPv4 raw table
  * Zone 'lan'
    - Using automatic conntrack helper attachment
  * Zone 'wan'
* Populating IPv6 filter table
  * Rule 'Allow-DHCPv6'
  * Rule 'Allow-MLD'
  * Rule 'Allow-ICMPv6-Input'
  * Rule 'Allow-ICMPv6-Forward'
  * Rule 'Allow-IPSec-ESP'
  * Rule 'Allow-ISAKMP'
  * Rule 'Allow-OpenVPN'
  * Rule 'Kids Weekday MAC'
  * Rule 'Kids Weekend MAC'
  * Forward 'lan' -> 'wan'
  * Zone 'lan'
  * Zone 'wan'
* Populating IPv6 mangle table
  * Zone 'lan'
  * Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/usr/lib/bcp38/run.sh'
  ! Skipping due to path error: No such file or directory
* Running script '/usr/share/miniupnpd/firewall.include'
* Running script '/etc/firewall.estab'
sed: unsupported command [
sed: unsupported command [

Let's troubleshoot:

sha256sum /etc/firewall.estab; sh -x -v /etc/firewall.estab
root@OpenWrt:~# sha256sum /etc/firewall.estab; sh -x -v /etc/firewall.estab
8f4c803064c74e3beca8285192da609ecc8f6abb58405332c60481a3426ac91e  /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED/p")" \
| ${IPT}-restore -c -T filter
done
+ iptables-save -c -t filter
+ iptables-save -c -t filter
+ iptables-restore -c -T filter
+ sed -n -e '/FORWARD.*ESTABLISHED/p'
+ sed -e '/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i [19231:2531944] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[19231:2531944] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT'
sed: unsupported command [
+ ip6tables-save -c -t filter
+ ip6tables-save -c -t filter
+ ip6tables-restore -c -T filter
+ sed -n -e '/FORWARD.*ESTABLISHED/p'
+ sed -e '/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i [13628:2896483] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[13628:2896483] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT'
sed: unsupported command [


I've updated the code in the wiki to fix your error.


The script now runs without error. Will see tonight if I understood well enough for it to turn off the internet for the kids...

Thanks for the help.


Well, the internet did not turn off for those MAC addresses last night. I must be doing something wrong.
The steps I took:
In the UI: Network -> Firewall -> Traffic Rules added a new rule 'Kids Weekday'
General Settings: Protocols: TCP,UDP; Source Zone: wan,wan6; Destination Zone: lan; Action: Reject
Advanced Settings: 'Put in the MAC addresses'
Time Restrictions: Sunday-Thursday; Start Time: 22:30:00; Stop Time: 07:00:00
then I hit save
then from the CLI, I copied and pasted this:

# Reorder firewall rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ${IPT}-restore -c -T filter
done
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart

and this resulted:

Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[10] (Kids Weekend ) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[11] (Kid Weekday) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] (WireGuard) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[2] (MineOS) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[3] (Plex) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[4] (Garage) does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[5] (MineOS_Mgmt) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...

It did not finish, but did last night as I am remote and connected via VPN. I can run this again tonight, but it finished yesterday and did not have anything that looked strange.
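The reordering that the /etc/firewall.estab script above performs, shown here as an added example that is not from the thread or the OpenWrt wiki: it uses awk in place of the wiki's sed so it runs on a constructed (not captured) iptables-save excerpt without iptables present, and adds a check you can run against the live `iptables-save -c -t filter` output after a firewall reload. The chain and rule names follow fw3's layout; the MAC and counters are made up.

```shell
#!/bin/sh
# Constructed excerpt of `iptables-save -c -t filter` in the layout fw3 on
# OpenWrt 19.07 produces: the RELATED,ESTABLISHED accept sits at the top of
# FORWARD, so a flow opened before 22:30 is never seen by a time-restricted
# REJECT rule that lives in zone_lan_forward.
SAMPLE_DUMP='*filter
:FORWARD DROP [0:0]
:zone_lan_forward - [0:0]
[100:20000] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[100:20000] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:400] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_forward -m mac --mac-source 02:00:00:00:00:01 -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
COMMIT'

# Same reorder as /etc/firewall.estab, done with awk so it works on any saved
# dump: take the FORWARD accept-established rule out of its place and re-emit
# it just before the final FORWARD reject. The first version of the sed script
# failed because both the FLOWOFFLOAD and the ACCEPT line matched, so the
# one-line `i` text gained a second line starting with "[", which sed then
# parsed as a command ("sed: unsupported command ["). The wiki fix narrowed the
# pattern with ".*ACCEPT" so only one line is inserted.
reorder_established() {
  awk '
    /-A FORWARD .*ESTABLISHED.*-j ACCEPT/ { held = held $0 "\n"; next }
    /-A FORWARD .*-j reject/              { printf "%s", held; held = "" }
    { print }
    END { printf "%s", held }   # never silently drop the rule if no reject exists
  '
}

# Check: succeeds only when the accept-established rule is below every zone
# forward jump in FORWARD, i.e. the user rules are evaluated first.
established_after_zone_forwards() {
  awk '
    /-A FORWARD .*ESTABLISHED.*-j ACCEPT/ { est = NR }
    /-A FORWARD .*-j zone_.*_forward/     { if (NR > fwd) fwd = NR }
    END { exit !(est && fwd && est > fwd) }
  '
}

# Demonstration on the constructed dump: the check fails before the reorder
# and passes after it.
printf '%s\n' "$SAMPLE_DUMP" | established_after_zone_forwards \
  && echo "before: user rules evaluate first" || echo "before: established accept precedes user rules"
printf '%s\n' "$SAMPLE_DUMP" | reorder_established | established_after_zone_forwards \
  && echo "after: user rules evaluate first" || echo "after: reorder failed"
```

On the router the live equivalent is `iptables-save -c -t filter | established_after_zone_forwards` (and the same with ip6tables-save), which tells you whether the include actually ran on the last reload.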

Use source zone lan and destination zone wan.


@trendy Will try it.
Do I need to run that re-order script every time I turn the rule on or off?

Also, could this script be run from the UI when 'save and apply' is clicked? If there are no time based rules, it still works, doesn't it?

No, it should be invoked automatically upon the firewall service start/restart/reload.

It is supposed to be the same as firewall reload.

Yep, it works unless you disable it specifically.


Ok, what am I doing wrong? It did not work, again, tonight. It is as if iptables cannot deal with MAC addresses. I can make the rule work if I put in all the ipv4 and ipv6 addresses, but with MAC it fails every time. Also when I use the IP addresses, I reverse the source and destination and it worked. It is just a pain to put in all the IP addresses. If that is what I have to do, I'll do it; but this just seems silly that iptables cannot block a MAC address.

This is the rule:

config rule
        option name 'Kid Weekday'
        list src_mac 'xx:xx:xx:xx:xx'
        ( then I list 4 more)
        option weekdays 'Sun Mon Tue Wed Thu'
        option start_time '22:30:00'
        option stop_time '07:00:00'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'

I am running local time on the router and the clock does show local time when I type 'date'

Tue Nov  3 22:47:19 CST 2020

The UI shows it as enabled and I ran that script. I must be doing something wrong.


I recommend checking your runtime configuration to make sure the rule is applied properly:

  • What does "fail" mean?
  • Does your kid's device use a rotating privacy MAC (most modern Androids do)?

@lleachii 'Fail' means the reject rule does not work to shut down the internet to these devices. Both kids' phones are Android, but the MAC stays consistent on both of them.
@vgaetera I can do this for tonight, but doesn't the 'save and apply' from the UI do this anyway?

A bit more detail. The list of devices I want to deny internet to is: 2 tower computers, 2 Android phones, a Smart TV and a Roku. I do have these devices in my 'Static Lease' list. Does having them in a Static Lease (ipv4) mess with iptables somehow?

No, and by the way we are still waiting for the output of the commands.


This link has a txt file with the output to those commands:
(deleted link)