LAN devices accessible from internet on IPv6

Hi all

So I have set up a Hurricane IPv6 tunnel and delegated a /64 subnet, part of the assigned /48 prefix, to the LAN.

The dangerous thing now is that I ran an IPv6 port scan online, and from the Internet it appears that my devices in the LAN are accessible on the server ports I run!

I only have the standard input and forward rules for ICMP, so why are the LAN devices exposed on the Internet?

Edit:

I have added a discard forward rule for the LAN and a discard input rule for the router, so now the ports are closed, BUT the LuCI 443 port still shows as open.

Make sure your firewall is on!!!

What tool are you using?

Put your interface in the proper firewall zone and this is done automatically. For example, simply place the henet interface in the WAN zone; and traffic is dropped via the forward rule.

I'm using
http://www.ipv6scanner.com/cgi-bin/main.py

Firewall is on, henet tunnel is on wan, but it was clear that traffic was allowed!

Now the situation is better, but for some reason the LuCI 443 port is still open.

  • Are you allowing that?
  • What is your firewall rule that permits access to LuCI? (please post)
    • maybe a zone needs to be specified in the rule

@lleachii

login as: root
root@192.168.182.1's password:
Access denied
root@192.168.182.1's password:


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07-SNAPSHOT, r10779+142-d2d12346e8
 -----------------------------------------------------
root@MenionRouter:~# uci export network; uci export firewall;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb5:24dd:030d::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.182.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option ifname 'eth0.2'
        option type 'bridge'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.3'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'vpn1'
        option ifname 'tun1'
        option proto 'none'
        option auto '1'

config route
        option interface 'lan'
        option target '10.10.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.11.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.12.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.13.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.14.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config route
        option interface 'lan'
        option target '10.15.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config interface 'wanh'
        option proto '6in4'
        option username 'xxxxxx'
        option password 'xxxxxx'
        option peeraddr '216.66.80.30'
        option ip6addr '2001:qqqq:yyyy:2d0::2/64'
        list ip6prefix '2001:qqqq:pppp::/48'
        option tunnelid '584073'

config route
        option interface 'lan'
        option target '192.168.183.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.135'

config route
        option interface 'lan'
        option target '192.168.56.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config interface 'VPN_USA'
        option proto 'none'
        option ifname 'tun2'

config interface 'LAN_VPN_USA'
        option proto 'static'
        option ifname 'eth0.10'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 4.4.4.4'
        option metric '10'
        option ipaddr '192.168.180.1'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wanh'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option name 'Allow DHCPv6 Relay'
        option family 'ipv6'
        option src_port '547'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '10001'
        option dest_ip '192.168.182.18'
        option dest_port '10001'
        option name 'Allarme'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1028'
        option dest_port '1028'
        option name 'Webcam Cameretta'
        option dest_ip '192.168.182.216'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1030'
        option dest_port '1030'
        option name 'Webcam Taverna'
        option dest_ip '192.168.182.239'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1027'
        option dest_ip '192.168.182.22'
        option dest_port '1027'
        option name 'Webcam Camera'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5144'
        option dest_ip '192.168.182.192'
        option dest_port '5144'
        option name 'aMule TCP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '5134'
        option dest_ip '192.168.182.192'
        option dest_port '5134'
        option name 'aMule UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6881'
        option dest_ip '192.168.182.192'
        option dest_port '6881'
        option name 'Torrent first'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6882'
        option dest_ip '192.168.182.192'
        option dest_port '6882'
        option name 'Torrent second'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1032'
        option dest_ip '192.168.182.25'
        option name 'WebCam Sala 720p'
        option dest_port '1032'
        option enabled '0'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn0 vpn1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option name 'OpenVPN TCP'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '8094'

config rule
        option name 'Allow-OpenVPN-UDP-InBound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1195'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.182.1'
        option dest_port '1195'
        option name 'OpenVPN UDP'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'vpn'
        option src 'wan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5201'
        option dest_ip '192.168.182.1'
        option dest_port '5201'
        option name 'Iperf3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6981'
        option dest_ip '192.168.182.192'
        option dest_port '6981'
        option name 'qBitTorrent'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1029'
        option dest_ip '192.168.182.23'
        option dest_port '1029'
        option name 'Webcam Cucina'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option name 'OpenVPN backup TCP'
        option src_dport '8194'
        option dest_port '8194'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8195'
        option dest_ip '192.168.182.192'
        option dest_port '8195'
        option name 'OpenVPN backup UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.10'
        option dest_port '8294'
        option name 'OpenVPN TCP P0'
        option src_dport '8294'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8295'
        option dest_ip '192.168.182.10'
        option dest_port '8295'
        option name 'OpenVPN UDP P0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8394'
        option dest_ip '192.168.182.11'
        option dest_port '8394'
        option name 'OpenVPN TCP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8395'
        option dest_ip '192.168.182.11'
        option dest_port '8395'
        option name 'OpenVPN UDP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '34567'
        option dest_ip '192.168.182.26'
        option dest_port '34567'
        option name 'Webcam cucina2'
        option enabled '0'

config rule
        option src 'lan'
        option name 'Drop IPv6 flooding UPnP'
        option target 'DROP'
        option family 'ipv6'
        option proto 'udp'
        option dest_port '1900'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.182.21'
        option name 'Webcam Camera2'
        option src_dport '1040'
        option dest_port '1040'
        option enabled '0'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option dest_port '4200'
        option name 'Shellinabox'
        option src_dport '443'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '9999'
        option name 'squid'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '88'
        option dest_ip '192.168.182.168'
        option dest_port '88'
        option name 'Xbox 1'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '500'
        option dest_ip '192.168.182.168'
        option dest_port '500'
        option name 'Xbox 2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '3544'
        option dest_ip '192.168.182.168'
        option dest_port '3544'
        option name 'Xbox 3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '4500'
        option dest_ip '192.168.182.168'
        option dest_port '4500'
        option name 'Xbox 4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_ip '192.168.182.168'
        option dest_port '53'
        option name 'Xbox 5'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.182.168'
        option dest_port '80'
        option name 'Xbox 6'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '50182'
        option dest_ip '192.168.182.168'
        option dest_port '50182'
        option name 'Xbox 7'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '50182'
        option name 'Xbox One'
        option family 'ipv6'
        option dest 'lan'
        option enabled '0'

config rule
        option proto 'tcp udp'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:B3:85'
        option target 'DROP'
        option name 'IPCAM Cucina no Internet'
        option dest 'wan'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Sala no Internet'
        option src 'lan'
        option src_mac '48:02:2A:0B:E1:16'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Taverna no Internet'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:EC:F4'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Letto no Internet'
        option src 'lan'
        option src_mac 'E0:B9:4D:D4:A3:B5'
        option dest 'wan'
        option target 'DROP'

config rule
        option src 'wan'
        option proto 'udp'
        option name 'Block 3074'
        option dest 'lan'
        option target 'REJECT'
        option enabled '0'

config zone
        option output 'ACCEPT'
        option network 'VPN_USA'
        option name 'vpn_usa'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan_vpn_usa'
        option network 'LAN_VPN_USA'
        option forward 'ACCEPT'

config forwarding
        option dest 'vpn_usa'
        option src 'lan_vpn_usa'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'STUN'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '5349'
        option enabled '0'

config forwarding
        option src 'vpn_usa'
        option dest 'lan_vpn_usa'

config rule
        option name 'Ipv6 drop'
        option family 'ipv6'
        option proto 'tcp udp'
        option src 'wan'
        option dest 'lan'
        option target 'DROP'

config rule
        option name 'Ipv6 drop on router'
        option family 'ipv6'
        option proto 'tcp udp'
        option src 'wan'
        option target 'DROP'

config rule
        option name 'IPv6 drop 443 ou router'
        option proto 'tcp udp'
        option src 'wan'
        option dest_port '443'
        option target 'REJECT'
        option family 'ipv6'

root@MenionRouter:~#

root@MenionRouter:/etc/config# fw3 reload
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'IPCAM Cucina no Internet'
   * Rule 'IPCAM Sala no Internet'
   * Rule 'IPCAM Taverna no Internet'
   * Rule 'IPCAM Letto no Internet'
   * Redirect 'Allarme'
   * Redirect 'aMule TCP'
   * Redirect 'aMule UDP'
   * Redirect 'Torrent first'
   * Redirect 'Torrent second'
   * Redirect 'OpenVPN TCP'
   * Redirect 'OpenVPN UDP'
   * Redirect 'qBitTorrent'
   * Redirect 'OpenVPN backup TCP'
   * Redirect 'OpenVPN backup UDP'
   * Redirect 'OpenVPN TCP P0'
   * Redirect 'OpenVPN UDP P0'
   * Redirect 'OpenVPN TCP P1'
   * Redirect 'OpenVPN UDP P1'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'lan' -> 'vpn'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_vpn_usa' -> 'vpn_usa'
   * Forward 'vpn_usa' -> 'lan_vpn_usa'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv4 nat table
   * Redirect 'Allarme'
   * Redirect 'aMule TCP'
   * Redirect 'aMule UDP'
   * Redirect 'Torrent first'
   * Redirect 'Torrent second'
   * Redirect 'OpenVPN TCP'
   * Redirect 'OpenVPN UDP'
   * Redirect 'qBitTorrent'
   * Redirect 'OpenVPN backup TCP'
   * Redirect 'OpenVPN backup UDP'
   * Redirect 'OpenVPN TCP P0'
   * Redirect 'OpenVPN UDP P0'
   * Redirect 'OpenVPN TCP P1'
   * Redirect 'OpenVPN UDP P1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow DHCPv6 Relay'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'IPCAM Cucina no Internet'
   * Rule 'IPCAM Sala no Internet'
   * Rule 'IPCAM Taverna no Internet'
   * Rule 'IPCAM Letto no Internet'
   * Rule 'Ipv6 drop'
   * Rule 'Ipv6 drop on router'
   * Rule 'IPv6 drop 443 ou router'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'lan' -> 'vpn'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_vpn_usa' -> 'vpn_usa'
   * Forward 'vpn_usa' -> 'lan_vpn_usa'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/miniupnpd/firewall.include'

Ah ok, sorry, it was the OpenVPN port I use for the TCP VPN that was open for IPv4 and IPv6, not LuCI.
But the question remains: how come the firewall allowed IPv6 inbound connections? They should be rejected by default with the rule:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wanh'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

Fix this ASAP!

config rule
        option name 'IPv6 drop 443 ou router'
        option proto 'tcp udp'
        option src 'wan'
        option dest_port '443'
        option target 'REJECT'
        option family 'ipv6'

This would have needed to be before the bad allow rule to have any blocking effect.

You have a lot of rules that use 443, which is quite confusing; and some appear to conflict (i.e. the Allow-OpenVPN-Inbound, Shellinabox and squid rules have the same WAN port)!


The OpenVPN port 443 shall be open because it is my OpenVPN server.

Shellinabox and squid I have to remove; as you can see, they are disabled.

So, is it normal that with the default wan-lan firewall rules the IPv6 inbound traffic is actually unprotected?

No. I tested. Mine is blocked. I used Wireshark to verify the packets didn't reach the client. I also see drops moved from Forward to zone_wan_forward, then to zone_wan_dest_DROP in the IPv6 firewall.

  • Can you show the results of this test that shows the firewall is open?
  • Also, what version of OpenWrt are you using?

I run 19.07.02

This is what happens if I remove the IPv6 block rules, with a port scan of my LAN server:

With the rules on:

Port scanners can be hit or miss, depending on how they actually perform the test (especially if it's a website-based test; sometimes it is actually operating locally on the device you use to run the test, rather than from their servers). Your best bet is to only run a port scan from a device that is not connected to your network (cellular or a remote location).

If you are in doubt, I'd recommend taking a backup of your configuration and simply resetting to defaults. Do not restore your backup, as any configuration issues will just be restored along with the rest of the settings. You will need to re-install any additional packages you might have added, and you'll need to go through basic configuration again. But don't touch the firewall, at least initially. Then run your port scan test again. You should see that the default firewall will block all incoming connections. At this point, add back any firewall rules that you specifically need (such as opening a port for a VPN server or similar), but there shouldn't be that many rules that you need to add or modify -- most of the default rules are set up correctly for most users/environments. You can copy certain configuration files over manually rather than restoring with the automatic process (things like the openvpn config file and certs and such would be copied over via scp).

EDIT: better yet, immediately after you reset the router and set up just the very basics of your network config (like the SSID/password for wifi, network address, etc.), don't install any packages...don't restore any settings. Perform the port scan in this near-default state. Then, as you add packages and make other adjustments, keep testing. If you suddenly see a whole bunch of IPv6 stuff going through, you can identify the steps in the process that may have caused the firewall to open up like that.


@lleachii

Is it possible that this rule:

config forwarding
        option dest 'lan'
        option src 'wan'

is causing the problem because it does not work in a "pair" with:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wanh'

That forwarding rule may be the whole problem. You are literally allowing stuff from the wan to reach your lan unfiltered.


But this is the default rule shipped with OpenWrt!

And the wan zone config says that forwarding from the zone is rejected:

config forwarding
        option dest 'lan'
        option src 'wan'

WHOA!!!!

REMOVE THIS!!!

This is the problem. There should be no reason to do this - and it exposes your device!!!

NO, IT'S NOT!!!

This is:

config forwarding
        option dest 'wan'
        option src 'lan'

The default rule has source lan and dest wan. Not what you have.


Not when you made a bad default allow forwarding rule that's processed first!!!


So actually the correct configuration is this one:

Before I had:

I thought that the forward reject by default rejected the traffic, but apparently it does not.
I removed the forward rule and also the IPv6 rules, and the ports now show as blocked (strange that they show as closed and not filtered).
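A small audit script for a saved "uci export firewall" dump, added here as an example; it is not from the thread or from OpenWrt. It flags the two misconfigurations identified above (a forwarding from wan into lan, and an ACCEPT rule with src '*' and no family, which matches IPv6 as well as IPv4) plus any DROP/REJECT rule from wan that sits after such an ACCEPT. The rule names and the dump below are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (example code, not the thread's or OpenWrt's own).
# Scans a saved "uci export firewall" dump for:
#   1. config forwarding with src wan: a per-pair allow that overrides the
#      wan zone's "option forward REJECT". IPv4 masquerading hides LAN hosts
#      anyway; over IPv6 every LAN host has a global address and is reached.
#   2. config rule ACCEPT with src wan or *, and no family: matches both
#      IPv4 and IPv6 (the Allow-OpenVPN-Inbound case above).
#   3. DROP/REJECT from wan placed after such an ACCEPT: fw3 installs rules
#      in config order, so it only sees what the ACCEPT did not match.
# Needs only sh and awk (BusyBox awk on the router is enough).

# Constructed dump in the shape of the thread's config (not the real export).
SAMPLE_EXPORT=$(cat <<'EOF'
config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'IPv6 drop 443 on router'
        option proto 'tcp udp'
        option src 'wan'
        option dest_port '443'
        option target 'REJECT'
        option family 'ipv6'
EOF
)

# The default OpenWrt shape: only lan may be forwarded to wan.
CLEAN_EXPORT=$(cat <<'EOF'
config forwarding
        option src 'lan'
        option dest 'wan'
EOF
)

# audit_export <dump>: print one finding per line (prints nothing when clean).
audit_export() {
  printf '%s\n' "$1" | awk -v q="'" '
    function flush() {
      if (type == "forwarding" && o["src"] == "wan")
        print "FORWARDING wan -> " o["dest"] ": overrides zone forward REJECT for IPv4 and IPv6"
      if (type == "rule" && o["target"] == "ACCEPT" &&
          (o["src"] == "wan" || o["src"] == "*") && o["family"] == "") {
        print "RULE " o["name"] ": ACCEPT from " o["src"] " without family, matches IPv6 too"
        if (first_accept == "") first_accept = o["name"]
      }
      if (type == "rule" && (o["target"] == "DROP" || o["target"] == "REJECT") &&
          o["src"] == "wan" && first_accept != "")
        print "RULE " o["name"] ": after ACCEPT rule " first_accept ", only sees traffic it did not accept"
      type = ""; split("", o)
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" {
      # keep everything after the key (values may contain spaces), drop quotes
      v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v); o[$2] = v
    }
    END { flush() }'
}

# count_findings <dump>: number of findings, handy for scripts and tests.
count_findings() {
  audit_export "$1" | wc -l | tr -d ' '
}

audit_export "$SAMPLE_EXPORT"
```

On the router, feed it the live export: uci export firewall > /tmp/fw.txt, then audit_export "$(cat /tmp/fw.txt)". A REJECT answers the scanner while a DROP stays silent, which is why the ports report as closed rather than filtered once the wan-to-lan forwarding is gone.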