LAN DHCP not working when disabling Zone Forwards LAN->WAN

Hi,

this is a follow-up question to this thread:

By disabling the “Zone ⇒ Forwards” with reject in the LAN→WAN Input and Output, I could stop my computers in the LAN from getting connections to the WAN - everything works fine here - I defined only a few specific ports/servers in the WAN which are allowed.

But - it's a little bit annoying that with this setup the DHCP on the LAN is not working anymore - I have to configure my network interface on the computers in the LAN by hand. Is this meant to be like that? How can I get the DHCP server working again in my LAN area?

Thanks!

Accept the Input and Output again for LAN. Those drop-downs are not for the LAN to WAN forwarding, but for the entire LAN zone.

1 Like

Yea, you were only supposed to edit the LAN to WAN [zone] forwarding. Your description seems as if you edited the LAN zone input, output and [intra-zone] forward rules.

You mean like this?

When I do this my LAN still has normal connection to the WAN…

No.

  • Click edit
  • You will see a section "Allow forward to destination zones"
  • Remove WAN
  • Save and apply
1 Like

Hit the Edit button on the right and remove the forwarding to WAN.

1 Like

Now it looks like this - but my intention to disable the LAN to WAN connection is not functioning - my LAN still has full connection to WAN! I even rebooted the router…

1 Like

Post the /etc/config/firewall file. You must have rules that are too permissive.


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

The “Forward” setting near the top of the screenshot (accept) is allowing forwarding by default. It should usually be reject or drop.

1 Like

This is the dhcp config, not the firewall config.


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option flow_offloading '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'External-Webconfig-WAN'
	option src 'wan'
	option src_dport '1612'
	option dest_ip '192.168.2.1'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Internal-Webconfig-LAN'
	option family 'ipv4'
	option src 'lan'
	option src_dport '1612'
	option dest_ip '192.168.2.1'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Port22'
	option src 'wan'
	option src_dport '2222'
	option dest_ip '192.168.2.1'
	option dest_port '22'

It looks like you didn’t follow the advice in the previous thread to disable the forwarding AND create specific traffic rules for the traffic you want to allow from lan to wan (e.g. Samba).

I think you need to start over again.

No - this is a fresh test router - on the production system it works with my forwards… but without the DHCP - I don't want to play around on the production system - there are computers behind it which never got any Windows updates and they should never get any update!!!

Ok, then set the Default Forward (under General Settings) to reject or drop and test again.

1 Like

Change forward to Drop (or Reject).

@dave14305 also mentioned how to do so via the web GUI.

That's not a default configuration.

What build are you running? Please post:

ubus call system board
2 Likes

While it is best practice to have the default forward set to drop or reject, this is not strictly necessary here and is not the cause of the problem. The General Settings Input/Output/Forward rules apply only to networks that are not included in a zone. The wan and lan networks in this setup do appear to be assigned to the correct zones.

EDIT: See post 22 in this thread where @dave14305 points out what I then verified in post 23. My assertion here was incorrect, thus the strikethrough.

Let's actually take a look at your entire config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I’m not sure I agree with you yet. The default forward policy will determine the policy of the main forward chain, and without any lan forwards defined, the forward_lan chain will not stop lan to wan traffic. That traffic will return to the forward chain where the policy is accept.

1 Like
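The chain walk described in this post, as an added example that is not from the thread or from OpenWrt's own code: a small Python model of how fw4 resolves a forwarded packet from /etc/config/firewall, looking only at zone, forwarding and defaults sections (traffic rules and redirects are ignored, and the sample config is a constructed excerpt of the one posted above).

```python
import shlex

# Constructed excerpt mirroring the posted config: lan forwards to no zone,
# yet 'config defaults' still has forward ACCEPT.
SAMPLE = """
config defaults
	option forward 'ACCEPT'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
	option forward 'REJECT'
"""

def parse_uci(text):
    """Parse UCI text into dicts holding '.type' plus option/list values."""
    sections = []
    for parts in (shlex.split(line) for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({".type": parts[1]})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def forward_policy(sections, src, dest):
    """Verdict fw4 reaches for traffic forwarded from zone src to zone dest."""
    zones = {s["name"]: s for s in sections if s[".type"] == "zone"}
    defaults = next(s for s in sections if s[".type"] == "defaults")
    # 1. an explicit 'config forwarding' section accepts inside forward_<src>
    if any(s[".type"] == "forwarding" and s.get("src") == src
           and s.get("dest") == dest for s in sections):
        return "ACCEPT"
    # 2. traffic staying inside one zone follows that zone's forward option
    if src == dest:
        return zones[src].get("forward", "REJECT")
    # 3. anything else leaves forward_<src> unmatched; the main chain's
    #    policy, taken from 'config defaults', decides it
    return defaults.get("forward", "REJECT")

def input_policy(sections, zone):
    """Verdict for traffic to the router itself: DHCP lives here, not in forward."""
    zones = {s["name"]: s for s in sections if s[".type"] == "zone"}
    return zones[zone].get("input", "REJECT")
```

Running it on the excerpt gives lan→wan ACCEPT; flipping only the defaults forward to REJECT turns lan→wan into REJECT while lan input, and therefore DHCP, stays ACCEPT.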