LAN - green WAN - red

swinches · May 31, 2017, 7:28pm

Does the WAN being marked red indicate I have it configured incorrectly?
I have a WRT1900AC behind a 2wire DSL modem. The LAN is set up statically and the WAN is using DHCP
One of my NAS devices on the LAN side says it cannot get an external IP?

Thanks in advance

DjiPi · May 31, 2017, 7:46pm

No, it is the default for WAN.

Do you have access to your NAS on your local network? My guess is that it has to do with making your NAS visible on the Internet and maybe you need to open incoming ports on the router for this NAS, or configure upnp.

golialive · June 2, 2017, 12:57pm

Hey there.

Different colors indicate different firewall groups. Default is green for LAN and red for WAN. There's default behavior for INPUTing and FORWARDing traffic and creating distinct firewall rules usually means picking a certain firewall group als source and/or target and allow or deny anything. Like "from LAN is allowed, from WAN is for bidden, except from WAN to LAN in case protocol type is ICMP, then this is allowed, too".
As for the default situation, you have an interface called LAN and a firewall group called LAN. And you have an interface called WAN and a firewall group called WAN.

You could, for example, have three interfaces LAN1, LAN2 and LAN3 for three room mates of dorm apartments. Every interface could belong to the very same firewall zone LAN (since all firewall rules apply to them equally), but they can be different interfaces with individual IP ranges and so on. In this situation, all three LAN1-LAN3 interfaces would be green.

If you create additional firewall zones they get different colors. I currently run 10 interfaces in 6 different firewall groups.

Green
All green zones can reach (nearly) every other zone, including every other green zone.
Management network is green
My personal network is green, too
The network of my brother is green, too.
The network of my parents is green, too.
When I work at home, my company laptop joins an additional network (basically to avoid broadacsting), that one is green, too.
Dark Blue
I have a dedicated network for a couple of VoIP devices. That's blue since it has its own firewall group. It cannot be reached from the green zone. That's the exception I wrote about six lines ago.
Light blue
A guest wifi has its dedicated network
Yellow
A data center VPN has its own security group.
Purple
DMZ, for a couple of machines (VMs or hardware ones) that have INPUT rules and can be reached from WAN. This zone cannot connect to the green zone by itself.
Orange
Smart TVs and other IOT devices sometimes want internet uplink (for Netflix and stuff like that), but I don't want them to be able to connect to my green zones. Just in case NSA or another eval attacker decides to take over my IOT devices, I want them to be not able to hop on to my computer. So This is a restricted firewall group as well.
Red
And of course I have a WAN uplink.

My point being: Color doesn't indicate any kind of quality, it's just a distinction between different firewall groups.

That would be exactly my guess, too.

Is this an actual problem for you? Is something not working as expected? Maybe you can just leave it as is. If you don't need your NAS device to be reachable from the WAN side there's just nothing to do.

Do you run a couple of identical NAS devices? I'm just asking because you wrote "one of my NAS devices". Chances are they fight for the very same port forwarding rule.

Regards,
Stephan.

braian87b · June 2, 2017, 4:33pm

@golialive Hi! it is a very interesting configuration that you have there, I am trying to do something similar, mainly the vpn (Yellow) and Orange configuration... can you post your config files?, will be really useful to learn how to do it, thanks!

swinches · June 4, 2017, 2:38am

Thank you all for your replies! Very helpful. Thanks to "golialive" for the information about the different colors as they relate to the different firewall groups. Regarding the NAS not being able to get an external IP, this turned out to be an issue with the firmware (bug?) on an Iomega StorCenter ix2-200. Not a huge deal though as I am able to access it remotely by setting up port forwarding through LEDE/router... Great help everyone!

takimata · June 4, 2017, 11:27am

I'm sorry to say that @golialive came to a bit of a wrong conclusion, especially "All green zones can reach (nearly) every other zone" and similar assumptions about the meaning of a "green zone", or other zone colors.

It's really much, much simpler than that. The single factor that defines the color of a firewall zone is its name.

There are two hardcoded colors; green for "lan", red for "wan". The color for any other zone is generated from its name.

Relevant source code here, search for function "zone.get_color".

The initial decision to use red and green for the most basic firewall zones is, in my opinion, a bit unfortunate. Red and green, without any further explanation, can easily be misinterpreted as a status indicator, as the OP proves. It would have been better to choose other defaults and make sure that pure red and pure green won't be generated from the PRNG-based code.

golialive · June 4, 2017, 11:49am

Sorry if I didn't point that out clear enough. That's actually what I intended to say. Colors don't meen anything in general and are just used to determine different firewall groups from each other. The actul value of the color has nothing to do with the behavior of the group. The only static colors are red and green for WAN and LAN group. But this, again, has nothing to do with the behavior of the group. I can switch everything to "allow" for the WAN group as well, it will still be displayed red although it doesn't block any traffic.

My whole post, especially when talking about different LAN interfaces, was about the distinction between interface and firewall group, where both are named "LAN" by default (and thus are displayed green), but the assigned interface to a certain firewall group can have a completely different naming as well.

I didn't want to explain what colors do in default setups, since that's not possible at all. I just wanted to give my current setup as an example of what can be done, and as part of that, "all green zones can reach reach (nearly) every toher zone" was meant purely as a descripton of how I configured this.

So sorry for not making that clear enough.

braian87b · June 5, 2017, 3:03pm

@golialive LOL! I already knew about color thing, I just talk about the configuration of your networks, I want to have on my current router the same as you, a network just for vpn, a network just for guest, a network for IOT... I already managed to get working OpenVPN, and a guest network, but I don't know yet how to isolate OpenVPN in other network and those thing you already done. It is possible you publish your config files? it will be really helpful, thanks in advance!

braian87b · June 12, 2017, 8:54pm

Hi! can you share your config files ? it is a really interesting configuration. thanks!

golialive · June 16, 2017, 8:48pm

Hey there.

Sorry for not having replied earlier, I was quite busy during the last couple of days.

To be honest, there's really not much interesting to my setting.

Here it is

That's my BananaPi M1.

Connected to that there's a couple of TP-Link 4900, 4300 and 1043. All TP-Link devices are "dumb AP" that connect vlans 64 (floor0), 72 (floor1), 80 (floor2), 208 (guest) and 200 (bunker) and expose respectie vlans through rj45 ports.

I won't post the actual config of my TP-Links, but here's the shell script that sets wifi up:

Regards,
Stephan.

braian87b · June 19, 2017, 2:22pm

I consider myselft a very experienced OpenWRT / LEDE user but I actually had problems with Firewall / Networks / Route Tables, I configure some times networks but I fail in complex configurations... I will see your files in detail and try to learn how you achieve it, Thanks!