LAN - green WAN - red

Hey there.

Different colors indicate different firewall groups. Default is green for LAN and red for WAN. There's default behavior for INPUTing and FORWARDing traffic, and creating distinct firewall rules usually means picking a certain firewall group as source and/or target and allowing or denying anything. Like "from LAN is allowed, from WAN is forbidden, except from WAN to LAN in case protocol type is ICMP, then this is allowed, too".
As for the default situation, you have an interface called LAN and a firewall group called LAN. And you have an interface called WAN and a firewall group called WAN.

You could, for example, have three interfaces LAN1, LAN2 and LAN3 for three roommates of dorm apartments. Every interface could belong to the very same firewall zone LAN (since all firewall rules apply to them equally), but they can be different interfaces with individual IP ranges and so on. In this situation, all three LAN1-LAN3 interfaces would be green.

If you create additional firewall zones they get different colors. I currently run 10 interfaces in 6 different firewall groups.

  • Green
      • All green zones can reach (nearly) every other zone, including every other green zone.
      • Management network is green.
      • My personal network is green, too.
      • The network of my brother is green, too.
      • The network of my parents is green, too.
      • When I work at home, my company laptop joins an additional network (basically to avoid broadcasting); that one is green, too.
  • Dark Blue
      • I have a dedicated network for a couple of VoIP devices. That's blue since it has its own firewall group. It cannot be reached from the green zone. That's the exception I wrote about six lines ago.
  • Light blue
      • A guest wifi has its dedicated network.
  • Yellow
      • A data center VPN has its own security group.
  • Purple
      • DMZ, for a couple of machines (VMs or hardware ones) that have INPUT rules and can be reached from WAN. This zone cannot connect to the green zone by itself.
  • Orange
      • Smart TVs and other IoT devices sometimes want internet uplink (for Netflix and stuff like that), but I don't want them to be able to connect to my green zones. Just in case the NSA or another evil attacker decides to take over my IoT devices, I want them to not be able to hop on to my computer. So this is a restricted firewall group as well.
  • Red
      • And of course I have a WAN uplink.

My point being: Color doesn't indicate any kind of quality, it's just a distinction between different firewall groups.

That would be exactly my guess, too.

Is this an actual problem for you? Is something not working as expected? Maybe you can just leave it as is. If you don't need your NAS device to be reachable from the WAN side there's just nothing to do.

Do you run a couple of identical NAS devices? I'm just asking because you wrote "one of my NAS devices". Chances are they fight for the very same port forwarding rule.

Regards,
Stephan.
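As an added illustration (not from Stephan's post and not the OpenWrt project's own sample config), here is what a zone layout like the one described above looks like in OpenWrt's /etc/config/firewall. The network names lan1, lan2, lan3, iot, dmz and wan and the address 10.0.50.10 are assumed for the example; zone colors in LuCI are derived automatically from the zone names, so nothing here sets a color. Zones collect interfaces, inter-zone traffic is only allowed where a `config forwarding` section exists, and one `config redirect` maps one external port to exactly one internal host.

```uci
# Added example: /etc/config/firewall in OpenWrt UCI syntax.
# Network names (lan1..lan3, iot, dmz, wan) and 10.0.50.10 are assumed.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'        # nothing crosses zones unless listed below
	option synflood_protect '1'

# Green: several interfaces, one zone, one set of rules.
# 'forward ACCEPT' here is intra-zone: lan1 <-> lan2 <-> lan3 may talk.
config zone
	option name 'lan'
	list network 'lan1'
	list network 'lan2'
	list network 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Red: the uplink. Inbound is rejected unless a rule or redirect allows it.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Restricted zone for smart TVs and similar devices: may reach the
# internet, may not initiate anything towards lan.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DMZ: reachable from wan via redirects, cannot start connections to lan.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Inter-zone policy: only the listed directions are allowed.
# lan -> everything; iot -> wan only; dmz -> wan only.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

# Restricted zones still need DHCP and DNS from the router itself,
# otherwise 'input REJECT' leaves the devices without an address.
config rule
	option name 'Allow-DHCP-DNS-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# The "WAN to LAN is forbidden, except ICMP" exception from the post.
config rule
	option name 'Allow-Ping-wan-to-lan'
	option src 'wan'
	option dest 'lan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

# One public port maps to exactly one DMZ host. A second redirect with
# the same src_dport would compete with this one, which is the situation
# hinted at for "one of my NAS devices".
config redirect
	option name 'Forward-NAS-HTTPS'
	option src 'wan'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '10.0.50.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
```

After editing the file, `/etc/init.d/firewall reload` applies it; `fw4 print` (or `fw3 print` on older releases) shows the generated ruleset, which is the quickest way to confirm that no forwarding path exists from iot or dmz towards lan.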