MWAN3? eth0 wan ignores firewall rules and connects to lan

I have a filehub 009: 2 wifi radios, 1 wan eth port.
The eth wan port ignores the firewall and feeds directly into the LAN.
Could I make another Zone in the firewall that mimics the wan?

Is MWAN3 the solution?
If so, could someone show me how to set this up properly with my current config?

Network:

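# Network (/etc/config/network as posted).
# Fix: eth0 was listed both as a port of the br-lan bridge and as the device
# of the 'wwan' interface. A port enslaved to br-lan is switched into the lan
# at layer 2, so frames arriving on it never pass through the 'wan' firewall
# zone; that is why the upstream 192.168.1.1 network was reachable directly
# from wifi clients. eth0 is now used only by 'wwan' (the manufacturer
# documents this port as wan-only).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5b:3af4:0538::/48'

# lan bridge with no wired ports; the 'wifinet1' access point attaches to it
# through its 'option network lan'.
config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.7.1'
	option defaultroute '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'

# Wifi uplink managed by travelmate; the 'trm_uplink1' station binds to it
# through its 'option network trm_wwan'.
config interface 'trm_wwan'
	option proto 'dhcp'
	option metric '100'

config interface 'trm_wwan6'
	option device '@trm_wwan'
	option proto 'dhcpv6'

config device
	option name 'tailscale0'

# Tailscale interface; the firewall config places it in the lan zone.
config interface 'TS0'
	option proto 'none'
	option device 'tailscale0'
	option peerdns '0'
	option force_link '1'
	option defaultroute '0'
	option type 'bridge'

config device
	option name 'eth0'
	option ipv6 '0'

# Wired uplink on the eth0 port; member of the 'wan' firewall zone.
# eth0 must not also appear as a br-lan port, or the zone is bypassed.
config interface 'wwan'
	option proto 'dhcp'
	option device 'eth0'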

(I use travelmate for the wifi radios)
Wireless:

# Wireless (/etc/config/wireless as posted).
# 2.4 GHz radio; only the travelmate station (uplink) interface below uses it.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '0'
	option cell_density '0'

# 5 GHz radio; carries the access point below.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '100'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

# Station (client) uplink managed by travelmate. It attaches to the
# 'trm_wwan' interface, which the firewall config lists in the 'wan' zone.
# Currently disabled; the PSK value was left out of the post.
config wifi-iface 'trm_uplink1'
	option device 'radio0'
	option mode 'sta'
	option network 'trm_wwan'
	option ssid 'FiOS'
	option encryption 'psk2+ccmp'
	option key 
	option disabled '1'

# Access point for local clients, attached to the 'lan' interface (lan zone).
# NOTE(review): 'encryption none' makes this an open network: any client in
# range joins the lan zone, which the firewall forwards to wan. A WPA2 PSK
# ('psk2' plus an 'option key') would close that.
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option network 'lan'

Firewall:

# Firewall (/etc/config/firewall as posted).
# Policies for traffic that matches no zone: input/output accepted, forwarding rejected.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted side: the wifi lan and the tailscale interface share one zone,
# so tailscale peers get the same forwarding as local wifi clients.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'TS0'

# Untrusted side: both uplinks (wifi via travelmate, wired via 'wwan').
# Zone membership is by interface. In the posted network config eth0 is the
# device of 'wwan' AND a port of br-lan; a bridge port is switched into the
# lan at layer 2 before zone matching, which is what makes this zone appear
# to be bypassed for the wired uplink.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'trm_wwan'
	list network 'trm_wwan6'
	list network 'wwan'

# Only lan -> wan is forwarded; nothing is forwarded from wan unless a rule allows it.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are the standard OpenWrt defaults for the wan zone.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Tailscale rules; both are 'enabled 0', so neither is installed at present.
config rule
	option name 'tailscale'
	option family 'ipv4'
	option src 'lan'
	option src_port '41641'
	option target 'ACCEPT'
	option dest '*'
	option enabled '0'

# Inbound wan -> lan on port 41641. No 'option proto' is set, so if this rule
# is re-enabled it matches every protocol; restricting it to udp keeps the
# opening as narrow as tailscale needs.
config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '41641'
	option target 'ACCEPT'
	option name 'tailscale incoming'
	option enabled '0'

DHCP:

 # DHCP/DNS (/etc/config/dhcp as posted).
 # rebind_protection and localservice keep dnsmasq from answering upstream
 # queries with private addresses and from serving clients outside the local subnets.
 config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# DHCPv4 pool for wifi clients on the lan interface (192.168.7.100-249).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

# NOTE(review): no network interface named 'wan' exists in the posted network
# config (the uplinks are 'wwan' and 'trm_wwan'); presumably left over from the
# default config. With 'ignore 1' it is inert either way, so no DHCP is served upstream.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
  • That shouldn't be possible. Can you better clarify what you mean.
  • Do you have 2 Internet connections?
    • If so, yes you'll need to balance that connection somehow

That shouldn't be possible. Can you better clarify what you mean.

I placed the eth0 interface in the wan zone of the firewall. I plug the ethernet cable connected to 192.168.1.1 into the eth0 wan port. I connect to the 5g wifi (lan zone, 192.168.7.1). My designated lan IP (7.1) does not connect to the internet. If I switch my PC to the upstream network IP (1.1) manually, I have internet. Meaning my lan is bypassed, right?
Is the router acting as a dumb AP this way? Also, tailscale seems not to like this either, which is weird to me.

I had no problems with the 2g wifi connected to the network (1.1) and the 5g as the lan(7.1). I have internet through the lan IP(7.1) for any computer connected over the 5g wifi and tailscale worked.

If this information helps: eth0 is the only port on the portable router. I believe when I installed openwrt it was in the lan zone by default. On the manufacturer's website the eth0 port is said to be used only as a wan port.

If so, yes you'll need to balance that connection somehow

No. I mean I could use the wan and the 2g wifi that way, but that is not my issue, since both eth0 and the 2g wifi radio would be on the same network right now. This also confuses me, since they are both in the wan firewall zone. I thought that was the entire purpose of a firewall lol.

I asked because I thought maybe multiple wans in the firewall zone would confuse the router? I do not know; I just thought this might help.

I hope you see the problem. The firewall can't do anything if you have eth0 assigned to both wan and lan: in your network config eth0 is listed as a port of br-lan and, at the same time, as the device of the wwan interface, so it is bridged into the lan before any zone rule applies.

