Hi
I now have IPv6. And with new technology new questions come up ...
I have a DMZ and an IoT zone (and LAN as well, but that's not the topic here). I consider those two zones insecure (I have the insecure IoT devices contained in that zone and separated from the rest of the network).
OpenWrt has the input filter on an internal zone set to 'accept' by default, and as I consider those zones insecure I want to set it to reject.
I have opened ports 53, 67, 68, 123, 546 and 547 UDP for providing DHCP, DNS and NTP. IPv6 is not working properly and I see this is due to ICMP which is essential for IPv6.
So, question is: what ICMP types do I need to allow (really don't want to have them all open)?
Why do you have a rule that includes ICMP and UDP, but then lists ports? This is wrong.
I use the following, which is a slight alteration of the rule already included in a default OpenWrt config:
config rule
	option name 'New_Allow-ICMPv6-Forward'
	option src '*'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
Seems to be the new look of LuCI in 19.07, merging the protocols and ports in one rule.
Your rules are correct, technically you don't need to open 546, you can however limit 547 only from source port 546.
You may also want to open icmp for ipv4, at least the echo request.
Now my original question is still open. The rule, by the way, gives the same list for IPv4..
What ICMP (and TCP/UDP) do I need? The intention is still to have a LAN side interface for a zone containing insecure or potentially insecure devices, e.g. IoT.
So I need to provide DHCP, NTP and DNS; how about RA? Everything else that is not necessary should be blocked to protect the router itself. I don't want to have access to the ssh port, the unbound running on the router, etc.
Most of this isn't ICMP. Perhaps you intended to ask another question, or re-title this thread?
I personally chose what I want my VLAN to have and open it. If your IoT devices need those services, obviously you'll have to open them. Are you asking for our best practices on that too?
Examples:
IPv4:
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67'
	option name 'Allow-LAN2_DHCP'
	option family 'ipv4'
	option src 'lan2'
	option src_port '68'

config rule
	option target 'ACCEPT'
	option name 'Allow-LAN2_DNS'
	option src 'lan2'
	option dest_port '53'
	option family 'ipv4'
	option dest_ip '192.168.x.1'
	option proto 'udp'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '123'
	option src 'lan2'
	option name 'Allow-LAN2_NTP'
DHCP is enough. They can always ask for time and DNS on the internet if you don't want them to ask the router. So it is up to you.
For IPv6 you can look what is open in the firewall rule for the wan interface and apply the same.
Thank you all for your help. I am making progress.
For IoT I have now opened icmp (all types at the moment) and ports 53, 123, 67, 547 on UDP for IPv4 and IPv6. It's a compromise between having the router secured by closing all unnecessary ports for that interface and ending up with too many rules.
I do still have a problem with one of the clients (Fritzbox) not getting IPv6 DHCP to work if I reject everything else on that interface (seems to be related to broadcasts at the start of DHCP). Funny though that another client does not have problems, so I think I will place the Fritzbox into a separate VLAN (VoIP) for testing.
This thread has been marked as solved, yet I have not seen any adequate answer. This subject is extremely important, so a dedicated RFC (4890) has been published covering this matter: https://tools.ietf.org/html/rfc4890.
In a nutshell: one should never block the following ICMPv6 traffic: type 1, type 2, type 3/0, type 4/1 and type 4/2. Furthermore, other types can be allowed and are explained in detail, but I leave it up to you to discover (i.e. you should consult the RFC yourself).
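As an added example that is not from any post in this thread: a UCI firewall fragment for an untrusted internal zone that rejects input by default but still accepts the ICMPv6 messages RFC 4890 (section 4.3.1) says must not be dropped, plus the neighbour discovery, MLD and DHCPv6 server traffic the router needs to serve that zone. The zone name 'iot' is an assumption; the icmp_type names and numeric type/code forms are the ones OpenWrt's firewall config accepts, and router-advertisement is deliberately left out so devices in the zone cannot push RAs at the router.

```uci
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# RFC 4890 must-not-drop types 1, 2, 3/0, 4/1, 4/2, plus echo and the
# NDP messages the router needs to answer clients on this link.
config rule
	option name 'IoT-Allow-ICMPv6-Input'
	option src 'iot'
	option proto 'icmp'
	option family 'ipv6'
	option limit '1000/sec'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type '3/0'
	list icmp_type 'unknown-header-type'
	list icmp_type '4/2'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'

# MLD (types 130-132, 143) is only valid from link-local sources.
config rule
	option name 'IoT-Allow-MLD'
	option src 'iot'
	option proto 'icmp'
	option family 'ipv6'
	option src_ip 'fe80::/10'
	option target 'ACCEPT'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

# DHCPv6 clients talk to the server on 547 from source port 546.
config rule
	option name 'IoT-Allow-DHCPv6-Server'
	option src 'iot'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'
	option target 'ACCEPT'
```

DNS (53) and NTP (123) rules for the zone follow the IPv4 examples earlier in the thread with family 'ipv6'; apply with `uci commit firewall` followed by `/etc/init.d/firewall reload`.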
For me it's solved so far, as I don't consider having icmp allowed for all types on input to be a threat. But I agree, there should be some documentation on what icmp shall be allowed or is recommended for different kinds of interfaces on OpenWrt routers. Whereas type of interface means:
WAN interface
LAN zone (trusted)
DMZ/IoT and other untrusted, but internal zones
VPN incoming connections (e.g. for home office workers)
VPN connections to other sites (so without DHCP, but maybe neighbour solicitation)
In the default config you have a trusted (LAN) and an untrusted (WAN) zone. The trusted accepts everything. The untrusted has a list of allowed things for minimal functionality.
It doesn't matter if it is internal or external, but if you trust it or not.
For me it's ok so I set the topic to solved.
I realized the default rules, but I still wonder if secure on the outside is the same as secure on the inside. One is upstream, the other downstream. Including handling RA, DHCP (client vs server), ... I'm new to IPv6.
Also, my initial problem (it didn't work with the settings I had) seems to also be based on my client. Yesterday the Fritzbox chose a ULA address for IPv6, with the result that VoIP didn't work anymore. Seems it randomly takes one of the addresses it has...
You should not see RAs from an inside network. If there is another router in the LAN, then configure it manually.
As for dhcp etc, you open the ports according to your needs. You might as well assign settings manually, so DHCP is not needed.