Need help with Network + Firewall Zones

Hi All.
I would appreciate some help with my OpenWrt config. I've been struggling with it for two whole days now.

My issue is that I cannot send email (SMTP) from my VLAN ("lan") even though I've enabled port 993 in the firewall. The strange thing is that it works whenever I use "ipset" to define the src net/IP, but when I use the actual zone name ("lan") as source it doesn't work at all. In fact, both zones "lan" and "voip" (my ATA is plugged into port "lan1") don't work at all in the firewall, but ipset works fine. I suspect it's a misconfigured network. Here are the relevant settings.

**/etc/config/network:**
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.254'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option delegate '0'

config bridge-vlan                        
        option device 'br-lan'            
        option vlan '3'                  
        list ports 'lan2:t'               
        list ports 'lan3'                 
        list ports 'lan4'

config bridge-vlan                        
        option device 'br-lan'            
        option vlan '6'                  
        list ports 'lan1'

config interface 'voip'                   
        option proto 'static'             
        option device 'br-lan.6'         
        option ipaddr '192.168.6.254'    
        option netmask '255.255.255.0'

**/etc/config/firewall**

config zone                           
        option name 'lan'             
        list network 'lan'            
        option input 'REJECT'         
        option output 'ACCEPT'        
        option forward 'REJECT'

config rule                                       
        option name 'Allow SMTP'                  
        option src 'lan'                            
        option dest 'wan'                         
        option proto 'tcp'                        
        option dest_port '465 993'                
        option target 'ACCEPT'

config zone                                       
        option name 'voip'                        
        list network 'voip'                       
        option input 'REJECT'                     
        option output 'ACCEPT'                    
        option forward 'REJECT'

config rule                                             
        option name 'Allow voip -> WAN SIP'             
        option src 'voip'                                  
        option src_port '5004 5060'                     
        option dest 'wan'                               
        option proto 'tcpudp'                           
        option target 'ACCEPT'

To repeat, if I use ipset to identify the src for both the SMTP and voip rules, then everything works fine. But using their zone names does not.

Some recommendations (this won't necessarily fix your overall issue, but should be considered):

For the untagged ports, add :u* to explicitly set them as untagged+PVID:

config bridge-vlan                        
        option device 'br-lan'            
        option vlan '3'                  
        list ports 'lan2:t'               
        list ports 'lan3:u*'                 
        list ports 'lan4:u*'

config bridge-vlan                        
        option device 'br-lan'            
        option vlan '6'                  
        list ports 'lan1:u*'

Is there a reason you've rejected input on your lan? Typically input is accepted.

Remove the proto line below (this will default to tcp and udp, but as written it is not right).

Are you certain that the ports specified are the source ports (and not destination ports)?

I'm also assuming that you don't have the entire firewall shown here -- it looks like it's missing a lot of the standard stuff, and maybe some rules that are relevant to the issue.

Hi.
(1) Thanks for the tip re ":u*". I'll update the config accordingly.
(2) The reason I have input there is that it's a carry-over from my previous router's OpenWrt settings, which never had any issues. Not sure what difference it makes?
(3) OK, I will remove the proto line, but remember, if I change the voip rule to use ipset, it works fine. Here is the ipset setting that works.

config ipset
option name 'voipclient'
option match 'src_ip'
list entry '192.168.6.10'

config rule
option name 'Allow voip -> WAN SIP'
option src '*'
option ipset 'voipclient'
option src_port '5004 5060'
option dest 'wan'
option proto 'tcpudp'
option target 'ACCEPT'
(4) Re ports, again, those are the settings that worked for a few years on my previous router. I've just checked online and saw one place mention it as a source port.

(5) Since changing that little line to include ipset in the rule makes it work, I don't know what else could be relevant in the firewall. I would think it is only those settings that are explicitly bound to the zone names (which are all included here)?

Let's see the complete config. On the surface, I agree with you that the behavior is unexpected, but maybe there are other rules that are affecting the packets before they get to what should be a basic accept rule.

Here is the complete (updated) /etc/config/network:

config globals 'globals'
option packet_steering '1'

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.3.254'
option netmask '255.255.255.0'
option ipv6 '0'
option delegate '0'

config device
option name 'wan'
option macaddr '62:bc:e0:c5:de:32'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option ipv6 '0'
option peerdns '0'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan2:t'
list ports 'lan3:u*'
list ports 'lan4:u*'

config bridge-vlan
option device 'br-lan'
option vlan '6'
list ports 'lan1:u*'

config interface 'voip'
option proto 'static'
option device 'br-lan.6'
option ipaddr '192.168.6.254'
option netmask '255.255.255.0'

config device
option type 'bridge'
option name 'media'
option bridge_empty '1'

config interface 'media'
option proto 'static'
option device 'media'
option ipaddr '192.168.10.254'
option netmask '255.255.255.0'
option ipv6 '0'

It looks like you have very restrictive settings; this looks like the only LAN > WAN traffic allowed?

For SMTP traffic nowadays usually port 587 is used, maybe also add that?

Hi :), no, here is my complete firewall:

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

wan zone

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

IPSET lists

config ipset
option name 'vlans'
option match 'src_net'
list entry '192.168.3.0/24'
list entry '192.168.6.0/24'
list entry '192.168.10.0/24'

config ipset
option name 'webclients'
option match 'src_net'
list entry '192.168.3.0/24'
list entry '192.168.10.0/24'

config ipset
option name 'voipclient'
option match 'src_ip'
list entry '192.168.6.20'

multi-zones rules

config rule
option name 'Allow DNS'
option src '*'
option ipset 'vlans'
option dest_port '53'
option target 'ACCEPT'

config rule
option name 'Block DNS 853'
option src '*'
option ipset 'vlans'
option dest 'wan'
option dest_port '853'
option target 'REJECT'

config rule
option name 'Allow NTP'
option src '*'
option ipset 'vlans'
option dest_port '123'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Allow HTTP HTTPS'
option src '*'
option ipset 'vlans'
option dest 'wan'
option proto 'tcp'
option dest_port '80 443'
option target 'ACCEPT'

lan zone

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config redirect
option name 'Redirect lan DNS 53'
option src 'lan'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config redirect
option name 'Redirect lan DNS 5353'
option src 'lan'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'

config rule
option name 'Allow lan SMTP'
option src 'lan'
option dest 'wan'
option proto 'tcp'
option dest_port '465 993'
option target 'ACCEPT'

media zone

config zone
option name 'media'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'media'

config redirect
option name 'Redirect media DNS 53'
option src 'media'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config redirect
option name 'Redirect media DNS 5353'
option src 'media'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'

voip zone

config zone
option name 'voip'
list network 'voip'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config rule
option name 'Allow voip -> WAN SIP'
option src '*'
option ipset 'voipclient'
option src_port '5004 5060'
option dest 'wan'
option target 'ACCEPT'

config rule
option name 'Allow voip -> WAN SIP'
option src '*'
option ipset 'voipclient'
option src_port '5004 5060'
option dest 'wan'
option target 'ACCEPT'

config redirect
option name 'Redirect voip DNS 53'
option src 'voip'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config redirect
option name 'Redirect voip DNS 5353'
option src 'voip'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'

catchall

config rule
option name 'Deny all -> WAN'
option src '*'
option ipset 'vlans'
option dest 'wan'
option proto 'all'
option target 'DROP'

I can confirm that all the rules that use ipset as the src work, and all those that use the zone name as the src do not work ("lan", "voip", "media").

Still trying to solve this issue. It gets weirder.
This first firewall rule works fine when using src "lan", but in the following rule "lan" doesn't work and I have to specify "*" instead. The only difference I can think of is that the second rule is destined for wan.

config rule
    option  name        lan-allow-dhcp
    option  src         lan
    option  ipset       lan-dhcp
    option  src_port    67-68
    option  dest_port   67-68
    option  proto       udp
    option  target      ACCEPT
config rule
    option  name        lan-media-allow-smtp
    option  src         *
    option  ipset       web-email
    option  dest        wan
    option  proto       tcp
    option  dest_port   '465 993'
    option  target      ACCEPT

Also, I have the following errors in my logs. Does anyone know what these "failed... fdb" lines mean, and what this obscure Marvell chip "mv88e6085" is? I can hardly find any OpenWrt-related info on it. I am using a WRT32x router.

[    6.905458] kmodloader: failed to open /tmp/overlay/upper/lib/modules/5.15.134/mwifiex.ko
[    6.913724] kmodloader: failed to open /tmp/overlay/upper/lib/modules/5.15.134/mwifiex_sdio.ko
[    6.925410] mount_root: failed to launch kmodloader from internal overlay
[   17.204204] mv88e6085 f1072004.mdio-mii:00: port 3 failed to add 72:ea:5d:91:4c:78 vid 6 to fdb: -95
[   17.264407] mv88e6085 f1072004.mdio-mii:00: port 3 failed to add 72:ea:5d:91:4c:78 vid 3 to fdb: -95
[   17.281074] mv88e6085 f1072004.mdio-mii:00: port 3 failed to delete 72:ea:5d:91:4c:78 vid 3 from fdb: -2
[   17.291925] mv88e6085 f1072004.mdio-mii:00: port 3 failed to add 60:38:e0:c5:c8:38 vid 3 to fdb: -95
[   17.301210] mv88e6085 f1072004.mdio-mii:00: port 3 failed to delete 72:ea:5d:91:4c:78 vid 10 from fdb: -2
[   17.508843] mv88e6085 f1072004.mdio-mii:00: port 2 failed to add 60:38:e0:c5:c8:38 vid 3 to fdb: -95

After some more investigation, I have a suspicion that it is a NAT issue when using the zone names. NAT works fine when the source (src) is defined with "*" + "ipset" instead of the zone name only. Next, I am going to use nftables tracing to debug.

OK, I found the culprit! It's this "catchall" rule at the end of the firewall config. I have no idea where I got this rule from (definitely from a doc online somewhere). Its purpose, as described there: "the catch-all default action at the end is to just drop any packets that don't match the rules above". Does anyone know why it is not behaving as intended?

config rule
    option  name        catch-all
    option  src         *
    option  ipset       vlans 
    option  dest        wan
    option  proto       all
    option  target      DROP

Why do you have the rule in the first place? It doesn't look like you have any forwarding allowed between zones so everything should be blocked anyway, unless otherwise explicitly allowed.

Yes, I've deleted the rule after checking that the other rules worked as intended. The question remains though: (1) in terms of the order in which rules are processed in the firewall chains (with the catch-all rule being the last rule in the config), why were the "allowed" rules before it ignored, and (2) why did using src "*" + "ipset" (instead of src "zone name") behave properly in relation to the catch-all rule? I won't be doing any more investigations though; I am satisfied with the new status quo. Thanks everyone for your help.
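As an added example (not code from the thread or from OpenWrt's firewall4), the script below models the chain placement that firewall4 (fw4) uses for UCI rules and replays the posted situation offline. fw4 emits a rule with src '*' into the top-level nftables forward chain, which is evaluated before the per-zone jump into forward_<zone>, while a rule with src 'lan' only exists inside forward_lan. Under that model a src '*' DROP placed anywhere in the config is hit before any zone-specific ACCEPT, which matches the behaviour reported in the last posts, and a src '*' ACCEPT written earlier in the config wins because it sits in the same top-level chain ahead of the DROP. The fw4 placement is stated as the script's assumption; the firewall excerpt, the sample source address 192.168.3.10 and all function names are constructed for the example.

```python
"""Added example (not from this thread or OpenWrt): model where fw4 emits each UCI rule and
report zone ACCEPT rules shadowed by an earlier top-level DROP/REJECT. Assumption: src '*'
rules sit in the top-level 'forward' chain, which runs before 'jump forward_<zone>'. FIREWALL is constructed."""
import ipaddress
import shlex

FIREWALL = """
config ipset
    option name 'vlans'
    option match 'src_net'
    list entry '192.168.3.0/24'
config rule
    option name 'Allow HTTP HTTPS'
    option src '*'
    option ipset 'vlans'
    option dest 'wan'
    option proto 'tcp'
    option dest_port '80 443'
    option target 'ACCEPT'
config rule
    option name 'Allow lan SMTP'
    option src 'lan'
    option dest 'wan'
    option proto 'tcp'
    option dest_port '465 993'
    option target 'ACCEPT'
config rule
    option name 'Deny all -> WAN'
    option src '*'
    option ipset 'vlans'
    option dest 'wan'
    option proto 'all'
    option target 'DROP'
"""

def parse_uci(text):
    """Minimal UCI reader: list of section dicts; 'list' keys collect into Python lists."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts or parts[0].startswith('#') or (cur is None and parts[0] != 'config'):
            continue
        if parts[0] == 'config':
            cur = {'.type': parts[1]}
            sections.append(cur)
        elif parts[0] == 'option':
            cur[parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list':
            cur.setdefault(parts[1], []).append(parts[2])
    return sections

def build_ruleset(text):
    """Rules grouped by the chain fw4 would emit them into (config order kept), plus ipsets."""
    chains, ipsets = {}, {}
    for sec in parse_uci(text):
        if sec['.type'] == 'ipset':  # src_ip and src_net entries both become networks
            ipsets[sec['name']] = [ipaddress.ip_network(e, strict=False) for e in sec.get('entry', [])]
        elif sec['.type'] == 'rule':
            base = 'forward' if sec.get('dest') else 'input'  # no dest = traffic to the router
            chain = base if sec.get('src', '*') == '*' else f"{base}_{sec['src']}"
            chains.setdefault(chain, []).append(sec)
    return chains, ipsets

def port_matches(spec, port):
    """UCI port spec: space-separated ports or 'lo-hi' ranges; an empty spec matches any port."""
    return not spec or any(int(lo) <= port <= int(hi or lo)
                           for lo, _, hi in (p.partition('-') for p in spec.split()))

def rule_matches(rule, flow, ipsets):
    proto = rule.get('proto', 'tcp udp').replace('tcpudp', 'tcp udp').split()  # fw4 default: tcp+udp
    ok = (('all' in proto or flow['proto'] in proto)
          and rule.get('dest', '*') in ('*', flow['dest_zone'])
          and port_matches(rule.get('dest_port', ''), flow['dport'])
          and port_matches(rule.get('src_port', ''), flow['sport']))
    if ok and 'ipset' in rule:
        ok = any(ipaddress.ip_address(flow['src_ip']) in n for n in ipsets[rule['ipset']])
    return ok

def evaluate(chains, ipsets, flow):
    """Walk top-level 'forward', then the jump target forward_<src zone>; first match decides."""
    for chain in ('forward', f"forward_{flow['src_zone']}"):
        for rule in chains.get(chain, []):
            if rule_matches(rule, flow, ipsets):
                return rule.get('target', 'DROP'), rule['name'], chain
    return 'REJECT', '<zone forward policy>', f"forward_{flow['src_zone']}"

def find_shadowed(chains, ipsets, sample_ip):
    """For each zone ACCEPT rule, build one flow it should accept and check who really decides."""
    found = []
    for chain, rules in chains.items():
        if not chain.startswith('forward_'):
            continue
        zone = chain[len('forward_'):]
        for rule in (r for r in rules if r.get('target') == 'ACCEPT'):
            ports = rule.get('dest_port', '0').split()  # 0 stands in for "port not constrained"
            flow = dict(src_zone=zone, src_ip=sample_ip[zone], dest_zone=rule.get('dest', '*'),
                        proto=rule.get('proto', 'tcp').replace('tcpudp', 'tcp').split()[0],
                        sport=51000, dport=int(ports[0].split('-')[0]))
            verdict, name, where = evaluate(chains, ipsets, flow)
            if where == 'forward' and verdict in ('DROP', 'REJECT'):
                found.append((rule['name'], name))
    return found

if __name__ == '__main__':
    print(find_shadowed(*build_ruleset(FIREWALL), {'lan': '192.168.3.10'}))
```

Running it reports the 'Allow lan SMTP' rule as shadowed by 'Deny all -> WAN'; deleting the catch-all clears the report, and under the same model so would giving the catch-all src 'lan', because it would then land in forward_lan after the ACCEPT rules. On a live router the real placement can be read off with `nft list chain inet fw4 forward` and compared against the script's assumption before trusting its verdicts.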