New firewall zone - Forward to wan not working

jsalatiel · February 6, 2020, 9:09am

Hi, I have created a new firewall zone named "guest" and attached a new interface ( also named guest) to it.

Clients connected to that interface, correctly receive one IP from the range specified but they are unable to access internet.

Taking a look at FORWARD chain I was expecting the guest zone have a rule there, but i do not see that.

If i manually add a rule allowing input from guest interface and output to wan interface in forward chain, everything starts to working. isn't this rule supposed to be added automatically the moment i allow forward to wan zone ?

ulmwind · February 6, 2020, 9:44am

It should work. Have you reloaded firewall?

Please, give appended sections to /etc/config/firewall

jsalatiel · February 6, 2020, 9:56am

I have reloaded and also rebooted. Never works. I see that chains are created on iptables, but no reference to them on default FORWARD chain is added.

config zone
	option input 'ACCEPT'
	option name 'guest'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'guest'

ulmwind · February 6, 2020, 9:58am

OK, reboot router, and give output of
iptables -S | grep guest
You should add interface to zone:
list network 'guest'
I recommend you to name zones and interfaces separately, you've messed with it.

jsalatiel · February 6, 2020, 10:02am

# iptables -S | grep guest
-N forwarding_guest_rule
-N input_guest_rule
-N output_guest_rule
-N zone_guest_dest_ACCEPT
-N zone_guest_forward
-N zone_guest_input
-N zone_guest_output
-N zone_guest_src_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT

ulmwind · February 6, 2020, 10:03am

OK, see comment above.

jsalatiel · February 6, 2020, 10:04am

I will try to name them differently, but by default don't i have wan zone and wan interface ?

ulmwind · February 6, 2020, 10:05am

Yes, you have. But zone contains interface:

config zone
        option name             wan
        list   network          'wan'

jsalatiel · February 6, 2020, 10:15am

But shouldn't luci firewall app automatically add the interface ? Maybe it is a bug ?

Deleting the old guest zone and creating a zone named guests worked after attaching the guest interface to it.

I still think that there is a little bug on the luci firewall app. =)
Thank you very much for your help!

jsalatiel · February 6, 2020, 10:15am

btw, I do not see

 list   network          'guest'

I see

	option network 'guest'

option not list

ulmwind · February 6, 2020, 11:21am

It is normal, option is for single item, list - for multiple. In common case zone can contain several interfaces, in this case list should be used.