OpenWRT Firewall Rule Limitations

Hello, I want to use the OpenWrt firewall as an implicit deny-all firewall. Essentially, I don't want any traffic allowed between networks/zones unless I create a traffic rule allowing it. I believe with my current config I have this mostly figured out, but there are some limitations I am running into, and from what I can tell the only workaround is to just make extra rules. For example, in order for IPv6 to work on my LAN I need to allow ICMPv6 between the LAN zone and 'this device' as a traffic rule. I cannot specify a destination IP in this rule because ICMP is used for neighbor discovery with IPv6. So when this rule is created, the LAN zone can ping the v6 gateway of my guest zone. I do not want this, and on any network firewall ever created this behavior does not occur. Typically you would need to make a rule between the LAN and Guest zones for this to be possible. The only workaround I can think of is to just add an ICMPv6 deny rule from the LAN to 'this device' that has the v6 gateways of all of my other networks as the destination. I really do not want to do this, as I have a lot of networks and this will add a ton of extra firewall rules that should not be needed in the first place. Does anyone know of a workaround here, or something I may have configured wrong that would be causing this?

Thanks!

Yes, IPv6 requires ICMP, the whole long list in /rom/etc/config/firewall, and multicast for neighbour advertisement, replacing the old ARP protocol.

Likely you first log, then drop with log, then drop for good (watch out for reject generating new packets)

By default "zones" mean cable connections, i.e. no anti-spoofing with supposed source IPs in the rule.

Ok, so for the specific scenario I made it so I have an IPv6 rule from LAN to 'this device' where the source IP is set to fe80::/10. That resolves that. I still would like a solution for making rules where the destination is 'this device'. When the destination is 'this device', I don't want to be able to reach the gateway IPs of other zones/networks. I just want to be able to reach 'this device' as it pertains to my zone.

Are these all the router?

You need to make your own guard rules using a $variable with the IP addresses seen in fw4 print.

I'm sorry, do you have an example of what this would look like?

Correct, all of these gateways are on the router, just in different VLANs which are in different zones.

So what's the actual issue? Can devices in one VLAN access devices in a different VLAN? Or is it just the router responding from any of the IP addresses it has?

The issue is that unicast traffic can reach the IP gateways of other VLANs. No, they cannot reach hosts in other VLANs, since there are no zone-to-zone rules built. Really, this is probably not that big of a problem, but someone in my guest network, for example, could run an IP scanner and figure out all of my internal subnets, as all of the gateways on the router would respond.

They possibly could, but as you've already surmised it's not really a problem. There's nothing that could be done with that info so is it worth all the hassle to 'solve' it?
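Putting the thread's two suggestions together (the fe80::/10 source restriction on the ICMPv6 input rule, and a guard rule that blocks LAN traffic to the router's addresses that belong to other zones), here is what an fw4 /etc/config/firewall fragment could look like. This is an added example, not a poster's configuration; the zone names, interface names and gateway addresses are placeholders, and on a real router they would be replaced with the addresses that fw4 print and ip addr show for each zone.

```uci
# /etc/config/firewall (fw4) - constructed example, not from the thread.
# Zone and network names ('lan', 'guest') and the gateway addresses are
# placeholders; substitute the router's real per-zone addresses.

# Each zone rejects traffic to the router ('this device') and to other
# zones unless a rule below explicitly accepts it.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guard rule. Rules are evaluated in file order, so it sits above every
# ACCEPT rule for the lan zone. With no 'dest' option the rule applies to
# traffic addressed to the router itself, and 'proto all' covers ICMP as
# well as TCP/UDP, so a LAN host cannot ping or port-scan the addresses
# the router holds on the guest network.
config rule
	option name 'Guard-LAN-to-guest-gateway'
	option src 'lan'
	option proto 'all'
	# placeholder guest IPv4 gateway
	list dest_ip '192.168.20.1'
	# placeholder guest IPv6 gateway
	list dest_ip '2001:db8:0:20::1'
	option target 'DROP'

# IPv6 housekeeping for the LAN. Router/neighbour solicitation and
# neighbour advertisement come from link-local sources, so limiting the
# source to fe80::/10 (the fix reported above) keeps this rule from also
# admitting pings sent from global addresses to other zones' gateways.
config rule
	option name 'Allow-LAN-ICMPv6-LinkLocal'
	option src 'lan'
	option proto 'icmp'
	option family 'ipv6'
	option src_ip 'fe80::/10'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'echo-request'
	option target 'ACCEPT'

# Explicit allows for the services LAN hosts need from their own gateway
# (DNS, DHCPv4, DHCPv6). Everything else to 'this device' falls through to
# the zone's REJECT input policy.
config rule
	option name 'Allow-LAN-DNS-DHCP'
	option src 'lan'
	option proto 'udp'
	list dest_port '53'
	list dest_port '67'
	list dest_port '547'
	option target 'ACCEPT'
```

The guard rule still needs one dest_ip entry per other-zone gateway, which is the extra-rules cost the original post wanted to avoid, but it collapses them into a single rule per source zone rather than one deny rule per protocol. After editing, /etc/init.d/firewall restart followed by fw4 print shows the generated nftables rules, which is the easiest way to confirm the guard rule was emitted above the ACCEPT rules.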