OpenWRT firewall rules are hard to understand, I think FortiGate has a better "user-friendly logic"

Hi there,
I am experienced in using the FortiGate firewall and it is so hard for me to understand how to configure firewall rules on OpenWRT.
There's no "zone" in FortiGate. For example, you can just create a firewall rule "any address or protocol from interface B is allowed to go to any address through interface A" and you can enable NAT on this specific rule; anything plugged into interface B will be able to access the internet (interface A is automatically treated as WAN). Another example: if you want to connect from one local network on interface B to another local network on interface C, you can just create two rules allowing access from each other without enabling NAT. By the way, you can also choose whether to enable web filters/email filters/IPS/SSL inspection per rule; we might not need this feature right now but it is nice to have.
I still don't understand why we need "Zone" and meanwhile we need "Traffic Rules". I never figured out why we need "Zone"; we can just simply configure the firewall based on the traffic direction between two interfaces. We also don't need to NAT everything to WAN to get DHCP or be able to ping the OpenWRT device.
"Why don't you use FortiGate if OpenWRT is so bad?"
"Because I love freedom and OpenWRT."

Not sure how that's hugely different (or less complicated) than allowing forwarding from (for example) a LAN zone to the WAN zone and enabling NAT in the WAN zone.

Again, doesn't sound hugely different (or less complicated) than adding two interfaces to the same zone. Or having them in different zones and allowing forwarding between the two.

Zones allow you to group interfaces with similar firewall requirements together. Traffic rules allow you to add finely grained rules.

You also don't need to do that on OpenWRT.

You can create one zone for each interface, then handle the zones in OpenWrt the same as you did with the interfaces in FortiGate.


OpenWRT (or I) will have trouble if I want this: B and C are allowed to connect to the internet by NAT to interface A, and B and C are allowed to connect to each other WITHOUT NAT. I created zone B and zone C, configured them to connect to the WAN zone and enabled Masquerading. I also configured that zone B and zone C can connect to each other in Traffic Rules. But B and C are using NAT when communicating with each other now...

Where do I configure forwarding between the two?

Why do we need a separate area for finely grained rules? Doesn't putting everything in one rule look more straightforward?

It is by default. One of the default Traffic Rules is to allow DHCP from WAN to local port 68. The only thing I can imagine is that it will forward everything to WAN and start over from there.

What's the difference between covered networks, covered interfaces and covered subnets? This is not straightforward. You can't configure anything without considerable learning beforehand.

Then you've configured it wrong.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

That allows the router to obtain a WAN address from your ISP using DHCP. It's got nothing to do with DHCP on the LAN side of the router.

That means the user interface is not straightforward enough if anyone has a chance to configure it wrong. It sounds ridiculous but it is what it is.
I never made any wrong configuration on FortiGate. It is just easy and straightforward, and I didn't learn anything before I started to work on it. It also has a function that allows you to input source and destination IP, source interface and protocol and see which firewall rule matches.

I am logged in from a phone. I will try to send it.

I don't think so. It was already configured as DHCP client in interface settings.

I'd be willing to bet that, as someone who's never used FortiGate before, I'd have to go double check things to ensure I was setting up things correctly. There's no such thing as a 100% foolproof UI, especially when dealing with complex topics such as firewalls.

Setting the WAN interface to be a DHCP client is not the same thing as allowing DHCP traffic from your ISP through the firewall. The latter part is what the default firewall rule does.


It doesn’t say local port. It says device.

Device is the “router brain” where all the services work. Device isn’t a network.

Port 67 is used for the internal dnsmasq/DHCP server connection.

It really sounds like we are comparing apples and oranges here.
One is a zone-based fw and the other is a non-zone-based fw.

So unless you start reading the fw introduction in the wiki and read it again until you understand the concept of zones, input/output/forward, device and network, I don’t see where we are going here.

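The B/C/WAN scenario from earlier in the thread and the default DHCP rule discussed just above, written out as an /etc/config/firewall fragment. This is an added example, not configuration posted by anyone in the thread; the network names lanB and lanC are assumptions. The point it shows is that masquerading is a property of the zone traffic leaves through, so it belongs on wan only; with no masq on b or c, the B<->C forwardings route without NAT.

```uci
# /etc/config/firewall fragment (added example, not from any poster in this
# thread). Network names lanB and lanC are assumptions; wan is the default.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'            # NAT lives here only: traffic LEAVING via wan is SNATed

config zone
	option name 'b'
	list network 'lanB'        # assumed interface name
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'    # no masq on b or c, so B<->C keeps real source IPs

config zone
	option name 'c'
	list network 'lanC'        # assumed interface name
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
# B -> internet and C -> internet: masqueraded only because they exit via wan
config forwarding
	option src 'b'
	option dest 'wan'
config forwarding
	option src 'c'
	option dest 'wan'

# B <-> C routed directly without NAT; forwardings are one-way, so add both
config forwarding
	option src 'b'
	option dest 'c'
config forwarding
	option src 'c'
	option dest 'b'

# The default rule discussed above: src is set but dest is not, so it applies
# to traffic addressed to the router itself (the "device"), letting the wan
# DHCP client on UDP port 68 receive offers/renewals from the ISP's server.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
```

After editing, `/etc/init.d/firewall restart` reloads the rules; if B<->C traffic still arrives with the router's address as source, check that neither the b nor the c zone has `option masq '1'`.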

I meant "configuration that is not working as I expected"; I always test my configuration in different ways. Sometimes my supervisor also tests it.
By the way, you are free to watch this video to see how it was configured on FortiGate

Do you mean by "device behind OpenWRT get DHCP from ISP modem"? I can configure DHCP relay on my OpenWRT firewall and I don't even need to allow any traffic between my device and ISP modem.

Let me be straight, I don't think a "zone based" firewall makes any sense for users. Not very direct.

I read it and that's why I am posting here.
By the way, you don't need to read anything to start on FortiGate firewall.

You not understanding how a zone based firewall differs from a non-zone based firewall doesn't mean the UI is lacking. Nor does it mean that the FortiGate firewall is more intuitive. It's just what you know.

I have no idea what you're trying to say here, or how it relates to OpenWRT's firewall having a default rule that allows the necessary DHCP traffic to allow the WAN interface to get its IP from the ISP using DHCP (if that's how you configure the interface).

And you're free to hold that opinion. It doesn't however mean the firewall in OpenWRT is flawed or should be changed. Once you grasp the basics it makes a lot more sense, you just have to do a little learning to understand how it differs from what you already know.


How many interfaces have you set up in your router?

Any big enterprise has at least 20 or more VLANs, they all have different rules.

Sorry, maybe I don't. But "non-zone" firewall configuration makes much more sense to people who don't understand "zone" firewalls.
Is there any way to find the link and logic in between?

You are trying to say "in order to get a DHCP IP address from the ISP modem, you have to do both steps (set the interface as DHCP client and allow DHCP traffic in a traffic rule)", am I correct?

"Once you grasp the basics..." Our enemy's product doesn't need you to grasp any basics.

I could say the same about the reverse situation. What you know is always going to make more sense than what you don't.

Yes. The interface needs to know it should attempt to obtain an IP by DHCP AND relevant traffic needs to be able to traverse any firewalls between the DHCP server and client.

I assume this is a reiteration of your previous claims that anyone can just start using the FortiGate firewall and will intuitively know how everything works. If that's your opinion then great; however, I suspect it's swayed by your existing knowledge of how to use that firewall. I have no doubt that a great many people would struggle with it if they had no experience and were just asked to configure it blind.

I can pretty much guarantee you that no serious and big enterprise run OpenWrt.

Those business cases expect guarantees and performance and a container full of legal documents.

But still, if you have 20 interfaces you can collect similar interfaces together (for example, if 15 interfaces only need DNS, DHCP and internet), and you can control all 15 interfaces with 3 unique rules for one zone instead of 45 rules.

And make more specialized rules for the rest of the connections.


Because we pushed IT technicians out with hard-to-understand configurations, isn't it? Also OpenWrt doesn't support one-click upgrade.

Not really. I know some big companies run Gentoo Linux for production servers.

I would rather have 45 rules. It allows me to control it better. FortiGate also allows multi-interface policies.

Do you talk about enterprises or companies?