OpenWRT in QEMU: No internet access for LAN clients without WAN-to-LAN forward, and SYN-flood issue

Generally, I am trying to get an OpenWRT VM functioning as a router and firewall for the host OS as well as other clients connecting on the LAN ports. I am running the latest OpenWRT release (openwrt-19.07.4-layerscape-armv8_64b-ls1046ardb-sdboot-ext4-sdcard.img) as a VM on a FRWY-LS1046A Layerscape board from NXP. The host is running LSDK 20.04 (Update 290520), which is using Linux kernel 5.4.3 and has some Ubuntu userland 18.04 packages installed. I am able to start OpenWRT successfully using QEMU and I am passing in tap0 which is bridged to LAN ports/interfaces on the board (br-lan) and tap1 which is bridged to a port/interface (br-wan) which I am designating as my WAN port (details of the bridging and QEMU commands are shown below). In my setup I have the WAN port connected to another upstream router (with an internet connection) which I typically will not have access to, so the WAN ip address in OpenWRT is assigned via DHCP. I am statically defining the OpenWRT LAN ip address to be 192.168.2.1 so as to not conflict with the upstream router.

The first issue is I must disable synflood/synflood_protect in order to initially connect to the LuCI web ui or via SSH.

My second issue is I must change the "defaults"/General OpenWRT firewall rule from "option forward='REJECT'" to "option forward='ACCEPT'" (or create forwarding rule for port 80 and 443 from wan->lan) in order for clients connected on the LAN to get an internet connection.

There is something fundamentally wrong here, but I am still learning networking in Linux (and OpenWRT) so it is possible I am missing something really simple here.

Note, I have stopped/disabled firewalld (as well as docker since it was adding iptables rules automatically) on my host temporarily to focus on the above issues first. Also, none of the ethernet interfaces on the host system (fm1-mac1, fm1-mac5, fm1-mac6 or fm1-mac10) are configured by the host by default, so as far as I know all of the configuration is shown in the "01_setup_network.sh" below.

01_setup_network.sh:

BR_WAN=br-wan
BR_LAN=br-lan
IF_WAN=fm1-mac5
IF_LAN1=fm1-mac6
IF_LAN2=fm1-mac1
IF_LAN3=fm1-mac10

ip link add $BR_LAN type bridge
ip tuntap add dev tap0 mode tap
ip link set dev tap0 master $BR_LAN
ip link set dev $IF_LAN1 master $BR_LAN
ip link set dev $IF_LAN2 master $BR_LAN
ip link set dev $IF_LAN3 master $BR_LAN

ip link set dev tap0 up
ip link set dev $IF_LAN1 up
ip link set dev $IF_LAN2 up
ip link set dev $IF_LAN3 up
ip link set dev $BR_LAN up
ip addr add 192.168.2.3/24 dev $BR_LAN

ip link add $BR_WAN type bridge
ip tuntap add dev tap1 mode tap
ip link set dev tap1 master $BR_WAN
ip link set dev $IF_WAN master $BR_WAN

ip link set dev tap1 up
ip link set dev $IF_WAN up
ip link set dev $BR_WAN up

From the host FRWY-LS1046A serial terminal, run the script to setup the network and start QEMU:

root@localhost:~# ./01_setup_network.sh

root@localhost:~# ifconfig
br-lan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.3  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::204:9fff:fe06:2f8e  prefixlen 64  scopeid 0x20<link>
        ether 00:04:9f:06:2f:8e  txqueuelen 1000  (Ethernet)
        RX packets 19  bytes 3181 (3.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 1034 (1.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br-wan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::204:9fff:fe06:2f8f  prefixlen 64  scopeid 0x20<link>
        ether 00:04:9f:06:2f:8f  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 2210 (2.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 744 (744.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

fm1-mac1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:04:9f:06:2f:8e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0x1ae0000-1ae0fff

fm1-mac5: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:04:9f:06:2f:8f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0x1ae8000-1ae8fff

fm1-mac6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:04:9f:06:2f:90  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0x1aea000-1aeafff

fm1-mac10: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:04:9f:06:2f:91  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0x1af2000-1af2fff

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 480  bytes 34104 (34.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 480  bytes 34104 (34.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::7488:88ff:fe40:270a  prefixlen 64  scopeid 0x20<link>
        ether 76:88:88:40:27:0a  txqueuelen 1000  (Ethernet)
        RX packets 19  bytes 3447 (3.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 876 (876.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::44d8:baff:fea2:3d5e  prefixlen 64  scopeid 0x20<link>
        ether 46:d8:ba:a2:3d:5e  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 2406 (2.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 876 (876.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Run the qemu command:
root@localhost:~# qemu-system-aarch64 -smp 4 -m 1024 -cpu host -machine type=virt -kernel /boot/Image -enable-kvm -display none -serial tcp::4446,server,telnet,nowait -drive if=none,file=openwrt-19.07.4-layerscape-armv8_64b-ls1046ardb-sdboot-ext4-sdcard.img,id=foo,format=raw -device virtio-blk-device,drive=foo -netdev tap,id=tap0,script=no,downscript=no,ifname="tap0",vhost=on -device virtio-net-pci,netdev=tap0 -netdev tap,id=tap1,script=no,downscript=no,ifname="tap1",vhost=on -device virtio-net-pci,netdev=tap1 -append 'root=/dev/vda1 rw console=ttyAMA0 rootwait earlyprintk' -daemonize -name openwrt,process=qemu-openwrt -monitor tcp::4447,server,telnet,nowait

NOTE: At this point the OpenWRT VM is booting up because I set the "nowait" parameter... I am also running qemu as a daemon. Other notable qemu options are that I am using KVM mode since the openwrt image supports the LS1046 hardware, and I am using the "virtio-net-pci" with tap and "vhost=on" for optimal performance. Details can be found in the NXP Layerscape SDK (LSDK) documentation:

With my development PC connected to LAN1, I get an ip address in the 192.168.1.x range by default; however, I am not able to connect via SSH. I am also not able to connect to LuCI web ui on 192.168.1.1. If I set my development PC to static IP (192.168.2.100 for example), I am able to connect via telnet to see the QEMU stdout and console using:
> telnet 192.168.2.3 4446

I then change OpenWRT br-lan ip address to 192.168.2.1 as follows:

root@OpenWrt:/# uci set network.lan.ipaddr='192.168.2.1'
root@OpenWrt:/# uci commit
root@OpenWrt:/# reboot

NOTE: I have not yet plugged in the ethernet cable to the WAN port so eth1 in OpenWRT is not yet getting an ip via DHCP.

root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          inet6 addr: fd6e:74f1:b54::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17661 (17.2 KiB)  TX bytes:8676 (8.4 KiB)

eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22175 (21.6 KiB)  TX bytes:10235 (9.9 KiB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:12:34:57
          inet6 addr: fe80::5054:ff:fe12:3457/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:140 (140.0 B)  TX bytes:10554 (10.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:96 errors:0 dropped:0 overruns:0 frame:0
          TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6528 (6.3 KiB)  TX bytes:6528 (6.3 KiB)

At this point I am still not able to connect to OpenWRT via SSH (on 192.168.2.1) or connect to the Luci web ui (192.168.2.1).

The next step is I edit /etc/config/firewall by commenting out 'option syn_flood 1' and rebooting.

config defaults
#        option syn_flood        1

Now, I am able to successfully connect to the LuCI web ui and via SSH from my development PC.

The next step is to plug an ethernet cable into my WAN port on the FRWY-LS1046A which connects to an upstream router. Upon doing so, OpenWRT eth1 gets a new ip successfully and I can ping google.com from inside the OpenWRT VM.

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd6e:74f1:b54::1/60 Scope:Global
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:437 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104547 (102.0 KiB)  TX bytes:41541 (40.5 KiB)

eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:443 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:126177 (123.2 KiB)  TX bytes:43010 (42.0 KiB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:12:34:57
          inet addr:10.1.10.173  Bcast:10.1.10.255  Mask:255.255.255.0
          inet6 addr: 2603:301f:2701:800:5054:ff:fe12:3457/64 Scope:Global
          inet6 addr: fe80::5054:ff:fe12:3457/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20582 (20.0 KiB)  TX bytes:43487 (42.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10880 (10.6 KiB)  TX bytes:10880 (10.6 KiB)

On my Windows development PC the network appears to be connected (Does NOT indicate "No internet access" at least), however I am not able to access the internet in a web browser or ping google.com. The ip addr on the development PC is in the 192.168.2.x range as expected and can ping other devices in that subnet on the LAN.

>ping google.com
Pinging google.com [172.217.164.174] with 32 bytes of data:
Request timed out.

The only way I have found to get past this is either to change the default firewall forward option to accept:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        #option forward 'REJECT'
        option forward 'ACCEPT'

...or to add firewall rules to allow the HTTP and HTTPS ports to be forwarded from wan to lan:

config rule
        option src_port '80'
        option src 'wan'
        option target 'ACCEPT'
        option dest 'lan'
        option name 'Allow-HTTP'

config rule
        option src_port '443'
        option src 'wan'
        option name 'Allow-HTTPS'
        option dest 'lan'
        option target 'ACCEPT'

Previously, I have tried adding the following to /etc/sysctl.conf, but it does not seem to make a difference.

net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp=1
net.ipv6.conf.all.forwarding=1

Here is some additional info from the host side:

root@localhost:~# ip route show
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.3

root@localhost:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.00049f062f8e       no              fm1-mac1
                                                        fm1-mac10
                                                        fm1-mac6
                                                        tap0
br-wan          8000.00049f062f8f       no              fm1-mac5
                                                        tap1
root@localhost:~# iptables-save
# Generated by iptables-save v1.6.1 on Thu Oct  8 15:45:33 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Oct  8 15:45:33 2020
# Generated by iptables-save v1.6.1 on Thu Oct  8 15:45:33 2020
*mangle
:PREROUTING ACCEPT [46954:13886647]
:INPUT ACCEPT [7416:590059]
:FORWARD ACCEPT [38803:13052634]
:OUTPUT ACCEPT [6794:522481]
:POSTROUTING ACCEPT [45597:13575115]
COMMIT
# Completed on Thu Oct  8 15:45:33 2020
# Generated by iptables-save v1.6.1 on Thu Oct  8 15:45:33 2020
*filter
:INPUT ACCEPT [7416:590059]
:FORWARD ACCEPT [38803:13052634]
:OUTPUT ACCEPT [6794:522481]
COMMIT
# Completed on Thu Oct  8 15:45:33 2020

Here is some additional information from the OpenWRT side.
I have left everything at the default (out of the box) settings except for changing the lan ip address to 192.168.2.1... and temporarily disabling synflood and adding the "Allow-HTTP" and "Allow-HTTPS" rules for testing.

root@OpenWrt:~# fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[9] (Allow-HTTP) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[10] (Allow-HTTPS) does not specify a protocol, assuming TCP+UDP
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p tcp -m tcp --sport 80 -m comment --comment "!fw3: Allow-HTTP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --sport 80 -m comment --comment "!fw3: Allow-HTTP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p tcp -m tcp --sport 443 -m comment --comment "!fw3: Allow-HTTPS" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --sport 443 -m comment --comment "!fw3: Allow-HTTPS" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
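
Editor's note on the "fw3 print" output above: several rules that fw3 emits for every default configuration are absent from it. There is no "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" rule in INPUT or FORWARD, the "reject" chain is created but never populated with its REJECT rules, and no mangle-table TCPMSS MTU-fixing rule is printed for the wan zone even though "mtu_fix" is set. Without the conntrack rules, the reply half of every LAN-originated connection is evaluated as a brand-new wan-to-lan flow and falls through to the REJECT policy, which is consistent with the symptoms described here (the router itself reaches the internet, LAN clients do not, and the LAN shows SYN/ACK retransmissions). Because the QEMU command boots the host's /boot/Image rather than the kernel shipped inside the OpenWRT image, it is worth confirming that the netfilter extensions fw3 relies on are actually registered in the running kernel. The Allow-HTTP/Allow-HTTPS workaround, for its part, accepts any wan packet whose source port happens to be 80 or 443 into the lan, so it is best treated as a temporary diagnostic rather than a fix.

The script below is an added example written for this note; it is not part of the original post or of OpenWRT. "audit_rules" checks a "fw3 print" or "iptables-save" dump for the stateful rules just named, and "check_xt_extensions" compares the match/target names the kernel registered (read from /proc/net/ip_tables_matches and /proc/net/ip_tables_targets, which exist once x_tables is loaded) against the ones the default ruleset uses. The lists of required patterns and extension names are this example's own choices, not an fw3 interface, and the file-path arguments exist so the check can be run against copies saved from the VM.

```shell
#!/bin/sh
# Added example (not from the original post or OpenWRT): audit a firewall rule
# dump for the stateful pieces a NAT router depends on, and check which
# x_tables extensions the running kernel registered. POSIX sh; uses grep/cat only.

# audit_rules: read `fw3 print` or `iptables-save` style rules (one per line)
# from stdin, print every required pattern that is absent, and return non-zero
# if anything is missing. Without RELATED,ESTABLISHED in FORWARD, reply packets
# of LAN-originated connections are judged as new wan->lan flows and rejected.
audit_rules() {
    rules=$(cat)
    missing=0
    # Patterns are this example's choice of what a default fw3 ruleset contains.
    for pattern in \
        'FORWARD .*-m conntrack --ctstate RELATED,ESTABLISHED .*-j ACCEPT' \
        'INPUT .*-m conntrack --ctstate RELATED,ESTABLISHED .*-j ACCEPT' \
        'reject -p tcp .*-j REJECT --reject-with tcp-reset' \
        'zone_wan_postrouting .*-j MASQUERADE' \
        'TCPMSS --clamp-mss-to-pmtu'
    do
        if ! printf '%s\n' "$rules" | grep -Eq -- "$pattern"; then
            echo "missing rule: $pattern"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_xt_extensions: verify that the match and target extensions the default
# ruleset needs are registered in the kernel. The procfs files list one
# extension name per line; paths may be overridden to test against saved copies.
check_xt_extensions() {
    matches_file=${1:-/proc/net/ip_tables_matches}
    targets_file=${2:-/proc/net/ip_tables_targets}
    missing=0
    # "limit" backs the syn_flood chain; "conntrack" backs the stateful rules.
    for m in conntrack comment limit tcp udp icmp; do
        if ! grep -qx -- "$m" "$matches_file" 2>/dev/null; then
            echo "kernel match extension missing: $m"
            missing=$((missing + 1))
        fi
    done
    for t in MASQUERADE REJECT TCPMSS; do
        if ! grep -qx -- "$t" "$targets_file" 2>/dev/null; then
            echo "kernel target extension missing: $t"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use on the router: `sh audit_fw.sh --live` audits the live
# ruleset and then the kernel's registered extensions.
if [ "${1:-}" = "--live" ]; then
    iptables-save | audit_rules
    check_xt_extensions
fi
```

Run on the OpenWRT VM, a non-zero exit from the first function with the conntrack patterns listed as missing, together with "conntrack" absent from the kernel's match list, would point at the kernel rather than at the UCI firewall configuration, and the same two checks can be repeated on the FRWY host to compare what its own kernel provides.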

/etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src_port '80'
        option src 'wan'
        option target 'ACCEPT'
        option dest 'lan'
        option name 'Allow-HTTP'

config rule
        option src_port '443'
        option src 'wan'
        option name 'Allow-HTTPS'
        option dest 'lan'
        option target 'ACCEPT'

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6e:74f1:0b54::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

I just wanted to provide some additional information. I have tried the following links below to allow internet access and they don't seem to have an effect. Running wireshark on my development PC, I see lots of TCP retransmissions for SYN and ACK (on the local network) which partially explains why I need to disable SYN-flood protection.