Generally, I am trying to get an OpenWRT VM functioning as a router and firewall for the host OS as well as other clients connecting on the LAN ports. I am running the latest OpenWRT release (openwrt-19.07.4-layerscape-armv8_64b-ls1046ardb-sdboot-ext4-sdcard.img) as a VM on a FRWY-LS1046A Layerscape board from NXP. The host is running LSDK 20.04 (Update 290520), which is using Linux kernel 5.4.3 and has some Ubuntu userland 18.04 packages installed. I am able to start OpenWRT successfully using QEMU and I am passing in tap0 which is bridged to LAN ports/interfaces on the board (br-lan) and tap1 which is bridged to a port/interface (br-wan) which I am designating as my WAN port (details of the bridging and QEMU commands are shown below). In my setup I have the WAN port connected to another upstream router (with an internet connection) which I typically will not have access to, so the WAN ip address in OpenWRT is assigned via DHCP. I am statically defining the OpenWRT LAN ip address to be 192.168.2.1 so as to not conflict with the upstream router.
The first issue is that I must disable synflood/synflood_protect in order to initially connect to the LuCI web ui or via SSH.
My second issue is that I must change the "defaults"/General OpenWRT firewall rule from "option forward='REJECT'" to "option forward='ACCEPT'" (or create a forwarding rule for ports 80 and 443 from wan->lan) in order for clients connected on the LAN to get an internet connection.
There is something fundamentally wrong here, but I am still learning networking in Linux (and OpenWRT) so it is possible I am missing something really simple here.
Note, I have stopped/disabled firewalld (as well as docker since it was adding iptables rules automatically) on my host temporarily to focus on the above issues first. Also, none of the ethernet interfaces on the host system (fm1-mac1, fm1-mac5, fm1-mac6 or fm1-mac10) are configured by the host by default, so as far as I know all of the configuration is shown in the "01_setup_network.sh" below.
01_setup_network.sh:
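#!/usr/bin/env bash
# 01_setup_network.sh — host-side bridges for the OpenWrt VM.
#
# Builds two Linux bridges and one tap device per bridge:
#   br-lan: tap0 + fm1-mac6, fm1-mac1, fm1-mac10; the host gets 192.168.2.3/24
#           here, i.e. it is a LAN-side client of the VM.
#   br-wan: tap1 + fm1-mac5; no IPv4 address is assigned to the host on this
#           bridge, so the upstream network is reached only through the VM.
# The taps are handed to QEMU (ifname=tap0 / ifname=tap1), so routing, NAT and
# firewall policy for LAN clients live inside the VM, not on this host.
# Must run as root (netlink operations). Not idempotent: with `set -e` a re-run
# stops at the first "File exists" error instead of continuing past it.
#
# NOTE(review): no default route via 192.168.2.1 is configured for the host
# itself; after this script the host only has the on-link 192.168.2.0/24 route.
# NOTE(review): the VM is booted with the host's /boot/Image rather than the
# OpenWrt image's own kernel, so OpenWrt's out-of-tree kernel modules (netfilter
# matches among them) may fail to load in the guest — confirm this before
# loosening firewall policy to work around rules that appear to be missing.
set -eu

BR_WAN=br-wan
BR_LAN=br-lan
IF_WAN=fm1-mac5
IF_LAN1=fm1-mac6
IF_LAN2=fm1-mac1
IF_LAN3=fm1-mac10

# --- LAN side: bridge, VM tap, physical LAN ports --------------------------
ip link add "$BR_LAN" type bridge
ip tuntap add dev tap0 mode tap
ip link set dev tap0 master "$BR_LAN"
for lan_if in "$IF_LAN1" "$IF_LAN2" "$IF_LAN3"; do
  ip link set dev "$lan_if" master "$BR_LAN"
done
ip link set dev tap0 up
for lan_if in "$IF_LAN1" "$IF_LAN2" "$IF_LAN3"; do
  ip link set dev "$lan_if" up
done
ip link set dev "$BR_LAN" up
# Host address on the LAN segment (same /24 as the VM's 192.168.2.1).
ip addr add 192.168.2.3/24 dev "$BR_LAN"

# --- WAN side: bridge, VM tap, physical WAN port ---------------------------
ip link add "$BR_WAN" type bridge
ip tuntap add dev tap1 mode tap
ip link set dev tap1 master "$BR_WAN"
ip link set dev "$IF_WAN" master "$BR_WAN"
ip link set dev tap1 up
ip link set dev "$IF_WAN" up
ip link set dev "$BR_WAN" up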
From the host FRWY-LS1046A serial terminal, run the script to setup the network and start QEMU:
root@localhost:~# ./01_setup_network.sh
root@localhost:~# ifconfig
br-lan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.3 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::204:9fff:fe06:2f8e prefixlen 64 scopeid 0x20<link>
ether 00:04:9f:06:2f:8e txqueuelen 1000 (Ethernet)
RX packets 19 bytes 3181 (3.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11 bytes 1034 (1.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-wan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::204:9fff:fe06:2f8f prefixlen 64 scopeid 0x20<link>
ether 00:04:9f:06:2f:8f txqueuelen 1000 (Ethernet)
RX packets 14 bytes 2210 (2.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 744 (744.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
fm1-mac1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:04:9f:06:2f:8e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x1ae0000-1ae0fff
fm1-mac5: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:04:9f:06:2f:8f txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x1ae8000-1ae8fff
fm1-mac6: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:04:9f:06:2f:90 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x1aea000-1aeafff
fm1-mac10: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:04:9f:06:2f:91 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x1af2000-1af2fff
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 480 bytes 34104 (34.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 480 bytes 34104 (34.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::7488:88ff:fe40:270a prefixlen 64 scopeid 0x20<link>
ether 76:88:88:40:27:0a txqueuelen 1000 (Ethernet)
RX packets 19 bytes 3447 (3.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 876 (876.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::44d8:baff:fea2:3d5e prefixlen 64 scopeid 0x20<link>
ether 46:d8:ba:a2:3d:5e txqueuelen 1000 (Ethernet)
RX packets 14 bytes 2406 (2.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 876 (876.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Run the qemu command:
root@localhost:~# qemu-system-aarch64 -smp 4 -m 1024 -cpu host -machine type=virt -kernel /boot/Image -enable-kvm -display none -serial tcp::4446,server,telnet,nowait -drive if=none,file=openwrt-19.07.4-layerscape-armv8_64b-ls1046ardb-sdboot-ext4-sdcard.img,id=foo,format=raw -device virtio-blk-device,drive=foo -netdev tap,id=tap0,script=no,downscript=no,ifname="tap0",vhost=on -device virtio-net-pci,netdev=tap0 -netdev tap,id=tap1,script=no,downscript=no,ifname="tap1",vhost=on -device virtio-net-pci,netdev=tap1 -append 'root=/dev/vda1 rw console=ttyAMA0 rootwait earlyprintk' -daemonize -name openwrt,process=qemu-openwrt -monitor tcp::4447,server,telnet,nowait
NOTE: At this point the OpenWRT VM is booting up because I set the "nowait" parameter... I am also running qemu as a daemon. Other notable qemu options are that I am using KVM mode since the openwrt image supports the LS1046 hardware, and I am using the "virtio-net-pci" with tap and "vhost=on" for optimal performance. Details can be found in the NXP Layerscape SDK (LSDK) documentation:
With my development PC connected to LAN1, I get an ip address in the 192.168.1.x range by default, however I am not able to connect via SSH. I am also not able to connect to LuCI web ui on 192.168.1.1. If I set my development PC to static IP (192.168.2.100 for example), I am able to connect via telnet to see the QEMU stdout and console using:
> telnet 192.168.2.3 4446
I then change OpenWRT br-lan ip address to 192.168.2.1 as follows:
root@OpenWrt:/# uci set network.lan.ipaddr='192.168.2.1'
root@OpenWrt:/# uci commit
root@OpenWrt:/# reboot
NOTE: I have not yet plugged in the ethernet cable to the WAN port so eth1 in OpenWRT is not yet getting an ip via DHCP.
root@OpenWrt:/# ifconfig
br-lan Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
inet6 addr: fd6e:74f1:b54::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:296 errors:0 dropped:0 overruns:0 frame:0
TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17661 (17.2 KiB) TX bytes:8676 (8.4 KiB)
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:302 errors:0 dropped:0 overruns:0 frame:0
TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22175 (21.6 KiB) TX bytes:10235 (9.9 KiB)
eth1 Link encap:Ethernet HWaddr 52:54:00:12:34:57
inet6 addr: fe80::5054:ff:fe12:3457/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:140 (140.0 B) TX bytes:10554 (10.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:96 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6528 (6.3 KiB) TX bytes:6528 (6.3 KiB)
At this point I am still not able to connect to OpenWRT via SSH (on 192.168.2.1) or connect to the Luci web ui (192.168.2.1).
The next step is I edit /etc/config/firewall by commenting out 'option syn_flood 1' and rebooting.
config defaults
# option syn_flood 1
Now I am able to successfully connect to the LuCI web ui and via SSH from my development PC.
The next step is to plug an ethernet cable into my WAN port on the FRWY-LS1046A, which connects to an upstream router. Upon doing so, OpenWRT eth1 successfully gets an IP address and I can ping google.com from inside the OpenWRT VM.
root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fd6e:74f1:b54::1/60 Scope:Global
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1461 errors:0 dropped:0 overruns:0 frame:0
TX packets:437 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:104547 (102.0 KiB) TX bytes:41541 (40.5 KiB)
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1479 errors:0 dropped:0 overruns:0 frame:0
TX packets:443 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:126177 (123.2 KiB) TX bytes:43010 (42.0 KiB)
eth1 Link encap:Ethernet HWaddr 52:54:00:12:34:57
inet addr:10.1.10.173 Bcast:10.1.10.255 Mask:255.255.255.0
inet6 addr: 2603:301f:2701:800:5054:ff:fe12:3457/64 Scope:Global
inet6 addr: fe80::5054:ff:fe12:3457/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20582 (20.0 KiB) TX bytes:43487 (42.4 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:160 errors:0 dropped:0 overruns:0 frame:0
TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10880 (10.6 KiB) TX bytes:10880 (10.6 KiB)
On my Windows development PC the network appears to be connected (Does NOT indicate "No internet access" at least), however I am not able to access the internet in a web browser or ping google.com. The ip addr on the development PC is in the 192.168.2.x range as expected and can ping other devices in that subnet on the LAN.
>ping google.com
Pinging google.com [172.217.164.174] with 32 bytes of data:
Request timed out.
The only way I have found to get past this is either to change the default firewall forward option to accept:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
#option forward 'REJECT'
option forward 'ACCEPT'
...or to add firewall rules allowing the HTTP and HTTPS ports to be forwarded from wan to lan:
config rule
option src_port '80'
option src 'wan'
option target 'ACCEPT'
option dest 'lan'
option name 'Allow-HTTP'
config rule
option src_port '443'
option src 'wan'
option name 'Allow-HTTPS'
option dest 'lan'
option target 'ACCEPT'
Previously, I have tried adding the following to /etc/sysctl.conf, but it does not seem to make a difference.
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp=1
net.ipv6.conf.all.forwarding=1
Here is some additional info from the host side:
root@localhost:~# ip route show
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.3
root@localhost:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.00049f062f8e no fm1-mac1
fm1-mac10
fm1-mac6
tap0
br-wan 8000.00049f062f8f no fm1-mac5
tap1
root@localhost:~# iptables-save
# Generated by iptables-save v1.6.1 on Thu Oct 8 15:45:33 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Oct 8 15:45:33 2020
# Generated by iptables-save v1.6.1 on Thu Oct 8 15:45:33 2020
*mangle
:PREROUTING ACCEPT [46954:13886647]
:INPUT ACCEPT [7416:590059]
:FORWARD ACCEPT [38803:13052634]
:OUTPUT ACCEPT [6794:522481]
:POSTROUTING ACCEPT [45597:13575115]
COMMIT
# Completed on Thu Oct 8 15:45:33 2020
# Generated by iptables-save v1.6.1 on Thu Oct 8 15:45:33 2020
*filter
:INPUT ACCEPT [7416:590059]
:FORWARD ACCEPT [38803:13052634]
:OUTPUT ACCEPT [6794:522481]
COMMIT
# Completed on Thu Oct 8 15:45:33 2020
Here is some additional information from the OpenWRT side.
I have left everything at the default (out of the box) settings except for changing the lan ip address to 192.168.2.1... and temporarily disabling synflood and adding the "Allow-HTTP" and "Allow-HTTPS" rules for testing.
root@OpenWrt:~# fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[9] (Allow-HTTP) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[10] (Allow-HTTPS) does not specify a protocol, assuming TCP+UDP
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p tcp -m tcp --sport 80 -m comment --comment "!fw3: Allow-HTTP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --sport 80 -m comment --comment "!fw3: Allow-HTTP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p tcp -m tcp --sport 443 -m comment --comment "!fw3: Allow-HTTPS" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --sport 443 -m comment --comment "!fw3: Allow-HTTPS" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
/etc/config/firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src_port '80'
option src 'wan'
option target 'ACCEPT'
option dest 'lan'
option name 'Allow-HTTP'
config rule
option src_port '443'
option src 'wan'
option name 'Allow-HTTPS'
option dest 'lan'
option target 'ACCEPT'
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd6e:74f1:0b54::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'