Philips bridge requests are not blocked by firewall

Hi,

I have Pi-hole configured as my DNS on br-lan under "Use custom DNS servers".
This is the only place where I specify the Pi-hole's address as DNS.

I have a Philips Hue bridge whose internet access I want to block completely.

To do that, in Firewall → Traffic Rules I added a rule that drops all traffic from the bridge's IP when the destination zone is wan.

The strange thing is that on Pi-hole I'm seeing requests from the bridge every 30 seconds, and I don't understand why.

(Another topic, but for requests on Pi-hole I'm only seeing the router IP. I guess I'll see the client's own IP only for static IPs, and for all dynamic IPs I'll always see just the router IP?)

It's worth noting that the bridge may be making DNS requests but still not have access to the internet.

How have you determined that the Hue Bridge is still able to access the internet?

You can block internet access for the device itself either with the OpenWrt firewall or with DNS blocks using the pihole.

But, at least with respect to the OpenWrt situation... The best way to understand your issue is for us to look at your configs...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board output

{
	"kernel": "5.15.167",
	"hostname": "biTc0d",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "ZyXEL NBG6817",
	"board_name": "zyxel,nbg6817",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

cat /etc/config/network output

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ipv6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config device
	option name 'eth1.1'
	option macaddr 'xx:xx:xx:xx:56'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.23.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	list dns '192.168.23.2'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:57'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option username 'user'
	option password 'pass'
	option ipv6 '0'
	option peerdns '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config interface 'HomeVPN'
	option proto 'wireguard'
	option private_key 'priv'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

config wireguard_HomeVPN
	option description 'phone'
	option public_key 'pub'
	option private_key 'priv'
	option preshared_key 'shared'
	list allowed_ips '10.0.100.2/32'

config device
	option name 'eth0'

config wireguard_HomeVPN
	option description 'Laptop'
	option public_key 'pub'
	option private_key 'priv'
	option preshared_key 'shared'
	list allowed_ips '10.10.10.3/24'

cat /etc/config/wireless output

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'VHT160'
	option cell_density '0'
	option country 'country'
	option txpower '26'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'ssid1'
	option encryption 'psk2'
	option key 'pass'
	option ieee80211w '2'
	option hidden '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'country'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'ssid2'
	option encryption 'sae'
	option key 'pass'
	option network 'lan'

cat /etc/config/dhcp output



config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '200'
	option limit '250'
	option leasetime '6h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'PhilipsBridge'
	list mac 'xx:xx:xx:xx:xx'
	option ip '192.168.23.60'
	option leasetime 'infinite'

...

config domain
	option name 'router.lan'
	option ip '192.168.23.1'

config domain
	option name 'pihole.lan'
	option ip '192.168.23.2'

config domain
	option name 'bridge.lan'
	option ip '192.168.23.60'

...

cat /etc/config/firewall output

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'HomeVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Block-Bridge-Internet'
	option src 'lan'
	list src_ip '192.168.23.60'
	option dest 'wan'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'Block-Printer-Internet'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.23.70'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Block Synalogy Outgoing'
	option src 'lan'
	list src_ip '192.168.23.30'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Block-Jellyfin-Media'
	option src 'lan'
	list src_ip '192.168.23.11'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Block Proxmox Outgoing'
	option src 'lan'
	list src_ip '192.168.23.10'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule
	option name 'Block-HA-Internet'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	list proto 'all'
	list src_ip '192.168.23.15'

config rule
	option name 'Block-Iphone-X-Internet'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	list proto 'all'
	list src_ip '192.168.23.120'

config rule
	option name 'Drop-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'Drop-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'DROP'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Drop-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'DROP'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'AllowHomeVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.10.10.10.1'
	option dest_port '51820'

config zone
	option name 'IOT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.23.2'
	option dest_port '53'
	option enabled '0'

I know I can block the requests on Pi-hole, but why inspect every request and block it there (some of those requests may be legitimate ones from other clients), when the better way is to block the bridge's requests to the outside world internally via the firewall?

thank you

As the image shows, I blocked all requests to meethue.com, but there are also legitimate requests that I don't want to block via Pi-hole.

I would like to be able to block all of its requests via the firewall.

I do see a bunch of issues in your config, but none of them relevant to this question (and I don't actually have the time to address them now).

This should effectively drop all outgoing access from the bridge to the internet. As a result, the DNS lookups the device is doing (to the Pi-hole) shouldn't really matter: the Pi-hole is on the LAN at 192.168.23.2, so those lookups never enter the wan zone and the rule does not apply to them, while any connection the bridge then attempts to the resolved internet address is dropped.

What is it that you feel is not working properly?

The image I attached looks like the bridge still makes outside connections (like syncing with NTP, and meethue, which I manually blocked after I saw it makes lots of requests to it).

When you have time please let me know what are the issues and how to fix them. Thank you

That is not what it looks like to me. I see DNS requests, but that doesn't mean that it is actually able to reach the internet.


That is not OK: start + limit must be below 255, and here 200 + 250 exceeds the /24.

Also not OK — the 'AllowHomeVPN' redirect is unnecessary because WireGuard listens on the router itself (and its dest_ip '10.10.10.10.1' is not a valid address); a simple allow rule should do:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

But neither of those is related to your problem either.

