Hi,
I'm new to OpenWRT. My setup is most likely default:
ISP <- IPv4+v6 -> Fritzbox with IPv4 and IPv6 enabled <-> OpenWrt with WAN-interface as DHCP-client
I modified the default setup like this:
disabled masquerading on the WAN zone (to avoid double NAT)
added IPv4 and IPv6 routes for communication between the Fritzbox and OpenWrt
I understand that, out of the box:
OpenWrt can query DNS provided by Fritzbox.
Fritzbox cannot query the DNS provided by OpenWrt
only after adding a firewall-rule from source WAN, Fritzbox can query the DNS of OpenWRT
My problem:
Querying the OpenWRT DNS via its IPv4 address works, but queries to the ULA IP are rejected. After switching the WAN zone from Input Reject to Input Accept, queries to the ULA IP are answered as well.
Why?
My expectation is that I have to set Input on zone WAN to accept so that incoming requests for the DNS service located on the OpenWRT device are accepted.
DNS requests via IPv4 are processed although WAN Input was set to REJECT.
DNS requests via IPv6 were blocked. So I changed WAN Input from REJECT to ACCEPT, which made the requests be processed.
I can modify the behaviour of my IPv6-requests with the WAN-INPUT-setting:
ACCEPT => nslookup is answered
REJECT => nslookup is immediately rejected
DROP => nslookup runs into timeout
All as expected.
Why are IPv4 requests from WAN to OpenWrt answered although WAN INPUT is set to REJECT, regardless of whether the Fritzbox-side IP of OpenWrt or the LAN IP of OpenWrt is being queried?
I found the reason.
My explicit firewall rule which opens DNS requests coming from WAN to "this device" had a typo in the source IPv6 address.
I now also see clearly that I had a false understanding of the INPUT/OUTPUT/FORWARD concept of zones.
I thought traffic must be ACCEPTed within the zone setting AND there also has to exist an explicit firewall rule which allows the traffic. But this is wrong.
WAN INPUT accept is equal to this explicit rule:
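As an added illustration of the zone concept the thread arrives at (this is example code, not the poster's configuration or OpenWrt's own implementation), the following Python model mimics how OpenWrt's firewall decides the fate of traffic addressed to the router itself: explicit traffic rules with src=wan and no destination zone are evaluated first, and only if none matches does the zone's "input" policy apply. The zone, rule names and the Fritzbox addresses are constructed for the example. Running the three scenarios reproduces the behaviour described above: with input REJECT and a mistyped ULA in the rule, IPv4 DNS is answered but IPv6 DNS is rejected; switching input to ACCEPT answers IPv6 DNS but also admits every other service on the router (SSH in the example); fixing the ULA in the rule answers IPv6 DNS while keeping everything else rejected.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Minimal model of OpenWrt zone input policy versus explicit traffic rules.
# Constructed for this example; not the poster's config or OpenWrt code.

@dataclass
class Zone:
    name: str
    input: str                       # default policy: ACCEPT, REJECT or DROP

@dataclass
class Rule:
    name: str
    src: str                         # source zone
    target: str                      # ACCEPT, REJECT or DROP
    proto: set = field(default_factory=lambda: {"tcp", "udp"})
    dest_port: Optional[int] = None  # None = any port
    family: str = "any"              # "ipv4", "ipv6" or "any"
    src_ip: Optional[str] = None     # host or CIDR; None = any source

@dataclass
class Packet:
    src_zone: str
    src_ip: str
    proto: str
    dest_port: int

    @property
    def family(self) -> str:
        return "ipv6" if ipaddress.ip_address(self.src_ip).version == 6 else "ipv4"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every configured criterion of the rule fits the packet."""
    if rule.src != pkt.src_zone or pkt.proto not in rule.proto:
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dest_port:
        return False
    if rule.family != "any" and rule.family != pkt.family:
        return False
    if rule.src_ip is not None:
        net = ipaddress.ip_network(rule.src_ip, strict=False)
        addr = ipaddress.ip_address(pkt.src_ip)
        if addr.version != net.version or addr not in net:
            return False
    return True

def decide(zones: dict, rules: list, pkt: Packet) -> str:
    """Verdict for a packet destined to the router ("this device")."""
    for rule in rules:               # explicit rules are checked first, in order
        if rule_matches(rule, pkt):
            return rule.target
    return zones[pkt.src_zone].input # otherwise the zone's input policy applies

# Constructed Fritzbox addresses (assumed, not from the thread).
FRITZBOX_V4 = "192.168.178.1"
FRITZBOX_ULA = "fd12:3456:789a::1"
FRITZBOX_ULA_TYPO = "fd12:3456:789b::1"   # one hex digit off, as in the thread

def outcomes(wan_input: str, rule_src_ip6: str) -> dict:
    """Verdicts for DNS over IPv4, DNS over IPv6 and SSH over IPv6 from WAN."""
    zones = {"wan": Zone("wan", wan_input)}
    rules = [
        Rule("Allow-DNS-v4", src="wan", target="ACCEPT", dest_port=53,
             family="ipv4", src_ip=FRITZBOX_V4),
        Rule("Allow-DNS-v6", src="wan", target="ACCEPT", dest_port=53,
             family="ipv6", src_ip=rule_src_ip6),
    ]
    return {
        "dns_v4": decide(zones, rules, Packet("wan", FRITZBOX_V4, "udp", 53)),
        "dns_v6": decide(zones, rules, Packet("wan", FRITZBOX_ULA, "udp", 53)),
        "ssh_v6": decide(zones, rules, Packet("wan", FRITZBOX_ULA, "tcp", 22)),
    }

if __name__ == "__main__":
    print("REJECT + typo  :", outcomes("REJECT", FRITZBOX_ULA_TYPO))
    print("ACCEPT + typo  :", outcomes("ACCEPT", FRITZBOX_ULA_TYPO))
    print("REJECT + fixed :", outcomes("REJECT", FRITZBOX_ULA))
```

The point the model makes is that an explicit rule and the zone input policy are alternatives, not both required: a rule is enough on its own, and a zone-wide ACCEPT is the broader of the two because it admits every service on the router, not only DNS.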