Questions about configuring Firewall

Hello all,
I am new to openwrt 22.03..
I have setup several FW zones.

lan,wlan,wan,dmz
wlan is a bridge for 2 Wi-Fi APs (802.11g/n + 802.11ac)

These are my rules:

Zone => Forwardings      | Input   Output   Forward   Masquerade
(defaults)               | drop    drop     drop
lan  => wan,wlan,dmz     | accept  accept   drop      none
wan  => drop             | drop    accept   drop      masquerade
dmz  => drop             | drop    drop     drop      none
wlan => wlan             | drop    accept   drop      none

Then I have a Traffic Rule (DNS + DHCP) to assist Wireless LAN devices:

Incoming ipv4
From wlan
to this_device, port 53,67,68  accept

I noticed that, sometimes, on reboot I get a Guest network, and also plenty of Port Forwards, and that scares the hell out of me.. I just deleted them.
Now it seems the problem is solved, but can they appear again?

I also have 2 more questions:

  1. Do I need those 'accept' in the Output chain?
    If I don't put them, I have no Internet or Wi-Fi.. :frowning:

  2. I have a lot of listening interfaces for dnsmasq. Am I secure with this scheme?
    Are the ssh and http servers protected from wlan and wan??

Thanks in advance for your help on this,
Best Regards,
gandalph

upon a reboot? This sounds really strange. Unless your storage is full, the configuration files don't spontaneously change (and if it is full, usually they will end up in the last saved state before the storage filled up, and you cannot write/delete anything in that mode).

It's not clear to me how a guest network and port forwards appeared on your router unless you (or someone) had configured those things in the first place... what you're describing would not be part of the default configuration, so it could only appear if explicitly added and/or if you're using a firmware version that has been customized outside the standard official OpenWrt context.

If you drop/reject the output chain, you will break the routing. So, yes, you need it.

What do you mean by this?

Yes, unless you have rules that allow input (your general zone rules appear to drop input).

We can review your config if you'd like...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello,
Many thanks for your help on this.

Ok, I will leave them :slight_smile:

I mean, are these services (dnsmasq) secure from attacks coming from wlan and wan?

Thanks. What is the general rules section at the beginning of the firewall config for?

The vague idea I have is that, if no rule matches (from those configured in my zones), it will apply those...
Is this OK? Or is there a better explanation of that section?

Many thanks.
Ok here it goes:

# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "edited",
	"system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
	"model": "My Precious",
	"board_name": "precious-nor",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.4",
		"revision": "r20123-34aaa000",
		"target": "ath79/nand",
		"description": "OpenWrt 22.03.4 r20123-34aaa000"
	}
}
# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ab37:ac45:1a8c::/48' ------->< what is this?

config device
	option name 'eth1'
	option macaddr '**:**:**:**:**'
	option mtu '1500'
	option ipv6 '0'
	option acceptlocal '0'
	option promisc '0'
	option multicast '0'
	option sendredirects '0'
	option drop_gratuitous_arp '1'

config device
	option name 'eth0'
	option mtu '1500'
	option acceptlocal '0'
	option promisc '0'
	option macaddr '**:**:**:**:**:**'

config rule 'policy_bypass_vpn'
	option mark '0x70000/0x70000'
	option lookup '53'
	option priority '53'

config rule 'policy_via_vpn'
	option mark '0x50000/0x50000'
	option lookup '52'
	option priority '52'

config rule 'policy_dns'
	option mark '0x300000/0x300000'
	option lookup '51'
	option priority '51'

config device
	option name 'br-wlan'
	option ipv6 '0'
	list ports 'wlan0'
	list ports 'wlan1'
	option macaddr '**:**:**:**:**:**'
	option type 'bridge'
	option mtu '1500'
	option multicast '0'

config interface 'wlan'
	option device 'br-wlan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option auto '0'

config device
	option name 'wwan0'
	option macaddr '**:**:**:**:**:**'
	option mtu '1500'
	option acceptlocal '0'
	option promisc '0'
	option multicast '0'
	option sendredirects '0'
	option drop_gratuitous_arp '1'
	option ipv6 '0'

config interface 'wan'
	option device 'wwan0'
	option proto 'static'
	option ipv6 '0'
	option delegate '0'
	option auto '0'

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	list dns_search 'lan'
	option delegate '0'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'
	option reqaddress 'none'
	option auto '0'
	option reqprefix 'no'

config interface 'modem_1_1_2'
	option device '/dev/cdc-wdm0'
	option apn 'umts'
	option proto 'qmi'
	option node '1-1.2:1.4'
	option metric '40'
	option roaming '1'
	option band_enable '0'
	option disabled '0'

# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel 'auto'
	option cell_density '0'
	option require_vht '1'
	option require_mode 'ac'
	option channels '36,40,44,48'
	option country 'ES'
	option hwmode '11a'
	option htmode 'VHT40'
	option disabled '1'
	option txpower '9'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key '**************'
	option ifname 'wlan1'
	option ssid 'myprecious1'
	option hidden '1'
	option network 'wlan'
	option wpa_disable_eapol_key_retries '1'
	option wmm '0'
	option encryption 'psk2+ccmp'
	option ieee80211w '1'
	option wnm_sleep_mode_no_keys '1'
	option wnm_sleep_mode '1'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel 'auto'
	option htmode 'HT40'
	option hwmode '11n'
	option txpower '0'
	option cell_density '0'
	option country 'ES'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key '**************'
	option ifname 'wlan0'
	option ssid 'myprecious0'
	option hidden '1'
	option network 'wlan'
	option wpa_disable_eapol_key_retries '1'
	option wmm '0'
	option encryption 'psk2+ccmp'
	option wnm_sleep_mode_no_keys '1'
	option wnm_sleep_mode '1'
	option ieee80211w '1'
	option isolate '1'
	option disabled '1'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '0'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option localuse '1'
	option rebind_protection '1'
	list server '127.0.0.1#5453'
	option noresolv '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'myprecious.com'
	option ip '192.168.1.1'

config dhcp 'wlan'
	option interface 'wlan'
	option leasetime '12h'
	option start '2'
	option limit '254'
	option netmask '255.255.255.0'
	option force '1'

# cat /etc/config/firewall

config defaults
	option drop_invalid '1'
	option flow_offloading '1'
	option synflood_protect '1'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

config zone
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option forward 'DROP'
	option output 'ACCEPT'
	option input 'DROP'
	list network 'wan'
	list network 'modem_1_1_2'
	list network 'modem_1_1_2_6'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config include 'mys2s'
	option type 'script'
	option path '/var/etc/mys2s.include'
	option reload '1'

config include 'myblock'
	option type 'script'
	option path '/usr/bin/my_block.sh'
	option reload '1'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config zone
	option name 'dmz'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'
	list network 'dmz'

config zone
	option name 'wlan'
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	list network 'wlan'

config forwarding
	option dest 'wan'
	option src 'wlan'

config forwarding
	option dest 'dmz'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wlan'
	option src 'lan'

config rule
	option dest_port '53 67 68'
	option src 'wlan'
	option name 'wlan dhcp and dns'
	option target 'ACCEPT'
	option family 'ipv4'

I have some scripts that I still don't know exactly what they do for the VPN.
I have 1 Wi-Fi that still doesn't work.. regdomain issues..

I wanted a simple way to completely disable IPv6.. it's a nightmare to configure interface after interface, and also device after device.. dnsmasq and so on..

Thanks in Advance
Best Regards
Gandalph

The firewall is what is responsible for securing the router/services from untrusted networks. In the case of services running on the router itself, the input rule is relevant here. By default, the input rule is set to drop for the wan zone, so no hosts coming from the wan can access the router's services. If you have changed the wan zone input rule to accept, that would obviously open the device to attack (and not just dnsmasq, but any and all services on the device). Similarly, if you added any rules that accept input from the wan, the same would apply. But by default, this is not permitted.

Your wlan configuration does allow access to dnsmasq, but that is a common configuration -- most of the time, people want to offer DNS and DHCP services to the hosts on the lan/guest/iot networks, etc. You've blocked general input on the wlan network, but you have allowed DNS and DHCP.

Yes, you're right... it is the general ruleset for networks not assigned to a zone.

There is a ton of stuff in those config files... is this stuff you've added yourself? And did you do it with a complete understanding of what you were doing? Given the nature of your original question, it seems that you've got a configuration that is much more advanced than you necessarily need... I'm trying to understand where it came from.

If that is the case, where did they come from and/or why are they there? You may want to start from a default config and build up from there with only what you need and understand.

Like I said before, there is a lot of really complex and advanced stuff. It would take a while to evaluate your config, and the best approach is really to understand 1) what is your intent, 2) how did you arrive at your current configuration, and 3) what specifically is wrong?

Usually the easiest way is to remove the wan6 interface and then remove the IPv6-related entries from the dhcp configuration in your lan or other networks.

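As an added illustration (not from this thread and not OpenWrt's own code): a small Python checker that reads a firewall config in UCI syntax and reports, per zone, what a service listening on the router itself (ssh on 22, uhttpd on 80, dnsmasq on 53) sees, combining the zone's input policy with router-targeted ACCEPT traffic rules the way the reply above describes. The sample config is constructed from the zones and rule posted in this thread; the rule's proto option and list-form dest_port are not handled.

```python
import re
# Constructed sample in UCI syntax: the lan/wan/wlan zones and the 'wlan dhcp
# and dns' rule from this thread, not the poster's complete firewall file.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'DROP'
config zone
    option name 'wlan'
    option input 'DROP'
config rule
    option dest_port '53 67 68'
    option src 'wlan'
    option name 'wlan dhcp and dns'
    option target 'ACCEPT'
"""
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Return [(section_type, {key: value})]; repeated 'list' keys become lists."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4)
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def port_matches(spec, port):
    # dest_port holds space-separated ports or ranges ('53 67 68', '1024-1100'); unset = any
    return not spec or any(lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo)
                           for lo, _, hi in (i.partition("-") for i in spec.split()))

def input_exposure(text, port):
    """Per zone: the zone input policy, unless an enabled ACCEPT rule with src=zone and
    no dest (so it targets the router) covers the port. proto is ignored (assumption)."""
    sections = parse_uci(text)
    verdict = {s["name"]: s.get("input", "DROP") for t, s in sections if t == "zone"}
    for t, s in sections:
        if (t == "rule" and s.get("target") == "ACCEPT" and "dest" not in s
                and s.get("enabled", "1") != "0" and s.get("src") in verdict
                and port_matches(s.get("dest_port", ""), port)):
            verdict[s["src"]] = "ACCEPT via rule '%s'" % s.get("name", "unnamed")
    return verdict
```

On a real router, feed it the output of `cat /etc/config/firewall`; a zone that reports ACCEPT for port 22 or 80 is one whose hosts can reach ssh/http on the device.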

hello,

Many many thanks for your explanation, it's very valuable to me and others!

Ok, I will try now to remove all IPv6 entries and wan6.
I also found this:

# append with a quoted heredoc (<<'EOF'); a here-string (<<<'EOF') would only write the word EOF
cat <<'EOF' >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6     = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6      = 1
net.ipv6.conf.eth0.disable_ipv6    = 1
net.ipv6.conf.eth1.disable_ipv6    = 1
net.ipv6.conf.wwan0.disable_ipv6   = 1
EOF

# sysctl -p

Ok, my idea was to:

  1. start with building a system with wlan, wan, lan, dmz
  2. disable IPv6
  3. implement VPN (OpenVPN + WireGuard); those scripts were copied from an old device I have, but I still have to look into them..

The 1st phase is done.
The 2nd, I am doing now.

In /etc/config/dhcp I see:

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

What is odhcpd, do I need it?

Many thanks in advance for your time, really appreciated.
Best Regards,
Gandalph

This is the dhcp server service... so usually, yes, you need it.