[Solved] Firewall traffic rule for dhcp doesn't work

Hi, quite new to OpenWrt but love it!
A couple of things I don't understand about the LuCI firewall interface...

  1. I have an interface called 'lan' that bridges a wired/wifi network that works perfectly until I start trying to tighten security. I've created a traffic rule like this:

IPv4-udp
From any host in lan
To IP 192.168.0.160 (dhcp server) on this device, accept input.

but when I set lan:input from accept to drop, dhcp renews don't work. The dhcp server is on the 160 address. Why? Setting lan:input back to accept, and everything works fine.

  2. Also, currently the 'global' INPUT Policy is set to accept, so shouldn't all traffic be allowed anyway irrespective of the individual interface policies?

Thanks for helping to unconfuse me!

Working rules below you can compare and find the difference:

uci set firewall.@zone[0].input="REJECT"
uci set firewall.luci="rule"
uci set firewall.luci.name="luci"
uci set firewall.luci.src="lan"
uci set firewall.luci.dest_port="80 443"
uci set firewall.luci.proto="tcp"
uci set firewall.luci.target="ACCEPT"
uci set firewall.ssh="rule"
uci set firewall.ssh.name="ssh"
uci set firewall.ssh.src="lan"
uci set firewall.ssh.dest_port="22"
uci set firewall.ssh.proto="tcp"
uci set firewall.ssh.target="ACCEPT"
uci set firewall.dhcp="rule"
uci set firewall.dhcp.name="dhcp"
uci set firewall.dhcp.src="lan"
uci set firewall.dhcp.dest_port="67"
uci set firewall.dhcp.family="ipv4"
uci set firewall.dhcp.proto="udp"
uci set firewall.dhcp.target="ACCEPT"
uci set firewall.dhcp6="rule"
uci set firewall.dhcp6.name="dhcp6"
uci set firewall.dhcp6.src="lan"
uci set firewall.dhcp6.dest_port="547"
uci set firewall.dhcp6.family="ipv6"
uci set firewall.dhcp6.proto="udp"
uci set firewall.dhcp6.target="ACCEPT"
service firewall restart
# Reconnect and test, then save
uci commit firewall

It is applied only for those interfaces which are not assigned to firewall zones.
It helps to prevent soft lock if your network configuration changes.

1 Like

This rule that accepts input applies to the incoming traffic destined to the router itself.
So, if the DHCP server is different than the router, but within the broadcast domain of the LAN, you cannot drop the packets like this.
If it is on a different broadcast domain, then you need to do some routing and also enable DHCP relay. Still, you need to add any rules in the Forward chain, which is exactly for traffic traversing the router.
Finally, have you disabled the built-in DHCP server of OpenWrt?

3 Likes
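
An added example, not part of any post in this thread: a POSIX shell check that reads `uci show firewall` output and reports whether DHCPv4 requests from a zone still reach the router once that zone's input policy is no longer ACCEPT. The function names, result strings and sample lines are constructed for illustration; a rule that also sets dest_ip is reported as unicast-only, since it cannot match the requests a client without a lease broadcasts to 255.255.255.255.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `uci show firewall` text on stdin and
# prints how DHCPv4 requests (udp/67) entering from zone $1 fare on router input.
check_dhcp_input() {
    awk -v zone="$1" '
    function has_port(list, p,   a, n, i, r, m) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) {
            m = split(a[i], r, "-")                  # "67" or a range like "67-68"
            if (m == 2 && p >= r[1] + 0 && p <= r[2] + 0) return 1
            if (m == 1 && a[i] + 0 == p) return 1
        }
        return 0
    }
    {
        eq = index($0, "="); if (!eq) next
        val = substr($0, eq + 1); gsub("\047", "", val)   # drop the single quotes
        n = split(substr($0, 1, eq - 1), k, "[.]")
        if (n == 2) { type[k[2]] = val; sect[++cnt] = k[2] }   # firewall.<section>=<type>
        if (n == 3) opt[k[2], k[3]] = val                      # firewall.<section>.<option>=...
    }
    END {
        for (i = 1; i <= cnt; i++)
            if (type[sect[i]] == "zone" && opt[sect[i], "name"] == zone)
                policy = toupper(opt[sect[i], "input"])
        if (policy == "ACCEPT") { print "accepted-by-zone-policy"; exit }
        result = "blocked"              # an unset zone input is treated as not ACCEPT
        for (i = 1; i <= cnt; i++) {
            s = sect[i]
            if (type[s] != "rule" || opt[s, "src"] != zone || opt[s, "dest"] != "") continue
            if (toupper(opt[s, "target"]) != "ACCEPT" || opt[s, "enabled"] == "0") continue
            if (opt[s, "family"] == "ipv6" || opt[s, "proto"] !~ /^$|udp|all/) continue
            if (opt[s, "dest_port"] != "" && !has_port(opt[s, "dest_port"], 67)) continue
            if (opt[s, "dest_ip"] != "") { result = "unicast-only"; continue }
            result = "accepted-by-rule"; break
        }
        print result
    }'
}
# Constructed `uci show firewall` excerpt: lan input REJECT and one udp rule from lan
# whose last option line is given as $1.
sample() {
    printf "%s\n" "firewall.@zone[0]=zone" "firewall.@zone[0].name='lan'" \
        "firewall.@zone[0].input='REJECT'" "firewall.dhcp=rule" "firewall.dhcp.src='lan'" \
        "firewall.dhcp.family='ipv4'" "firewall.dhcp.proto='udp'" \
        "firewall.dhcp.target='ACCEPT'" "$1"
}
sample "firewall.dhcp.dest_port='67'" | check_dhcp_input lan           # accepted-by-rule
sample "firewall.dhcp.dest_ip='192.168.0.160'" | check_dhcp_input lan  # unicast-only
```

On a router the same function can be fed live configuration with `uci show firewall | check_dhcp_input lan` before the zone policy is tightened.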

THANK-YOU to you all!
Problem solved, thanks for all your help.

If your problem is solved, please consider marking this topic as [Solved].
See How to mark a topic as [Solved] for a short how-to.

1 Like