(SOLVED) Firewall misunderstanding?

I guess I misunderstand how the firewall works, can someone educate me?

I run LEDE as a KVM guest on a linux server. The server bridges its ethernet port with LEDE. Two wifi cards are passed through to the LEDE guest (pci delegation).

There are firewall zones LAN and WAN.

LAN is the bridged ethernet + one of the wifi cards.

WAN is the other wifi card.

The wifi card in WAN is a client of my non-LEDE DSL Router.

The server has a second KVM guest configured as a freepbx server, again with a bridged connection with the server's ethernet port.

The server and freepbx guest are both in the LAN zone.

The firewall is configured as per the attached screenshot. There are 2 holes in the firewall which redirect ssh and https traffic to the server other than this no further customisations have been made.

[screenshot: firewall]

There is a static route configured on the non-LEDE router with the LAN subnet as the destination and the LEDE wifi client as the gateway.

I have setup a forwarding rule on the non-LEDE router to redirect SIP traffic (port 5060) coming from the DSL line to the freepbx server in LAN.

I have not setup any rule on the LEDE firewall to allow this SIP traffic onto the LAN.

With this configuration I am able to connect to the freepbx server via a SIP client running on my phone connected to the cellular network (wifi disabled).

I expected this not to be possible as I have not setup a rule for the LEDE firewall to allow the SIP traffic through.

Why is such a rule not required?

Well...

  • If your LEDE VM's WAN is a wifi card, and the LAN is Ethernet bridge...why do you mention that there is a virtual Ethernet bridge...what physical network is it bridged to???
  • You cannot bridge/make your LEDE's LAN the same network you connect the LEDE's WAN port to. Regardless if you connect the LEDE by Ethernet or Wifi, there must be 2 separate LANs.

This sounds like you've placed:

  • the LEDE VM's WAN PORT; and
  • the PBX Server VM;
  • and the LEDE's VM's LAN PORT

on the same Layer 2 network as the DSL modem. If so, this is wrong. In this case, you're not routing. I'm also lost why you need a static route from your DSL modem to the virtual LEDE router, since you still have Masquerade turned on.

  • Where does the WAN-facing WIFI connect to?
  • Can you tell us what physical Ethernet card you bridged the SIP server and Router VM to???
  • Is this the same physical interface that the DSL router is found?

You seem to describe that you want:
INTERNET <> DSL_MODEM <> LEDE <> SIP_SERVER AND LEDE_WIFI_LAN

It seems you have:

INTERNET <> DSL_MODEM <> WIFI_WAN <> LEDE AND SIP_SERVER <> LEDE_WIFI_LAN

(I think you're confusing the physical and virtual world during your setups.)

  • If your LEDE VM’s WAN is a wifi card, and the LAN is Ethernet bridge…why do you mention that there is a virtual Ethernet bridge…what physical network is it bridged to???
  • You cannot bridge/make your LEDE’s LAN the same network you connect the LEDE’s WAN port to. Regardless if you connect the LEDE by Ethernet or Wifi, there must be 2 separate LANs.

There are 2 wifi cards + one ethernet bridge:

  • Wifi1 - LAN
  • Ethernet Bridge - LAN
  • Wifi2 - WAN

Wifi1 / Ethernet Bridge are on the same subnet.
Wifi2 is on a separate subnet.

This sounds like you’ve placed:

  • the LEDE VM’s WAN PORT; and
  • the PBX Server VM;
  • and the LEDE’s VM’s LAN PORT
    on the same Layer 2 network as the DSL modem. If so, this is wrong. In this case, you’re not routing. I’m also lost why you need a static route from your DSL modem to the virtual LEDE router, since you still have Masquerade turned on.

As above this is not the case. The PBX is on the same subnet as the Ethernet Bridge / Wifi1. Wifi2-WAN is a separate subnet.

  • Where does the WAN-facing WIFI connect to?

The WAN facing WIFI connects as a client to a non-LEDE DSL/Router WIFI AP.

  • Can you tell us what physical Ethernet card you bridged the SIP server and Router VM to???

The LEDE VM and PBX VM are bridged on the server's eth0 port.

You seem to describe that you want:
INTERNET <> DSL_MODEM <> LEDE <> SIP_SERVER AND LEDE_WIFI_LAN

Indeed, and unless I misunderstand something this is what I have?

  • When you say LEDE and PBX are on the same subnet, you do mean the LEDE LAN port, correct???
  • Also, please answer why do you use Masquerade on LEDE WAN AND a static route in the DSL device???

You would only place a route if you are not using NAT between IP subnets.

  • Just to be clear, where does eth0 connect...(i.e. a switch to provide Internet via the LEDE VM)?
  • ...basically, how does the physical server obtain Internet???
  • When you say LEDE and PBX are on the same subnet, you do mean the LEDE LAN port, correct???

Yes

  • Also, please answer why do you use Masquerade on LEDE WAN AND a static route in the DSL device???
    You would only place a route if you are not using NAT between IP subnets.

Actually this is a leftover from an old configuration that I've forgotten to change (previously I was masquerading on an ethernet modem on eth1 but this is no longer the case). I agree this should be removed.

  • Just to be clear, where does eth0 connect…(i.e. a switch to provide Internet via the LEDE VM)?
  • …basically, how does the physical server obtain Internet???

It is connected to a switch, yes. The server (& pbx) gets its internet connection via the bridged connection with LEDE (as do the other devices connected to the switch).

Please confirm that you are NOT able to access the device from the WAN once you fix the Masquerade rule.

How would masquerading on the WAN zone open the firewall for inbound traffic on (UDP or TCP?) port 5060?

I don't know...and I never said that it did...perhaps the same way OP seems to be able to pass traffic with a masquerade rule in place, yet OP shouldn't have been able to route reply traffic until the masquerade rule was fixed.

OP noted:

You should setup the DSL device to go to the WAN of the LEDE, as the PBX should not be on this network. The LEDE should be in the middle of the DSL network (LEDE WAN) and LAN with the switch and SIP VM (LEDE LAN).

UPDATE:

  • The DSL should have ONE connection to the LEDE WAN via the first WiFi card you attached to the VM.
  • your server should have one Ethernet port, plugged to a switch. It should be bridged (in your VM Host software) to LEDE LAN interface and the PBX.
  • the second WiFi is added to LEDE and attached to LEDE's LAN.
  • If you turn off Masquerade, you should be able to address the devices in the LEDE WAN ONLY after opening the firewall.
  • There should be no other connections to the DSL router except WiFi thru the WAN of the LEDE VM.
  • Ensure the IP subnet of the LEDE LAN is different from the DSL-facing network of the WAN side on the LEDE.

Disabling masquerading has had no effect.

I am still able to access the PBX on the LEDE LAN segment from the DSL port of the external router (in the WAN segment) without opening a hole in the LEDE firewall.

Looking into this a bit more it seems that the firewall isn't being configured correctly (according to my understanding of what the GUI means at least).

root@LEDE:~# iptables -nvL --line-numbers

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     4414 1223K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding     */
2     4409 1223K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
3        3   180 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
4        2   120 zone_wan_forward  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   120 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
2        0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
3        0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
4        2   120 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding wan -> lan */
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
6        0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/min burst 5 /* !fw3 */ LOG flags 0 level 4 prefix "REJECT(dest wan)"
2        0     0 reject     all  --  *      wlan1   0.0.0.0/0            0.0.0.0/0            /* !fw3 */

i.e. a WAN->WAN forward reject is in there but no WAN->LAN forward reject

This looks wrong, no?

I didn't see that before, but you are actually allowing wan -> lan forwarding in the GUI. This explains the rules in iptables.

1 Like

I didn’t see that before, but you are actually allowing wan -> lan forwarding in the GUI. This explains the rules in iptables.

I think this is what I don't follow - what do you mean when you say I'm allowing wan->lan forwarding.

My reading of the GUI is that I have wan->lan forwarding set to REJECT.

???

The forward column in the zone lists defines the default action, which is reject for the wan zone. But you are allowing forwarding to lan explicitly. It may be more apparent if you edit the wan zone.

Sorry, I guess I'm being really dense here but I don't follow what you mean.

Are you suggesting I change /etc/config/firewall from:

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

to:

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'REJECT'

(This doesn't affect the forwarding from wan->lan - the chain above remains the same)

No, changing the defaults for the lan zone won't affect inbound traffic from wan.

Don't you have the following section? Remove it in such case.

config forwarding
	option dest 'lan'
	option src 'wan'
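As an added example that is not from this thread or from the LEDE/OpenWrt project, here is a small POSIX shell script that parses a firewall config written in the UCI syntax shown above and lists every `config forwarding` section, flags the one that lets the wan zone reach lan, and prints the config with that section removed. The sample config is constructed to resemble the poster's setup (the zone and forwarding sections are assumptions, not the poster's actual file). The point it demonstrates is the one made in the replies: a zone's `option forward` only sets that zone's default, while a `config forwarding` section from wan to lan opens the path regardless, which is what produced the `forwarding wan -> lan` rule in the `zone_wan_forward` chain.

```shell
#!/bin/sh
# Added example, not code from the thread or from LEDE/OpenWrt.
# Parses a UCI-style firewall config and reports "config forwarding" sections.

# Constructed sample resembling the poster's /etc/config/firewall (assumed values).
SAMPLE_FIREWALL='
config defaults
    option input "ACCEPT"
    option output "ACCEPT"
    option forward "REJECT"

config zone
    option name "lan"
    option input "ACCEPT"
    option output "ACCEPT"
    option forward "ACCEPT"
    option network "lan"

config zone
    option name "wan"
    option input "REJECT"
    option output "ACCEPT"
    option forward "REJECT"
    option network "wan"

config forwarding
    option src "lan"
    option dest "wan"

config forwarding
    option dest "lan"
    option src "wan"
'

# list_forwardings CONFIG_TEXT
# Prints one "src->dest" line per "config forwarding" section, in file order.
# Quotes around option values (single or double) are stripped; option order
# inside a section does not matter.
list_forwardings() {
    printf '%s\n' "$1" | awk -v sq="'" '
        function flush() {
            if (in_fwd && src != "" && dst != "") print src "->" dst
            in_fwd = 0; src = ""; dst = ""
        }
        $1 == "config" { flush(); in_fwd = ($2 == "forwarding") }
        in_fwd && $1 == "option" && $2 == "src"  { v = $3; gsub("[\"" sq "]", "", v); src = v }
        in_fwd && $1 == "option" && $2 == "dest" { v = $3; gsub("[\"" sq "]", "", v); dst = v }
        END { flush() }
    '
}

# inbound_forwardings CONFIG_TEXT
# Prints only the forwardings that let the untrusted wan zone reach lan.
# An empty result means wan -> lan traffic falls through to the zone default
# (REJECT here) unless a redirect or traffic rule explicitly allows it.
inbound_forwardings() {
    list_forwardings "$1" | awk '$0 == "wan->lan"'
}

# drop_forwarding CONFIG_TEXT SRC DEST
# Prints the config with the matching "config forwarding" section removed,
# which is the fix the thread arrives at for the unwanted wan -> lan forward.
drop_forwarding() {
    printf '%s\n' "$1" | awk -v want_src="$2" -v want_dst="$3" -v sq="'" '
        function flush() {
            if (!(is_fwd && src == want_src && dst == want_dst)) printf "%s", buf
            buf = ""; is_fwd = 0; src = ""; dst = ""
        }
        $1 == "config" { flush(); is_fwd = ($2 == "forwarding") }
        is_fwd && $1 == "option" && $2 == "src"  { v = $3; gsub("[\"" sq "]", "", v); src = v }
        is_fwd && $1 == "option" && $2 == "dest" { v = $3; gsub("[\"" sq "]", "", v); dst = v }
        { buf = buf $0 "\n" }
        END { flush() }
    '
}

# Usage: show what the constructed config lets in from wan, then the fixed file.
echo "Forwardings that open wan -> lan:"
inbound_forwardings "$SAMPLE_FIREWALL"
echo "Config with the wan -> lan forwarding removed:"
drop_forwarding "$SAMPLE_FIREWALL" wan lan
```

On a real router the same check can be done against the live config with `uci show firewall` and the live rules with `iptables -nvL zone_wan_forward`, as the thread did; the script above only reads the text it is given, so it can be run offline on a copied config file.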

Finally understand! 🙂

Thanks!

1 Like

Wow...I missed that too!

You may want to add "Solved" to the thread's title.