[Solved] Hosts talking between zones

I have set up three zones on my network: wan, lan, and "server-side." The lan side is where all of the consumer devices live and the "server-side" zone is where the home server lives. I've set up an additional VLAN for this zone as well and a port-forward for me to access services outside my network. I've followed different guides on creating a DMZ, which has led me here. Currently the "server-side" zone is able to access other hosts inside that zone when I have the redirect set:

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.26.xx'
        option dest_port '443'
        option name 'Apache'
        option dest 'ServerZone'

Yet when I change the destination zone to lan, I am able to access the services through their FQDN, but the services (run in LXC containers) are not able to access or look up any DNS records for each other. This wouldn't be a big issue at first glance, but I am starting to test out services that need to talk to different LXC containers and use SSL certificates for validation and security. They connect to each other through their FQDN.

I've made attempts to set up the forwarding between zones, but that doesn't work. I've added rules to allow port 53 to communicate across the zone, but that doesn't work. I've tried looking at the kernel logs (which are dog slow to populate, by the way) and they say that port 53 is being blocked all around, even from within the zone to itself.

Here is a copy of my current firewall config:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option conntrack '1'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'DROP'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option output 'ACCEPT'
        option name 'ServerZone'
        option network 'Server_Side'
        option log '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option name 'Nextcloud Sync'
        option src_ip '192.168.25.5'
        option dest 'ServerZone'
        option dest_ip '192.168.26.14'
        option dest_port '80'
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '3367'
        option dest_ip '192.168.25.4'
        option dest_port '3367'
        option name 'vpn'
        option proto 'udp'

config forwarding
        option dest 'ServerZone'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.26.12'
        option dest_port '443'
        option name 'Apache'
        option dest 'ServerZone'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '53'
        option name 'DNS'
        option src 'ServerZone'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option name 'HttpsSS'
        option src_port '443'
        option dest_port '443'
        option proto 'tcp'
        option src 'lan'
        option dest 'ServerZone'
        option enabled '0'

config forwarding
        option dest 'wan'
        option src 'ServerZone'

config forwarding
        option dest 'wan'
        option src 'lan'

The few rules that allow traffic to pass from lan to the server-side zone do work, but for some reason I am not able to get DNS port 53 to pass without being rejected. Here is a copy of the kernel message:

REJECT ServerZone in: IN=eth0.26 OUT= MAC=ADDRESS XX-XX-XX-XX SRC=192.168.26.20 DST=192.168.26.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=3780 PROTO=UDP SPT=56094 DPT=53 LEN=42

I've been beating my head against the wall trying to figure this one out. I want traffic to pass from lan to server-side through their FQDN and allow the server-side LXC services to be able to talk as well.
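The kernel line quoted above is the standard netfilter LOG format with the fw3 zone prefix in front of it. The small parser below is an added example, not code from the thread or from OpenWrt: it splits such lines into fields, and uses the interface-to-zone mapping taken from the posted network and firewall configs (eth0.26 is Server_Side/ServerZone, br-lan is lan, eth0.2 is wan) to tell whether a rejected packet was on the INPUT path (OUT= empty, packet addressed to the router itself, decided by the zone's input policy and src-only rules) or the FORWARD path (decided by forwardings and src/dest rules). The two extra log lines in the sample are constructed for illustration.

```python
"""Parse and classify fw3 kernel REJECT/DROP log lines like the one in the post."""
import re
from collections import Counter

# Interface -> firewall zone, derived from the posted network and firewall
# configs (Server_Side = eth0.26 -> zone ServerZone, lan is a bridge -> br-lan,
# wan = eth0.2). Adjust for your own setup.
IFACE_TO_ZONE = {"eth0.26": "ServerZone", "br-lan": "lan", "eth0.2": "wan"}

# Constructed sample: the first line is the one quoted in the post (MAC address
# redacted by the poster); the other two are made up to show the forward path.
SAMPLE_LOG = """\
REJECT ServerZone in: IN=eth0.26 OUT= MAC=ADDRESS XX-XX-XX-XX SRC=192.168.26.20 DST=192.168.26.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=3780 PROTO=UDP SPT=56094 DPT=53 LEN=42
REJECT ServerZone forward: IN=eth0.26 OUT=br-lan MAC=ADDRESS XX-XX-XX-XX SRC=192.168.26.20 DST=192.168.25.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
REJECT ServerZone in: IN=eth0.26 OUT= MAC=ADDRESS XX-XX-XX-XX SRC=192.168.26.21 DST=192.168.26.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=3781 PROTO=UDP SPT=56095 DPT=53 LEN=42
"""

# fw3 log prefix ("REJECT ServerZone in") followed by the netfilter key=value body.
PREFIX_RE = re.compile(r"^(?P<prefix>.+?):\s+(?P<body>IN=.*)$")


def parse_fw3_log(line):
    """Split an fw3 log line into its prefix and the netfilter key=value fields.

    Bare tokens without '=' (DF, SYN, or the redacted MAC here) are kept as
    flags. Returns None for lines that are not netfilter log lines.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # the first LEN= is the IP length
        else:
            flags.append(tok)
    action = m.group("prefix").split()[0]
    return {"prefix": m.group("prefix"), "action": action,
            "fields": fields, "flags": flags}


def classify(rec):
    """Work out which fw3 decision point rejected the packet.

    OUT= empty means the packet was addressed to the router itself (INPUT
    chain): only the source zone's input policy and src-only rules apply, and
    forwardings do not. A non-empty OUT means the FORWARD chain, where zone
    forwardings and rules with both src and dest decide.
    """
    f = rec["fields"]
    path = "input" if f.get("OUT", "") == "" else "forward"
    src_zone = IFACE_TO_ZONE.get(f.get("IN"))
    dst_zone = IFACE_TO_ZONE.get(f.get("OUT")) if path == "forward" else None
    if path == "input":
        governed_by = (f"zone '{src_zone}' option input, plus rules with "
                       f"src='{src_zone}' and no dest")
    else:
        governed_by = (f"forwarding {src_zone}->{dst_zone}, plus rules with "
                       f"src='{src_zone}' dest='{dst_zone}'")
    return {"path": path, "src_zone": src_zone, "dst_zone": dst_zone,
            "proto": f.get("PROTO"), "dport": f.get("DPT"),
            "governed_by": governed_by}


def summarize(log_text):
    """Count logged flows by (action, path, src_zone, dst_zone, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fw3_log(line)
        if rec is None:
            continue
        c = classify(rec)
        counts[(rec["action"], c["path"], c["src_zone"], c["dst_zone"],
                c["proto"], c["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        action, path, src, dst, proto, dport = key
        print(f"{n:4d}  {action:<6} {path:<7} {src}->{dst or 'router'} {proto}/{dport}")
```

Run against the line from the post, it reports an input-path reject from zone ServerZone to the router's own 192.168.26.1 on UDP/53, which is why the zone's input policy and the src-only DNS rule, not the lan-to-ServerZone forwarding, are the sections to check.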

I can't see a reason to reject the packet since ServerZone has input ACCEPT. A dump of the current firewall status (in LuCI or with iptables -v -n -L) probably is useful.


Also post the configs for network and dhcp.
Could be that dnsmasq is not running on the ServerZone interface (especially if DHCP is not running on that interface). netstat -lnp | grep 53

The output for iptables -v -n -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  214 19452 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
  146 14027 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    6   328 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
   68  5425 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_ServerZone_input  all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  505 63420 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
  466 61066 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
   39  2354 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_ServerZone_forward  all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  218 33949 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
  112 25852 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  106  8097 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_ServerZone_output  all  --  *      eth0.26  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   328 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_dest_ACCEPT (8 references)
 pkts bytes target     prot opt in     out     source               destination
   26  1544 ACCEPT     all  --  *      eth0.26  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone ServerZone to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: DNS */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_ServerZone_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone output rule chain */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   39  2354 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    2   104 zone_ServerZone_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Nextcloud Sync */
    0     0 zone_ServerZone_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: Nextcloud Sync */
   24  1440 zone_ServerZone_dest_ACCEPT  tcp  --  *      *       192.168.25.9         0.0.0.0/0            tcp dpt:10050 /* !fw3: Zabbix */
    0     0 zone_ServerZone_dest_ACCEPT  udp  --  *      *       192.168.25.9         0.0.0.0/0            udp dpt:10050 /* !fw3: Zabbix */
    0     0 zone_ServerZone_dest_ACCEPT  icmp --  *      *       192.168.25.9         0.0.0.0/0            /* !fw3: Zabbix Ping */
   13   810 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to ServerZone forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   68  5425 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
   68  5425 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   68  5425 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
  119  8907 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  106  8097 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
  106  8097 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

And the output for netstat -lnp | grep 53

tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      1750/stubby
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      17490/dnsmasq
tcp        0      0 192.168.25.1:53         0.0.0.0:*               LISTEN      17490/dnsmasq
tcp        0      0 24.XX.XX.XX:53       0.0.0.0:*               LISTEN      17490/dnsmasq
tcp        0      0 192.168.26.1:53         0.0.0.0:*               LISTEN      17490/dnsmasq
tcp        0      0 ::1:5453                :::*                    LISTEN      1750/stubby
tcp        0      0 ::1:53                  :::*                    LISTEN      17490/dnsmasq
tcp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                    LISTEN      17490/dnsmasq
tcp        0      0 2600:8800:9200:8b::1:53 :::*                    LISTEN      17490/dnsmasq
tcp        0      0 fd20:9411:2900::1:53    :::*                    LISTEN      17490/dnsmasq
tcp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                    LISTEN      17490/dnsmasq
tcp        0      0 2600:8800:ff0d:400:4d8a:f9e0:5212:f5e3:53 :::*                    LISTEN      17490/dnsmasq
tcp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                    LISTEN      17490/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           17490/dnsmasq
udp        0      0 192.168.25.1:53         0.0.0.0:*                           17490/dnsmasq
udp        0      0 24.XX.XX.XX:53       0.0.0.0:*                           17490/dnsmasq
udp        0      0 192.168.26.1:53         0.0.0.0:*                           17490/dnsmasq
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           1750/stubby
udp        0      0 ::1:53                  :::*                                17490/dnsmasq
udp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                                17490/dnsmasq
udp        0      0 2600:8800:9200:8b::1:53 :::*                                17490/dnsmasq
udp        0      0 fd20:9411:2900::1:53    :::*                                17490/dnsmasq
udp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                                17490/dnsmasq
udp        0      0 2600:8800:ff0d:400:4d8a:f9e0:5212:f5e3:53 :::*                                17490/dnsmasq
udp        0      0 fe80::c24a:ff:feb6:b584:53 :::*                                17490/dnsmasq
udp        0      0 ::1:5453                :::*                                1750/stubby

I do not have DHCP running on that VLAN interface though.

Output for network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd20:9411:2900::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.25.1'
        option netmask '255.255.255.192'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 4t 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '26'
        option ports '0t 3 4t'

config interface 'Server_Side'
        option proto 'static'
        option ipaddr '192.168.26.1'
        option netmask '255.255.255.224'
        option ip6assign '64'
        option ifname 'eth0.26'

Output for DHCP:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '1'
        list server '1.1.1.1'
        list server '9.9.9.9'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '20'
        option limit '25'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

There are some host name entries at the end of the DHCP file but I truncated them off.

Accept DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server.

But you haven't configured the config dhcp 'Server_Side'.

You could disable this, since you have not allowed/banned particular interfaces.

I changed both of those options but it is still not working. Should I set up a DHCP server with 1 IP and see if that changes it?

Try that; also post the rest of the iptables and some ip stuff, in case something is happening elsewhere, because you have no hits on udp/53:
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn; ip -4 add; ip -4 ro; ip -4 ru

Here is the next output:

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   152 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 179K   13M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 141K   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 1503 61705 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
20939 1218K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
34609 2177K zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 2010  168K zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  328 21081 zone_ServerZone_input  all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
6657K 4412M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
6581K 4407M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  318 16503 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
75737 4707K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   16   880 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  222 13634 zone_ServerZone_forward  all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    1    52 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   152 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 157K   19M output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 146K   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
   11  3128 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
11347  844K zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_ServerZone_output  all  --  *      eth0.26  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1677 67972 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
   48 12712 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
20939 1218K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_dest_ACCEPT (8 references)
 pkts bytes target     prot opt in     out     source               destination
60698 3651K ACCEPT     all  --  *      eth0.26  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  222 13634 forwarding_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone forwarding rule chain */
  222 13634 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone ServerZone to wan forwarding policy */
    6   360 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  328 21081 input_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone input rule chain */
  327 21033 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: DNS */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    1    48 zone_ServerZone_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone output rule chain */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ServerZone_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 ACCEPT     all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
   11  3128 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
75737 4707K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
 2180  118K zone_ServerZone_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Nextcloud Sync */
    0     0 zone_ServerZone_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: Nextcloud Sync */
58298 3498K zone_ServerZone_dest_ACCEPT  tcp  --  *      *       192.168.25.9         0.0.0.0/0            tcp dpt:10050 /* !fw3: Zabbix */
    0     0 zone_ServerZone_dest_ACCEPT  udp  --  *      *       192.168.25.9         0.0.0.0/0            udp dpt:10050 /* !fw3: Zabbix */
  900 75600 zone_ServerZone_dest_ACCEPT  icmp --  *      *       192.168.25.9         0.0.0.0/0            /* !fw3: Zabbix Ping */
15039 1056K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_ServerZone_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to ServerZone forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
34609 2177K input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
34609 2177K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11  3128 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
   11  3128 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
34609 2177K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
26602 1913K ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   880 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
   16   880 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2010  168K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
  231 84486 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
   55  3148 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 1724 80632 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
11347  844K output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
11347  844K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1724 80632 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain PREROUTING (policy ACCEPT 106K packets, 8066K bytes)
 pkts bytes target     prot opt in     out     source               destination
 106K 8068K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
 104K 7931K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1872  113K zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  377 23655 zone_ServerZone_prerouting  all  --  eth0.26 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 27129 packets, 1965K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10101 packets, 763K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 59895 packets, 3592K bytes)
 pkts bytes target     prot opt in     out     source               destination
79590 4944K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    9  2147 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
19689 1352K zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
59892 3590K zone_ServerZone_postrouting  all  --  *      eth0.26  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_ServerZone_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_ServerZone_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
59892 3590K postrouting_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone postrouting rule chain */
    6   360 SNAT       tcp  --  *      *       192.168.26.0/27      192.168.26.12        tcp dpt:443 /* !fw3: Apache (reflection) */ to:192.168.26.1

Chain zone_ServerZone_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  377 23655 prerouting_ServerZone_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ServerZone prerouting rule chain */
    6   360 DNAT       tcp  --  *      *       192.168.26.0/27      24.xxx.xxx.xxx       tcp dpt:443 /* !fw3: Apache (reflection) */ to:192.168.26.12:443

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2147 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    0     0 SNAT       udp  --  *      *       192.168.25.0/26      192.168.25.4         udp dpt:3367 /* !fw3: vpn (reflection) */ to:192.168.25.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 104K 7931K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       udp  --  *      *       192.168.25.0/26      24.xxx.xxx.xxx       udp dpt:3367 /* !fw3: vpn (reflection) */ to:192.168.25.4:3367

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
19689 1352K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
19689 1352K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1872  113K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3367 /* !fw3: vpn */ to:192.168.25.4:3367
   16   880 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Apache */ to:192.168.26.12:443

iptables v1.6.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.25.1/26 brd 192.168.25.63 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 24.xxx.xxx.xxx/24 brd 24.AAA.AAA.AAA scope global eth0.2
       valid_lft forever preferred_lft forever
12: eth0.26@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.26.1/27 brd 192.168.26.31 scope global eth0.26
       valid_lft forever preferred_lft forever

default via 24.AAA.AAA.AAA dev eth0.2  src 24.xxx.xxx.xxx
24.AAA.AAA.AAA/24 dev eth0.2 scope link  src 24.xxx.xxx.xxx
192.168.25.0/26 dev br-lan scope link  src 192.168.25.1
192.168.26.0/27 dev eth0.26 scope link  src 192.168.26.1

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Tried setting up the DHCP server but that did nothing. I am setting up a Pi-hole on that VLAN to see if that will change anything. Removing the DNS lookups from the router. If that doesn't change anything then I'll try to reflash the router back to defaults and set everything up by hand again.

I made a correction to the iptables mangle table, as I forgot the -L.

It seems better now:
327 21033 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* !fw3: DNS */
There are hits and the target is ACCEPT, so they cannot be dropped.
I don't see the logging option though. Is there anything in '/etc/firewall.user'?

There is nothing there inside that file.

Edit: After setting up a Pi-hole on that VLAN I noticed something strange. No requests for any FQDN from any of my services running on that VLAN. It seems as though it is blocking those DNS requests altogether. When I switch the port forward's "internal zone" to the 'lan' zone then I see the requests come through.

Would this have anything to do with setting up DNS-over-TLS with stubby? I remember setting that up a while back but now I do not know how to reverse it. That's the only thing routing-wise that is out of the default.

Seems so that something is interrupting it. I cannot think of anything else and since I have no experience with stubby I hope someone else will be of more help. :slight_smile:

Well this doesn't make any sense to me. I reset the router to all defaults and did everything by hand again. Created all the VLANs and adjusted everything back to make the network flow, still... nothing. There is something I'm missing that is being blocked related to the DNS lookups or the way the address gets resolved between the zones. I'm not sure.

Another thing that is strange though, from default when I created the new zone, the router was passing HTTP and DNS traffic without any additional rules. The only way to stop the router from passing that traffic between the zones was to set up an explicit block rule. I'm not sure what's going on with the firewall because it seems to be working in sporadic ways and making me not want to trust it.

By default, the firewall will allow all traffic from/to/via the LAN zone. Same applies to your Server zone, since you had all policies ACCEPT.
If this default configuration is not working, something might be wrong with the device.
I suggest to post once again the configuration files and run some diagnostics
uci show network; uci show dhcp; uci show firewall;
ip -4 add; ip -4 ro; ip -4 ru
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn;
tcpdump -i eth0.26 -vvn port 53

Here are the most recent diagnostics from the router after a reset and reconfigure from stock.

'OpenWRT - ipv4-ro'

default via 24.251.250.1 dev eth0.2  src 24.ABC.DEF.GHI
24.251.250.0/24 dev eth0.2 scope link  src 24.ABC.DEF.GHI
192.168.25.0/26 dev br-lan scope link  src 192.168.25.1
192.168.26.0/27 dev eth0.26 scope link  src 192.168.26.1

'OpenWRT - ipv4-ru'

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

OpenWRT - Network Interfaces Config
OpenWRT -iptables -t mangle -L -vn
OpenWRT - ipv4-add
OpenWRT - iptables -t nat -L -vn
OpenWRT - iptables -L -vn
OpenWRT - Firewall Config
OpenWRT - DHCP

One thing I am noticing through Wireshark on my desktop that is inside the LAN zone is that the path is going out the WAN, receiving the WAN IP address and coming back in via port 443 and that response is sending back a 'reject' response.

This one doesn't work. Just paste them here instead of pastebin.

Did you solve the issue with DNS after the reinstall?
What is the IP of the desktop? Which IP is it trying to reach? Can you post the tcpdump or the pcap from wireshark?
Alternatively run the tcpdump on the router tcpdump -i any -vvn host IP_OF_SERVER or host IP_OF_DESKTOP

The DNS issue was a forwarding issue between the lan zone and the adjacent zones.

The IP I'm trying to reach would resolve to 192.168.26.12 which is the apache server on the different VLAN. The desktop is 192.168.25.5. It acts as though the NAT settings are not letting the FQDN touch the wan interface, resolve, and then come back inside the lan.

Here is what I am commonly seeing through tcpdump and Wireshark:

192.168.25.5.50207 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0x6981 (correct), seq 3281622017, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
192.168.25.5.50207 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0x6981 (correct), seq 3281622017, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
192.168.25.5.50207 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0x6981 (correct), seq 3281622017, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
24.ABC.DEF.GHI.443 > 192.168.25.5.50207: Flags [R.], cksum 0xa531 (correct), seq 0, ack 3281622018, win 0, length 0
24.ABC.DEF.GHI.443 > 192.168.25.5.50207: Flags [R.], cksum 0xa531 (correct), seq 0, ack 1, win 0, length 0
192.168.25.5.50208 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0xea33 (correct), seq 3887263540, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
192.168.25.5.50208 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0xea33 (correct), seq 3887263540, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
192.168.25.5.50208 > 24.ABC.DEF.GHI.443: Flags [S], cksum 0xea33 (correct), seq 3887263540, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
24.ABC.DEF.GHI.443 > 192.168.25.5.50208: Flags [R.], cksum 0x25e4 (correct), seq 0, ack 3887263541, win 0, length 0
24.ABC.DEF.GHI.443 > 192.168.25.5.50208: Flags [R.], cksum 0x25e4 (correct), seq 0, ack 1, win 0, length 0

Here is the network interfaces config:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd58:19de:a71f::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ip6assign '60'
        option ifname 'eth0.25'
        option ipaddr '192.168.25.1'
        option netmask '255.255.255.192'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '25'
        option ports '0t 2 4t 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '26'
        option ports '0t 3 4t'

config interface 'S_Side'
        option proto 'static'
        option ifname 'eth0.26'
        option ipaddr '192.168.26.1'
        option netmask '255.255.255.224'
        option ip6assign '64'

I'm starting to think that there is something unique about this situation that makes it not achievable with OpenWRT. I'm starting to think that something in the hardware/software for this router, that there is a feature missing that I need to make this work. In pfSense it would be set up with Pure NAT and enabling firewall rules to pass that traffic through. The zones here on LEDE are proving to be a stopping point in this setup.

You don't have a rule to allow route reflection from LAN over the WAN IP to the S_Side. You have a rule for S_Side to WAN back to S_Side (with zero hits).
My question is why do you do that, instead of just accessing the apache directly? Create a FQDN in hosts for the IP of the server and the hosts in the LAN will resolve that directly from dnsmasq.


In order to create the hosts entry would I need to edit the hosts file directly over SSH or add the hostnames into the hostnames section? I imagine this would be setting up split DNS. Should I try and add the route from lan to wan to S_Side with reflection? I guess I thought I had done that already. I've been going in with 65% knowledge on how the firewall system and routing works on OWRT but not having a clear picture.

Better add hostname entries in the section of the dhcp config file.

No, just allow traffic from LAN to S-Side and force connection tracking if you don't allow the reverse.
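The arrangement trendy describes, as an added example that is not configuration from this thread: LAN clients get the server's private address straight from dnsmasq (so the connection never hairpins through the WAN IP and no reflection rule is needed), the lan zone is allowed to reach the reverse proxy on the one port it serves, and the DDNS client is told to read the public address from the wan interface rather than resolving the name. The hostnames, the DDNS section name and the choice of a single HTTPS port are assumptions; only the addresses 192.168.26.12 and the zone name ServerZone come from the thread.

```uci
# /etc/config/dhcp -- split DNS. dnsmasq answers these names itself with
# the private address, so LAN hosts connect to 192.168.26.12 directly.
# Hostnames are assumed; every name the reverse proxy serves points at it.
config domain
        option name 'apache.example.com'
        option ip '192.168.26.12'

config domain
        option name 'nextcloud.example.com'
        option ip '192.168.26.12'

# /etc/config/firewall -- allow lan -> ServerZone only to the proxy, only
# on tcp/443. The lan zone already has 'option conntrack 1', which is what
# lets the replies come back without a ServerZone -> lan forwarding.
config rule
        option name 'lan-to-proxy-https'
        option src 'lan'
        option dest 'ServerZone'
        option proto 'tcp'
        option dest_ip '192.168.26.12'
        option dest_port '443'
        option target 'ACCEPT'

# /etc/config/ddns -- with split DNS the router resolves the FQDN to the
# private address too, so take the public address from the wan interface
# instead of a name lookup. The section name 'myddns_ipv4' is assumed.
config service 'myddns_ipv4'
        option ip_source 'network'
        option ip_network 'wan'
```

Two things to check after applying it: the TLS certificate still matches because the clients keep using the same FQDN, only the address changes; and if the private answers were to come from an upstream resolver (a Pi-hole, say) instead of these local entries, dnsmasq's default rebind protection would drop them unless that domain is listed in `list rebind_domain` under the dnsmasq section.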

Through a traffic rule with a specific port or make it an any to any rule? I thought I had added one that direction over port 443 but I will try again.

With the hostnames should include the whole host with the domain name? Meaning 192.168.26.12 is apache.example.com. How would adding a host that operates off of a different port work? My reverse proxy handles the translation outside of the network for those.

Edit: I was able to make it work by pointing all of my FQDN names and subdomains directly at the apache reverse proxy. Now that split DNS works I'm gonna try and close it down from all open to only the parts I need open.

One side effect I did notice was that my DDNS client now sees only my private IPs as the IP for each domain name. I'll have to change it to take the IP address from the WAN port and see how that goes.

Thank you for the help trendy! :+1::facepunch: