[SOLVED] I need help understanding firewall rules

Hello,

I have a basic network with br-lan.1 and br-lan.10, vlan1 and vlan10 respectively.

Vlan1 is main LAN
Vlan10 is a guest network.

I have two rules, which I was hoping would block traffic between vlan1 and vlan10. I can still ping the 192.168.10.1 interface from the 192.168.1.1 LAN.
I have restarted the firewall service.

expected behavior: deny traffic between vlan1 and vlan10.

Question: What is the simplest way to implicit deny across all VLANs, and just allow DHCP and DNS for internet access? I'm looking for the smallest number of rules to manage in an implicit deny fashion.

As always, thank you for the community help as I get comfortable with OpenWrt.

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:t'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'

config interface 'ExpressVPN'
        option proto 'none'
        option device 'tun0'

config device
        option name 'eth0'

/etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'vlan_1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vlan_10'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'DROP'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'vlan_1'
        option dest 'wan'

config rule
        option name 'Block LAN to VLAN10'
        option src 'vlan_1'
        option dest 'vlan_10'
        option target 'REJECT'

config rule
        option name 'block VLAN10 to LAN'
        option src 'vlan_10'
        option dest 'vlan_1'
        option target 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-vlan10-DNS'
        option src 'vlan_10'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-vlan10-DHCP'
        list proto 'udp'
        option src 'vlan_10'
        option dest_port '67-68'
        option target 'ACCEPT'

config forwarding
        option src 'vlan_10'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'VPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ExpressVPN'
        option masq '1'

config forwarding
        option src 'vlan_10'
        option dest 'VPN'

You're actually not pinging across subnets here -- you're actually pinging the router itself. It is the input rule of the main lan that allows access to the router itself, and the router responds to the pings to 192.168.10.1 because it holds that address. You can think of it like a nickname insofar as it is just another way to address the same entity/device.

The real test is to attempt to ping a host on one network from a host on the other. Based on your firewall and the lack of forwarding between the two respective zones, there should be no connectivity between any two hosts (not counting the router itself) on the different networks.

That said, you can remove these rules as they are unnecessary:


Thanks for the reply

I actually just got done absorbing your responses to this post:

It explained it well.

What I learned:

The interfaces are not routable endpoints, just nicknames for the router itself. Response to pings isn't indicative of traversing the vlan, just contacting the router.

If I would like to block ping responses, I would set deny across all of the zones, and just allow DHCP and DNS to 'this device' to allow an umbrella explicit allow for DHCP and DNS across all networks configured with the router as its gateway. I'll need to add a management VLAN to access SSH and LuCI, I assume.

I'll delete the redundant rules because the 'drop' for VLAN 10's input zone rule will handle this.

I am a little confused about how VLAN10 would not be able to access VLAN1 if VLAN is set to Accept. Would it still work, or is it denied because it is not listed in the forwarding rules?

Edit: accept just means input into the router, I understand now.

thanks

You've already got the input rule (which governs access to the router itself) set to reject on the VLAN 10 (guest) zone. So the guest network will be unable to connect to the router except for the explicitly allowed services (i.e. the additional rules to allow DHCP and DNS).

You probably don't want to block the ping responses and other access from the trusted LAN because you will lose access to administer the router. If the ping responses to the router's address on the guest network really bother you, it is possible to block that specific address, but it's not really necessary or recommended.

Yes you can delete the rules I mentioned, but not for the reason you are thinking.

Because the networks are in different firewall zones, you would need to setup rules (often zone forwards) to allow traffic between the zones (if it were desired). You don't have any such rules, so no traffic can traverse between the two networks.


Got it!

So Input is to the router itself.

Zones can't forward between each other by default, so if there's no rule to allow forwarding - the traffic is blocked.

It's making sense now heh...

I have limited devices at the moment, and the WLAN isn't fully configured for the VLAN10 - So connecting devices and testing is difficult at the moment. Just needed a little theory brush up.

Yeah... it can be confusing:

Input = access to the router itself
Output = traffic flow from the firewall towards the network(s) in the zone -- this is almost always ACCEPT except in really rare situations.
Forward = intra-zone forwarding -- this applies to two or more networks that are in the same zone -- can one network reach another network in the same zone.

These zone level rules are quite broad, but usually cover the majority of uses. When needed, more granular rules can be made.
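The zone semantics laid out in the replies above (input governs traffic to the router itself, zones do not forward to each other without a forwarding entry, and a zone's forward policy covers traffic between networks inside that one zone) can be checked mechanically against the config that was posted. What follows is an added example written for this thread, not fw4's code and not any poster's: a small Python model that parses a trimmed copy of the /etc/config/firewall above and returns the verdict the explanation predicts for each case discussed. The evaluation order it assumes (rules first, then the zone input policy or forwarding entries, then the defaults section) is stated as an assumption in the module docstring rather than taken from fw4's sources, and a packet's zone is taken from the interface it arrives on, which is why a LAN host's ping to 192.168.10.1 is an input from vlan_1 rather than a crossing into vlan_10.

```python
"""Model of how fw4 (OpenWrt) decides a packet under the thread's zone config.
Added example, not fw4's or the poster's code.  Assumed order for traffic from
zone S: 'config rule' entries with src S first; then, for packets addressed to
the router, S's input policy; for forwarded packets, a 'config forwarding' S->D
entry, S's forward policy when D is S, else the 'config defaults' forward policy."""
import shlex

# Constructed: the thread's /etc/config/firewall trimmed to what the model reads
# (output policies, masq, mtu_fix, the VPN zone, pbr include and DHCP rule dropped).
FIREWALL_CONFIG = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'
config zone
    option name 'vlan_1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'vlan_10'
    option input 'DROP'
    option forward 'REJECT'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'vlan_1'
    option dest 'wan'
config forwarding
    option src 'vlan_10'
    option dest 'wan'
config rule
    option name 'Block LAN to VLAN10'
    option src 'vlan_1'
    option dest 'vlan_10'
    option target 'REJECT'
config rule
    option name 'Allow-vlan10-DNS'
    option src 'vlan_10'
    option dest_port '53'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value | [values]})]."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] == "option":
            sections[-1][1][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections

def rule_matches(rule, src, dst, proto, port):
    """A rule without 'dest' is an input rule (dst None); with 'dest' a forward rule."""
    if rule.get("src") != src or rule.get("dest") != dst:
        return False
    protos = rule.get("proto", [])
    protos = [protos] if isinstance(protos, str) else protos
    if protos and proto not in protos:
        return False
    lo, _, hi = (rule.get("dest_port") or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def verdict(cfg, src, dst=None, proto="icmp", port=0):
    """Verdict for a packet entering from zone src; dst=None = addressed to the router itself."""
    defaults = next(o for s, o in cfg if s == "defaults")
    zones = {o["name"]: o for s, o in cfg if s == "zone"}
    for s, r in cfg:
        if s == "rule" and rule_matches(r, src, dst, proto, port):
            return r["target"], "rule '%s'" % r.get("name", "?")
    if dst is None:
        return zones[src]["input"], "zone %s input policy" % src
    if dst == src:
        return zones[src]["forward"], "zone %s forward policy (intra-zone)" % src
    for s, f in cfg:
        if s == "forwarding" and f["src"] == src and f["dest"] == dst:
            return "ACCEPT", "forwarding %s -> %s" % (src, dst)
    return defaults["forward"], "defaults forward policy (no forwarding %s -> %s)" % (src, dst)

def without_block_rule(cfg):
    """Same config minus the zone-to-zone REJECT rule the thread calls redundant."""
    return [(s, o) for s, o in cfg if not (s == "rule" and "dest" in o)]

if __name__ == "__main__":
    cfg = parse_uci(FIREWALL_CONFIG)
    for label, args in [("LAN host pings 192.168.10.1 (ingress br-lan.1 = input from vlan_1)", ("vlan_1",)),
                        ("LAN host -> guest host", ("vlan_1", "vlan_10")),
                        ("guest host -> router DNS udp/53", ("vlan_10", None, "udp", 53)),
                        ("guest host -> router ssh tcp/22", ("vlan_10", None, "tcp", 22)),
                        ("guest host -> internet via wan", ("vlan_10", "wan"))]:
        print("%-68s %s (%s)" % ((label,) + verdict(cfg, *args)))
    print("LAN -> guest without the block rule: %s (%s)" % verdict(without_block_rule(cfg), "vlan_1", "vlan_10"))
```

Each output line names the verdict and the clause that produced it. Removing the "Block LAN to VLAN10" rule changes only the reason (the defaults forward policy instead of the rule), not the verdict, which is the sense in which the rule is redundant; the guest zone's input DROP is what keeps SSH off the router from vlan_10 while the DNS rule still lets port 53 through.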

I suppose I don't have a use case in mind where one firewall zone would have multiple networks.

I suppose I could add my VPN and WAN networks to the same firewall zone, would that make sense to do?

You could if you want. It's a valid configuration. However, if you want to ensure that traffic from one or both networks can never egress through the regular wan (i.e. a kill-switch when the VPN is down), you need to have a separate zone. But depends on your use case, of course.

