[Solved] Need help for firewall on DMZ zone

I now have IPv6. :slight_smile: And with new technology new questions come up ...

I have a DMZ and an IoT zone (and LAN as well but that's not topic here). I consider those two zones insecure (I have the insecure IoT devices contained in that zone and seperated from the rest of the network..)

OpenWrt has the input filter on an internal zone set to 'accept' by default and as I consider those zones insecure I want to set it to reject.
I have opened ports 53, 67, 68, 123, 546 and 547 UDP for providing DHCP, DNS and NTP. IPv6 is not working properly and I see this is due to ICMP which is essential for IPv6.

So, question is: what ICMP types do I need to allow (really don't want to have them all open)?

So this is how it looks at the moment:

Any help appreciated.

  • What do you need help with?
  • Why do you have a rule that includes ICMP and UDP; but then lists ports? This is wrong.

I use the following, which is a slight alteration of the rule already included in a default OpenWrt config:

config rule
	option name 'New_Allow-ICMPv6-Forward'
	option src '*'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
1 Like

Is ICMP really insecure nowadays? Or is it just a reminder of the old ping-of-death days?


I believe too it belongs to the past. Should I disable icmp?

As far as I know ICMP is essential to IPv6. So I wouldn't disable it. I wonnder what ICMP types need to be

  • open on a WAN interface
  • open on a LAN interface (e.g. DHCPv6?)
  • need to be open for forward between zones (echo, ..)

Is this really a problem? Gives me the following:

which seems to be ports for UDP and open all ICMP, or am I wrong?

Seems to be the new look of Luci in 19.07 merging the protocols and ports in one rule.
Your rules are correct, technically you don't need to open 546, you can however limit 547 only from source port 546.
You may also want to open icmp for ipv4, at least the echo request.

1 Like

Now my original question is still open. The rule, by the way, gives the same list for IPv4..

What ICMP (and TCP/UDP) do I need? The intention is still to have a LAN side interface for a zone containing insecure or potentialy insecure devices, e.g. IoT.
So I need to provide DHCP, NTP, DNS, how about RA? For the rest that is not neccessary it should be blocked to protect the router itself. Don't want to have access to ssh port, the unbound running on the router, etc.

Wow...seems not to be...interesting! :thinking:

I gave you a rule, are you asking about IPv4 now too?

Or perhaps you're asking us to define every ICMP message so you can decide on-the-spot?


Most of this isn't ICMP. Perhaps you intended to ask another question, or re-title this thread?

I personally chose what I want my VLAN to have and open it. If your IoT devices need those services, obviously you'll have to open them. Are you asking for our best practices on that too?



config rule                                 
        option target 'ACCEPT'                      
        option proto 'udp'             
        option dest_port '67'     
        option name 'Allow-LAN2_DHCP'
        option family 'ipv4'      
        option src 'lan2'   
        option src_port '68'

config rule                                              
        option target 'ACCEPT'              
        option name 'Allow-LAN2_DNS'           
        option src 'lan2'         
        option dest_port '53'             
        option family 'ipv4'              
        option dest_ip '192.168.x.1'
        option proto 'udp'       
config rule                          
        option target 'ACCEPT'    
        option proto 'udp'               
        option dest_port '123'           
        option src 'lan2'  
        option name 'Allow-LAN2_NTP'
1 Like

DHCP is enough. They can always ask for time and DNS on the internet if you don't want them to ask the router. So it is up to you.
For IPv6 you can look what is open in the firewall rule for the wan interface and apply the same.

1 Like

Thank you all for your help. I make progress.
For IoT I now have opened icmp (all at the moment) and ports 53, 123, 67, 547 on UDP for IPv4 and IPv6. It's a compromise of having the router secured by closing all unnnessecary ports for that interface and messing up into two much rules.
I do still have a problem with one of the clients (Fritzbox) not getting IPv6 DHCP to work if I reject everything else on that interface (seems to be related to broadcasts on start of DHCP). Funny though that another client does not have problems so I think I will place the fritzbox into a seperate vlan (VoIP) for testing.

So, question is: what ICMP types do I need to allow (really don't want to have them all open)?

This thread has been marked as solved yet I have not seen any adequate answer :face_with_raised_eyebrow: This subject is extremely important so a dedicated rfc (4890) has been published covering this matter: https://tools.ietf.org/html/rfc4890.

In a nutshell: one should never block following icmpv6 traffic: type 1 - type 2 - type 3/0 - type 4/1 and type 4/2. Furthermore other types can be allowed and are explained in detail but I leave it up to you to discover (i.e. you should consult the rfc yourself) :wink:

For me its solved so far as I don't consider having icmp allowed for all types for input being a threat. But I agree, there should be some documentation on what icmp shall be allowed or is recommmended for different kind of interfaces on OpenWrt routers. Whereas type of interface means:

  • WAN interface
  • LAN zone (trusted)
  • DMZ/IoT and other untrusted, but internal zones
  • VPN incomming connections (e.g for home office workers)
  • vpn connections to other sites (so without dhcp, but maybe neighbourhood solicitation)
  • wireguard intferfaces (without dhcp, RA, ...)

In the default config you have a trusted (LAN) and an untrusted (WAN) zone. The trusted accepts everything. The untrusted has a list of allowed things for minimal functionality.
It doesn't matter if it is internal or external, but if you trust it or not.

1 Like

BTW & FYI to all:

  • That RFC is informational
  • The default rules already cover that
  • It's already been noted OpenWrt has the rules by default

For me it's ok so I set the topic to solved.
I realized the default rules but I still wonder if secure on the outside is the same as secure on the inside. One is upstream, other downstream. Including handling RA, dhcp (client vs server), ... I'm new to IPv6.

Also, my initial problem (didn't work with the settings I had) seems to also based on my client. Yesterday the Fritzbox chose an ULA address for IPv6 with the result that VoIP didn't work anymore. Seems it takes randomly one of the addresses it has...

You should not see RAs from an inside network. If there is another router in the LAN, then configure it manually.
As for dhcp etc, you open the ports according to your needs. You might as well assign settings manually, so DHCP is not needed.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.