[Solved] OpenWrt WAN interface naming convention for iptables rules

justme123 · January 9, 2021, 4:19pm

Hi,

I'm having some problems understanding the OpenWrt naming convention for the WAN interface when defining custom firewall iptables rules.
If the WAN is directly connected to the ISP (no PPPoE), usually there is the eth0.2 alias I can use for defining my own iptables rules.
Then, if the WAN uses PPP encapsulation (PPPoE) I need to use the pppoe-wan interface in my iptables rules.
Basically, respecting the Linux (kernel) interface naming convention.

I'd like to have a set of firewall rules that I could just simply move on all the OpenWrt routers without needing to adapt it to the WAN connection specific.

I also tried once to use the OpenWrt network naming as interface in my iptables rules and apparently it worked, using WIFI5 instead of wlan0 & WIFI2 instead of wlan1 (using a routed AP scenario, unbridging LAN, 2,4GHz & 5GHz WiFi networks). But it had quite a high impact on both traffic and CPU load as far as I remember.

trendy · January 9, 2021, 5:45pm

Use this in place of wan $(uci get network.wan.ifname)

justme123 · January 9, 2021, 5:58pm

Thanks for the hint! It just adds to the confusion
On a PPPoE connected router:

#/sbin/uci get network.wan.ifname
eth0.2
# ip a s pppoe-wan
33: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
...
&
...
#logread | grep pppoe-wan
Sat Jan  9 15:17:03 2021 daemon.notice pppd[7323]: Connect: pppoe-wan <--> eth0.2
Sat Jan  9 15:17:04 2021 daemon.notice netifd: Network device 'pppoe-wan' link is up

AFAIK (experience - trying to filter it) the interface eth0.2 is not the same as pppoe-wan

vgaetera · January 9, 2021, 6:10pm

https://openwrt.org/docs/guide-user/base-system/uci#get_wan_interface

justme123 · January 9, 2021, 6:33pm

@vgaetera
Care to elaborate a little?
eth0.2 is the actual WAN interface connected to the ISP through which the encapsulated PPP traffic is flowing, but pppoe-wan (the virtual interface created by pppd) is the actual public WAN interface where the "real" traffic is flowing/routed trough.
Here, a continuation of the system log after the PPPoE reconnect shows that the system is actually reporting the connection of the pppoe-wan interface (reloading firewall) and also fwknopd is identifying pppoe-wan as the actual WAN interface. Using the uci utility the way it was presented previously doesn't really help.

Sat Jan  9 15:17:04 2021 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Sat Jan  9 15:17:05 2021 daemon.info fwknopd[----]: Neither network, nor PCAP_INTF interface specified, trying network wan
Sat Jan  9 15:17:05 2021 daemon.debug fwknopd[----]: Resolved network wan as interface pppoe-wan
Sat Jan  9 15:17:05 2021 daemon.info fwknopd[----]: Listening for changes on network wan

trendy · January 9, 2021, 6:39pm

Worked fine for me. Isn't that what you want?

root@magiatiko / > uci get network.wan.ifname
eth1
root@magiatiko / > . /lib/functions/network.sh
root@magiatiko / > network_flush_cache
root@magiatiko / > network_find_wan NET_IF
root@magiatiko / > network_find_wan6 NET_IF6
root@magiatiko / > network_get_device NET_DEV "${NET_IF}"
root@magiatiko / > network_get_device NET_DEV6 "${NET_IF6}"
root@magiatiko / > echo "${NET_DEV}"
pppoe-wan
root@magiatiko / > echo "${NET_DEV6}"
pppoe-wan

justme123 · January 9, 2021, 6:50pm

Please read the reply I wrote to @vgaetera
Here, a relevant ifconfig excerpt for a PPPoE connect router:

eth0.2    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:69481 errors:0 dropped:2681 overruns:0 frame:0
          TX packets:42074 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:66175876 (63.1 MiB)  TX bytes:6871444 (6.5 MiB)


pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:AAA.AAA.AAA.AAA  P-t-P:BBB.BBB.BBB.BBB  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:66294 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42030 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:65490721 (62.4 MiB)  TX bytes:5945382 (5.6 MiB)

Where AAA.AAA.AAA.AAA is the public routable IP address obtained from the ISP and BBB.BBB.BBB.BBB is some internal non-routable ISP network IP (relevant only for the PPP connection).
Note that the eth0.2 adapter - the one the uci utility identifies as WAN doesn't have an IP address allocated (as expected, doesn't need one).

trendy · January 9, 2021, 6:54pm

And if you had read my reply the Runtime configuration commands return the pppoe-wan

justme123 · January 9, 2021, 6:59pm

Well, I read that section of commands (flush&find & crap) and my head started to hurt
I'll do a trivial conditional checking in the header of my custom firewall to check if pppoe-wan is existent and use it as the external interface.

Thank you all for your inputs.

P.S. The following works on the rather limited ash interpreter (BusyBox) on OpenWrt 19.07.5

extif="eth0.2"
if  [[ $(/bin/cat /sys/class/net/pppoe-wan/carrier) -eq 1 ]] ; then
 extif="pppoe-wan"
fi

Then use the $extif variable in the iptables rules.

system · January 19, 2021, 7:00pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.