I'm having some problems understanding the OpenWrt naming convention for the WAN interface when defining custom firewall iptables rules.
If the WAN is directly connected to the ISP (no PPPoE), usually there is the eth0.2 alias I can use for defining my own iptables rules.
Then, if the WAN uses PPP encapsulation (PPPoE) I need to use the pppoe-wan interface in my iptables rules.
Basically, respecting the Linux (kernel) interface naming convention.
I'd like to have a set of firewall rules that I could simply move to all the OpenWrt routers without needing to adapt it to the specifics of the WAN connection.
I also tried once to use the OpenWrt network naming as the interface in my iptables rules and apparently it worked, using WIFI5 instead of wlan0 and WIFI2 instead of wlan1 (in a routed AP scenario, with LAN, 2.4GHz and 5GHz WiFi networks unbridged). But it had quite a high impact on both traffic and CPU load as far as I remember.
Thanks for the hint! It just adds to the confusion.
On a PPPoE connected router:
# /sbin/uci get network.wan.ifname
eth0.2
# ip a s pppoe-wan
33: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
link/ppp
...
&
...
# logread | grep pppoe-wan
Sat Jan 9 15:17:03 2021 daemon.notice pppd[7323]: Connect: pppoe-wan <--> eth0.2
Sat Jan 9 15:17:04 2021 daemon.notice netifd: Network device 'pppoe-wan' link is up
AFAIK (from experience, trying to filter it) the interface eth0.2 is not the same as pppoe-wan.
@vgaetera
Care to elaborate a little?
eth0.2 is the actual WAN interface connected to the ISP, through which the encapsulated PPP traffic is flowing, but pppoe-wan (the virtual interface created by pppd) is the actual public WAN interface where the "real" traffic is flowing/routed through.
Here, a continuation of the system log after the PPPoE reconnect shows that the system is actually reporting the connection of the pppoe-wan interface (reloading firewall) and also fwknopd is identifying pppoe-wan as the actual WAN interface. Using the uci utility the way it was presented previously doesn't really help.
Sat Jan 9 15:17:04 2021 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Sat Jan 9 15:17:05 2021 daemon.info fwknopd[----]: Neither network, nor PCAP_INTF interface specified, trying network wan
Sat Jan 9 15:17:05 2021 daemon.debug fwknopd[----]: Resolved network wan as interface pppoe-wan
Sat Jan 9 15:17:05 2021 daemon.info fwknopd[----]: Listening for changes on network wan
Where AAA.AAA.AAA.AAA is the public routable IP address obtained from the ISP and BBB.BBB.BBB.BBB is some internal non-routable ISP network IP (relevant only for the PPP connection).
Note that the eth0.2 adapter (the one the uci utility identifies as WAN) doesn't have an IP address allocated (as expected; it doesn't need one).
Well, I read that section of commands (flush&find & crap) and my head started to hurt
I'll do a trivial conditional checking in the header of my custom firewall to check if pppoe-wan is existent and use it as the external interface.
Thank you all for your inputs.
P.S. The following works on the rather limited ash interpreter (BusyBox) on OpenWrt 19.07.5:
extif="eth0.2"
# pppd creates pppoe-wan only while the PPPoE session is up; reading carrier of a
# missing (or down) device fails, so guard the read and compare the value explicitly
if [ -r /sys/class/net/pppoe-wan/carrier ] && [ "$(cat /sys/class/net/pppoe-wan/carrier 2>/dev/null)" = "1" ]; then
    extif="pppoe-wan"
fi
Then use the $extif variable in the iptables rules.
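The following is an added example, not code posted in this thread, that generalizes the sysfs check above and the eth0.2 vs. pppoe-wan distinction explained earlier. On a router, netifd already knows which device the "wan" network routes through: the ubus status of `network.interface.wan` carries `l3_device` (pppoe-wan under PPPoE, eth0.2 under DHCP/static) next to the physical `device` (eth0.2 in both cases), and `/lib/functions/network.sh` wraps that lookup as `network_get_device`. The script prefers that source and falls back to the carrier probe; the sysfs root and the physical ifname are parameters (assumed names, for off-router testing), and the emitted iptables rules are illustrative only.

```shell
#!/bin/sh
# Added example: resolve the OpenWrt WAN layer-3 device once, then build the
# iptables rules around it instead of hard-coding eth0.2 or pppoe-wan.

# wan_l3_device [SYSFS_ROOT] [PHYS_FALLBACK]
#   SYSFS_ROOT defaults to /sys/class/net (assumed parameter, overridable so the
#   fallback logic can be exercised off-router); PHYS_FALLBACK is the raw WAN
#   ifname to use when no PPPoE session is up, default eth0.2.
wan_l3_device() {
    sysroot="${1:-/sys/class/net}"
    phys="${2:-eth0.2}"
    dev=""
    if [ -r /lib/functions/network.sh ]; then
        . /lib/functions/network.sh
        # network_get_device VAR NETWORK sets VAR to the l3_device of NETWORK;
        # it is the shell wrapper around
        #   ubus call network.interface.wan status | jsonfilter -e '@.l3_device'
        network_get_device dev wan
    fi
    if [ -z "$dev" ]; then
        # Fallback without ubus: pppd creates pppoe-wan only while the session
        # is up, and reading carrier of a missing or down device fails (EINVAL),
        # so discard stderr and compare the value explicitly.
        if [ "$(cat "$sysroot/pppoe-wan/carrier" 2>/dev/null)" = "1" ]; then
            dev="pppoe-wan"
        else
            dev="$phys"
        fi
    fi
    printf '%s\n' "$dev"
}

# wan_rules EXTIF: print the WAN-facing rules so they can be reviewed before
# being applied (e.g. wan_rules "$extif" | sh). The rules are illustrative.
wan_rules() {
    extif="$1"
    cat <<EOF
iptables -N wan_custom 2>/dev/null
iptables -F wan_custom
iptables -A wan_custom -i $extif -m conntrack --ctstate INVALID -j DROP
iptables -A wan_custom -i $extif -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
iptables -A wan_custom -i $extif -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
}

extif="$(wan_l3_device)"
echo "# WAN L3 device: $extif"
wan_rules "$extif"
```

The point of reading `l3_device` rather than `uci get network.wan.ifname` is that uci only reports what is configured (eth0.2), while netifd reports what actually carries the routed traffic, which is exactly the device the `Reloading firewall due to ifup of wan (pppoe-wan)` line refers to. The carrier fallback keeps the script usable on hosts without ubus, but it still assumes the PPP device is named pppoe-wan; renaming the wan network changes that.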