[Solved] Simple network segmentation. Why is it soooo hard for newcomers?

You can omit the static dhcp lease part if it is a big part of the config. I suppose there is no issue there.

Other than that, your firewall is pretty empty. You have only lan and wan zones configured. There is a forwarding to a Guest/Guestzone, which doesn't exist. All your other interfaces if_IOT, if_Peripherals, etc. don't belong to any zone, so forwarding will not work with lan or wan.
You can either add them all in lan zone and every interface will communicate with the others, or create individual zones and forwardings depending on which traffic you want to allow.
By default forwardings between zones are not allowed. A forwarding allows all traffic from one zone to another. More fine tuning can be done with individual traffic rules.

But I changed the default to accept forwarding didn't I?

Nonetheless, I will try (again) applying zones, starting with all ifs in lan.

This concerns interfaces not belonging to any zone. Lan and Wan are defined zones with their interfaces, so it won't apply to them.
Quick workaround, add all your if_* interfaces in LAN zone. They will communicate to each other and have internet access. Then you can add rules to deny specific flows. Or you can start taking interfaces out of lan zone and putting them in their own zones, with more specific forwardings to allow traffic towards specific zones.

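The two mismatches described above (a forwarding that names a zone which was never created, and interfaces that belong to no zone) are easy to miss in a long `uci export`. The following lint is an added example, not something posted in the thread or shipped with OpenWrt: it parses the text of `uci export network; uci export firewall` and reports interfaces listed in a zone but never defined, interfaces defined but unzoned, forwardings whose `src`/`dest` zone does not exist, and a `defaults` section whose `forward` policy is `ACCEPT`, which is what lets traffic from an unzoned interface through. `SAMPLE` is constructed to mirror the thread's situation; the interface and zone names in it are taken from the posted config, `if_IOT` on `eth0.60` is assumed.

```python
"""Consistency lint for 'uci export network' / 'uci export firewall' output.

Added example, not from the thread or from OpenWrt: parses the UCI export
text and reports zone/interface/forwarding mismatches of the kind discussed
above.  SAMPLE is constructed; it mirrors the thread's config.
"""
import re
from collections import defaultdict

PACKAGE_RE = re.compile(r"^package\s+'?([^']+?)'?$")
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")

# Constructed sample: if_IOT (assumed VLAN 60) is defined but in no zone,
# zone 'lan' lists an undefined 'if_Servers', and a forwarding points at a
# zone 'Guest' that was never created.  Real exports indent with tabs.
SAMPLE = """\
package network

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'

config interface 'wan'
    option ifname 'eth1.2'

config interface 'if_Trusted'
    option type 'bridge'
    option ifname 'eth0.40'

config interface 'if_IOT'
    option type 'bridge'
    option ifname 'eth0.60'

package firewall

config defaults
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option network 'lan if_Trusted if_Servers'

config zone
    option name 'wan'
    option network 'wan'

config forwarding
    option src 'lan'
    option dest 'Guest'
"""


def parse_uci(text):
    """Return {package: [section...]}; a section is
    {'type': str, 'name': str|None, 'options': {key: [values]}}."""
    packages, package, section = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := PACKAGE_RE.match(line):
            package, section = m.group(1), None
        elif m := SECTION_RE.match(line):
            section = {"type": m.group(1), "name": m.group(2), "options": defaultdict(list)}
            packages[package].append(section)
        elif (m := OPTION_RE.match(line)) and section is not None:
            section["options"][m.group(2)].append(m.group(3))   # 'list' entries accumulate
    return packages


def lint(packages):
    """Return human-readable findings about zone/interface/forwarding mismatches."""
    findings = []
    interfaces = {s["name"] for s in packages.get("network", []) if s["type"] == "interface"}
    fw = packages.get("firewall", [])
    zones = {}                                   # zone name -> set of network names
    for s in fw:
        if s["type"] == "zone":
            nets = {n for v in s["options"].get("network", []) for n in v.split()}
            zones[s["options"].get("name", ["?"])[0]] = nets
    assigned = set().union(*zones.values()) if zones else set()
    for zname, nets in zones.items():
        for n in sorted(nets - interfaces):
            findings.append(f"zone '{zname}' lists interface '{n}', which is not defined in network")
    for n in sorted(interfaces - assigned - {"loopback"}):
        findings.append(f"interface '{n}' is in no zone; zone forwardings never match it")
    for s in fw:
        if s["type"] == "forwarding":
            for key in ("src", "dest"):
                z = s["options"].get(key, ["<missing>"])[0]
                if z not in zones:
                    findings.append(f"forwarding {key}='{z}' names a zone that does not exist")
        elif s["type"] == "defaults" and s["options"].get("forward", ["REJECT"])[0] == "ACCEPT":
            findings.append("defaults forward='ACCEPT': traffic on unzoned interfaces falls through "
                            "to the FORWARD chain policy and is forwarded; prefer REJECT and zone every interface")
    return findings


if __name__ == "__main__":
    for f in lint(parse_uci(SAMPLE)):
        print("-", f)
```

Run it against the real export with `ssh root@router "uci export network; uci export firewall" | python3 lint.py` after replacing `SAMPLE` with `sys.stdin.read()`. The last finding is the least-privilege point: with `forward 'ACCEPT'` in `defaults`, an interface you forgot to put in a zone is not isolated, it is wide open, because nothing but the chain policy ever looks at its traffic.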

Back again where I believe I have been before. All interfaces are now in the lan firewall zone.

I am getting no ping responses back and forth between 2 clients. One Debian is on Trusted, the other, Windows, is on Guest.

Is there anything like traceroute I can do to see where I am missing something only obvious to experts?

Shall I be blunt? If it is this hard then the concept probably could benefit from a rework to be more accessible to the masses.

EDIT: there is no firewall active on either system.

If it helps, my dhcp for the if_* seem to work. I.e. giving ip leases in the expected range.

Should it still matter, I'll give the contents minus the static lease definitions.

Please let me know.

I am desperate my fellows. I am more than willing to get this done on an hourly paid basis. Given one is seasoned
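On the question of whether there is anything like traceroute for the firewall: the closest equivalent in fw3/iptables is the per-rule packet counter that `iptables-save -c` prints in brackets, which the thread already posted. The script below is an added example, not from the thread or from OpenWrt. It parses that output and lists every rule whose target is a deny (`DROP`, `REJECT`, the `reject` chain, or a `zone_*_dest_DROP`/`zone_*_dest_REJECT` chain) and whose counter is non-zero, busiest first, so you can see which rule is eating a ping instead of guessing. `SAMPLE` is constructed from lines of the same shape as the posted dump.

```python
"""Find where packets die in 'iptables-save -c' output (fw3 / iptables).

Added example, not from the thread.  Every rule that jumps to a deny target
and has a non-zero packet count has actually dropped or rejected traffic
since the chains were last (re)built.  SAMPLE is constructed from lines of
the same shape as those posted in the thread.
"""
import re

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
TARGET_RE = re.compile(r"-j\s+(\S+)")
COMMENT_RE = re.compile(r'--comment\s+"([^"]*)"')

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [7:3260]
[4128:247680] -A zone_lan_forward -s 192.168.1.128/25 -p tcp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[10730:1195964] -A zone_lan_forward -s 192.168.1.128/25 -p udp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p tcp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[3388:195849] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[14858:1443644] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[62:5879] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_fw_Guests_forward -m comment --comment "!fw3" -j zone_fw_Guests_dest_REJECT
COMMIT
"""


def is_deny(target):
    """fw3 denies directly (DROP / REJECT / its 'reject' chain) or via zone_*_dest_DROP|REJECT."""
    return target in ("DROP", "REJECT", "reject") or target.endswith(("_DROP", "_REJECT"))


def parse_rules(text):
    """Parse '[pkts:bytes] -A CHAIN ...' lines; table headers, policies and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, chain, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        t = TARGET_RE.search(rest)
        c = COMMENT_RE.search(rest)
        rules.append({"pkts": pkts, "bytes": nbytes, "chain": chain,
                      "target": t.group(1) if t else None,
                      "comment": c.group(1) if c else "", "rule": rest})
    return rules


def deny_hits(text):
    """Rules with a deny target that have counted packets, busiest first."""
    hits = [r for r in parse_rules(text) if r["target"] and is_deny(r["target"]) and r["pkts"] > 0]
    return sorted(hits, key=lambda r: r["pkts"], reverse=True)


if __name__ == "__main__":
    for r in deny_hits(SAMPLE):
        print(f"{r['pkts']:>8} pkts  {r['chain']:<24} -> {r['target']:<26} {r['comment']}")
```

Because fw3 flushes and recreates its chains on every reload (the comment at the top of `/etc/firewall.user` says as much), the counters start at zero after `/etc/init.d/firewall restart`. Restart, send a single ping from the Debian box to the Windows box, run `iptables-save -c` and feed it to `deny_hits()`: the rule that shows 1 packet is the one rejecting it. If no deny counter moves at all, the packet never reached the router's forwarding path, which points at the VLAN tagging on the switch or the AP, or at the client's own firewall, rather than at the zone configuration.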

Windows firewall by default blocks ping coming from a different subnet. Keep that in mind.

You can post once again the output of the commands

This is an advanced scenario. Most commercial home routers wouldn't even dream of adding all this functionality. Most lack the vlans, so nothing that you tried would be possible.


I am now running the most recent version of OpenWrt.
Also I have the interfaces using the correct eth0.xx (corresponding to the correct VLAN id in the switch section) port in the physical settings.
Increased the a in 10.a.b.c by one for the different interfaces, to be able to use a netmask of 255.252.0.0 for the 10.0.0.1 (LAN) interface to span to 10.3.255.255.

--- EDIT
DHCP is working only when coming via interfaces if_Trusted & if_Guests, when coming in via the WAP via tagged SSIDs using the 5 GHz band. Not the 2.4 GHz. ---- NOW DHCP is working properly. Was a misconfiguration in the Level one AP.

Added a temporary if_tmp_oldlan interface so that I am able to connect to all the clients on the old network while migrating them to the new one.

One thing to mention: other than in my network diagram, there is temporarily a Fritzbox router in between the internet and the OpenWrt. I am waiting for my ISP to come and remove that in-between.

Underneath is the output from the commands. I have no more static routes at the moment.

root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,rango",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.252.0.0'

config interface 'if_tmp_oldLan'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.40'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.50'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldLan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

config zone
	option name 'fw_Guests'
	option network 'if_Guests'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'fw_Guests'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Tue Nov 10 11:37:01 2020
*nat
:PREROUTING ACCEPT [27000:2365110]
:INPUT ACCEPT [5233:392153]
:OUTPUT ACCEPT [1355:96696]
:POSTROUTING ACCEPT [1321:78184]
:postrouting_fw_Guests_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_fw_Guests_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_fw_Guests_postrouting - [0:0]
:zone_fw_Guests_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[27000:2365110] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[4184:352987] -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
[20754:1892321] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[51:5023] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[2011:114779] -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_prerouting
[3586:229037] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[12:1976] -A POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
[1302:74060] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[2265:150853] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:1876] -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_postrouting
[3:1876] -A zone_fw_Guests_postrouting -m comment --comment "!fw3: Custom fw_Guests postrouting rule chain" -j postrouting_fw_Guests_rule
[2011:114779] -A zone_fw_Guests_prerouting -m comment --comment "!fw3: Custom fw_Guests prerouting rule chain" -j prerouting_fw_Guests_rule
[1314:76036] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[24938:2245308] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[2265:150853] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2265:150853] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[51:5023] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
COMMIT
# Completed on Tue Nov 10 11:37:01 2020
# Generated by iptables-save v1.8.3 on Tue Nov 10 11:37:01 2020
*mangle
:PREROUTING ACCEPT [92160:26857983]
:INPUT ACCEPT [13553:1728941]
:FORWARD ACCEPT [73929:24735057]
:OUTPUT ACCEPT [9301:949838]
:POSTROUTING ACCEPT [67964:24209091]
[4726:280984] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[652:35748] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Nov 10 11:37:01 2020
# Generated by iptables-save v1.8.3 on Tue Nov 10 11:37:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [7:3260]
:OUTPUT ACCEPT [0:0]
:forwarding_fw_Guests_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_fw_Guests_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_fw_Guests_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_fw_Guests_dest_ACCEPT - [0:0]
:zone_fw_Guests_dest_REJECT - [0:0]
:zone_fw_Guests_forward - [0:0]
:zone_fw_Guests_input - [0:0]
:zone_fw_Guests_output - [0:0]
:zone_fw_Guests_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[19:1849] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[13534:1727092] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1892:262974] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[36:2160] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3713:216715] -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
[5891:1154620] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[138:8615] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[1900:84168] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_input
[73929:24735057] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[55683:23095564] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1035:63750] -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
[17211:1575743] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_forward
[19:1849] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[8890:917333] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7516:818309] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[17:3616] -A OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
[6:480] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1349:94552] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[2:376] -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_output
[62:5879] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[36:2160] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:376] -A zone_fw_Guests_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_fw_Guests_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
[0:0] -A zone_fw_Guests_forward -m comment --comment "!fw3: Custom fw_Guests forwarding rule chain" -j forwarding_fw_Guests_rule
[0:0] -A zone_fw_Guests_forward -m comment --comment "!fw3: Zone fw_Guests to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_fw_Guests_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_fw_Guests_forward -m comment --comment "!fw3" -j zone_fw_Guests_dest_REJECT
[1900:84168] -A zone_fw_Guests_input -m comment --comment "!fw3: Custom fw_Guests input rule chain" -j input_fw_Guests_rule
[0:0] -A zone_fw_Guests_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1900:84168] -A zone_fw_Guests_input -m comment --comment "!fw3" -j zone_fw_Guests_src_ACCEPT
[2:376] -A zone_fw_Guests_output -m comment --comment "!fw3: Custom fw_Guests output rule chain" -j output_fw_Guests_rule
[2:376] -A zone_fw_Guests_output -m comment --comment "!fw3" -j zone_fw_Guests_dest_ACCEPT
[1900:84168] -A zone_fw_Guests_src_ACCEPT -i br-if_Guests -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[17:3616] -A zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
[2477:136598] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[18246:1639493] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4128:247680] -A zone_lan_forward -s 192.168.1.128/25 -p tcp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[10730:1195964] -A zone_lan_forward -s 192.168.1.128/25 -p udp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p tcp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p udp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[3388:195849] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2478:139378] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[9604:1371335] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[9604:1371335] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[23:4096] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[23:4096] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3713:216715] -A zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[5891:1154620] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[12:480] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2247:150543] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[14858:1443644] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[138:8615] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[76:2736] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[62:5879] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1349:94552] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1349:94552] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[62:5879] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Nov 10 11:37:01 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-if_Guests: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.5.0.1/16 brd 10.5.255.255 scope global br-if_Guests
       valid_lft forever preferred_lft forever
10: br-if_Trusted: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.0.1/16 brd 10.4.255.255 scope global br-if_Trusted
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/14 brd 10.3.255.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth1.2 proto static src 192.168.178.20 
10.0.0.0/14 dev br-lan proto kernel scope link src 10.0.0.1 
10.4.0.0/16 dev br-if_Trusted proto kernel scope link src 10.4.0.1 
10.5.0.0/16 dev br-if_Guests proto kernel scope link src 10.5.0.1 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.178.0/24 dev eth1.2 proto kernel scope link src 192.168.178.20 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.3.255.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.4.0.0 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
local 10.4.0.1 dev br-if_Trusted table local proto kernel scope host src 10.4.0.1 
broadcast 10.4.255.255 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
broadcast 10.5.0.0 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
local 10.5.0.1 dev br-if_Guests table local proto kernel scope host src 10.5.0.1 
broadcast 10.5.255.255 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.178.0 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
local 192.168.178.20 dev eth1.2 table local proto kernel scope host src 192.168.178.20 
broadcast 192.168.178.255 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Sep  6 18:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 10 08:57 /tmp/resolv.conf
-rw-r--r--    1 root     root            58 Nov 10 08:57 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.178.1
search fritz.box
head: /tmp/resolv.*/*: No such file or directory


Use ifname @lan

This mask is for 262k hosts. And 65k for /16. Are you expecting that many hosts to connect there?
If you actually do, then setting a leasetime of 2 minutes in dhcp will ddos the router.

Other than that, what other problem you have? It's not clear from your previous post and the edits.


I'll try and move away from the 255.252.0.0 netmask on the lan interface later. I thought I needed it to be able to connect to my servers.

Earlier I thought that the DHCP issue had been solved, but I spoke too soon.

I have segmented the 5 GHz SSIDs from the 2.4 GHz SSIDs by adding a + to the 5 GHz Trusted and Guests.

Also I have enabled radio 0 and 1 on the OpenWrt router and created OpenWrt-Trusted(+) and OpenWRT-Guests(+) there.

When connecting to the Trusted SSID:
I mostly get a 10.4.4.1 DHCP lease, which is good. Sometimes though it fails and then I get a 10.1.4.1, as if there still is a DHCP active on the lan interface, which there should not be as far as I intended.

When connecting to the Trusted+ SSID:
I only get a 10.1.4.1, as if there still is a DHCP active on the lan interface, which there should not be as far as I intended. Whenever I get this IP (whether coming in via here or another SSID) I can't connect to anything. Which is good I guess, but I should not be getting IPs in this range at all.

When connecting to the Guests SSID:
I mostly get a 10.5.4.1 DHCP lease, which is good. Sometimes though it fails and then I get a 10.1.4.1.
But like now, I can't reach anything. No internet and no local.

When connecting to the Guests+ SSID:
Mostly I get a 10.1.4.1, and switching back to Guests I also get a 10.1.4.1.

Connecting to the OpenWrt-Trusted(+) and OpenWRT-Guests(+) SSIDs always results in a 10.1.4.1 DHCP lease, even though they are explicitly for the if_Trusted and if_Guests interfaces respectively.

It looks like the lan interface is somehow not configured correctly because this is what I see in the system log when things have gone wrong:

Tue Nov 10 18:44:06 2020 daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan
Tue Nov 10 18:44:06 2020 daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan
Tue Nov 10 18:44:07 2020 daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan
Tue Nov 10 18:44:08 2020 daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan
Tue Nov 10 18:44:10 2020 daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan

root@OpenWrt:~# uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	content removed due to considerations
	option netmask '255.252.0.0'
	list dns '8.8.8.8'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	list dns '8.8.8.8'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	list dns '8.8.8.8'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

config zone
	option name 'fw_Guests'
	option network 'if_Guests'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'fw_Guests'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Tue Nov 10 18:48:55 2020
*nat
:PREROUTING ACCEPT [20507:1824898]
:INPUT ACCEPT [5463:394292]
:OUTPUT ACCEPT [2485:177218]
:POSTROUTING ACCEPT [1441:89712]
:postrouting_fw_Guests_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_fw_Guests_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_fw_Guests_postrouting - [0:0]
:zone_fw_Guests_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[20507:1824898] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1197:125499] -A PREROUTING -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_prerouting
[16431:1492383] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[29:1680] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[2850:205336] -A PREROUTING -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_prerouting
[5149:338053] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[13:2024] -A POSTROUTING -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_postrouting
[1065:60624] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3708:248341] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[8:1504] -A POSTROUTING -o br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_postrouting
[8:1504] -A zone_fw_Guests_postrouting -m comment --comment "!fw3: Custom fw_Guests postrouting rule chain" -j postrouting_fw_Guests_rule
[2850:205336] -A zone_fw_Guests_prerouting -m comment --comment "!fw3: Custom fw_Guests prerouting rule chain" -j prerouting_fw_Guests_rule
[1078:62648] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.0.0.0/14 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.0.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 10.4.0.0/16 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 10.4.0.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.111/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j SNAT --to-source 192.168.1.1
[17628:1617882] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.0.0.0/14 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 10.4.0.0/16 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.178.20/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis (reflection)" -j DNAT --to-destination 192.168.1.111:443
[3708:248341] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[3708:248341] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[29:1680] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: guideriis" -j DNAT --to-destination 192.168.1.111:443
COMMIT
# Completed on Tue Nov 10 18:48:55 2020
# Generated by iptables-save v1.8.3 on Tue Nov 10 18:48:55 2020
*mangle
:PREROUTING ACCEPT [161992:68733603]
:INPUT ACCEPT [36023:4138303]
:FORWARD ACCEPT [125184:64452489]
:OUTPUT ACCEPT [40717:12570813]
:POSTROUTING ACCEPT [153906:75865022]
[4302:254980] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[868:48348] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Nov 10 18:48:55 2020
# Generated by iptables-save v1.8.3 on Tue Nov 10 18:48:55 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [555:33300]
:OUTPUT ACCEPT [0:0]
:forwarding_fw_Guests_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_fw_Guests_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_fw_Guests_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_fw_Guests_dest_ACCEPT - [0:0]
:zone_fw_Guests_dest_REJECT - [0:0]
:zone_fw_Guests_forward - [0:0]
:zone_fw_Guests_input - [0:0]
:zone_fw_Guests_output - [0:0]
:zone_fw_Guests_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[17414:1412512] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[18609:2725791] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[10024:1529143] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[91:5460] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[577:49449] -A INPUT -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_input
[4723:933276] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[95:4322] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[3190:209601] -A INPUT -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_input
[125184:64452489] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[109461:63081148] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1001:64791] -A FORWARD -i br-if_Trusted -m comment --comment "!fw3" -j zone_lan_forward
[13770:1249382] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[952:57168] -A FORWARD -i br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_forward
[17414:1412512] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[22910:11127385] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[20297:10939723] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[21:4648] -A OUTPUT -o br-if_Trusted -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2579:179870] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[13:3144] -A OUTPUT -o br-if_Guests -m comment --comment "!fw3" -j zone_fw_Guests_output
[33:2090] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[91:5460] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[13:3144] -A zone_fw_Guests_dest_ACCEPT -o br-if_Guests -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_fw_Guests_dest_REJECT -o br-if_Guests -m comment --comment "!fw3" -j reject
[952:57168] -A zone_fw_Guests_forward -m comment --comment "!fw3: Custom fw_Guests forwarding rule chain" -j forwarding_fw_Guests_rule
[952:57168] -A zone_fw_Guests_forward -m comment --comment "!fw3: Zone fw_Guests to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_fw_Guests_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[555:33300] -A zone_fw_Guests_forward -m comment --comment "!fw3" -j zone_fw_Guests_dest_REJECT
[3190:209601] -A zone_fw_Guests_input -m comment --comment "!fw3: Custom fw_Guests input rule chain" -j input_fw_Guests_rule
[0:0] -A zone_fw_Guests_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3190:209601] -A zone_fw_Guests_input -m comment --comment "!fw3" -j zone_fw_Guests_src_ACCEPT
[13:3144] -A zone_fw_Guests_output -m comment --comment "!fw3: Custom fw_Guests output rule chain" -j output_fw_Guests_rule
[13:3144] -A zone_fw_Guests_output -m comment --comment "!fw3" -j zone_fw_Guests_dest_ACCEPT
[3190:209601] -A zone_fw_Guests_src_ACCEPT -i br-if_Guests -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[21:4648] -A zone_lan_dest_ACCEPT -o br-if_Trusted -m comment --comment "!fw3" -j ACCEPT
[1404:73968] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[14771:1314173] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3203:192180] -A zone_lan_forward -s 192.168.1.128/25 -p tcp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[8392:934260] -A zone_lan_forward -s 192.168.1.128/25 -p udp -m comment --comment "!fw3: block iot wan" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p tcp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -s 192.168.1.10/32 -p udp -m comment --comment "!fw3: block default ipcam" -j zone_wan_dest_DROP
[3176:187733] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1404:73968] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[5300:982725] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[5300:982725] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[21:4648] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[21:4648] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[577:49449] -A zone_lan_src_ACCEPT -i br-if_Trusted -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4723:933276] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4:160] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4744:317343] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[11595:1126440] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[95:4322] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[62:2232] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[33:2090] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2579:179870] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2579:179870] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[33:2090] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Nov 10 18:48:55 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-if_Guests: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.5.0.1/16 brd 10.5.255.255 scope global br-if_Guests
       valid_lft forever preferred_lft forever
10: br-if_Trusted: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.0.1/16 brd 10.4.255.255 scope global br-if_Trusted
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/14 brd 10.3.255.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth1.2 proto static src 192.168.178.20 
10.0.0.0/14 dev br-lan proto kernel scope link src 10.0.0.1 
10.4.0.0/16 dev br-if_Trusted proto kernel scope link src 10.4.0.1 
10.5.0.0/16 dev br-if_Guests proto kernel scope link src 10.5.0.1 
192.168.178.0/24 dev eth1.2 proto kernel scope link src 192.168.178.20 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.3.255.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.4.0.0 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
local 10.4.0.1 dev br-if_Trusted table local proto kernel scope host src 10.4.0.1 
broadcast 10.4.255.255 dev br-if_Trusted table local proto kernel scope link src 10.4.0.1 
broadcast 10.5.0.0 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
local 10.5.0.1 dev br-if_Guests table local proto kernel scope host src 10.5.0.1 
broadcast 10.5.255.255 dev br-if_Guests table local proto kernel scope link src 10.5.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.178.0 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
local 192.168.178.20 dev eth1.2 table local proto kernel scope host src 192.168.178.20 
broadcast 192.168.178.255 dev eth1.2 table local proto kernel scope link src 192.168.178.20 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Sep  6 18:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 10 16:09 /tmp/resolv.conf
-rw-r--r--    1 root     root           176 Nov 10 16:15 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface if_Guests
nameserver 8.8.8.8
# Interface if_Trusted
nameserver 8.8.8.8
# Interface lan
nameserver 8.8.8.8
# Interface wan
nameserver 192.168.178.1
search fritz.box
head: /tmp/resolv.*/*: No such file or directory

Disabling the lan interface and if_tmp_oldlan also did not change anything. Sometimes I get:
daemon.warn dnsmasq-dhcp[3200]: no address range available for DHCP request via br-lan

Ummm...because you disabled its interface. I assume you meant to do this, so remove/disable the corresponding DHCP entry...or ignore it.

I actually had these issues before I disabled the lan and if_tmp_oldlan interfaces. After doing so the messages stayed the same.

It seems there is still an old DHCP server active that gives out leases on a random basis. How do I remove the corresponding DHCP entry?

This is what I have in my DHCP config before and after disabling those interfaces:

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

I am happy to report that the intermittent DHCP issues have been solved.

It was a conflict between the DHCP servers on the OpenWrt and the DHCP server (which I thought I needed to troubleshoot) on the WAP.

Earlier weird behaviour was most likely caused by old configuration settings that were lingering around, which I had never noticed because I had only used LuCI up to that point.

Thanks all for the help in the meantime. It has made me plow through where I would otherwise have stopped and given up. Without these suggestions I would never have found the old unused config statements scattered around.

I am getting closer!!! This is getting exciting.

I'll now do some more testing on the firewall settings for Guests.

So, to sum up my experiences thus far: it's sooo hard for newcomers because it's quite possible that (L)uCI doesn't keep the underlying config well organized when used frantically.

Also the docs are not always easy to find. I'll close this topic now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I am not seeing a pencil icon next to the topic subject :frowning:

That's fine, we have added that. You can skip to step 5 and mark a post as the solution or provide the steps that fixed the problem in your own post and mark that as the solution.


I have a concrete example of how (L)uCI can make a mess of things.
When moving my guests interface back to its own firewall zone I normally just save & apply.

But when looking at the unsaved changes first, I saw references to interfaces that have long since been deleted using (L)uCI. Image at the bottom.

Turns out that the lan firewall zone is not properly updated by uci when deleting interfaces from LuCI that are still in a firewall zone. I am sure I am doing something wrong, but just a heads up to @developers.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	content removed due to considerations
	option netmask '255.252.0.0'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	option delegate '0'
	list dns '1.1.1.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	content removed due to considerations
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	option delegate '0'
	option force_link '0'
	list dns '1.1.1.1'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname '@lan'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan if_Guests'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'
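The stale references in the firewall config above (the lan zone still listing `if_Servers`, `if_Switch_APs`, `if_IOT` and `if_Peripherals`, and the `guest` zone pointing at a `guest` network that `/etc/config/network` never defines) are easy to miss by eye. As an added example, not code from this thread or from OpenWrt itself, here is a small POSIX sh script that cross-checks the two UCI files directly as text (so it needs only `awk`, `grep` and `tr`, which BusyBox provides) and prints every `zone network` pair whose network has no `config interface` section. The function names and the trimmed sample copies of the thread's configs in `demo` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): report firewall zones whose
# `network` list names an interface that /etc/config/network does not define.
# Parses the UCI text files directly, so it also runs where `uci` is absent.

# Print the name of every `config interface '<name>'` section in a network file.
uci_interface_names() {
    awk '$1 == "config" && $2 == "interface" { print $3 }' "$1" | tr -d "'\""
}

# Print "<zone> <network>" for each network listed in each `config zone`
# section of a firewall file (handles both `option network 'a b'` and
# repeated `list network 'a'` forms).
uci_zone_networks() {
    awk '
        function flush(   n, i, a) {
            if (inzone && name != "") {
                n = split(nets, a, " ")
                for (i = 1; i <= n; i++) print name, a[i]
            }
        }
        $1 == "config" { flush(); inzone = ($2 == "zone"); name = ""; nets = ""; next }
        inzone && $1 == "option" && $2 == "name"    { name = $3 }
        inzone && $1 == "option" && $2 == "network" { $1 = ""; $2 = ""; nets = $0 }
        inzone && $1 == "list"   && $2 == "network" { nets = nets " " $3 }
        END { flush() }
    ' "$1" | tr -d "'\""
}

# Print "<zone> <network>" for every zone entry that references an interface
# missing from the network file. Usage: stale_zone_networks NETWORK FIREWALL
stale_zone_networks() {
    net_file=$1; fw_file=$2
    uci_zone_networks "$fw_file" | while read -r zone net; do
        if ! uci_interface_names "$net_file" | grep -qx "$net"; then
            echo "$zone $net"
        fi
    done
}

# Demo on trimmed copies (constructed here) of the configs posted in the thread.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/network" <<'EOF'
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'

config interface 'wan'
    option ifname 'eth1.2'
    option proto 'dhcp'

config interface 'if_Trusted'
    option proto 'static'
    option ifname 'eth0.40'

config interface 'if_Guests'
    option proto 'static'
    option ifname 'eth0.50'

config interface 'if_tmp_oldlan'
    option proto 'static'
    option ifname '@lan'
EOF
    cat > "$tmp/firewall" <<'EOF'
config defaults
    option forward 'REJECT'

config zone
    option name 'lan'
    option forward 'ACCEPT'
    option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan if_Guests'

config zone
    option name 'wan'
    option masq '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config zone 'guest'
    option name 'guest'
    option forward 'REJECT'
    option network 'guest'
EOF
    stale_zone_networks "$tmp/network" "$tmp/firewall"
    rm -rf "$tmp"
}
```

Run `stale_zone_networks /etc/config/network /etc/config/firewall` on the router (or `demo` for the sample). On the thread's configs it reports the four deleted `if_*` interfaces in the lan zone, the `guest` zone's undefined `guest` network, and `wan wan6`, because the posted network config defines no `wan6` interface either. Each hit is something to either delete from the zone or define on purpose; the script only finds them, it does not change anything.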
