Working, OpenWrt SNAPSHOT r18302-ea49690ff4 / LuCI Master git-21.343.55550-008bd89
ifstatus LANW
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 40290,
"l3_device": "wlan0",
"proto": "static",
"device": "wlan0",
"updated": [
"addresses"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "10.0.56.1",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
root@OpenWrt:~# ifstatus 4GLINK
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 40429,
"l3_device": "wan",
"proto": "dhcp",
"device": "wan",
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "10.0.100.102",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "0.0.0.0",
"mask": 0,
"nexthop": "10.0.100.1",
"source": "10.0.100.102/32"
}
],
"dns-server": [
"10.0.100.1"
],
"dns-search": [
"lan"
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"hostname": "OpenWrt",
"leasetime": 43200
}
}
package fw3_state
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option __flags_v4 '0x180017'
option __flags_v6 '0x180025'
config zone
option name '4gLAN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '0'
option mtu_fix '0'
option custom_chains '1'
list device 'wlan0@LANW'
list __addrs '10.0.56.1'
list __addrs 'fe80::5e92:5eff:fe37:92c0'
option __flags_v4 '0x8964c7'
option __flags_v6 '0x904c5'
config zone
option name '4gwan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option custom_chains '1'
list device 'wan@4GLINK'
list __addrs '10.0.100.102'
option __flags_v4 '0x8a60c7'
option __flags_v6 '0xa00c5'
No nft installed.
iptables --list-rules
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_4gLAN_rule
-N forwarding_4gwan_rule
-N forwarding_rule
-N input_4gLAN_rule
-N input_4gwan_rule
-N input_rule
-N output_4gLAN_rule
-N output_4gwan_rule
-N output_rule
-N reject
-N syn_flood
-N zone_4gLAN_dest_ACCEPT
-N zone_4gLAN_dest_REJECT
-N zone_4gLAN_forward
-N zone_4gLAN_input
-N zone_4gLAN_output
-N zone_4gLAN_src_ACCEPT
-N zone_4gwan_dest_ACCEPT
-N zone_4gwan_dest_REJECT
-N zone_4gwan_forward
-N zone_4gwan_input
-N zone_4gwan_output
-N zone_4gwan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_4gLAN_input
-A INPUT -i wan -m comment --comment "!fw3" -j zone_4gwan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: any" -j zone_4gLAN_dest_ACCEPT
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_4gLAN_forward
-A FORWARD -i wan -m comment --comment "!fw3" -j zone_4gwan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_4gLAN_output
-A OUTPUT -o wan -m comment --comment "!fw3" -j zone_4gwan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_4gLAN_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_4gLAN_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
-A zone_4gLAN_forward -m comment --comment "!fw3: Custom 4gLAN forwarding rule chain" -j forwarding_4gLAN_rule
-A zone_4gLAN_forward -m comment --comment "!fw3: any" -j zone_4gwan_dest_ACCEPT
-A zone_4gLAN_forward -m comment --comment "!fw3: Zone 4gLAN to 4gwan forwarding policy" -j zone_4gwan_dest_ACCEPT
-A zone_4gLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_4gLAN_forward -m comment --comment "!fw3" -j zone_4gLAN_dest_REJECT
-A zone_4gLAN_input -m comment --comment "!fw3: Custom 4gLAN input rule chain" -j input_4gLAN_rule
-A zone_4gLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_4gLAN_input -m comment --comment "!fw3" -j zone_4gLAN_src_ACCEPT
-A zone_4gLAN_output -m comment --comment "!fw3: Custom 4gLAN output rule chain" -j output_4gLAN_rule
-A zone_4gLAN_output -m comment --comment "!fw3" -j zone_4gLAN_dest_ACCEPT
-A zone_4gLAN_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_4gwan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_4gwan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
-A zone_4gwan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
-A zone_4gwan_forward -m comment --comment "!fw3: Custom 4gwan forwarding rule chain" -j forwarding_4gwan_rule
-A zone_4gwan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3: any" -j zone_4gLAN_dest_ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3: any" -j ACCEPT
-A zone_4gwan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_4gwan_forward -m comment --comment "!fw3" -j zone_4gwan_dest_REJECT
-A zone_4gwan_input -m comment --comment "!fw3: Custom 4gwan input rule chain" -j input_4gwan_rule
-A zone_4gwan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_4gwan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_4gwan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_4gwan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_4gwan_input -m comment --comment "!fw3" -j zone_4gwan_src_REJECT
-A zone_4gwan_output -m comment --comment "!fw3: Custom 4gwan output rule chain" -j output_4gwan_rule
-A zone_4gwan_output -m comment --comment "!fw3" -j zone_4gwan_dest_ACCEPT
-A zone_4gwan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
OpenWrt 22.03.0-rc4 r19426-2b1941e47d / LuCI openwrt-22.03 branch git-22.140.66268-ef99568
root@OpenWrt:~# nft list ruleset
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
counter packets 20 bytes 1742 jump accept_to_4gLAN comment "!fw4: any"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_4gLAN {
jump accept_from_4gLAN
}
chain output_4gLAN {
jump accept_to_4gLAN
}
chain forward_4gLAN {
counter packets 0 bytes 0 jump accept_to_4gwan comment "!fw4: any"
jump accept_to_4gwan comment "!fw4: Accept 4gLAN to 4gwan forwarding"
jump reject_to_4gLAN
}
chain accept_from_4gLAN {
}
chain accept_to_4gLAN {
}
chain reject_to_4gLAN {
}
chain input_4gwan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_4gwan
}
chain output_4gwan {
jump accept_to_4gwan
}
chain forward_4gwan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: Allow-ISAKMP"
counter packets 0 bytes 0 jump accept_to_4gLAN comment "!fw4: any"
counter packets 0 bytes 0 accept comment "!fw4: any"
jump reject_to_4gwan
}
chain accept_to_4gwan {
}
chain reject_from_4gwan {
}
chain reject_to_4gwan {
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
}
chain srcnat_4gwan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 4gwan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain helper_4gLAN {
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
}
}
root@OpenWrt:~# cat /var/run/fw4.state
{ "zones": [ { "enabled": true, "name": "4gLAN", "network": [ { "invert": false, "val": "LANW", "device": "LANW" } ], "input": "accept", "output": "accept", "forward": "reject", "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wlan0" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "accept": true }, "dflags": { "accept": true, "reject": true, "helper": true }, "match_devices": [ "wlan0" ], "match_subnets": [ "10.0.56.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wlan0" ] }, { "enabled": true, "name": "4gwan", "network": [ { "invert": false, "val": "4GLINK", "device": "4GLINK" } ], "input": "reject", "output": "accept", "forward": "reject", "masq": true, "mtu_fix": true, "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wan" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "reject": true }, "dflags": { "accept": true, "reject": true, "snat": true }, "match_devices": [ "wan" ], "match_subnets": [ "10.0.100.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wan" ] } ], "ipsets": null, "networks": { "4GLINK": { "up": true, "device": "wan", "physdev": "wan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 
24 } ] }, "LANW": { "up": true, "device": "wlan0", "physdev": "wlan0", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ] }, "lan": { "up": true, "device": "br-lan", "physdev": "br-lan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.77.87", "mask": "255.255.255.0", "bits": 24 }, { "family": 6, "addr": "fdd9:f5e0:a057::1", "mask": "ffff:ffff:ffff:fff0::", "bits": 60 } ] }, "loopback": { "up": true, "device": "lo", "physdev": "lo", "zone": null, "ipaddrs": [ { "family": 4, "addr": "127.0.0.1", "ma
root@OpenWrt:~# cat /var/run/fw4.state
{ "zones": [ { "enabled": true, "name": "4gLAN", "network": [ { "invert": false, "val": "LANW", "device": "LANW" } ], "input": "accept", "output": "accept", "forward": "reject", "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wlan0" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "accept": true }, "dflags": { "accept": true, "reject": true, "helper": true }, "match_devices": [ "wlan0" ], "match_subnets": [ "10.0.56.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wlan0" ] }, { "enabled": true, "name": "4gwan", "network": [ { "invert": false, "val": "4GLINK", "device": "4GLINK" } ], "input": "reject", "output": "accept", "forward": "reject", "masq": true, "mtu_fix": true, "auto_helper": true, "counter": true, "family": null, "match_rules": [ { "family": 0, "devices_pos": [ "wan" ], "devices_neg": null, "devices_neg_wildcard": null, "subnets_pos": null, "subnets_neg": null, "subnets_masked": null } ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "reject": true }, "dflags": { "accept": true, "reject": true, "snat": true }, "match_devices": [ "wan" ], "match_subnets": [ "10.0.100.0/24" ], "related_subnets": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 24 } ], "related_physdevs": [ "wan" ] } ], "ipsets": null, "networks": { "4GLINK": { "up": true, "device": "wan", "physdev": "wan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.100.102", "mask": "255.255.255.0", "bits": 
24 } ] }, "LANW": { "up": true, "device": "wlan0", "physdev": "wlan0", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.56.1", "mask": "255.255.255.0", "bits": 24 } ] }, "lan": { "up": true, "device": "br-lan", "physdev": "br-lan", "zone": null, "ipaddrs": [ { "family": 4, "addr": "10.0.77.87", "mask": "255.255.255.0", "bits": 24 }, { "family": 6, "addr": "fdd9:f5e0:a057::1", "mask": "ffff:ffff:ffff:fff0::", "bits": 60 } ] }, "loopback": { "up": true, "device": "lo", "physdev": "lo", "zone": null, "ipaddrs": [ { "family": 4, "addr": "127.0.0.1", "mask": "255.0.0.0", "bits": 8 } ] } }, "ubus_rules": [ ] }root@OpenWrt:~#
root@OpenWrt:~# ifstatus LANW
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 325,
"l3_device": "wlan0",
"proto": "static",
"device": "wlan0",
"updated": [
"addresses"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "10.0.56.1",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
root@OpenWrt:~# ifstatus 4GLINK
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 358,
"l3_device": "wan",
"proto": "dhcp",
"device": "wan",
"updated": [
"addresses",
"routes",
"data"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "10.0.100.102",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "0.0.0.0",
"mask": 0,
"nexthop": "10.0.100.1",
"source": "10.0.100.102/32"
}
],
"dns-server": [
"10.0.100.1"
],
"dns-search": [
"lan"
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"dhcpserver": "10.0.100.1",
"hostname": "OpenWrt",
"leasetime": 43200
}
}
FYI
I have configured OpenWrt from scratch, and it now has a slightly different firewall config: there are the standard generated rules, like Allow-Ping, Allow-DHCP-Renew and so on, but I don't think they play any role here... I hope it's not necessary to post the config again...