Still a bit lost in Firewall rules

It has been a while since I used OpenWrt or set up an "open" router of my own.
I use it as the Internet gateway for my home:

ISP router/modem -- OpenWrt router -- home network

Normally I set up the firewall like this:
home network: everything allowed
WAN to home network: everything allowed that is related or established

I normally have a very small ruleset for that.

Now I'm trying to understand the corresponding settings in OpenWrt with all the tables and zones that exist there. I understand that a fresh install of OpenWrt does mostly what I want; is that correct?

I found the section "Traffic", though, which allows some requests from WAN to LAN.
Most seem somewhat "wrong" for my settings, e.g. DHCP requests from WAN to LAN are allowed.

I didn't gain much knowledge from the documentation I found...

The default rules are adequate for your use case. The DHCP rule you mention allows DHCP responses into WAN - this is needed to properly handle DHCP renewals.

1 Like

Has this been verified recently (as the default rules are holdovers from 3+ years ago), and/or does this only affect certain routers/modems?

  • I only ask because I always remove the default rules [they're too open for me personally], and I've never had an issue with DHCP renewal for the WAN interface, as WAN-side DHCP is handled by the modem (at least for cable, not sure about DSL or fiber).

Yes, this has been verified within the last 12 months. The problem arises when (half of) the DHCP renewal time is longer than the netfilter conntrack timeout - in this case DHCP renewal responses are no longer regarded as established/related and get discarded, which forces the udhcpc client into a complete DHCP renegotiation cycle. That has the side effect of tearing down wan completely and flushing the conntrack table, interrupting all established sessions.

4 Likes
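For readers trying to map the "Traffic" rules in the discussion above onto what a fresh install actually ships, here is an added example (not from any post in this thread, and not OpenWrt project code) that parses the UCI syntax of /etc/config/firewall and lists every rule that accepts traffic arriving from the wan zone. The embedded config is constructed for this example: its defaults, lan/wan zones and the Allow-DHCP-Renew and Allow-Ping rules are modelled on the stock OpenWrt firewall defaults, while the Example-Forward-To-LAN-Host rule is invented purely to show the distinction the example makes, namely that a rule without a `dest` option applies to traffic addressed to the router itself (the zone's input policy), whereas a rule with `dest` applies to forwarded traffic. Under that rule of thumb the stock DHCP rule only admits UDP to port 68 on the router's own wan interface; it does not open anything towards the LAN.

```python
import shlex

# Constructed sample modelled on the stock /etc/config/firewall of a fresh
# OpenWrt install. The last rule (Example-Forward-To-LAN-Host) is NOT a stock
# rule; it is invented here to illustrate a forwarded-traffic rule.
SAMPLE_FIREWALL = """\
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Example-Forward-To-LAN-Host'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI 'config/option/list' syntax into a list of section dicts.

    Each dict carries '.type' (e.g. 'zone', 'rule') and '.name' (the optional
    section name) plus one key per option; 'list' entries become Python lists.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        keyword = parts[0]
        if keyword == "config":
            current = {".type": parts[1], ".name": parts[2] if len(parts) > 2 else None}
            sections.append(current)
        elif keyword == "option" and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif keyword == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
        else:
            raise ValueError(f"unexpected UCI line: {raw!r}")
    return sections


def zone_policy(sections, zone_name):
    """Return the input/output/forward policy of the named zone."""
    for s in sections:
        if s[".type"] == "zone" and s.get("name") == zone_name:
            return {k: s.get(k, "") for k in ("input", "output", "forward")}
    raise KeyError(zone_name)


def wan_accept_rules(sections, zone="wan"):
    """List the 'rule' sections that ACCEPT traffic arriving from `zone`.

    A rule with no 'dest' matches traffic to the router itself (zone input);
    a rule with 'dest' matches traffic forwarded into that destination zone.
    """
    result = []
    for s in sections:
        if s[".type"] != "rule" or s.get("src") != zone:
            continue
        if s.get("target", "").upper() != "ACCEPT":
            continue
        result.append({
            "name": s.get("name", "(unnamed)"),
            "proto": s.get("proto", "any"),
            "dest_port": s.get("dest_port", "any"),
            "scope": ("forward to " + s["dest"]) if "dest" in s else "input to router",
        })
    return result


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_FIREWALL)
    print("wan zone policy:", zone_policy(secs, "wan"))
    for r in wan_accept_rules(secs):
        print(f"{r['name']}: {r['proto']} dport {r['dest_port']} ({r['scope']})")
```

On a real router the same functions can be pointed at the live file (`parse_uci(open("/etc/config/firewall").read())`); anything reported as "forward to lan" is a hole from WAN into the home network, whereas "input to router" entries only reach the OpenWrt box itself and are governed by the wan zone's input policy, which is REJECT in the sample above.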