Still possible to access luci from vlan

Hey there,

I have created a VLAN which I am using for a server. The VLAN itself works, but the problem is that I can't block the server from accessing luci. I don't see where the issue is: I have created a firewall zone and blocked forwarding from the VLAN zone to LAN. Access from LAN to the VLAN zone should still be possible, so that I can connect to the server from my LAN zone via SSH.

My VLAN zone is called synapse. Here are my config files:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '*********'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'eth1'
	option macaddr '**********'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr '***********'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.1.188'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '192.168.1.188'

config device
	option type 'bridge'
	option name 'br-synapse'
	list ports 'eth2'
	list ports 'eth3'

config device
	option name 'eth2'

config bridge-vlan
	option device 'br-synapse'
	option vlan '20'
	list ports 'eth2'
	list ports 'eth3'

config interface 'synapse'
	option device 'br-synapse.20'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.188'

config device
	option name 'eth3'

config device
	option name 'br-synapse.20'
	option type '8021q'
	option ifname 'br-synapse'
	option vid '20'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option output 'ACCEPT'
	option synflood_protect '1'
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-SSH-From-WAN-to-LAN'
	option src 'wan'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'
	option target 'REJECT'

config rule
	option name 'Block-HTTPS-from-WAN-to-LAN'
	option src 'wan'
	option src_port '443'
	option dest 'lan'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-HTTP-from-WAN-to-LAN'
	option src 'wan'
	option src_port '80'
	option dest 'lan'
	option dest_port '80'
	option target 'REJECT'

config zone
	option name 'synapse'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	list device 'br-synapse.20'
	list network 'synapse'

config forwarding
	option src 'synapse'
	option dest 'wan'

config rule
	option name 'Block synapse from accessing luci http'
	option src 'synapse'
	option src_port '80'
	list dest_ip '192.168.1.1'
	option dest_port '80'
	option target 'REJECT'

config rule
	option name 'Block synapse from accessing luci https'
	option src 'synapse'
	option src_port '443'
	list dest_ip '192.168.1.1'
	option dest_port '443'
	option target 'REJECT'

config forwarding
	option src 'lan'
	option dest 'synapse'
root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'synapse'
	option interface 'synapse'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'synapse-server'
	option dns '1'
	option Mac '********'
	option ip '192.168.3.171'

Some parts are masked with *** to keep the information private.

luci is a service running on the router itself, so it is reachable from every network attached to the router; blocking forwarding between zones does not affect it, because traffic to the router is handled by the zone's input policy, not by forwarding. It can be blocked with a suitable rule:

config rule
    option name 'Block luci http'
    option src 'synapse'
    option dest_port '80'
    option target 'REJECT'

Note that src_port is not in the rule: clients use a random (ephemeral) source port for an outgoing connection, so the source port will practically never be 443, for example, and a rule that requires that as the src_port will never match.

The standard practice, though, is to set the default input policy of the zone (synapse) to REJECT and then add rules that allow only the router services that are actually needed, such as DHCP and DNS. This is exactly the same as setting up a guest network.

  • You allow input

Suggestion: don't match on the IP address - just block input for the zone. :wink:

(BTW - with the zone's current input policy, all of the router's IP addresses are reachable.)


If I'm not mistaken, you could also make luci listen only on certain IP addresses

by modifying

cat /etc/config/uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_https '0.0.0.0:443'

provided that the firewall zone's input policy is set to drop.


You mean I should block input on the synapse zone?

If you set input to drop or reject,

you need to create rules that allow the following essentials:

53 dns
67 dhcp

follow the guide:


After changing the settings in /etc/config/uhttpd, I should set the input policy on the lan zone to drop - did I get this right?

Not on lan,

but on synapse.


example:

guest --> wan ok
lan --> guest ok
guest --> lan ko
guest --> to luci on router ko

my luci

netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      

my guest zone:

cat /etc/config/firewall
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config rule 'guest_dhcp'
        option name 'Allow-dns-dhcp-Guest'
        option src 'guest'
        option dest_port '53 67'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

This is partially true, but it does not actually replace the firewall rule.

So... if you were to put 192.168.1.1 in that field, it would listen on that address only. It would no longer respond to a request sent to 192.168.3.1. However, a host on the synapse network (192.168.3.0/24) would still be able to reach the router if the connection request were addressed to 192.168.1.1, because the listen address does not stop packets from arriving from another zone.

If blocking access is desired, the firewall is what does this... either by setting the zone's input policy to drop/reject, or by a specific rule that drops/rejects the respective service ports (80/443, 22, etc.).


I apologize for my mistake

No need to apologize... this is, in fact, a common misunderstanding of the role of the "listen on" address.


I set the input policy for the synapse zone to REJECT.

Port 8282 is the port used to connect to OpenWrt via SSH;
OpenWrt is reachable at 192.168.1.1.

Here is the nmap output from my server on the synapse network while input is set to REJECT.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-09 10:34 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).

PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-09 10:35 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).

PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-09 10:36 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).

PORT     STATE  SERVICE
8282/tcp closed libelle

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

If I try to ping google.com from my server, the output is the following:

ping: google.com: Temporary failure in name resolution

Here is my current firewall config:

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option output 'ACCEPT'
	option synflood_protect '1'
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip '****'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-SSH-From-WAN-to-LAN'
	option src 'wan'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'
	option target 'REJECT'

config rule
	option name 'Block-HTTPS-from-WAN-to-LAN'
	option src 'wan'
	option src_port '443'
	option dest 'lan'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-HTTP-from-WAN-to-LAN'
	option src 'wan'
	option src_port '80'
	option dest 'lan'
	option dest_port '80'
	option target 'REJECT'

config zone
	option name 'synapse'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'synapse.20'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'synapse'

config forwarding
	option src 'synapse'
	option dest 'wan'

config rule
	option src 'synapse'
	option target 'ACCEPT'
	option name 'Allow Synapse DHCP and DNS'
	option src_port '53 67-68'
	option dest_port '53 67-68'

When I set input back to ACCEPT on the synapse zone and add this rule for the zone:

config rule
	option name 'Block synapse from accessing https http and ssh'
	option src 'synapse'
	option src_port '8282 443 80'
	option dest_port '8282 443 80'
	option target 'REJECT'
	option enabled '0'

the ports on OpenWrt are reachable again from my server.

Do I have to change something in the rules?

Another problem I ran into is that my DNS server is at 192.168.1.188. Do I have to change the rules to allow DNS requests from 192.168.3.171 (the server on the synapse network) to 192.168.1.188 (the DNS server)?

If I should explain some parts of my config in more detail, or if you are missing some parts, please let me know :slight_smile:

Some parts are masked with *** to keep the information private.

Usually, the preferred approach is to prohibit access to the router itself from an untrusted zone by setting input = drop. Then, allow only the specific services needed (often DHCP and DNS, possibly other services depending on the need).

Before getting to the rules, a note about this:

Please refer back to the statement from @mk24 ...

Now...
delete all of these rules -- they're unnecessary.

Then, edit this rule by removing the src_port option (that is why it isn't working).


Change this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

to:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

and
change this:

config rule
	option src 'synapse'
	option target 'ACCEPT'
	option name 'Allow Synapse DHCP and DNS'
	option src_port '53 67-68'
	option dest_port '53 67-68'

to:

config rule
	option src 'synapse'
	option target 'ACCEPT'
	option name 'Allow Synapse DHCP and DNS'
	option dest_port '53 67 68'
	list proto 'tcp'
	list proto 'udp'

Thank you, that is working now!

Also follow the advice of:

I also did that, and it's working fine :slight_smile: Thanks to both of you, @ncompact and @psherman, and to the others, @lleachii and @mk24.

