Traffic inexplicably blocked

Hi everyone,

Once again, I struggle to understand how OpenWRT 20.03's firewall works.

I have a Synology NAS with Plex on it.
It is "flooding" the network with UDP packets on UDP ports 32410, 32412, 32413 and 32414.
Whether or not it is legitimate, I do not care for now.
What bothers me is that it seems like OpenWRT is blocking this traffic, as my logs are filled with these:

reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=36463 DF PROTO=UDP SPT=51347 DPT=32412 LEN=29
reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=38848 DF PROTO=UDP SPT=42063 DPT=32414 LEN=29
reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=41083 DF PROTO=UDP SPT=51347 DPT=32412 LEN=29

First, I do not understand why the firewall is blocking traffic inside a single zone.
Just to be sure, I set up rules to specifically allow this traffic... And it does nothing.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option log_limit '5/second'
        option input 'REJECT'

config rule
        option name 'Allow Plex GDM network discovery 0'
        list src_ip '10.22.22.192'
        option target 'ACCEPT'
        option dest_port '32410'
        list proto 'udp'
        option src 'lan'
        option dest 'lan'
        list dest_ip '10.22.22.0/24'
...
config rule
        option name 'Allow Plex GDM network discovery 4'
        list src_ip '10.22.22.192'
        option target 'ACCEPT'
        option dest_port '32414'
        list proto 'udp'
        option src 'lan'
        option dest 'lan'
        list dest_ip '10.22.22.0/24'

I tried to disable SYN-flood protection but it did nothing either...

These are going to the broadcast address for your network (assuming you're using a /24 subnet).

Normally, input, output and forward are all "ACCEPT" on the lan. Is there a reason you're not allowing input (i.e. access to the router itself) from the lan zone/lan network? I suspect that these errors are showing up because all devices on the network (including the router) will listen to the broadcast address. However, because you have rejected the input, it is doing two things:

  1. the router cannot actually accept the broadcast (not necessarily consequential)
  2. it is sending back a REJECT reply -- this may cause the plex server to try resending the broadcast, thus flooding the network.

I'd recommend setting input = ACCEPT, unless there is a reason to block it. In that situation, use DROP instead so it silently drops the packets rather than sending back a reject.

These two rules can be deleted...

They don't do anything because the traffic is not traversing the routing engine/firewall (which is L3). The traffic is on the same network which means it is switched (L2), not routed.

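As an added example (not code from the post or from either participant), a small Python parser for the "reject lan in:" lines quoted above that runs the checks the reply makes: whether DST is the subnet's broadcast address, whether the traffic is LAN-to-LAN, and which zone policy (input, not forward) produced the reject. It assumes the LAN is the /24 given as a parameter and reuses the three log lines from the post as constructed sample input.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the three log lines quoted in the post (MACs masked as in the post).
SAMPLE_LOG = """\
reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=36463 DF PROTO=UDP SPT=51347 DPT=32412 LEN=29
reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=38848 DF PROTO=UDP SPT=42063 DPT=32414 LEN=29
reject lan in: IN=br-lan OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:00 SRC=10.22.22.192 DST=10.22.22.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=41083 DF PROTO=UDP SPT=51347 DPT=32412 LEN=29
"""

# "<action> <zone> <chain>:" is the prefix the zone 'log' option puts in front of the
# netfilter fields; the chain says which zone policy fired (in = the router's own input).
PREFIX_RE = re.compile(r"^(?P<action>\w+) (?P<zone>\w+) (?P<chain>in|out|forward):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict of the prefix and KEY=VALUE fields, or None for a non-firewall line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The second LEN= (UDP length) overwrites the IP one; only addresses, ports, proto matter here.
    rec.update((k.lower(), v) for k, v in FIELD_RE.findall(line))
    return rec

def classify(rec, lan_net):
    """Add the checks from the reply: is DST the subnet broadcast, and is this LAN-to-LAN?"""
    net = ipaddress.ip_network(lan_net)
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["to_broadcast"] = dst == net.broadcast_address
    rec["lan_to_lan"] = src in net and dst in net
    # Same-subnet unicast is switched at L2 and never reaches the forward chain; only packets
    # addressed to the router itself (or to broadcast) are judged by the zone's input policy.
    rec["policy"] = "zone input" if rec["chain"] == "in" else "zone " + rec["chain"]
    return rec

def summarize(log_text, lan_net):
    recs = [classify(r, lan_net) for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_dport": dict(Counter(r["dpt"] for r in recs)),
        "broadcast_input_rejects": sum(r["to_broadcast"] and r["chain"] == "in" for r in recs),
        "lan_to_lan": sum(r["lan_to_lan"] for r in recs),
        "policies": sorted({r["policy"] for r in recs}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.22.22.0/24"))
```

When every reject is counted under "zone input" with DST equal to the broadcast address, the zone's `option input` setting is what is firing, and lan-to-lan `config rule` entries cannot change the outcome.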