Hi,
I've just bought a Linksys WRT3200ACM and am trying to set up a simple configuration with OpenWRT: 1 LAN subnet and 1 wifi guest subnet, half-isolated (computers in GUEST cannot access computers in LAN, but LAN computers can access computers in GUEST). The problem is that pings and connections (iperf) work in both directions.
I have two interfaces:
LAN (192.168.1.x, mapped on device switch-port-lan1, but I also tried br-lan)
GUEST (192.168.2.x, mapped on device wireless)
Both use DHCP. I set two static leases in order to give them the right IPs: computer 1 on ethernet has 192.168.1.5, computer 2 on wifi has 192.168.2.5. That's OK.
I created two firewall zones, named Lan and Guest, and the interfaces are respectively bound to them:
Lan: Allow forwarding to Guest. Input Accept, Output Accept, Forward Accept
Guest: No forward allowed (arrow to REJECT in LuCI). Input Accept, Output Accept, Forward Reject
In this context, I'm able to ping and connect in both directions. Am I missing something? I did all the configuration with LuCI; I'm not confident enough in my network and firewall knowledge to do it in text/file mode.
I also tried to add a Traffic Rule, placed on top of all others, with: Any protocol, source Guest, destination Lan, action Reject; but still the same.
Thanks for your help!
uci show firewall; iptables-save -c
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='Guest'
firewall.@zone[0].network='Guest'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='lan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].network='lan'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wan' 'wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
iptables-save -c
# Generated by iptables-save v1.8.7 on Tue Oct 26 00:57:03 2021
*nat
:PREROUTING ACCEPT [2704:231860]
:INPUT ACCEPT [2675:227881]
:OUTPUT ACCEPT [217:15030]
:POSTROUTING ACCEPT [218:15114]
:postrouting_Guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_Guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_Guest_postrouting - [0:0]
:zone_Guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2704:231860] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[110:11297] -A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_Guest_prerouting
[2594:220563] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[218:15114] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:334] -A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_Guest_postrouting
[1:84] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[1:334] -A zone_Guest_postrouting -m comment --comment "!fw3: Custom Guest postrouting rule chain" -j postrouting_Guest_rule
[110:11297] -A zone_Guest_prerouting -m comment --comment "!fw3: Custom Guest prerouting rule chain" -j prerouting_Guest_rule
[1:84] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2594:220563] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Oct 26 00:57:03 2021
# Generated by iptables-save v1.8.7 on Tue Oct 26 00:57:03 2021
*mangle
:PREROUTING ACCEPT [9132:802669]
:INPUT ACCEPT [9098:798270]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [8532:875204]
:POSTROUTING ACCEPT [8538:875708]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Oct 26 00:57:03 2021
# Generated by iptables-save v1.8.7 on Tue Oct 26 00:57:03 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Guest_dest_ACCEPT - [0:0]
:zone_Guest_dest_REJECT - [0:0]
:zone_Guest_forward - [0:0]
:zone_Guest_input - [0:0]
:zone_Guest_output - [0:0]
:zone_Guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1728:118012] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[7370:680258] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4694:450346] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[41:2528] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[88:9884] -A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_Guest_input
[2588:220028] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[6:504] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5:420] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:84] -A FORWARD -m comment --comment "!fw3: Zone * to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_Guest_forward
[0:0] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1728:118012] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6804:757192] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6803:756858] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:334] -A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_Guest_output
[0:0] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[41:2528] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:334] -A zone_Guest_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Guest_dest_REJECT -o wlan1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Guest_forward -m comment --comment "!fw3: Custom Guest forwarding rule chain" -j forwarding_Guest_rule
[0:0] -A zone_Guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Guest_forward -m comment --comment "!fw3" -j zone_Guest_dest_REJECT
[88:9884] -A zone_Guest_input -m comment --comment "!fw3: Custom Guest input rule chain" -j input_Guest_rule
[0:0] -A zone_Guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[88:9884] -A zone_Guest_input -m comment --comment "!fw3" -j zone_Guest_src_ACCEPT
[1:334] -A zone_Guest_output -m comment --comment "!fw3: Custom Guest output rule chain" -j output_Guest_rule
[1:334] -A zone_Guest_output -m comment --comment "!fw3" -j zone_Guest_dest_ACCEPT
[88:9884] -A zone_Guest_src_ACCEPT -i wlan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:84] -A zone_lan_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2588:220028] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2588:220028] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2588:220028] -A zone_lan_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 26 00:57:03 2021
# Delete every anonymous forwarding section (the dump above has one with dest='lan' and no src, which fw3 renders as a "Zone * to lan" policy)
while uci -q delete firewall.@forwarding[0]; do :; done
# Re-create the intended zone pairs as named forwarding sections
uci set firewall.lan_wan="forwarding"
uci set firewall.lan_wan.src="lan"
uci set firewall.lan_wan.dest="wan"
uci set firewall.lan_guest="forwarding"
uci set firewall.lan_guest.src="lan"
uci set firewall.lan_guest.dest="Guest"
uci set firewall.guest_wan="forwarding"
uci set firewall.guest_wan.src="Guest"
uci set firewall.guest_wan.dest="wan"
# Save and apply
uci commit firewall
/etc/init.d/firewall restart
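The fix above works because fw3 renders a forwarding section that has a dest but no src as a wildcard policy: in the first iptables-save -c dump it shows up as the FORWARD rule commented "!fw3: Zone * to lan forwarding policy" jumping to zone_lan_dest_ACCEPT, and that rule sits before the jump into zone_Guest_forward, so every zone (Guest included) could open connections to lan and a Guest-to-lan Reject traffic rule in the Guest zone's chain was never consulted. The POSIX shell script below is an added example, not code from this thread or from the OpenWrt project: it parses uci show firewall output, lists each forwarding section with "*" standing in for a missing src or dest, flags the wildcard ones, and answers whether a given zone pair is forwarded. The two sample dumps embedded in it are constructed from the configurations posted in this thread (the "before" with the anonymous @forwarding[0], the "after" with the three named sections); on a router you would pipe the live uci show firewall into the functions instead.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): audit the
# forwarding sections in "uci show firewall" output.  fw3 turns a forwarding
# section that is missing src (or dest) into a wildcard "Zone * to <dest>"
# policy, which is what let Guest reach lan in this thread.

# Constructed sample: the relevant lines of the first dump in the thread,
# including the anonymous forwarding that only has dest='lan'.
sample_uci_before() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='Guest'
firewall.@zone[1]=zone
firewall.@zone[1].name='lan'
firewall.@rule[0]=rule
firewall.@rule[0].src='wan'
firewall.@rule[0].src_ip='192.168.1.5'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
EOF
}

# Constructed sample: the three named forwardings created by the fix.
sample_uci_after() {
    cat <<'EOF'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.lan_guest=forwarding
firewall.lan_guest.src='lan'
firewall.lan_guest.dest='Guest'
firewall.guest_wan=forwarding
firewall.guest_wan.src='Guest'
firewall.guest_wan.dest='wan'
EOF
}

# Read "uci show firewall" output on stdin and print one line per forwarding
# section: "<section> <src> <dest>", with "*" where an option is missing.
list_forwardings() {
    awk -v q="'" '
        /^firewall\.[^.=]+=forwarding$/ {
            s = $0; sub(/^firewall\./, "", s); sub(/=forwarding$/, "", s)
            order[++n] = s; src[s] = "*"; dst[s] = "*"
            next
        }
        /^firewall\.[^.=]+\.(src|dest)=/ {
            rest = $0; sub(/^firewall\./, "", rest)   # "<section>.<opt>=<val>"
            sect = rest; sub(/\..*$/, "", sect)
            if (!(sect in src)) next                   # src/dest of a rule or zone, not a forwarding
            opt = rest; sub(/^[^.]*\./, "", opt); sub(/=.*$/, "", opt)
            val = rest; sub(/^[^=]*=/, "", val); gsub(q, "", val)
            if (opt == "src") src[sect] = val; else dst[sect] = val
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %s\n", order[i], src[order[i]], dst[order[i]]
        }
    '
}

# Print only the forwardings that fw3 will render as a wildcard policy.
wildcard_forwardings() {
    list_forwardings | awk '$2 == "*" || $3 == "*"'
}

# Exit 0 if traffic from zone $1 to zone $2 is forwarded by some section
# (a "*" on either side matches every zone), else exit 1.
forwarding_allowed() {
    list_forwardings | awk -v s="$1" -v d="$2" '
        ($2 == s || $2 == "*") && ($3 == d || $3 == "*") { hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# Usage on a live router: uci show firewall | wildcard_forwardings
echo "before the fix, wildcard forwardings:"
sample_uci_before | wildcard_forwardings
sample_uci_before | forwarding_allowed Guest lan && echo "before: Guest -> lan is forwarded"
sample_uci_after | forwarding_allowed Guest lan || echo "after: Guest -> lan is not forwarded"
sample_uci_after | forwarding_allowed lan Guest && echo "after: lan -> Guest is forwarded"
```

The check deliberately keys only on forwarding sections, so the src of a rule or the network of a zone (which share option names) is ignored; that is why the parser remembers which section names were declared as forwarding before it accepts a src or dest line. Running wildcard_forwardings against the live config after any LuCI change is a quick way to confirm no "any zone to X" policy has crept back in.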
Thanks for your help, but I'm still able to ping and connect in both directions.
Here is my new uci show firewall:
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='Guest'
firewall.@zone[0].network='Guest'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='lan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].network='lan'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wan' 'wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.lan_guest=forwarding
firewall.lan_guest.src='lan'
firewall.lan_guest.dest='Guest'
firewall.guest_wan=forwarding
firewall.guest_wan.src='Guest'
firewall.guest_wan.dest='wan'
and my iptables-save -c:
# Generated by iptables-save v1.8.7 on Tue Oct 26 08:24:29 2021
*nat
:PREROUTING ACCEPT [689:56786]
:INPUT ACCEPT [658:53805]
:OUTPUT ACCEPT [7:796]
:POSTROUTING ACCEPT [13:1204]
:postrouting_Guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_Guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_Guest_postrouting - [0:0]
:zone_Guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[689:56786] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[92:7365] -A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_Guest_prerouting
[597:49421] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[12:1084] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:538] -A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_Guest_postrouting
[3:204] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[4:538] -A zone_Guest_postrouting -m comment --comment "!fw3: Custom Guest postrouting rule chain" -j postrouting_Guest_rule
[92:7365] -A zone_Guest_prerouting -m comment --comment "!fw3: Custom Guest prerouting rule chain" -j prerouting_Guest_rule
[3:204] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[597:49421] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Oct 26 08:24:29 2021
# Generated by iptables-save v1.8.7 on Tue Oct 26 08:24:29 2021
*mangle
:PREROUTING ACCEPT [63690:77296244]
:INPUT ACCEPT [2847:248977]
:FORWARD ACCEPT [60818:77044694]
:OUTPUT ACCEPT [2523:277269]
:POSTROUTING ACCEPT [63341:77321963]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Oct 26 08:24:29 2021
# Generated by iptables-save v1.8.7 on Tue Oct 26 08:24:29 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Guest_dest_ACCEPT - [0:0]
:zone_Guest_dest_REJECT - [0:0]
:zone_Guest_forward - [0:0]
:zone_Guest_input - [0:0]
:zone_Guest_output - [0:0]
:zone_Guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[40:2847] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2813:246442] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2155:192637] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:1256] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[65:4661] -A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_Guest_input
[593:49144] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[60818:77044694] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[60795:77042858] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[23:1836] -A FORWARD -m comment --comment "!fw3: Zone * to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_Guest_forward
[20:1632] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[40:2847] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2495:276134] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2492:275592] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:334] -A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_Guest_output
[2:208] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[20:1256] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[21:1966] -A zone_Guest_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Guest_dest_REJECT -o wlan1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Guest_forward -m comment --comment "!fw3: Custom Guest forwarding rule chain" -j forwarding_Guest_rule
[0:0] -A zone_Guest_forward -m comment --comment "!fw3: Zone Guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Guest_forward -m comment --comment "!fw3" -j zone_Guest_dest_REJECT
[65:4661] -A zone_Guest_input -m comment --comment "!fw3: Custom Guest input rule chain" -j input_Guest_rule
[0:0] -A zone_Guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[65:4661] -A zone_Guest_input -m comment --comment "!fw3" -j zone_Guest_src_ACCEPT
[1:334] -A zone_Guest_output -m comment --comment "!fw3: Custom Guest output rule chain" -j output_Guest_rule
[1:334] -A zone_Guest_output -m comment --comment "!fw3" -j zone_Guest_dest_ACCEPT
[65:4661] -A zone_Guest_src_ACCEPT -i wlan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[5:412] -A zone_lan_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[20:1632] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[20:1632] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[20:1632] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Guest forwarding policy" -j zone_Guest_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[593:49144] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[593:49144] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:208] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:208] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[593:49144] -A zone_lan_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Oct 26 08:24:29 2021
Thank you, that's working now!
I'm just discovering OpenWRT: are there some settings that cannot be modified via the LuCI interface? Could I have removed this line via LuCI or not?
Fixing this issue only using the web interface is problematic.
In fact, there are many settings not supported by the web interface.
Closed by system on November 17, 2021, 10:10pm: This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.