Understanding firewall behavior

I'm trying to set up some firewall rules on my OpenWRT router, but they're not behaving as I expect. I'm hoping the community here can help me understand why.

I'm using a FriendlyElec R2S router that has two physical Ethernet ports: a LAN port (eth1) and WAN (eth0). This particular router does not have a WiFi interface.

I have created four VLANs on virtual interfaces:

nogginboink_net - eth1.10
nogginboink_kids - eth1.20
nogginboink_iot - eth1.30
nogginboink_guest - eth1.40

I set up DHCP pools for each VLAN at 10.0..x with ~150 addresses in each pool. I configured a firewall zone for each network (zones WAN/LAN/Net/Kids/IoT/Guest and WAN6). I have an 8-port desktop switch that supports VLANs, and I configured ports 1-4 to be on VLANs 10-40. I tested plugging my laptop into each port on the Ethernet switch and got a DHCP lease in the expected VLAN range for each.

None of the interfaces is bridged.

I hope that sufficiently describes my setup.

Now I'm looking at the firewall 'input,' 'output,' and 'forward' policies for each firewall zone. Regrettably, the OpenWRT wiki does not describe these rules very well, and even searches on other websites aren't as helpful as they could be.

My understanding is that the 'input' policy defines what the firewall should do with packets destined for the router itself that arrive from this firewall zone, if no other rules match. (Such as an HTTP connection to LuCI.)

My understanding is that the 'output' policy defines what the firewall should do with packets that originate from the router itself in this firewall zone, if no other rules match. (Such as the router doing an NTP time sync, or doing a DDNS update.)

My understanding is that the 'forward' policy defines what the firewall should do with packets that neither originate nor are destined for the router itself. (Which would be the majority of IP traffic routed through the router.)

Okay, so if that's the case, then if I set the default FORWARD policy on the LAN zone to DROP, and I plug my laptop into an Ethernet port that is not assigned a VLAN, and I verify that I get an IP address on the 192.168.2.x subnet (the router's default LAN pool), then I shouldn't be able to browse the Internet.

I haven't found that to be the case. I'm still able to browse the Internet in this case.

If I repeat the experiment on one of the VLANs, I get the same results: I expect that I shouldn't be able to browse the internet, yet I can.

I haven't added any firewall rules beyond the defaults that let the router itself get a DHCP lease from my ISP and similar.

Can anyone explain to me what is happening here? Why am I able to browse the 'net when the default forward policy for the firewall zone is 'drop'?

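An added example, not part of the original post, illustrating the mechanism the question turns on: in OpenWrt's UCI firewall, a zone's `forward` option is only the fallback verdict for traffic leaving that zone's interfaces; a matching `config forwarding` section (the stock config ships one from lan to wan) is consulted first and accepts the traffic regardless of the zone policy. The small sh/awk evaluator below resolves the verdict for a zone pair the way fw3/fw4 orders those checks, over a constructed firewall excerpt (zone names, policies and the fixed variant are all constructed for this example).

```shell
#!/bin/sh
# Constructed excerpt of an OpenWrt /etc/config/firewall (UCI syntax):
# the lan zone's forward policy is DROP, but the stock lan->wan
# "config forwarding" section from the default config is still present.
FW_CONFIG='
config zone
	option name lan
	list network lan
	option input ACCEPT
	option forward DROP

config zone
	option name wan
	list network wan
	option input REJECT
	option forward REJECT

config forwarding
	option src lan
	option dest wan
'
# Same config with the forwarding section removed (everything from
# "config forwarding" to the end), which is what actually cuts lan off.
FW_CONFIG_FIXED=$(printf '%s\n' "$FW_CONFIG" | sed '/^config forwarding/,$d')

# Verdict for new connections from zone $2 to zone $3 under config $1: a
# matching forwarding section accepts; else the source zone's forward policy
# decides (default REJECT when the option is unset), same-zone traffic included.
zone_forward_verdict() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        function flush() {
            if (type == "zone" && name != "") policy[name] = (pol != "" ? pol : "REJECT")
            if (type == "forwarding" && fsrc != "" && fdst != "") allow[fsrc "->" fdst] = 1
        }
        { gsub(/["'\'']/, "", $3) }                  # strip UCI quoting, if any
        $1 == "config" { flush(); type = $2; name = pol = fsrc = fdst = "" }
        type == "zone" && $2 == "name"       { name = $3 }
        type == "zone" && $2 == "forward"    { pol = $3 }
        type == "forwarding" && $2 == "src"  { fsrc = $3 }
        type == "forwarding" && $2 == "dest" { fdst = $3 }
        END {
            flush()
            if ((src "->" dst) in allow) print "ACCEPT via forwarding " src "->" dst
            else if (src in policy)      print policy[src] " by zone " src " forward policy"
            else                         print "UNKNOWN zone " src
        }'
}

zone_forward_verdict "$FW_CONFIG" lan wan         # ACCEPT via forwarding lan->wan
zone_forward_verdict "$FW_CONFIG_FIXED" lan wan   # DROP by zone lan forward policy
```

On a live router the equivalent check is to look for `forwarding` sections with `uci show firewall` (or the "Allow forward to destination zones" setting in LuCI's zone editor, which creates them); a zone only loses Internet access once no forwarding section points it at wan.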