Using ip4table + lookup rule on wireguard doesn't enforce 'forward' but it does for WAN

I have set up a VLAN (eth0.666) that has no forward firewall settings, fully segregated with the exception of a firewall rule that allows traffic to OpenWrt for DNS/DHCP etc.

There's an interesting observation I have made:

  • The eth0.666 VLAN has zero forwarding enabled; clients can't reach the internet via WAN / default route.
  • If eth0.666 has a lookup rule, I seem to be able to circumvent the 'forward' configuration requirement.

Is this expected behavior?

I simply set ip4table + ip6table on my wireguard interface = 20.

Then for eth0.666 I have:

uci set network.surfshark_vpn="rule"
uci set network.surfshark_vpn.in="surfshark"
uci set network.surfshark_vpn.lookup="20"
uci set network.surfshark_vpn.priority="30000"

This allows clients to reach the internet using the WireGuard tunnel, and it works without me explicitly configuring a 'forwarding' rule on the firewall. This, however, does NOT work for WAN: in that case, unless I enable forwarding, the traffic will not go towards the internet.

If this is expected, it seems like a simple way for me to set up policy-based routing could be to use routing lookup tables in this way for the whole VLAN. But I think I may need to add fwmark rules also, or is this not necessary?


It's good practice to start with comprehensive diagnostics for troubleshooting.
You need to analyze runtime configs such as routing tables, routing rules and iptables dump:

ip address show; ip route show table all; ip rule show; iptables-save

Here is the output

root@meow:~# ip address show; ip route show table all; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 5e:09:4d:5a:83:a0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.103/24 brd 192.168.12.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f/128 scope global dynamic noprefixroute
       valid_lft 86363sec preferred_lft 86363sec
    inet6 6666:xxxx:yyyy:qqqq:5c09:4dff:fe5a:83a0/64 scope global dynamic noprefixroute
       valid_lft 86363sec preferred_lft 86363sec
    inet6 fe80::5c09:4dff:fe5a:83a0/64 scope link
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.1/24 brd 192.168.44.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdb6:bf3f:ddd8::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
       valid_lft forever preferred_lft forever
10: eth0.666@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
    inet 172.66.0.1/24 brd 172.66.0.255 scope global eth0.666
       valid_lft forever preferred_lft forever
    inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
       valid_lft forever preferred_lft forever
11: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
    inet 172.17.200.1/24 brd 172.17.200.255 scope global eth0.200
       valid_lft forever preferred_lft forever
    inet6 fdb6:bf3f:ddd8:10::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
       valid_lft forever preferred_lft forever
13: vpsgw: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1350 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.100.100.10/24 brd 10.100.100.255 scope global vpsgw
       valid_lft forever preferred_lft forever
    inet6 2605:6404:2fa:100::10/64 scope global
       valid_lft forever preferred_lft forever
default dev vpsgw table 20 proto static scope link
10.100.100.0/24 dev vpsgw table 20 proto static scope link
default via 192.168.12.1 dev eth1 proto static src 192.168.12.103
45.61.184.24 via 192.168.12.1 dev eth1 proto static
172.17.200.0/24 dev eth0.200 proto kernel scope link src 172.17.200.1
172.66.0.0/24 dev eth0.666 proto kernel scope link src 172.66.0.1
192.168.12.0/24 dev eth1 proto kernel scope link src 192.168.12.103
192.168.44.0/24 dev br-lan proto kernel scope link src 192.168.44.1
broadcast 10.100.100.0 dev vpsgw table local proto kernel scope link src 10.100.100.10
local 10.100.100.10 dev vpsgw table local proto kernel scope host src 10.100.100.10
broadcast 10.100.100.255 dev vpsgw table local proto kernel scope link src 10.100.100.10
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.200.0 dev eth0.200 table local proto kernel scope link src 172.17.200.1
local 172.17.200.1 dev eth0.200 table local proto kernel scope host src 172.17.200.1
broadcast 172.17.200.255 dev eth0.200 table local proto kernel scope link src 172.17.200.1
broadcast 172.66.0.0 dev eth0.666 table local proto kernel scope link src 172.66.0.1
local 172.66.0.1 dev eth0.666 table local proto kernel scope host src 172.66.0.1
broadcast 172.66.0.255 dev eth0.666 table local proto kernel scope link src 172.66.0.1
broadcast 192.168.12.0 dev eth1 table local proto kernel scope link src 192.168.12.103
local 192.168.12.103 dev eth1 table local proto kernel scope host src 192.168.12.103
broadcast 192.168.12.255 dev eth1 table local proto kernel scope link src 192.168.12.103
broadcast 192.168.44.0 dev br-lan table local proto kernel scope link src 192.168.44.1
local 192.168.44.1 dev br-lan table local proto kernel scope host src 192.168.44.1
broadcast 192.168.44.255 dev br-lan table local proto kernel scope link src 192.168.44.1
2605:6404:2fa:100::/64 dev vpsgw table 20 proto static metric 1024 pref medium
default dev vpsgw table 20 proto static metric 1024 pref medium
default from 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
default from 6666:xxxx:yyyy:qqqq::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
6666:xxxx:yyyy:qqqq::/64 dev eth1 proto static metric 256 pref medium
6666:xxxx:yyyy:qqqq::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
unreachable 6666:xxxx:yyyy:qqqq::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdb6:bf3f:ddd8::/64 dev br-lan proto static metric 1024 pref medium
fdb6:bf3f:ddd8:10::/64 dev eth0.200 proto static metric 1024 pref medium
unreachable fdb6:bf3f:ddd8::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0.666 proto kernel metric 256 pref medium
fe80::/64 dev eth0.200 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
default via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto ra metric 1024 expires 1761sec mtu 1440 hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2605:6404:2fa:100:: dev vpsgw table local proto kernel metric 0 pref medium
local 2605:6404:2fa:100::10 dev vpsgw table local proto kernel metric 0 pref medium
anycast 6666:xxxx:yyyy:qqqq:: dev eth1 table local proto kernel metric 0 pref medium
local 6666:xxxx:yyyy:qqqq:5c09:4dff:fe5a:83a0 dev eth1 table local proto kernel metric 0 pref medium
local 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f dev eth1 table local proto kernel metric 0 pref medium
anycast fdb6:bf3f:ddd8:: dev br-lan table local proto kernel metric 0 pref medium
local fdb6:bf3f:ddd8::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fdb6:bf3f:ddd8:10:: dev eth0.200 table local proto kernel metric 0 pref medium
local fdb6:bf3f:ddd8:10::1 dev eth0.200 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.200 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.666 table local proto kernel metric 0 pref medium
local fe80::5c09:4dff:fe5a:83a0 dev eth1 table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev br-lan table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev eth0.200 table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev eth0.666 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.666 table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.200 table local proto kernel metric 256 pref medium
ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
ff00::/8 dev vpsgw table local proto kernel metric 256 pref medium
0:      from all lookup local
10000:  from 10.100.100.10 lookup 20
20000:  from all to 10.100.100.10/24 lookup 20
30000:  from all iif eth0.666 lookup 20
32766:  from all lookup main
32767:  from all lookup default
90013:  from all iif lo lookup 20
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*nat
:PREROUTING ACCEPT [62:4773]
:INPUT ACCEPT [23:1530]
:OUTPUT ACCEPT [23:1521]
:POSTROUTING ACCEPT [20:1317]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_surfshark_rule - [0:0]
:postrouting_untrusted_rule - [0:0]
:postrouting_vpsgw_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_surfshark_rule - [0:0]
:prerouting_untrusted_rule - [0:0]
:prerouting_vpsgw_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_surfshark_postrouting - [0:0]
:zone_surfshark_prerouting - [0:0]
:zone_untrusted_postrouting - [0:0]
:zone_untrusted_prerouting - [0:0]
:zone_vpsgw_postrouting - [0:0]
:zone_vpsgw_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_prerouting
-A PREROUTING -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_prerouting
-A PREROUTING -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.666 -m comment --comment "!fw3" -j zone_surfshark_postrouting
-A POSTROUTING -o eth0.200 -m comment --comment "!fw3" -j zone_untrusted_postrouting
-A POSTROUTING -o vpsgw -m comment --comment "!fw3" -j zone_vpsgw_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_surfshark_postrouting -m comment --comment "!fw3: Custom surfshark postrouting rule chain" -j postrouting_surfshark_rule
-A zone_surfshark_prerouting -m comment --comment "!fw3: Custom surfshark prerouting rule chain" -j prerouting_surfshark_rule
-A zone_untrusted_postrouting -m comment --comment "!fw3: Custom untrusted postrouting rule chain" -j postrouting_untrusted_rule
-A zone_untrusted_prerouting -m comment --comment "!fw3: Custom untrusted prerouting rule chain" -j prerouting_untrusted_rule
-A zone_vpsgw_postrouting -m comment --comment "!fw3: Custom vpsgw postrouting rule chain" -j postrouting_vpsgw_rule
-A zone_vpsgw_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpsgw_prerouting -m comment --comment "!fw3: Custom vpsgw prerouting rule chain" -j prerouting_vpsgw_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jul 27 11:20:17 2021
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*mangle
:PREROUTING ACCEPT [662:201356]
:INPUT ACCEPT [481:121397]
:FORWARD ACCEPT [159:75667]
:OUTPUT ACCEPT [801:306955]
:POSTROUTING ACCEPT [960:382622]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jul 27 11:20:17 2021
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_surfshark_rule - [0:0]
:forwarding_untrusted_rule - [0:0]
:forwarding_vpsgw_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_surfshark_rule - [0:0]
:input_untrusted_rule - [0:0]
:input_vpsgw_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_surfshark_rule - [0:0]
:output_untrusted_rule - [0:0]
:output_vpsgw_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_surfshark_dest_ACCEPT - [0:0]
:zone_surfshark_forward - [0:0]
:zone_surfshark_input - [0:0]
:zone_surfshark_output - [0:0]
:zone_surfshark_src_REJECT - [0:0]
:zone_untrusted_dest_ACCEPT - [0:0]
:zone_untrusted_forward - [0:0]
:zone_untrusted_input - [0:0]
:zone_untrusted_output - [0:0]
:zone_untrusted_src_REJECT - [0:0]
:zone_vpsgw_dest_ACCEPT - [0:0]
:zone_vpsgw_dest_REJECT - [0:0]
:zone_vpsgw_forward - [0:0]
:zone_vpsgw_input - [0:0]
:zone_vpsgw_output - [0:0]
:zone_vpsgw_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_input
-A INPUT -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_input
-A INPUT -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Zone * to vpsgw forwarding policy" -j zone_vpsgw_dest_ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_forward
-A FORWARD -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_forward
-A FORWARD -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.666 -m comment --comment "!fw3" -j zone_surfshark_output
-A OUTPUT -o eth0.200 -m comment --comment "!fw3" -j zone_untrusted_output
-A OUTPUT -o vpsgw -m comment --comment "!fw3" -j zone_vpsgw_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_surfshark_dest_ACCEPT -o eth0.666 -m comment --comment "!fw3" -j ACCEPT
-A zone_surfshark_forward -m comment --comment "!fw3: Custom surfshark forwarding rule chain" -j forwarding_surfshark_rule
-A zone_surfshark_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_surfshark_forward -m comment --comment "!fw3" -j zone_surfshark_dest_ACCEPT
-A zone_surfshark_input -m comment --comment "!fw3: Custom surfshark input rule chain" -j input_surfshark_rule
-A zone_surfshark_input -p icmp -m comment --comment "!fw3: Allow-vlan666-Ping" -j ACCEPT
-A zone_surfshark_input -p tcp -m comment --comment "!fw3: vlan666-to-router" -j ACCEPT
-A zone_surfshark_input -p udp -m comment --comment "!fw3: vlan666-to-router" -j ACCEPT
-A zone_surfshark_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_surfshark_input -m comment --comment "!fw3" -j zone_surfshark_src_REJECT
-A zone_surfshark_output -m comment --comment "!fw3: Custom surfshark output rule chain" -j output_surfshark_rule
-A zone_surfshark_output -m comment --comment "!fw3" -j zone_surfshark_dest_ACCEPT
-A zone_surfshark_src_REJECT -i eth0.666 -m comment --comment "!fw3" -j reject
-A zone_untrusted_dest_ACCEPT -o eth0.200 -m comment --comment "!fw3" -j ACCEPT
-A zone_untrusted_forward -m comment --comment "!fw3: Custom untrusted forwarding rule chain" -j forwarding_untrusted_rule
-A zone_untrusted_forward -m comment --comment "!fw3: Zone untrusted to * forwarding policy" -j ACCEPT
-A zone_untrusted_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_untrusted_forward -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
-A zone_untrusted_input -m comment --comment "!fw3: Custom untrusted input rule chain" -j input_untrusted_rule
-A zone_untrusted_input -p icmp -m comment --comment "!fw3: Allow-vlan200-Ping" -j ACCEPT
-A zone_untrusted_input -p tcp -m comment --comment "!fw3: vlan200-to-router" -j ACCEPT
-A zone_untrusted_input -p udp -m comment --comment "!fw3: vlan200-to-router" -j ACCEPT
-A zone_untrusted_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_untrusted_input -m comment --comment "!fw3" -j zone_untrusted_src_REJECT
-A zone_untrusted_output -m comment --comment "!fw3: Custom untrusted output rule chain" -j output_untrusted_rule
-A zone_untrusted_output -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
-A zone_untrusted_src_REJECT -i eth0.200 -m comment --comment "!fw3" -j reject
-A zone_vpsgw_dest_ACCEPT -o vpsgw -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpsgw_dest_ACCEPT -o vpsgw -m comment --comment "!fw3" -j ACCEPT
-A zone_vpsgw_dest_REJECT -o vpsgw -m comment --comment "!fw3" -j reject
-A zone_vpsgw_forward -m comment --comment "!fw3: Custom vpsgw forwarding rule chain" -j forwarding_vpsgw_rule
-A zone_vpsgw_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpsgw_forward -m comment --comment "!fw3" -j zone_vpsgw_dest_REJECT
-A zone_vpsgw_input -m comment --comment "!fw3: Custom vpsgw input rule chain" -j input_vpsgw_rule
-A zone_vpsgw_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpsgw_input -m comment --comment "!fw3" -j zone_vpsgw_src_REJECT
-A zone_vpsgw_output -m comment --comment "!fw3: Custom vpsgw output rule chain" -j output_vpsgw_rule
-A zone_vpsgw_output -m comment --comment "!fw3" -j zone_vpsgw_dest_ACCEPT
-A zone_vpsgw_src_REJECT -i vpsgw -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Tue Jul 27 11:20:17 2021

The above output is from when the OpenWrt eth0.666 is configured with the route table lookup. Let me know if it would be helpful to post the same output when the surfshark_vpn rule is deleted (which makes eth0.666 VLAN traffic unable to reach the internet, due to no forward zone rule; this I did expect, but I was surprised I didn't need a rule for WireGuard).

root@meow:~# ip rule list
0:      from all lookup local
10000:  from 10.100.100.10 lookup 20
20000:  from all to 10.100.100.10/24 lookup 20
30000:  from all iif eth0.666 lookup 20
32766:  from all lookup main
32767:  from all lookup default
90013:  from all iif lo lookup 20

In my settings I am using the number "20" for the table name. During my experiments with the vpn-policy-routing package I noted that the above command, ip rule list, actually output a device name 'vpsgw' instead of a number. Is this a setting I can use instead of ip4table = 20?

I tried a non integer value in config and it did not like it.


Mind that 172.66.0.0/24 is outside the private address space: 172.16.0.0-172.31.255.255.

Regarding your question:
-A FORWARD -m comment --comment "!fw3: Zone * to vpsgw forwarding policy" -j zone_vpsgw_dest_ACCEPT


To be clear, there's a forwarding with unspecified/empty/asterisk source zone.
This makes the forwarding apply to any source zone.

Looking at my confs for zones without 'src'

config zone
	option device 'vpsgw'
	option name 'vpsgw'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq6 '1'

config zone
	option name 'untrusted'
	option device 'eth0.200'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'surfshark'
	option device 'eth0.666'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option masq6 '1'

The forwardings:

config forwarding
	option src 'untrusted'
	list dest 'wan'

config forwarding
	option dest 'vpsgw'
	list src 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

I am not sure I follow; I have an explicit "src" in the configs for the forwarding section. What am I missing?

eth0.666 is surfshark, where I can do the lookup and send to vpsgw. Note that no src = surfshark exists.


You are using the wrong syntax, replace list with option in all forwardings.


Post the whole firewall config, it's hard to understand your mistakes from snippets.
uci export firewall


@trendy @vgaetera thank you for helping point out the configuration syntax error. Visually it seemed that it existed due to 'list'.

I'm experimenting with https://github.com/gekmihesg/ansible-openwrt library and had to figure out the behavior of that library causing it. I think I worked around the problem and fixed it.

root@meow:~# uci export firewall
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option masq6 '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include
        option path '/etc/firewall.nat6'
        option name 'nat6'
        option reload '1'

config zone
        option name 'surfshark'
        option device 'eth0.666'
        option input 'REJECT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan666-Ping'
        option src 'surfshark'
        option target 'ACCEPT'
        option proto 'icmp'

config rule
        option name 'vlan666-to-router'
        option src 'surfshark'
        option target 'ACCEPT'

config zone
        option name 'untrusted'
        option device 'eth0.200'
        option input 'REJECT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config rule
        option name 'Allow-vlan200-Ping'
        option src 'untrusted'
        option target 'ACCEPT'
        option proto 'icmp'

config rule
        option name 'vlan200-to-router'
        option src 'untrusted'
        option target 'ACCEPT'

config forwarding
        option src 'untrusted'
        list dest 'wan'

config zone
        option device 'vpsgw'
        option name 'vpsgw'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq6 '1'

config forwarding
        option dest 'lan'
        option src 'vpsgw'

config forwarding
        option dest 'untrusted'
        option src 'vpsgw'

I confirm that after fixing the syntax the security hole I had of blanket zone forwarding seems to be fixed. I set a 'lookup' rule again and my clients on eth0.666 / surfshark are not able to reach the internet, not unless I explicitly add a forwarding from surfshark -> vpsgw.

This is what I had expected :)

What kind of rules or settings do you recommend for allowing inter-vlan communication?

There are 2 cases I wanted to ask about:

  • LAN to a restricted_vlan (one-way traffic from LAN always allowed; hosts in restricted can't unilaterally connect to LAN)
  • LAN to a non_restricted_vlan (both-ways traffic allowed between hosts)
1 Like

Looks like you have missed one, verify the syntax:

/etc/init.d/firewall reload 2>&1 | grep -i -e error -e warning

Use different firewall zones and a simple firewall forwarding.

Use the same zone, or different zones and a couple of forwardings.

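As an added illustration of the two suggestions above (this is not from the thread; zone names come from the question, while the VLAN devices eth0.300 and eth0.400 are assumed), a /etc/config/firewall fragment for both cases. The restricted VLAN gets its own zone with a single forwarding from lan, while the non-restricted VLAN gets a forwarding in each direction:

```uci
# restricted_vlan: hosts here can only reach the router for DHCP/DNS,
# and can only answer connections that lan hosts initiate.
config zone
	option name 'restricted_vlan'
	# assumed VLAN device
	option device 'eth0.300'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'restricted-dhcp-dns'
	option src 'restricted_vlan'
	option proto 'tcpudp'
	option dest_port '53 67'
	option target 'ACCEPT'

# One-way: lan may open connections into restricted_vlan.
# Replies are still allowed because the firewall is stateful
# (established/related traffic is accepted in the forward chain),
# so no reverse forwarding is needed.
config forwarding
	option src 'lan'
	option dest 'restricted_vlan'

# non_restricted_vlan: full two-way access with lan.
config zone
	option name 'non_restricted_vlan'
	# assumed VLAN device
	option device 'eth0.400'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'non_restricted_vlan'

config forwarding
	option src 'non_restricted_vlan'
	option dest 'lan'
```

Because `config defaults` keeps `forward 'REJECT'`, any VLAN-to-VLAN path not listed as a forwarding stays blocked; the `/etc/init.d/firewall reload` check shown above confirms the sections parsed without warnings.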

I'm only getting warnings but I'll admit I have been tweaking my ansible playbook and may have fixed the issue you may have seen?

root@meow:~# /etc/init.d/firewall reload 2>&1 | grep -i -e error -e warning
Warning: Option @zone[1].masq6 is unknown
Warning: Option @zone[4].masq6 is unknown
Warning: Section @rule[10] (vlan666-to-router) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[12] (vlan200-to-router) does not specify a protocol, assuming TCP+UDP
Warning: Option @include[1].name is unknown
Warning: Option @include[2].name is unknown
Warning: Option @include[3].name is unknown
root@meow:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/etc/firewall.nat6'
	option name 'nat6'
	option reload '1'

config zone
	option name 'surfshark'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'surfshark'
	option device 'eth0.666'

config rule
	option name 'Allow-vlan666-Ping'
	option src 'surfshark'
	option target 'ACCEPT'
	option proto 'icmp'

config rule
	option name 'vlan666-to-router'
	option src 'surfshark'
	option target 'ACCEPT'

config forwarding
	option dest 'vpsgw'
	option src 'surfshark'

config zone
	option name 'untrusted'
	option device 'eth0.200'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'untrusted'

config rule
	option name 'Allow-vlan200-Ping'
	option src 'untrusted'
	option target 'ACCEPT'
	option proto 'icmp'

config rule
	option name 'vlan200-to-router'
	option src 'untrusted'
	option target 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'untrusted'

config zone
	option device 'vpsgw'
	option name 'vpsgw'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq6 '1'

config include
	option path '/etc/firewall.nat6'
	option name 'nat6'
	option reload '1'

config include
	option path '/etc/firewall.nat6'
	option name 'nat6'
	option reload '1'

root@meow:~# 
