I do appreciate the interest and input. Please excuse me for not responding sooner, but I've been tied up with some personal matters since I posted this originally.
I've been experiencing this on all my LEDE/OpenWRT routers going back to version 15. My home setup I originally wrote about is a bit more complex with several subnets. My office setup is simpler with an Asus RT-N13U running LEDE 17.04, which normally has only one LAN, but I created a separate LAN3 for testing.
I created a separate VLAN on port 3 with VID 3 on 192.168.3.0/24 aka LAN3. My main or default VLAN with VID 1 is on 192.168.16.0/24 aka LAN1. I'm attaching my network file and output from netstat -nl.
I make all my changes via LuCI. Dropbear is configured for only the lan interface, which makes it bind to 192.168.16.1:22 (see the netstat output below); note that this only restricts the address it listens on, not which interface or zone a client arrives from. uhttpd is configured to listen on all addresses (0.0.0.0:80 and :::80). My firewall is configured to not forward between the two LAN zones. Each zone can only forward to WAN.
In the above state, I can connect to LuCI from both subnets using each other's IP address. SSH of course is only listening on 192.168.16.1. However, I can connect to SSH from LAN3 using LAN1's IP address.
When the firewall is configured to only forward from LAN1 and LAN3 to WAN:
- LuCI accepts connections on both router IPs from both LAN1 and LAN3, even using the other subnet's address.
- SSH works from both LAN's using LAN1's IP address.
- I cannot ping hosts on the other LAN with the exception of the other interface's IP address (e.g., from LAN1, I can only ping 192.168.16.0/24 and 192.168.3.1)
When I enable forwarding from LAN1 to LAN3, I can ping and connect to hosts on both LAN1 and LAN3 from LAN1.
Same goes if forwarding from LAN3 to LAN1 is enabled, I can ping and connect to hosts on both LAN1 and LAN3 from LAN3.
I even tried disabling forwarding from LAN3 to anything. This had the expected effect of not being able to pull up websites, but I could still connect to LuCI and SSH using LAN1's IP address from LAN3.
Regardless of how permissive or restrictive the forwarding configuration is, every subnet can connect to services on the other subnet's router address (192.168.X.1). Looking at the firewall file below, this is consistent with the zone policies rather than the forwarding rules: both the lan and lan3 zones have `option input 'ACCEPT'`, and a connection to any of the router's own addresses is handled by the source zone's input policy, never by forward/forwarding, because the packet terminates on the router instead of passing through it. The kernel also answers on any of its local addresses irrespective of which interface the packet arrived on, which is why a LAN3 host reaches 192.168.16.1 even though LAN3 is not routed to LAN1.
Is this a bug, or am I misunderstanding a feature? If the latter, how do I prevent hosts on my isolated subnets from connecting to LuCI or SSH? Would I create a separate interface just for those services, in its own zone, and only allow forwarding to that zone from my secure LAN? (A separate management zone would not change anything by itself for the reason above: the services still answer on every router address. The controlling knob is the lan3 zone's input policy: set it to REJECT and add explicit rules allowing only what LAN3 hosts need from the router, e.g. UDP 67 for DHCP and UDP/TCP 53 for DNS, plus ICMP echo if wanted.)
See below for my network file, firewall file and the output of netstat -nl.
NETWORK file:
# Loopback and global settings; stock LEDE defaults, not touched for the test.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix; the fdde:bc3e:948c::1 address that dropbear binds on :22 in the
# netstat output is derived from it.
config globals 'globals'
option ula_prefix 'fdde:bc3e:948c::/48'
# "LAN1" in the post: the default/trusted LAN, 192.168.16.1/24 on VLAN 1
# (eth0.1). This is the address dropbear is bound to (192.168.16.1:22).
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.16.1'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '00:0c:43:XX:XX:XX'
# WAN on VLAN 2 (eth0.2) with a static private address (192.168.1.68, gateway
# 192.168.1.1), i.e. this router sits behind another router -- presumably the
# office network, so the wan zone's masq/REJECT policies below apply towards it.
# The _orig_* keys are LuCI bookkeeping left over from a bridge toggle.
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.1.68'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option dns '8.8.8.8 8.8.4.4'
config device 'wan_dev'
option name 'eth0.2'
option macaddr '00:0c:43:XX:XX:XX'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# rt305x switch: port 6 is the tagged CPU port on every VLAN.
config switch
option name 'rt305x'
option reset '1'
option enable_vlan '1'
# VLAN 1 -> eth0.1 (lan): switch ports 0, 1, 3 and 5.
config switch_vlan
option device 'rt305x'
option vlan '1'
option ports '0 1 3 5 6t'
# VLAN 2 -> eth0.2 (wan): switch port 4.
config switch_vlan
option device 'rt305x'
option vlan '2'
option ports '4 6t'
# VLAN 3 -> eth0.3 (LAN3): switch port 2. The post calls this "port 3";
# presumably the jack label and the switch port number differ on this board.
config switch_vlan
option device 'rt305x'
option vlan '3'
option ports '2 6t'
# The isolated test subnet, 192.168.3.1/24 on VLAN 3. The interface name is
# case-sensitive and is referenced as 'LAN3' by the lan3 firewall zone.
config interface 'LAN3'
option proto 'static'
option ifname 'eth0.3'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
FIREWALL:
# Chain policies for traffic not covered by any zone. input is ACCEPT here;
# each zone below sets its own input policy, which is what matters for the
# LAN1/LAN3 question.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Trusted zone (interface 'lan', 192.168.16.0/24). input ACCEPT means hosts in
# this zone may talk to the router itself on any of its addresses (LuCI, SSH,
# DNS, DHCP); forward ACCEPT allows intra-zone forwarding.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Upstream zone: router services are closed towards it (input REJECT) except
# for the explicit Allow-* rules below; NAT (masq) towards 192.168.1.0/24.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# Stock LEDE rule set. Every rule here has src 'wan'; none of them affects
# traffic between lan and lan3 or from those zones to the router, so they are
# not relevant to the observed behaviour. The last two (ESP / ISAKMP) are
# forward rules wan -> lan and only matter if a lan host runs IPsec.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom iptables rules, if any; contents not shown in the post.
config include
option path '/etc/firewall.user'
# The only inter-zone forwarding: lan -> wan. There is no lan3 -> wan entry in
# this capture, which matches the "forwarding from LAN3 disabled" experiment
# described above. Forwarding entries never govern traffic addressed to the
# router itself.
config forwarding
option dest 'wan'
option src 'lan'
# Zone for the isolated test subnet (interface 'LAN3', 192.168.3.0/24).
# input ACCEPT is why LAN3 hosts can still reach LuCI/SSH: it admits traffic
# from this zone to ANY of the router's own addresses (192.168.3.1 as well as
# 192.168.16.1) on 80/22/53/67, independent of the forward policy and of any
# config forwarding stanza, which only apply to traffic passing through.
# NOTE(review): to shut LuCI and SSH off from this subnet, set input to
# REJECT and add config rule entries with src 'lan3' allowing only UDP 67
# (DHCP) and 53 (DNS); LuCI rewrites this file on save, so expect these
# comments to be dropped if the change is made through the web UI.
config zone
option name 'lan3'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'LAN3'
NETSTAT -NL:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.16.1:22 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::53 :::* LISTEN
tcp 0 0 fdde:bc3e:948c::1:22 :::* LISTEN
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 :::546 :::*
udp 0 0 :::547 :::*
udp 0 0 :::53 :::*
raw 0 0 ::%1:58 ::%4443948:* 58
raw 0 0 ::%1:58 ::%4443948:* 58
raw 0 0 ::%1:58 ::%4443948:* 58
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 287 /var/run/ubus.sock