What am I doing wrong with firewall security config? Tons of open ports

I'm using a Rooter build that uses LEDE r3205-59508e3.

What would produce a result like this? Every time I do the scan the results change slightly, but always far too many open ports.

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option src 'wan'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan wan1 wan2'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

Edit: the issue

Where does this result come from?

I've tested both with:

https://www.grc.com/x/ne.dll?bh0bkyd2

and

First update to the latest stable version of LEDE or to the latest snapshot for your router (if you can) and see if that helps.

As an alternative try changing the following in your firewall config:

config defaults: All to REJECT

config zone lan: forward to REJECT

Changing this should NOT lock you out of the router but should ensure that any traffic that is not explicitly set to ACCEPT will be blocked.

Reboot the router and try the tests again.

Here is my firewall config for reference. I have not changed much compared to the default config (only removed some things) and it shows no open ports when testing with different online port scanners for IPv4/IPv6:

firewall config:
config defaults
	option syn_flood '1'
	option drop_invalid '1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'

config include
	option path '/etc/firewall.user'
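
The policy changes suggested in this reply (all three `config defaults` policies to REJECT, `lan` forward to REJECT, `wan` input left at REJECT) are easy to check mechanically. The script below is an added example and not part of the thread or of LEDE itself: it parses UCI syntax with a small hand-written parser, flags every policy that is still permissive, and lists the rules that accept traffic from the `wan` zone so they can be reviewed one by one. The embedded sample is an excerpt of the configuration from the first post; the function names are my own.

```python
"""Lint an OpenWrt/LEDE /etc/config/firewall for the policies the reply above
asks to change (defaults REJECT, lan forward REJECT, wan input REJECT) and list
the ACCEPT rules facing the wan zone. Added example, not from the thread."""
import shlex
from collections import defaultdict

SAFE_POLICIES = {"REJECT", "DROP"}  # anything else lets traffic through


def parse_uci(text):
    """Minimal UCI parser: 'config <type> [name]', 'option k v', 'list k v'."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # shlex strips the 'single quotes' UCI uses
        val = tok[2] if len(tok) > 2 else ""
        if tok[0] == "config":
            current = {"type": tok[1], "name": val or None,
                       "options": {}, "lists": defaultdict(list)}
            sections.append(current)
        elif tok[0] == "option" and current is not None:
            current["options"][tok[1]] = val
        elif tok[0] == "list" and current is not None:
            current["lists"][tok[1]].append(val)
        else:
            raise ValueError(f"unexpected UCI line: {raw!r}")
    return sections


def audit_firewall(text):
    """Return (findings, wan_accept_rules).
    findings: 'section: chain=POLICY' where the reply wants REJECT but the file
    says otherwise (unset policies are left to fw3's built-in default).
    wan_accept_rules: (name, proto, dest_port) of every rule accepting from wan,
    i.e. the deliberate openings worth re-checking."""
    findings, wan_rules = [], []
    for sec in parse_uci(text):
        o = sec["options"]
        if sec["type"] == "defaults":
            for chain in ("input", "output", "forward"):
                if o.get(chain) not in (None, *SAFE_POLICIES):
                    findings.append(f"defaults: {chain}={o[chain]}")
        elif sec["type"] == "zone":
            upstream = o.get("masq") == "1"  # masquerading marks the internet-facing zone
            for chain in ("input", "forward"):
                if o.get(chain) in (None, *SAFE_POLICIES):
                    continue
                # Upstream zone: input and forward must both block. Inside zones
                # need input ACCEPT to reach the router, but forward should REJECT.
                if upstream or chain == "forward":
                    findings.append(f"zone {o.get('name', '?')}: {chain}={o[chain]}")
        elif sec["type"] == "rule" and o.get("src") == "wan" and o.get("target") == "ACCEPT":
            wan_rules.append((o.get("name", "(unnamed)"), o.get("proto", "any"),
                              o.get("dest_port", "any")))
    return findings, wan_rules


# Excerpt of the configuration posted in the first message of this thread.
POSTED_CONFIG = """
config rule
    option name 'Allow-Ping'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option src 'wan'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option network 'wan wan6 wwan wan1 wan2'
"""

if __name__ == "__main__":
    found, rules = audit_firewall(POSTED_CONFIG)
    for f in found:
        print("CHANGE:", f)
    for name, proto, port in rules:
        print("wan ACCEPT rule:", name, proto, port)
```

Run against the posted config it reports `defaults: input=ACCEPT`, `defaults: output=ACCEPT` and `zone lan: forward=ACCEPT`, which are exactly the three values the reply asks to change. Note that a permissive `defaults` policy only matters for traffic no zone matches, so these findings explain a sloppy config rather than the open ports seen in the scan; the wan zone itself already rejects input.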

Here is how it is set up now; I'm still getting the same issue. I should have added that my setup consists of a USB modem going to my LEDE router, with LAN from that router going to the WAN of a different router. I have tried having the second router's firewall both on and off and it doesn't make a difference.

Nothing from the LEDE firewall config jumps out at me as being wrong. But I haven't dealt with any USB modem / multi-router setups yet.

With such a complex setup, traffic could simply be bypassing the firewall in LEDE and going straight to your PC because of the modem (or is it attached to the LEDE router and not the PC?).

The modem is directly connected to the LEDE router via the USB port. My second router is then plugged into the LAN of the LEDE router and is given an IP address by LEDE DHCP. The second router is the one all my devices are connected to.

Try isolating the LAN port where you plugged in the second router:

On the LEDE router, create a VLAN for it via the switch config so it is the only port on that VLAN.
On the LEDE router, create a network interface for it with that LAN port/VLAN being the only member (no bridging) and give it its own firewall zone. Configure the new firewall zone like the lan zone.

If the cable of the second router goes into its WAN port, the firewall of the second router should also be active.

No idea if this helps, since the firewall of the LEDE router should already block all traffic originating from WAN with your firewall config.

Just be careful with the switch config on the LEDE router. It could soft-brick and then you would have to reset. Also make sure to check the port numbers of your router so you can map them correctly (web interface <-> actual port numbers written on the back of the router). That info should be on some OpenWrt/LEDE wiki page.

If this does not work, try resetting and starting from the default settings again, or try updating LEDE. It could be that some VLAN config got messed up or you need a special config for USB modems. But I can't help with that.

I did try a full reset just now. With just an ethernet cable going straight to my laptop from the LEDE router, I still have the firewall issue. Everything is in its default state right now.

Have you questioned why port 0 is shown as open and marked in red (to show that this is a bad thing)?

No. Sorry, I'm not following where you're going.

Does your USB modem really have a public internet address? Rather often the mobile ISPs just give out NAT addresses, meaning 192.168.x.x, 172.[16-31].x.x and 10.x.x.x.

If that is your case, then the port scanner actually scans your ISP's "modem bank" instead of your specific router.
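
The point made here is the first thing to verify before trusting any online scanner result: if the address on the router's WAN interface is not publicly routable, the scanner is probing the ISP's NAT gateway and the router's firewall never sees the probes. The check below is an added example (not from the thread or from LEDE) and goes slightly beyond the reply by also covering the 100.64.0.0/10 shared range (RFC 6598) that mobile carriers commonly hand out, plus IPv6 ULA. Addresses such as `184.209.0.1` are constructed for the test; on the router itself the WAN address would come from `ifstatus wan`.

```python
"""Decide whether an external port scan can have reached this router at all.
Added example, not from the thread. If the router's WAN address is private
(RFC 1918), shared/CGNAT (RFC 6598) or ULA (RFC 4193), the scan hit the ISP's
NAT gateway; if it is public but differs from what the scanner tested, a NAT
device still sits in between."""
import ipaddress

# Ranges that are never reachable from the public internet directly.
NON_ROUTABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("100.64.0.0/10"), "RFC 6598 shared (CGNAT)"),
    (ipaddress.ip_network("fc00::/7"), "RFC 4193 ULA"),
]


def classify_wan_address(addr):
    """Label an address as one of the non-routable kinds above or 'public'."""
    ip = ipaddress.ip_address(addr)
    for net, label in NON_ROUTABLE:
        if ip in net:  # a v4 address is never 'in' a v6 network, so mixing is safe
            return label
    return "public"


def scan_reaches_router(wan_ip, observed_ip):
    """wan_ip: the address on the router's WAN interface (e.g. from 'ifstatus wan').
    observed_ip: the address the online scanner reports it is testing.
    Returns (reaches_router, reason)."""
    kind = classify_wan_address(wan_ip)
    if kind != "public":
        return False, (f"WAN address {wan_ip} is {kind}; the scanner is testing the "
                       f"ISP's gateway, not this router")
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return False, (f"scanner tested {observed_ip} but the WAN address is {wan_ip}; "
                       f"another NAT device sits in between")
    return True, "scanner reached this router's WAN address; firewall results are meaningful"


if __name__ == "__main__":
    # Constructed values for illustration, not addresses from the thread.
    for wan, seen in [("10.42.0.7", "203.0.113.9"),
                      ("100.70.1.1", "203.0.113.9"),
                      ("184.209.0.1", "184.209.0.1")]:
        ok, why = scan_reaches_router(wan, seen)
        print("reaches router" if ok else "does NOT reach router", "-", why)
```

A public WAN address that matches what the scanner reports is the only case in which a list of open ports says anything about the LEDE firewall; in every other case the "open ports" belong to whatever device owns the public address.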

It has an address beginning with 184.209. But the behavior does seem like it's not scanning my actual router.