It looks like I am doing something wrong but I do not see what/why. I hope someone can help.
I have an OpenWrt setup consisting of an OpenWrt router with Wifi and 3 network ports (WAN, LAN1, LAN2).
The WAN side is connected to a modem which is in bridge mode. The router gets a WAN IP address through the modem. Despite being in bridge mode the modem has a fixed IP (192.168.234.249) that allows access to its web interface.
I have several interfaces: i_Lan1, i_Lan2, i_Wan, i_Wifi_01, i_Wifi_02, i_Wifi_03
and several zones: z_WAN, z_Lan1, z_Wifi_01, z_Wifi_02, z_Wifi_03, z_Lan2
The intention is to allow access to the modem from the OpenWRT router and z_Lan1 ONLY.
To this end I added 2 rules before the rules that block access to all private IP ranges on Wan:
Adding the ‘Wan: Allow modem’ rule works as expected (can ping the modem from the router)
Adding the ‘Lan1: Allow modem’ rule works only if I use ‘From: any zone’ (I can ping the modem and access its web interface, but access to the modem is too open / not according to my intention). Unexpected / My issue: The moment I use ‘From: Lan1’ the rule does NOT allow access to the modem web interface from Lan1.
If the modem is ipoe then 192.168.234.249 is treated as just another address on the Internet (only the modem will intercept it locally rather than forward it to the ISP). So without writing any rules at all, all zones that are allowed to use the Internet can also initiate a connection to the modem web page. If you don't want that, write blocking rules instead.
In order to really understand what is happening, we need some additional info:
what is the address for the modem?
please confirm that you do want z_Lan1 to access the modem
please confirm that it should be blocked from all others.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
@mk24: There is a whole set of rules that block anything going out on Wan to 10.x.x.x, 172.16.x.x etc. I did not include all such details to keep things readable.
@psherman: You guys are very fast in responding. I just updated the original post to express the additional info. Once I have access (currently not at home) I will provide the output of the three commands.
I've skimmed through your configs, and honestly I am having trouble following it because you've basically re-written everything. It seems like you've essentially deleted all of the standard stuff and then made your own replacements. It also looks like you may have rules that are redundant and/or unnecessary. But it would require quite a bit of work to keep track of everything you've done.
Another really unusual thing you've done here is the use of .193 as your router's address on each of the networks. While there is no technical reason you can't use this, it's uncommon (most of the time it's at the top or bottom of the range, so on a /24, that would be the .1 or .254 address). That said, it is absolutely critical that the DHCP pool does not overlap the router's address. The default DHCP server config has the pool from .100-249, so hopefully yours is different.
All of that said, is there a reason that you've made your config so drastically different than the default (or common) use of OpenWrt?
When you are using any zone the rule is placed on top of the list.
When you specify a zone you have a jump action to a more specific rule, like forward lan.
Do the nft list ruleset to check for yourself.
I used the web interface only to configure the rules. I come from a different firewall (pf). Therefore when building these rules I tested each and every rule in an attempt to learn how OpenWRT works. I have always assumed:
The order in which the rules are processed is top to bottom.
The moment a packet matches a rule the remaining rules are not processed.
Your reply seems to indicate my assumption is incorrect.
I searched for a description of rules ordering but never found it. Maybe I use the wrong keywords.
Assuming I interpret your reply correctly (and as a result my assumption expressed above is not true):
I need to rethink my rules.
You would help me with (a pointer to) a description explaining the order etc. in which rules are processed.
... you were trying to recreate the firewall rules as expressed in pfsense?
If that's the reason for the significant re-write of your firewall, I would recommend that you reset to defaults.
From there, we can help you implement the specific goals you might have if you can provide clear descriptions of what you want to happen with each network.
Either add the source subnet in ‘Lan1: Allow modem’ and leave src zone any or you'll need to make a separate rule for every zone, allowing from lan1 and dropping from the others.
Yes, indeed I deleted the original config. The reason I did so was to start with a completely blocked firewall where I added rules starting from zero to get it to work in exactly the way I want it to. Unless I misunderstand how OpenWRT works there are no redundant rules. There are however quite a few similar rules as I never found a way to make rules apply to multiple but not all zones. For example: All my networks/zones (except WAN) have access to the OpenWRT DNS server. Is there any way to allow such access in a single rule?
However, from trendy's reply I just might not understand how OpenWRT works exactly: My assumption on the order etc. in which rules are processed might be wrong. See my other reply.
In relation to the unusual networks 192.168.24x.193/26: I did this on purpose and yes, the DHCP pools are configured accordingly for both dynamic and static addresses. I intend to use the OpenWRT config in multiple locations connecting to various sources, both with or without the (LTE) modem I mentioned. As a result the WAN network can basically get assigned any IP, both RFC1918 or a public IP address. The moment the assigned IP overlaps with any of 'my own' network ranges things do not work properly anymore. I already experienced such overlaps with the default OpenWRT private address and the more usual networks I selected myself before. I know my current networks do not guarantee anything but the current unusual addresses avoid collisions better.
I really wouldn't recommend that unless you have a complete understanding of OpenWrt's firewall and the function of each rule.
To be clear, the default OpenWrt firewall allows open/unrestricted routing from itself > wan and also from lan > wan (and obviously the established/related return traffic is allowed), but does not allow any unsolicited ingress to the router itself or to the network behind the router.
That is to say, the default state of the OpenWrt firewall is secure for the vast majority of use cases, and you're better off making small modifications if you want additional restrictions at that point.
There are no redundant rules in the system by default, but a user could obviously create two rules that do the same thing, or that are unnecessary. Those would be redundant in the context I was using. However, I think more to the point is that each network needs to be in a maximum of 1 zone... maybe that's what you're thinking about. You cannot put the same network into multiple zones.
Yes, in general you need to either create multiple accept (or reject) rules, 1 per zone, or create a main (any) accept (or reject) rule + rules to do the opposite for the zone that needs to be different.
There are other techniques, but the methods of constructing the firewall depend on the goals -- and if there is a complete vision of the rulesets, there are sometimes efficiencies to be gained with certain methods.
Rules are processed in order, and stop when they have the first hit (with the exception of the 'default' zone rule which is applied if no other conditions are met). But, I think you may not fully understand the way that OpenWrt's ZBF works, and this is even more of a reason to not try to re-write the whole thing... keep the defaults and make a few additions/modifications as needed.
You're possibly conflating address with subnet. I was talking about the 193 address itself -- vs just using the top or bottom of say a /24.
Yes, that's true. But you probably have a 'random' enough subnet to not worry about it... but if there is an overlap that happens (let's say the wan is 192.168.240.0/24), it's going to break one of your subnets anyway -- it would overlap your 192.168.2.193/26. This also wouldn't save you if the upstream was a large subnet such as an entire /16.
Sure... the default 192.168.1.1 is extremely common. So yes, use other subnets, but no need to use a /26 per se.
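The fix trendy suggests ("add the source subnet in 'Lan1: Allow modem' and leave src zone any") and the allow-one/reject-the-rest pattern psherman describes, written out as /etc/config/firewall entries. This is an added example, not configuration posted in the thread. Zone names and the modem address 192.168.234.249 are taken from the original post; the Lan1 subnet is only given as 192.168.24x.193/26, so 192.168.241.192/26 below is a placeholder that must be replaced with the real Lan1 network. The comments follow trendy's description of where fw4 places the rules: a rule with source zone "any" sits in the top-level chain, a rule with a specific source zone is only reached through the per-zone jump, so the OP's earlier "block private ranges" rules (source zone any) matched first.

```uci
# --- Router itself -> modem (output rule: no src, only dest) ---
# This is the 'Wan: Allow modem' rule the OP reports as working.
config rule
	option name 'Wan: Allow modem'
	option dest 'z_WAN'
	option dest_ip '192.168.234.249'
	option proto 'all'
	option target 'ACCEPT'

# --- The variant from the original post that does NOT work in this setup ---
# src 'z_Lan1' puts the rule in the z_Lan1 forward chain, which is only
# reached via a jump; the OP's "block RFC1918 on WAN" rules with source
# zone 'any' live in the top-level chain and are evaluated before it.
#config rule
#	option name 'Lan1: Allow modem'
#	option src 'z_Lan1'
#	option dest 'z_WAN'
#	option dest_ip '192.168.234.249'
#	option proto 'all'
#	option target 'ACCEPT'

# --- Working variant: source zone 'any', restricted by the Lan1 subnet ---
# '*' is what LuCI writes for "From: any zone". The src_ip match is what
# keeps the rule from being "too open": only packets from the Lan1 network
# (PLACEHOLDER subnet, replace with your real one) reach the modem.
config rule
	option name 'Lan1: Allow modem'
	option src '*'
	option src_ip '192.168.241.192/26'
	option dest 'z_WAN'
	option dest_ip '192.168.234.249'
	option proto 'all'
	option target 'ACCEPT'

# --- Explicit reject for everything else, placed AFTER the allow rule ---
# Both rules have source zone 'any', so they are evaluated in this order in
# the same top-level chain: Lan1 hits the ACCEPT, every other zone falls
# through to the REJECT. This rule must stay before (or replace) the
# general "block private ranges on WAN" rules so the ordering is explicit.
config rule
	option name 'Wan: Block modem from other zones'
	option src '*'
	option dest 'z_WAN'
	option dest_ip '192.168.234.249'
	option proto 'all'
	option target 'REJECT'
```

After editing the file, `/etc/init.d/firewall restart` reloads it, and `nft list ruleset` (as trendy suggests) shows in which chain each rule actually landed; check that the two `src '*'` rules appear in the top-level forward chain in the order above. If you prefer psherman's one-rule-per-zone alternative instead (ACCEPT from z_Lan1, REJECT from each of the other zones), the existing "block private ranges" rules have to be made zone-specific as well, otherwise, by the same ordering, they keep matching ahead of the per-zone ACCEPT.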