What are the default firewall zone settings?

Novice user here - I was trying to set up a separate VPN interface to restrict VPN traffic only to a couple of IP addresses on my LAN, and in the process of playing with the new zone configuration, I'm afraid I may have messed up the default zone configurations.

My configuration showing up in LuCI is:

Zone => Forwardings | Input  | Output | Forward | Masquerading
lan  => wan         | Accept | Accept | Accept  | unchecked
wan  => reject      | Reject | Accept | Reject  | checked
vpn  => reject      | Reject | Reject | Reject  | unchecked

The wan one is the one that may have been changed. Is this now back to default?

These match my firewall settings. I've not changed these from defaults. The "checked" is for Masquerading.

2 Likes

You may want to set the output of vpn zone to accept. Otherwise you might face some weird issues.
Other than that it looks fine.

2 Likes

Thanks.

I have a port forwarding rule: incoming from wan [zone], port 2345, to this device, port 2345; forward to vpn [zone] IP 192.168.1.1 (i.e. the address of the router), port 2345.

I then have a traffic rule: from vpn [zone] to LAN IPs 192.168.1.xxx (security cam), 192.168.1.yyy (other LAN device)... accept forward.

Did I do that right, and does that eliminate the need to set the output of the vpn zone to accept?

Better post the output of uci export firewall in preformatted text </>, because it doesn't sound right.

[see below]

I think that's what you were asking for?

Better post it all.

package firewall
[truncated]

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '2345'
	option src 'wan'
	option name 'vpn'
	option src_dport '2345'
	option target 'DNAT'
	option dest 'lan'
	list proto 'udp'
	option dest_ip '192.168.1.1'
	option enabled '0'

config zone
	option network 'wg0'
	option name 'vpn'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config rule
	option src 'vpn'
	option name 'test2'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '192.168.1.107'
	list dest_ip '192.168.1.109'
	list proto 'all'

config redirect
	option dest_port '2345'
	option src 'wan'
	option name 'vpn'
	option src_dport '2345'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	option dest 'vpn'
	list proto 'udp'

So in zone vpn, make output ACCEPT.
Rule test2 is fine.
Both redirects are wrong: delete them and make a rule to accept source zone wan to the device (no destination zone), destination port 2345, protocol udp.

1 Like
config redirect
	option dest_port '2345'
	option src 'wan'
	option src_dport '2345'
	option target 'DNAT'
	list proto 'udp'
	option name 'VPN-New'

OK, I fixed it to the above. Just so I can learn better: why is the old way incorrect? Shouldn't I be forwarding the wan connection to the vpn zone? Or, by sending it to the router directly, does the router then figure out that the connection to port 2345 should be sent to the vpn zone?

No, delete the redirect and make a rule.
You are not redirecting anything; you open port 2345/udp on the wan zone to accept WireGuard connections.
By redirecting the traffic internally you are adding more things to do for every WireGuard packet without any reason or benefit.

2 Likes

Got it.

config rule
	option src_port '2345'
	option src 'wan'
	option name 'VPN-In'
	option target 'ACCEPT'
	option dest_port '2345'
	list proto 'udp'

I think that's it? I appreciate the help, by the way.

Sorry to be a pain, one last question:
I had set the source port as 2345, as shown in the config rule above... that didn't work.
I changed it to what you originally said (read it more closely) and removed the incoming source port (so it's any),
and now it works...

Why is that? I tell the WireGuard client on my phone to connect to IPADDRESS:PORT...

And another question: isn't that making my router exposed to the internet/WAN overall, since it's not demanding a specific incoming port? Or is it still secure because the only thing port 2345 does on my router is go to the vpn zone, which is configured as a WireGuard peer?

The source port that the phone is using to connect can be anything, especially if it is behind CG-NAT on a mobile data network.
The important thing here is the destination port, which is 2345, and you configure it on OpenWrt as the listening port of WireGuard.

No, it doesn't matter.

It is secure because the WireGuard server will not respond if the client is not legitimate, which means it has to have the correct keys configured.

1 Like
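The three corrections made over the course of this thread (zone output must be ACCEPT, a DNAT redirect to the router's own address should be a plain ACCEPT rule, and an inbound rule must not pin the client's source port) can be checked mechanically against a `uci export firewall` dump. The script below is an added example, not code from the thread or from OpenWrt: it implements a small parser for the UCI export syntax, runs those three checks, and emits the rule stanza the thread ends up with. The router address 192.168.1.1 and the condensed sample export are assumptions constructed from the config posted above.

```python
"""Lint a `uci export firewall` dump for the three mistakes discussed in this thread."""
import re

# Constructed sample: a condensed version of the config posted above,
# with the zone, the DNAT redirect and the src_port-pinned rule.
SAMPLE_EXPORT = """\
config zone
\toption network 'wg0'
\toption name 'vpn'
\toption input 'REJECT'
\toption output 'REJECT'
\toption forward 'REJECT'

config redirect
\toption name 'vpn'
\toption src 'wan'
\toption src_dport '2345'
\toption dest 'vpn'
\toption dest_ip '192.168.1.1'
\toption dest_port '2345'
\toption target 'DNAT'
\tlist proto 'udp'

config rule
\toption name 'VPN-In'
\toption src 'wan'
\toption src_port '2345'
\toption dest_port '2345'
\toption target 'ACCEPT'
\tlist proto 'udp'
"""

# Assumption: the router's own LAN address (as in the thread).
ROUTER_IPS = {"192.168.1.1"}

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")


def parse_uci(text):
    """Parse UCI export syntax into [(section_type, {key: value or [values]})].

    Only the subset used by /etc/config/firewall is handled: `config <type>`,
    `option <key> '<value>'` and repeated `list <key> '<value>'`.
    """
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:  # list: repeated keys accumulate
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def lint(sections, router_ips=ROUTER_IPS):
    """Return human-readable findings for the mistakes the thread identified."""
    findings = []
    for kind, s in sections:
        name = s.get("name", "?")
        # 1. A zone whose output policy is not ACCEPT (the first reply's advice).
        #    A missing option falls back to the defaults section; assumed ACCEPT here.
        if kind == "zone" and s.get("output", "ACCEPT").upper() != "ACCEPT":
            findings.append(f"zone {name}: output is {s['output']}; set it to ACCEPT")
        # 2. A DNAT redirect that does not forward to another host (no dest_ip,
        #    or dest_ip is the router itself). The thread's fix is an ACCEPT
        #    rule from wan to the device with no destination zone.
        if kind == "redirect" and s.get("target", "DNAT").upper() == "DNAT":
            if s.get("dest_ip") is None or s["dest_ip"] in router_ips:
                port = s.get("src_dport") or s.get("dest_port")
                findings.append(
                    f"redirect {name}: DNAT to the router itself; replace with "
                    f"a rule: src wan, dest_port {port}, proto udp, target ACCEPT"
                )
        # 3. An inbound wan rule that pins the client's source port; clients
        #    (especially behind CG-NAT) use arbitrary source ports.
        if kind == "rule" and s.get("src") == "wan" and "src_port" in s:
            findings.append(
                f"rule {name}: src_port '{s['src_port']}' will not match most "
                f"clients; drop it and match only dest_port"
            )
    return findings


def wireguard_accept_rule(port, name="Allow-WireGuard"):
    """The rule stanza the thread ends up with: accept UDP to the router on `port`."""
    return "\n".join([
        "config rule",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        f"\toption dest_port '{port}'",
        "\tlist proto 'udp'",
        "\toption target 'ACCEPT'",
    ])


if __name__ == "__main__":
    for line in lint(parse_uci(SAMPLE_EXPORT)):
        print(line)
    print(wireguard_accept_rule(2345))
```

On a real router the input would be the output of `uci export firewall`; the stanza returned by `wireguard_accept_rule` passes the same lint cleanly, which is the point of the exercise: the WireGuard listening port needs only an INPUT accept from wan, and the forwarding restriction to individual LAN hosts stays in the separate vpn-to-lan rule.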