Because I've tried blocking everything from LAN to WAN except for 53, 67, 80, 443 and I still can't access the internet.
Which one am I missing?
80 (HTTP) and 443 (HTTPS) tcp are all that's needed for a client's browser to access the Internet.
FYI, the device will need to access some DNS server at 53/udp. By default, clients access the router at 192.168.1.1.
- Did you do something to DHCP packets?
- BTW, DHCP traffic does not go from LAN to WAN
Does your client successfully obtain an IP assigned via DHCP?
Perhaps you should show us the firewall config. Please provide the output of:
cat /etc/config/firewall
Take a different approach. First make sure everything works fine with the firewall allowing traffic. Then test by allowing each port and having a policy to reject.
From lan to wan only 80 and 443 can be enough for browsing. 67 and 53 are input traffic to OpenWrt.
hmmm.
You probably handle destination ports here?
80 and 443 are the website's listening/incoming ports, but your own browser's outgoing connections' local source ports are likely something high, random.
If your rule sets that the originating source port should only be 80 or 443, then you likely fail.
Tried this approach first and still got access to the internet. (Quoting: What are the minimum amount of ports to browse the internet? - #3 by trendy)
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'blockmodem'
	option src 'lan'
	list dest_ip '192.168.10.11'
	option dest_port '80-443'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

config rule
	option name '1'
	option src 'lan'
	option dest_port '80'
	option target 'ACCEPT'
	option dest 'wan'

config rule
	option name '443'
	option src 'lan'
	option src_port '443'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option src_port '53'
	option dest 'wan'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name '67'
	option src 'lan'
	option src_port '67'
	option dest 'wan'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name '1'
	option src 'lan'
	option src_port '853'
	option dest 'wan'
	option dest_port '853'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name '1'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option dest_port '853-65535'
	option enabled '0'

config rule
	option src 'lan'
	option dest_port '1-52'
	option target 'DROP'
	option dest 'wan'
	option enabled '0'

config rule
	option dest_port '22 80 443 22229'
	option src 'lan'
	option name 'Disallow other traffic'
	option extra '-m iprange --src-range 192.168.100.168-192.168.100.255'
	option target 'REJECT'

config rule
	option src_port '80'
	option dest_port '80'
	option target 'DROP'
	option src 'lan'
	option dest 'wan'

config rule
	option target 'DROP'
	option src_port '443'
	option dest_port '443'
	option src 'lan'
	option dest 'wan'

config rule
	option target 'DROP'
	option src_port '443'
	option dest_port '443'
	option src 'wan'
	option dest 'lan'
Your config contains lots of erroneous source port specs.
Should all be dest?
You should likely remove pretty much all src_port lines, as I explained above: the connections originate from a random high port, not e.g. 443 (which is the destination port at the remote server).
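The src_port mistake is easy to miss in a long file, so here is an added example (not posted in the thread) of a small lint that reads a UCI firewall config and flags every lan -> wan rule that matches on the client's source port. The sample config is constructed to resemble the rules above; run the lint function against /etc/config/firewall on the router.

```shell
#!/bin/sh
# Added example (not posted in the thread): a lint for /etc/config/firewall
# that flags the mistake discussed above. A browser's outgoing connection
# leaves from a random high (ephemeral) source port, so a lan -> wan rule
# carrying "option src_port '443'" (or '80', '53', '67') never matches.
# Only dest_port describes the service being reached.

# Constructed sample, shaped like the rules in the posted config.
sample_config() {
cat <<'EOF'
config defaults
	option forward 'REJECT'

config rule
	option name '443'
	option src 'lan'
	option src_port '443'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'http'
	option src 'lan'
	option dest 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option src_port '67'
	option dest 'wan'
	option dest_port '67'
	option target 'ACCEPT'
EOF
}

# lint_src_port: read a UCI firewall config on stdin and print one line for
# every "config rule" from lan to wan that sets src_port. Exits 1 when at
# least one such rule was found, 0 otherwise.
lint_src_port() {
	awk -v q="'" '
	# UCI values are quoted; strip the quotes but keep the whole remainder
	# of the line, so names containing spaces survive.
	function value(    v) { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v); return v }
	function flush() {
		if (sec == "rule" && src == "lan" && dst == "wan" && sport != "") {
			printf "rule %s: src_port %s will never match (clients connect from ephemeral ports); match on dest_port only\n", (name != "" ? name : "(unnamed)"), sport
			bad++
		}
		sec = ""; name = ""; src = ""; dst = ""; sport = ""
	}
	$1 == "config" { flush(); sec = $2 }
	$1 == "option" && $2 == "name"     { name  = value() }
	$1 == "option" && $2 == "src"      { src   = value() }
	$1 == "option" && $2 == "dest"     { dst   = value() }
	$1 == "option" && $2 == "src_port" { sport = value() }
	END { flush(); exit (bad > 0) }
	'
}

# count_src_port_rules: number of offending rules in the constructed sample.
count_src_port_rules() {
	sample_config | lint_src_port | grep -c '^rule '
}

# On the router:  lint_src_port < /etc/config/firewall
sample_config | lint_src_port || echo "-> remove the src_port lines from the rules above"
```

The two flagged rules are exactly the shape of the '443' and '67' rules in the posted file; the 'http' rule, which only sets dest_port, passes.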
To achieve what you want you will need to block everything outgoing (i.e. all ports and protocols) and then force users to connect to the internet via a transparent HTTP proxy. For a home network setup this might be a bit too much work for your router, depending on its processor.
If the goal is to prevent all lan traffic to the internet except for ports 80/443 and 53, that can be achieved by a set of simple firewall rules.
If, however, the goal is to only allow http/https and dns services and to ensure that nothing else can get through even if it uses the same ports, then you need a packet/protocol inspection process.
@LEDEuser - what is your actual goal here? Are you trying to restrict access to non-web (http/https) services? And how strictly are you trying to do this -- are you, for example, blocking a teenager from using some apps or games or whatever, or are you just trying to do a simple restriction that blocks most non-web services? Or is there some other reason for blocking ports?
Instead of all these complex config discussions, I would simply:
- Remove the LAN -> WAN forwarding in the firewall
- Make Traffic Rules to Allow DST ports 80/tcp and 443/tcp to WAN from LAN
- (You may need to also Allow DNS, DoT/DoH - as some devices may connect to a DNS server on the Internet)
- The normal LAN allow rules will work for DHCP and DNS requests to the OpenWrt
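The four steps above, written out as an added example (not posted in the thread) of a complete /etc/config/firewall. It assumes the default zone and interface names "lan" and "wan"; the two check functions at the end take the path of a config file and can be pointed at the live file on the router.

```shell
#!/bin/sh
# Added example (not posted in the thread): the "remove the forwarding, allow
# only what you need" layout as a complete /etc/config/firewall. Assumes the
# default zone/interface names "lan" and "wan". There is deliberately no
# "config forwarding" from lan to wan, so lan -> wan traffic falls through
# to the defaults' forward REJECT unless one of the explicit rules accepts
# it. DNS and DHCP requests to the router itself are input traffic on the
# lan zone (input ACCEPT), so they need no rule here.

minimal_firewall_config() {
cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Keep the stock wan-side input rules (DHCPv6, ICMPv6, ping, ...) from the
# posted file; only the IPv4 DHCP renew rule is repeated here.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Only the destination port identifies the service; no src_port anywhere.
config rule
	option name 'Allow-LAN-HTTP'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-HTTPS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DNS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
EOF
}

# lan_wan_forwarding_count FILE: number of "config forwarding" sections from
# lan to wan in FILE (the layout above relies on this being 0).
lan_wan_forwarding_count() {
	awk -v q="'" '
	function flush() { if (sec == "forwarding" && src == q "lan" q && dst == q "wan" q) n++; sec = ""; src = ""; dst = "" }
	$1 == "config" { flush(); sec = $2 }
	$1 == "option" && $2 == "src"  { src = $3 }
	$1 == "option" && $2 == "dest" { dst = $3 }
	END { flush(); print n + 0 }
	' "$1"
}

# has_no_src_port FILE: true when no rule matches on the client source port.
has_no_src_port() {
	! grep -q 'option src_port' "$1"
}

# Usage on the router (back up the existing file first):
#   minimal_firewall_config > /etc/config/firewall && /etc/init.d/firewall restart
```

If DoT/DoH or QUIC should keep working, add rules of the same shape for tcp 853 and udp 443; keep them dest_port only.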
Ports up to 1023 are fixed well-known server ports; ports between 1024 and 49151 are for not-so-typical servers/services; ports above 49152 are dynamically (randomly) used by the clients to connect to those servers. For more information, you can read the Note and IANA registration.
You may also want to permit udp port 443 for the http3/quic protocol as well. It makes browsing faster and it's particularly beneficial for wireless devices when they need to migrate their connections between mobile and wifi networks.