Why is packet routing via WAN interface working here?

Hi all,

my setup is like the below, the packet flow is marked red when accessing the web interface of my firewall from the client network. I've checked this via capturing the packets. The WAN interface has it's default config and is not allowed to forward things to other zones.

My question is now, why is this working?

I assume some kind of state in the firewall, but want to be sure. The ingress-route for the packets to Router 2 is via WAN, while the the egress one goes via the management interface.

Can someone help me here to explain this?

Thanks and best regards
Robert

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi @brada4,

thanks for your reply.

I don't think the config is necessary at that point. The question is, based on my diagram and a default WAN config: is this a normal behavior and if so what is the background?

If not, we can review my configuration. But than I need a hint as well in which direction I should look, it is pretty complex and I will not post everything here.

Best regards
Robert

Issue closed then? No problem from the start?
Your configuration with vlan-spiderweb topology is not default not understandable from your description of pictures.

1 Like

It's likely the traffic is being allowed as established or related traffic. That's a default rule in place to allow responses through the firewall.

2 Likes

No idea if it is offload states fixed with 2x dst iif or some other foggy stuff.

Sorry, likewise we can't assume or guess either.

(To be clear, we need to see the configs to answer your question.)

2 Likes

I asked wireless and network for the reason routing is expected and so that we dont break wifi down the road.

1 Like

Agreed, those configs are needed too.

Hi @lleachii,

if it is helpful for you, here it is (there is no wifi involved at all). But in general everything is part of the diagram or described in the first post, that's why I drawed it. :slight_smile:

Anyway, thanks for any hint or help!

Best regards
Robert

Ubus:

{
        "kernel": "5.15.137",
        "hostname": "hostname",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'wan'
        option device 'eth1.15'
        option proto 'static'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

config interface 'wan6'
        option device 'eth1.15'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'mgm'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.200.2'
        option netmask '255.255.255.0'

config interface 'cli'
        option device 'eth1.150'
        option proto 'static'
        option ipaddr '192.168.150.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

Firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option log '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        
config zone
        option name 'mgm'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        list network 'mgm'

config forwarding
        option src 'mgm'
        option dest 'wan'

config zone
        option name 'cli'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        list network 'cli'

config forwarding
        option src 'cli'
        option dest 'wan'

config forwarding
        option src 'cli'
        option dest 'mgm'

What more are we actually trying to find out here?

1 Like

Not much anyway.

  • From the extremely redacted config, it seem the OP has tagged and untagged traffic.
  • If the config isn't redacted, loopback is missing
  • WAN is not using masquerade, so the asymmetrical ingress is possible anyways
    • That [routing] config is found in Router 1 (non OpenWrt) anyway

Hi @lleachii, @krazeh

From the extremely redacted config, it seem the OP has tagged and untagged traffic.

  • If the config isn't redacted, loopback is missing
  • WAN is not using masquerade, so the asymmetrical ingress is possible anyways
  • That config is in Router 1

It is redacted, there are more than 10 interfaces with config so I stripped it down to the relevant part for the mentioned interfaces. You are right with point 3, router 1 is responsible for the asymmetric routing decision.

It's likely the traffic is being allowed as established or related traffic. That's a default rule in place to allow responses through the firewall.

What more are we actually trying to find out here?

The whole question is not about being something wrong in terms of config, but in the direction of understanding. Obviously (sniffed packets) the routing is done asymmetric and allowed by OpenWRT.

So, if you say it is fully expected that traffic spanned over two interfaces (egress over one, ingress over another) is always allowed because of established and related, ok. That's is new for me and I didn't expect this (but I am no expert here, just security wise it was agains my feeling). Where is this default rule defined?

And, based on @lleachii 's comment: what is the difference with masquerading enabled on the WAN interface in my case, why is the default rule not kicking in here? Because it points to the route IP directly and there is no entry in the NAT table for it mapping it to the internal IP?

Thanks and best regards
Robert

There may be none. Again:

Not sure why that's difficult. E.g. you even redacted loopback. So should we assume you've altered the normal loopback?

You're also carrying tagged and untagged traffic on the same PHY, that's not a suggested config on the OpenWrt anyway.

Apologies, experience dictates that we'd need the config to answer you.

ubus call system board

Is absolutely necessary to see which firewall engine is in use.
The config cuts look like working without visible defects. What does not work is cut to your side of field.

1 Like

Hi @brada4,

I've added the ubus output to my post with the configs, just to have them all together.

Not sure why that's difficult. E.g. you even redacted loopback. So should we assume you've altered the normal loopback?

Added as well, but it is plain standard.

You're also carrying tagged and untagged traffic on the same PHY, that's not a suggested config on the OpenWrt anyway.

Can you maybe give me some more information about the background or a link to the wiki where I can read about this topic? This is new for me and good to know. In that case I would rework my management network to be tagged as well.

Best regards
Imk82