My setup is like the one below; the packet flow is marked red when accessing the web interface of my firewall from the client network. I've checked this via capturing the packets. The WAN interface has its default config and is not allowed to forward things to other zones.
My question is now, why is this working?
I assume some kind of state in the firewall, but want to be sure. The ingress route for the packets to Router 2 is via WAN, while the egress one goes via the management interface.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I don't think the config is necessary at that point. The question is, based on my diagram and a default WAN config: is this a normal behavior and if so what is the background?
If not, we can review my configuration. But then I need a hint as well in which direction I should look; it is pretty complex and I will not post everything here.
Issue closed then? No problem from the start?
Your configuration with a VLAN spiderweb topology is neither default nor understandable from your description or pictures.
If it is helpful for you, here it is (there is no wifi involved at all). But in general everything is part of the diagram or described in the first post, that's why I drew it.
From the extremely redacted config, it seems the OP has tagged and untagged traffic.
If the config isn't redacted, loopback is missing
WAN is not using masquerade, so the asymmetrical ingress is possible anyway.
That config is in Router 1
It is redacted, there are more than 10 interfaces with config so I stripped it down to the relevant part for the mentioned interfaces. You are right with point 3, router 1 is responsible for the asymmetric routing decision.
It's likely the traffic is being allowed as established or related traffic. That's a default rule in place to allow responses through the firewall.
What more are we actually trying to find out here?
The whole question is not about something being wrong in terms of config, but in the direction of understanding. Obviously (sniffed packets) the routing is done asymmetrically and allowed by OpenWRT.
So, if you say it is fully expected that traffic spanned over two interfaces (egress over one, ingress over another) is always allowed because of established and related, ok. That is new for me and I didn't expect this (but I am no expert here, just security-wise it was against my feeling). Where is this default rule defined?
And, based on @lleachii's comment: what is the difference with masquerading enabled on the WAN interface in my case, why is the default rule not kicking in here? Because it points to the router IP directly and there is no entry in the NAT table for it mapping it to the internal IP?
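To illustrate the "established/related" behaviour discussed above, here is a small simulation added to this thread (not OpenWrt's or fw4's own code): a conntrack-aware INPUT chain that accepts packets of an already tracked flow before the per-zone policy is consulted. The interface names, zone mapping and addresses are constructed assumptions; the key point it shows is that the conntrack entry is keyed on addresses and ports, not on the ingress interface, so a later packet of the same flow arriving via WAN is still accepted while a brand-new connection via WAN is rejected.

```python
from collections import namedtuple
from typing import Set, Tuple

# Constructed topology (assumption, not from the thread): interface -> zone.
ZONE_OF = {"eth0.2": "wan", "eth0.10": "mgmt"}
# Per-zone INPUT policy; "wan" mirrors OpenWrt's default WAN zone (input REJECT).
INPUT_POLICY = {"wan": "REJECT", "mgmt": "ACCEPT"}

Packet = namedtuple("Packet", "iface src sport dst dport syn")


def flow_key(p: Packet) -> Tuple:
    """Direction-agnostic TCP 4-tuple. The ingress interface is deliberately
    not part of the key: conntrack matches flows, not paths."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return ("tcp",) + tuple(sorted((a, b)))


class StatefulInput:
    """Simplified model of a stateful INPUT chain:
    1. packet belongs to a tracked flow  -> ACCEPT (ct state established)
    2. untracked packet without SYN      -> DROP   (ct state invalid)
    3. otherwise the ingress interface's zone policy decides (NEW flow)."""

    def __init__(self) -> None:
        self.conntrack: Set[Tuple] = set()

    def input(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.conntrack:
            return "ACCEPT (ct state established)"
        if not p.syn:
            return "DROP (ct state invalid)"
        verdict = INPUT_POLICY[ZONE_OF[p.iface]]
        if verdict == "ACCEPT":
            self.conntrack.add(key)  # the new flow is now tracked
        return verdict


def asymmetric_session() -> Tuple[str, str, str, str]:
    fw = StatefulInput()
    router, client = "10.0.0.1", "192.168.5.20"   # constructed addresses
    # 1) connection is opened towards the management interface: NEW, accepted
    v1 = fw.input(Packet("eth0.10", client, 50000, router, 443, True))
    # 2) later packet of the same flow arrives via WAN: matches conntrack
    v2 = fw.input(Packet("eth0.2", client, 50000, router, 443, False))
    # 3) brand-new connection via WAN: no state, zone policy rejects it
    v3 = fw.input(Packet("eth0.2", client, 50001, router, 443, True))
    # 4) stray non-SYN packet of an unknown flow via WAN: treated as invalid
    v4 = fw.input(Packet("eth0.2", client, 50002, router, 443, False))
    return v1, v2, v3, v4
```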
It is absolutely necessary to see which firewall engine is in use.
The config cuts look like they are working without visible defects. What does not work is cut to your side of the field.
I've added the ubus output to my post with the configs, just to have them all together.
Not sure why that's difficult. E.g. you even redacted loopback. So should we assume you've altered the normal loopback?
Added as well, but it is plain standard.
You're also carrying tagged and untagged traffic on the same PHY; that's not a suggested config on OpenWrt anyway.
Can you maybe give me some more information about the background or a link to the wiki where I can read about this topic? This is new for me and good to know. In that case I would rework my management network to be tagged as well.