trendy
August 13, 2019, 6:06pm
7
To avoid any misunderstanding, these rules are in Firewall configuration. Not port forward, but traffic rules.
Remove the part

config forwarding
	option dest 'wan'
	option src 'lan'

and add

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'test'
	option proto 'all'
	option dest 'wan'
	option dest_ip '192.168.2.3'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'test'
	option proto 'all'
	option dest 'wan'
	option dest_ip '192.168.2.6'
2 Likes
maart
August 13, 2019, 7:18pm
8
I cannot reach 192.168.2.6 from the 192.168.6.0/24 subnet. Is something wrong in the rules above?
trendy
August 13, 2019, 7:22pm
9
Do 2.3 and 2.6 have a route for 192.168.6.0/24 via the 2.7 of WRT54GL?
trendy:
option dest_ip
Shouldn't this be the source address?
maart
August 13, 2019, 7:35pm
11
Where should I exactly define the routes?
trendy
August 13, 2019, 8:17pm
13
He said from LAN to WAN
Either directly on the .2.3 and .2.6
OR at their default gateway
OR (easiest) keep NAT on in WRT54GL on the WAN interface, so no routes will be needed.
1 Like
tapper
August 13, 2019, 11:31pm
14
What the heck are you rocking such an old build of OpenWrt for? That old build is not safe to have on the internet in 2019.
4 Likes
maart
August 14, 2019, 7:35pm
15
After I defined the route in the default gateway, I can reach 192.168.2.6, but also the full 192.168.2.0/24 subnet, e.g. I can access the device 192.168.2.2. Is there a problem in my firewall config?
firewall:

config 'rule'
	option 'name' 'Allow-DHCP-Renew'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '68'
	option 'target' 'ACCEPT'
	option 'family' 'ipv4'

config 'rule'
	option 'name' 'Allow-Ping'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'icmp_type' 'echo-request'
	option 'family' 'ipv4'
	option 'target' 'ACCEPT'

config 'rule'
	option 'name' 'Allow-DHCPv6'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'src_ip' 'fe80::/10'
	option 'src_port' '547'
	option 'dest_ip' 'fe80::/10'
	option 'dest_port' '546'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'

config 'rule'
	option 'name' 'Allow-ICMPv6-Input'
	option 'src' 'wan'
	option 'proto' 'icmp'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	list 'icmp_type' 'router-solicitation'
	list 'icmp_type' 'neighbour-solicitation'
	option 'limit' '1000/sec'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'

config 'rule'
	option 'name' 'Allow-ICMPv6-Forward'
	option 'src' 'wan'
	option 'dest' '*'
	option 'proto' 'icmp'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	option 'limit' '1000/sec'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'

config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'
	option 'drop_invalid' '0'

config 'zone'
	option 'name' 'lan'
	option 'network' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'

config 'zone'
	option 'name' 'wan'
	option 'network' 'wan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'

config 'include'
	option 'path' '/etc/firewall.user'

config 'rule'
	option 'enabled' '1'
	option 'target' 'ACCEPT'
	option 'src' 'lan'
	option 'name' 'test'
	option 'proto' 'all'
	option 'dest' 'wan'
	option 'dest_ip' '192.168.2.11'

config 'rule'
	option 'enabled' '1'
	option 'target' 'ACCEPT'
	option 'src' 'lan'
	option 'name' 'test'
	option 'proto' 'all'
	option 'dest' 'wan'
	option 'dest_ip' '192.168.2.6'
route:
You cannot block access to the 192.168.2.0/24 subnet since this would be switched, not routed. As a result, it never goes through the router/firewall, just the switch chip.
If you want to isolate those devices, you would be best served by setting up VLANs.
@psherman , it looks like separate interfaces and different firewall zones:
@maart , let's check the runtime configuration:
ip a; ip r; ip ru; iptables-save
It's possible I'm mis-interpreting this part of the issue... I'm reading it as "192.168.2.3 can reach 192.168.2.6 and can reach any other devices in 192.168.2.0/24 subnet." This would, of course, be expected behavior. But maybe I've got the interpretation wrong and we're talking about the LAN/WLAN subnet looking into the WRT54GL's network.
maart
August 15, 2019, 9:14am
20
The goal is to reach from clients in the 192.168.6.0/24 subnet only the clients 192.168.2.6 and 192.168.2.3 in the 192.168.2.0/24 subnet. Now I changed the firewall on 192.168.2.7 and added a route in the gateway of the 192.168.2.0/24 subnet.
@vgaetera
I post later the output.
maart
August 15, 2019, 2:42pm
21
I do not have the ip command on the WRT54GL, only iptables-save.
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [16227:1233808]
:OUTPUT ACCEPT [16227:1233808]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A PREROUTING -i eth0.1 -j zone_wan_prerouting
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o br-lan -j zone_lan_nat
-A POSTROUTING -o eth0.1 -j zone_wan_nat
-A postrouting_rule -j nat_reflection_out
-A prerouting_rule -j nat_reflection_in
-A zone_lan_prerouting -j prerouting_lan
-A zone_wan_prerouting -j prerouting_wan
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*raw
:PREROUTING ACCEPT [31284:7738250]
:OUTPUT ACCEPT [16481:1283593]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack
-A PREROUTING -i eth0.1 -j zone_wan_notrack
-A zone_lan_notrack -j NOTRACK
-A zone_wan_notrack -j NOTRACK
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*mangle
:PREROUTING ACCEPT [203849:50582027]
:INPUT ACCEPT [70811:6000889]
:FORWARD ACCEPT [19175:9971307]
:OUTPUT ACCEPT [114003:11698513]
:POSTROUTING ACCEPT [130594:21488417]
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j input
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j forward
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j output
-A forward -i br-lan -j zone_lan_forward
-A forward -i eth0.1 -j zone_wan_forward
-A forwarding_rule -j nat_reflection_fwd
-A input -i br-lan -j zone_lan
-A input -i eth0.1 -j zone_wan
-A output -j zone_lan_ACCEPT
-A output -j zone_wan_ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan -j input_lan
-A zone_lan -j zone_lan_ACCEPT
-A zone_lan_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_DROP -o br-lan -j DROP
-A zone_lan_DROP -i br-lan -j DROP
-A zone_lan_REJECT -o br-lan -j reject
-A zone_lan_REJECT -i br-lan -j reject
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT
-A zone_lan_forward -j forwarding_lan
-A zone_lan_forward -j zone_lan_ACCEPT
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A zone_wan -j input_wan
-A zone_wan -j zone_wan_ACCEPT
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT
-A zone_wan_ACCEPT -i eth0.1 -j ACCEPT
-A zone_wan_DROP -o eth0.1 -j DROP
-A zone_wan_DROP -i eth0.1 -j DROP
-A zone_wan_REJECT -o eth0.1 -j reject
-A zone_wan_REJECT -i eth0.1 -j reject
-A zone_wan_forward -j forwarding_wan
-A zone_wan_forward -j zone_wan_ACCEPT
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
odrt
August 15, 2019, 2:44pm
23
The discussion point was to not recommend buying devices in 2019 with a single core SoC, fast ethernet, 802.11n wifi, 8 MB flash and 64 MB of RAM from the 2013 generation, when devices with a multi core SoC, gigabit ethernet, 802.11ac, 128 MB flash and 256 MB RAM are also available for about the same price.
If the older device is already in possession, the situation is different. As I still hope you will understand the difference: I still recommend NOT buying 2013 generation hardware in 2019 when you can get recent hardware with good OpenWrt support for about the same price.
1 Like
uci set firewall.@defaults[0].forward="REJECT"
uci commit firewall
/etc/init.d/firewall restart
maart
August 15, 2019, 4:50pm
25
I set forward="REJECT" in the defaults config, but I can still access the full 192.168.2.0/24? What goes wrong?
@all
I know that the device is very old, but I use it for my audio system without internet access.
Perhaps the firmware is too old, so some features don't work as expected.
Just add another finishing rule to reject all the remaining forward traffic.
maart
August 15, 2019, 7:21pm
27
Can you please define this rule for me?
If this does not work, I will use it for hammer testing.
maart
August 15, 2019, 7:59pm
28
OK, here is the last rule and now it works...

config 'rule' 'reject_all'
	option 'src' 'lan'
	option 'dest' 'wan'
	option '_name' 'reject_all'
	option 'target' 'DROP'
	option 'enabled' '1'
1 Like
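To see why the finishing rule was needed, here is an added model (not code from the thread or from OpenWrt) of how the posted iptables chain evaluates lan-to-wan forwards: the dest_ip ACCEPT rules are tried first, then the source zone's forward policy (zone_lan_forward ... -j zone_lan_ACCEPT) catches everything else, so only an explicit DROP rule at the end closes the subnet. The evaluation order and the sample hosts are assumptions for this old release; fw3/fw4 chains differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    name: str
    src: str
    dest: str
    target: str
    dest_ip: Optional[str] = None  # host or CIDR; None matches any address

def _ip_matches(ip: str, spec: Optional[str]) -> bool:
    if spec is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def forward_verdict(src_zone: str, dst_zone: str, dst_ip: str,
                    rules: List[Rule], zone_forward: Dict[str, str]) -> str:
    """First matching traffic rule wins; with no match, the source zone's
    forward policy applies (the zone_lan_ACCEPT tail of the posted chain)."""
    for r in rules:
        if r.src == src_zone and r.dest == dst_zone and _ip_matches(dst_ip, r.dest_ip):
            return r.target
    return zone_forward[src_zone]

# Rules as posted in the thread: two allowed hosts on the 192.168.2.0/24 side.
ALLOW_RULES = [
    Rule("test", "lan", "wan", "ACCEPT", "192.168.2.3"),
    Rule("test", "lan", "wan", "ACCEPT", "192.168.2.6"),
]
# The finishing rule from the last post, with no dest_ip so it matches all the rest.
REJECT_ALL = Rule("reject_all", "lan", "wan", "DROP")
# Zone forward policies from the posted /etc/config/firewall (both ACCEPT).
ZONE_FORWARD = {"lan": "ACCEPT", "wan": "ACCEPT"}

def verdict_before_fix(dst_ip: str) -> str:
    return forward_verdict("lan", "wan", dst_ip, ALLOW_RULES, ZONE_FORWARD)

def verdict_after_fix(dst_ip: str) -> str:
    return forward_verdict("lan", "wan", dst_ip, ALLOW_RULES + [REJECT_ALL], ZONE_FORWARD)

if __name__ == "__main__":
    # 192.168.2.2 is the "should be unreachable" host from the thread.
    for host in ("192.168.2.6", "192.168.2.2"):
        print(host, "before:", verdict_before_fix(host), "after:", verdict_after_fix(host))
```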
system
Closed
August 25, 2019, 7:59pm
29
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.