Zone Forwarding not Working

Hey guys, I tried every 22.03 build from rc1 through rc5, and the same bug persists in all of them.
It seems that custom zone forwarding does not work — in my case from lan->ovpn and vice versa.
This config has worked since uci firewall was first implemented until now
I can ping the router from the OpenVPN clients, but cannot reach anything on the LAN.
I can ping the clients from the router, but not from hosts on the LAN.
And again, like I said, this worked flawlessly

Considering doing a custom build with firewall3 to see if it works

Any ideas? Could it be related to the new nftables-based firewall (fw4) that replaced firewall3/iptables in 22.03?

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:b960:d70c::/48'

# LAN bridge over the four switch ports; the 'lan' interface below sits on it.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# 192.168.2.0/24 is the subnet the OpenVPN server pushes to its clients.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# MAC address redacted by the poster.
config device
        option name 'wan'
        option macaddr 'xxxxx'

# Upstream DNS from the DHCP lease is ignored (peerdns 0) in favour of the
# listed public resolvers.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option hostname '*'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

# Placeholder interface for the OpenVPN tunnel device (tun0) so the firewall
# zone 'ovpn' can reference it by network name.
# NOTE(review): "auto '0'" keeps netifd from bringing this interface up at
# boot; while it is down fw4 has no device to resolve the 'ovpn' zone to, so
# no forwarding rules for tun0 are generated. Drop the 'auto' line (as the
# poster ends up doing further down), or bind the zone with
# "list device 'tun0'" instead of going through this interface.
config interface 'ovpn'
        option proto 'none'
        option device 'tun0'
        option force_link '1'
        option auto '0'

/etc/config/firewall

# Global policy: traffic to the router itself is accepted unless a zone says
# otherwise, traffic from the router is accepted, and traffic between zones
# is rejected unless an explicit 'forwarding' section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
# Software and hardware flow offloading are both enabled.
        option flow_offloading '1'
        option flow_offloading_hw '1'

# LAN zone: fully open towards the router and between hosts in the zone.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone (IPv4 + IPv6): nothing reaches the router unless a rule below
# allows it; outbound traffic is NATed (masq) and TCP MSS is clamped.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# LAN hosts may reach the internet; there is deliberately no wan->lan forwarding.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to 'Allow-ISAKMP' look like the stock OpenWrt
# defaults (DHCP/DHCPv6 renewal, ping, IGMP/MLD, ICMPv6 housekeeping, IPsec
# pass-through into the LAN).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): with fw4 (22.03) a plain script include like this is no
# longer executed unless it is marked "option fw4_compatible '1'" (and the
# script must then work on top of nftables rather than calling iptables).
# Anything that used to live in /etc/firewall.user is silently missing after
# the upgrade - check the fw4 log and 'fw4 print' output.
config include
        option path '/etc/firewall.user'

# NOTE(review): this opens port 80 on the router itself (no 'dest', so it is
# an input rule) to the whole internet, on both tcp and udp since no 'proto'
# is given. If it is meant to expose the LuCI/uhttpd web UI, that is plain
# HTTP with the admin login reachable from WAN; restrict it with a 'src_ip',
# or reach the UI over the VPN instead and remove the rule.
config rule
        option name 'Allow HAP 80'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

# Port-forward 1194 from WAN to a LAN host (the name suggests a second
# OpenVPN instance on the NAS). No 'proto' means both tcp and udp are
# forwarded; narrow it to 'udp' (or 'tcp') to match what the NAS serves.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NASOVPN'
        option src 'wan'
        option src_dport '1194'
        option dest_ip '192.168.2.3'

# Accept udp/1195 on the router for the OpenVPN server defined in
# /etc/config/openvpn ("option port '1195'").
config rule
        option name 'OVPN 1195'
        list proto 'udp'
        option src 'wan'
        option dest_port '1195'
        option target 'ACCEPT'

# Zone for the VPN tunnel, bound via the 'ovpn' network (tun0). With input
# ACCEPT every VPN client can reach all router services (ssh, web UI, DNS);
# together with the two forwardings below this gives VPN clients the same
# reach as a LAN host. If the 'ovpn' interface is not up when fw4 runs, no
# device resolves for this zone and the forwardings produce no rules.
config zone
        option name 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'ovpn'
        option forward 'ACCEPT'

config forwarding
        option src 'ovpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'ovpn'

Also created a github issue with this very same data

Check that the routes are in place before blaming the firewall. In particular the OpenVPN server needs to push the route to its LAN to the clients, and if a client sits on a LAN of its own (e.g. hotel wifi) that LAN must not overlap the remote LAN's subnet. Hence the advice to put your LAN on an uncommon subnet if you will be VPNing into it from hotels and the like.


Routes are in place, routes are pushed !
10.8.0.0/24 via 10.8.0.9 dev tun0
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10

# OpenVPN server on port 1195 (matched by the 'OVPN 1195' firewall rule);
# clients are handed 10.8.0.0/24 and a route to the 192.168.2.0/24 LAN.
config openvpn 'home_server'
        option dev 'tun'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
# Drops root after startup. NOTE(review): no 'group' is set; add
# "option group 'nogroup'" so the group side is dropped as well.
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'
        option ca '/etc/openvpn/pki/ca.crt'
        option dh '/etc/openvpn/pki/dh.pem'
        option cert '/etc/openvpn/pki/issued/server.crt'
        option key '/etc/openvpn/pki/private/server.key'
        option port '1195'
        option enabled '1'
# NOTE(review): link compression is discouraged for OpenVPN (VORACLE-style
# attacks on compressed TLS traffic; OpenVPN 2.5 deprecates comp_lzo).
# Prefer dropping it, which also avoids the need for matching client settings.
        option comp_lzo 'yes'
# VPN clients can talk to each other directly inside the tunnel.
        option client_to_client '1'
# Tunnel subnet, and the LAN route pushed to clients (must not overlap the
# client's own local network, as noted in the thread).
        option server '10.8.0.0 255.255.255.0'
        list push 'route 192.168.2.0 255.255.255.0'
# Remembers per-client tunnel addresses across restarts.
        option ifconfig_pool_persist '/etc/openvpn/ipp.txt 600'
# NOTE(review): no tls-auth/tls-crypt key is shown here; if the live config
# has none either, adding 'tls_crypt' is the cheapest hardening against
# unauthenticated probes of udp/1195 from the internet.

There are NO overlapping subnets between the client side and the remote LAN.

Everything worked fine on every version up to 22.03; it is a 22.03-specific issue!

Run `nft list chain inet fw4 forward` and look for a rule matching `iifname "tun0"`.
If there is none, fw4 could not resolve a device for the zone; change `list network 'ovpn'` to `list device 'tun0'` so the zone is bound to the tunnel device directly.

Why don't you just attach tun0 to the lan zone? Given that your ovpn zone already has input/forward ACCEPT plus forwardings in both directions, VPN clients effectively get LAN-host privileges either way.


Ended up fixing it on my own: the ovpn interface has to be brought up at boot, which mine wasn't, so fw4 had no device to resolve the 'ovpn' zone to and generated no forwarding rules for it.

so I removed `option auto '0'` from the ovpn interface (with it set, netifd never brings the interface up on its own).

I also re-ordered the firewall config so the ovpn zone and its forwardings sit together with the other zones instead of at the end of the file. This should be a readability change only — zone and forwarding sections are not order-sensitive in fw4 as far as I can tell — the `auto '0'` removal is what actually fixed it.

so the firewall now begins with:

# Global policy: traffic to the router is accepted unless a zone overrides
# it, traffic from the router is accepted, inter-zone traffic is rejected
# unless a 'forwarding' section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# VPN zone, still bound through the 'ovpn' network; this only yields rules
# once that interface is up (the original "auto '0'" kept it down at boot).
# NOTE(review): input ACCEPT plus the two forwardings below give VPN clients
# the same reach as a LAN host, including all router services.
config zone
        option name 'ovpn'
        list network 'ovpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'ovpn'

config forwarding
        option src 'ovpn'
        option dest 'lan'

Thanks @pavelgl, I'm new to nftables — I've been using iptables since the 90's and OpenWrt since White Russian — and it's going to take me some time to get used to it :wink:
The `iifname "tun0"` rule was indeed missing, which made me think the device was not being detected for some reason.


It's no longer necessary to create a dummy network interface for a VPN tunnel: fw4 can refer directly to the tun0 device with `list device 'tun0'` in the firewall zone definition.


Will try that later, but if the dummy interface is not created at boot, will the firewall still generate the rules for it?
Because, if I recall correctly, the openvpn daemon starts after the firewall and therefore only creates tun0 later.
