Hey guys, I tried 22.03 from rc1 to rc5, and a bug seems to persist.
It seems that custom zone forwarding does not work, in my case from lan->ovpn and vice versa
This config has worked since uci firewall was first implemented until now
I can ping the router from OpenVPN clients, but cannot reach the LAN behind it.
I can ping the clients from the router, but not from the LAN.
And again, like I said, this worked flawlessly
Considering doing a custom build with firewall3 to see if it works
Any ideas? Could it be related to the new netfilter based firewall?
/etc/config/network
# /etc/config/network as posted (indentation was lost in the paste; UCI does not depend on it)
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd49:b960:d70c::/48'
# LAN bridge spanning the four switch ports
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
# MAC address value redacted by the poster
option macaddr 'xxxxx'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
# peerdns '0': the ISP-supplied resolvers are ignored and the public resolvers listed below are used instead
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
# NOTE(review): '*' presumably means "send the system hostname in DHCP requests" -- confirm against the netifd docs
option hostname '*'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
# VPN tunnel interface: a placeholder (proto 'none') bound to OpenVPN's tun0 device so that the
# firewall can place the tunnel in a zone. The poster later reports (follow-up below) that
# removing auto '0' fixed the zone forwarding: with auto '0' the interface is not brought up
# at boot, so the zone had no device to bind to.
config interface 'ovpn'
option proto 'none'
option device 'tun0'
option force_link '1'
option auto '0'
/etc/config/firewall
# /etc/config/firewall as posted (indentation lost in the paste)
# Global policy: the router accepts and emits traffic freely; traffic BETWEEN zones is
# rejected unless a 'config forwarding' section or a rule with a 'dest' allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# software and hardware flow offloading both enabled
option flow_offloading '1'
option flow_offloading_hw '1'
# Trusted LAN zone; 'forward' here governs traffic between networks inside the same zone
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Untrusted WAN zone: inbound to the router is rejected except for the explicit rules below;
# outbound is NATed (masq) and TCP MSS is clamped (mtu_fix)
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# LAN clients may reach the internet
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec)
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# dest '*' = forwarded to any zone
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# NOTE(review): legacy script include inherited from the iptables-based firewall3. On 22.03
# (nftables-based firewall4) confirm the script is still executed at all and that its
# contents do not depend on iptables. The script itself is not shown in the thread.
config include
option path '/etc/firewall.user'
# NOTE(review): no 'dest', so this is an INPUT rule, and no 'proto', so the firewall's default
# protocol set applies (tcpudp in fw3/fw4): TCP and UDP port 80 on the router itself are
# reachable from the internet. Confirm that exposure is intended; at minimum pin 'proto' and,
# where possible, restrict 'src_ip'.
config rule
option name 'Allow HAP 80'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
# Port-forward: WAN port 1194 is DNATed to the LAN host 192.168.2.3 (no 'dest_port', so the
# port is presumably kept as 1194; no 'proto', so the default protocol set applies)
config redirect
option dest 'lan'
option target 'DNAT'
option name 'NASOVPN'
option src 'wan'
option src_dport '1194'
option dest_ip '192.168.2.3'
# Accept UDP 1195 from WAN on the router itself -- presumably the router's own OpenVPN server,
# which is what the OpenVPN clients in the thread connect to
config rule
option name 'OVPN 1195'
list proto 'udp'
option src 'wan'
option dest_port '1195'
option target 'ACCEPT'
# Zone for the OpenVPN clients (tun0 via the 'ovpn' interface). input 'ACCEPT' gives every VPN
# client access to every service on the router, i.e. the same trust level as the LAN; narrow
# it to the needed services if VPN clients are not fully trusted.
config zone
option name 'ovpn'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'ovpn'
option forward 'ACCEPT'
# The inter-zone forwardings the thread is about (lan <-> ovpn); these are what the poster
# reports as not working on 22.03
config forwarding
option src 'ovpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'ovpn'
Also created a github issue with this very same data
Check that the routes are in place before blaming the firewall. In particular, the OpenVPN server needs to push the route to its LAN to the client. If the client is itself on a LAN (e.g. hotel wifi), that local subnet must not overlap with the remote LAN's subnet. Hence the advice to put your LAN on an obscure subnet if you will be VPNing into it from hotels and the like.
Run `nft list chain inet fw4 forward` and look for a rule containing `iifname "tun0"`.
If you don't see one, change `list network 'ovpn'` to `list device 'tun0'`.
Ended up fixing it on my own: it seems the device needs to be brought up at boot, which I did not have,
so I removed `option auto '0'` from the ovpn interface.
Also, I re-ordered the firewall config so the zone and its forwardings are set up together in the zone section instead of at the end of the file,
so the firewall config now begins with:
# Head of the re-ordered /etc/config/firewall after the fix; only the part shown by the poster.
# The WAN input rules, the include, the redirect and the 'OVPN 1195' rule from the original
# file are not repeated here.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# inter-zone traffic rejected unless a 'config forwarding' section allows it
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# OpenVPN client zone, now declared next to the other zones. input 'ACCEPT' still grants VPN
# clients access to every service on the router (same trust as the LAN); restrict it to the
# needed services if the clients are not fully trusted.
config zone
option name 'ovpn'
list network 'ovpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# lan <-> ovpn forwardings, kept directly after the zone they belong to
config forwarding
option src 'lan'
option dest 'ovpn'
config forwarding
option src 'ovpn'
option dest 'lan'
Thanks @pavelgl. I'm new to nftables — I've been using iptables since the '90s and OpenWrt since White Russian — and personally it's going to take me some time to get used to it.
It seems the `iifname "tun0"` rule wasn't there, which made me think the device was not being detected for some reason.
It's no longer necessary to create a dummy network interface for a VPN tunnel, since you can refer directly to the tun0 device with a `list device` entry in the firewall zone definition.
Will try that later on, but in case the dummy device is not created at boot, will the firewall create it in order to set up the rules, or not?
Because the OpenVPN daemon starts, if I recall correctly, after the firewall, and hence creates the device later.