Zone ordering in Firewall

Does adding zone info in the firewall matter in OpenWrt 23.05? I need to enable SSH for the lan1 interface; for that, if I add the lan1 zone info right after the wan zone info, SSH is not enabled and does not work. If I place it above the wan zone info, SSH works as expected. If the ordering of zone info matters, what's the best way to add zone info for the lan1 interface? Please suggest.

lan1-zone info

config zone
        option name 'lan1'
        list network 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

/etc/config/firewall

root@mcphost:/home/mcpuser# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan1'
        list network 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'


config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


config rule
        option name 'Allow-SSH'
        option src 'lan1'
        option proto 'tcp'
        option dest_port '22'
        option family 'ipv4'
        option target 'ACCEPT'


Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

After providing the files - can you explain the actual issues you're experiencing?

Your statement isn't clear.

Matter how?

The vertical order of zones in the firewall config file doesn't matter; in fact, LuCI just adds them, mixed with everything else, from the bottom of the config file downward whenever you make a change.

The order in which they are loaded from the config file into the firewall is another matter, but as long as you only define rules and zones in the config file, the firewall will take care of it.

The problem begins if you start writing things in nftables language; then you can mess up everything.

1 Like

There isn’t any value to a zone compared to another zone. A wan zone or a lan zone is the same as a blubblubblah zone or whatever you want to call it.

A zone is only an isolated cell with three security access settings: input, output or forward.

I recall a recent thread about a user having SSH issues similar to this... I can't locate it.

How is this inquiry different?

This prompt is extremely odd. As already asked, please provide the output of:

ubus call system board

As long as you have zone input set to accept.

This rule is pointless since you already accept all traffic to the router input.

But be aware: if you set zone input to reject, all DHCP and DNS traffic also stops. So it is all or nothing.

But does the normal data flow on the lan1 interface work to begin with; do you get an IP address?
And what filtering do you have for the uhttpd listening interfaces?

1 Like
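The three points made above (zone position in the file is irrelevant because zones are referenced by name, an ACCEPT rule into a zone whose input policy is already ACCEPT is redundant, and with input set to REJECT only explicitly allowed ports reach the router) can be checked mechanically. The script below is an added example, not code from the thread or from OpenWrt: it parses a UCI-style firewall text with a small hand-written parser and applies a deliberately reduced model of fw4 input handling (first matching input rule wins, otherwise the zone policy, otherwise `config defaults`). The config fragments are constructed from the thread's `/etc/config/firewall` and assembled with the lan1 zone either above or below the wan zone; `dest_port` ranges and the real fw4 rule generator are out of scope.

```python
"""Added example, not from the thread: a checker over a UCI firewall config
showing (a) zone lookup is by name, so the position of a 'config zone' block
does not change the result, (b) an ACCEPT rule into a zone whose input policy
is already ACCEPT is redundant, and (c) with input set to REJECT only
explicitly allowed ports reach the router. Only the subset of fw4 semantics
discussed in the thread is modelled; fw4 itself is not used."""
from dataclasses import dataclass, field
import shlex


@dataclass
class Section:
    type: str
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


def parse_uci(text: str) -> list[Section]:
    """Minimal parser for 'config <type>', 'option k v' and 'list k v' lines."""
    sections: list[Section] = []
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append(Section(type=parts[1]))
        elif parts[0] == 'option' and sections:
            sections[-1].options[parts[1]] = parts[2]
        elif parts[0] == 'list' and sections:
            sections[-1].lists.setdefault(parts[1], []).append(parts[2])
    return sections


def input_allowed(sections, zone, proto, port, family='ipv4'):
    """Is traffic from `zone` to the router itself on proto/port accepted?
    A 'config rule' with src=zone and no dest is an input rule (first match
    wins); otherwise the zone's input policy decides, falling back to
    'config defaults'. Zones are looked up by name, never by position.
    Simplification: dest_port is a space-separated list, ranges are ignored."""
    defaults = next((s for s in sections if s.type == 'defaults'), Section('defaults'))
    zones = {s.options.get('name'): s for s in sections if s.type == 'zone'}
    if zone not in zones:
        return False, f'zone {zone!r} is not defined'
    for r in (s for s in sections if s.type == 'rule'):
        if r.options.get('src') != zone or 'dest' in r.options:
            continue
        if r.options.get('enabled', '1') == '0':
            continue
        if r.options.get('family', 'any') not in ('any', family):
            continue
        if proto not in r.options.get('proto', 'tcp udp').split():
            continue
        ports = r.options.get('dest_port', '').split()
        if ports and str(port) not in ports:
            continue
        target = r.options.get('target', 'DROP')
        return target == 'ACCEPT', f"rule {r.options.get('name', '?')!r} target {target}"
    policy = zones[zone].options.get('input', defaults.options.get('input', 'DROP'))
    return policy == 'ACCEPT', f'zone {zone!r} input policy {policy}'


def redundant_input_rules(sections):
    """Names of ACCEPT input rules whose source zone already accepts all input."""
    zones = {s.options.get('name'): s for s in sections if s.type == 'zone'}
    names = []
    for r in (s for s in sections if s.type == 'rule'):
        if 'dest' in r.options or r.options.get('target') != 'ACCEPT':
            continue
        zone = zones.get(r.options.get('src'))
        if zone is not None and zone.options.get('input') == 'ACCEPT':
            names.append(r.options.get('name', '?'))
    return names


# Constructed config fragments modelled on the thread's /etc/config/firewall.
DEFAULTS = "config defaults\n option input 'REJECT'\n option output 'ACCEPT'\n option forward 'REJECT'\n"
ZONE_LAN1 = ("config zone\n option name 'lan1'\n list network 'lan1'\n"
             " option input '{lan1_input}'\n option output 'ACCEPT'\n option forward 'ACCEPT'\n")
ZONE_WAN = ("config zone\n option name 'wan'\n list network 'wan'\n option input 'REJECT'\n"
            " option output 'ACCEPT'\n option forward 'REJECT'\n option masq '1'\n")
RULES = ("config rule\n option name 'Allow-DHCP-Renew'\n option src 'wan'\n option proto 'udp'\n"
         " option dest_port '68'\n option target 'ACCEPT'\n option family 'ipv4'\n"
         "config rule\n option name 'Allow-SSH'\n option src 'lan1'\n option proto 'tcp'\n"
         " option dest_port '22'\n option family 'ipv4'\n option target 'ACCEPT'\n")


def build_config(lan1_first: bool, lan1_input: str = 'ACCEPT') -> str:
    """Assemble the fragments with the lan1 zone above or below the wan zone."""
    lan1 = ZONE_LAN1.format(lan1_input=lan1_input)
    return DEFAULTS + (lan1 + ZONE_WAN if lan1_first else ZONE_WAN + lan1) + RULES


if __name__ == '__main__':
    for first in (True, False):
        cfg = parse_uci(build_config(first))
        print('lan1 above wan' if first else 'lan1 below wan',
              input_allowed(cfg, 'lan1', 'tcp', 22), redundant_input_rules(cfg))
    strict = parse_uci(build_config(False, 'REJECT'))
    for proto, port in (('tcp', 22), ('udp', 53), ('udp', 67)):
        print('lan1 input REJECT', proto, port, input_allowed(strict, 'lan1', proto, port))
```

Run stand-alone, the two orderings give identical answers for SSH from lan1 and both flag `Allow-SSH` as redundant while the zone's input is ACCEPT; with lan1 input switched to REJECT, port 22 is still reachable through the rule but DNS (udp/53) and DHCP (udp/67) from lan1 are not, which is the "all or nothing" trade-off the reply describes. On a real device the corresponding check is `fw4 print` or `nft list ruleset`, which shows the generated chains rather than this model.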