First, some more info: This is a Ubiquiti RouterStation with OpenWrt 15.05.1 built with Image Maker using the default packages plus the bind packages and nano. It is located at an ISP, itself behind a NAT firewall provided by a Zyxel router. BIND is configured without any zones, just to handle all the DNS traffic on a wireless network with approx. 125 customers.
The DNS functions work fine from the LAN side, with the DNS queries upstream going out and returning over the WAN side.
Second, from the WAN side, I ran nmap -v -sT -sU 192.168.1.21 (WAN IP). It showed ALL ports closed.
I tried adding config for BIND logging but got nowhere.
Here is the current /etc/config/firewall:
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Allow DNS Queries to BIND'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'
I didn't find any way to understand how to turn on firewall logging.
So, if the firewall is configured correctly, the only things I can think of are possibly a new system-wide feature to block all inbound WAN traffic that I don't know about, or the BIND server is not answering requests from the WAN, which I would find hard to understand as both the LAN and WAN IP address for BIND is 192.168.2.1.
This now leads me to ask the question: If the DHCP (Zyxel) assigned IP for the WAN is 192.168.1.21 and the static LAN IP for the router is 192.168.2.1, how does the open port rule listed above connect these two? Wouldn't the ACCEPT rule simply allow the traffic in but not remap it to the 192.168.2.1 IP address?
Thanks for the help,
Perazim
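The closing question asks how a `src 'wan'` ACCEPT rule for port 53 relates to the router's WAN and LAN addresses. As an added example that is not part of the original post, the script below parses the UCI text format shown above and lists the rules that admit WAN traffic to the router itself (rules with `src 'wan'` and no `dest`, which fw3 places in the INPUT chain; such a rule admits packets to whichever router address they arrive on and performs no address rewriting, which only a `config redirect` section does). The sample config is constructed and assumes the single-quoted UCI syntax used in the post.

```python
"""Audit an OpenWrt fw3 /etc/config/firewall for ACCEPT rules that admit WAN
traffic to the router itself: 'config rule' sections with src 'wan' and no
'dest' (INPUT rules). Added example; the sample config below is constructed."""
import re

# Constructed sample in UCI syntax: one WAN INPUT rule (reported) and one
# WAN->LAN FORWARD rule (has 'dest', so it must not be reported).
SAMPLE_CONFIG = """\
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Allow DNS Queries to BIND'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
"""

# UCI lines: "config <type> ['name']", "option <key> '<value>'", "list <key> '<value>'"
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Return a list of sections, each a dict with '_type' plus its options/lists."""
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank lines and anything this minimal parser does not handle
        kind, key, value = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            sections.append({"_type": key})
        elif kind == "option":
            sections[-1][key] = value
        else:
            sections[-1].setdefault(key, []).append(value)
    return sections

def wan_input_accepts(sections):
    """(name, proto, dest_port) for every ACCEPT rule from 'wan' that has no 'dest'."""
    hits = []
    for s in sections:
        if s.get("_type") != "rule" or s.get("src") != "wan" or "dest" in s:
            continue
        if s.get("target") == "ACCEPT":
            # fw3 defaults when unset: proto 'tcpudp', dest_port unrestricted
            hits.append((s.get("name", "<unnamed>"), s.get("proto", "tcpudp"), s.get("dest_port", "any")))
    return hits
```

Running `wan_input_accepts(parse_uci(open("/etc/config/firewall").read()))` on the router lists every port the WAN side may reach on the device itself, which is the set worth comparing against the nmap result.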