OpenWrt Forum Archive

Topic: HELP! Firewall configs on a WNDR3700v4 with separate subnet

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Greetings,

I'm a longtime DD-WRT user who recently decided to try OpenWRT because of better opkg compatibility. Two days ago I flashed BARRIER BREAKER 14.07, r42625 onto my Netgear WNDR3700v4 and since that time, have experienced a series of firewall and connectivity headaches. I'm clearly doing something wrong and need some expert advice.

Network Topology:
I operate offices at several project sites where my equipment is installed on a separate wired subnet. Unlike other users, this is not wishful thinking or a network misconfiguration, it is entirely by design and absolutely necessary. For years I have configured these installations on a number of different network devices without much difficulty, some OEM, others flashed with DD-WRT.

For simplicity, the basic procedure is described as follows: A router ("subnet router") is attached to the primary Gateway ("internet gateway") by connecting an ethernet cable between the LAN port of the "internet gateway" and WAN port of the "subnet router", creating a separate subnet. I have administrative rights and can reconfigure any necessary settings.

Most network devices, including DD-WRT firmware, provide a convenient option to disable the firewall, a configuration often called "Router Mode". This option has historically been used to provide subnet clients access to the Internet, groups of printers, other users, etc. I usually create routes on upstream devices such as the "internet gateway" which requires regular monitoring.

Of course an OpenWRT device can be configured to operate in "Router Mode" like any other router, however, simply disabling the firewall does not create the intended result. I spent a great deal of time searching the site, finding many comments that "it couldn't be done", a few interesting hints, but no definitive solutions. Last night I experienced perfect connectivity bliss for about 30 minutes before the firewall kicked in with a vengeance. I'm close to a solution and intend to share my results in a separate posting but only after the settings are scrutinized and the firewall is under control.

Symptoms have always included no Internet access and chronic generation of unusual MAC addresses. They regularly include firewall settings that don't stick, firewall option checkboxes in the GUI which briefly appear as LAN or WAN options, then quickly vanish, leaving the blank field "unspecified -or- create", and subsequent text values added to these fields which are never saved. In the CLI, the restart command /etc/init.d/firewall restart throws the error: "Parse error (option/list command found before the first section) at line 2, byte 1"; however, previously added configs have been removed and nothing I find matches the error.

There's also a known bug for this model regarding assignment of VLAN values but I'm unsure if this could be the problem.

Thanks in advance for any help.

UG

Here are the basic settings from /etc/firewall.user, /etc/config/firewall, and /etc/config/network.

firewall.user (what I would like to add but can't)
config rule
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option dest_ip '192.168.0.0/24'
    option proto 'all'
    option target 'ACCEPT'

FIREWALL (looks generic):

#config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT
    option family ipv4

# Allow IPv4 ping
config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name Allow-DHCPv6
    option src wan
    option proto udp
    option src_ip fe80::/10
    option src_port 547
    option dest_ip fe80::/10
    option dest_port 546
    option family ipv6
    option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Input
    option src wan
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    list icmp_type router-solicitation
    list icmp_type neighbour-solicitation
    list icmp_type router-advertisement
    list icmp_type neighbour-advertisement
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Forward
    option src wan
    option dest *
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

NETWORK:
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdb8:b9bc:32a6::/48'

config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option macaddr '04:a1:51:9e:72:fe'
    option ipaddr '192.168.0.1'

config interface 'wan'
    option ifname 'eth0.2'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.1.5'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
    option metric '1'
    option macaddr '04:a1:51:9e:72:ff'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1 2 3 4'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 5'

From your first configuration rule

config rule
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option dest_ip '192.168.0.0/24'
    option proto 'all'
    option target 'ACCEPT'

I understand that you want all source IP addresses originating from 192.168.1.0-254 on the WAN
to be able to communicate with destination IP addresses 192.168.0.0-254 on the LAN?

Is this right? Or could you tell me exactly what your rules are meant for.

You should probably check if your ISP router supports bridged mode.

(Last edited by HelloWorld on 29 Apr 2015, 04:04)

Thanks for the reply HelloWorld,

You are correct, connectivity on three different subnets.
* My network (the "LAN") is the downstream subnet 192.168.0.0/24, managed by the WNDR3700v4 with OpenWRT FW.
* Occasionally I need to access clients and configure the "internet gateway" 192.168.1.1 on the upstream subnet, 192.168.1.0/24
* Most importantly, I need WAN access for Internet, hosted by the "internet gateway" above.

This has nothing to do with Modem to Gateway bridging...it's a firewall issue. For the last 8 months my WNDR3700v4 with DD-WRT FW maintained flawless connectivity on all three subnets above. After flashing the WNDR3700v4 with OpenWRT I immediately experienced connectivity problems.

Currently, I can access devices on my LAN as well as those on the upstream subnet.
Unfortunately, OpenWRT's firewall is completely preventing access to the internet.

UPDATES:
I discovered white spaces were responsible for several of my unexplained firewall problems. After their removal, I was finally able to watch the firewall flush, rebuild, and post errors. The remaining errors were corrected and the commands removed from firewall.user.

Here is the updated code from /etc/config/firewall. Can anyone explain what's wrong with this?

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1
config zone
    option name        lan
    list   network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT

config zone
    option name        wan
    list   network        'wan'
    list   network        'wan6'
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

config forwarding
    option src        lan
    option dest        wan

config rule
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option dest_ip '192.168.0.0/24'
    option proto 'all'
    option target 'ACCEPT'

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fe80::/10
    option src_port        547
    option dest_ip        fe80::/10
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

Have you tried messing with the ipv4 netmask?
If you say that disabling the firewall doesn't help, it could be something other than that.

Network>Interfaces>LAN>IP4 Netmask>255.255.0.0, which would let it connect to other IPs rather than being limited to 192.168.1.x

Would be better if I could be there with you, haha.

Success!!!

I finally have Internet access with full connectivity on all networks. Apparently the Internet issue was caused by using the GUI and entering a DNS setting in the wrong place.

After a sequence of tests, I removed some unnecessary entries in the firewall configs and posted the amended copy below.

Since this was largely a guessing game, I feel greatly relieved but somewhat disenchanted by the outcome of an empty learning experience. This would be far more satisfying and educational for myself and other readers if the following questions could be definitively answered by members who are more knowledgeable than myself.

1. Generally speaking, when conventional routers offer "router mode" or "disable firewall" options, are they the same or different, and what would the resulting configs or iptables look like?

2. Are these the same as the "disable firewall" option found in the GUI interface?

3. I assume the "disable firewall" option is equivalent to the raw iptables command to accept all traffic: iptables -I FORWARD -j ACCEPT. Is this correct?

4. Would this configuration have achieved the same result as my firewall configs posted below?

5. For most private networks protected by a firewall enabled on the "internet gateway", what are the advantages or disadvantages of the "disable firewall" option vs. more refined firewall configs? Packet collisions, security, unnecessary traffic???

6. Any comments on my final configs? Could they be simplified, improved, or the option masq '1' removed?

7. Any suggestions on how to overcome the most obvious limitation, a poorly defined upstream gateway? In my experience, this could often be resolved by using additional GUI settings that would point to this device as, e.g., the DNS server, NTP server, adding static leases, NetBIOS names, MAC addresses, enabling dnsmasq, etc.

As a new user, I find the GUI layout very confusing. The absolute defaults which guarantee connectivity on most routers (generally found on the first page or Startup tab), are scattered throughout the GUI interface in various places with at least four locations for entering DNS addresses. Still unsure which one finally triggered a working internet connection.
Are there any guides which describe each GUI page and the available options?

Any answers would be greatly appreciated.

Final firewall configs: /etc/config/firewall

config defaults
    option input ACCEPT
    option output ACCEPT
    option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

config zone
    option name lan
    list network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'wan'
    list network 'wan6'
    option input ACCEPT
    option output ACCEPT
    option forward REJECT
    option masq 1

config forwarding
    option src lan
    option dest wan

config rule 'grant_ip_access_to_subnet'
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option dest_ip '192.168.0.0/24'
    option proto 'all'
    option target 'ACCEPT'

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
<<<<<<<<<<<< SNIP >>>>>>>>>>>>>>>>
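A small lint script, added here as an example and not part of the thread, of OpenWrt or of libuci/fw3, that reproduces the ordering check behind the error quoted in the first post ("option/list command found before the first section"), flags bytes outside printable ASCII (the kind of stray whitespace the poster found after copy/paste), and reports any rule that accepts every protocol from a whole source network on wan into lan, which the draft and the final config above both carry. The two sample files are constructed to mirror the shape of the first and final configs in this thread; they are not the poster's files. The function names, the finding labels and the sample contents are this example's own choices.

```shell
#!/bin/sh
# Example lint for UCI firewall files such as /etc/config/firewall.
# Not OpenWrt's parser: a stand-alone awk check that mirrors the ordering
# rule uci enforces and adds two findings a defender would want to see.

# lint_uci_firewall FILE  -> prints one finding per line, nothing when clean
lint_uci_firewall() {
    awk -v q="'" '
    function report(kind, msg) { print kind ": line " NR ": " msg }
    function end_section() {
        # A rule that accepts all protocols from a source network on wan
        # into lan is a broad hole; report it so the reader can narrow it.
        if (sec == "rule" && opt["src"] == "wan" && opt["dest"] == "lan" &&
            opt["proto"] == "all" && opt["target"] == "ACCEPT")
            print "broad-rule: section at line " secline " accepts all protocols from " \
                  (("src_ip" in opt) ? opt["src_ip"] : "any address") " on wan into lan"
        split("", opt)                  # portable way to clear the array
        sec = ""
    }
    {
        line = $0
        # Bytes outside printable ASCII (e.g. a non-breaking space) break uci
        # parsing in ways that are invisible in an editor; flag and skip them.
        if (line ~ "[^ -~\t]") { report("odd-whitespace", "non-ASCII byte in line"); next }
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next                 # blank or comment
        n = split(line, f, /[ \t]+/)
        if (f[1] == "config") {
            if (seen) end_section()
            seen = 1; sec = f[2]; secline = NR
        } else if (f[1] == "option" || f[1] == "list") {
            # This is the condition behind the error quoted in the thread.
            if (!seen) { report("parse-error", f[1] " command found before the first section"); next }
            val = (n >= 3) ? f[3] : ""
            gsub(q, "", val); gsub(/"/, "", val)            # strip quotes
            opt[f[2]] = val
        } else {
            report("parse-error", "unknown command \"" f[1] "\"")
        }
    }
    END { if (seen) end_section() }
    ' "$1"
}

# finding_count FILE -> number of findings (0 means the file lints clean)
finding_count() { lint_uci_firewall "$1" | awk 'END { print NR }'; }

# Constructed samples (not the poster's files). The first mirrors the draft
# config: the 'config defaults' header is commented out, so four option lines
# sit before any section, and one line carries a non-breaking space (C2 A0).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
UCI_BROKEN="$SAMPLE_DIR/firewall.broken"
UCI_FIXED="$SAMPLE_DIR/firewall.fixed"
printf '%s\n' \
  '#config defaults' \
  '    option syn_flood 1' \
  '    option input ACCEPT' \
  '    option output ACCEPT' \
  '    option forward REJECT' \
  'config zone' \
  '    option name wan' \
  '    list network wan' \
  "    option mtu_fix$(printf '\302\240')1" \
  'config rule' \
  "    option src 'wan'" \
  "    option src_ip '192.168.1.0/24'" \
  "    option dest 'lan'" \
  "    option proto 'all'" \
  "    option target 'ACCEPT'" > "$UCI_BROKEN"

# The second mirrors the final config: it parses cleanly, but the wan->lan
# accept-all rule is still reported as a risk finding.
printf '%s\n' \
  'config defaults' \
  '    option input ACCEPT' \
  '    option output ACCEPT' \
  '    option forward REJECT' \
  'config zone' \
  '    option name lan' \
  "    list network 'lan'" \
  '    option forward ACCEPT' \
  'config zone' \
  '    option name wan' \
  "    list network 'wan'" \
  '    option forward REJECT' \
  '    option masq 1' \
  'config forwarding' \
  '    option src lan' \
  '    option dest wan' \
  "config rule 'grant_ip_access_to_subnet'" \
  "    option src 'wan'" \
  "    option src_ip '192.168.1.0/24'" \
  "    option dest 'lan'" \
  "    option dest_ip '192.168.0.0/24'" \
  "    option proto 'all'" \
  "    option target 'ACCEPT'" > "$UCI_FIXED"

echo "== broken sample"; lint_uci_firewall "$UCI_BROKEN"
echo "== fixed sample";  lint_uci_firewall "$UCI_FIXED"
```

Run it on a real /etc/config/firewall with `lint_uci_firewall /etc/config/firewall` after sourcing the script. The broken sample yields four parse-error findings (the exact situation that produces uci's "before the first section" message), one odd-whitespace finding and one broad-rule finding; the fixed sample yields only the broad-rule finding, which is the reviewer's note on question 6: the rule admits the whole upstream subnet into the LAN on every protocol, and narrowing src_ip, proto or dest_port to what the upstream hosts actually need is the usual tightening.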

Anyone out there?

The discussion might have continued from here.