OpenWrt Forum Archive

Topic: firewall question

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am having DNS issues based on client and tool (cmd prompt or browser).  I would imagine it's my firewall settings and was looking at the guest wlan example and how they did their firewall.

So I have a knowledge gap on the input 'REJECT' setting.  I thought the router lan settings were supposed to be input ACCEPT.  How does this work?  And is this actually the preferred method?  (I realize this is for a guest lan, but a guest lan is also the same as one of several vlans, at least in my mind).  Most of my knowledge centers around the firewall being local and not on the router, so it throws me off.

So is it better to set input REJECT with a matching lan->wan forward? (along with a couple of holes for DNS and DHCP)


https://wiki.openwrt.org/doc/recipes/guest-wlan

If you look at 4a of the recipe, they have:

config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'   <---  CAN YOU DO THIS?  I thought this was bad?
    option forward 'REJECT'
    option output 'ACCEPT'

# Allow Guest -> Internet
config forwarding
    option src 'guest'
    option dest 'wan'

# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
    option name 'Allow DNS Queries'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
    option name 'Allow DHCP request'
    option src 'guest'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'
[..]

I have read or tried to read https://wiki.openwrt.org/inbox/doc/ipta … d_firewall but it wasn't verbose enough (at least to me).  :-)
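Added example (not code from this thread or the OpenWrt wiki) showing why the recipe's zone works: in fw3 a zone's input policy governs traffic from that zone to the router itself, so input REJECT is the tighter default and only breaks clients if the services they need from the router (DNS on port 53, DHCP on UDP 67/68) have no explicit rule; a rule with a src zone and no dest zone is exactly such a router-bound exception. The script parses UCI text and reports, per zone, its input policy, its outbound forwardings and whether those two exceptions exist. The firewall text it runs on is constructed: the 'guest' zone mirrors the recipe, the 'iot' zone is hypothetical and copies the REJECT policy without the rules.

```python
"""Audit an OpenWrt /etc/config/firewall for the locked-down zone pattern
(input REJECT plus explicit DNS and DHCP accept rules).

Added example; not code from the forum thread or the OpenWrt wiki.
SAMPLE_FIREWALL is constructed: 'guest' mirrors the guest-wlan recipe,
'iot' is a hypothetical zone that forgets the DNS/DHCP rules."""

import shlex

SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

# Allow DNS Guest -> Router
config rule
    option name 'Allow DNS Queries'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

# Allow DHCP Guest -> Router
config rule
    option name 'Allow DHCP request'
    option src 'guest'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'iot'
    option input 'REJECT'
    option forward 'REJECT'
"""


def parse_uci(text):
    """Parse UCI text into (section_type, {option: value}) tuples.
    Handles 'config <type> [name]' and 'option <key> <value>';
    '#' comments are dropped by shlex."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'config' and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == 'option' and sections and len(parts) >= 2:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ''
    return sections


def port_covers(spec, port):
    """True if a fw3 port spec ('53', '67-68', '53 853') includes port."""
    for item in spec.split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit_zones(text):
    """Per zone: input policy, outbound forwardings, and whether explicit
    rules let clients reach the router's DNS (53) and DHCP (67) services."""
    sections = parse_uci(text)
    forwardings = [s for kind, s in sections if kind == 'forwarding']
    rules = [s for kind, s in sections if kind == 'rule']
    report = {}
    for kind, zone in sections:
        if kind != 'zone' or 'name' not in zone:
            continue
        name = zone['name']
        # src zone set, no dest zone: the rule targets the router itself,
        # i.e. the traffic the zone's input policy would otherwise reject.
        to_router = [r for r in rules if r.get('src') == name
                     and 'dest' not in r and r.get('target') == 'ACCEPT']
        udp_rules = [r for r in to_router
                     if 'udp' in r.get('proto', 'tcp udp') or r.get('proto') == 'all']
        info = {
            'input': zone.get('input', 'DROP'),  # DROP is fw3's documented unset default
            'forward_to': sorted(f['dest'] for f in forwardings
                                 if f.get('src') == name and 'dest' in f),
            'dns': any(port_covers(r.get('dest_port', ''), 53) for r in to_router),
            'dhcp': any(port_covers(r.get('dest_port', ''), 67) for r in udp_rules),
            'findings': [],
        }
        if info['input'] != 'ACCEPT':
            if not info['dns']:
                info['findings'].append('no DNS rule: clients cannot query the router resolver')
            if not info['dhcp']:
                info['findings'].append('no DHCP rule: clients cannot obtain a lease from the router')
        report[name] = info
    return report


if __name__ == '__main__':
    for name, info in audit_zones(SAMPLE_FIREWALL).items():
        print(f"zone {name}: input={info['input']} forward_to={info['forward_to']} "
              f"dns={info['dns']} dhcp={info['dhcp']}")
        for finding in info['findings']:
            print(f"  - {finding}")
```

Run it against `cat /etc/config/firewall` output from a real router to see which zones rely on the permissive input ACCEPT (as the poster's lan and lan_ttg zones do) and which follow the recipe's explicit-exception pattern; the poster's zones would show no findings only because their input policy is ACCEPT, which is the broader exposure the recipe avoids.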

I forgot to state the actual symptoms:

I can use my browser (typically but not always) but I can't ping from the cmd line, usually.

Example:

Windows 10 machine:

ping www.yahoo.com. <- fails
in browser: www.yahoo.com <- works

At the same time:  ssh to router

ping www.yahoo.com <- fails with "ping: bad address 'www.yahoo.com'"

Then back on windows 10 browser, I go to www.yahoo.com and it works.

Windows 10 cmd: ping www.yahoo.com starts working
SSH on router: ping www.yahoo.com starts working

I do not have any specific ports open in firewall.

I have the following:

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'lan_ttg'
        option network 'lan_ttg'

config forwarding
        option dest 'lan'
        option src 'lan_ttg'

config forwarding
        option dest 'wan'
        option src 'lan_ttg'

cat /etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option sequential_ip '1'
        option filterwin2k '1'
        option leasefile '/root/dhcp.leases'
        option domainneeded '1'
        option logqueries '1'
        option localservice '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan_ttg'
        option start '100'
        option leasetime '12h'
        option interface 'lan_ttg'
        option limit '5'

config host
        option name 'HP_Printer'
        option ip '192.168.1.150'
        option mac '3C:52:82:2A:EE:CF'

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd73:b86e:9176::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '00:00:00:00:00:00'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'E8:FC:AF:FC:4F:AE'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 5t'

config interface 'lan_ttg'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.100.1'
        option ifname 'eth0.100'
        option type 'bridge'

config switch_vlan
        option device 'switch0'
        option ports '0t 5t'
        option vlan '100'

ping www.yahoo.com. <- fails
in browser: www.yahoo.com <- works

It is very strange.

1) What is the DNS of your router? (See /tmp/resolv.conf.auto)
2) What is the DNS of your Windows 10 PC? (See output of ipconfig /all)

(Last edited by ulmwind on 24 Nov 2017, 16:19)

The discussion might have continued from here.