OpenWRT

Firewall Zone

General FWZ

Firewall Zones have three generic “quick” settings:

  • Input
  • Output
  • Forward

Within these settings the following is defined:

Input FWZ Rule

Permits all networks within the Source-Zone to reach all networks inside the Destination-Zone

Output FWZ Rule

Permits all networks within the Destination-Zone to reach all networks inside the Source-Zone

Forward FWZ Rule

Permits all networks within the Source-Zone to talk to all the other networks inside the same Source-Zone

Helpers for troubleshooting

nft

To trace rule evaluation in nft you can insert a rule like this, which marks packets from your subnet for tracing:

$ nft insert rule inet fw4 prerouting ip saddr <your subnet/cidr notation> meta nftrace set 1

and by running the command:

$ nft monitor trace

you will be able to follow those packets and see which rules and verdicts apply to them.

To remove the trace rule again, either restart the firewall with /etc/init.d/firewall restart or delete the rule by its handle: list the chain with nft -a list chain inet fw4 prerouting to find the handle of the "meta nftrace set 1" rule, then run nft delete rule inet fw4 prerouting handle <handle>.

For example:

$ nft insert rule inet fw4 prerouting ip saddr 10.10.0.0/24 meta nftrace set 1
$ nft monitor trace
trace id 8a61b435 inet fw4 prerouting packet: iif "lan1.2" ether saddr ab:ab:ab:ab:3f:3f ether daddr ab:ab:ab:ab:3f:cc ip saddr 10.10.0.2 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 31749 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 2 icmp sequence 1992
trace id 8a61b435 inet fw4 prerouting rule ip saddr 10.10.0.0/24 meta nftrace set 1 (verdict continue)
trace id 8a61b435 inet fw4 prerouting verdict continue
trace id 8a61b435 inet fw4 prerouting policy accept
trace id 8a61b435 inet fw4 mangle_forward packet: iif "lan1.2" oif "eth0" ether saddr ab:ab:ab:ab:3f:3f ether daddr ab:ab:ab:ab:3f:cc ip saddr 10.10.0.2 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 31749 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 2 icmp sequence 1992
trace id 8a61b435 inet fw4 mangle_forward verdict continue
trace id 8a61b435 inet fw4 mangle_forward policy accept
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward packet: iif "lan1.2" oif "eth0" ether saddr ab:ab:ab:ab:3f:3f ether daddr ab:ab:ab:ab:3f:cc ip saddr 10.10.0.2 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 31749 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 2 icmp sequence 1992
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward verdict continue
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward policy accept
trace id 8a61b435 inet fw4 forward packet: iif "lan1.2" oif "eth0" ether saddr ab:ab:ab:ab:3f:3f ether daddr ab:ab:ab:ab:3f:cc ip saddr 10.10.0.2 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 61 ip id 31749 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 2 icmp sequence 1992
trace id 8a61b435 inet fw4 forward rule jump upnp_forward comment "Hook into miniupnpd forwarding chain" (verdict jump upnp_forward)
trace id 8a61b435 inet fw4 upnp_forward verdict continue
trace id 8a61b435 inet fw4 forward verdict continue
trace id 8a61b435 inet fw4 forward policy drop
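Raw trace output like the above gets long quickly, and the important question is usually just "which chains did the packet pass and what finally happened to it". The following helper is an added example (not from the original page) that condenses nft monitor trace output into one line per trace id. The sample input is a constructed, shortened copy of the trace shown above plus a second, hypothetical trace id (1c2d3e4f) whose packet is accepted by a rule rather than by a chain policy; the chain names in that second trace are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): condense `nft monitor trace`
# output into one line per trace id, listing the chains the packet passed
# through and the verdict that ended processing. Pipe live output in:
#   nft monitor trace | summarize_trace
# or run this file with --demo to use the constructed sample below.

# Constructed sample, shortened from the trace shown above plus a second,
# hypothetical trace id (1c2d3e4f) that is accepted by a rule instead of a
# chain policy. Packet fields are trimmed; only chain and verdict words matter.
sample_trace() {
    cat <<'EOF'
trace id 8a61b435 inet fw4 prerouting packet: iif "lan1.2" ip saddr 10.10.0.2 ip daddr 8.8.8.8 ip protocol icmp
trace id 8a61b435 inet fw4 prerouting rule ip saddr 10.10.0.0/24 meta nftrace set 1 (verdict continue)
trace id 8a61b435 inet fw4 prerouting verdict continue
trace id 8a61b435 inet fw4 prerouting policy accept
trace id 8a61b435 inet fw4 mangle_forward packet: iif "lan1.2" oif "eth0" ip saddr 10.10.0.2 ip daddr 8.8.8.8
trace id 8a61b435 inet fw4 mangle_forward verdict continue
trace id 8a61b435 inet fw4 mangle_forward policy accept
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward packet: iif "lan1.2" oif "eth0" ip saddr 10.10.0.2
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward verdict continue
trace id 8a61b435 inet turris-sentinel dynfw_block_hook_forward policy accept
trace id 8a61b435 inet fw4 forward packet: iif "lan1.2" oif "eth0" ip saddr 10.10.0.2 ip daddr 8.8.8.8
trace id 8a61b435 inet fw4 forward rule jump upnp_forward comment "Hook into miniupnpd forwarding chain" (verdict jump upnp_forward)
trace id 8a61b435 inet fw4 upnp_forward verdict continue
trace id 8a61b435 inet fw4 forward verdict continue
trace id 8a61b435 inet fw4 forward policy drop
trace id 1c2d3e4f inet fw4 forward packet: iif "lan1.3" oif "eth0" ip saddr 10.10.3.5 ip daddr 1.1.1.1
trace id 1c2d3e4f inet fw4 forward rule iifname "lan1.3" jump forward_wan (verdict jump forward_wan)
trace id 1c2d3e4f inet fw4 forward_wan rule jump accept_to_wan (verdict jump accept_to_wan)
trace id 1c2d3e4f inet fw4 accept_to_wan rule oifname "eth0" counter accept (verdict accept)
EOF
}

# Read trace lines on stdin; print "<id> <table/chain> > ... => <final verdict>".
# Every line has the shape: trace id <id> <family> <table> <chain> <kind> ...
summarize_trace() {
    awk '
    $1 == "trace" && $2 == "id" {
        id = $3; chain = $5 "/" $6
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        # append the chain whenever the packet moves to a different chain
        if (last[id] != chain) {
            path[id] = (path[id] == "") ? chain : path[id] " > " chain
            last[id] = chain
        }
        # a base-chain policy line is a verdict; so is a rule with a terminal verdict
        if ($7 == "policy") {
            final[id] = "policy " $8
        } else if ($7 == "rule" && match($0, /\(verdict (accept|drop|reject)\)/)) {
            final[id] = "rule " substr($0, RSTART + 9, RLENGTH - 10)
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "%s %s => %s\n", id, path[id], final[id]
        }
    }'
}

if [ "${1:-}" = "--demo" ]; then
    sample_trace | summarize_trace
fi
```

The last policy line of a trace is the verdict that mattered: in the first trace the packet passes prerouting, mangle_forward and the turris-sentinel hook with "policy accept" and is then dropped by "policy drop" in fw4 forward, which is exactly the symptom described in the Issues section. A rule with a terminal verdict (accept, drop, reject) is reported as "rule <verdict>" instead; jump and continue verdicts are not terminal and are only reflected in the chain path.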

Issues

No routing into allowed interface

If your packets are not being forwarded into the interface you have allowed them into (e.g. via the zone configuration), check the following:

  • nft monitor trace (as shown in the nft section above) shows a forward policy drop before the packet reaches the target interface
  • uci show firewall | grep zone lists your interface name as network and your zone name as name; the input/output/forward options can be ignored in this case
  • uci show firewall | grep forwarding lists your zone name as src and your wan zone as dest

Also have a look at your nft forward chain. In there, you should find one line for your interface.

$ nft list chain inet fw4 forward
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "lan1.1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "lan1.3" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "......" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
    }
}
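The three checks above (interface listed in a zone, a forwarding from that zone to wan, and an iifname rule in the fw4 forward chain) can be scripted so they are quick to repeat after a firewall restart. The following is an added example and not part of the original page or of OpenWrt itself. It reads the output of uci show firewall and nft list chain inet fw4 forward from stdin, so it works offline on the constructed samples embedded below and live on the router by piping the real commands in; the zone names, networks and section indices in the samples are constructed, and the nft listing mirrors the one above with "lan1.2" deliberately missing.

```shell
#!/bin/sh
# Added example (not from the original page): automate the zone / forwarding /
# forward-chain checks against captured command output. Live use on the router:
#   uci show firewall | zone_of_network lan1.2
#   uci show firewall | has_forwarding lan wan && echo ok
#   nft list chain inet fw4 forward | forward_chain_target lan1.2

# Constructed sample of `uci show firewall` (shortened; names and indices are made up).
# Zone "lan" covers networks lan and guest; only lan -> wan forwarding exists.
sample_uci() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan' 'guest'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].name='iot'
firewall.@zone[2].network='iot'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
}

# Constructed sample of `nft list chain inet fw4 forward`, modelled on the
# listing above; note that there is no line for "lan1.2".
sample_nft_forward() {
    cat <<'EOF'
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "lan1.1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "lan1.3" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
    }
}
EOF
}

# Print the name of the zone whose network list contains <network>; prints
# nothing if no zone lists it. Values in uci show output are single-quoted,
# and list options appear as several quoted words on one line.
zone_of_network() {
    awk -v net="$1" -v q="'" -F= '
    { gsub(q, "", $2) }
    $1 ~ /^firewall\.@zone\[[0-9]+\]\.name$/ { zone_name[$1] = $2 }
    $1 ~ /^firewall\.@zone\[[0-9]+\]\.network$/ {
        n = split($2, nets, " ")
        for (i = 1; i <= n; i++)
            if (nets[i] == net) { key = $1; sub(/network$/, "name", key); found = key }
    }
    END { if (found != "") print zone_name[found] }'
}

# Exit 0 if a forwarding section with src=<zone> and dest=<zone> exists, else 1.
has_forwarding() {
    awk -v src="$1" -v dst="$2" -v q="'" -F= '
    { gsub(q, "", $2) }
    $1 ~ /^firewall\.@forwarding\[[0-9]+\]\.src$/  { k = $1; sub(/src$/, "", k); s[k] = $2 }
    $1 ~ /^firewall\.@forwarding\[[0-9]+\]\.dest$/ { k = $1; sub(/dest$/, "", k); d[k] = $2 }
    END { for (k in s) if (s[k] == src && d[k] == dst) ok = 1; exit (ok ? 0 : 1) }'
}

# Print the chain that the fw4 forward chain jumps to for iifname "<iface>";
# prints nothing if the interface has no rule, i.e. the symptom described above.
forward_chain_target() {
    awk -v ifc="\"$1\"" '$1 == "iifname" && $2 == ifc && $3 == "jump" { print $4; exit }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "zone of guest: $(sample_uci | zone_of_network guest)"
    sample_uci | has_forwarding lan wan && echo "lan -> wan forwarding: present"
    echo "forward chain for lan1.3: $(sample_nft_forward | forward_chain_target lan1.3)"
    echo "forward chain for lan1.2: $(sample_nft_forward | forward_chain_target lan1.2)"
fi
```

If zone_of_network prints nothing, the interface is not a member of any zone; if has_forwarding fails, the zone has no forwarding to wan; if forward_chain_target prints nothing although both uci checks pass, fw4 did not generate a rule for the interface, which is the race condition or interface problem discussed next.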

If not, the chances are high that either you have a race condition (the firewall started while the interface was not up yet) or your interface causes some unwanted behaviour.

In both scenarios, restart the firewall from your terminal like so:

$ /etc/init.d/firewall restart

Based on the output, continue your troubleshooting from there.