If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interpret that as saying that wan doesn't go anywhere, but that wouldn't make sense given that the router can send and receive over the internet.
For example, I would interpret the first rule as follows:
lan => wan: the conditions for which connections from the lan interface are forwarded to the wan interface.
Input: accept: the lan interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject).
Output: accept: all connections exiting the wan interface are accepted (again, I'm not sure what the point of this would be).
Forward: accept: forwarding of packets from lan to wan is allowed.
Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the lan interface?
I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.
Disclaimer: I am not a professional network engineer; this is just what I found out after researching some iptables terminology.
The lan => wan is perhaps a bit misleading.
lan is the zone, or which side of the router this firewall rule is in reference to.
wan is another zone, the arrow shows where packets of type Forward are ending up.
Input means packets originating from another device within this zone with the router as the destination.
Output is a packet from the router to another device in the zone.
Forward is a packet originating from one zone with a destination in another zone.
When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to an already opened connection.
Everything you've said here also aligns with my knowledge!
I can add some additional information.
The Masquerade option changes how the packet rule behaves when performing in a NAT situation. When Masquerade is off, the rule is configured statically with each interface's address when the rule is loaded. When Masquerade is on, the rule is evaluated dynamically every time against each interface's current address.
If you are routing packets through an interface, and the interface's address is dynamic (which is the case for most residential internet connections), you should have Masquerade ON to be able to route packets after the interface's address changes during normal operation.
That's not quite what masquerade does. Masquerade enables NAT, essentially.
Without masquerade, the router would send packets out like 192.168.0.109->8.8.8.8 and your ISP would be like "what is that IP I don't know how to route that". With masquerade on, the router remaps it to its own WAN IP so you have like 3.16.87.54->8.8.8.8, your ISP can handle that, and when the reply comes back, the router then switches it back to the correct internal IP.
Input means packets originating from another device within this zone with the router as the destination.
How does this work with the second rule? Wouldn't any connection from the internet be a connection originating from another device within the wan zone (internet) with the router as the destination? The rule has Input: reject, but I would think that it should then be Input: accept.
Input means the packet stops at the router, like when you access its web ui. I don't think you want to give the internet access to your router settings :)
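To tie the pieces of this thread together (the Input/Output/Forward meanings from the first answer, the "replies to already opened connections still pass" point, and the masquerade correction in the comments), here is a small Python model of a two-zone router. This is an added example written for this page, not code from the forum posters or from OpenWrt's firewall. The zone names, policies, `forward_to` set, and all addresses are constructed to mirror the rules discussed above; the conntrack and NAT behaviour is deliberately simplified (source ports are never remapped, and an explicit `forward_to` stands in for OpenWrt's separate forwarding sections).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example: the router's inside and outside addresses.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDR = {"lan": "192.168.1.1", "wan": "203.0.113.5"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Zone:
    name: str
    input: str        # traffic from this zone addressed TO the router (e.g. its web UI)
    output: str       # traffic the router itself sends INTO this zone
    forward: str      # traffic crossing from this zone to another zone
    masq: bool = False
    forward_to: frozenset = frozenset()   # the "=>" in "lan => wan" (assumed simplification)


# Assumed zone table, mirroring the two rules discussed in the thread.
ZONES = {
    "lan": Zone("lan", "ACCEPT", "ACCEPT", "ACCEPT", forward_to=frozenset({"wan"})),
    "wan": Zone("wan", "REJECT", "ACCEPT", "REJECT", masq=True),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_zone: Optional[str] = None   # None: generated by the router itself


def zone_of(ip: str) -> str:
    return "lan" if ipaddress.ip_address(ip) in LAN_NET else "wan"


def chain_for(pkt: Packet) -> str:
    """Which of INPUT / OUTPUT / FORWARD a packet hits, per the thread's definitions."""
    if pkt.in_zone is None:
        return "OUTPUT"
    if pkt.dst in ROUTER_ADDR.values():
        return "INPUT"
    return "FORWARD"


def isp_can_route(pkt: Packet) -> bool:
    """An upstream will not carry packets sourced from RFC 1918 space."""
    return not any(ipaddress.ip_address(pkt.src) in net for net in RFC1918)


class Router:
    def __init__(self, zones=ZONES):
        self.zones = zones
        self.expected = {}   # reply 4-tuple -> (original src, original sport)

    def handle(self, pkt: Packet):
        """Apply zone policy; return (verdict, packet as it leaves the router or None)."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.expected:
            # Reply to a tracked connection: passes even where the zone says REJECT,
            # and is rewritten back to the inside address if it was masqueraded.
            orig_src, orig_sport = self.expected[key]
            return "ACCEPT", Packet(pkt.src, orig_src, pkt.sport, orig_sport, pkt.in_zone)

        chain = chain_for(pkt)
        if chain == "OUTPUT":
            verdict = self.zones[zone_of(pkt.dst)].output
        elif chain == "INPUT":
            verdict = self.zones[pkt.in_zone].input
        else:
            src_zone, dst_zone = self.zones[pkt.in_zone], zone_of(pkt.dst)
            verdict = "ACCEPT" if dst_zone in src_zone.forward_to else src_zone.forward
        if verdict != "ACCEPT":
            return verdict, None

        out = pkt
        if chain == "FORWARD" and self.zones[zone_of(pkt.dst)].masq:
            # Masquerade: rewrite the source to the egress interface's current address.
            out = Packet(ROUTER_ADDR[zone_of(pkt.dst)], pkt.dst, pkt.sport, pkt.dport, pkt.in_zone)
        # Track the connection so the reply can come back in through a REJECT zone.
        self.expected[(out.dst, out.src, out.dport, out.sport)] = (pkt.src, pkt.sport)
        return "ACCEPT", out
```

Running a LAN host's DNS query through `Router().handle(...)` shows the source being rewritten to the WAN address and the reply from the resolver being accepted and de-NATed despite the wan zone's `input: REJECT` and `forward: REJECT`, while an unsolicited packet from the internet, whether aimed at the router or at a LAN host, is rejected. Flipping `masq` to `False` on the wan zone makes the forwarded packet leave with its private source address, which `isp_can_route` flags as the case the masquerade comment describes.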
For the most part, it has been answered (you can scroll through the comments to see if you want to add any other information to a reply of mine, or someone else), but I would still certainly appreciate other attempts at explanations.