    Edgerouter firewall question

    IT Discussion
    ubiquiti edgerouter edgemax
      BraswellJay

      I bought an Edgerouter to play with at home and after setting up was seeing behavior in the firewall that I didn't expect and so I think I'm missing something fundamental about how the firewall rules work.

      The device is configured with the WAN port on eth0 and LAN on eth1. I set up what I thought were the basic firewall rules to get started:

      • WAN_IN : eth0 / in allow established/related; drop everything else

      • WAN_LOCAL : eth0 / local allow established/related; drop everything else

      With that configuration though, while looking at the stats tab I noticed that I was getting hits on WAN_LOCAL for the allow established/related rule, which I wasn't expecting to see. Each time a LAN device hit a webpage I would see the packet count for this rule increase. Why would a LAN device reaching for a web page cause the WAN_LOCAL ruleset to get hit? My understanding was that that traffic was simply pass-through traffic from one interface to another and thus wouldn't be processed by the local ruleset.

      Is my understanding there correct? What would cause a LAN side client browsing the web to have this ruleset hit? Isn't the local ruleset only for handling incoming requests to services that reside on the router itself, not for traffic destined for the LAN interface?

      Thanks.

        scottalanmiller

        WAN_IN and WAN_LOCAL are just names. They can do anything. It's what the rules within them are that determine their behaviour.

          BraswellJay @scottalanmiller

          @scottalanmiller said in Edgerouter firewall question:

          WAN_IN and WAN_LOCAL are just names. They can do anything. It's what the rules within them are that determine their behaviour.

          Ok I do understand that.

          I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

          Wouldn't all the traffic be between the LAN interface and the WAN interface? None of it would be destined for the router nor any of its services, would it? In which case no ruleset defined as local would ever be processed? I wasn't expecting to see that, but I concede my knowledge of networking is weak.

          Thanks.

            scottalanmiller @BraswellJay

            @BraswellJay said in Edgerouter firewall question:

            I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

            Well part of my point there is that we'd need to see the ruleset and see if it is designated as you are thinking. A prominent reason that it would do what you say is because it does something different than you think it does.

              scottalanmiller

              It's very possible that something is blocked and on response the router sees it as local bound rather than LAN bound traffic.

                BraswellJay @scottalanmiller

                @scottalanmiller said in Edgerouter firewall question:

                @BraswellJay said in Edgerouter firewall question:

                I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

                Well part of my point there is that we'd need to see the ruleset and see if it is designated as you are thinking. A prominent reason that it would do what you say is because it does something different than you think it does.

                I see. Sorry, should have realized to do that.

                 firewall {
                     all-ping enable
                     broadcast-ping disable
                     group {
                     }
                     ipv6-receive-redirects disable
                     ipv6-src-route disable
                     ip-src-route disable
                     log-martians enable
                     name WAN_IN {
                         default-action drop
                         description "WAN to internal"
                         rule 10 {
                             action accept
                             description "Allow established/related"
                             state {
                                 established enable
                                 related enable
                             }
                         }
                         rule 20 {
                             action drop
                             description "Drop invalid state"
                             state {
                                 invalid enable
                             }
                         }
                     }
                     name WAN_LOCAL {
                         default-action drop
                         description "WAN to router"
                         enable-default-log
                         rule 1 {
                             action accept
                             description "Allow established related"
                             log disable
                             protocol all
                             state {
                                 established enable
                                 invalid disable
                                 new disable
                                 related enable
                             }
                         }
                         rule 2 {
                             action drop
                             description "Drop Invalid"
                             log disable
                             protocol all
                             state {
                                 established disable
                                 invalid enable
                                 new disable
                                 related disable
                             }
                         }
                     }
                     name eth1_LOCAL {
                         default-action accept
                         description "eth1_LOCAL (for admin)"
                     }
                     receive-redirects disable
                     send-redirects enable
                     source-validation disable
                     syn-cookies enable
                 }
                 interfaces {
                     ethernet eth0 {
                         address dhcp
                         description Internet
                         duplex auto
                         firewall {
                             in {
                                 name WAN_IN
                             }
                             local {
                                 name WAN_LOCAL
                             }
                         }
                         speed auto
                     }
                     ethernet eth1 {
                         address 192.168.12.254/24
                         description Local
                         duplex auto
                         firewall {
                             local {
                                 name eth1_LOCAL
                             }
                         }
                         speed auto
                     }
                     ethernet eth2 {
                         address 192.168.13.254/24
                         description "Local 2"
                         duplex auto
                         speed auto
                     }
                     ethernet eth3 {
                         duplex auto
                         speed auto
                     }
                     loopback lo {
                     }
                 }
                 service {
                     dhcp-server {
                         disabled false
                         hostfile-update disable
                         shared-network-name LAN1 {
                             authoritative enable
                             subnet 192.168.12.0/24 {
                                 default-router 192.168.12.254
                                 dns-server 192.168.12.254
                                 lease 86400
                                 start 192.168.12.100 {
                                     stop 192.168.12.199
                                 }
                                 static-mapping ACProAP {
                                     ip-address 192.168.12.240
                                     mac-address xx:xx:xx:xx:xx:xx
                                 }
                                 static-mapping EdgeSwitch8 {
                                     ip-address 192.168.12.253
                                     mac-address xx:xx:xx:xx:xx:xx
                                 }
                             }
                         }
                         shared-network-name LAN2 {
                             authoritative disable
                             subnet 192.168.13.0/24 {
                                 default-router 192.168.13.254
                                 dns-server 192.168.13.254
                                 lease 86400
                                 start 192.168.13.100 {
                                     stop 192.168.13.199
                                 }
                             }
                         }
                         static-arp disable
                         use-dnsmasq disable
                     }
                     dns {
                         forwarding {
                             cache-size 150
                             listen-on eth1
                             listen-on eth2
                         }
                     }
                     gui {
                         http-port 80
                         https-port 443
                         older-ciphers enable
                     }
                     nat {
                         rule 5010 {
                             description "masquerade for WAN"
                             outbound-interface eth0
                             type masquerade
                         }
                     }
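
                 An added illustration, not from the thread and not Ubiquiti's code: a small Python model of how an EdgeOS interface picks between its "in" and "local" rulesets, assuming "local" means a packet addressed to one of the router's own IPs and "in" means a packet forwarded to another interface, with constructed WAN/client/upstream addresses. One mechanism consistent with the posted config is that the router is the LAN's dns-server and forwards queries upstream itself, so the reply to that query is addressed to the router and lands in WAN_LOCAL as established, whereas the HTTP reply for the LAN client is un-NATed by conntrack and goes through WAN_IN.

```python
from dataclasses import dataclass, field
ROUTER_WAN_IP = "203.0.113.7"      # constructed: eth0's DHCP address
ROUTER_LAN_IP = "192.168.12.254"   # eth1 address from the posted config
LAN_CLIENT = "192.168.12.150"      # constructed: a host in the LAN1 pool
# WAN_IN and WAN_LOCAL as posted both reduce to: accept established/related,
# drop invalid, default-action drop.
RULESET = ([("established", "accept"), ("related", "accept"), ("invalid", "drop")], "drop")

@dataclass
class Conntrack:
    """Toy conntrack table keyed by the original direction of each flow."""
    flows: dict = field(default_factory=dict)
    def add(self, proto, src, sport, dst, dport, nat_src=None):
        # nat_src is the masqueraded source (NAT rule 5010), or None if not NATed.
        self.flows[(proto, src, sport, dst, dport)] = nat_src
    def classify(self, proto, src, sport, dst, dport):
        """Return (state, original_src); a reply to a known flow is 'established'."""
        for (p, osrc, osp, odst, odp), nat_src in self.flows.items():
            if (proto, src, sport, dst, dport) == (p, odst, odp, nat_src or osrc, osp):
                return "established", osrc
        return "new", None

def evaluate(ruleset, state):
    rules, default_action = ruleset
    for match_state, action in rules:
        if match_state == state:
            return action
    return default_action

def ingress_eth0(ct, proto, src, sport, dst, dport):
    """Which ruleset a packet arriving on eth0 hits, and the verdict."""
    state, orig_src = ct.classify(proto, src, sport, dst, dport)
    if orig_src is not None:
        dst = orig_src  # conntrack reverses the masquerade before the routing decision
    if dst in (ROUTER_WAN_IP, ROUTER_LAN_IP):
        return "WAN_LOCAL", evaluate(RULESET, state)  # addressed to the router: 'local'
    return "WAN_IN", evaluate(RULESET, state)         # forwarded into the LAN: 'in'

def demo():
    ct = Conntrack()
    # 1. The LAN client's HTTP request leaves eth0 masqueraded as the router.
    ct.add("tcp", LAN_CLIENT, 51000, "198.51.100.10", 80, nat_src=ROUTER_WAN_IP)
    # 2. The router, being the LAN's dns-server, forwards the DNS query upstream itself.
    ct.add("udp", ROUTER_WAN_IP, 40000, "198.51.100.53", 53)
    return {
        "http_reply": ingress_eth0(ct, "tcp", "198.51.100.10", 80, ROUTER_WAN_IP, 51000),
        "dns_reply": ingress_eth0(ct, "udp", "198.51.100.53", 53, ROUTER_WAN_IP, 40000),
        "unsolicited": ingress_eth0(ct, "tcp", "192.0.2.99", 4444, ROUTER_WAN_IP, 22),
    }
```

The same pattern applies to any traffic the router originates itself (DHCP renewals on eth0, NTP), so an established hit on WAN_LOCAL is not by itself a sign of LAN traffic being misclassified.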
                
                  JaredBusch

                  I've never paid that much attention to it.

                  Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

                  But I have no real idea.

                  Change the rule to deny and see what happens. But do it from the CLI and only use commit not save in case you lock yourself the fuck out.

                    scottalanmiller @JaredBusch

                    @JaredBusch said in Edgerouter firewall question:

                    Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

                    I thought that too, but looking at my own, I don't think that that can be true from what I've seen.

                      JaredBusch @scottalanmiller

                      @scottalanmiller said in Edgerouter firewall question:

                      @JaredBusch said in Edgerouter firewall question:

                      Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

                      I thought that too, but looking at my own, I don't think that that can be true from what I've seen.

                      Well at a glance, it would seem you are correct. So, still, no idea.

                      Mine:

                      set firewall name WAN_LOCAL default-action drop
                      set firewall name WAN_LOCAL description 'WAN to router'
                      set firewall name WAN_LOCAL rule 10 action accept
                      set firewall name WAN_LOCAL rule 10 state established enable
                      set firewall name WAN_LOCAL rule 10 state related enable
                      set firewall name WAN_LOCAL rule 20 action drop
                      set firewall name WAN_LOCAL rule 20 log disable
                      set firewall name WAN_LOCAL rule 20 state invalid enable
                      set firewall name WAN_LOCAL rule 30 action accept
                      set firewall name WAN_LOCAL rule 30 description 'Allow Pings to Router'
                      set firewall name WAN_LOCAL rule 30 limit burst 1
                      set firewall name WAN_LOCAL rule 30 limit rate 62/minute
                      set firewall name WAN_LOCAL rule 30 log enable
                      set firewall name WAN_LOCAL rule 30 protocol icmp
                      


                      set firewall name WAN_IN default-action drop
                      set firewall name WAN_IN description 'WAN to internal'
                      set firewall name WAN_IN rule 10 action accept
                      set firewall name WAN_IN rule 10 description 'Allow established/related'
                      set firewall name WAN_IN rule 10 state established enable
                      set firewall name WAN_IN rule 10 state related enable
                      set firewall name WAN_IN rule 20 action drop
                      set firewall name WAN_IN rule 20 description 'Drop invalid state'
                      set firewall name WAN_IN rule 20 state invalid enable
                      set firewall name WAN_IN rule 23 action accept
                      set firewall name WAN_IN rule 23 description ZoneMinder
                      set firewall name WAN_IN rule 23 destination address 10.254.103.155
                      set firewall name WAN_IN rule 23 destination group port-group Web_Server
                      set firewall name WAN_IN rule 23 log disable
                      set firewall name WAN_IN rule 23 protocol tcp
                      set firewall name WAN_IN rule 23 state established enable
                      set firewall name WAN_IN rule 23 state invalid disable
                      set firewall name WAN_IN rule 23 state new enable
                      set firewall name WAN_IN rule 23 state related enable
                      


                        JaredBusch

                        I'm not going to turn on logging to find out.
