Edgerouter firewall question



  • I bought an Edgerouter to play with at home and after setting up was seeing behavior in the firewall that I didn't expect and so I think I'm missing something fundamental about how the firewall rules work.

    The device is configured with the WAN port on eth0 and LAN on eth1. I set up what I thought were the basic firewall rules to get started:

    • WAN_IN : eth0 / in allow established/related; drop everything else

    • WAN_LOCAL : eth0 / local allow established/related; drop everything else

With that configuration, though, while looking at the stats tab I noticed that I was getting hits on WAN_LOCAL for the allow established/related rule, which I wasn't expecting to see. Each time a LAN device hit a webpage I would see the packet count for this rule increase. Why would a LAN device reaching for a web page cause the WAN_LOCAL ruleset to get hit? My understanding was that that traffic was simply pass-thru traffic from one interface to another and thus wouldn't be processed by the local ruleset.

    Is my understanding there correct? What would cause a LAN side client browsing the web to have this ruleset hit? Isn't the local ruleset only for handling incoming requests to services that reside on the router itself, not for traffic destined for the LAN interface?

    Thanks.



  • WAN_IN and WAN_LOCAL are just names. They can do anything. It's what the rules within them are that determine their behaviour.



  • @scottalanmiller said in Edgerouter firewall question:

    WAN_IN and WAN_LOCAL are just names. They can do anything. It's what the rules within them are that determine their behaviour.

    Ok I do understand that.

    I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

    Wouldn't all the traffic be between the LAN interface and the WAN interface? None of it would be destined for the router nor any of its services, would it? In which case no ruleset defined as local would ever be processed? I wasn't expecting to see that, but I concede my knowledge of networking is weak.

    Thanks.



  • @BraswellJay said in Edgerouter firewall question:

    I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

    Well, part of my point there is that we'd need to see the ruleset and see if it is designated as you are thinking. A prominent reason that it would do what you say is because it does something different than you think it does.



  • It's very possible that something is blocked and on response the router sees it as local bound rather than LAN bound traffic.



  • @scottalanmiller said in Edgerouter firewall question:

    @BraswellJay said in Edgerouter firewall question:

    I guess the core of my question is why would a ruleset that is assigned as direction local on the WAN interface get processed due to traffic from a LAN side client visiting a web page?

    Well, part of my point there is that we'd need to see the ruleset and see if it is designated as you are thinking. A prominent reason that it would do what you say is because it does something different than you think it does.

    I see. Sorry, should have realized to do that.

     firewall {
         all-ping enable
         broadcast-ping disable
         group {
         }
         ipv6-receive-redirects disable
         ipv6-src-route disable
         ip-src-route disable
         log-martians enable
         name WAN_IN {
             default-action drop
             description "WAN to internal"
             rule 10 {
                 action accept
                 description "Allow established/related"
                 state {
                     established enable
                     related enable
                 }
             }
             rule 20 {
                 action drop
                 description "Drop invalid state"
                 state {
                     invalid enable
                 }
             }
         }
         name WAN_LOCAL {
             default-action drop
             description "WAN to router"
             enable-default-log
             rule 1 {
                 action accept
                 description "Allow established related"
                 log disable
                 protocol all
                 state {
                     established enable
                     invalid disable
                     new disable
                     related enable
                 }
             }
             rule 2 {
                 action drop
                 description "Drop Invalid"
                 log disable
                 protocol all
                 state {
                     established disable
                     invalid enable
                     new disable
                     related disable
                 }
             }
         }
         name eth1_LOCAL {
             default-action accept
             description "eth1_LOCAL (for admin)"
         }
         receive-redirects disable
         send-redirects enable
         source-validation disable
         syn-cookies enable
     }
     interfaces {
         ethernet eth0 {
             address dhcp
             description Internet
             duplex auto
             firewall {
                 in {
                     name WAN_IN
                 }
                 local {
                     name WAN_LOCAL
                 }
             }
             speed auto
         }
         ethernet eth1 {
             address 192.168.12.254/24
             description Local
             duplex auto
             firewall {
                 local {
                     name eth1_LOCAL
                 }
             }
             speed auto
         }
         ethernet eth2 {
             address 192.168.13.254/24
             description "Local 2"
             duplex auto
             speed auto
         }
         ethernet eth3 {
             duplex auto
             speed auto
         }
         loopback lo {
         }
     }
     service {
         dhcp-server {
             disabled false
             hostfile-update disable
             shared-network-name LAN1 {
                 authoritative enable
                 subnet 192.168.12.0/24 {
                     default-router 192.168.12.254
                     dns-server 192.168.12.254
                     lease 86400
                     start 192.168.12.100 {
                         stop 192.168.12.199
                     }
                     static-mapping ACProAP {
                         ip-address 192.168.12.240
                         mac-address xx:xx:xx:xx:xx:xx
                     }
                     static-mapping EdgeSwitch8 {
                         ip-address 192.168.12.253
                         mac-address xx:xx:xx:xx:xx:xx
                     }
                 }
             }
             shared-network-name LAN2 {
                 authoritative disable
                 subnet 192.168.13.0/24 {
                     default-router 192.168.13.254
                     dns-server 192.168.13.254
                     lease 86400
                     start 192.168.13.100 {
                         stop 192.168.13.199
                     }
                 }
             }
             static-arp disable
             use-dnsmasq disable
         }
         dns {
             forwarding {
                 cache-size 150
                 listen-on eth1
                 listen-on eth2
             }
         }
         gui {
             http-port 80
             https-port 443
             older-ciphers enable
         }
         nat {
             rule 5010 {
                 description "masquerade for WAN"
                 outbound-interface eth0
                 type masquerade
             }
         }
    
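    In the config just posted, the router itself answers LAN DNS (dns forwarding listens on eth1/eth2 and DHCP hands out 192.168.12.254 as dns-server) and gets its eth0 address by DHCP, so the router originates traffic on eth0 and the replies are addressed to the router, not to a LAN host. The Python model below is an added example written for this thread (not EdgeOS code); it walks a packet through the Netfilter order EdgeOS uses, conntrack and NAT reversal first, then the routing decision that selects the interface's local (INPUT) or in (FORWARD) ruleset, to show which ruleset a reply to a masqueraded LAN flow hits versus a reply to the router's own query. The WAN address 203.0.113.7 and every flow and port are constructed values.

```python
# Added model (not EdgeOS code) of how EdgeOS, running on Linux Netfilter, picks an
# interface's "local" (INPUT) or "in" (FORWARD) ruleset for a packet arriving on eth0.
# Conntrack lookup and NAT reversal happen in PREROUTING, before the routing decision.
WAN_IP = "203.0.113.7"  # constructed: the real eth0 address is DHCP-assigned
ROUTER_IPS = {WAN_IP, "192.168.12.254", "192.168.13.254"}  # eth0, eth1, eth2 addresses

def flow_key(a, ap, b, bp, proto):
    """Direction-independent 5-tuple so a reply matches the flow that opened it."""
    return (proto, frozenset({(a, ap), (b, bp)}))

class EdgeOSModel:
    def __init__(self):
        self.flows = set()  # conntrack: flows already seen (=> 'established')
        self.masq = {}      # NAT rule 5010 state: translated flow -> original LAN (ip, port)

    def lan_client_sends(self, src, sport, dst, dport, proto="tcp"):
        """LAN host opens a flow; it is forwarded and masqueraded to WAN_IP on eth0."""
        key = flow_key(WAN_IP, sport, dst, dport, proto)  # model keeps the source port
        self.flows.add(key)
        self.masq[key] = (src, sport)

    def router_sends(self, sport, dst, dport, proto="udp"):
        """A router process (e.g. the DNS forwarder on eth1/eth2) opens a flow; no NAT."""
        self.flows.add(flow_key(WAN_IP, sport, dst, dport, proto))

    def wan_receives(self, src, sport, dst, dport, proto):
        """Packet arrives on eth0: returns (ruleset consulted, matching rule)."""
        key = flow_key(src, sport, dst, dport, proto)
        state = "established" if key in self.flows else "new"
        if key in self.masq:                # PREROUTING: undo masquerade for LAN-originated flows
            dst, dport = self.masq[key]
        # Routing decision: is the (de-NATed) destination the router itself?
        ruleset = "WAN_LOCAL" if dst in ROUTER_IPS else "WAN_IN"
        rule = "accept established/related" if state == "established" else "default-action drop"
        return ruleset, rule

def demo():
    """Three flows from the thread's scenario; returns which ruleset each reply hits."""
    r = EdgeOSModel()
    r.lan_client_sends("192.168.12.101", 51000, "198.51.100.20", 443)  # LAN PC browsing
    r.router_sends(40000, "192.0.2.53", 53)                            # router's DNS forwarder query
    return {
        "web reply to LAN PC": r.wan_receives("198.51.100.20", 443, WAN_IP, 51000, "tcp"),
        "DNS reply to router": r.wan_receives("192.0.2.53", 53, WAN_IP, 40000, "udp"),
        "unsolicited SSH to router": r.wan_receives("198.51.100.9", 2222, WAN_IP, 22, "tcp"),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} -> {hit[0]} : {hit[1]}")
```

    The web reply is de-NATed to the LAN client before routing and lands in WAN_IN, while the DNS reply stays addressed to the router and lands in WAN_LOCAL's established/related rule, which is the counter increment the original post describes.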


  • I've never paid that much attention to it.

    Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

    But I have no real idea.

    Change the rule to deny and see what happens. But do it from the CLI and only use commit not save in case you lock yourself the fuck out.



  • @JaredBusch said in Edgerouter firewall question:

    Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

    I thought that too, but looking at my own, I don't think that that can be true from what I've seen.



  • @scottalanmiller said in Edgerouter firewall question:

    @JaredBusch said in Edgerouter firewall question:

    Pulling an answer out of my ass, all packets inbound have to hit that rule before the router can determine if they are LOCAL or IN.

    I thought that too, but looking at my own, I don't think that that can be true from what I've seen.

    Well at a glance, it would seem you are correct. So, still, no idea.

    Mine:

    set firewall name WAN_LOCAL default-action drop
    set firewall name WAN_LOCAL description 'WAN to router'
    set firewall name WAN_LOCAL rule 10 action accept
    set firewall name WAN_LOCAL rule 10 state established enable
    set firewall name WAN_LOCAL rule 10 state related enable
    set firewall name WAN_LOCAL rule 20 action drop
    set firewall name WAN_LOCAL rule 20 log disable
    set firewall name WAN_LOCAL rule 20 state invalid enable
    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description 'Allow Pings to Router'
    set firewall name WAN_LOCAL rule 30 limit burst 1
    set firewall name WAN_LOCAL rule 30 limit rate 62/minute
    set firewall name WAN_LOCAL rule 30 log enable
    set firewall name WAN_LOCAL rule 30 protocol icmp
    


    set firewall name WAN_IN default-action drop
    set firewall name WAN_IN description 'WAN to internal'
    set firewall name WAN_IN rule 10 action accept
    set firewall name WAN_IN rule 10 description 'Allow established/related'
    set firewall name WAN_IN rule 10 state established enable
    set firewall name WAN_IN rule 10 state related enable
    set firewall name WAN_IN rule 20 action drop
    set firewall name WAN_IN rule 20 description 'Drop invalid state'
    set firewall name WAN_IN rule 20 state invalid enable
    set firewall name WAN_IN rule 23 action accept
    set firewall name WAN_IN rule 23 description ZoneMinder
    set firewall name WAN_IN rule 23 destination address 10.254.103.155
    set firewall name WAN_IN rule 23 destination group port-group Web_Server
    set firewall name WAN_IN rule 23 log disable
    set firewall name WAN_IN rule 23 protocol tcp
    set firewall name WAN_IN rule 23 state established enable
    set firewall name WAN_IN rule 23 state invalid disable
    set firewall name WAN_IN rule 23 state new enable
    set firewall name WAN_IN rule 23 state related enable
    




  • I'm not going to turn on logging to find out.