OpenWRT – Network configuration

Firewall, port forwarding, and so on: what has to be configured, and how, to make our services reachable?

This article describes, using an example setup, how to make the necessary adjustments to the firewall.



Interfaces Configuration

OpenWRT universally distinguishes between two types of software network interfaces:

  • Physical devices
  • Virtual Network Interfaces (see ➡ Switches)

Links:

https://openwrt.org/docs/guide-developer/networking/network.interfaces

The OpenWRT setup uses the interfaces as shown in the screenshot.

Screenshot: OpenWRT – Network configuration

WAN Interface

The WAN interface is the connection between the OpenWRT device (= AVM FRITZ!Box 4040) and the network router (= AVM FRITZ!Box 7490).

The IP address of the OpenWRT device is configured in the router’s network settings to 192.168.xxx.xxx.

General Settings

Screenshot: OpenWRT – Network configuration

The option Masquerading must be checked; otherwise the WireGuard interface is not able to use the network's DNS server.

The DNS server is redirected to the local DNS server 127.0.0.1.

The DNS configuration is explained in detail in the article

OpenWRT – Stubby & DNSMASQ

Advanced Settings

Screenshot: OpenWRT – Network configuration

Firewall Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – General Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – Advanced Settings

Screenshot: OpenWRT – Network configuration

IPv6 is not in use in the network.

DHCP Server – IPv6 Settings

Screenshot: OpenWRT – Network configuration

LAN Interface

Screenshot: OpenWRT – Network configuration

The IP address of the OpenWRT device is set to a static address, which is configured in Interfaces - LAN - General Settings.

IP address: 192.168.200.1

The IP range is 192.168.200.1 - 192.168.200.255

The network interface lan is a bridge from one network segment to the other.

The IPv4 gateway is the IP address of the router (please refer to ➡ AVM Router Configuration).

General Settings

Screenshot: OpenWRT – Network configuration

Advanced Settings

Screenshot: OpenWRT – Network configuration

Firewall Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – General Setup

Screenshot: OpenWRT – Network configuration

DHCP Server – Advanced Setup

Screenshot: OpenWRT – Network configuration

DHCP Server – IPv6 Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – IPv6 RA Settings

Screenshot: OpenWRT – Network configuration


DMZ Interface

A DMZ is only recommended when a server is to be accessible from the internet.

In this example a Nextcloud server is placed in the DMZ and made accessible from the internet.

The DMZ uses the VLAN configuration. The Device must be set to the respective VLAN.

Switches

General Settings

Screenshot: OpenWRT – Network configuration

The Device should be the VLAN.

Advanced Settings

Screenshot: OpenWRT – Network configuration

Firewall Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – General Settings

Screenshot: OpenWRT – Network configuration

DHCP Server – Advanced Settings

Screenshot: OpenWRT – Network configuration

IPv6 Settings

Screenshot: OpenWRT – Network configuration

Wireguard Interface

Please refer to the detailed WireGuard descriptions:


Wireless

The two wireless interfaces are deactivated.

Screenshot: OpenWRT – Network configuration

Switches

Standard switch configuration of OpenWRT after a fresh OpenWRT installation.

Screenshot: OpenWRT – Network configuration

A new VLAN is created to make all devices plugged into LAN 3 of the AVM FRITZ!Box 4040 accessible from the internet, in this example a Nextcloud server.

DMZ Interface

It is important that the CPU port (= WAN port of the AVM FRITZ!Box 4040) is set to tagged. The port to which the device is connected (eth3 in this example) is set to untagged.

Menu: Network -> Switch

Screenshot: OpenWRT – Network configuration

  • CPU needs to be set to tagged
  • LAN connection needs to be set to untagged. This is the ethernet port where the device / network is plugged in.

!!! The purpose of a tagged port is to pass traffic for multiple VLANs, whereas an untagged port accepts traffic for only a single VLAN. Generally speaking, tagged ports will link switches, and untagged ports will link to end devices.


https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
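As an added example (not the article's own configuration export), the DMZ VLAN and the dmz interface from the Switches and DMZ Interface sections written as /etc/config/network stanzas. The switch port numbers (0 = CPU port, 3 = LAN 3), the VLAN id 3 and the subnet 192.168.30.0/24 are assumptions for illustration.

```uci
# Constructed /etc/config/network fragment (OpenWrt 21.02 syntax, swconfig switch).
# Assumed: switch port 0 is the CPU port, port 3 is LAN 3, VLAN id 3,
# dmz subnet 192.168.30.0/24. Adjust to your device's port map.

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# DMZ VLAN: CPU port tagged ('0t', it carries several VLANs),
# LAN 3 untagged ('3', the device-facing port, one VLAN only).
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 3'

# The dmz interface uses the tagged sub-interface of the CPU port, so DMZ
# traffic never shares a broadcast domain with the lan bridge.
config interface 'dmz'
	option device 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
```

On releases before 21.02 the interface stanza uses `option ifname 'eth0.3'` instead of `option device`.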


Routing

Static IPv4 Routes

Screenshot: OpenWRT – Network configuration

Static IPv6 Routes

Screenshot: OpenWRT – Network configuration

Static IPv4 Rules

Screenshot: OpenWRT – Network configuration

Static IPv6 Rules

Screenshot: OpenWRT – Network configuration

DHCP and DNS

The DNS settings are configured for Stubby and DNSMASQ ➡ OpenWRT – Stubby & DNSMASQ

If you don't have Stubby and DNSMASQ installed on your OpenWRT device, keep the default settings.

General Settings

Screenshot: OpenWRT – DHCP and DNS

Resolv and Host Files

Screenshot: OpenWRT – DHCP and DNS

PXE/TFTP Settings

Screenshot: OpenWRT – DHCP and DNS

Advanced Settings

Screenshot: OpenWRT – DHCP and DNS

Static Leases

Screenshot: OpenWRT – DHCP and DNS

Hostnames

Screenshot: OpenWRT – DHCP and DNS

IP Sets

Screenshot: OpenWRT – DHCP and DNS


Firewall – General Settings

The OpenWRT setup uses the Firewall Zones as shown in the screenshot.

Screenshot: OpenWRT – Firewall Configuration

Firewall – Zone wan

!!! When input is set to reject it is not possible to access OpenWRT from wan !!!

General Settings

Screenshot: OpenWRT – Firewall Configuration

Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Conntrack Settings

Screenshot: OpenWRT – Firewall Configuration


Firewall – Zone lan

General Settings

Screenshot: OpenWRT – Firewall Configuration

Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Conntrack Settings

Screenshot: OpenWRT – Firewall Configuration

Firewall – Zone dmz

General Settings

Screenshot: OpenWRT – Firewall Configuration

Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Conntrack Settings

Screenshot: OpenWRT – Firewall Configuration

Firewall – Zone wg

Interface for the WireGuard VPN.

General Settings

Screenshot: OpenWRT – Firewall Configuration

Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Conntrack Settings

Screenshot: OpenWRT – Firewall Configuration

Firewall – Port Forwards

Port forwards are necessary so that the device in the DMZ is accessible from WAN via defined ports. (The device is then accessible from the internet.) Please make sure that the respective ports are also opened on the router (= AVM FRITZ!Box 7490): ➡ Portfreigaben

Port Forwards

Screenshot: OpenWRT – Firewall Configuration

Firewall – Port Forwards nextcloud-80

This rule is only required for the renewal of the Let's Encrypt certificate.

Port Forwards 80 – General Settings

Screenshot: OpenWRT – Firewall Configuration

Port Forwards 80 – Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Firewall – Port Forwards nextcloud-443

This rule is only required for the renewal of the Let's Encrypt certificate.

Port Forwards 443 – General Settings

Screenshot: OpenWRT – Firewall Configuration

Port Forwards 443 – Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

Firewall – Port Forwards nextcloud-20000

This rule makes the share.strobel.cloud device accessible from the internet via port 20000. When this rule is deactivated, the Nextcloud is not reachable from the internet.

General Settings

Screenshot: OpenWRT – Firewall Configuration

Advanced Settings

Screenshot: OpenWRT – Firewall Configuration

More Port Forward Rules are configured for DNS. Please refer to ➡ Hijack DNS for a detailed description.
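The three port forwards described above (nextcloud-80, nextcloud-443, nextcloud-20000) as /etc/config/firewall redirect stanzas; this is an added example, not the article's own export. The Nextcloud address 192.168.30.10, the zone names wan and dmz, and internal ports equal to the external ones are assumptions.

```uci
# Constructed /etc/config/firewall fragment: DNAT from wan to the Nextcloud host.
# Assumed: Nextcloud at 192.168.30.10 in the dmz zone, internal ports equal
# to the external ones.

# Needed only while the Let's Encrypt certificate is renewed; keeping it
# disabled otherwise limits the exposure to the one service port below.
config redirect
	option name 'nextcloud-80'
	option src 'wan'
	option src_dport '80'
	option dest 'dmz'
	option dest_ip '192.168.30.10'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'
	option enabled '0'

# nextcloud-443 is configured the same way with src_dport and dest_port '443'.

# The forward that makes the Nextcloud reachable from the internet. Disabling
# it takes the server offline for external users.
config redirect
	option name 'nextcloud-20000'
	option src 'wan'
	option src_dport '20000'
	option dest 'dmz'
	option dest_ip '192.168.30.10'
	option dest_port '20000'
	option proto 'tcp'
	option target 'DNAT'
```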


Firewall – Traffic Rules

The traffic rules are evaluated in order, from top to bottom. At the first matching rule the firewall stops, regardless of the rules that follow; those subsequent rules are ignored for that packet.

Traffic Rules – Overview

The screenshot is an example; it does not show all rules described in this section.

Screenshot: OpenWRT – Firewall Traffic Rules

This block-all-dmz rule must be the last active rule in your list. If you define new rules, place them above this rule.

Screenshot: OpenWRT – Firewall Traffic Rules

At the bottom all OpenWRT standard rules are listed. These rules are DISABLED.

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – Allow-Wireguard-Inbound

Allow-Wireguard-Inbound – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Allow-Wireguard-Inbound – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Allow-Wireguard-Inbound – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-dhcp

Traffic Rules – dmz-dhcp – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dhcp – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dhcp – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-dns-53

Traffic Rules – dmz-dns-53 – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dns-53 – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dns-53 – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-dns-853

Traffic Rules – dmz-dns-853 – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dns-853 – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-dns-853 – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-allow-smtp

Traffic Rules – dmz-allow-smtp – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-allow-smtp – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-allow-smtp – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-http-https

This rule allows the Nextcloud server which runs on a Raspberry Pi to communicate with the repositories to update / upgrade installed software packages.

Without this rule the Raspberry Pi isn't able to fetch the current package lists.

Traffic Rules – dmz-http-https – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-http-https – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-http-https – Time Restrictions

The rule is time restricted! The devices in dmz can only access the wan in the specified time slot.

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – dmz-icmp

Traffic Rules – dmz-icmp – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-icmp – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – dmz-icmp – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – ssh-from-lan-into-dmz

Traffic Rules – ssh-from-lan-into-dmz – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – ssh-from-lan-into-dmz – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – ssh-from-lan-into-dmz – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules

Firewall – Traffic Rules – block-all-dmz

This is an important rule. It blocks all traffic that is not explicitly allowed to pass from dmz to any other network.

Traffic Rules – block-all-dmz – General Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – block-all-dmz – Advanced Settings

Screenshot: OpenWRT – Firewall Traffic Rules

Traffic Rules – block-all-dmz – Time Restrictions

Screenshot: OpenWRT – Firewall Traffic Rules
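The traffic rules from the Traffic Rules sections above, written as /etc/config/firewall rule stanzas in the order the firewall evaluates them; this is an added example, not the article's own export, and it shows why block-all-dmz has to stay last. The WireGuard port 51820, the update window 02:00-04:00 and the zone names wan/lan/dmz are assumptions; the smtp, dns and icmp rules follow the same pattern and are left out for brevity.

```uci
# Constructed /etc/config/firewall fragment: the dmz traffic rules in the order
# the firewall evaluates them (first match wins, so block-all-dmz must stay last).
# Assumed: WireGuard on UDP 51820, update window 02:00-04:00; zones wan/lan/dmz.

# No 'dest' option: the rule applies to traffic addressed to the router itself.
config rule
	option name 'Allow-Wireguard-Inbound'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# DMZ hosts may obtain a lease from the router's DHCP server.
config rule
	option name 'dmz-dhcp'
	option src 'dmz'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

# Package updates from the DMZ are allowed only inside the time slot.
config rule
	option name 'dmz-http-https'
	option src 'dmz'
	option dest 'wan'
	option dest_port '80 443'
	option proto 'tcp'
	option start_time '02:00:00'
	option stop_time '04:00:00'
	option target 'ACCEPT'

# Administrative SSH is one-directional: lan into dmz, never the reverse.
config rule
	option name 'ssh-from-lan-into-dmz'
	option src 'lan'
	option dest 'dmz'
	option dest_port '22'
	option proto 'tcp'
	option target 'ACCEPT'

# Keep this the last active rule: anything from dmz not accepted above is rejected.
config rule
	option name 'block-all-dmz'
	option src 'dmz'
	option dest '*'
	option proto 'all'
	option target 'REJECT'
```

A new allow rule appended after block-all-dmz is never reached for dmz traffic, which is the mistake the ordering note above warns about.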

Firewall – NAT Rules

Screenshot: OpenWRT – Firewall NAT Rules

… hosted on Codeberg.

https://codeberg.org/strobelstefan.org/openwrt-configuration

