cross-posted to: https://sh.itjust.works/post/14114626
If the rule is about forwarding traffic from the lan
interface to the wan
interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan
to forward to REJECT
? I interperet that as saying that wan
doesn't go anywhere, but that wouldn't make sense given that the router can send, and receive over the internet.
For example I would interperet the first rule as follows:
lan => wan
: the conditions for which connections from the lan
interface are forwarded to to the wan
interface.
Input: accept
: the lan
interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject
).
Output: accept
: all connections exiting the wan
interface are accepted (again, I'm not sure what the point of this would be).
Forward: accept
: forwarding of packets from lan
to wan
is allowed.
- Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the
lan
interface?
I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.
Disclaimer: I am not a professional network engineer, this is just what i found out after researching some
iptables
terminology.the
lan => wan
is perhaps a bit misleading.lan
is the zone, or which side of the router this firewall rule is in reference to.wan
is another zone, the arrow shows where packets of type Forward are ending up.When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to already opened connection.
I don't yet know what masquerade does.
Everything you've said here also aligns with my knowledge!
I can add some additional information.
The Masquerade option changes how the packet rule behaves when performing in a NAT situation. When Masquerade is off, the rule is configured statically with each interface's address when the rule is loaded. When Masquerade is on, the rule is evaluated dynamically every time against each interface's current address.
If you are routing packets through an interface, and the interface's address is dynamic (which is the case for most residential internet connections), you should have Masquerade ON to be able to route packets after the interface's address changes during normal operation.
That's not quite what masquerade does. Masquerade enables NAT, essentially.
Without masquerade, the router would send packets out like 192.168.0.109->8.8.8.8 and your ISP would be like "what is that IP I don't know how to route that". With masquerade on, the router remaps it to its own WAN IP so you have like 3.16.87.54->8.8.8.8, your ISP can handle that, and when the reply comes back, the router then switches it back to the correct internal IP.
Oh, thank you! I think I mixed up the option with something else. I appreciate the correction!
I investigated more and it seems that one can indeed perform NAT with Linux netfilter without the Masquerade action. If one knows the address of the interface, simply using the "SNAT" action with a to-address of the outbound interface will achieve the same result as using the "MASQUERADE" action, as long as the address of the outbound interface does not change.
But, this fact only matters for the actual underlying netfilter. I should have been thinking about OP's application specifically. For OpenWRT it probably does just mean Checked->NAT, Unchecked->No NAT.
That works too. Ultimately they're all NAT, that's why they're in the NAT table to begin with. Masquerade specifically is to rewrite the traffic as if it was originating from the router itself, which can be useful if you don't know which interface it'll go out, you just want it to NAT no matter where. SNAT just rewrites the source address so it's a bit less smart. There's also DNAT to rewrite where the packet will go. It's not just addresses either, you can rewrite ports too. There's also REDIRECT.
Just different ways of doing similar things, but they're all doing network address translation. For OpenWRT's purposes it is indeed what everyone thinks of a NAT, the most simple and common one. Past that a GUI becomes more of an annoyance than a feature anyway, so might as well go for scripts or at least raw iptables rules.
There's also the whole connection tracking system on top of the firewall rules. If you're clever you can make a load balancer right in iptables, since connection mappings will stick. You don't have to always rewrite it the same for every packer.
Isn't the lan -> wan interfaces refering to your packets going outside your router and lan network to the outside world (internet?).
I vaguely remember the pfsense configuration I did a while ago, where the wan interface is actually the internet connection interface.
Maybe I'm wrong and misunderstood something, if so, please correct me !
yes, lan is the Local Area Network, wan is the Wide Area Network. The zone lan refers to the devices on the local side, wan to the great internet.
How does this work with the second rule? Wouldn't any connection from the internet be a connection originating from another device within the
wan
zone (internet) with the router as the destination? The rule hasInput: reject
, but I would think that it should then beInput: accept
.Input means the packet stops at the router, like when you access its web ui. I don't think you want to give the internet access to your router settings :)
Ah okay, so if
Output: accept
is still enabled, then, even thoughInput: reject
is set, the packet can still use the router as a hop in it's journey to a device on the router's network? It just can't stop at the router? I guess that makes sense because the device on the routers network is addressed by a port which is a layer above the IP address, so it wouldn't even have a notion of addressing the router unless it just specifies the raw IP.[EDIT (2024-02-08T00:21Z): Redacted this paragraph after re-reading this comment.]~~Another thing that is confusing me is the setting for
Forward
. I would assume that if a packet is destined for a device on the router's network, then that packet is being forwarded fromwan
tolan
, and ifMasquerading
is enabled, then the destination IP will be modified by the router. But, in the example image we have thatForward: reject
is set. How does the packet get forwarded between interfaces if forwarding is disabled?~~[EDIT (2024-02-08T00:21Z): Added the following quote, and response.]
How does the router differentiate between the two? If I remember correctly, nftbales uses conntrack to track this sort of stuff. I would guess that the router does the same?
[EDIT (2024-02-08T00:26Z): Added the following update.]
When I was looking through the settings for the second row, I came across the following setting:
I believe that this setting is accomplishing the behaviour that you described (not allowing connections from
wan
, but still allowing responses). Correct?