Are these Firewall setting ok

Notconnected

Hi again everyone.
I managed to reinstall OpenWrt and it is working.
I connect this OpenWrt router to my switch, and use the WiFi on this device to bridge to my phone.
This provides all the devices on the network with internet access.
I am not sure if my Firewall settings are correct; maybe someone could advise.
The settings of the Wan seem too open, but I am afraid to alter them as I do not want to brick this device.
Advice welcome, thank you all.
[Attachment: Firewall-Setup-.png]
 
What is the wan port plugged into? Post these outputs:
Code:
cat /etc/config/network
cat /etc/config/firewall
You wouldn’t want wan Input set to accept if your wan has a public IP.
 
You wouldn’t want wan Input set to accept if your wan has a public IP?
My mobile phone is set to a hotspot, the WiFi on the router connects to this hotspot;
does this mean I do not have a public IP?
Code:
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf4:a883:b575::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.50.50.5'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '1'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	option dns '9.9.9.9 149.112.112.112'
Code:
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
 
You can check the wan IP with this command:
Code:
ifstatus wwan | jsonfilter -e '@["ipv4-address"][0].address'
You don’t need to post it, but if it doesn’t start with 10., 192.168., or 172., you might be at risk. I don’t know if the phone would provide any protection from the carrier end, I’ve never had to bother with hotspots/tethering.
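As an added example (not code from the thread or from OpenWrt), a small POSIX sh script that automates the two checks above: it classifies the wwan address against the full RFC 1918 ranges plus the carrier-grade NAT block tethering often hands out, reads the wan zone's input policy out of a UCI firewall config, and rates the exposure. The sample config and addresses are constructed to mirror the one posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the wwan address, read the wan
# zone's input policy from a UCI firewall config, and rate the exposure. RFC 1918
# blocks are 10/8, 172.16/12, 192.168/16; RFC 6598 CGNAT (100.64/10) is common on tethering.

# classify_ip ADDR -> private | cgnat | public
classify_ip() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    case "$o1" in
        10)  echo private ;;
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private; else echo public; fi ;;
        192) if [ "$o2" -eq 168 ]; then echo private; else echo public; fi ;;
        100) if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo cgnat; else echo public; fi ;;
        *)   echo public ;;
    esac
}

# wan_input_policy < /etc/config/firewall -> 'input' option of the zone named 'wan' (any option order)
wan_input_policy() {
    awk -v q="'" '
        /^[ \t]*config zone/ { inzone = 1; name = ""; input = ""; next }
        /^[ \t]*config /     { inzone = 0 }
        inzone && $1 == "option" && $2 == "name"  { gsub(q, "", $3); name = $3 }
        inzone && $1 == "option" && $2 == "input" { gsub(q, "", $3); input = $3 }
        inzone && name == "wan" && input != ""    { print input; exit }
    '
}

# exposure CLASS POLICY -> high (router services reachable from the internet) | medium
# (reachable by other hosts on the upstream network, e.g. other hotspot clients) | low
exposure() {
    case "$2" in
        ACCEPT) [ "$1" = public ] && echo high || echo medium ;;
        *)      echo low ;;
    esac
}

# Constructed sample in the shape of the config posted above (values are made up).
sample_firewall() {
    cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	option input 'ACCEPT'
EOF
}
```

On the router itself, feed it the live values with the command from the reply above: `exposure "$(classify_ip "$(ifstatus wwan | jsonfilter -e '@["ipv4-address"][0].address')")" "$(wan_input_policy < /etc/config/firewall)"`.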