Problem with Firewall rules for internal connections!

Greeno (Regular Contributor)

Hi.
I have a problem with a rule entered in the Firewall rules for internal connections in the RT-AX86U Pro (Merlin firmware).
To check the firewall rules for internal connections, I placed an entry in the firewall rules for internal connections for the printer and host with the address 10.0.0.12.

Source IP address: 10.0.0.12; port range: 515; protocol: tcp

The firewall was working and the host was unable to print to the printer.
I removed the rule, but now there are problems printing from the host address: 10.0.0.12.
Restarting the router helps, but only for a limited time, and the host address: 10.0.0.12 has the printer availability problem again!

Can I clear the firewall rules for internal connections from the console?
 
It is unclear exactly what you're doing. What "firewall rules" are you changing?

Do you mean the "Network Services Filter"? If so, those rules only affect LAN to WAN traffic, as stated on that page. It does not affect LAN to LAN traffic (i.e. a PC to a printer).
 
No! I'm talking about this:

Section: Firewall > General > Firewall rules for internal connections (maximum number: 128)
 
Can I clear the firewall rules for internal connections from the console?
Code:
nvram set filter_wllist=""
nvram commit
service restart_firewall
“Inbound” and “Internal” are not the same.
 
Can you post a screenshot of that page? I think you're looking at the WAN to LAN filter ("Enable IPv4 inbound firewall rules"). You can't filter LAN to LAN.
 
Uh, that's not "firewall rules for internal connections", it is "Inbound Firewall Rules (Max Limit : 128)". From an RT-AX86U Pro:
(Attachment: RT-AX86U Pro General.jpg)
 
I have this translation in Polish in the RT-AC86U Pro router:

Polish language: „Reguły firewalla dla połączeń wewnętrznych (maks. liczba: 128)”
English language: "Firewall rules for internal connections (max. number: 128)"

Screenshot confirming the translation:
 

Attachment: Firewall.jpg
Bad translation then. Asus gives a basic explanation of that page here:
[Wireless Router] Introduction of Firewall on ASUS router
[Wireless Router] How to set up IPv6 Firewall?
In basic terms those "Inbound" sections deals with WAN to LAN not LAN to LAN.
 
I understand everything ;)
However, in this case, why did my printer stop working when I set the filter as in the screenshot:

I deleted the rule and committed the changes, but I'm still having trouble communicating with the printer!

how to fix it?

Is it possible to view the NVRAM and clear the specific records that are causing the problem?

By the way, I'm complaining a bit, so don't take it personally, my friends, because the people on the forum are doing a great job,
but I think ASUS fracked up the software firewall. I feel like no matter what rule I try to implement, something always doesn't work as it should.

For example, I wanted to apply a firewall - filtering network services and blocking all traffic except services on ports 80 and 443 (www) for a given host.

In general, you should implement a whitelist and deploy 2 rules per host.

Of course this works, but it also cuts off all traffic for all other hosts on the subnet!

A simple principle, but I don't know how to implement it!
 

Attachment: Bez nazwy.jpg
Is it possible to view the NVRAM and clear the specific records that are causing the problem?
No. Because we don't know what is causing your problem. It's not the firewall rule because a) you have removed the rule and turned off the inbound firewall, and b) the firewall has no effect on LAN to LAN traffic. Your problem lies elsewhere.
 
The GUI implementation of the rules is incomplete compared to the firewall code in the firmware. Can you show us the output of:
Code:
iptables -nvL FORWARD
when the rule is enabled? I think it’s broken in some ways.
 

For your first issue, LAN to LAN traffic does not pass through the router, just the switch. More likely your printer IP changed and the PC hasn't detected it. Your printer should have a static IP, or you need to use a WSD printer port instead of a standard TCP/IP one (a static DHCP reservation for the printer is a good idea regardless, though).

For the network service filter scenario you mention, it is possible but you need more than 2 rules. First set it to "block list".
Then add a rule for tcp <80 (which it converts to 1:79)
Another rule for tcp 81:442
Another rule for tcp >443 (which it converts to 444:65535)
Another rule for any (blank) port UDP

Use the same source and/or destination IP for all of them. Leave source port blank.
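The allow-only-80/443 recipe above (three TCP block ranges plus a UDP catch-all) is one instance of computing the complement of an allowed port set. The Python below is an added example, not code from the thread or from ASUS; it generalises the recipe to any set of allowed TCP ports and then checks the generated rows the way a block list behaves. The row fields (source, destination, port_range, protocol) are an assumed representation of one Network Services Filter entry, not an ASUS import format.

```python
# Added example: build Network Services Filter "block list" rows that leave only
# the chosen TCP ports reachable for one LAN host. The row layout is an assumed
# representation of one GUI entry, not an ASUS export/import format.

def block_list_ranges(allowed_ports, lo=1, hi=65535):
    """Return (first, last) ranges covering every port in lo..hi except the
    allowed ones. Adjacent allowed ports yield no empty range between them."""
    ranges = []
    prev = lo - 1
    for port in sorted(set(allowed_ports)):
        if not lo <= port <= hi:
            raise ValueError(f"port {port} outside {lo}..{hi}")
        if port - 1 >= prev + 1:
            ranges.append((prev + 1, port - 1))
        prev = port
    if prev < hi:
        ranges.append((prev + 1, hi))
    return ranges


def filter_rules(source_ip, allowed_tcp_ports):
    """One TCP row per blocked range plus one UDP row with a blank port
    (blank meaning every port). Destination IP and source port stay blank,
    as the reply advises."""
    rows = [
        {"source": source_ip, "destination": "", "port_range": f"{a}:{b}", "protocol": "TCP"}
        for a, b in block_list_ranges(allowed_tcp_ports)
    ]
    rows.append({"source": source_ip, "destination": "", "port_range": "", "protocol": "UDP"})
    return rows


def is_blocked(rows, source_ip, protocol, dport):
    """Block-list semantics: any matching row blocks the packet."""
    for row in rows:
        if row["source"] != source_ip or row["protocol"] != protocol:
            continue
        if row["port_range"] == "":
            return True
        first, last = (int(x) for x in row["port_range"].split(":"))
        if first <= dport <= last:
            return True
    return False


if __name__ == "__main__":
    # 10.0.0.12 is the host from the thread; 80 and 443 are its allowed ports.
    for row in filter_rules("10.0.0.12", [80, 443]):
        print(row)
```

For the two-port case this reproduces the ranges in the reply (1:79, 81:442, 444:65535). Adjacent allowed ports such as 80 and 81 produce no empty range, and the UDP row covers every UDP port for that host's LAN to WAN traffic, which includes any DNS or NTP the host sends directly to internet servers.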
 
With the statement that LAN to LAN traffic does not go through the router, but through the switch, you exaggerated a bit ;)

In this case, most of the advanced features of the router software will not work!

Code:
iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
33820 39M IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
33820 39M IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PControls all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:2B:47:00:63:8A
33144 39M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
676 147K WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
676 147K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
7 364 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
47 2515 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2 120 SECURITY all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DNSFILTER_DOT tcp -- br+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
620 144K WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
620 144K OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
620 144K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

My printer has a static IP address.

After restarting the router with the printer, the communication is correct, but after some time, a communication error occurs!

Surely the problem lies in the rule that I introduced and then deleted, or is somehow related to it, because I initiated it myself when I wanted to block printing on a given host.
 
After restarting the router with the printer, the communication is correct, but after some time, a communication error occurs!

Surely the problem lies in the rule that I introduced and then deleted, or is somehow related to it because I initiated it myself because I wanted to block printing on a given host.
Not sure it's been asked but is the printer connected to the router using USB? Are you using Network Print Server feature of the Asus firmware? Is the printer connected using Ethernet or WiFi? Does the printer network connection go through any sort of network extender, AiMesh node, power line extender?

A basic troubleshooting step, if you have not done so already, is to turn off and disconnect every other local network device or client, both wired and wireless. Leave only the printer and one wired Ethernet computer connected to the router. Then reboot all three devices and see if the issue continues.

If you feel the router is the cause of the printer issue, then one way to determine if it was the changes on the Firewall > General page is to do a hard factory reset on the router and manually reconfigure it without importing any saved configuration files. Generally, making changes to the firewall, which deals with WAN traffic, does not, or should not, affect LAN to LAN only traffic.

If your printer relies on a "web print" feature where it contacts a remote service outside the local network to receive print requests, then changing the Firewall setting could impact the printer. In that specific case, if LAN clients are configured to print through the "web print" service rather than direct to the local printer, then it's possible the LAN clients cannot reach the printer after it sends the traffic out to the WAN, with the firewall rejecting the WAN communication to the printer.
 
The printer is connected via WiFi directly to the router without any additional devices; it is also not connected via an AiMesh node.
The printer only works on the LAN.
I am not using the Network Print Server function in the Asus software!

I tried to solve the problem as you described and everything is ok until some time after restarting the router,
but after some time the printer stops responding to pings from host 10.0.0.12 which I entered in the incoming firewall rule:

source IP address: 10.0.0.12; port range: 515; protocol: TCP

then i deleted it!

When this problem occurs, the printer is connected to the router, I checked it, it can also be pinged from the router's SSH console.

It is possible to print from other hosts with IP addresses other than: 10.0.0.12
I just can't connect to the printer after a while from host address 10.0.0.12.

I'll mess around a bit more, if I don't come up with anything, I'll update the firmware because a new one has appeared and I'll configure everything from scratch ;)
 
You have parental control set up for device 00:2B:47:00:63:8A. Is this the PC or the printer?
 
It is possible to print from other hosts with IP addresses other than: 10.0.0.12
I just can't connect to the printer after a while from host address 10.0.0.12.
Then you likely have configured another setting elsewhere in the router configuration that is causing the issue. As ColinTaylor pointed out, check your Parental Control settings if you have enabled it on the 10.0.0.12 or some other local network client.

As previously mentioned one sure way to rule out the router being the cause is to perform a hard factory reset on the router and do a basic manual reconfiguration (no parental control, no reconfiguration of firewall rules, no additional router scripts or add-ons), then recheck if the printer becomes inaccessible after a period of time.
 

With LAN to LAN traffic the advanced features of the router do not do anything. There is no exaggeration. The rules you list are for traffic through the router, not through the switch. If your printer is on wifi and computer on wired (or vice-versa) or if one is on guest and the other isn't, then it is possible that the rule you added impacted something. But any rules you add, if not in a script, are flushed out when you reboot.

ebtables rules are only applied to guest wireless interfaces. There are none applied to regular wireless.

iptables rules only apply when traffic leaves a bridge interface (which your traffic would not be) destined for another subnet.

Both your non-guest WiFi interfaces and your physical ports sit in br0, so they'll never hit any rules. In your messing around it is likely something else got messed up; just do the factory reset, and if it is still happening after that, there is something going on with your PC or printer.
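To make the rule-order point concrete, here is an added Python walk over the FORWARD chain posted earlier in this thread. The dump is the poster's own (counters, chain names and the parental-control MAC come from the thread), with the keywords the translator mangled restored to iptables' English output; the code is not firmware or Asuswrt-Merlin code. It models only the matches visible in the dump (interface, protocol, source MAC, conntrack state, destination port) and treats user-defined chains, whose contents are not shown, as returning. As the reply explains, a frame between two ports of br0 normally never enters this chain at all; the walk shows what would happen if it did, and what happens to traffic that really does cross the router.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not firmware or Asuswrt-Merlin code. The dump is the poster's
# `iptables -nvL FORWARD` output from this thread, with the keywords the
# translator mangled restored (Chain, pkts, destination, state, DROP).
FORWARD_DUMP = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
33820 39M IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
33820 39M IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PControls all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:2B:47:00:63:8A
33144 39M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
676 147K WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
676 147K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
7 364 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
47 2515 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2 120 SECURITY all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DNSFILTER_DOT tcp -- br+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
620 144K WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
620 144K OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
620 144K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    mac: Optional[str] = None        # -m mac --mac-source
    states: frozenset = frozenset()  # -m state / -m conntrack
    dport: Optional[int] = None      # --dport

@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str = "tcp"
    mac: Optional[str] = None
    state: str = "NEW"
    dport: Optional[int] = None

def parse_forward(dump: str) -> list[Rule]:
    """Parse `iptables -nvL` rows; chain and column header lines are skipped."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, _src, _dst = parts[:9]
        mac = re.search(r"\bMAC (\S+)", line)             # match extensions
        state = re.search(r"\b(?:ct)?state (\S+)", line)  # follow the
        dpt = re.search(r"dpt:(\d+)", line)               # destination column
        rules.append(Rule(target, proto, in_if, out_if,
                          mac.group(1).upper() if mac else None,
                          frozenset(state.group(1).split(",")) if state else frozenset(),
                          int(dpt.group(1)) if dpt else None))
    return rules

def iface_matches(pattern: str, iface: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("!"):            # negated interface
        return not iface_matches(pattern[1:], iface)
    if pattern.endswith("+"):              # prefix wildcard such as br+
        return iface.startswith(pattern[:-1])
    return pattern == iface

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_matches(rule.in_if, pkt.in_if)
            and iface_matches(rule.out_if, pkt.out_if)
            and rule.proto in ("all", pkt.proto)
            and (rule.mac is None or (pkt.mac or "").upper() == rule.mac)
            and (not rule.states or pkt.state in rule.states)
            and (rule.dport is None or pkt.dport == rule.dport))

def walk_chain(rules: list[Rule], pkt: Packet) -> list[str]:
    """Targets hit in order, up to the first verdict. User-defined chains are
    not in the dump, so they are recorded and assumed to RETURN."""
    trace = []
    for rule in rules:
        if rule_matches(rule, pkt):
            trace.append(rule.target)
            if rule.target in {"ACCEPT", "DROP", "REJECT"}:
                return trace
    trace.append("policy ACCEPT")
    return trace

FORWARD_RULES = parse_forward(FORWARD_DUMP)
```

Walking a new br0-to-br0 packet from the parental-control MAC (`Packet("br0", "br0", mac="00:2B:47:00:63:8A", dport=515)`) visits the IPsec, PControls, WGSF and OVPNSF chains and then stops at the br0/br0 ACCEPT; the same packet from any other MAC skips PControls, which is the only place in this chain where that host is treated differently from other LAN clients. A new eth0-to-br0 packet that is neither DNAT'd nor part of an existing connection passes SECURITY and the VPN chains and ends at the final DROP.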
 