
Firewall and Network Interfaces

The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. Firewall rules add another layer of granularity to what is allowed to be forwarded, and additionally to what is allowed to be input to, and output from, the router itself. This section discusses the relationships between the firewall code and the network interfaces.

At the heart of all routers is a hardware switch with a number of interface ports. When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards the packet to an output port, which transmits it. The switch generally uses the layer-2 destination MAC address in the packet to switch on. Each port has a MAC cache, which gradually ages out. If the destination MAC is not bound to a port, other protocols (e.g. ARP) are used to discover which switch port can deliver a packet to the destination MAC.

OpenWrt routers have two types of LAN interface: wired ethernet (IEEE 802.3 or RFC 894 Ethernet II, Ethernet II being the most common) and wireless ethernet (IEEE 802.11).

The wired LAN ports each map directly to a single switch port. Generally there is one 802.11 wifi port attached to a wifi radio chip (2.4 GHz, 5 GHz). Each handles one or more IEEE 802.11 standard protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). The wifi chips convert the 802.11 signal into a canonical ethernet frame that is injected into the switch port for routing. All wifi stations connected to the 802.11 access point use the same radio(s) and the same switch port.

Layer-2 frames with a known destination MAC are switched to the desired LAN port. If the MAC is not present in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which one has access to the destination MAC. After that, the destination MAC is bound to that port for a period of time.

LAN Bridge

The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network. In the interface configuration set option type bridge, or in LuCI go to Network → Interfaces → LAN, tick the Bridge interfaces box and select the physical interfaces to bridge together. All switch ports in the bridge will act as a single network.

The new pseudo-interface has br- prepended to the interface name, generally br-lan.

:!: Use bridging when combining WLAN and wired ethernet ports. Otherwise partition the ports into VLANs.

Firewall Zones

The firewall of an OpenWrt router is able to collect interfaces into zones to more logically filter traffic. A zone can be configured to any set of interfaces but generally there are at least two zones: lan for the collection of LAN interfaces and wan for the WAN interfaces.

This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

  • a rule for a packet originating in a zone must be entering the router on one of the zone's interfaces,
  • a rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.

:!: Recognize that the zone concept does not significantly simplify a simple SOHO router with a single br-lan interface and a single wan interface: each interface has a one-to-one mapping with a zone.

Firewall and VLANs

VLAN provisioning and use is documented in:

A switch partitioned into multiple VLANs further helps to organize the switch ports. It is recommended that each VLAN map one-to-one with a zone. The advantage of using a VLAN architecture is that packets are tagged with the VLAN id, which disambiguates routing/firewall decisions.

docs/guide-user/firewall/fw3_network.txt · Last modified: 2018/10/20 05:22 by 54806b45