| inbox:firewall:firewall3:fw3_network [2018/08/24 04:55] – [Firewall Zones] dturvene | docs:guide-user:firewall:fw3_network [2023/09/30 02:22] – [Firewall Zones] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Firewall and Network Interfaces | + | ====== Firewall and network interfaces |
| - | The goal of a router is forward packet streams from incoming network interfaces to | + | The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. |
| - | outgoing network interfaces. | + | Firewall rules add another layer of granularity to what is allowed to be forwarded |
| - | to what is allowed to be forwarded - and additionally | + | This section discusses the relationships between the firewall code and the network interfaces. |
| - | inputted to from outputted from the router itself. | + | |
| - | relationships between the firewall code and the network interfaces. | + | |
| - | ===== LAN Bridge ===== | + | At the heart of all routers |
| - | OpenWrt | + | When a packet enters one of the switch |
| - | ethernet (IEEE802.3, which we will call just '' | + | |
| - | wireless ethernet (IEEE802.11, which we will call '' | + | |
| - | ports each map directly to a single | + | |
| - | destination MAC are switched | + | |
| - | (e.g. ARP) are flooded to all LAN ports. | + | |
| - | Generally there is are one or more WLAN ports, each attached | + | The switch generally uses the layer-2 destination MAC address in the packet |
| - | chip (2.4Ghz, 5Ghz). | + | Each port has a cache of MAC addresses for stations reachable by (attached to) that port. |
| - | converting | + | Layer-2 frames with a known destination MAC are switched to the desired LAN port. |
| + | If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded | ||
| - | The LAN bridge combines the WLAN interface(s) with the 802.3 LAN ports to | + | OpenWrt routers have two types of LAN interface: wired Ethernet |
| - | create a single network. | + | |
| - | interface | + | |
| - | difference | + | |
| - | and 802.11 WLAN ports are collectively called something like '' | + | |
| - | The '' | + | The wired LAN ports each map directly to a single switch port. |
| + | Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4Ghz, 5Ghz). | ||
| + | Each handles one or more [[https:// | ||
| + | The Wi-Fi chips convert | ||
| + | All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port. | ||
| - | ===== Firewall Zones ====== | + | ===== LAN bridge |
| - | The firewall of an OpenWrt router is able to collect interfaces into '' | + | {{section> |
| - | to more logically filter traffic. A zone can be configured to any set of | + | The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network. |
| - | interfaces but generally there are two zones: | + | All switch ports in the bridge |
| - | interfaces and '' | + | |
| - | bridge | + | |
| - | the single 802.3 port connected to the WAN as the '' | + | |
| - | This simplifies | + | The new pseudo-interface has a '' |
| - | * a rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, | + | :!: Use bridging when combining WLAN and wired Ethernet ports. |
| - | * a rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. | + | Otherwise partition |
| - | :!: recognize the **zone** concept does not significantly simplify a simple | + | See Also: [[docs: |
| - | SOHO router with a single '' | + | |
| + | ===== Firewall zones ====== | ||
| + | The firewall of an OpenWrt router is able to collect interfaces into '' | ||
| + | A zone can be configured to any set of interfaces but generally there are at least two zones: '' | ||
| + | |||
| + | This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces: | ||
| + | * A rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, | ||
| + | * A rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. | ||
| + | |||
| + | :!: recognize the **zone** concept does not significantly simplify a simple SOHO router with a single '' | ||
| Each interface has a one-to-one mapping with a zone. | Each interface has a one-to-one mapping with a zone. | ||
| ===== Firewall and VLANs ===== | ===== Firewall and VLANs ===== | ||
| VLAN provisioning and use is documented in: | VLAN provisioning and use is documented in: | ||
| - | |||
| * [[docs: | * [[docs: | ||
| * [[docs: | * [[docs: | ||
| - | * [[docs: | + | * [[docs: |
| - | + | | |
| - | This section documents how to use [[inbox:firewall:firewall3:overview|fw3]] rules to | + | |
| - | filter traffic on the router for each provisioned VLAN and between | + | |
| - | + | ||
| - | <WRAP center round alert 60%> | + | |
| - | Need to reconfigure | + | |
| - | [[inbox: | + | |
| - | to create a guest and internal VLAN with seperate netfilter rule sets. | + | |
| - | </ | + | |
| - | + | ||
| - | :!: say something about the sw-config command | + | |
| + | A switch partitioned into multiple VLANs futher helps to organize the switch ports. | ||
| + | It is recommended that each VLAN map one-to-one with a zone. | ||
| + | The advantage to using a VLAN architecture is the packets are tagged with the VLAN ID to disambiguate routing/ | ||
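Review bot: the unchanged line "Each interface has a one-to-one mapping with a zone." contradicts the new text two sections above it, which says "A zone can be configured to any set of interfaces". The relationship is many-to-one: an interface belongs to exactly one zone, but a zone may contain several interfaces (the default lan zone with the bridge is the usual case). Reword it to "Each interface belongs to exactly one zone; a zone may contain several interfaces." The same wording problem recurs in the new VLAN paragraph, "It is recommended that each VLAN map one-to-one with a zone"; what is meant is that each VLAN interface should be placed in its own zone so that forwarding between VLANs is decided by zone-to-zone forwarding rules rather than happening implicitly inside one zone, and saying so would make the security point explicit. Two spelling fixes in the added text: "futher" should be "further", and "2.4Ghz, 5Ghz" should be "2.4 GHz, 5 GHz". Finally, the revision removes the old alert box that pointed at a guest-and-internal VLAN configuration with separate netfilter rule sets, and the new VLAN section offers no replacement pointer; consider keeping that cross-reference in the "See Also" list, since the guest-network split is the most common reason a reader of this page wants per-VLAN zones.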