Differences

inbox:firewall:firewall3:fw3_network [2018/08/24 04:55] – [Firewall Zones] dturvenedocs:guide-user:firewall:fw3_network [2023/09/30 02:36] – split unrelated bridge configs vgaetera
Line 1: Line 1:
-====== Firewall and Network Interfaces ====== +====== Firewall and network interfaces ====== 
-The goal of a router is forward packet streams from incoming network interfaces to +The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. 
-outgoing network interfaces.  Firewall rules add another layer of granularity +Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and outputted fromthe router itself. 
-to what is allowed to be forwarded - and additionally what is allowed to be +This section discusses the relationships between the firewall code and the network interfaces.
-inputted to from outputted from the router itself.  This section discusses the +
-relationships between the firewall code and the network interfaces.+
  
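Review bot: the new second sentence has a missing space in "outputted fromthe router itself", and "allowed to be inputted to, and outputted from" is awkward; suggest "and additionally which packets are allowed into, and out of, the router itself". Reflowing the paragraph to one sentence per line is otherwise fine and matches the rest of the page.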
-===== LAN Bridge ===== +At the heart of all routers is a hardware switch with a number of interface ports. 
-OpenWrt routers have two types of LAN interface: hardwired +When packet enters one of the switch ports, the hardware switch matches fixed field in the packet and forwards the packet to an output port which transmits it.
-ethernet (IEEE802.3, which we will call just ''LAN'' ports) and +
-wireless ethernet (IEEE802.11, which we will call ''WLAN'' ports).  The LAN +
-ports each map directly to single switch port.  Layer-2 frames with a +
-destination MAC are switched to the desired LAN port; broadcast packets +
-(e.g. ARP) are flooded to all LAN ports.+
  
-Generally there is are one or more WLAN ports, each attached to a Wifi radio +The switch generally uses the layer-2 destination MAC address in the packet to switch on. 
-chip (2.4Ghz5Ghz) Each handles the specifics of the IEEE802.11 specs, +Each port has a cache of MAC addresses for stations reachable by (attached to) that port. 
-converting the signal to an ethernet frame and stream to a single switch port.+Entries in the MAC cache gradually outso must be re-discovered if used again. 
 +Layer-2 frames with a known destination MAC are switched to the desired LAN port
 +If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC.
  
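Review bot: two of the new switch sentences are garbled and the last one is misleading. "When packet enters one of the switch ports, the hardware switch matches fixed field in the packet" needs articles ("When a packet enters ... matches a fixed field"), and "Entries in the MAC cache gradually outso must be re-discovered if used again" has lost words; suggest "Entries in the MAC cache gradually time out, so a station's port must be re-learned if it is used again." The sentence "If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC" conflates two mechanisms: a switch floods a frame whose destination MAC it has not learned out of every port except the one it arrived on, and learns the port from the reply; ARP is a separate broadcast sent by a host to resolve an IP address to a MAC, and it is flooded because it is a broadcast, not because of a cache miss. Finally, "At the heart of all routers is a hardware switch" overstates; "most consumer routers" fits the wired-port discussion that follows.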
-The LAN bridge combines the WLAN interface(s) with the 802.3 LAN ports to +OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE802.11.)
-create a single network.  Conceptually a client station could use an 802.11 WLAN +
-interface and then plug into a hardwired LAN port without any functional +
-difference (possibly getting a new DHCP address.)  The new bridged 802.3 LAN +
-and 802.11 WLAN ports are collectively called something like ''br-lan''.+
  
-The ''br-lan'' psuedo-interface is the LAN-side of the router.+The wired LAN ports each map directly to a single switch port. 
 +Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4Ghz, 5Ghz). 
 +Each handles one or more [[https://en.wikipedia.org/wiki/IEEE_802.11|IEEE802.11 standard]] protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). 
 +The Wi-Fi chips convert the 802.11 signal into a canonical ethernet frame injected into the switch port for routing. 
 +All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port. 
 +The LAN bridge interface ''br-lan'' combines wireless interface(s) with the wired ports to create a single logical network.
  
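Review bot: "Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4Ghz, 5Ghz)" contradicts its own dual-band parenthetical and the wording it replaces ("one or more WLAN ports, each attached to a Wifi radio chip"); a dual-band device has one wireless interface per radio, so suggest "one or more 802.11 Wi-Fi interfaces, one per radio chip (2.4 GHz, 5 GHz)", with the unit spelled "GHz". The claim that the Wi-Fi chips produce a frame "injected into the switch port for routing" should be reconciled with the closing sentence about ''br-lan'': on OpenWrt the wireless interface is a separate kernel network device that is bridged in software with the switch-facing interface, so it is the bridge, not a hardware switch port, that joins wireless and wired stations, and the operation is bridging rather than routing. Minor: "ethernet" is capitalised as "Ethernet" elsewhere in this paragraph.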
-===== Firewall Zones ====== +:!: Use bridging when combining WLAN and wired Ethernet ports
-The firewall of an OpenWrt router is able to collect interfaces into ''zones'' +Otherwise partition the ports into VLANs.
-to more logically filter traffic. A zone can be configured to any set of +
-interfaces but generally there are two zones''lan'' for the collection of LAN +
-interfaces and ''wan'' for the WAN interfaces A SOHO router uses the LAN +
-bridge psuedo-interface as the single interface for the ''lan'' zone.  It uses +
-the single 802.3 port connected to the WAN as the ''wan'' zone.+
  
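Review bot: the new admonition is missing sentence punctuation, so "Use bridging when combining WLAN and wired Ethernet ports" runs straight into "Otherwise partition the ports into VLANs." Suggest "... wired Ethernet ports. Otherwise, partition the ports into VLANs." The removed text also gave the reason for bridging (a station can move between the WLAN and a wired port with no functional difference beyond possibly a new DHCP lease); a short clause such as "so that wired and wireless stations share one logical network" would keep that motivation.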
-This simplifies the firewall rule logic For example:+===== Firewall zones ====== 
 +The firewall of an OpenWrt router is able to collect interfaces into ''zones'' to more logically filter traffic. 
 +A zone can be configured to any set of interfaces but generally there are at least two zones''lan'' for the collection of LAN interfaces and ''wan'' for the WAN interfaces.
  
-  rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, +This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces: 
-  * rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.+  rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, 
 +  * rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.
  
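Review bot: the two-item list under "This simplifies the firewall rule logic somewhat" keeps a formatting defect from the old text: the first item has no "* " list marker (`+  rule for a packet originating in a zone must be entering the router on one of the zone's interfaces,`) while the second does (`+  * rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.`), so the first renders as an indented block rather than a bullet. Add the marker, and consider full sentences for both: "a rule for packets originating in a zone matches only packets entering the router on one of the zone's interfaces" and "a rule for packets forwarded to a zone matches only packets exiting the router on one of the zone's interfaces". Separately, "at least two zones''lan''" needs a colon and a space before ''lan''.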
-:!: recognize the **zone** concept does not significantly simplify a simple +:!: recognize the **zone** concept does not significantly simplify a simple SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.
-SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.+
 Each interface has a one-to-one mapping with a zone. Each interface has a one-to-one mapping with a zone.
  
 ===== Firewall and VLANs ===== ===== Firewall and VLANs =====
 VLAN provisioning and use is documented in: VLAN provisioning and use is documented in:
- 
   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]
   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]
-  * [[docs:guide-user:network:vlan:switch_untaggedvlan_howto|Adding VLANs]] +  * [[docs:guide-user:network:vlan:creating_virtual_switches|Adding VLANs]] 
- +  [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]
-This section documents how to use [[inbox:firewall:firewall3:overview|fw3]] rules to +
-filter traffic on the router for each provisioned VLAN and between VLANs+
- +
-<WRAP center round alert 60%> +
-Need to reconfigure +
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|Reference Network Topology]] +
-to create a guest and internal VLAN with seperate netfilter rule sets. +
-</WRAP> +
- +
-:!: say something about the sw-config command+
  
 +A switch partitioned into multiple VLANs futher helps to organize the switch ports.
 +It is recommended that each VLAN map one-to-one with a zone.
 +The advantage to using a VLAN architecture is the packets are tagged with the VLAN ID to disambiguate routing/firewall decisions.
  
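Review bot: the fourth link in the VLAN list has no "* " marker (`+  [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]`), so it will not render as an item of the list above it; add the marker. In the closing paragraph "futher" should be "further". The removed sentence promised to show how fw3 rules filter traffic per VLAN and between VLANs; the new paragraph only states the one-to-one VLAN-to-zone recommendation, so if the DMZ page is meant to carry that walk-through, a sentence saying so would close the gap.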
  • Last modified: 2023/09/30 02:39
  • by vgaetera