Differences

inbox:firewall:firewall3:fw3_network [2018/08/24 04:55] – [Firewall Zones] dturvenedocs:guide-user:firewall:fw3_network [2023/09/30 02:39] (current) – [Firewall and network interfaces] vgaetera
Line 1: Line 1:
-====== Firewall and Network Interfaces ====== +====== Firewall and network interfaces ====== 
-The goal of a router is forward packet streams from incoming network interfaces to +The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. 
-outgoing network interfaces.  Firewall rules add another layer of granularity +Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and outputted fromthe router itself. 
-to what is allowed to be forwarded - and additionally what is allowed to be +This section discusses the relationships between the firewall code and the network interfaces.
-inputted to from outputted from the router itself.  This section discusses the +
-relationships between the firewall code and the network interfaces.+
  
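Review bot: the new intro sentence "which packets are allowed to be inputted to, and outputted fromthe router itself" is missing the space before "the" and the comma placement leaves "outputted from" dangling; suggest "which packets are allowed into, and out of, the router itself". The explicit forward/input/output split itself is worth keeping, since those are the three directions a zone policy controls.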
-===== LAN Bridge ===== +At the heart of all routers is a hardware switch with a number of interface ports. 
-OpenWrt routers have two types of LAN interface: hardwired +When packet enters one of the switch ports, the hardware switch matches fixed field in the packet and forwards the packet to an output port which transmits it.
-ethernet (IEEE802.3, which we will call just ''LAN'' ports) and +
-wireless ethernet (IEEE802.11, which we will call ''WLAN'' ports).  The LAN +
-ports each map directly to single switch port.  Layer-2 frames with a +
-destination MAC are switched to the desired LAN port; broadcast packets +
-(e.g. ARP) are flooded to all LAN ports.+
  
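Review bot: "When packet enters one of the switch ports, the hardware switch matches fixed field in the packet" drops two articles; suggest "When a packet enters ... matches a fixed field". "At the heart of all routers is a hardware switch" is also stronger than the section needs, since it describes the common multi-port consumer design; "most consumer routers" would be safer. Note that the "===== LAN Bridge =====" subheading is removed without a replacement, so the switch and bridge paragraphs now sit directly under the page heading while "Firewall zones" keeps its own subheading.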
-Generally there is are one or more WLAN ports, each attached to a Wifi radio +The switch generally uses the layer-2 destination MAC address in the packet to switch on. 
-chip (2.4Ghz5Ghz) Each handles the specifics of the IEEE802.11 specs, +Each port has a cache of MAC addresses for stations reachable by (attached to) that port. 
-converting the signal to an ethernet frame and stream to a single switch port.+Entries in the MAC cache gradually outso must be re-discovered if used again. 
 +Layer-2 frames with a known destination MAC are switched to the desired LAN port
 +If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC.
  
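Review bot: "Entries in the MAC cache gradually out so must be re-discovered" is missing a word ("gradually time out"). The last sentence also blends two mechanisms: when the destination MAC is not in the cache the switch itself floods the frame out of every port (unknown-unicast flooding), whereas an ARP broadcast is sent by a host to learn the MAC for an IP address, not by the switch to find a port. Suggest splitting it: "A frame whose destination MAC is not in the cache is flooded to all ports; broadcasts such as ARP requests are always flooded."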
-The LAN bridge combines the WLAN interface(s) with the 802.3 LAN ports to +OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE802.11).
-create a single network.  Conceptually a client station could use an 802.11 WLAN +
-interface and then plug into a hardwired LAN port without any functional +
-difference (possibly getting a new DHCP address.)  The new bridged 802.3 LAN +
-and 802.11 WLAN ports are collectively called something like ''br-lan''.+
  
-The ''br-lan'' psuedo-interface is the LAN-side of the router.+The wired LAN ports each map directly to a single switch port. 
 +Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4Ghz, 5Ghz). 
 +Each handles one or more [[https://en.wikipedia.org/wiki/IEEE_802.11|IEEE802.11 standard]] protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). 
 +The Wi-Fi chips convert the 802.11 signal into a canonical ethernet frame injected into the switch port for routing. 
 +All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port.
  
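Review bot: "2.4Ghz, 5Ghz" should be "2.4 GHz, 5 GHz". "Generally there is one 802.11 Wi-Fi port" also reads oddly beside "the same radio(s)" two lines later: dual-band devices have one radio per band, each exposed as its own wireless interface and bridged into the same network. Suggest "one or more Wi-Fi radios, each exposed as a wireless interface", which matches the old revision's "one or more WLAN ports".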
-===== Firewall Zones ====== +The LAN bridge interface ''br-lan'' combines wireless interface(s) with the wired ports to create a single logical network.
-The firewall of an OpenWrt router is able to collect interfaces into ''zones'' +
-to more logically filter traffic. A zone can be configured to any set of +
-interfaces but generally there are two zones: ''lan'' for the collection of LAN +
-interfaces and ''wan'' for the WAN interfaces.  A SOHO router uses the LAN +
-bridge psuedo-interface as the single interface for the ''lan'' zone.  It uses +
-the single 802.3 port connected to the WAN as the ''wan'' zone.+
  
-This simplifies the firewall rule logic For example:+:!: Use bridging when combining WLAN and wired Ethernet ports. 
 +Otherwise partition the ports into VLANs.
  
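Review bot: the callout ":!: Use bridging when combining WLAN and wired Ethernet ports. Otherwise partition the ports into VLANs." gives no reason, so a reader cannot tell when "otherwise" applies. Suggest adding that bridged ports share one broadcast domain and one firewall zone, so ports that must be filtered differently from each other (a guest Wi-Fi network, for example) belong in their own VLAN and zone rather than in br-lan. The removed sentence "Conceptually a client station could use an 802.11 WLAN interface and then plug into a hardwired LAN port without any functional difference" expressed the bridged case well and could be kept.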
-  * a rule for a packet originating in a zone must be entering the router on one of the zone'interfaces+===== Firewall zones ====== 
-  * a rule for a packet being forwarded to zone must be exiting the router on one of the zone'interfaces.+The firewall of an OpenWrt router is able to collect interfaces into ''zones'' to more logically filter traffic. 
 +zone can be configured to any set of interfaces but generally there are at least two zones: ''lan'' for the collection of LAN interfaces and ''wan'' for the WAN interfaces.
  
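Review bot: the removed sentences "A SOHO router uses the LAN bridge psuedo-interface as the single interface for the lan zone. It uses the single 802.3 port connected to the WAN as the wan zone." were the only place that stated which interface goes into which zone; the new paragraph names the zones but not the mapping. Suggest carrying the mapping over (br-lan in lan, the WAN port in wan), since the rest of the section assumes it.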
-:!: recognize the **zone** concept does not significantly simplify a simple +This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces: 
-SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.+  * A rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, 
 +  * A rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. 
 + 
 +:!: recognize the **zone** concept does not significantly simplify a simple SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.
 Each interface has a one-to-one mapping with a zone. Each interface has a one-to-one mapping with a zone.
  
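Review bot: the retained line "Each interface has a one-to-one mapping with a zone." contradicts "A zone can be configured to any set of interfaces" a few lines above. The relation is many-to-one: an interface belongs to at most one zone, while a zone may hold several interfaces. Suggest "Each interface belongs to at most one zone; a zone may contain several interfaces." The new bullet list also ends its first item with a comma and its second with a full stop; make the punctuation consistent.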
 ===== Firewall and VLANs ===== ===== Firewall and VLANs =====
 VLAN provisioning and use is documented in: VLAN provisioning and use is documented in:
- 
   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]
   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]
-  * [[docs:guide-user:network:vlan:switch_untaggedvlan_howto|Adding VLANs]] +  * [[docs:guide-user:network:vlan:creating_virtual_switches|Adding VLANs]] 
- +  [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]
-This section documents how to use [[inbox:firewall:firewall3:overview|fw3]] rules to +
-filter traffic on the router for each provisioned VLAN and between VLANs+
- +
-<WRAP center round alert 60%> +
-Need to reconfigure +
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|Reference Network Topology]] +
-to create a guest and internal VLAN with seperate netfilter rule sets. +
-</WRAP> +
- +
-:!: say something about the sw-config command+
  
 +A switch partitioned into multiple VLANs futher helps to organize the switch ports.
 +It is recommended that each VLAN map one-to-one with a zone.
 +The advantage to using a VLAN architecture is the packets are tagged with the VLAN ID to disambiguate routing/firewall decisions.
  
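Review bot: the added link line "  [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]" lacks the "* " bullet marker that the three items above it use, so it will render as a stray indented line rather than the fourth list item. Also "futher" should be "further", and "the packets are tagged with the VLAN ID to disambiguate routing/firewall decisions" is slightly misleading: fw3 does not match on the 802.1Q tag itself; the tag makes the kernel deliver the frame to a distinct VLAN interface, and it is that interface's zone assignment that drives the firewall decision. Saying so would also explain why "each VLAN map one-to-one with a zone" is the recommendation. Dropping the old TODO callouts (the WRAP alert and ":!: say something about the sw-config command") is fine.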
  • Last modified: 2023/09/30 02:39
  • by vgaetera