Differences
This shows you the differences between two versions of the page.
| inbox:firewall:firewall3:fw3_network [2018/09/11 01:59] – dturvene | docs:guide-user:firewall:fw3_network [2023/09/30 02:22] – [Firewall Zones] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Firewall and Network Interfaces | + | ====== Firewall and network interfaces |
| - | The goal of a router is forward packet streams from incoming network interfaces to | + | The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. |
| - | outgoing network interfaces. | + | Firewall rules add another layer of granularity to what is allowed to be forwarded |
| - | to what is allowed to be forwarded - and additionally | + | This section discusses the relationships between the firewall code and the network interfaces. |
| - | inputted to, and outputted from,l the router itself. | + | |
| - | relationships between the firewall code and the network interfaces. | + | |
| - | At the heart of all routers is a hardware switch with a number interface ports. | + | At the heart of all routers is a hardware switch with a number |
| - | When a packet enters one of the switch ports, the hardware switch matches a | + | When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards the packet to an output port which transmits it. |
| - | fixed field in the packet and forwards the packet to an output port which | + | |
| - | transmits it. The switch generally uses the the layer-2 destination MAC | + | |
| - | address in the packet to switch on. Each port has a MAC cache, which gradually | + | |
| - | ages-out. | + | |
| - | (e.g. ARP) are used to discover which switch port can deliver a packet to the | + | |
| - | destination MAC. | + | |
| - | OpenWrt routers have two types of LAN interface: wired | + | The switch generally uses the layer-2 destination MAC address in the packet to switch on. |
| - | ethernet | + | Each port has a cache of MAC addresses for stations reachable by (attached to) that port. Entries in the MAC cache gradually out, so must be re-discovered if used again. |
| - | wireless | + | Layer-2 frames with a known destination MAC are switched to the desired LAN port. |
| + | If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC. | ||
| + | |||
| + | OpenWrt routers have two types of LAN interface: wired Ethernet | ||
| The wired LAN ports each map directly to a single switch port. | The wired LAN ports each map directly to a single switch port. | ||
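Review bot: the new revision's switch paragraph above drops a verb: "Entries in the MAC cache gradually out" should read "gradually age out" (the old revision had "ages-out"). The same paragraph also misattributes MAC discovery to ARP: a learning switch fills its MAC cache from the source address of every frame it receives, and when a destination MAC is unknown it floods that frame itself out of every port except the ingress port (unknown-unicast flooding); the reply then populates the cache. ARP is a host-side mechanism that maps an IP address to a MAC address and happens to be sent as a broadcast, so it is one of the frames that gets flooded, not the switch's discovery mechanism. Suggest: "If the destination MAC is not in the cache, the switch floods the frame to all other ports and learns the correct port from the reply."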
| - | Generally there is one 802.11 | + | Generally there is one 802.11 |
| - | chip (2.4Ghz, 5Ghz). | + | Each handles one or more [[https:// |
| - | [[https:// | + | The Wi-Fi chips convert |
| - | (e.g. 802.11a, 802.11n) and ancillary support for wireless networks | + | All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port. |
| - | (e.g. 802.11s mesh networking). | + | |
| - | into a canonical ethernet frame injected into the switch port for routing. | + | |
| - | All wifi stations connected to the 802.11 Access Point use the same radio(s) | + | |
| - | and the same switch port. | + | |
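Review bot: "injected into the switch port" and "the same switch port" in the Wi-Fi paragraph above are misleading. On OpenWrt the wireless interface is a separate Linux network device that is joined to the wired ports in software by the kernel bridge; frames from Wi-Fi stations reach the hardware switch only via the switch's CPU port and are not injected into a dedicated switch port. Suggest "the same bridge" in place of "the same switch port".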
| - | Layer-2 frames | + | ===== LAN bridge ===== |
| - | port. | + | {{section> |
| - | (e.g. ARP) is flooded | + | The LAN bridge combines the WLAN interface(s) |
| - | destination MAC. After that the destination MAC is bound to that port for a | + | All switch |
| - | period of time. | + | |
| - | ===== LAN Bridge ===== | + | The new pseudo-interface |
| - | The LAN bridge combines the WLAN interface(s) with the 802.3 LAN ports to | + | |
| - | create | + | |
| - | '' | + | |
| - | '' | + | |
| - | together. | + | |
| - | The new psuedo-interface has a '' | + | :!: Use bridging when combining WLAN and wired Ethernet ports. |
| - | generally '' | + | Otherwise partition the ports into VLANs. |
| - | :!: Use bridging when combining WLAN and wired ethernet ports. | + | See Also: [[docs:guide-user: |
| - | partition the ports into VLANs. | + | |
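Review bot: the ":!:" advice above presents bridging and VLANs as alternatives ("Otherwise partition the ports into VLANs"), but they are orthogonal: partitioning the switch into VLANs yields one interface per VLAN, and each of those is normally still bridged with the wireless interface(s) that belong to the same network. Suggest rewording to: use VLANs to partition the switch ports between networks, and bridge each VLAN interface with the WLAN interface(s) for that network.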
| - | ===== Firewall | + | ===== Firewall |
| - | The firewall of an OpenWrt router is able to collect interfaces into '' | + | The firewall of an OpenWrt router is able to collect interfaces into '' |
| - | to more logically filter traffic. A zone can be configured to any set of | + | A zone can be configured to any set of interfaces but generally there are at least two zones: '' |
| - | interfaces but generally there are at least two zones: '' | + | |
| - | collection of LAN interfaces and '' | + | |
| - | This simplifies the firewall rule logic somewhat by conceptually grouping the | + | This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces: |
| - | interfaces: | + | * A rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, |
| + | * A rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. | ||
| - | * a rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, | + | :!: recognize the **zone** concept does not significantly simplify a simple SOHO router with a single '' |
| - | * a rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. | + | |
| - | + | ||
| - | :!: recognize the **zone** concept does not significantly simplify a simple | + | |
| - | SOHO router with a single '' | + | |
| Each interface has a one-to-one mapping with a zone. | Each interface has a one-to-one mapping with a zone. | ||
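Review bot: "Each interface has a one-to-one mapping with a zone" (unchanged context) contradicts "A zone can be configured to any set of interfaces" earlier in the same section, and the lan/wan example there already has the lan zone containing all the LAN interfaces. The relation is many-to-one: an interface is assigned to a single zone, while a zone may contain several interfaces. Suggest: "Each interface belongs to a single zone; a zone may contain many interfaces."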
| ===== Firewall and VLANs ===== | ===== Firewall and VLANs ===== | ||
| VLAN provisioning and use is documented in: | VLAN provisioning and use is documented in: | ||
| - | |||
| * [[docs: | * [[docs: | ||
| * [[docs: | * [[docs: | ||
| - | * [[docs: | + | * [[docs: |
| - | * [[inbox: | + | * [[docs: |
| - | A switch partitioned into multiple VLANs futher helps to organize the switch | + | A switch partitioned into multiple VLANs futher helps to organize the switch ports. |
| - | ports. | + | It is recommended that each VLAN map one-to-one with a zone. |
| - | advantage to using a VLAN architecture is the packets are tagged with the VLAN | + | The advantage to using a VLAN architecture is the packets are tagged with the VLAN ID to disambiguate routing/ |
| - | id to disambiguate routing/ | + | |
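Review bot: "futher" in the VLAN paragraph is carried over unchanged from the old revision; it should be "further". Also, "packets are tagged with the VLAN ID" holds only on tagged (trunk) ports and on the switch's CPU port; on an untagged access port the frame carries no tag on the wire and the switch assigns the port's VLAN internally, so the router sees the tag but the attached host never does. Worth stating explicitly, since it is the tag on the CPU port that lets the router present each VLAN as a distinct interface for the firewall to place in a zone.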