Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_network [2019/01/12 10:28] dturvene
docs:guide-user:firewall:fw3_network [2023/09/30 02:22] – [Firewall Zones] vgaetera
Line 1: Line 1:
-====== Firewall and Network Interfaces ====== +====== Firewall and network interfaces ====== 
-The goal of a router is to forward packet streams from incoming network interfaces to +The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. 
-outgoing network interfaces.  Firewall rules add another layer of granularity +Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and outputted from, the router itself. 
-to what is allowed to be forwarded across interfaces - and additionally which packets are  +This section discusses the relationships between the firewall code and the network interfaces.
-allowed to be +
-inputted to, and outputted from, the router itself.  This section discusses the +
-relationships between the firewall code and the network interfaces.+
  
-At the heart of all routers is a hardware switch with a number interface ports. +At the heart of all routers is a hardware switch with a number of interface ports. 
-When a packet enters one of the switch ports, the hardware switch matches a +When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards the packet to an output port which transmits it.
-fixed field in the packet and forwards the packet to an output port which +
-transmits it.  +
  
-The switch generally uses the the layer-2 destination MAC +The switch generally uses the layer-2 destination MAC address in the packet to switch on. 
-address in the packet to switch on.  Each port has a cache of MAC addresses for  +Each port has a cache of MAC addresses for stations reachable by (attached to) that port.  Entries in the MAC cache gradually out, so must be re-discovered if used again. 
-stations reachable by (attached to) that port.  Entries in the MAC cache gradually +Layer-2 frames with a known destination MAC are switched to the desired LAN port. 
-out, so must be re-discovered if used again.  +If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC.
-Layer-2 frames with a known destination MAC are switched to the desired LAN +
-port.  If the MAC is not present anywhere in the switch cache, a broadcast packet +
-(e.g. ARP) is flooded to all LAN ports to discover which has access to the +
-destination MAC.+
  
-OpenWrt routers have two types of LAN interface: wired +OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE802.11.)
-ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and +
-wireless ethernet (IEEE802.11.)+
  
 The wired LAN ports each map directly to a single switch port. The wired LAN ports each map directly to a single switch port.
-Generally there is one 802.11 wifi port attached to a Wifi radio +Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4Ghz, 5Ghz). 
-chip (2.4Ghz, 5Ghz).  Each handles one or more +Each handles one or more [[https://en.wikipedia.org/wiki/IEEE_802.11|IEEE802.11 standard]] protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). 
-[[https://en.wikipedia.org/wiki/IEEE_802.11|IEEE802.11 standard]] protocols +The Wi-Fi chips convert the 802.11 signal into a canonical ethernet frame injected into the switch port for routing. 
-(e.g. 802.11a, 802.11n) and ancillary support for wireless networks +All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port.
-(e.g. 802.11s mesh networking).  The wifi chips convert the 802.11 signal +
-into a canonical ethernet frame injected into the switch port for routing. +
-All wifi stations connected to the 802.11 Access Point use the same radio(s) +
-and the same switch port.+
  
 +===== LAN bridge =====
 +{{section>meta:infobox:howto_links#config-network-device&noheader&nofooter&noeditbutton}}
 +The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network.  In the ''interface'' configuration set ''option type bridge'' or in LuCI // Network->Interfaces->LAN // ''Bridge interfaces'' box and select the physical interfaces to bridge together.
 +All switch ports in the bridge will act as a single network.
  
 +The new pseudo-interface has a ''br-'' prepended to the interface name, generally ''br-lan''.
  
-===== LAN Bridge ===== +:!: Use bridging when combining WLAN and wired Ethernet ports. 
-The LAN bridge combines the WLAN interface(s) with the wired LAN ports to +Otherwise partition the ports into VLANs.
-create a single logical network In the ''interface'' configuration set +
-''option type bridge'' or in LuCI // Network->Interfaces->LAN // +
-''Bridge interfaces'' box and select the physical interfaces to bridge +
-together.  All switch ports in the bridge will act as a single network.+
  
-The new psuedo-interface has a ''br-'' prepended to the interface name, +See Also: [[docs:guide-user:firewall:fw3_configurations:bridge|Bridge firewall]]
-generally ''br-lan''.+
  
-:!: Use bridging when combining WLAN and wired ethernet ports Otherwise +===== Firewall zones ====== 
-partition the ports into VLANs.+The firewall of an OpenWrt router is able to collect interfaces into ''zones'' to more logically filter traffic
 +A zone can be configured to any set of interfaces but generally there are at least two zones: ''lan'' for the collection of LAN interfaces and ''wan'' for the WAN interfaces.
  
-===== Firewall Zones ====== +This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces: 
-The firewall of an OpenWrt router is able to collect interfaces into ''zones'' +  rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, 
-to more logically filter traffic. A zone can be configured to any set of +  * A rule for a packet being forwarded to a zone must be exiting the router on one of the zone'interfaces.
-interfaces but generally there are at least two zones: ''lan'' for the +
-collection of LAN interfaces and ''wan'' for the WAN interfaces.+
  
-This simplifies the firewall rule logic somewhat by conceptually grouping the +:!: recognize the **zone** concept does not significantly simplify a simple SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.
-interfaces: +
- +
-  * a rule for a packet originating in a zone must be entering the router on one of the zone's interfaces, +
-  * a rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces. +
- +
-:!: recognize the **zone** concept does not significantly simplify a simple +
-SOHO router with a single ''br-lan'' interface and a single ''wan'' interface.+
 Each interface has a one-to-one mapping with a zone. Each interface has a one-to-one mapping with a zone.
  
 ===== Firewall and VLANs ===== ===== Firewall and VLANs =====
 VLAN provisioning and use is documented in: VLAN provisioning and use is documented in:
- 
   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]   * [[docs:guide-user:network:vlan:switch|VLAN Overview]]
   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]   * [[docs:guide-user:network:vlan:switch_configuration|HW switch configuration]]
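Review bot: the first bullet of the zone list in the new revision lost its list marker: `  rule for a packet originating in a zone must be entering the router on one of the zone's interfaces,` is indented two spaces with no `*`, which DokuWiki renders as a preformatted block instead of a list item, so it should be restored to `  * A rule for a packet originating in a zone ...` to match the bullet after it. In the same hunk, the heading `===== Firewall zones ======` has five `=` on the left and six on the right where every other heading on the page uses five on both sides; `one of the zone'interfaces` should read `one of the zone's interfaces`; the sentence ending `to more logically filter traffic` has lost its full stop; and three problems carried over from the old text remain unfixed: `Entries in the MAC cache gradually out` is missing its verb (age out or time out), `2.4Ghz, 5Ghz` should use the unit symbol GHz, and `canonical ethernet frame` is the one lowercase Ethernet left after the revision capitalised it everywhere else.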
Line 74: Line 50:
   * [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]   * [[docs:guide-user:firewall:fw3_configurations:fw3_dmz|Use VLANs to partition a DMZ]]
  
-A switch partitioned into multiple VLANs futher helps to organize the switch +A switch partitioned into multiple VLANs futher helps to organize the switch ports. 
-ports.  It is recommended that each VLAN map one-to-one with a zone.  The +It is recommended that each VLAN map one-to-one with a zone. 
-advantage to using a VLAN architecture is the packets are tagged with the VLAN +The advantage to using a VLAN architecture is the packets are tagged with the VLAN ID to disambiguate routing/firewall decisions.
-id to disambiguate routing/firewall decisions.+
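Review bot: `futher` in `A switch partitioned into multiple VLANs futher helps to organize the switch ports.` is a typo carried over unchanged from the old revision; since this hunk already rewraps the paragraph, it should also correct the word to `further`.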
  
  • Last modified: 2023/09/30 02:39
  • by vgaetera