

Kalcifer

@Kalcifer@sh.itjust.works

All of this user’s content is licensed under CC BY 4.0.


Kalcifer OP, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

For the most part, it has been answered (you can scroll through the comments to see if you want to add any other information to a reply of mine, or someone else), but I would still certainly appreciate other attempts at explanations.

Kalcifer OP, (edited) to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

Input means the packet stops at the router

Ah okay, so if Output: accept is still enabled, then, even though Input: reject is set, the packet can still use the router as a hop in its journey to a device on the router's network? It just can't stop at the router? I guess that makes sense because the device on the router's network is addressed by a port which is a layer above the IP address, so it wouldn't even have a notion of addressing the router unless it just specifies the raw IP.

[EDIT (2024-02-08T00:21Z): Redacted this paragraph after re-reading this comment.] Another thing that is confusing me is the setting for Forward. I would assume that if a packet is destined for a device on the router's network, then that packet is being forwarded from wan to lan, and if Masquerading is enabled, then the destination IP will be modified by the router. But, in the example image we have that Forward: reject is set. How does the packet get forwarded between interfaces if forwarding is disabled?

[EDIT (2024-02-08T00:21Z): Added the following quote, and response.]

When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to already opened connection.

How does the router differentiate between the two? If I remember correctly, nftables uses conntrack to track this sort of stuff. I would guess that the router does the same?

[EDIT (2024-02-08T00:26Z): Added the following update.]

nftables uses conntrack to track this sort of stuff. I would guess that the router does the same?

When I was looking through the settings for the second row, I came across the following setting:

https://sh.itjust.works/pictrs/image/dc459644-af01-48e4-aa00-a9b9a8f54e18.webp

I believe that this setting is accomplishing the behaviour that you described (not allowing connections from wan, but still allowing responses). Correct?

Kalcifer OP, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

It's no problem! Thank you for trying to help 😊

Kalcifer OP, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration

Does this help, OP?

I linked that at the end of my post. I mentioned that I felt it didn't answer my question.

Kalcifer OP, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

Input means packets originating from another device within this zone with the router as the destination.

How does this work with the second rule? Wouldn't any connection from the internet be a connection originating from another device within the wan zone (internet) with the router as the destination? The rule has Input: reject, but I would think that it should then be Input: accept.
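A simplified model, added here as an illustration and not OpenWRT's own code, of how a wan zone's Input/Output/Forward policies combine with the conntrack (established/related) rule; it addresses both the earlier question about Input: reject / Forward: reject with replies still arriving, and the question above about why wan needs Input: reject rather than accept. The zone table, the lan-to-wan forwarding entry and the packet cases are constructed; the evaluation order follows the nftables chains fw4 generates, where the conntrack rule is checked before any zone policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed zone policies mirroring the OpenWRT defaults shown in LuCI
# (wan: Input reject, Output accept, Forward reject, Masquerading on).
ZONES = {
    "wan": {"input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": True},
    "lan": {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "masq": False},
}
# Inter-zone forwardings (OpenWRT "config forwarding" entries): lan -> wan only.
FORWARDINGS = {("lan", "wan")}

@dataclass(frozen=True)
class Packet:
    src_zone: Optional[str]  # zone the packet came in from; None = generated by the router
    dst_zone: Optional[str]  # zone it leaves towards; None = addressed to the router itself
    ct_state: str            # conntrack state: "new", "established" or "related"

def verdict(p: Packet) -> str:
    """Return ACCEPT or REJECT for one packet, in fw4's evaluation order."""
    # 1. Packets of an already tracked flow (replies, related traffic) are accepted
    #    before any zone policy: replies to LAN-initiated connections pass on wan.
    if p.ct_state in ("established", "related"):
        return "ACCEPT"
    # 2. Traffic the router itself generates: the destination zone's Output policy.
    if p.src_zone is None:
        return ZONES[p.dst_zone]["output"]
    # 3. Traffic addressed to the router: the source zone's Input policy.
    if p.dst_zone is None:
        return ZONES[p.src_zone]["input"]
    # 4. Traffic crossing the router. Within one zone the zone's Forward policy
    #    applies; between zones only an explicit forwarding entry allows it.
    if p.src_zone == p.dst_zone:
        return ZONES[p.src_zone]["forward"]
    return "ACCEPT" if (p.src_zone, p.dst_zone) in FORWARDINGS else "REJECT"

def needs_masquerade(p: Packet) -> bool:
    """Source NAT applies to traffic leaving through a zone with masquerading on."""
    return p.dst_zone is not None and ZONES[p.dst_zone]["masq"]

if __name__ == "__main__":
    cases = [
        ("Internet host opens a connection to the router", Packet("wan", None, "new")),
        ("LAN device opens a connection to the internet", Packet("lan", "wan", "new")),
        ("Reply from the internet to that LAN connection", Packet("wan", "lan", "established")),
    ]
    for label, pkt in cases:
        print(f"{label}: {verdict(pkt)}" + (" (masqueraded)" if needs_masquerade(pkt) else ""))
```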

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

Does this make it more clear?

Yes, thank you! Usually, however, most of my issues seem to stem from knowing where configs are, what tools to use for what, or where to find things in the router user interface, etc.

Kalcifer, to linuxmemes in Your .dots have arrived

Firefox has an issue that's been open for 20 years regarding implementing the XDG Base Directory Specification.

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

However, how comfortable are you with routing in general?

Ha, depends what you mean by that. If you mean manually specifying routes in a router, I think I generally understand it, but I am not at all confident in my abilities.

Kalcifer OP, to Selfhosted in [WORKAROUND] Nextcloud port forward stops working when it is moved to a bridged network

I'm not exactly sure what the previous issue was, but it appears that, possibly, the previous bridge that was in use was broken in some way. I have since switched the primary router to one that supports WDS, and created a WDS bridge between the two, and now everything is working as expected.

Kalcifer OP, to homelab in [WORKAROUND] Nextcloud port forward stops working when it is moved to a bridged network

I really appreciate all the help that you provided in this thread! To simplify the setup, I bought a different primary router, flashed OpenWRT to it, then set up a WDS bridge between it and the other router. So far, I've had no issues, and the setup has been greatly simplified. I'm, of course, still curious as to why the previous setup wasn't working, but at least everything is working now.

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

To make sure that I understand correctly, are you describing something similar to what was described in this thread?

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

Interesting, where does the 3rd hop come from? Wouldn't the routing table just point from one router to the other -- so 2 hops?

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

Wait, are you just generally referring to this? That already exists in the form of PPPoE, and, for all intents and purposes, WPA, does it not?

Kalcifer OP, to homelab in Does Avahi work over a bridged network?

This works if B has an interface that is connected to the A subnet

I'm not sure I understand exactly what you mean. Is it not given that if two routers are connected to each other then an interface from either of them will be connected to the other?

but not if you have a PtP between the two routers

What do you mean by PtP? Are you referring to something like WDS, or, in my case, relayd?

Kalcifer, to Selfhosted in Backing-up Single Board Computer

Fair points! I hadn't considered these nuances.
