I have been banging my head against this for a while, and after reading through multiple threads with no results, I figured I should just submit my own question.
So, I have a test environment right now, no external connection; eth0 will be the WAN but is currently disconnected.
Eth1 is trunked with VLAN 10 & 11 on it, eth2 connects to my computer.
I can ping among the networks on the router:
eth1.10: 10.80.23.0/24
eth1.11: 172.16.0.0/24
eth2: 192.168.1.0/24
I am attempting to follow this guide to implement a zone-based firewall:
Before I implement the zones on the interfaces I can ping from the switch to the router's interfaces; everything is working.
However, after implementation it will not get through.
tcpdump shows that the ICMP packet is getting to the switch and getting returned on the 10.80.23.0 network:
```
ubnt@ubntRtr# sudo tcpdump -i eth1 -n -vv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:31:28.778849 IP (tos 0x0, ttl 127, id 24834, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.2 > 10.80.23.252: ICMP echo request, id 1, seq 5552, length 40
01:31:28.780007 IP (tos 0x0, ttl 64, id 18483, offset 0, flags [none], proto ICMP (1), length 60)
    10.80.23.252 > 192.168.1.2: ICMP echo reply, id 1, seq 5552, length 40
01:31:29.303235 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.f4:8e:38:14:d1:e4.8017, length 43
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.f4:8e:38:14:d1:e4, root-pathcost 0, port-role Designated
01:31:31.303187 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.f4:8e:38:14:d1:e4.8017, length 43
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.f4:8e:38:14:d1:e4, root-pathcost 0, port-role Designated
01:31:33.303141 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.f4:8e:38:14:d1:e4.8017, length 43
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.f4:8e:38:14:d1:e4, root-pathcost 0, port-role Designated
01:31:33.779575 IP (tos 0x0, ttl 127, id 24835, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.2 > 10.80.23.252: ICMP echo request, id 1, seq 5553, length 40
01:31:33.780732 IP (tos 0x0, ttl 64, id 20688, offset 0, flags [none], proto ICMP (1), length 60)
    10.80.23.252 > 192.168.1.2: ICMP echo reply, id 1, seq 5553, length 40
01:31:35.303094 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.f4:8e:38:14:d1:e4.8017, length 43
    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
    root-id 8000.f4:8e:38:14:d1:e4, root-pathcost 0, port-role Designated
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
```
However, for some reason, somewhere in the translation between eth1 and eth2 it gets dropped:
```
ubnt@ubntRtr# sudo tcpdump -i eth2 -n -vv not port 22
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
01:32:46.877174 IP (tos 0x0, ttl 1, id 30107, offset 0, flags [none], proto UDP (17), length 302)
    192.168.1.2.54502 > 239.255.255.250.1900: [udp sum ok] UDP, length 274
01:32:48.778444 IP (tos 0x0, ttl 128, id 24850, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.2 > 10.80.23.252: ICMP echo request, id 1, seq 5568, length 40
01:32:51.877709 IP (tos 0x0, ttl 1, id 30108, offset 0, flags [none], proto UDP (17), length 302)
    192.168.1.2.54502 > 239.255.255.250.1900: [udp sum ok] UDP, length 274
01:32:53.778822 IP (tos 0x0, ttl 128, id 24851, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.2 > 10.80.23.252: ICMP echo request, id 1, seq 5569, length 40
01:32:56.879040 IP (tos 0x0, ttl 1, id 30109, offset 0, flags [none], proto UDP (17), length 302)
    192.168.1.2.54502 > 239.255.255.250.1900: [udp sum ok] UDP, length 274
01:32:58.778846 IP (tos 0x0, ttl 128, id 24852, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.2 > 10.80.23.252: ICMP echo request, id 1, seq 5570, length 40
01:33:01.877127 IP (tos 0x0, ttl 1, id 30110, offset 0, flags [none], proto UDP (17), length 302)
    192.168.1.2.54502 > 239.255.255.250.1900: [udp sum ok] UDP, length 274
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
```
Obviously somewhere in the eth2>local>eth1>switch>eth1>local>eth2 there is a disconnect.
I believe that the path up to eth2>local>eth1>switch>eth1 is functional, since I can see an echo reply on eth1.
I tried making all zones ALLOW-ALL but WAN thinking I can narrow down what is blocking the connection, but even that doesn't seem to help.
Any thoughts would be appreciated, and my config follows:
```
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ALLOW-ALL {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name ALLOW-EST-DROP-INV {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name LAN-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description WAN
        dhcp-options {
            name-server no-update
        }
    }
    ethernet eth1 {
        description "Wired and guest networks"
        vif 10 {
            address 10.80.23.1/24
            description "Wired VLAN"
        }
        vif 11 {
            address 172.16.0.1/24
            description "Guest VLAN"
        }
    }
    ethernet eth2 {
        address 192.168.1.1/24
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        shared-network-name Guest {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 172.16.0.1
                lease 86400
                start 172.16.0.11 {
                    stop 172.16.0.250
                }
            }
        }
        shared-network-name Wired {
            authoritative disable
            subnet 10.80.23.0/24 {
                default-router 10.80.23.1
                dns-server 10.80.23.1
                lease 86400
                start 10.80.23.11 {
                    stop 10.80.23.250
                }
            }
        }
    }
    dns {
        forwarding {
            listen-on eth1.1
            listen-on eth1.2
        }
    }
    gui {
    }
    nat {
        rule 5010 {
            description "Masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
    }
}
system {
    host-name XXX
    login {
        user XXXX {
            authentication {
                encrypted-password XXXXX
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    zone LAN1 {
        default-action drop
        from LAN2 {
            firewall {
                name ALLOW-ALL
            }
        }
        from LOCAL {
            firewall {
                name ALLOW-ALL
            }
        }
        from WAN {
            firewall {
                name ALLOW-EST-DROP-INV
            }
        }
        interface eth1
    }
    zone LAN2 {
        default-action drop
        from LAN1 {
            firewall {
                name ALLOW-ALL
            }
        }
        from LOCAL {
            firewall {
                name ALLOW-ALL
            }
        }
        from WAN {
            firewall {
                name ALLOW-EST-DROP-INV
            }
        }
        interface eth2
    }
    zone LOCAL {
        default-action drop
        from LAN1 {
            firewall {
                name ALLOW-ALL
            }
        }
        from LAN2 {
            firewall {
                name ALLOW-ALL
            }
        }
        from WAN {
            firewall {
                name ALLOW-EST-DROP-INV
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN1 {
            firewall {
                name ALLOW-ALL
            }
        }
        from LAN2 {
            firewall {
                name ALLOW-ALL
            }
        }
        from LOCAL {
            firewall {
                name LAN-LOCAL
            }
        }
        interface eth0
    }
}
[edit]
```
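Added example (not from the original post or from EdgeOS): a Python check that parses a brace-style EdgeOS configuration and lists every interface carrying an address that is a member of no zone. It relies on the fact that zone membership is matched by exact interface name, so a VLAN sub-interface such as eth1.10 is a different name from its parent eth1; the embedded config is a constructed excerpt of the post's interfaces and zone-policy trees (eth0/WAN, firewall rule sets and zone defaults omitted).

```python
# Constructed excerpt of the post's config (eth0/WAN and firewall rules omitted), one statement per line.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth1 {
        vif 10 {
            address 10.80.23.1/24
        }
        vif 11 {
            address 172.16.0.1/24
        }
    }
    ethernet eth2 {
        address 192.168.1.1/24
    }
}
zone-policy {
    zone LAN1 {
        interface eth1
    }
    zone LAN2 {
        interface eth2
    }
}
"""

def leaves(text):
    # Walk the brace structure, yielding (path of enclosing blocks, leaf statement).
    path = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line:
            yield tuple(path), line

def unzoned_interfaces(text):
    addressed, zoned = set(), set()
    for path, stmt in leaves(text):
        if len(path) > 1 and path[0] == "interfaces" and stmt.startswith("address "):
            name = path[1].split()[1]                    # "ethernet eth1" -> "eth1"
            if len(path) > 2 and path[2].startswith("vif "):
                name += "." + path[2].split()[1]         # "vif 10"        -> "eth1.10"
            addressed.add(name)
        elif path and path[0] == "zone-policy" and stmt.startswith("interface "):
            zoned.add(stmt.split()[1])
    # Zone membership is by exact name: "interface eth1" does not cover eth1.10 or eth1.11.
    return sorted(addressed - zoned)
```

Running `unzoned_interfaces(SAMPLE_CONFIG)` on this excerpt returns the two VLAN sub-interfaces; adding them to a zone with `interface eth1.10` / `interface eth1.11` empties the list.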