Enabling firewall rule causes router to reboot

jfrodsham · November 7, 2023, 9:34pm

I am trying to control my child’s access to the internet with a firewall rule.

I blurred the mac addresses, but that is the rule.

It causes the router to completely reboot to enable the rule, this is disruptive to everyone else.
It keeps injecting another mac address (I have not figured out what device it yet) in the list.
When I tried to delete the odd mac address from the list it reboots and then says “rolled back changes” and the mac is still there. I disabled the rule then was able to delete it.

I get that message pop up if I try to enable the rule without the extra MAC in the list. Am I even taking the right approach? What is the best way to flip his access on and off? (I added his PC and tablet MACs to the rule)

Thank you,
Justin

peci1 · November 8, 2023, 12:53am

This seems all weird.

You should not have “From this device”. “This device” is the router, not your kid’s device(s). I think it should be From LAN to WAN.

jfrodsham · November 8, 2023, 4:31pm

It seems I have grossly misinterpreted what I was looking at. I haven’t tried it yes as I got distracted by another issue, but I attached my new best guess.

Admittedly in hindsight this makes a lot more sense.

Thanks,
J

peci1 · November 8, 2023, 4:42pm

And does it work for you now?

cassianoleal · November 10, 2023, 9:15am

Just as a (slightly pedantic) tentative for clarification.

The router didn’t reboot. The reason why the operation was disruptive is that the firewall rule stopped the router from sending packets anywhere, so whatever network activity was going through it (all of it, most likely), would simply stop there. That also meant it couldn’t sent packets back to your browser, and after a few seconds (1 minute if I recall correctly) it rolled back the firewall change which restored your connection.

The MAC address it was putting there is likely that of one of the router’s NICs.

IMO that’s not great behaviour. If it was detected that the rule didn’t make sense, LuCI should warn the user rather than taking charge and modifying user-specified settings on its own.

peci1 · November 10, 2023, 9:26am

Oh, how much I’d like to have a “firewall sanity checker” Unfortunately, I don’t know of anything like that. The variety of possible configurations is possibly so large that almost no configuration can be marked invalid.

cassianoleal · November 10, 2023, 9:53am

I agree with you in general.

The most important point I was trying to make was not that a sanity checking should exist, but rather that the system should never override settings created by the user.

If it detects a situation where it thinks that would make sense, it should warn the user instead rather than sweeping the proverbial rug from under the user’s feet.

I will emphasise that this is based on the assumption that this is what went on which I have not proved or disproved.

peci1 · November 10, 2023, 10:50am

There is no “it thinks”. What LuCI does is just apply the configuration and test connection to the router. If the connection is broken, there is no way the GUI could instruct the router to do anything. So the authors implemented at least this server-side check. But yes, what could be there, is a checkbox configuring this fallback behavior. But I don’t think there currently is something like that.

cassianoleal · November 10, 2023, 11:37am

This is what I’m referring to.

jfrodsham · November 12, 2023, 6:18am

Yes, it does work now. No odd behavior while enabling either.