Firewall Rules and Guest Network

Hi,

I downloaded the latest medkit for Turris Omnia from here (Version 3.11.x last modified at 2020-04-01), so I could check the default firewall values and there’s a setting I don’t understand. In the lan config zone the default option for forward is accept, but there’s also a forwarding config from lan to wan. Why the 2? If lan is configured to accept forward why add another forwarding config? Should the default forward option for lan be reject? Could someone please explain this, because I’m trying to learn more about firewall rules, thank you very much.
Also, even though I don’t have a Guest Wi-fi enabled, I enabled the Guest Network in Foris (for other reasons) but every time I do a Save & Apply in the Firewall section of Luci, the Guest Network gets disabled in Foris, even though everything keeps working as usual. Is this normal? Thank you.

Hi,

It depends on what firewall configuration tool you are familiar with; OpenWrt firewall rules might look confusing.

I’d suggest taking a look at the documentation:

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones

Forwarding inside a zone is a different thing than forwarding between zones.

FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging to the same zone.

Accepting forwarding on a single interface seems weird at first, but if you take a look at /etc/config/network, you’ll see that the lan interface is actually a bridge consisting of multiple interfaces.

Forwarding between zones should be read as: forward everything from the lan zone to anything in the wan zone.

Foris and Luci coexist alongside each other, but each does things its own way regardless of the other one.

Luci allows you to set almost anything (even values that don’t make sense), while Foris will allow you to set only a subset of the available configuration and is very picky about what should be there, even when the configuration basically does the same thing but some details are different.

If you are using both for configuration (although sometimes it is necessary), you can’t expect that everything will work fine, because Foris can’t handle every possible change that might come from Luci and vice versa. So you have to be careful about what you are changing and how.

Hi,

First of all, thank you very much for taking the time to answer my questions! It means a lot. I understood what you said about the difference between forwarding between zones and between interfaces inside the zone. But now you got me even more confused… So firewall zones consist of interfaces/networks themselves, but in the lan zone the only interface is lan, so it doesn’t really matter if forward is accept or reject because there’s only one network/interface in the lan zone. The only zone with 2 interfaces is wan; it consists of wan and wan6. The bridge you’re talking about is in the lan interface, not the lan zone, right? The lan interface is a bridge between eth0, eth2, wlan0 and wlan1. If I’m understanding what you said, then with forward reject in the lan zone, I wouldn’t be able to ping a device on wlan1 if I was on wlan0, right? I thought the forward in zones was between interfaces/networks in the same zone and not physical interfaces (like eth0). Sorry to bother you with this… But I had already read through the OpenWrt documentation and it didn’t clear these doubts. The lan zone is supposed to be the safe zone, but if the general setting for forward is set to reject, as it is in the settings of vpn_turris and guest_turris, why not in the lan zone too? Again, thank you very much for your help.
As to the Guest Network part, I’m sorry I didn’t explain myself better, but I didn’t change anything in the Firewall section of Luci, that’s why I was asking about this. If you enable Guest Network in Foris and then go to Luci --> Firewall --> Traffic Rules and hit Save & Apply without changing anything, Guest Network gets disabled in Foris, even though everything keeps working as usual.

I got a few things mixed up, so disregard that advice.
You got it right - even though with a single interface ACCEPT/REJECT shouldn’t make a difference, there is no reason to set ACCEPT there.

Thanks for the clarification, I was able to reproduce it exactly as you described it.

There is indeed a “bug” in handling guest network rules, which is also quite a good example of Foris and LuCi coexistence.

This situation is caused by different treatment of firewall rules from both admin interfaces.

Foris uses option enabled to detect if the setting is applied.
LuCi, on the other hand, uses option enabled only as confirmation that this particular config section is disabled (option disabled 0), while the mere existence of a section is considered as enabled.

Thus when you do “Save & Apply” in LuCi, it deletes option enabled in all relevant config sections and Foris then doesn’t consider the guest network as active, even though it actually is active.

I’m not sure what the best solution is here. In my opinion, using option enabled in all cases is simpler to work with, but apparently the LuCi developers think otherwise.

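As an added example (not code from the thread, Turris or OpenWrt), a small Python script that parses a constructed UCI firewall fragment and models both points discussed above: a zone's own forward option versus a separate config forwarding section, and the Foris versus LuCI reading of option enabled after a "Save & Apply". The sample config, the function names and the emulated Save & Apply behaviour are assumptions made for illustration.

```python
# Constructed UCI snippet for illustration, not a real Omnia /etc/config/firewall.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option forward 'REJECT'
    list network 'lan'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule 'guest_dns'
    option src 'guest_turris'
    option dest_port '53'
    option target 'ACCEPT'
    option enabled '1'
"""

def parse_uci(text):
    """Return (type, name, options) triples; 'list' values collect into lists."""
    sections = []
    for parts in (l.split(None, 2) for l in text.splitlines() if l.strip()):
        val = parts[2].strip("'\"") if len(parts) > 2 else None
        if parts[0] == "config":
            sections.append((parts[1], val, {}))
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(val)
        else:  # option
            sections[-1][2][parts[1]] = val
    return sections

def forward_verdict(sections, src_zone, dest_zone):
    """Same zone: the zone's own 'option forward' applies (traffic between its
    interfaces). Different zones: a matching 'config forwarding' is required."""
    if src_zone == dest_zone:
        zone = next(o for t, _, o in sections if t == "zone" and o.get("name") == src_zone)
        return zone.get("forward", "REJECT")
    hit = any(t == "forwarding" and o.get("src") == src_zone and o.get("dest") == dest_zone
              for t, _, o in sections)
    return "ACCEPT" if hit else "REJECT"

def rule_enabled_foris(opts):
    """Foris-style reading: no 'option enabled' means the rule is not active."""
    return opts.get("enabled") == "1"

def rule_enabled_luci(opts):
    """LuCI-style reading: an existing section is enabled unless 'option enabled 0'."""
    return opts.get("enabled", "1") != "0"

def luci_save_apply(sections):
    """Emulate the observed 'Save & Apply' (assumption): drop 'option enabled' where it is '1'."""
    return [(t, n, {k: v for k, v in o.items() if not (k == "enabled" and v == "1")})
            for t, n, o in sections]
```

Run the two enabled checks on the guest_dns rule before and after luci_save_apply to see the same section read as active by the LuCI rule and inactive by the Foris rule, which is the behaviour reported in the thread.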

Hi,

Thank you for your reply! So will the default lan setting for forward change to reject in Turris or will it stay accept? I had already changed it to reject in my config, just wondering since there’s no reason to accept. Regarding the guest network, it’s a very small “bug” that we can live with, thanks for the clarification.
I also found two other strange things with the firewall settings:
I enabled drop invalid packets in Luci -> Firewall -> General Settings but no option drop_invalid ‘1’ is added to config defaults in /etc/config/firewall. Is this normal?
The other thing is the default dhcp and dns rules for the guest network: since ipv6 is disabled (by default) on this interface, why do these rules accept input from ipv6? Shouldn’t it be just ipv4? Thank you very much for your help!