Networking Issues (Turris Omnia)

libre · April 21, 2023, 9:00pm

Hello, I have the following device:

Turris Omnia
Turris OS version: 6.3.1
Kernel version: 5.15.96

Have some issues with the LAN interface; which has the following settings:

https://192.168.1.1/cgi-bin/luci/admin/network/network:

LAN

Protocol: Static address
Device: br-lan
IPv4 address: 192.168.1.1
IPv4 netmask: 255.255.255.0

The WAN interface is set to DHCP client and passes the WAN connection test
in reForis admin webpage.

The problem is not with the WAN connection, which passes the diagnostic ping test, but
with the LAN connection. When a ping is attempted from a device on the LAN to
a DNS server, this test fails. The error message is (Destination Host Unreachable)

So the question is, why is the WAN connection ping working fine, but the ping from
within the LAN fails?

AreYouLoco · April 21, 2023, 9:52pm

I suspect NAT is the problem. Check if you have Masquerade enabled on WAN zone in Firewall settings. Also you posted a link to private address in your network and nobody but you can access that. Its not public IP.

libre · April 22, 2023, 4:57pm

this should be a public ip address as opposed to private? Would it be helpful to post logs?

libre · April 22, 2023, 5:01pm

There is no masquerade setting applied currently.

AreYouLoco · April 22, 2023, 5:08pm

But there should be. By default on WAN zone and on TR_VPN zone if you use OpenVPN. So most likely you disabled NAT Masquerading

libre · April 22, 2023, 6:59pm

you are correct that masquerading was turned off. what does this setting do exactly?
is there a wiki article on this? Also, is there a wiki article on how to setup the firewall settings?

Thank you

libre · April 22, 2023, 7:14pm

are there any tools I can use to pentest my firewall and ensure the settings are correct?

AreYouLoco · April 22, 2023, 7:29pm

If you are unsure about the setting you should stick with defaults. That are sufficiently secure. Mark topic as solved if you think it solved your issue

libre · April 22, 2023, 7:38pm

Yeah you solved the issue. Was just wondering if there are any wiki resources regarding firewall configuration.

DIKKEHENK · April 23, 2023, 8:23am

sorry, nOOb here on this, but are these settings correct?

AreYouLoco · April 23, 2023, 10:01am

There is no good settings. Depends on what you are trying to achieve. These are the defaults. There is ongoing debate if one should use Drop or Reject on Input. But should be ok with Reject. Also the rest of the settings are safe defaults.

moeller0 · April 23, 2023, 10:40am

Which partially seems to be based on misinformation… the difference is:
drop: will silently ignore unsolicited packets for which no exempting rules exist in the firewall configuration
reject: additionally will tell the sender that a packet was rejected

One big argument for “drop” seems to be that that way the existence of an address can be hidden or “stealthed” however many ISPs will generate differential responses whether an IP address is in use or not, so “drop” will not make your router invisible. (It will still offer less information for fingerprinting so a remote party will have a harder time figuring out what OS that router is using).

+1;

tac2 · April 23, 2023, 12:26pm

As the os is based on openwrt this is a good place to start

system · April 26, 2023, 12:26pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.