Please help with Firewall setting

Hi All,

I have issues understanding the firewall concept of my Turris Omnia (6.3.3).

My environment is like this:
Internet - ISP Router (x.x.1.1)
ISP Router - Turris (x.x.2.1)
static IP for Playstation x.x.2.40 (connected by wifi)

I want to access my PlayStation from outside (using Wake-on-LAN with the Remote Play app).
Everything else should not be able to connect.

My Turris Firewall Setting is like this:
General Settings:

  • Input: Reject
  • Output: Reject
  • Forward: Reject

Zone WAN - Reject:

  • Input: Reject
  • Output: Reject
  • Forward: Reject

Zone LAN - WAN:

  • Input: Accept
  • Output: Accept
  • Forward: Accept

Traffic Rule:

  • No rules

Based on these settings, a connection (from mobile) can be established to the PlayStation.
And I don’t understand why. In my understanding it should be blocked, right?
Can anyone please, please help here? :slight_smile:

Thanks a lot OI

Simple question: is the first router in gateway mode (it should be)?
Is the first router “Internet - ISP Router (x.x.1.1)” necessary? Why?

Hi @JardaB ,
thanks a lot for your reply.

No, the ISP router does not support gateway mode. I have a static route to the Turris.
Why: I need it because of my ISP’s TV over IP. I also use the ISP router for the guest Wi-Fi and the surveillance camera network. The Turris is for internal and IT devices.

Therefore, as a test, I would like to block every incoming request from WAN to LAN, apart from my specifications. As a test: access to my PlayStation.

I tried a lot of configs, but it doesn’t make any sense to me.
Thanks for your help.
Best regards,
Ozzy

I’m trying to understand your setup. Do you have multiple public IPv4 addresses? Or do you have NAT running on both routers? If (x.x.1.1) is like 192.168.1.1 or 10.1.1.1 you don’t need to hide the numbers; it is a common addressing plan.
If you have two NATs, and no port forwarding, and are still able to connect from the public Internet to LAN devices, then there is something really wrong in your network setup.
If you are rejecting all traffic on WAN, you are effectively blocking any traffic on the interface.
How do you connect your mobile to your PlayStation? Doesn’t the PlayStation have some kind of tunneling that would make it work automatically behind NAT?

Let me try to explain in more detail.
My ISP router has the IP 192.168.1.1 and is connected to the internet.
At the WAN port of the ISP router my Turris is wired with a static IP 192.168.1.2.

From the ISP router to the Turris there is a static route: target network 192.168.2.0, forward to 192.168.1.2.
On my Turris I have the interfaces WAN and LAN (internal IT devices and PlayStation).
The Turris network setting is 192.168.2.1 (<- it is a different “internal” IP than the static IP from the ISP router).

My aim is to block every connection from WAN to LAN, as long as I don’t set a specific policy to allow traffic.

And what I don’t understand is my settings:
wan > drop: input, output and forward are drop
lan (every eth and wifi) > wan: allow

In my understanding, every connection from WAN to LAN should now be stopped, and so the connection from the ISP over WAN to my LAN should also be blocked, right?

Maybe I do not understand the concept of zoning. The GUI is a bit strange, especially within the zone settings.

//Edit: Let me test something else.
I have my iPad over Wi-Fi at the ISP with a static IP: 192.168.1.150.
With the current settings, I am not allowed to connect to the Turris (192.168.2.1).

Now I create a traffic policy: from WAN, IP 192.168.1.150, to LAN, destination 192.168.2.1: allow. But the connection is not working.

///Edit:
I also tried these settings:
Zone WAN to LAN: input, output, forward to drop
Traffic policy: from WAN (source IP iPad 192.168.1.150) to LAN (IP 192.168.2.1): allow
→ it creates an allow forward policy (why forward?!)
Result: I can NOT access the Turris (192.168.2.1).

When I create a policy
WAN (dest IP iPad) to “this device”, dest port 192.168.2.1
→ it creates an allow output
Result: my iPad can access all IPs, not only 192.168.2.1… this is really strange to me.

@JardaB and @xsys: any idea?
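
The deny-by-default zone layout described above, with the input/forward distinction from the last two experiments, written out in UCI syntax as an added example (not from the thread, from Turris documentation, or from the Omnia's shipped config); zone names lan/wan and the addresses 192.168.1.150, 192.168.2.1 and 192.168.2.40 come from the posts, the rule names are assumed.

```uci
# /etc/config/firewall, UCI syntax (OpenWrt / Turris OS)
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	# 'output' is the Omnia's OWN traffic towards WAN (updates, DNS); rejecting it cuts the router off
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT off: the ISP router already has the static route 192.168.2.0/24 -> 192.168.1.2
	option masq '0'

# LAN clients may initiate connections towards WAN; nothing is forwarded in the other direction
config forwarding
	option src 'lan'
	option dest 'wan'

# iPad -> the Omnia itself (192.168.2.1): INPUT traffic, so no 'dest' zone ("this device" in the GUI)
config rule
	option name 'Allow-iPad-to-Omnia'
	option src 'wan'
	option src_ip '192.168.1.150'
	option dest_ip '192.168.2.1'
	option proto 'all'
	option target 'ACCEPT'

# iPad -> PlayStation (192.168.2.40) behind the Omnia: crosses wan->lan, so FORWARD traffic
config rule
	option name 'Allow-iPad-to-PS'
	option src 'wan'
	option src_ip '192.168.1.150'
	option dest 'lan'
	option dest_ip '192.168.2.40'
	option proto 'all'
	option target 'ACCEPT'
```

A rule with `option dest 'lan'` lands in the forward chain and can never match packets addressed to 192.168.2.1, which the Omnia terminates itself in the input chain; that is why a forward rule does not open access to the router, while a rule without a `dest` zone does.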

Well, I’m not sure; thinking about the following:

  • make sure you have NAT turned off on Omnia
  • during the Omnia initial setup wizard you can choose if it will work as a NAT router, simple router or client, so maybe you have chosen the wrong type; I would suggest performing a factory reset (use the current image) and trying again
  • try turning the firewall completely off and see if routing works as expected first

Btw, I’m not too familiar with Omnia’s firewall…