I noticed a strange behaviour when using WireGuard together with zone-based firewalls. As I do not know which parts of my configuration might have an effect on this, I will first share only the parts of the config I believe are relevant and then the whole config.
In short, the behaviour is as follows:
When I apply a firewall ruleset with a default action of accept to traffic from the LOCAL zone to the WIREGUARD zone, using the command set zone-policy zone WIREGUARD from LOCAL firewall name LOCAL-WIREGUARD,
all requests are blocked. This makes no sense to me, and I do not know how to narrow it down.
System information:
Version: v2.0.9-hotfix.2
Build ID: 5402463
Build on: 05/11/21 13:17
Copyright: 2012-2020 Ubiquiti Networks, Inc.
HW model: EdgeRouter 6P
HW S/N: 245A4C593E2F
Uptime: 22:54:07 up 1:08, 1 user, load average: 0.22, 0.15, 0.07
Here is the part of the config that I consider relevant:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group DNSoverHTTPs-SERVER {
address 168.235.81.167
# Some more
}
network-group LAN_NETWORKS {
description "Local Traffic"
network 192.168.21.0/24
network 192.168.31.0/24
network 192.168.41.0/24
}
}
name GUEST-WAN {
default-action reject
rule 30 {
action drop
description "Block DNS over HTTPS Traffic"
destination {
group {
address-group DNSoverHTTPs-SERVER
}
}
}
rule 40 {
action accept
destination {
port 443
}
protocol tcp
}
rule 41 {
action accept
destination {
port 80
}
protocol tcp
}
rule 42 {
action accept
destination {
address 208.67.222.123
port 53
}
protocol tcp_udp
}
rule 43 {
action accept
destination {
address 208.67.220.123
port 53
}
protocol tcp_udp
}
rule 44 {
action accept
destination {
address 208.67.220.123
port 853
}
protocol udp
}
rule 45 {
action accept
destination {
address 208.67.222.123
port 853
}
protocol udp
}
rule 60 {
action accept
protocol icmp
state {
established enable
new enable
}
}
rule 70 {
action accept
description "iperf Performance monitor"
destination {
address 192.168.80.0/24
port 5201
}
protocol tcp_udp
}
}
name INT-LOCAL {
default-action accept
}
name INT-WAN {
default-action accept
}
name INT-WIREGUARD {
default-action accept
}
name LOCAL-WIREGUARD {
default-action accept
}
name WAN-GUEST {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
}
name WAN-INT {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
rule 30 {
action accept
description WireGuard
destination {
port 51820
}
protocol udp
}
rule 39 {
action drop
description "SSH Management"
destination {
port 22
}
protocol tcp
recent {
count 5
time 60
}
state {
new enable
}
}
rule 40 {
action accept
description "Limit SSH when brute force is used"
destination {
port 22
}
protocol tcp
state {
new enable
}
}
}
name WIREGUARD-INT {
default-action accept
}
name WIREGUARD-LOCAL {
default-action accept
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
bridge br21 {
address 192.168.21.254/24
aging 300
bridged-conntrack disable
description skylounge.INT
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
bridge br31 {
address 192.168.31.254/24
aging 300
bridged-conntrack disable
description skylounge.GUEST
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
ethernet eth0 {
address 192.168.80.11/24
duplex auto
poe {
output off
}
speed auto
}
ethernet eth1 {
bridge-group {
bridge br21
}
description skylounge.INT
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
bridge-group {
bridge br31
}
description skylounge.GUEST
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
bridge-group {
bridge br21
}
description skylounge.WIFI
duplex auto
poe {
output off
}
speed auto
vif 21 {
bridge-group {
bridge br21
}
}
vif 31 {
bridge-group {
bridge br31
}
}
}
ethernet eth4 {
address dhcp
duplex auto
poe {
output off
}
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
loopback lo {
}
wireguard wg0 {
address 192.168.41.254/24
description skylounge.WIREGUARD
listen-port 51820
mtu 1420
peer secret {
allowed-ips 192.168.41.2/32
}
peer secret {
allowed-ips 192.168.41.1/32
}
private-key secret
route-allowed-ips true
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.80.254 {
}
}
}
}
zone-policy {
zone GUEST {
default-action drop
from WAN {
firewall {
name WAN-GUEST
}
}
interface br31
}
zone INT {
default-action drop
from WAN {
firewall {
name WAN-INT
}
}
from WIREGUARD {
firewall {
name WIREGUARD-INT
}
}
interface br21
}
zone LOCAL {
default-action drop
from INT {
firewall {
name INT-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
from WIREGUARD {
firewall {
name WIREGUARD-LOCAL
}
}
local-zone
}
zone WAN {
default-action drop
from GUEST {
firewall {
name GUEST-WAN
}
}
from INT {
firewall {
name INT-WAN
}
}
interface eth0
}
zone WIREGUARD {
default-action reject
from INT {
firewall {
name INT-WIREGUARD
}
}
interface wg0
}
}
For the sake of completeness, here is the full config (keys and passwords redacted):
firewall {
all-ping enable
broadcast-ping disable
group {
address-group DNSoverHTTPs-SERVER {
address 168.235.81.167
address 176.56.236.175
address 176.103.130.131
address 176.103.130.130
}
network-group LAN_NETWORKS {
description "Local Traffic"
network 192.168.21.0/24
network 192.168.31.0/24
network 192.168.41.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify Modify_Local_In_Mark {
rule 1 {
action accept
description "Do not mark local traffic"
destination {
group {
network-group LAN_NETWORKS
}
}
}
rule 2 {
action modify
description restore_all_marks
modify {
connmark {
restore-mark
}
}
}
rule 20 {
action modify
description "skylounge.INT Mark Packet"
modify {
mark 10
}
source {
address 192.168.21.0/24
}
}
rule 25 {
action modify
description "VoIP Mark Packet"
modify {
mark 1
}
source {
address 192.168.21.10/32
}
}
rule 30 {
action modify
description "skylounge.GUEST Mark Packet"
modify {
mark 20
}
source {
address 192.168.31.0/24
}
}
rule 100 {
action modify
description CopyPacketMarkToConnectionMark
modify {
connmark {
save-mark
}
}
}
}
modify WAN_MOD_IN {
rule 10 {
action modify
description restore_all_marks
modify {
connmark {
restore-mark
}
}
}
rule 11 {
action accept
description DoneOnMarkPresent
mark !0
}
}
name GUEST-WAN {
default-action reject
rule 30 {
action drop
description "Block DNS over HTTPS Traffic"
destination {
group {
address-group DNSoverHTTPs-SERVER
}
}
}
rule 40 {
action accept
destination {
port 443
}
protocol tcp
}
rule 41 {
action accept
destination {
port 80
}
protocol tcp
}
rule 42 {
action accept
destination {
address 208.67.222.123
port 53
}
protocol tcp_udp
}
rule 43 {
action accept
destination {
address 208.67.220.123
port 53
}
protocol tcp_udp
}
rule 44 {
action accept
destination {
address 208.67.220.123
port 853
}
protocol udp
}
rule 45 {
action accept
destination {
address 208.67.222.123
port 853
}
protocol udp
}
rule 60 {
action accept
protocol icmp
state {
established enable
new enable
}
}
rule 70 {
action accept
description "iperf Performance monitor"
destination {
address 192.168.80.0/24
port 5201
}
protocol tcp_udp
}
}
name INT-LOCAL {
default-action accept
}
name INT-WAN {
default-action accept
}
name INT-WIREGUARD {
default-action accept
}
name LOCAL-WIREGUARD {
default-action accept
}
name WAN-GUEST {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
}
name WAN-INT {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
rule 30 {
action accept
description WireGuard
destination {
port 51820
}
protocol udp
}
rule 39 {
action drop
description "SSH Management"
destination {
port 22
}
protocol tcp
recent {
count 5
time 60
}
state {
new enable
}
}
rule 40 {
action accept
description "Limit SSH when brute force is used"
destination {
port 22
}
protocol tcp
state {
new enable
}
}
}
name WIREGUARD-INT {
default-action accept
}
name WIREGUARD-LOCAL {
default-action accept
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
bridge br21 {
address 192.168.21.254/24
aging 300
bridged-conntrack disable
description skylounge.INT
firewall {
in {
modify Modify_Local_In_Mark
}
}
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
bridge br31 {
address 192.168.31.254/24
aging 300
bridged-conntrack disable
description skylounge.GUEST
firewall {
in {
modify Modify_Local_In_Mark
}
}
hello-time 2
max-age 20
priority 32768
promiscuous disable
stp false
}
ethernet eth0 {
address 192.168.80.11/24
duplex auto
firewall {
in {
modify WAN_MOD_IN
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
bridge-group {
bridge br21
}
description skylounge.INT
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
bridge-group {
bridge br31
}
description skylounge.GUEST
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
bridge-group {
bridge br21
}
description skylounge.WIFI
duplex auto
poe {
output off
}
speed auto
vif 21 {
bridge-group {
bridge br21
}
}
vif 31 {
bridge-group {
bridge br31
}
}
}
ethernet eth4 {
address dhcp
duplex auto
poe {
output off
}
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
loopback lo {
}
wireguard wg0 {
address 192.168.41.254/24
description skylounge.WIREGUARD
listen-port 51820
mtu 1420
peer xxxx{
allowed-ips 192.168.41.2/32
}
peer xxxx {
allowed-ips 192.168.41.1/32
}
private-key xxxx
route-allowed-ips true
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.80.254 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name skylounge.GUEST {
authoritative disable
subnet 192.168.31.0/24 {
default-router 192.168.31.254
dns-server 208.67.222.123
dns-server 208.67.220.123
lease 86400
start 192.168.31.100 {
stop 192.168.31.150
}
}
}
shared-network-name skylounge.INT {
authoritative disable
subnet 192.168.21.0/24 {
default-router 192.168.21.254
dns-server 1.1.1.1
lease 86400
start 192.168.21.100 {
stop 192.168.21.150
}
}
}
static-arp disable
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5021 {
description "skylounge.INT to WAN"
outbound-interface eth0
protocol all
source {
address 192.168.21.0/24
}
type masquerade
}
rule 5031 {
description "skylounge.GUEST to WAN"
outbound-interface eth0
protocol all
source {
address 192.168.31.0/24
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
}
}
system {
analytics-handler {
send-analytics-report false
}
config-management {
commit-revisions 100
}
crash-handler {
send-crash-report false
}
host-name xxxx
login {
user skylounge-admin {
authentication {
encrypted-password xxxx
plaintext-password ""
public-keys lobo@lobo-hp-g7 {
key xxxxx
type ssh-rsa
}
}
level admin
}
}
name-server 1.1.1.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Vienna
traffic-analysis {
dpi disable
export enable
}
}
traffic-control {
advanced-queue {
branch {
queue 10 {
bandwidth 10mbit
description BRANCH_UP
parent 1
priority 0
}
queue 20 {
bandwidth 40mbit
description BRANCH_DOWN
parent 2
priority 3
}
}
filters {
match 1 {
attach-to 1
description WAN_Root_to_Branch_UP
target 10
}
match 2 {
attach-to 2
description Global_Root_to_Branch_Down
target 20
}
match 1000 {
attach-to 10
description VOIP_Up_Filter
mark 1
target 100
}
match 1100 {
attach-to 10
description Int_Up_Filter
mark 10
target 110
}
match 1200 {
attach-to 10
description Guest_Up_Filter
mark 20
target 120
}
match 2000 {
attach-to 20
description VOIP_Down_Filter
mark 1
target 200
}
match 2100 {
attach-to 20
description Int_Down_Filter
mark 10
target 210
}
match 2200 {
attach-to 20
description Guest_Down_Filter
mark 20
target 220
}
}
leaf {
queue 100 {
bandwidth 1mbit
ceiling 2mbit
description VOIP_Up_Leaf
parent 10
priority 1
queue-type FQ_Codel_Up
}
queue 110 {
bandwidth 4mbit
ceiling 10mbit
description Int_Up_Leaf
parent 10
priority 3
queue-type FQ_Codel_Up
}
queue 120 {
bandwidth 5mbit
ceiling 10mbit
description Guest_Up_Leaf
parent 10
priority 5
queue-type FQ_Codel_Up
}
queue 200 {
bandwidth 1mbit
ceiling 5mbit
description VOIP_Down_Leaf
parent 20
priority 1
queue-type FQ_Codel_Down
}
queue 210 {
bandwidth 19mbit
ceiling 40mbit
description Int_Down_Leaf
parent 20
priority 3
queue-type FQ_Codel_Down
}
queue 220 {
bandwidth 21mbit
ceiling 40mbit
description Guest_Down_Leaf
parent 20
priority 5
queue-type FQ_Codel_Down
}
}
queue-type {
fq-codel FQ_Codel_Down {
ecn disable
flows 65535
interval 28ms
quantum 300
target 7ms
}
fq-codel FQ_Codel_Up {
ecn disable
interval 16ms
quantum 300
target 4ms
}
}
root {
queue 1 {
attach-to eth0
bandwidth 10mbit
description WAN_Root
}
queue 2 {
attach-to global
bandwidth 40mbit
description DOWNLOAD_ROOT
}
}
}
}
zone-policy {
zone GUEST {
default-action drop
from WAN {
firewall {
name WAN-GUEST
}
}
interface br31
}
zone INT {
default-action drop
from WAN {
firewall {
name WAN-INT
}
}
from WIREGUARD {
firewall {
name WIREGUARD-INT
}
}
interface br21
}
zone LOCAL {
default-action drop
from INT {
firewall {
name INT-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
from WIREGUARD {
firewall {
name WIREGUARD-LOCAL
}
}
local-zone
}
zone WAN {
default-action drop
from GUEST {
firewall {
name GUEST-WAN
}
}
from INT {
firewall {
name INT-WAN
}
}
interface eth0
}
zone WIREGUARD {
default-action reject
from INT {
firewall {
name INT-WIREGUARD
}
}
interface wg0
}
}