Hello. I have a subnet for garbage devices configured on the wifi2 interface, with some restrictions in the firewall. I remember it was working, but I noticed that it doesn't now. The TCP chain works fine, and a device in the IoT zone increments the counters on the jump rule and the accept rule, but all counters of the iot chain are zero. The devices use DHCP and DNS, so I would expect the counters to show that. I'm sure it was working, and I don't remember changing anything; I only updated the firmware. ROS version 7.20.4.
# NOTE(review): looks like a RouterOS firewall export, presumably `/ip firewall raw`
# (the prerouting / bad_tcp chains and the "defconf:" comments match the default
# configuration's raw table) — confirm the table before reading the notes below.
# Within a chain, rules are evaluated top-down in the order listed here; the first
# accept/drop that matches terminates evaluation for that packet. Exported line
# continuations (`\`) are kept as-is.
#
# --- prerouting chain --------------------------------------------------------
# Disabled in this export. When enabled it accepts everything before any rule
# below runs, i.e. it switches the whole chain off.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# DHCP DISCOVER (0.0.0.0:68 -> 255.255.255.255:67) from the LAN and the IoT
# interface lists is accepted here, i.e. before the jump to the iot chain below,
# so the iot chain never sees broadcast DHCP at all.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=IoT protocol=udp \
src-address=0.0.0.0 src-port=68
# Bogon / reserved-range drops driven by address lists (bad_ipv4, bad_src_ipv4,
# bad_dst_ipv4, not_global_ipv4). The list contents are not part of this export.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 log-prefix="bad_ipv4 dst"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
# WAN-ingress packets addressed to any 192.168.0.0/16 destination are dropped,
# which covers both the LAN (192.168.0.0/24, see next rule) and the IoT range.
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 in-interface-list=WAN
# Source sanity check for the LAN: packets arriving on a LAN interface with a
# source outside 192.168.0.0/24 are dropped and logged.
# NOTE(review): there is no equivalent check for in-interface-list=IoT in this
# export, so a spoofed source address from wifi2 is only constrained by the
# bad_* address lists above — consider whether that is intended.
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN log-prefix=\
"drop local if not from default IP range" src-address=!192.168.0.0/24
# Everything arriving on the IoT interface list is diverted into the iot chain.
# A packet that matches no terminating rule there returns here and continues
# with the next rule; the counter on this rule counts the diversion, not what
# happens inside the iot chain.
add action=jump chain=prerouting comment="jump to IoT chain" in-interface-list=IoT jump-target=iot
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
# All TCP (from every interface list) is checked in the bad_tcp chain below.
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
# Anything from IoT that the iot chain neither accepted nor dropped is accepted
# here — the iot chain therefore acts as a blocklist, not an allowlist.
add action=accept chain=prerouting comment="defconf: accept everything else from IoT" in-interface-list=IoT
# --- iot chain, first rule ----------------------------------------------------
# Packets whose source is one of the router's own addresses are accepted before
# any of the iot drop rules further down can see them.
add action=accept chain=iot comment="defconf: accept local traffic between router interfaces" src-address-type=local
# NOTE(review): this rule is unreachable — the "accept everything else from IoT"
# rule above matches the same packets (in-interface-list=IoT) first, so its
# counter will stay at zero regardless of traffic.
add action=drop chain=prerouting comment="drot the rest from IoT debug rule" in-interface-list=IoT
# Final catch-all for prerouting: everything not accepted above is dropped and logged.
add action=drop chain=prerouting comment="defconf: drop the rest" log=yes log-prefix="drop the rest"
# --- iot chain, continued -----------------------------------------------------
# Unicast DHCP renew/request to 192.168.10.1:67 (presumably the router's address
# on the IoT interface — confirm). Broadcast DISCOVER was already accepted in
# prerouting, so this counter only moves for unicast renewals.
add action=accept chain=iot comment="accept DHCP renew from IoT" dst-address=192.168.10.1 dst-port=67 protocol=udp src-port=68
# Only UDP/53 to 192.168.10.1 is matched. DNS over TCP to the same address is not
# covered and ends up in the logged drop at the end of this chain.
# NOTE(review): if the IoT DHCP network hands clients a gateway/DNS address other
# than 192.168.10.1, neither this rule nor the DHCP rule above will ever match —
# worth confirming against the IoT DHCP server's network settings.
add action=accept chain=iot comment="accept DNS from IoT" dst-address=192.168.10.1 dst-port=53 protocol=udp
# Blocks IoT -> LAN subnet (192.168.0.0/24). Traffic to 192.168.10.1 is not in
# this range and is handled by the last rule of the chain instead.
add action=drop chain=iot comment="defconf: drop forward to LAN from IoT" dst-address=192.168.0.0/24
# ICMP from IoT to any destination, including the router itself, is accepted
# (this rule comes before the router-address drop below).
add action=accept chain=iot comment="accept ICMP from IoT" protocol=icmp
# Everything else addressed to 192.168.10.1 is dropped and logged. If this is
# the raw table, the drop happens before connection tracking, so no tracked
# connection is ever created for these packets.
add action=drop chain=iot comment="drop input from IoT" dst-address=192.168.10.1 log=yes log-prefix="drop input from IoT"
# --- bad_tcp chain ------------------------------------------------------------
# TCP flag sanity filter from the default configuration: drops segments with
# none of FIN/SYN/RST/ACK set, the listed contradictory flag pairs, and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp