Firewall Rules

I have seen many guides on VPN provider websites with different firewall rules to those used by GL and would welcome comments:

LAN: A,A,R (input,output,forward) whereas GL sets A,A,A

WAN: A,A,R whereas GL sets R,A,R with Masquerading enabled

VPN: R,A,R (input,output,forward) with Masquerading whereas GL sets A,A,R with Masquerading

Regarding the latter, I have also seen MSS Clamping enabled whereas GL does not apply this fix.

Are the rules recommended on the VPN provider's website for OpenWrt or for routers? Can you give me a link?

LAN, you can reject forward because there is another rule defining forwarding rules from LAN to vpn. This should not be a problem.

WAN should not have Accept in input. WAN should not accept data, otherwise it cannot be a firewall. Users can ssh to your router from WAN.

VPN, yes you can use Reject for input to make sure there is no input from your vpn server.

I am not sure how MSS clamping will affect the traffic.

So you can use Reject if you can in LAN forwarding and WAN input.

As ever, thank you alzhao for taking the time to reply!

This is one of quite a few articles that I found: Njalla — IPredator is moving to Njalla

Specifically, look under “Firewall zones” and “Interface and Firewall overview”.

The line that particularly caught my eye was “Traffic from the lan zone is only allowed to exit masqueraded through the ipr zone. Masquerading on the wan zone is disabled.”

I checked and I think it is the same as ours.

There is only one forward rule like this. No data is forwarded to WAN, so this is how data will not go to WAN. If you don’t check “force vpn” in our web UI, data will Masquerade in WAN.

config forwarding
	option dest 'ipr'
	option src 'lan'

This is different:

“Masquerading on the wan zone is disabled.” (you allow it).
Just asked my engineer. WAN has to have Masquerading. Otherwise it doesn’t work.

Anyway, because of the forwarding rule, all data goes to ipr, not WAN. So I think there is no problem.

Indeed, it seems if masquerading is disabled on the WAN, the input has to be “accept” (this was the recommended setting from my VPN provider).

That was the crux of my original query, i.e. what is the difference between:

WAN: A,A,R versus R,A,R with Masquerading enabled

Seems like the answer is nothing, or at least, not much!

According to Routed Client [Old OpenWrt Wiki], masquerading is necessary for NAT, so that is why WAN has to enable masquerading.

Don’t enable ACCEPT in WAN. If you enable ACCEPT, it means the router can accept connections from the WAN, e.g. 22 or samba. That means all ports are open on WAN and your router is under serious risk.

Think about the “wanna cry” virus this week. It will try to use the samba port and spread itself. Whereas if you have a router above your PC, you should not be affected.

Thanks for the clarification… with the idea that “more is better”, for now I am going with:

LAN: A,A,R (input,output,forward)

WAN: R,A,R with Masquerading enabled

VPN: R,A,R with Masquerading

I will report back with any problems, if any.
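The zone settings chosen above, written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not configuration from the thread or from GL.iNet: the zone and interface names 'vpn' are assumed (the provider article uses 'ipr'), and mtu_fix is the UCI option behind the MSS clamping mentioned in the original question.

```uci
# LAN: A,A,R. Forward is REJECT, so LAN traffic can only leave through
# the explicit 'forwarding' section below (lan -> vpn), never via WAN.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# WAN: R,A,R with masquerading. Input REJECT keeps ssh/samba/etc. closed
# from the internet; masq is still needed for NAT of any WAN-bound traffic.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# VPN: R,A,R with masquerading; mtu_fix enables MSS clamping on the tunnel.
# Zone/interface name 'vpn' is an assumption for this example.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The single forwarding rule: LAN clients exit only through the VPN zone.
# There is deliberately no 'lan' -> 'wan' forwarding section.
config forwarding
	option src 'lan'
	option dest 'vpn'
```

With no lan-to-wan forwarding present, LAN traffic is dropped rather than leaking to the WAN if the tunnel is down, which is the behaviour the “force vpn” option in the thread describes.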