2022-03-31
Not grasping LAN-In/Out firewall rules...

OpenSource Ghost

Ubiquiti has the following firewall chains (IPTables-based):
- WAN-In (from WAN to LAN)
- WAN-Out (from LAN to WAN)
- WAN-Local (from WAN to router localhost)
- LAN-In (???)
- LAN-Out (???)
- LAN-Local (from LAN to router localhost)

I am not grasping the LAN-In and LAN-Out sections. Here's how Ubiquiti defines them:
LAN In: Applies to traffic that enters the LAN (ingress), destined for other networks (default accept).
LAN Out: Applies to traffic that exits the LAN (egress), destined for this network (default accept).
If I create a LAN-Out firewall rule that drops all traffic, except TCP and UDP packets where:
Source = my LAN subnet, Destination = any network
Then WAN doesn't work

If I create a LAN-Out firewall rule that drops all traffic, except TCP and UDP packets where:
Source = any network, Destination = my LAN subnet
Then WAN works

Shouldn't it be the other way around?

Nobu

LAN-in/-out is for traffic that is passing through the LAN or WAN, whose destination is the opposite. For instance, if you get a packet from WAN entering your LAN, whose destination is the WAN, that's LAN-in. If you get a packet exiting your LAN, whose destination is your LAN, that's LAN-out.

I'm not sure what kind of service would have those traffic characteristics, however.

BlueLineSwinger

You have to imagine it from the perspective of the firewall itself, and think in packets and not connections. I'm guessing you're testing from a LAN host?

OpenSource Ghost said:
If I create a LAN-Out firewall rule that drops all traffic, except TCP and UDP packets where:
Source = my LAN subnet, Destination = any network
Then WAN doesn't work
These are blocked because any packets leaving the router/firewall via the LAN interface (e.g., those coming from the WAN) will not have a source IP address in the LAN's subnet.


OpenSource Ghost said:
If I create a LAN-Out firewall rule that drops all traffic, except TCP and UDP packets where:
Source = any network, Destination = my LAN subnet
Then WAN works
As expected. A packet leaving the firewall via the LAN interface would be expected to have a source IP address of virtually anything, and a destination as a LAN IP address.
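To see the point about packets rather than connections, here is an added Python model (my own illustration, not Ubiquiti or EdgeOS code) of a LAN-Out chain evaluating the one packet it actually sees for a web request: the server's reply leaving the router through the LAN interface. The 192.168.1.0/24 subnet and the addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed values for the illustration.
LAN = ip_network("192.168.1.0/24")   # the poster's "my LAN subnet"
ANY = ip_network("0.0.0.0/0")        # "any network"
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str                              # "accept" or "drop"
    src_net: IPv4Network
    dst_net: IPv4Network
    protos: Optional[FrozenSet[str]] = None  # None matches every protocol

    def matches(self, pkt: Packet) -> bool:
        return ((self.protos is None or pkt.proto in self.protos)
                and ip_address(pkt.src) in self.src_net
                and ip_address(pkt.dst) in self.dst_net)


def evaluate(chain: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return default


# Variant 1 from the question: allow TCP/UDP with src=LAN, dst=any, drop the rest.
LAN_OUT_V1 = [Rule("accept", LAN, ANY, TCP_UDP), Rule("drop", ANY, ANY)]
# Variant 2 from the question: allow TCP/UDP with src=any, dst=LAN, drop the rest.
LAN_OUT_V2 = [Rule("accept", ANY, LAN, TCP_UDP), Rule("drop", ANY, ANY)]

# What LAN-Out sees: the reply from a WAN server, heading out the LAN interface
# to the LAN host. Its source is a WAN address, never one in the LAN subnet.
REPLY_FROM_WAN = Packet(src="203.0.113.5", dst="192.168.1.10", proto="tcp")


def lan_out_verdicts(pkt: Packet = REPLY_FROM_WAN) -> Dict[str, str]:
    """Verdict each rule variant gives the same reply packet."""
    return {"variant1": evaluate(LAN_OUT_V1, pkt),
            "variant2": evaluate(LAN_OUT_V2, pkt)}


if __name__ == "__main__":
    print(lan_out_verdicts())  # {'variant1': 'drop', 'variant2': 'accept'}
```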