Closed stephen304 closed 3 years ago
odhcpd from z and ruygg
by the way, have you tried to announce 300::/8 subnet and 200::/7 route to LAN clients?
Via RA? Imo the current dhcpv6 behavior seems adequate. This ticket is re: v6 firewall behavior
So right now, I can get a 300::/64 address assigned via ULA, but the big question remains: do we firewall clients from the mesh?
mmm... yah.
To prevent traffic from the mesh zone yggdrasil from entering the lan zone 300:::
Zone ⇒ Forwardings
look for yggdrasil ⇒ lan
Allow forward to destination zones
firewall.cfg1aad58=forwarding
firewall.cfg1aad58.src='yggdrasil'
firewall.cfg1aad58.dest='lan'
To revert, and allow the mesh zone to reach the 300::/64 network:
uci add firewall forwarding # =cfg1aad58
uci set firewall.@forwarding[-1].src='yggdrasil'
uci set firewall.@forwarding[-1].dest='lan'
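An added example (not from this thread or the project): a POSIX sh audit that reads `uci show firewall` output on stdin, lists every forwarding from the yggdrasil zone into lan, and prints the uci commands that drop it. The sample dump is constructed; only the section id cfg1aad58 comes from the thread, the other ids and options are made up.

```shell
# Added example: find OpenWrt forwardings that let the yggdrasil zone reach lan,
# and emit the commands to remove them (the inverse of the revert quoted above).
# Input is `uci show firewall` text on stdin, from a router or from sample_config.

# Print the section id of every forwarding with src='yggdrasil' and dest='lan'.
yggdrasil_lan_forwardings() {
    awk -v q="'" '
        index($0, "=") == 0 { next }            # skip lines that are not key=value
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(q, "", val)                       # strip the quotes uci show adds
            n = split(key, k, ".")                 # k[1]=config k[2]=section k[3]=option
            if (n == 2 && val == "forwarding") fwd[k[2]] = 1
            else if (n == 3) opt[k[2] "." k[3]] = val
        }
        END {
            for (s in fwd)
                if (opt[s ".src"] == "yggdrasil" && opt[s ".dest"] == "lan") print s
        }' | sort
}

# Emit the commands an operator would run to drop each offending forwarding.
remediation_commands() {
    found=0
    for s in $(yggdrasil_lan_forwardings); do
        echo "uci delete firewall.$s"; found=1
    done
    if [ "$found" -eq 1 ]; then
        echo "uci commit firewall"
        echo "/etc/init.d/firewall reload"
    fi
}

# Constructed sample in `uci show firewall` format. cfg1aad58 is the section quoted
# in the thread; the zone section and the lan->yggdrasil forwarding are made up.
sample_config() {
    cat <<'EOF'
firewall.cfg03dc81=zone
firewall.cfg03dc81.name='yggdrasil'
firewall.cfg1aad58=forwarding
firewall.cfg1aad58.src='yggdrasil'
firewall.cfg1aad58.dest='lan'
firewall.cfg1bad58=forwarding
firewall.cfg1bad58.src='lan'
firewall.cfg1bad58.dest='yggdrasil'
EOF
}

sample_config | remediation_commands
```

On a real node, replace `sample_config` with `uci show firewall` and review the printed commands before running them.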
@stephen304 Do we want to add the firewall rule that @wfleurant mentioned above to our node builds by default? Seems straightforward enough to me.
I believe this is already done, it's easy to test in case we left it disabled.
Edit: I think we just need to remove lan from the yggdrasil forward.
We may want to tweak the zone forwarding rules to make the 300 block behave like NAT+firewall. Anyone wanting to host a service should be technical enough to create a forward / rule and this will protect laypeople better. We should discuss briefly.