peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

Installation causes UdmPro firewall rules to stop working. Wireguard #97

Closed powellcn closed 2 years ago

powellcn commented 2 years ago

I'm still investigating this.

How to reproduce:

  1. Factory Reset.
  2. Configure Udm Pro.
  3. Create multiple networks with vlans
  4. Create and test Firewall rules. Ensure some rules allow communication between vlans
  5. Test firewall rules to ensure everything is working.
  6. Install split-vpn/wireguard/udm-utilities boot script.
  7. Test firewall rules. Note that communication between vlans is now blocked.

I am not sure at which stage the firewall breaks. I suspect it is the boot script. I have a backup as of step 5. I will try step 6 tonight and try to figure out where the problem is created. I've done this twice now and both times the firewall broke.

peacey commented 2 years ago

Hi @powellcn,

Are you configuring split-vpn to force some VLANs to the VPN and running it in your tests? Because by default the script blocks inter-VLAN communication to forced networks unless you add them to the EXEMPT list.

Other than that, I can't see how split-vpn or the boot script would cause firewall rules to stop working, there is nothing in the boot script or the script that touches firewall rules or overrides them (other than for forced networks while the VPN is running).

powellcn commented 2 years ago

Hi @peacey, once again, thanks for everything!

The way I had it configured:

So the way I had it configured was following the README for Wireguard. I have networks br0, br20, br30, br40. I then added 2 of my 4 networks to FORCED_SOURCE_IPV4, i.e. FORCED_SOURCE_IPV4=br0 br20. I did not use the EXEMPT list. It sounds like the exempt list will remove a specific IP from the VPN.

Use Case:

I have a server on br0 that needs to be accessible locally from br20, br30 and br40 on LAN, but also needs to use the VPN on WAN. My plan was to use the Firewall for controlling inter-VLAN communication.

hmmmmm.... is this where EXEMPT_SOURCE_IPV4_PORT and EXEMPT_DESTINATIONS_IPV4 come into play?

peacey commented 2 years ago

So by default ALL traffic from a forced VLAN gets routed through the VPN, this includes inter-VLAN traffic. So your inter-VLAN packets are getting into the VLAN, but on the way out they are getting routed through the VPN.

You need to add the VLAN subnets you want to be able to communicate with to the EXEMPT_DESTINATIONS_IPV4 option, so packets destined to those subnets don't get routed through the VPN. For example, to allow communication with subnets 192.168.2.0/24 and 192.168.3.0/24:

EXEMPT_DESTINATIONS_IPV4="192.168.2.0/24 192.168.3.0/24"

Also, if you want to force a VLAN (brX) you should be using FORCED_SOURCE_INTERFACE not FORCED_SOURCE_IPV4 (which is for subnets not interfaces). Example:

FORCED_SOURCE_INTERFACE="br0 br20"

Make sure to use quotes when listing multiple interfaces or subnets in your configuration.

Your firewall rules will still work. For example, if you add firewall rules to block inter-VLAN traffic, the traffic will still be blocked even if you added the exemptions above.

powellcn commented 2 years ago

Hi @peacey, sorry, I copied the wrong configuration variable from the README. I was using FORCED_SOURCE_INTERFACE="br0 br20".

I'll reinstall tonight and try out what you are suggesting. I suppose I was interpreting the EXEMPT_DESTINATIONS_IPV4= as a way to exempt an ip (or range) from VPN that was already forced. i.e. if I had br0 forced, and I didn't want 192.168.1.7 going to the VPN then I would add it there.

Thanks again for the help. Now I know why the problem is occurring and where to fix it!

peacey commented 2 years ago

Sorry for the confusion. So there are EXEMPT_SOURCE and EXEMPT_DESTINATIONS options. The source options are for exempting sources (traffic originating from those sources), while the destination options are for exempting destinations (traffic destined to those destinations).

powellcn commented 2 years ago

Hi @peacey, I redid the install and it worked great this time. I did as you suggested and added the following:

EXEMPT_DESTINATIONS_IPV4="192.168.0.0/16"

Thanks!
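A pre-flight check for the situation in this thread, written as an added example (not part of split-vpn): it reads the FORCED_SOURCE_INTERFACE and EXEMPT_DESTINATIONS_IPV4 lines from a vpn.conf-style text, and, given an assumed interface-to-subnet map for the VLANs, reports which neighbouring VLAN subnets would still be routed out through the VPN instead of answering locally. It also flags multi-value assignments that lack the quotes the maintainer asks for. The VLAN subnets and the sample config are constructed.

```python
import ipaddress
import shlex

# Constructed sample LAN layout (assumption, not from the thread).
VLAN_SUBNETS = {
    "br0": "192.168.1.0/24",
    "br20": "192.168.20.0/24",
    "br30": "192.168.30.0/24",
    "br40": "192.168.40.0/24",
}

# Constructed config: br0 and br20 forced, only br30's subnet exempted.
SAMPLE_CONF = '''
FORCED_SOURCE_INTERFACE="br0 br20"
EXEMPT_DESTINATIONS_IPV4="192.168.30.0/24"
'''

def parse_conf(text):
    """Parse KEY="v1 v2" lines into {KEY: [v1, v2]}."""
    vals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        # shlex strips the quotes; the inner split separates the list items.
        vals[key.strip()] = [v for tok in shlex.split(raw) for v in tok.split()]
    return vals

def unquoted_multivalue(text):
    """Keys whose value lists several items without quotes; a shell misparses these."""
    bad = []
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, raw = line.partition("=")
            raw = raw.strip()
            if " " in raw and raw[0] not in "\"'":
                bad.append(key.strip())
    return bad

def tunnelled_vlans(conf, vlan_subnets):
    """For each forced interface, list other VLAN subnets not covered by an exemption."""
    exempt = [ipaddress.ip_network(n) for n in conf.get("EXEMPT_DESTINATIONS_IPV4", [])]
    result = {}
    for iface in conf.get("FORCED_SOURCE_INTERFACE", []):
        leaks = []
        for other, subnet in vlan_subnets.items():
            if other == iface:
                continue  # same-VLAN traffic never crosses the router
            net = ipaddress.ip_network(subnet)
            if not any(e.version == net.version and net.subnet_of(e) for e in exempt):
                leaks.append(subnet)
        result[iface] = leaks
    return result
```

Run it against the real config before enabling the boot script; an empty list for every forced interface (as with the /16 exemption used at the end of this thread) means inter-VLAN replies stay local.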