Default Firewall configuration in Gargoyle

If your problem doesn't fall into one of the other categories, report it here.

Moderator: Moderators

Post Reply
vplessky
Posts: 60
Joined: Sun Oct 31, 2010 10:31 am
Location: Moscow, Russia
Contact:

Default Firewall configuration in Gargoyle

Post by vplessky »

It seems default Firewall configuration in Gargoyle doesn't work.

For example see this post WR1043ND - no routing or packet forwarding LAN->WAN ?

If you use Gargoyle just as Access Point or in AP+WDS mode, and specify another host as Gateway for your LAN, this would not affect you.
But if you want to use Gargoyle router as Router, with Firewall (enabled), and WAN port for Internet connectivity, there is a problem.

According to my test, this affects setup with either StaticIP or PPPoE for WAN interface.
I can ping external site (provider's web site, http://www.google.com) from ssh session (CLI) connected to router.
But if I try to ping same host from PC connected to router (via Ethernet cable), ping is not coming through.

So it seems firewall rejects connections from LAN (in its default configuration).
All QoS settings are set as default (not touched them, so they are disabled)

I partially overcome this by adding All Hosts, All days to White list
(added one rule).
After it I can ping http://www.google.com and other sites.
But ping remains unstable, 1 or 2 pings out of 10 can be lost.
If you try to open some web site in browser, it opens very slowly and sometimes I get timeouts.
Therefor something is still wrong in setup.

Does some one has it working?
What are your settings? (and type of WAN connection)

I also considered turning firewall completely off. At least for testing purposes. But there is no such an option in User Interface.
Please consider adding such option to Gargoyle web UI.

I am concerned that this problem - if not fixed- can affect new users, as they would not get Gargoyle working out-of-the-box.

User avatar
DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: Default Firewall configuration in Gargoyle

Post by DoesItMatter »

For 'Testing' purposes - you could always put one of the PC's
into the DMZ - it's under the Firewall tab

Just check-mark "Use DMZ" and enter in the IP of the test PC

If pings or other connectivity issues still occur, its not the firewall
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400

vplessky
Posts: 60
Joined: Sun Oct 31, 2010 10:31 am
Location: Moscow, Russia
Contact:

Re: Default Firewall configuration in Gargoyle

Post by vplessky »

DoesItMatter wrote:For 'Testing' purposes - you could always put one of the PC's
into the DMZ - it's under the Firewall tab

Just check-mark "Use DMZ" and enter in the IP of the test PC

If pings or other connectivity issues still occur, its not the firewall
Good idea, thank you.
I would put into DMZ zone one of my Linux PCs.

vplessky
Posts: 60
Joined: Sun Oct 31, 2010 10:31 am
Location: Moscow, Russia
Contact:

Re: Default Firewall configuration / Mac address cloning

Post by vplessky »

It seems I found reason why there were problems with connection.

It was caused by cloning Mac address from local PC to WAN interface.

Let's suggest PC mac address is: 00-23-54-AA-BB-CC
You set it as Mac address for WAN interface.

Code: Select all

config 'interface' 'wan'
        option 'ifname' 'eth0.2'
        option 'proto' 'pppoe'
        option 'macaddr' '00:23:54:aa:bb:cc'
        option 'username' 'myusername'
        option 'password' 'mypassword'
        option 'keepalive' '10'
        option 'peerdns' '1'
And there are two hosts known to router with same Mac address - one in LAN, and another on WAN.
This doesn't cause problem with DD-Wrt, or TP-Link factory firmware. But it's a problem with OpenWrt/Gargoyle.

To overcome this, I changed Mac address on Ethernet adapter (in Windows Vista) to: 00-23-54-11-22-33

Everything works now.

Most likely, something needs to be fixed in network or firewall setup.
But hope information above would be helpful for people looking for workaround.

Post Reply