Last active
May 17, 2021 23:16
Google Fiber OpenWRT firewall rules
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

################################################################################
### Firewall rules to use an OpenWRT router at the edge of your network      ###
### instead of the Google Fiber Network Box.                                 ###
### Reference: https://pastebin.com/dWABB4ih                                 ###
### See also: https://forum.archive.openwrt.org/viewtopic.php?id=50376       ###
### https://forum.openwrt.org/t/set-vlan-cos-priority-for-google-fiber/25288 ###
################################################################################

# Note: the following requires ip-full package
ip link set eth1.2 type vlan egress 0:3
ip link set eth1.2 type vlan egress 2:2
ip link set eth1.2 type vlan egress 6:6
iptables -t mangle -A POSTROUTING -p udp -m udp --sport 68 --dport 67 -j CLASSIFY --set-class 0:2
iptables -t mangle -A POSTROUTING -p igmp -j CLASSIFY --set-class 0:6

# Note: the above rules will only be loaded on router boot if the include for firewall.rules has
# option reload set to 1. I believe this is because the eth1.2 vlan is not yet started when the
# firewall first comes up.
# To set option reload, from OpenWRT busybox shell:
#   $ uci set firewall.@include[0].reload="1"
#   $ uci commit firewall
#   $ service firewall restart
# Or add directly to /etc/config/firewall :
#   config include
#       option path '/etc/firewall.user'
#       option reload '1'
# See:
#   https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes
#   https://dev.archive.openwrt.org/ticket/20249.html
#   https://forum.openwrt.org/t/problem-installing-custom-etc-firewall-user-file/24826/10
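
A post-boot check for the setup above, as an added example that is not part of the original gist: it parses the EGRESS priority mappings line of /proc/net/vlan/eth1.2 and the output of iptables -t mangle -S POSTROUTING to confirm the rules are actually loaded. The function names and sample text are constructed for illustration, and the /proc/net/vlan layout is assumed to match the stock Linux 8021q module.

```shell
#!/bin/sh
# Added example (not from the gist): confirm the VLAN egress map and the
# CLASSIFY rules from /etc/firewall.user are in effect after a boot or reload.

# missing_egress "<text of /proc/net/vlan/DEV>" PRIO:PCP...
# Prints the expected skb-priority:PCP pairs that are NOT in the egress map.
missing_egress() {
    text=$1; shift
    have=$(printf '%s\n' "$text" | sed -n 's/^ *EGRESS priority mappings: *//p')
    miss=""
    for want in "$@"; do
        case " $have " in
            *" $want "*) ;;                 # pair present
            *) miss="$miss $want" ;;        # pair absent (e.g. rules ran too early)
        esac
    done
    printf '%s' "${miss# }"
}

# classify_rules_ok "<output of: iptables -t mangle -S POSTROUTING>"
# Returns 0 only if both the DHCP and the IGMP CLASSIFY rules are loaded.
# IGMP may be listed by name or as protocol number 2, so both are accepted.
classify_rules_ok() {
    printf '%s\n' "$1" | grep -Eq -- '-p udp .*--sport 68 --dport 67 .*-j CLASSIFY' &&
    printf '%s\n' "$1" | grep -Eq -- '-p (igmp|2) .*-j CLASSIFY'
}

# Constructed sample inputs (not captured from a real router).
SAMPLE_PROC_OK='eth1.2  VID: 2  REORDER_HDR: 1  dev->priv_flags: 1
Device: eth1
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings: 0:3 2:2 6:6 '
SAMPLE_PROC_PARTIAL='Device: eth1
 EGRESS priority mappings: 0:3 6:6 '
SAMPLE_PROC_EMPTY='Device: eth1
 EGRESS priority mappings: '
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -p udp -m udp --sport 68 --dport 67 -j CLASSIFY --set-class 0000:0002
-A POSTROUTING -p igmp -j CLASSIFY --set-class 0000:0006'

# On the router itself (paths assumed):
#   missing_egress "$(cat /proc/net/vlan/eth1.2)" 0:3 2:2 6:6
#   classify_rules_ok "$(iptables -t mangle -S POSTROUTING)" || echo "CLASSIFY rules missing"
```

An empty result from missing_egress together with a zero exit status from classify_rules_ok means both halves of the configuration are in place; a non-empty result right after boot points at the reload option described in the notes above.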
Needed to opkg install iptables-mod-ipopt to get the CLASSIFY/--set-class option on iptables to work.
Example errors without it: