Topic: Allow all IPs from LAN Subnet
« on: July 18, 2008, 19:57:51 »
SomaFM

Hello,

I am looking for a way to allow any source IP coming from a LAN subnet to be passed, regardless of what it is. Yes, I know that:

- this is a security issue
- there is no way in the GUI to allow this to happen
- there is an anti-spoofing feature built in that takes precedence over the firewall rules

I am looking for a way to either disable this built-in checking completely, or allow the firewall rules to be checked first so that the packets are passed before they can be blocked by the built-in checking. I have tried modifying the /etc/inc/filter.inc file, but I think this file is just there to state the order of firewall rules, and not to actually create them. Plus, it seems to get over-written on reboot anyway. What file(s) do I need to edit in order to make this happen, or what is the simplest way to get this working?

Once again I know this is not recommended, and I am aware of the repercussions of making such changes, but I don't care. Thanks for the help!
« Reply #1 on: July 19, 2008, 08:49:51 »
Seb74

I'm curious since I don't understand the question really.
You have a LAN 192.168.0.0/24, and you want to be able to plug in a PC with address 192.168.10.0/24 and let him send packets, or just spoof the source IP maybe, since the other method probably doesn't work at all.

That's it?
« Reply #2 on: July 19, 2008, 10:34:37 »
SomaFM

Correct.

- A subnet of 192.168.0.0/24 will only pass traffic coming from that subnet (by default).
- No firewall rules, or anything in the GUI, can disable this built-in rule.

I am looking for a way to allow all traffic to pass, regardless of what the source IP is. So if 10.20.30.40 wants to send out traffic on the 192.168.0.0/24 subnet, he will be allowed to. If 192.168.10.2 wants to send out traffic, he can too. Currently, the firewall drops and logs all packets that are not in the subnet range.

If someone knows a way for the firewall to check the custom firewall rules first, that would work. Or if there is a way to completely disable the built-in checking, that would work too. Hope that clears up the question. Thanks :)
« Reply #3 on: July 19, 2008, 14:22:08 »
Fred Grayson

What happens if, when you define a network, you use a netmask of 0.0.0.0?

--
Google is your friend and Bob's your uncle.
« Reply #4 on: July 19, 2008, 18:14:22 »
SomaFM

> What happens if, when you define a network, you use a netmask of 0.0.0.0?

I don't think 0.0.0.0 is possible, considering there would be no broadcast/network address (just all hosts). But that is a good suggestion because I can do an address/bit count of 192.168.0.0/1 which will give me:

[ Network 128.0.0.0 ] [ Hosts: 128.0.0.1 - 255.255.255.254] [ Broadcast: 255.255.255.255 ]

or 10.0.0.0/1 which would give me:

[ Network 0.0.0.0 ] [ Hosts: 0.0.0.1 - 127.255.255.254] [ Broadcast: 127.255.255.255 ]

Pretty large broadcast domains, but it partially solves my problem by allowing me to pick 1 subnet and allow any hosts in it. However, it is not a complete solution, which is what I was hoping for. I just sort of want that built-in rule turned off, or a way to allow my custom rules to take priority over any other rules first.

But I might give one of the "big" subnets above a try; however, if anyone has a complete solution that would be awesome, please let me know :). Thanks
« Reply #5 on: July 26, 2008, 22:16:49 »
cmb

The antispoofing rules prevent that because it wouldn't know how to return that traffic anyway. If you enter static routes it opens the antispoofing rules to allow that traffic. You'll need those to direct the traffic appropriately to whatever device is routing anyway, so there is never a need to open the antispoofing rules.

Note the default LAN rule has a source of LAN subnet; you'll have to change that as well.
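To make cmb's point concrete, here is an added Python sketch (not m0n0wall code and not from any poster in this thread) that models the antispoof decision for a LAN interface, with and without a static route, and also reproduces SomaFM's /1 supernet arithmetic from Reply #4; the LAN_NET value, the static route, and the host addresses are constructed examples.

```python
import ipaddress

# Constructed values modelled on the thread: a /24 LAN, a foreign host, and the
# two "/1 supernets" SomaFM worked out. Nothing here is taken from a real config.
LAN_NET = "192.168.0.0/24"


def antispoof_allows(src, iface_net, static_routes=()):
    """Decide whether a packet with source address `src`, arriving on the
    interface whose network is `iface_net`, passes an antispoof-style check.

    Mirrors what the thread describes: the source must lie inside the
    interface subnet, or inside a network that a static route sends back
    out of that interface (otherwise the firewall has no return path and
    the traffic is dropped and logged)."""
    src = ipaddress.ip_address(src)
    allowed = [ipaddress.ip_network(iface_net, strict=False)]
    allowed += [ipaddress.ip_network(r, strict=False) for r in static_routes]
    return any(src in net for net in allowed)


def describe_supernet(cidr):
    """Return (network, first host, last host, broadcast) as strings for a
    CIDR such as 192.168.0.0/1, normalising the address to the prefix the
    way an address/bit-count field does (strict=False)."""
    net = ipaddress.ip_network(cidr, strict=False)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return (str(net.network_address), str(first), str(last),
            str(net.broadcast_address))


if __name__ == "__main__":
    # Default: a host outside the LAN subnet is dropped by antispoof.
    print(antispoof_allows("10.20.30.40", LAN_NET))            # False
    # cmb's approach: a static route for 192.168.10.0/24 opens antispoof for it.
    print(antispoof_allows("192.168.10.2", LAN_NET, ["192.168.10.0/24"]))  # True
    # SomaFM's /1 workaround only ever covers half of the address space.
    print(describe_supernet("192.168.0.0/1"))
    print(antispoof_allows("10.20.30.40", "192.168.0.0/1"))   # still False
```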