WAN Interface has wrong Identifier opt1 instead of wan

Started by bamf, February 25, 2025, 01:47:02 PM

Hi,

my WAN interface has the Identifier opt1 instead of wan.

Do I need to change something here to get correct default firewall rules for the WAN interface? If yes, what's the correct way to migrate it while keeping all custom firewall rules, VLAN assignments etc.?

In the scope of your question this can be perfectly normal.


Cheers,
Franco

So there are no security implications?

Right now opt1 is assigned to my pppoe0 device.

Is there no difference in automatically generated rules for LAN and WAN interfaces?

Not in this constellation, no. The loss of the "lan" interface identifier has impact on the anti-lockout behaviour, but you can always disable anti-lockout (making sure to not lock yourself out).


Cheers,
Franco

There are auto-generated rules on my WAN (opt1) interface:

    IPv4+6 TCP    <sshlockout>    *    (self)    22 (SSH)    *    *    *    sshlockout
    IPv4+6 TCP    <sshlockout>    *    (self)    80 (HTTP)    *    *    *    sshlockout

Shouldn't these only apply to the LAN interface?

I activated "Disable anti-lockout" but the rules are still present. How do I remove them?

In this case you should have started with the right question? :)

It's relatively evident that the "lan" is missing as well then.

No, I have a LAN interface. But this interface also has a global IPv6 address assigned.

Ok fair enough, the sshlockout is for protecting GUI and SSH which is normal on every interface, but it's not the anti-lockout. Sorry for the confusion.


Cheers,
Franco

Ah. Sure. These are blocking rules, missed that, sorry :)

Indeed, there are lockout rules on the "lan" interface which disappear when I check "Disable anti-lockout". No such rules on my opt1 interface.

So I can just keep everything like it is? No need to bother about the missing wan interface identifier?