Allow only DNS from OpenWRT for all LANs in LUCI

I have different LANs with different routing tables etc. I want to allow any LAN to connect to its OpenWRT Interface for DNS but not for other things so I can’t just use accept in input. How can I achieve that within LUCI without creating a separate traffic rule for every LAN-interface.

Just select “any zone” for source zone in traffic rule.

That would include all the WAN-interfaces too? Not the right solution for me then.

Then it is a list of interfaces there…

Seems unwise to open the firewall for WAN-side DNS requests; you should close this hole immediately.

Any serious answers, guys? I see none in this thread.

Restrict the rule to your lan subnets.

If you insist on a single rule to allow all networks (except WAN), just make an explicit block rule for WAN prior to the allow rule.

The suggestion to use the subnets is also a good idea (I'd actually prefer it, as the positioning of rules wouldn't matter).
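To make the two suggestions above concrete, here is what they look like in /etc/config/firewall, which is the same file the LuCI Firewall > Traffic Rules page writes. This is an added example, not configuration posted by anyone in the thread. The zone names (lan, guest, iot, wan) and the subnets are assumptions; substitute your own. Use one approach or the other, not both; they are shown side by side only for comparison.

```uci
# Added example, not from the original post. Zone names and subnets are
# assumed. No 'dest' option is set, so each rule applies to traffic addressed
# to the router itself (the INPUT path), which is what DNS to OpenWrt is.

# Approach 1: a single rule for "any zone" (src '*'), restricted to the LAN
# subnets with a list of src_ip entries. LuCI's "Source address" field takes
# the same list. Rule order does not matter for this rule, because it never
# matches a WAN-side source address in the first place.
config rule
	option name 'Allow-DNS-from-LAN-subnets'
	option src '*'
	list src_ip '192.168.1.0/24'
	list src_ip '192.168.2.0/24'
	list src_ip '192.168.3.0/24'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Approach 2: an explicit WAN block placed BEFORE an unrestricted any-zone
# allow. Rules are installed in the order they appear in this file, so the
# DROP rule must be listed first (in LuCI, drag it above the allow rule).
config rule
	option name 'Block-DNS-from-WAN'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'DROP'

config rule
	option name 'Allow-DNS-from-any-zone'
	option src '*'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Two practitioner caveats. First, a src_ip list containing only IPv4 prefixes makes the rule IPv4-only; if your clients also resolve over IPv6 (OpenWrt advertises the router's link-local address as a resolver by default), add the corresponding IPv6 prefixes, for example fe80::/10 and your ULA prefix, as further src_ip entries. Second, a src_ip match on its own does not tell a packet that arrived on the WAN interface with a forged LAN source address apart from a genuine LAN packet, whereas a zone match does; if that matters to you, keep both the subnet restriction and a WAN block. After editing, apply with /etc/init.d/firewall restart and, on fw4-based releases (22.03 and later), inspect the generated nftables ruleset with fw4 print to confirm the rules landed in the order you expect.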

Kinda harsh/rude, don't you think?

The only reason not to bind to WAN would be because of the fw being down/open, which you were told.

There's no other reason to remove WAN.

SSH binds to WAN too, but you don't seem to mind...

Have you read the answers to this point?

Thanks to pavelgl, as always.

I had another thought, maybe I can create another zone, this time including all the LANs, and create the DNS-rule just for that. But then, I don’t know how the whole zones behave if I have “redundant” zones…

I like to click though.

Well, that sounds reasonable, except for the "redundant zones" part I don't quite understand. I assume this means you plan to remove the interfaces from the other zones, correct?

You don't want to add interfaces to multiple zones (especially when the desired outcome is to have conflicting rules).

Is it impossible, or is there a safe way to do this? What takes precedence over what, or is it impossible in my use case?