I want a host in my DMZ to be accessible by IPv4 from inside or outside my LAN. I'm willing to dedicate the relevant ports (http and https) on my one external dynamic IPv4 address to this.
I have three cases:
wan -> dmz: works fine. I set up port forward rules from wan to dmz. I use ddns to point the hostname to my openwrt router.
trusted -> dmz using openwrt's DNS resolver: works fine. If hosts in my trusted zone use openwrt's DNS resolver, the hostname resolves to the DMZ host's internal IP, and I allow trusted -> dmz connections, so no port forwarding is necessary.
trusted -> dmz using external DNS: this is the problem. Sometimes I have guests who have hardcoded Google Public DNS, or I noticed Firefox uses DNS-over-HTTPS to somewhere else.
If I just set up a DNAT rule like the following...
config redirect
	option target 'DNAT'
	option name 'https/trusted'
	list proto 'tcp'
	option src 'trusted'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '192.168.8.3'
	option dest_port '443'
	option reflection '0'
...it breaks everything. It redirects outbound connections to any site on the Internet. It redirects connections to openwrt's LAN-side IP address.
If I go to the advanced settings tab and select External IP address: "my.external.ip.here (wan)" it adds this to the config:
option src_dip 'my.external.ip.here'
and everything works...for now. But my external IP is dynamic, and this breaks when it changes.
Is there an easy way to tell it to redirect stuff bound for a given interface's IPv4 address and have it keep working when that changes?
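If the src_dip approach from the post is kept, one way to make it survive address changes is a netifd hotplug script that rewrites src_dip whenever the wan interface comes up or gets a new address, and reloads the firewall. This is an added example, not code from the post or from OpenWrt; the script path and the UCI section names of the two redirects (trusted_https, trusted_http) are assumptions, and the address is validated before it is written because it ends up inside a firewall rule.

```sh
#!/bin/sh
# Assumed path: /etc/hotplug.d/iface/90-dmz-redirect-ip (added example, not from the post).
# Whenever the wan interface comes up or its address changes, pin src_dip of the
# trusted->dmz DNAT redirects to the current wan IPv4 address and reload the firewall.

WAN_IFACE="wan"
# UCI section names of the two redirects are assumed; give the sections these names in
# /etc/config/firewall (or with 'uci rename') so they can be addressed here.
REDIRECTS="trusted_https trusted_http"

# Accept only a plain dotted-quad IPv4 address: this value ends up inside a firewall rule,
# so anything else (empty, IPv6, garbage) must be rejected rather than written to config.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the 'uci batch' commands that pin every listed redirect to the given address.
uci_batch_for() {
  for section in $REDIRECTS; do
    printf 'set firewall.%s.src_dip=%s\n' "$section" "$1"
  done
  printf 'commit firewall\n'
}

# Validate, write the new src_dip values, and reload the firewall so fw3/fw4 regenerates
# the DNAT rules with the new address.
apply_wan_ip() {
  if ! is_ipv4 "$1"; then
    logger -t dmz-redirect "refusing to use invalid wan address '$1'"
    return 1
  fi
  uci_batch_for "$1" | uci batch
  /etc/init.d/firewall reload
}

# Hotplug entry point: ACTION and INTERFACE are set by netifd when this script runs.
if [ "$INTERFACE" = "$WAN_IFACE" ] && { [ "$ACTION" = ifup ] || [ "$ACTION" = ifupdate ]; }; then
  . /lib/functions/network.sh
  network_get_ipaddr wan_ip "$WAN_IFACE" && apply_wan_ip "$wan_ip"
fi
```

Because the script only acts when netifd calls it for the wan interface, running it by hand does nothing; check the result after an address change with `uci show firewall | grep src_dip`.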