I want a host in my DMZ to be accessible by IPv4 from inside or outside my LAN. I'm willing to dedicate the relevant ports (http and https) on my one external dynamic IPv4 address to this.
I have three cases:

- from `wan`: works fine. I set up port forward rules from `wan` to `dmz`. I use DDNS to point the hostname to my OpenWrt router.
- from `trusted` using OpenWrt's DNS resolver: works fine. If hosts in my `trusted` zone use OpenWrt's DNS resolver, the hostname resolves to the DMZ host's internal IP, and I allow `trusted` -> `dmz` connections, so no port forwarding is necessary.
- from `trusted` using external DNS: this is the problem. Sometimes I have guests who have hardcoded Google Public DNS, or I noticed Firefox uses DNS-over-HTTPS to somewhere else.
If I just set up a DNAT rule like the following...
```
config redirect
	option target 'DNAT'
	option name 'https/trusted'
	list proto 'tcp'
	option src 'trusted'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '192.168.8.3'
	option dest_port '443'
	option reflection '0'
```
...it breaks everything. It redirects outbound connections to any site on the Internet. It redirects connections to openwrt's LAN-side IP address.
If I go to the advanced settings tab and select External IP address: "my.external.ip.here (wan)" it adds this to the config:
```
	option src_dip 'my.external.ip.here'
```
and everything works...for now. But my external IP is dynamic, and this breaks when it changes.
Is there an easy way to tell it to redirect stuff bound for a given interface's IPv4 address and have it keep working when that changes?
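An added example, not part of the question above: instead of a `trusted`-sourced redirect pinned to a literal `src_dip`, the usual way to get this on OpenWrt is the NAT loopback ("reflection") support of the firewall's own `wan`-side redirect. With `reflection` enabled, fw3/fw4 generate an extra DNAT rule for the listed `reflection_zone` zones that matches traffic sent to the `wan` interface's current address, and the address is re-read whenever the firewall is reloaded (the hotplug script reloads it on `wan` ifup, so a DDNS-style address change is picked up). The zone names, DMZ host address and port below are taken from the post; `reflection_zone 'trusted'` is an assumption based on the firewall documentation, since reflection otherwise defaults to the `dest` zone only.

```ini
# Added example (not the poster's config): a single wan->dmz forward with
# hairpin NAT for the 'trusted' zone. Replace the existing wan->dmz https
# forward rather than adding a second one on the same port.
config redirect
	option target 'DNAT'
	option name 'https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	# no src_dip: the rule follows the wan interface's current IPv4 address
	option dest 'dmz'
	option dest_ip '192.168.8.3'
	option dest_port '443'
	# generate the loopback rule for LAN-side clients hitting the public IP
	option reflection '1'
	# zones the loopback rule applies to (assumption: defaults to dest zone)
	list reflection_zone 'trusted'
```

Leave `reflection_src` at its default (`internal`) unless the DMZ host needs to see the real client address; with `external` the reflected flow is also SNATed to the `wan` address. After `/etc/init.d/firewall reload`, confirm the generated rule with `fw4 print` (fw4) or `iptables -t nat -S | grep 192.168.8.3` (fw3) and check that it carries the current `wan` address rather than a stale one; the same check after a forced `wan` reconnect shows whether the reload hook is doing its job.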