Firewall DNAT matching more than one src zone?

I've a redirect rule:

config redirect
   option target 'DNAT'
   option src 'some src zone'
   option dest 'some dst zone'
   option proto 'tcp udp'
   option src_dport 'some dport'
   option dest_ip 'some ip'
   option dest_port 'some dport'
   option name 'some name'

I would like to make it work for all src zones or at least more than one.
Is there an option other than creating more than one config section?
Maybe a wildcard or at least some sort of list?
Option src is mandatory for DNAT target.
And my testing result shows that multizone values, such as "*" or "zone1 zone2", are not acceptable.


ad 1. Yes, I found it
ad 2. I already tried things you posted, also tried 'any'

So, your options:

  • Add multiple redirects.
  • Use raw iptables commands.
  • Create a feature request.

You wouldn't have too many zones anyway, would you?

If it's a combination of few zones and several ports, you could try to make the ports number sequential (if you have control over that), so you can make a rule for a range of ports.


Ports are not the problem, I've plenty of IP addresses and vlans with separate zones and forward rules ;p

Then, what he @vgaetera said!


I concur with @vgaetera about a feature request. I've found no way to do this without specifying a rule for each individual [destination] zone. This is easy though, since I can copy and paste most of the data. Obviously, I use multiple redirects.


I don't understand how a dnat rule to many zones is conceptually supposed to work. Usually you need to specify a destination specific port or target ip, so one rule per target would be required anyway.

I would like to use multiple source zones, not multiple dst zones.
From many zones, not to many zones.

It is supposed to be not "to" but "from", i.e. expand multiple sources into several rules.
In a similar way as multiple protocols expand to a number of rules:

firewall.@rule[x].proto="tcp udp icmp"
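The "one redirect section per source zone" workaround from the earlier replies, written out as a small POSIX sh generator. This is an added example and not code from the thread or from OpenWrt itself; the zone names (vlan10, vlan20, guest), the 192.0.2.10 target and the ports are constructed values, and the function names are my own. It expands a single logical DNAT into several `config redirect` sections, the same way the firewall expands a multi-protocol `proto` list into several rules, and can also print the equivalent `uci` commands so the sections can be added to a live config without hand-copying.

```sh
#!/bin/sh
# Added example (not from the thread): expand one logical DNAT redirect into
# one UCI 'config redirect' section per source zone, because 'src' accepts a
# single zone. All zone names, IPs and ports below are constructed samples.

# gen_redirects NAME DEST_ZONE PROTO SRC_DPORT DEST_IP DEST_PORT SRC_ZONE...
# Prints a /etc/config/firewall fragment with one section per source zone.
gen_redirects() {
    name="$1"; dest="$2"; proto="$3"; src_dport="$4"; dest_ip="$5"; dest_port="$6"
    shift 6
    for zone in "$@"; do
        printf "config redirect\n"
        printf "\toption name '%s'\n" "${name}_${zone}"   # unique name per zone
        printf "\toption target 'DNAT'\n"
        printf "\toption src '%s'\n" "$zone"             # the one value that differs
        printf "\toption dest '%s'\n" "$dest"
        printf "\toption proto '%s'\n" "$proto"
        printf "\toption src_dport '%s'\n" "$src_dport"
        printf "\toption dest_ip '%s'\n" "$dest_ip"
        printf "\toption dest_port '%s'\n" "$dest_port"
        printf "\n"
    done
}

# gen_uci_cmds: same arguments, but prints the 'uci' commands that create the
# sections on a router (pipe into sh on the device, then 'uci commit firewall').
gen_uci_cmds() {
    name="$1"; dest="$2"; proto="$3"; src_dport="$4"; dest_ip="$5"; dest_port="$6"
    shift 6
    for zone in "$@"; do
        printf "uci add firewall redirect\n"
        printf "uci set firewall.@redirect[-1].name='%s'\n" "${name}_${zone}"
        printf "uci set firewall.@redirect[-1].target='DNAT'\n"
        printf "uci set firewall.@redirect[-1].src='%s'\n" "$zone"
        printf "uci set firewall.@redirect[-1].dest='%s'\n" "$dest"
        printf "uci set firewall.@redirect[-1].proto='%s'\n" "$proto"
        printf "uci set firewall.@redirect[-1].src_dport='%s'\n" "$src_dport"
        printf "uci set firewall.@redirect[-1].dest_ip='%s'\n" "$dest_ip"
        printf "uci set firewall.@redirect[-1].dest_port='%s'\n" "$dest_port"
    done
    printf "uci commit firewall\n"
}

# count_sections: number of 'config redirect' sections in a fragment on stdin,
# handy for checking the generator produced one section per zone.
count_sections() {
    grep -c '^config redirect'
}

# Usage: three constructed source zones forwarding port 8080 to a web host on lan.
gen_redirects web lan "tcp udp" 8080 192.0.2.10 80 vlan10 vlan20 guest
```

Each generated section differs only in `src` and `name`, so the set can be reviewed as a unit, and dropping a zone later means deleting one section rather than editing a shared rule.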

Has a feature request been made for this already? I am also looking for similar functionality :slight_smile:

Probably not, I don't remember if I did.

OpenWRT 21.02 added firewall.@redirect[*].reflection_zone which does exactly what I needed. Check it out guys as it may solve your problems too :wink:

