Firewall: Routing traffic between Zones

I was looking into the OpenWrt example of how to use Tor. Currently, I have problems understanding how the concept of Firewall Zones works and how traffic can be moved from one zone to another.

I'm curious if it's possible to achieve the following:

  • By default, allow forward from LAN to WAN
  • If traffic matches a specific criteria (e.g. MAC/IP), forward it to a different Zone (named "tor" in this example)
  • In the new zone, apply different filters, etc. Or, for the example with Tor, apply a redirect to the OpenWrt device and perform DNAT.
                                         ┌────────┐
                                         │        │
                                   ┌─────► wan    ├─────────────────────────────────────┐
                                   │     │        │                                     │
                                   │     └────────┘                                     │
                  ┌──────────┐     │                                                    ▼
                  │          ├─────┘     ┌────────┐           ┌─────────────┐      ┌──────────┐
                  │          │           │        │           │             │      │          │
                  │ lan-zone ├──────────►│  tor   ├──────────►│ device dnat ├─────►│ internet │
                  │          │           │        │           │             │      │          │
                  └──────────┘           └────────┘           └─────────────┘      └──────────┘
traffic from lan-bridge       forward based          for all traffic
                              on criteria            apply dnat
                              e.g. MAC or IP

My idea was to do the following (all steps in LuCI):

With the config from the screenshots, my expectation was that all traffic from device with IP 10.144.144.235 should end up in the tor firewall zone and from there the port forwarding should be applied.
However, this was not the case and all traffic was sent via the usual LAN-WAN forwarding. Why is this the case?

Thanks in advance!

From my understanding, the tor opkg works like a proxy server on 0.0.0.0:9040 by default. Also, I can't remember it being a device, but maybe it is; personally, I have never configured it like that.

Tor often only routes 80, 443 and 53, so what you can do is use a port forward instead of a traffic rule, or... like in my setup, make use of a package called luci-app-pbr. This opkg makes it really easy to route different routes exactly like your snippet example.

Here are some useful links to get you started:

And PBR:

I'm not entirely sure about this either. But that's also a point which is not clear to me yet: does a firewall zone always have to cover a device? At least in LuCI, it's possible to create a zone without a corresponding device.

Thanks for the hint with the pbr, will definitely check it out! :)

Yes and no, usually it is a no, but in some situations some opkgs may use it with something internal invoked from a background script.

edit: to add

And sometimes you don't need a firewall zone because the configs handle it and always prioritize from device to wan through an internal nftables rule.

As for Tor, I don't think it's default in vanilla OpenWrt, but it may or may not create a tor device; if that is true, it should be shown in the Devices tab under Network.

Usually a firewall zone should cover a device; if it has no zone, it allows all basically.

In my case I did not configure it as a firewall zone, but rather used it as a proxy and used PBR.

0.0.0.0 means the device/router itself, so basically the default tor config hosts it as a server.
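As an added example (not from any post in this thread nor from the OpenWrt Tor guide), the flow drawn in the question and the "router itself on 0.0.0.0:9040" point from the replies, written as /etc/config/firewall stanzas: zones are attached to interfaces, so the client is not moved into a separate zone; instead the per-host match is done in a redirect inside the lan zone, which hands its TCP traffic to Tor's TransPort on the router. The client address 10.144.144.235 and port 9040 are taken from the thread; that Tor runs on the router with TransPort 9040 is an assumption.

```uci
# Added example, not from this thread. Assumes Tor on the router
# listening on TransPort 9040 and a client at 10.144.144.235.
# IPv4 only: src_ip is an IPv4 address, so IPv6 from that client
# is not covered and needs its own rules.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Default path: everything in lan may be forwarded to wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# The "forward based on criteria" step from the diagram. The match
# happens in the lan zone's DNAT (prerouting) step, before any
# forwarding decision is made. With no dest_ip, the DNAT targets
# the router itself, i.e. Tor's TransPort.
config redirect
	option name 'tor-client-tcp'
	option src 'lan'
	option src_ip '10.144.144.235'
	option proto 'tcp'
	option target 'DNAT'
	option dest_port '9040'

# Without this rule, anything the redirect did not catch from that
# client (UDP, ICMP, ...) still takes the ordinary lan-to-wan path.
config rule
	option name 'tor-client-no-wan'
	option src 'lan'
	option src_ip '10.144.144.235'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `/etc/init.d/firewall restart` and check the result with `nft list ruleset`: the redirect appears in the lan zone's dstnat chain, the REJECT rule in the lan-to-wan forward chain.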