Firewall zone for loopback

I have two sites on my router:

  • Luci+uhttpd on available only from LAN zone. Actually the uhttpd by default listens but it rejects non private IPs (e.g. "internal firewall").
  • Lighttpd with a WebDAV share available from internet e.g. WAN zone. It uses DDNS so it has some domain but the IP changes.

They both need for 80 port.
I can solve this simply by starting two separate webservers on different IPs e.g. for Luci and <some ip> for Lighttpd.
But the IP is dynamic so I need to know it first and only then start the Lighttpd. If the internet connection lost then it won't be able to even start the webserver.
As a solution I can configure the Lighttpd to start on and then add a firewall rule to redirect incoming connections from WAN 80 to this device 8080. This solves the issue but also I can have a direct access to the Lighttpd from LAN by the 8080 port even when no Internet available. But the same 8080 port is again available directly from internet e.g. I can open my Lighttpd by this URLs:

It looks like it shouldn't be any issues. But for example the same trick won't work for Luci if I don't with to expose it to internet.

Now I thinking to go further: we have many IPs on loopback interface:, 127.0.x.x. So what if I'll start the Luci on, and the Lighttpd on and again make a forwarding rule like:

  • LAN 80 port -> for Luci
  • WAN 80 port -> for Lighttpd

Then I won't have the exposed additional ports on it would be easier to change the LAN zone settings e.g. change a network mask to Also this allows to remove the "internal firewall" from the uhttpd.

So here is my questions:

  1. Overall, how do you feel about the idea? Maybe I'm missing something.
  2. I don't see a pre-configured zone for loopback and even the lo interface in the Luci UI. Is this fine? Can anybody share a firewall rule to redirect from WAN to lo IP.

I don't want to use a reverse proxy. The main reason is because this an additional point of failure. I can setup a separate instance of the Lighttpd with mod_proxy but it may broke and then I'll loose my Luci admin panel. Also this have a performance penalty which may be high when using the WebDAV for files backup.

Another one task I need to solve is to keep my WebDAV domain working even when no internet and the DDNS didn't worked. In this case I won't be able to resolve and access my domain even if it's on my router.

I think that it should be possible to configure the dnsmasq DHCP to return a LAN IP address for the external domain
In such case all internal devices will connect by the LAN addeess but when I traveling I will connect to an external IP.
Here again we need to distinguish when to show a Luci on port 80 or the Lighttpd because now they both are opened from LAN.
So maybe instead it may be created a separate intranet zone like INTRA with own network like 10.1.x.x.
Then Luci can be binded to the, Lighttpd binded to

The dnsmasq DHCP/DNS for LAN will return this special address when the is requested.
Is it possible?

For any interface not in a zone, the General Firewall Settings would apply - this includes lo.


# in /etc/config/dhcp

config domain                  
        option ip ''
        option name ''

I assume you mean DNS?

What IP did you assign?

To clarify - it's possible to bind LuCI to a specific IP.

1 Like