Firewall Zones Grouping / Aggregation?

Hi all,

I understand that a network / interface can only be covered by exactly 1 firewall zone.
I also understand that a traffic rule can only use exactly 1 source zone.

Still, one would sometimes want to have traffic rules that match several zones to aggregate all networks that are covered by the enumerated zones.

To protect the router you might want to set the zone input to reject instead of accept.
If you do that, you have to expose the dnsmasq ports for DHCP and DNS so that clients in the zone may use the router's DNS and DHCP services. If you do that for a number of zones, this means that you need to repeat these rules for each zone!

This is just cumbersome and makes the rule set hard to keep an overview of and to handle.
Instead, one wants to have only 1 rule per exposed port which covers all source zones or networks at once.

Is there a way that this can be achieved by grouping zones?

Something I tried that did not work: I created an "allclients" zone which covered 0 networks, but which allowed forwarding to and from all zones that should use DNS and DHCP. It made no difference whether input/output/forwarding were set to accept or reject. It just did not work.

Better ideas?
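To make the repetition described in the post concrete, here is an added example (not from the original post) that emits the `/etc/config/firewall` stanzas for a zone whose input policy is REJECT, together with the two dnsmasq exceptions (DNS on 53, DHCP on UDP 67), once per zone. The zone and network names `guest` and `iot` are assumptions for illustration; the output is what would normally be appended to the firewall config and then applied with `/etc/init.d/firewall reload`.

```shell
#!/bin/sh
# Added example: generate OpenWrt firewall config for zones that reject
# router input by default but still expose dnsmasq (DNS + DHCP).
# Zone/network names passed as arguments are assumed to exist in /etc/config/network.

# A zone stanza with input set to REJECT (the stock lan zone uses ACCEPT,
# which exposes every service running on the router to that zone).
zone_stanza() {
    cat <<EOF
config zone
    option name '$1'
    list network '$1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
EOF
}

# The per-zone exceptions. A rule takes exactly one 'option src', so the
# same two stanzas have to be repeated for every zone.
dnsmasq_rules() {
    cat <<EOF
config rule
    option name 'Allow-DNS-$1'
    option src '$1'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCP-$1'
    option src '$1'
    option proto 'udp'
    option dest_port '67'
    option family 'ipv4'
    option target 'ACCEPT'
EOF
}

# Emit the zone plus its exceptions for every zone name given.
gen_firewall() {
    for z in "$@"; do
        zone_stanza "$z"
        echo
        dnsmasq_rules "$z"
        echo
    done
}

# Number of rule stanzas produced: two per zone, which is the overhead the post complains about.
rule_count() {
    gen_firewall "$@" | grep -c '^config rule'
}
```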