It works with this rule, but at the end of the day, this rule is kind of the same as the one I have currently. So why bother having 2 distinct rules instead of the one I currently have? Is it really correct / the intended way to have the destination set to LAN when the IP is 172.16.0.0/24? I can't wrap my head around this rule.
- Rule one: allow WAN traffic to server
- Rule two: allow LAN traffic to server
Rationale for rule 2:
Instead of a firewall rule - the other option is to create an internal DNS hostname for the server instead:
# in /etc/config/dhcp
config domain
    option ip '172.16.0.101'
    option name 'foo.example.com'   # this would be the global FQDN of the server
You don't need to set up any DNS server, the built-in dnsmasq works fine.
If you don't want to do that, you'll have to make a DNAT rule matching from lan to the wan IP on http(s) to send it to the server in dmz, which makes OpenWrt a proxy and is a waste of resources.
Ok, thanks to you both.
I ended up using a lan to dmz rule instead of the wan to lan rule as it made more sense to me. And I fixed the problem of no longer having access to LuCI by setting src_dip to "wan".
So in the end I have:
config redirect
    option target 'DNAT'
    list proto 'tcp'
    option src 'wan'
    option src_dport '80'
    option name 'http'
    option dest_ip '172.16.0.101'
    option dest 'dmz'

config redirect
    option target 'DNAT'
    list proto 'tcp'
    option src 'wan'
    option src_dport '443'
    option name 'https'
    option dest_ip '172.16.0.101'
    option dest 'dmz'

config redirect
    option name 'http-lan'
    option dest 'dmz'
    option target 'DNAT'
    list proto 'tcp'
    option src 'lan'
    option src_dport '80'
    option dest_ip '172.16.0.101'
    option src_dip 'wan'
    option reflection_src 'external'

config redirect
    option name 'https-lan'
    option dest 'dmz'
    option target 'DNAT'
    list proto 'tcp'
    option src 'lan'
    option src_dport '443'
    option dest_ip '172.16.0.101'
    option src_dip 'wan'
    option reflection_src 'external'
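A small checker for the pitfall described in the post above, added here as an illustration and not part of the thread or of OpenWrt itself: it parses `config redirect` stanzas in UCI syntax and flags LAN-origin DNAT rules that omit `src_dip`, since without it the rule also rewrites LAN traffic aimed at the router's own port 80/443 and so takes LuCI offline. The sample text is constructed from the rules above plus one deliberately incomplete stanza.

```python
import re
from typing import Dict, List

# Constructed sample: the thread's http-lan rule (correct, has src_dip) and a
# second stanza that omits src_dip, which is what the check should catch.
SAMPLE = """
config redirect
    option name 'http-lan'
    option dest 'dmz'
    option target 'DNAT'
    list proto 'tcp'
    option src 'lan'
    option src_dport '80'
    option dest_ip '172.16.0.101'
    option src_dip 'wan'
    option reflection_src 'external'

config redirect
    option name 'https-lan-bad'
    option target 'DNAT'
    list proto 'tcp'
    option src 'lan'
    option src_dport '443'
    option dest_ip '172.16.0.101'
    option dest 'dmz'
"""

# One UCI line: keyword, key, optional quoted value, optional trailing comment.
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*(?:#.*)?$")

def parse_uci(text: str) -> List[Dict[str, object]]:
    """Parse UCI-style stanzas into dicts; 'list' keys accumulate into lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments, anything not UCI syntax
        kind, key, val = m.groups()
        if kind == "config":
            cur = {".type": key, ".name": val}
            sections.append(cur)
        elif cur is not None and kind == "option":
            cur[key] = val
        elif cur is not None:
            cur.setdefault(key, []).append(val)
    return sections

def unscoped_lan_redirects(text: str) -> List[str]:
    """Names of DNAT redirects from 'lan' with no src_dip: these match every
    LAN flow to the port, including flows to the router's own address."""
    return [str(s.get("name", "<unnamed>")) for s in parse_uci(text)
            if s[".type"] == "redirect" and s.get("target") == "DNAT"
            and s.get("src") == "lan" and not s.get("src_dip")]
```

Run it against the real file with `unscoped_lan_redirects(open("/etc/config/firewall").read())` on the router to list any offending rule names.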