Guide to set up DMZ via Luci - Question

Good timing - nice guide (Guide to set up DMZ via LUCI) in addition to https://openwrt.org/docs/guide-user/network/vlan/switch_untaggedvlan_howto

I did the same config yesterday with very small differences.
My use case is a Cisco SPA VoIP adapter inside my network. It requires incoming connections / port forwarding and, hey, it is Cisco, so it needs to be strictly isolated :slight_smile:
The device is connected on LAN 4.
Screenshot_20181129_191305

I understand that I will not be able to connect to this device from my regular LAN (zone) anymore.
Therefore (and for testing connections), I have created a "maintenance" Wifi Station that is assigned to the DMZ interface / network only (I called it TEL).

Screenshot_20181129_183536

This is bridged in the interface definition of TEL:

Screenshot_20181129_185313
Screenshot_20181129_184347
Screenshot_20181129_190848

and the TEL zone is set up as follows:
Screenshot_20181129_184854

Everything works as expected; LAN 1 is reachable from the new wifi only, and not from the LAN interface.
The regular LAN subnet on 192.168.1.1/24 is not reachable from TEL 192.168.160.1/24,

but:

192.168.1.1 is reachable.

Why?

All IP addresses of the OpenWrt router are reachable from the TEL zone when you have Input:accept on that zone. I don't think it should be a problem.


@Frood42, in addition, if you wanted to change the TEL zone INPUT to BLOCK or REJECT, and use the router's DNS and DHCP for that zone, you will have to make individual INPUT rules for DHCP and DNS.

# INPUT rule (no 'dest' option, so it matches traffic addressed to the router):
# let DHCP clients in the tel zone reach the router's DHCP server.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option src_port '68'
	option name 'Allow-tel_net_DHCP'
	option src 'tel'

# INPUT rule: let tel clients reach the router's DNS resolver.
# DNS needs TCP as well as UDP (large answers fall back to TCP), so allow both.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'tel'
	option name 'Allow-tel_net_DNS'
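As an added example (not part of this thread or of OpenWrt), a small lint for a UCI firewall config in the shape shown above: it parses the sections and reports when a zone either still has INPUT ACCEPT (so every router address is reachable from it) or has a restrictive INPUT policy without the DHCP and DNS input rules. The zone name 'tel', the REJECT policy and the sample config are assumed from the post above.

```python
import re

# Constructed sample: the tel zone with INPUT set to REJECT, plus the two
# rules from the post (DNS widened to 'tcp udp' so TCP fallback also works).
SAMPLE_CONFIG = """
config zone
    option name 'tel'
    option input 'REJECT'
config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67'
    option name 'Allow-tel_net_DHCP'
    option src 'tel'
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option src 'tel'
    option name 'Allow-tel_net_DNS'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI config text."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)\s*'?([^']*)'?", line)
        if m and m.group(1) == 'config':
            sections.append((m.group(2), {}))
        elif m and sections:
            sections[-1][1][m.group(2)] = m.group(3)
    return sections

def lint_zone(sections, zone):
    """Return a list of findings for the zone; an empty list means it passes."""
    z = next((o for t, o in sections if t == 'zone' and o.get('name') == zone), None)
    if z is None:
        return ['zone %s not defined' % zone]
    if z.get('input', 'DROP').upper() == 'ACCEPT':  # fw3 default policy is DROP
        return ['input ACCEPT: all router addresses reachable from %s' % zone]
    # Rules with no 'dest' are INPUT rules, i.e. traffic addressed to the router.
    rules = [o for t, o in sections if t == 'rule' and o.get('src') == zone
             and o.get('target') == 'ACCEPT' and 'dest' not in o]
    def allowed(port, proto):  # unspecified proto means 'tcp udp' in fw3
        return any(r.get('dest_port') == port and proto in r.get('proto', 'tcp udp').split()
                   for r in rules)
    findings = [] if allowed('67', 'udp') else ['DHCP: no rule for udp/67 from %s' % zone]
    findings += ['DNS: no rule for %s/53 from %s' % (p, zone)
                 for p in ('udp', 'tcp') if not allowed('53', p)]
    return findings
```

Run it against the output of `uci export firewall` to check a real config; any finding means the zone's clients will lose DHCP or DNS once INPUT is no longer ACCEPT.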