I'm trying to set up the following:
WAN - openWRT router 10.0.1.1
|- lan1 10.0.1.0/24
|- lan2 10.0.2.0/24
|- lan3 10.0.3.0/24
`- lan4 - access point 10.0.1.100 - n wifi devices (10.0.4.0/24)
LuCI git-21.222.69112-b41f377 / OpenWrt 19.07.7 r11306-c4a6851c72
All ports are their own untagged switch for the respective VLANs (lan4 is more complex: it has lan1 untagged for the AP admin interface and lan4 tagged, and the AP is a switch which tags all client traffic, but that is not important, I think, only mentioning it in case I'm wrong).
DHCP is set up fine. Everything works perfectly and is restricted to its own subnet.
My problem is the firewall part. My goal is to have lan1 able to reach everything, and all the others going out only (later I plan to restrict traffic more, but I'm still failing on the basics).
At first I set up zones as:
- zone1(lan1) -> wan: accept,accept,accept,
[x] masquerade
- zone2(lan2,3,4) -> wan: accept,accept,accept,
[x] masquerade
(The above means, for line 1 for example: zone1, with covered networks lan1, allows forwarding to destination wan; then the input, output, forward policies.)
At this point all is fine. All devices access the internet via NAT. No cross-subnet talk happens (except all LANs can ping the router IPs, no matter the interface, which I dislike but haven't investigated).
My firewall troubles start when I try to add the rule "lan1 can access other LANs", as such:
- zone3(lan1) -> zone2(lan2,3,4): accept,accept,accept,
[ ] masquerade
As soon as I press save on the dialog, LuCI ignores zone3 and changes zone1 to be:
- zone1(lan1) -> wan,zone2(lan2,3,4): accept,accept,accept,
[x] masquerade
That is, LuCI adds the target zone of the new rule (without masquerade) into the existing one that had masquerade... which will enable masquerade on everything, which is not my desire.
What am I doing wrong here?
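For comparison, here is an added `/etc/config/firewall` fragment (not from the original post) expressing the intended policy the way OpenWrt's firewall model is structured: masquerading is a property of the zone whose interfaces traffic leaves through (so it belongs on the wan zone only, never on a LAN zone), the per-zone "forward to" list in LuCI is a view of separate `config forwarding` sections, and a zone's own `forward` option governs traffic between networks inside that zone. Interface names lan1..lan4 and wan are assumed to match the network config.

```uci
# Zone for the trusted LAN (may reach everything).
# input ACCEPT is also why every LAN can reach the router's IPs on any interface;
# tighten to REJECT plus explicit DHCP/DNS rules if that is unwanted.
config zone
	option name 'lan1'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# One zone for the isolated LANs. forward REJECT blocks lan2<->lan3<->lan4 traffic.
config zone
	option name 'lan_rest'
	list network 'lan2'
	list network 'lan3'
	list network 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only zone with masquerading: NAT applies to traffic leaving via wan.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Forwarding pairs are separate sections; they carry no masquerade flag.
config forwarding
	option src 'lan1'
	option dest 'wan'

config forwarding
	option src 'lan_rest'
	option dest 'wan'

# lan1 -> other LANs only; no reverse forwarding, so lan2/3/4 cannot initiate into lan1.
config forwarding
	option src 'lan1'
	option dest 'lan_rest'
```

After editing, `/etc/init.d/firewall restart` applies it; `iptables -t nat -S POSTROUTING` should then show MASQUERADE only for the wan zone chain.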