How to open a pinhole DMZ -> LAN?

I am using OpenWrt on a small amd64 box with multiple NICs.
Specifically I have LAN, WAN, DMZ and BKP (backup uplink).

I have a WEB server on DMZ which needs to access my git server on LAN (on nonstandard port, if it matters).

gitserver has a DHCP-served IPv4 address and I can access it by name from LAN.

I have two problems:

  1. webserver on DMZ doesn't resolve my git server name.

  2. I need to open a pinhole in firewall to be able to reach gitserver.

Can someone tell me how to do this (preferably using LUCI) or point me to relevant documentation? I tried searching but I got lost and I'm unsure.

TiA!

Network->Firewall->Traffic Rules tab.
Add a new rule.
Give it a distinctive name.
For protocol use TCP.
Source zone is DMZ.
Source address is the IP of the web server.
Destination zone is LAN.
Destination IP is the git server IP.
Destination port is whatever port git server is listening.
Action is accept.

As for the first question, make sure that there is a domain name for the git server and that the web server is using OpenWrt as its nameserver.
If you still have questions:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thanks trendy,
I have a strange behavior.
Here is the info you requested (after opening the pinhole as per your instructions):

root@openwrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "6.1.0-18-amd64",
	"hostname": "openwrt",
	"system": "Intel(R) Celeron(R) CPU N3450 @ 1.10GHz",
	"model": "AZW Gemini T34-M",
	"board_name": "azw-gemini-t34-m",
	"rootfs_type": "btrfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.7.254'
	option netmask '255.255.255.0'
	option device 'eth0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'dmz'
	option proto 'static'
	option ipaddr '192.168.77.254'
	option netmask '255.255.255.0'
	option device 'eth2'

config interface 'bkp'
	option proto 'dhcp'
	option device 'eth3'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'incus'
	option mac '2A:97:A4:B9:2E:57'
	option ip '192.168.7.98'
	option leasetime 'infinite'

config dhcp 'dmz'
	option interface 'dmz'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'webserver'
	option dns '1'
	option mac '00:16:3E:05:A2:04'
	option ip '192.168.77.110'
	option leasetime 'infinite'

config domain
	option name 'blog.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'wiki.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'git.condarelli.it'
	option ip '192.168.7.90'

config host
	option name 'cinderella'
	option dns '1'
	option mac 'E0:D5:5E:A0:21:0F'
	option ip '192.168.7.12'
	option leasetime 'infinite'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'

config zone
	option name 'bp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'bkp'

config forwarding
	option src 'lan'
	option dest 'bp'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'bp'

config forwarding
	option src 'dmz'
	option dest 'wan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
root@openwrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "6.1.0-18-amd64",
	"hostname": "openwrt",
	"system": "Intel(R) Celeron(R) CPU N3450 @ 1.10GHz",
	"model": "AZW Gemini T34-M",
	"board_name": "azw-gemini-t34-m",
	"rootfs_type": "btrfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.7.254'
	option netmask '255.255.255.0'
	option device 'eth0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'dmz'
	option proto 'static'
	option ipaddr '192.168.77.254'
	option netmask '255.255.255.0'
	option device 'eth2'

config interface 'bkp'
	option proto 'dhcp'
	option device 'eth3'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'incus'
	option mac '2A:97:A4:B9:2E:57'
	option ip '192.168.7.98'
	option leasetime 'infinite'

config dhcp 'dmz'
	option interface 'dmz'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'webserver'
	option dns '1'
	option mac '00:16:3E:05:A2:04'
	option ip '192.168.77.110'
	option leasetime 'infinite'

config domain
	option name 'blog.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'wiki.condarelli.it'
	option ip '192.168.77.110'

config domain
	option name 'git.condarelli.it'
	option ip '192.168.7.90'

config host
	option name 'cinderella'
	option dns '1'
	option mac 'E0:D5:5E:A0:21:0F'
	option ip '192.168.7.12'
	option leasetime 'infinite'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'

config zone
	option name 'bp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'bkp'

config forwarding
	option src 'lan'
	option dest 'bp'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'bp'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-websewrver-to-git'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '192.168.77.110'
	option dest 'lan'
	list dest_ip '129.168.7.90'
	option dest_port '17022'
	option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.2.60/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth3
       valid_lft forever preferred_lft forever
13: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.7.254/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever
14: eth2@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.77.254/24 brd 192.168.77.255 scope global eth2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth3  src 192.168.1.2 
192.168.1.0/24 dev eth3 scope link  src 192.168.1.2 
192.168.2.0/24 dev eth1 scope link  src 192.168.2.60 
192.168.7.0/24 dev eth0 scope link  src 192.168.7.254 
192.168.77.0/24 dev eth2 scope link  src 192.168.77.254 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.1.2 dev eth3 table local scope host  src 192.168.1.2 
broadcast 192.168.1.255 dev eth3 table local scope link  src 192.168.1.2 
local 192.168.2.60 dev eth1 table local scope host  src 192.168.2.60 
broadcast 192.168.2.255 dev eth1 table local scope link  src 192.168.2.60 
local 192.168.7.254 dev eth0 table local scope host  src 192.168.7.254 
broadcast 192.168.7.255 dev eth0 table local scope link  src 192.168.7.254 
local 192.168.77.254 dev eth2 table local scope host  src 192.168.77.254 
broadcast 192.168.77.255 dev eth2 table local scope link  src 192.168.77.254 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Nov 14 13:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May  6 23:06 /tmp/resolv.conf
-rw-r--r--    1 root     root           142 Apr 23 01:20 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           142 Apr 23 01:20 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface bkp
nameserver 192.168.1.1
search homenet.telecomitalia.it
# Interface wan
nameserver 192.168.2.1
search homenet.telecomitalia.it
root@openwrt:~# 

First of all, webserver seems unable to resolve git.condarelli.it; to avoid mixing issues I added a stanza:

192.168.7.90  git.condarelli.it

to my /etc/hosts on webserver and thus it resolves OK.

Unfortunately this doesn't seem enough, as I get the following (the first error on ping is expected because I didn't allow ICMP in the firewall rule; it just shows that git.condarelli.it is resolved correctly):

mcon@cinderella:~$ ssh blog.condarelli.it
Linux webserver 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May  7 09:55:02 2024 from 192.168.7.12
mcon@webserver:~$ cd vitepress
mcon@webserver:~/vitepress$ ping -c3 git.condarelli.it
ping: git.condarelli.it: Name or service not known
mcon@webserver:~/vitepress$ ping -c3 git.condarelli.it
PING git.condarelli.it (192.168.7.90) 56(84) bytes of data.
From OpenWrt.lan (192.168.77.254) icmp_seq=1 Destination Port Unreachable
From OpenWrt.lan (192.168.77.254) icmp_seq=2 Destination Port Unreachable
From OpenWrt.lan (192.168.77.254) icmp_seq=3 Destination Port Unreachable

--- git.condarelli.it ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms

mcon@webserver:~/vitepress$ git pull
ssh: connect to host git.condarelli.it port 17022: Connection refused
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
mcon@webserver:~/vitepress$ ssh -p 17022 git.condarelli.it
ssh: connect to host git.condarelli.it port 17022: Connection refused
mcon@webserver:~/vitepress$ ssh -p 17022 -vvv git.condarelli.it
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug2: resolving "git.condarelli.it" port 17022
debug3: resolve_host: lookup git.condarelli.it:17022
debug3: ssh_connect_direct: entering
debug1: Connecting to git.condarelli.it [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.7.90 port 17022: Connection refused
ssh: connect to host git.condarelli.it port 17022: Connection refused
mcon@webserver:~/vitepress$ 

Note this works as expected from cinderella (my workstation on LAN):

mcon@cinderella:/tmp$ ssh -p 17022 -vvv git.condarelli.it
OpenSSH_9.7p1 Debian-4, OpenSSL 3.2.2-dev 
debug1: Reading configuration data /home/mcon/.ssh/config
debug1: /home/mcon/.ssh/config line 124: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug2: resolving "git.condarelli.it" port 17022
debug3: resolve_host: lookup git.condarelli.it:17022
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to git.condarelli.it [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/mcon/.ssh/id_rsa type 0
debug1: identity file /home/mcon/.ssh/id_rsa-cert type -1
debug1: identity file /home/mcon/.ssh/id_ecdsa type -1
debug1: identity file /home/mcon/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mcon/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/mcon/.ssh/id_ecdsa_sk-cert type -1
...

What am I missing?

For the resolving, can you try:
dig @192.168.77.1 git.condarelli.it or nslookup git.condarelli.it 192.168.77.1 from the webserver? It might not be using the correct nameserver.

The firewall rule is correct, but since you get "connection refused", you are being blocked by a firewall. It is possible that there is a firewall on the git server blocking connections from other networks. Can you verify that?

Thanks trendy,
sorry for the late answer, I was "a little busy" :wink:

This is really funny.
After removing /etc/hosts entry I get:

mcon@webserver:~/vitepress$ dig @192.168.77.254 git.condarelli.it

; <<>> DiG 9.18.24-1-Debian <<>> @192.168.77.254 git.condarelli.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;git.condarelli.it.		IN	A

;; ANSWER SECTION:
git.condarelli.it.	0	IN	A	192.168.7.90

;; Query time: 0 msec
;; SERVER: 192.168.77.254#53(192.168.77.254) (UDP)
;; WHEN: Wed May 08 18:18:54 CEST 2024
;; MSG SIZE  rcvd: 62

mcon@webserver:~/vitepress$ cat /etc/resolv.conf 
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .
mcon@webserver:~/vitepress$ resolvectl status
Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 18 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.77.254
       DNS Servers: 192.168.77.254
mcon@webserver:~/vitepress$ ping -c3 git.condarelli.it
PING git.condarelli.it (192.168.7.90) 56(84) bytes of data.
From OpenWrt.lan (192.168.77.254) icmp_seq=1 Destination Port Unreachable
From OpenWrt.lan (192.168.77.254) icmp_seq=2 Destination Port Unreachable
From OpenWrt.lan (192.168.77.254) icmp_seq=3 Destination Port Unreachable

--- git.condarelli.it ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2004ms

mcon@webserver:~/vitepress$ git pull
ssh: Could not resolve hostname git.condarelli.it: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
mcon@webserver:~/vitepress$ ssh -p 17022 -vv git.condarelli.it
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "git.condarelli.it" port 17022
ssh: Could not resolve hostname git.condarelli.it: Name or service not known
mcon@webserver:~/vitepress$ 

which doesn't seem to be a OpenWrt problem... or is it?

Anyway, my main problem is that the connection does not work as expected (the following is after re-enabling the /etc/hosts stanza 192.168.7.90 git.condarelli.it):

mcon@webserver:~/vitepress$ ssh -p 17022 -vvv git.condarelli.it
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug2: resolving "git.condarelli.it" port 17022
debug3: resolve_host: lookup git.condarelli.it:17022
debug3: ssh_connect_direct: entering
debug1: Connecting to git.condarelli.it [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.7.90 port 17022: Connection refused
ssh: connect to host git.condarelli.it port 17022: Connection refused

while from a machine sitting on LAN (192.168.7.0/24) i get regular:

mcon@cinderella:/tmp$ ssh -p 17022 -vvv 192.168.7.90
OpenSSH_9.7p1 Debian-4, OpenSSL 3.2.2-dev 
debug1: Reading configuration data /home/mcon/.ssh/config
debug1: /home/mcon/.ssh/config line 124: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.7.90 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.7.90 [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/mcon/.ssh/id_rsa type 0
...
debug2: shell request accepted on channel 0

Using terminal commands to modify system configs, execute external binary
files, add files, or install unauthorized third-party apps may lead to system
damages or unexpected behavior, or cause data loss. Make sure you are aware of
the consequences of each command and proceed at your own risk.

Warning: Data should only be stored in shared folders. Data stored elsewhere
may be deleted when the system is updated/restarted.

mcon:~$ 

What should I check?
TiA!

No, it seems to work correctly.

Run a tcpdump
opkg update; opkg install tcpdump; tcpdump -i eth0 -vnn host 192.168.7.90 and host 192.168.77.110
Start a ping or ssh or wget, capture some packets and post here.

I issued this on webserver:

mcon@webserver:~/vitepress$ ssh -p 17022 -vvv git.condarelli.it
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug2: resolving "git.condarelli.it" port 17022
debug3: resolve_host: lookup git.condarelli.it:17022
debug3: ssh_connect_direct: entering
debug1: Connecting to git.condarelli.it [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.7.90 port 17022: Connection refused
ssh: connect to host git.condarelli.it port 17022: Connection refused

and this is the capture on OpenWrt:

root@openwrt:~# tcpdump -i any -vnn host 192.168.7.90 and host 192.168.77.110
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:18:21.238454 eth2  In  IP (tos 0x10, ttl 64, id 30664, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.77.110.52038 > 192.168.7.90.17022: Flags [S], cksum 0xd647 (incorrect -> 0x2168), seq 23186875, win 64240, options [mss 1460,sackOK,TS val 2602556812 ecr 0,nop,wscale 7], length 0
21:18:21.238500 eth2  Out IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.7.90.17022 > 192.168.77.110.52038: Flags [R.], cksum 0xd633 (incorrect -> 0xfcd4), seq 0, ack 23186876, win 0, length 0
^C
2 packets captured
3 packets received by filter
0 packets dropped by kernel

I also tried directly using git:

mcon@webserver:~/vitepress$ git pull
ssh: connect to host git.condarelli.it port 17022: Connection refused
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

with very similar results:

root@openwrt:~# tcpdump -i any -vnn host 192.168.7.90 and host 192.168.77.110
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:19:38.439138 eth2  In  IP (tos 0x10, ttl 64, id 40298, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.77.110.55792 > 192.168.7.90.17022: Flags [S], cksum 0xd647 (incorrect -> 0x3ec8), seq 875905355, win 64240, options [mss 1460,sackOK,TS val 2602634013 ecr 0,nop,wscale 7], length 0
21:19:38.439223 eth2  Out IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.7.90.17022 > 192.168.77.110.55792: Flags [R.], cksum 0xd633 (incorrect -> 0x47c7), seq 0, ack 875905356, win 0, length 0
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel

Interpretation is beyond me, but the "incorrect" checksum doesn't look good.

Note: I changed to -i any because the two segments (192.168.7.x aka LAN on eth0 and 192.168.77.x aka DMZ on eth2) are on separate NICs.
Capturing on -i eth0 does not show anything.

Thanks for your continued support.

AARGGHHH!!!
SORRY!!!
My BAD.
The forwarding problem was "just" that I mistyped the git server address in the forwarding rule (129.168.7.90 instead of 192.168.7.90).
Of course it didn't allow it.

I am still fighting the DNS issue, though.

Many THANKS for your support.

For the DNS I don't see any issue from OpenWrt.
When you query OpenWrt directly for the git address, you get an answer.
You can set up a tcpdump on OpenWrt to verify that you receive the queries from the web server and send the correct answers; otherwise it might be some ad-blocking or similar on the web server hijacking the queries.
tcpdump -i eth2 -vnn port 53

I am positively getting crazy.

I'm not sure this is an OpenWrt problem, but I would appreciate your insight.

This is what I tried to do; notice that the same command behaves differently only a few seconds apart:

mcon@webserver:/root$ dig git.condarelli.it

; <<>> DiG 9.18.24-1-Debian <<>> git.condarelli.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;git.condarelli.it.		IN	A

;; ANSWER SECTION:
git.condarelli.it.	0	IN	A	192.168.7.90

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu May 09 12:27:33 CEST 2024
;; MSG SIZE  rcvd: 62

This seems correct.

mcon@webserver:/root$ ssh -p 17022 -vvv git.condarelli.it
OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mcon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mcon/.ssh/known_hosts2'
debug2: resolving "git.condarelli.it" port 17022
debug3: resolve_host: lookup git.condarelli.it:17022
debug3: ssh_connect_direct: entering
debug1: Connecting to git.condarelli.it [192.168.7.90] port 17022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
... I can send the whole stuff, if useful ...
debug2: shell request accepted on channel 0

Using terminal commands to modify system configs, execute external binary
files, add files, or install unauthorized third-party apps may lead to system
damages or unexpected behavior, or cause data loss. Make sure you are aware of
the consequences of each command and proceed at your own risk.

Warning: Data should only be stored in shared folders. Data stored elsewhere
may be deleted when the system is updated/restarted.

mcon:~$ logout
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
...
Connection to git.condarelli.it closed.
Transferred: sent 4308, received 3904 bytes, in 4.1 seconds
Bytes per second: sent 1040.7, received 943.1
debug1: Exit status 0

This also seems OK.

mcon@webserver:/root$ cd
mcon@webserver:~$ cd vitepress
mcon@webserver:~/vitepress$ git pull
ssh: connect to host git.condarelli.it port 17022: No route to host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

This is botched

mcon@webserver:~/vitepress$ ssh -p 17022 git.condarelli.it
ssh: connect to host git.condarelli.it port 17022: No route to host
mcon@webserver:~/vitepress$ 

... and this, which is exactly the same command as above (minus verbosity), also doesn't work anymore.

Here is the output of tcpdump -i eth2 -vnn port 53 on OpenWrt:

root@openwrt:~# tcpdump -i eth2 -vnn port 53
tcpdump: listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:26:07.906912 IP (tos 0x0, ttl 64, id 13017, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.36472 > 192.168.77.254.53: 53227+ A? git.condarelli.it. (35)
10:26:07.907144 IP (tos 0x0, ttl 64, id 18851, offset 0, flags [DF], proto UDP (17), length 79)
    192.168.77.254.53 > 192.168.77.110.36472: 53227* 1/0/0 git.condarelli.it. A 192.168.7.90 (51)
10:27:33.708289 IP (tos 0x0, ttl 64, id 10787, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.38548 > 192.168.77.254.53: 26187+ A? git.condarelli.it. (35)
10:27:33.708533 IP (tos 0x0, ttl 64, id 37772, offset 0, flags [DF], proto UDP (17), length 79)
    192.168.77.254.53 > 192.168.77.110.38548: 26187* 1/0/0 git.condarelli.it. A 192.168.7.90 (51)
10:27:52.518207 IP (tos 0x0, ttl 64, id 16147, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.36750 > 192.168.77.254.53: 49226+ A? git.condarelli.it. (35)
10:27:52.518455 IP (tos 0x0, ttl 64, id 37981, offset 0, flags [DF], proto UDP (17), length 79)
    192.168.77.254.53 > 192.168.77.110.36750: 49226* 1/0/0 git.condarelli.it. A 192.168.7.90 (51)
10:27:52.518641 IP (tos 0x0, ttl 64, id 26022, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.34771 > 192.168.77.254.53: 56935+ AAAA? git.condarelli.it. (35)
10:27:52.615723 IP (tos 0x0, ttl 64, id 37997, offset 0, flags [DF], proto UDP (17), length 151)
    192.168.77.254.53 > 192.168.77.110.34771: 56935 1/1/0 git.condarelli.it. CNAME mcon.ddnsking.com. (123)
10:27:52.616809 IP (tos 0x0, ttl 64, id 40811, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.56682 > 192.168.77.254.53: 38536+ AAAA? mcon.ddnsking.com. (35)
10:27:52.624396 IP (tos 0x0, ttl 64, id 38000, offset 0, flags [DF], proto UDP (17), length 120)
    192.168.77.254.53 > 192.168.77.110.56682: 38536 0/1/0 (92)
10:28:51.510157 IP (tos 0x0, ttl 64, id 4995, offset 0, flags [none], proto UDP (17), length 63)
    192.168.77.110.40423 > 192.168.77.254.53: 22288+ A? mcon.ddnsking.com. (35)
10:28:51.553377 IP (tos 0x0, ttl 64, id 39800, offset 0, flags [DF], proto UDP (17), length 79)
    192.168.77.254.53 > 192.168.77.110.40423: 22288 1/0/0 mcon.ddnsking.com. A 79.34.241.74 (51)
10:32:44.736500 IP (tos 0x0, ttl 64, id 1136, offset 0, flags [none], proto UDP (17), length 73)
    192.168.77.110.36123 > 192.168.77.254.53: 6005+ A? ipcast1.dynupdate.no-ip.com. (45)
10:32:44.736502 IP (tos 0x0, ttl 64, id 42606, offset 0, flags [none], proto UDP (17), length 73)
    192.168.77.110.47411 > 192.168.77.254.53: 41463+ AAAA? ipcast1.dynupdate.no-ip.com. (45)
10:32:44.742045 IP (tos 0x0, ttl 64, id 18536, offset 0, flags [DF], proto UDP (17), length 89)
    192.168.77.254.53 > 192.168.77.110.36123: 6005 1/0/0 ipcast1.dynupdate.no-ip.com. A 204.16.253.153 (61)
10:32:44.791809 IP (tos 0x0, ttl 64, id 18538, offset 0, flags [DF], proto UDP (17), length 124)
    192.168.77.254.53 > 192.168.77.110.47411: 41463 0/1/0 (96)
10:32:44.792983 IP (tos 0x0, ttl 64, id 24296, offset 0, flags [none], proto UDP (17), length 73)
    192.168.77.110.46163 > 192.168.77.254.53: 55546+ A? ipcast2.dynupdate.no-ip.com. (45)
10:32:44.793397 IP (tos 0x0, ttl 64, id 9973, offset 0, flags [none], proto UDP (17), length 73)
    192.168.77.110.45934 > 192.168.77.254.53: 44841+ AAAA? ipcast2.dynupdate.no-ip.com. (45)
10:32:44.843541 IP (tos 0x0, ttl 64, id 18551, offset 0, flags [DF], proto UDP (17), length 89)
    192.168.77.254.53 > 192.168.77.110.46163: 55546 1/0/0 ipcast2.dynupdate.no-ip.com. A 45.54.64.153 (61)
10:32:44.846986 IP (tos 0x0, ttl 64, id 18552, offset 0, flags [DF], proto UDP (17), length 124)
    192.168.77.254.53 > 192.168.77.110.45934: 44841 0/1/0 (96)
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel

Note that on the Internet side git.condarelli.it is a CNAME pointing to mcon.ddnsking.com, which in turn points to my public IP (i.e. OpenWrt); no ports are open or redirected on OpenWrt, so nothing useful happens there. I wanted to short-cut DMZ -> LAN without going out to the Internet.

Any insight would be VERY appreciated.

The problem is that your applications try IPv6 first. Since there is no local AAAA record, the AAAA query goes to the Internet nameservers, which return the CNAME; the client then tries to reach the WAN address and gets blocked.
Quick fix: add `-4` to the ssh command, and the equivalent option for git.
Long-term fix: add a static AAAA record.

BINGO!

Thanks.
Is there some way I can completely disable IPv6 (which I don't use)?

Run `modprobe -r ipv6` on the git server and the web server.
However, it is easier to set up the AAAA record with the ULA address they will get.

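# Give the router a ULA prefix so hosts on the local zones get stable
# private IPv6 addresses (the git server's static AAAA record can then
# point at one of them).
#
# The prefix must be a syntactically valid IPv6 prefix inside fd00::/8:
# every hextet holds at most four hex digits, so a value such as
# 'fdab:abcbd::/48' (five digits in the second group) is not parseable.
# The value below is a constructed example; pick your own random prefix.
ula_prefix='fdab:abcd::/48'

uci set network.globals=globals
uci set network.globals.ula_prefix="$ula_prefix"
# Commit first; only restart the network if the commit succeeded.
uci commit network && service network restart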

Thanks.
Your method won't work for the web server, as it is a Debian box and has IPv6 compiled into the kernel (not as a module).
I solved adding:

###################################################################
# Disable IPv6
#
# NOTE(review): as I understand the kernel sysctl semantics, 'all'
# covers every interface that exists now and 'default' covers any
# interface created later, so the first two lines should already be
# enough; the 'lo' and 'eth0' lines are explicit repeats. Bear in mind
# the 'eth0' line silently stops matching if the interface is ever
# renamed. These take effect after `sysctl -p` (or a reboot).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
#

to /etc/sysctl.conf, but I'm curious about the AAAA record; I fail to understand what ula_prefix is supposed to do. Can you point me to the relevant documentation, please?

It's a private IPv6 address range, analogous to 192.168.x.y, and one exists by default in any OpenWrt installation.