even though they have their own firewall zone
quite recently we solved setting up interfaces
and came to the conclusion that it is best to use device '@lan'
I am doing the same now for tmp_old_lan interface, in an effort moving IoT devices from a previous network scheme over to the network scheme I am setting up now.
the problem is is that setting up such an interface looks like it imidiatly enables devices on that network segment to phone home.
uci export network; uci export firewall
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2b:1367:f843::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.0.0'
option ipaddr '10.1.0.1'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config interface 'virtualization'
option proto 'static'
option ipaddr '10.2.0.1'
option netmask '255.255.0.0'
option device '@lan'
config interface 'trusted'
option proto 'static'
option device 'eth0.40'
option ipaddr '10.4.0.1'
option netmask '255.255.0.0'
config interface 'guests'
option proto 'static'
option device 'eth0.50'
option ipaddr '10.5.0.1'
option netmask '255.255.0.0'
config interface 'iot'
option proto 'static'
option device 'eth0.60'
option ipaddr '10.6.0.1'
option netmask '255.255.0.0'
config interface 'peripherals'
option proto 'static'
option device 'eth0.70'
config interface 'tmp_old_lan'
option proto 'static'
option device '@lan'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'trusted'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'virtualization'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'virtualization'
config zone
option name 'guests'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'guests'
config rule
option name 'Allow-DNS-DHCP-Guest'
option src 'guests'
option target 'ACCEPT'
option family 'ipv4'
list proto 'udp'
option dest_port '53 67'
config forwarding
option src 'guests'
option dest 'wan'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config zone
option name 'peripherals'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'peripherals'
config zone
option name 'tmp_old_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'tmp_old_lan'
how can I force interfaces device '@lan' to listen to their firewall zones or did I incorrectly configure the firewall zone?