Multiple forwardings between separate LAN and WAN zones

First, please take a gander at the screenshot of what I'm trying to realize:

To summarize, I've three WAN zones:

  • self-explanatory wan
  • WGZ1: first WireGuard VPN connection
  • WGZ2: second WireGuard VPN connection

What I'm trying to accomplish here is, have different Ethernet ports provide access to either of the above connections separately, e.g. ports 1 and 2 connects to regular local WAN, port 3 (VPZ1) connects to first VPN and port 4 (VPZ2) to the second.

I honestly thought this would be a pretty straightforward setting, have different interfaces and have the firewall forward between them. But in practice, I found only one of the LAN zones actually gets to forward anything to the WAN zones. What am I doing wrong? Do I need to reshuffle the firewall rules, what needs to come first?

NB All the firewall forwarding configurations were done over LuCi, not SSH.

1 Like

VPN policy routing does seem to be the thing I'm looking for, but do you have any guides or examples on its usage? I can understand individual bits, but not how to use them to do my bidding.

Also, while not important to me right now, how does it interact with the default firewall rules?

Both docs and examples are linked in the above article.
Although you may find the app's web interface more intuitive.

I've seen them both, but I can't figure out how to make an interface-based policy. Maybe use the IP address range assigned to the said interface?

1 Like

VPN policy routing helps with domains, IP sets, and MACs.
So, you can create policies based on the source subnet.
But rules by the source interface are only available with netifd.

Oh, I ignored netifd because of the "VPN" in the "VPN Policy-Based Routing." But it is still confusing to me. If PBR can affect routing, isn't it overlapping with firewall? Should I expect to debug conflicts? Am I supposed to create a VPN zone like normal and then apply the netifd rules?

Routing and firewall may appear to overlap to some extent.
However, there are distinctive differences.

Routing is primary and essential, and even stateless NAT can be implemented.
So, network can work with just routing, but cannot work with just firewall.

Firewall provides precise permission control and traffic manipulation.
This makes possible to filter local input/output and transit ingress/egress traffic.

Thus, both routing and firewall should be configured accordingly.

By the way, custom rules for netifd should look like this:

uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set"lan"
uci set network.lan_wan.lookup="wan"
uci set network.lan_wan.priority="30000"
uci -q delete network.vpz1_wgz1
uci set network.vpz1_wgz1="rule"
uci set"vpz1"
uci set network.vpz1_wgz1.lookup="wgz1"
uci set network.vpz1_wgz1.priority="30000"
uci -q delete network.vpz2_wgz2
uci set network.vpz2_wgz2="rule"
uci set"vpz2"
uci set network.vpz2_wgz2.lookup="wgz2"
uci set network.vpz2_wgz2.priority="30000"
uci commit network
/etc/init.d/network restart