Hi there,
I have tried several things and I can't figure out the problem.
I want the following:
for now:
zone security: WAN/internet access.
zone lan: access to zone security.
later:
zone security: no WAN, just the SMTP ports for IP 192.168.60.240; no one else should have access to the WAN.
my firewall:
# Zone-independent defaults: traffic to the router (input) and from it
# (output) is accepted unless a zone says otherwise; forwarding between
# zones is rejected unless an explicit 'config forwarding' or 'config rule'
# further down allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# SYN-flood rate limiting on the router.
option synflood_protect '1'
# Trusted zone. Both the 'lan' and the 'vpn' interface are members, so
# anything arriving over 'vpn' gets the same access as a wired lan host:
# router input, forwarding between the two member interfaces, and every
# 'config forwarding' with src 'lan' below.
# NOTE(review): if 'vpn' carries remote clients, confirm that full lan-level
# trust for them is intended.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan vpn'
# Guest zone: hosts may neither reach the router (input) nor other zones
# (forward) except through the explicit rules and forwardings further down
# (DHCP to the router, DNS to the PiHole, forwarding to 'wan').
config zone 'lan_guest'
option name 'lan_guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option network 'lan_guest'
# IoT zone with internet access. Anonymous section (no section id): rules
# and forwardings below refer to it by 'name' ('iot_online2'), while
# 'network' is the interface it covers ('IoT_Online' - note the different
# spelling; the two are not required to match).
config zone
option output 'ACCEPT'
option network 'IoT_Online'
option name 'iot_online2'
option input 'REJECT'
option forward 'REJECT'
# Security zone, referenced by name 'security'. input 'REJECT' also refuses
# DNS and other services on the router itself (192.168.60.1); the only
# traffic this zone may initiate is what the 'Security Allow ...' rules and
# the forwardings with src 'security' below grant.
# NOTE(review): if DHCP hands these clients the router as DNS server, name
# resolution fails under this policy - the clients must be pointed at the
# PiHole (192.168.0.10) directly, or an input rule for port 53 is needed.
config zone
option name 'security'
option output 'ACCEPT'
option forward 'REJECT'
option network 'security'
option input 'REJECT'
# Upstream zone: source NAT ('masq') and MSS clamping ('mtu_fix') for
# traffic leaving via 'wan'; unsolicited inbound traffic is rejected except
# for the 'Allow-*' rules that follow.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
# The rules from here to 'Support-UDP-Traceroute' appear to be OpenWrt's
# stock WAN input rules, unmodified: they open only what the router itself
# needs from the upstream side (DHCP lease renewal, ping, IGMP, DHCPv6/MLD
# and rate-limited ICMPv6) plus IPsec/IKE into 'lan'.
# WAN-side DHCP replies (UDP 68) to the router itself.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 ping of the router from the internet.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 only between unique-local/link addresses (fc00::/6).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 needed for IPv6 to function (PMTU, NDP), rate-limited to the router.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same ICMPv6 subset, forwarded to any zone (dest '*'), rate-limited.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec ESP and IKE (UDP 500) from the internet are forwarded into 'lan'.
# NOTE(review): these two are stock rules; if no IPsec endpoint lives in
# 'lan', they can be disabled (option enabled '0') to shrink the surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
# Disabled (enabled '0'); would answer UDP traceroute probes with a reject.
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Runs the hand-written commands in /etc/firewall.user on every reload.
# NOTE(review): that file is not shown; anything in it bypasses the zone
# model above and must be reviewed together with this config.
config include
option path '/etc/firewall.user'
option reload '1'
# No 'dest' -> matches traffic to the router itself: lets guest clients get
# a lease from the router's DHCP server (UDP 68 -> 67) despite the zone's
# input 'REJECT'.
config rule
option src 'lan_guest'
option target 'ACCEPT'
option name 'Guest allowed to DHCP'
list proto 'udp'
option src_port '68'
option dest_port '67'
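# Guest DNS: only the PiHole at 192.168.0.10 in 'lan' is reachable, and only
# on port 53. TCP is allowed alongside UDP because resolvers retry over TCP
# when a UDP reply is truncated; a UDP-only rule causes intermittent lookup
# failures for larger responses.
config rule
option name 'Guest allowed PiHole'
option src 'lan_guest'
option dest_port '53'
option dest 'lan'
option target 'ACCEPT'
list proto 'udp'
list proto 'tcp'
list dest_ip '192.168.0.10'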
# Zone-to-zone forwarding. Each entry is one direction only; reply packets
# are matched by connection tracking. Guest and lan may initiate to the
# internet; lan may initiate into the guest zone (not the reverse).
config forwarding
option src 'lan_guest'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'lan_guest'
# Isolated IoT zone: no 'config forwarding' with src 'iot_offline' exists in
# this file, so it has no path to 'wan'; only 'lan' may initiate into it
# (forwarding below). input 'DROP' (the other zones use 'REJECT') means the
# router silently discards packets to itself instead of sending a rejection.
config zone
option name 'iot_offline'
option network 'IoT'
option forward 'REJECT'
option output 'ACCEPT'
option input 'DROP'
# DHCP to the router (no 'dest') for the isolated IoT zone; needed because
# the zone's input policy is 'DROP'.
config rule
option name 'Allow DHCP iot_offline'
list proto 'udp'
option src 'iot_offline'
option target 'ACCEPT'
option src_port '68'
option dest_port '67'
# lan may initiate connections into the isolated IoT zone; the reverse is
# not granted anywhere in this file.
config forwarding
option src 'lan'
option dest 'iot_offline'
# DHCP to the router (no 'dest') for the online IoT zone (input 'REJECT').
config rule
option name 'Allow DHCP iot_online'
list proto 'udp'
option src 'iot_online2'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
# Online IoT zone may initiate to the internet; lan may initiate into it.
config forwarding
option src 'iot_online2'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'iot_online2'
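# IoT DNS to the PiHole. Restricted to 192.168.0.10 like the guest and
# security DNS rules in this file - without 'dest_ip' the rule opened port 53
# on every host in 'lan'. TCP is allowed alongside UDP for the truncated-
# response fallback.
config rule
option name 'Allow PiHole to iot_online'
list proto 'udp'
list proto 'tcp'
option src 'iot_online2'
option dest 'lan'
list dest_ip '192.168.0.10'
option dest_port '53'
option target 'ACCEPT'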
# DHCP to the router (no 'dest') for the security zone (input 'REJECT').
config rule
option name 'Security Allow DHCP'
list proto 'udp'
option src 'security'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
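# Security-zone DNS: only the PiHole at 192.168.0.10 in 'lan', port 53.
# TCP is allowed alongside UDP because resolvers retry over TCP when a UDP
# reply is truncated; UDP-only causes intermittent failures for larger
# responses.
config rule
option name 'Security Allow PiHole'
option src 'security'
option dest 'lan'
list dest_ip '192.168.0.10'
option dest_port '53'
option target 'ACCEPT'
list proto 'udp'
list proto 'tcp'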
# security -> wan gives the whole security zone internet access (the
# "for now" goal). For the later goal (only 192.168.60.240, only SMTP),
# remove this forwarding and replace it with a 'config rule' carrying
# src 'security', dest 'wan', src_ip '192.168.60.240', proto 'tcp',
# dest_port set to the SMTP port(s) actually used, target 'ACCEPT'; the
# zone's forward 'REJECT' then blocks every other host.
config forwarding
option src 'security'
option dest 'wan'
# lan hosts may initiate connections into the security zone.
config forwarding
option src 'lan'
option dest 'security'
my interface:
# Interface behind the 'security' zone: static 192.168.60.1/24 on VLAN 60 of
# eth0. NOTE(review): the switch/VLAN configuration is not shown - confirm
# VLAN 60 is actually tagged on the port(s) the security devices use.
# 'dns' here is the resolver the router itself uses for this interface, not
# what DHCP hands to clients; the firewall rule to 192.168.0.10:53 only helps
# if clients are configured (via DHCP option or statically) to use the
# PiHole directly - the dhcp config is not shown, so verify that.
config interface 'security'
option proto 'static'
option ifname 'eth0.60'
option ipaddr '192.168.60.1'
option netmask '255.255.255.0'
list dns '192.168.0.10'
thank you so much.