Single network interface in multiple firewall zones?

Is it possible to have a single interface appearing on multiple zones? For example:

config zone
	option name 'inet_usr'
	list network 'lan'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'srv_usr'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'servers'
	list network 'servers'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'inet_usr'
	option dest 'wan'

config forwarding
	option src 'srv_usr'
	option dest 'servers'

I want both guests and lan to access the Internet, but only lan is allowed to access servers. Are such configurations valid?

No. An interface must only appear in a single firewall zone.

Not a problem. Two ways this can be done:

  1. Make a firewall zone for the guest network. Allow forwarding from guest > wan. The guest network will be able to reach the wan, but not the lan or the servers.
  2. Similar to above, but put the server network into the lan zone. By default, the lan zone has forward = accept, which will allow forwarding from lan > server networks (and also server > lan).

For some reason, the LuCI interface lets me do that. After a fresh installation of 23.05.0-rc1, it allows me to add wan and wan6 to the lan zone:

After save & apply, these interfaces remain in wan zone, too.

The wan network must never be in the lan firewall zone. It will not work properly, and worse, it will open your router and network directly to the internet (i.e. bypassing the entire firewall).

Let's see your current complete firewall file.

I know what you mean. Above was just a bad example of what could be done via LuCI.

My firewall configuration is complex, and it is not very readable if you do not understand my network topology. I have ~15 departments, some of them need to access specific network resources (servers, CCTV, printers... etc) but the list overlaps. For example:

  • The Accounting department needs to access servers.
  • The Accounting department and Purchasing department need to access printers.
  • The Purchasing department and Human Resources department need to access CCTV system.

Each department is on its own subnet. I am wondering if I can put a network interface in multiple zones (svr_usr, prt_usr, cctv_users); that is the purpose of the question.

No. You cannot (even if it is physically possible to do it via LuCI). Your firewall will not work properly or predictably if you attempt this.

Each network must be assigned to at most one firewall zone (typically it would be exactly one, but you can actually leave a network unassociated with a firewall zone). You can allow or deny intra-zone forwarding, allow zone > zone forwardings (or deny them by not explicitly allowing them), and/or you can make more granular rules at the network or host level by IP addresses/subnets.

Should this be considered a bug of LuCI, which allows invalid configurations? If yes, I think we need to open a bug report.

I'm not sure that it would fully qualify as a bug, but it is certainly an inconsistency that could be addressed. It would require some additional parsing logic.

In the network interfaces section, you can only assign the network to a single firewall zone. However, in the firewall configuration, you can assign any network(s) to a given firewall zone, then edit another firewall zone and it will allow the selection of the same network(s) in this second zone. Logic would have to be built that would 'gray-out' the network(s) that are already associated with a firewall zone such that it cannot be added to a second zone.
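The check described above (a network may belong to at most one zone) is easy to run against the firewall file itself. The following Python script is an added example, not code from this thread, from OpenWrt or from LuCI: it parses the `config zone` sections of a UCI firewall file and reports every network listed in more than one zone, which flags the configuration from the original question. It also carries a constructed replacement layout in the style the replies recommend, with each network in exactly one zone, guest and lan each forwarded to wan, and one department subnet granted access to a single server through an IP-level `config rule`. The zone names, the 10.0.x.x addresses, port 445 and the existence of the default `wan` zone are assumptions made for the illustration.

```python
"""Flag networks claimed by more than one OpenWrt firewall zone, and sketch
the one-zone-per-network layout the thread recommends instead.
Added example: not code from the thread, from OpenWrt or from LuCI."""
import re
from collections import defaultdict

# Constructed copy of the zone/network assignments from the question
# (other zone options omitted): 'lan' appears in both inet_usr and srv_usr.
OVERLAPPING_CONFIG = """
config zone
    option name 'inet_usr'
    list network 'lan'
    list network 'guest'

config zone
    option name 'srv_usr'
    list network 'lan'
"""

# Constructed layout following the thread's advice: every network in exactly
# one zone, zone > zone forwardings, and a subnet-level rule for one department.
# The default 'wan' zone, zone names and 10.0.x.x addresses are assumptions.
SEPARATED_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'servers'
    list network 'servers'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option src 'lan'
    option src_ip '10.0.10.0/24'
    option dest 'servers'
    option dest_ip '10.0.50.10'
    option dest_port '445'
    option proto 'tcp'
    option target 'ACCEPT'
"""

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$")
VALUE_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci_sections(text):
    """Return [(type, {key: value | [values]})]; handles only the 'config',
    'option' and 'list' keywords of UCI syntax."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = VALUE_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1][1]
            if kind == 'option':
                opts[key] = value
            else:
                opts.setdefault(key, []).append(value)
    return sections

def zones_by_network(text):
    """Map each network name to the zones that list it."""
    owners = defaultdict(list)
    for stype, opts in parse_uci_sections(text):
        if stype != 'zone':
            continue
        nets = opts.get('network', [])
        if isinstance(nets, str):  # "option network 'a b'" form
            nets = nets.split()
        for net in nets:
            owners[net].append(opts.get('name', '<unnamed>'))
    return dict(owners)

def overlapping_networks(text):
    """Networks listed in more than one zone: {network: [zones]}."""
    return {n: z for n, z in zones_by_network(text).items() if len(z) > 1}
```

Running `overlapping_networks(OVERLAPPING_CONFIG)` returns `{'lan': ['inet_usr', 'srv_usr']}`, while the separated layout returns an empty dict. On a router the same check can be pointed at `/etc/config/firewall`; a non-empty result is the situation the thread says LuCI currently lets through without a warning.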
