I have set up three zones on my network: wan, lan, and "server-side." The lan side is where all of the consumer devices live and the "server-side" zone is where the home server lives. I've set up an additional vlan for this zone as well and a port-forward for me to access services outside my network. I've followed different guides on creating a DMZ which has led me here. Currently the "server-side" zone is able to access other hosts inside that zone when I have the redirect set:
```
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.26.xx'
	option dest_port '443'
	option name 'Apache'
	option dest 'ServerZone'
```
Yet when I change the destination zone to lan, I am able to access the services through their FQDN, but the services (run in LXC containers) are not able to access or look up any DNS records for each other. This wouldn't be a big issue at first glance, but I am starting to test out services that need to talk to different LXC containers and use SSL certificates for validation and security. They connect to each other through their FQDN.
I've made attempts to set up the forwarding between zones but that doesn't work; I've added rules to allow port 53 to communicate across the zone but that doesn't work. I've tried looking at the kernel logs (which are dog slow to populate by the way) and they say that port 53 is being blocked all around, even from within the zone to itself.
Here is a copy of my current firewall config:
```
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option conntrack '1'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'ServerZone'
	option network 'Server_Side'
	option log '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'Nextcloud Sync'
	option src_ip '192.168.25.5'
	option dest 'ServerZone'
	option dest_ip '192.168.26.14'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '3367'
	option dest_ip '192.168.25.4'
	option dest_port '3367'
	option name 'vpn'
	option proto 'udp'

config forwarding
	option dest 'ServerZone'
	option src 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.26.12'
	option dest_port '443'
	option name 'Apache'
	option dest 'ServerZone'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '53'
	option name 'DNS'
	option src 'ServerZone'
	option family 'ipv4'

config rule
	option target 'ACCEPT'
	option name 'HttpsSS'
	option src_port '443'
	option dest_port '443'
	option proto 'tcp'
	option src 'lan'
	option dest 'ServerZone'
	option enabled '0'

config forwarding
	option dest 'wan'
	option src 'ServerZone'

config forwarding
	option dest 'wan'
	option src 'lan'
```
The few rules that allow traffic to pass from lan to the server-side zone do work, but for some reason I am not able to get the DNS port 53 to pass and not be rejected. Here is a copy of the kernel message:
```
REJECT ServerZone in: IN=eth0.26 OUT= MAC=ADDRESS XX-XX-XX-XX SRC=192.168.26.20 DST=192.168.26.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=3780 PROTO=UDP SPT=56094 DPT=53 LEN=42
```
I've been beating my head against the wall trying to figure this one out. I want traffic to pass from lan to server-side through their FQDN and allow the server-side LXC services to be able to talk as well.
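As an added triage helper (not part of the original post and not OpenWrt's own code), the following parses the fw3 kernel log line quoted above and the `config rule` stanzas from the quoted firewall config, then lists which rules should cover the rejected packet. The log line and config excerpt are constructed from the post, and the fw3 conventions it assumes are that a rule without `dest` applies to the zone's input chain (traffic addressed to the router itself) and that a rule's default `proto` is `tcp udp`.

```python
import re
# Constructed sample: the kernel log line quoted in the post (MAC field left out).
LOG_LINE = ("REJECT ServerZone in: IN=eth0.26 OUT= SRC=192.168.26.20 DST=192.168.26.1 "
            "LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=3780 PROTO=UDP SPT=56094 DPT=53 LEN=42")
# Constructed excerpt of the post's /etc/config/firewall (two of its 'config rule' stanzas).
FIREWALL_CFG = """
config rule
	option proto 'udp'
	option dest_port '53'
	option name 'DNS'
	option src 'ServerZone'
config rule
	option src 'lan'
	option dest 'ServerZone'
	option name 'HttpsSS'
	option enabled '0'
"""
def parse_log(line):
    """Split an fw3 log line into verdict, zone, chain (in/forward/out) and its KEY=VALUE fields."""
    verdict, zone, chain, rest = re.match(r"(\w+) (\S+) (in|forward|out): (.*)", line).groups()
    return {"verdict": verdict, "zone": zone, "chain": chain, **dict(re.findall(r"(\w+)=(\S*)", rest))}

def parse_rules(cfg):
    """Collect every 'config rule' stanza into a dict of its options (UCI quotes stripped)."""
    rules, cur = [], None
    for raw in cfg.splitlines():
        tok = raw.strip().split(None, 2)
        if tok and tok[0] == "config":
            cur = {} if tok[1] == "rule" else None       # skip zones, redirects, forwardings
            if cur is not None:
                rules.append(cur)
        elif tok and tok[0] == "option" and cur is not None:
            cur[tok[1]] = tok[2].strip("'\"")
    return rules

def matching_rules(pkt, rules):
    """Names of enabled rules whose chain, src zone, protocol and dest port cover the packet."""
    hits = []
    for r in rules:
        chain = "forward" if "dest" in r else "in"       # no 'dest' => traffic to the router itself
        if r.get("enabled", "1") == "0" or chain != pkt["chain"] or r.get("src") != pkt["zone"]:
            continue
        protos = r.get("proto", "tcp udp").lower().split()   # fw3's default protocol set
        if "all" not in protos and pkt["PROTO"].lower() not in protos:
            continue
        if "dest_port" in r and r["dest_port"] != pkt["DPT"]:
            continue
        hits.append(r["name"])
    return hits
```

If a rule matches on paper but the log still shows REJECT, compare the ruleset actually loaded on the router (for example the output of `fw3 print`) against the file.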