I'm a bit confused about the port forwardings in OpenWRT. About the configuration:
What is the Destination Zone used for? It seems I can set anything and it still works as long as the Internal IP address is set correctly. I can even set the destination zone to a zone that does not contain the internal IP address. So what does it do?
What are the reflection zones used for?
Specific use case:
I have a server in zone DMZ that should be reachable from zone IOT. But I don't want to open the entire DMZ zone for the IOT devices, so I don't want to allow an entire zone forward. How would I set up this port forwarding? Or would this require a traffic rule?
It tells the firewall which area of your network the traffic is entering so it can apply the correct safety rules for that specific zone.
To let your local devices use your public sites or domain to reach your server. Without this, you would have to use the server's private IP address whenever you are at home.
No zone forwarding required.
Firewall -> traffic rules:
Source zone: IOT
Destination zone: DMZ
Destination address: your server's IP
Destination port: specific port
Action: accept
But shouldn't that be obvious already by the destination IP? What would be the implication if set incorrectly? I could not notice any difference.
Ahh, so if I want IOT devices to reach my server using its domain, I have to add the IOT zone to the reflection zones in the 443 port forwarding, right?
At least that worked in combination with the traffic rule you mentioned.
Even if the router knows the server's address, it won't open the gate to that area unless the zone matches. You didn't notice because your firewall is currently set to "Allow all" by default. If you ever switch to a stricter "Reject" policy, the port forward would break if the zone is wrong.
Yep. Adding the IOT zone to the reflection list allows those devices to "loop back" through the public IP or domain to reach your server. Combined with your traffic rule this completes the path.
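As an added example (not from the thread or from OpenWrt's own documentation), here is what the two pieces of configuration discussed above look like in `/etc/config/firewall` UCI syntax: the 443 port forward with the IOT zone added to its reflection zones, and the traffic rule that lets IOT hosts reach only the one DMZ server on one port rather than the whole zone. The zone names `wan`, `dmz` and `iot`, the interface names, and the server address 192.168.20.10 are assumed placeholders; substitute your own.

```uci
# Added example, not from the thread. Zone names 'wan', 'dmz', 'iot',
# the interface names and the address 192.168.20.10 are placeholders.
# The 'wan' zone is assumed to already exist.

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Port forward (the "Destination Zone" in LuCI is 'dest').
# reflection_zone lists the zones whose clients may reach the server
# through the public IP or domain (NAT loopback). 'lan' is the usual
# entry; 'iot' is the addition discussed in the thread.
config redirect
	option name 'https-to-dmz-server'
	option src 'wan'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '192.168.20.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	list reflection_zone 'lan'
	list reflection_zone 'iot'

# Traffic rule: accept only this host and port from IOT, instead of a
# blanket iot -> dmz zone forwarding.
config rule
	option name 'iot-to-dmz-https'
	option src 'iot'
	option dest 'dmz'
	option dest_ip '192.168.20.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'ACCEPT'
```

Apply with `uci commit firewall` followed by `/etc/init.d/firewall restart`. With the zone `forward` policies set to REJECT as above, nothing other than the explicit rule lets IOT traffic into the DMZ, which is the situation in which the `dest` zone on the redirect matters: the accept rule generated for the forwarded traffic is attached to the `wan` -> `dest` zone pair, so a wrong `dest` leaves the DNATed packets with no matching accept.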