Hi,
I'm building a dynamically routed setup of virtualized OpenWrt systems. I have 1 to 5 interfaces with which I connect to so called neighbors. I group them up because the same rules shall apply when it comes to networking interface as well as firewall configuration.
So what I intuitively did was to create only one firewall zone called NEIGHBORS. Why the hastle, right?
In the end data shall always be able to transit through a device but never into one's local network.
When I set the firewall policy for this neighbor zone to REJECT no data can transit. I verified with logging that - understandibly - packetes are being rejected. When I set policy to ACCEPT traffic CAN transit but so can data packets destined for my LAN which I shall protect from Neighbors, got it?
To me it seems logical to explicitly allow traffic coming from zone NEIBHBORS when again going out to NEIGHBORS. In fact the option to select such thing is diabled via LUCI.
What's wrong with my thinking? 