Weird dynamic routed setup firewall question


I'm building a dynamically routed setup of virtualized OpenWrt systems. I have 1 to 5 interfaces with which I connect to so called neighbors. I group them up because the same rules shall apply when it comes to networking interface as well as firewall configuration.

So what I intuitively did was to create only one firewall zone called NEIGHBORS. Why the hastle, right?
In the end data shall always be able to transit through a device but never into one's local network.
When I set the firewall policy for this neighbor zone to REJECT no data can transit. I verified with logging that - understandibly - packetes are being rejected. When I set policy to ACCEPT traffic CAN transit but so can data packets destined for my LAN which I shall protect from Neighbors, got it?

To me it seems logical to explicitly allow traffic coming from zone NEIBHBORS when again going out to NEIGHBORS. In fact the option to select such thing is diabled via LUCI.
What's wrong with my thinking? :sob:

Forward zone policy applies only to forward traffic when source and destination is in the same zone.
It shouldn't affect the forwarding between different zones.
Make sure your interface to zone assignment is correct and verify iptables-save.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.