My router has a feature named "WAN IP Alias" that I was never aware of; it is something like adding a virtual IP to your WAN.
With those WAN IPs, you can open a port and loop back to local. The advantage is that it is so easy to route different subnet / VLAN traffic to local; the drawback is that the source IP will change to the WAN IP, so you can't identify which local client the traffic came from.
With "IP alias", you can set an additional IP under the WAN I/F; then when you access those Internet IPs, it will route to your local service. Because I limit the source IP to be the same as the alias, basically no Internet traffic will be routed to local.
With those settings, now I can:
- Access 192.168.6.6 "WAN IP" for different services hosted in other subnets; even if the actual WAN IP changes, I don't need to change anything again.
- Traditional DNS resolving to 8.8.8.8 / 9.9.9.9 will be redirected to the local DNS ( 192.168.2.5 )
- Once the local DNS is down or under maintenance, I can simply disable the alias; then that traffic will go to the Internet as usual.
Now you will find 8.8.8.8 and 9.9.9.9 records in your DNS server. I also route other DNS traffic ( i.e. DNS resolving that does not follow the DNS setting ) to local too.
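A quick way to confirm that the alias redirect is really catching queries aimed at 8.8.8.8 / 9.9.9.9 is to ask those addresses for a name that only the local DNS server knows: a private-address answer means the local DNS ( 192.168.2.5 ) replied, NXDOMAIN means the real public resolver did. This is an added example, not code from the post or from the router vendor; the marker name `nas.lan` is an assumption.

```python
import ipaddress
import socket
import struct

LOCAL_DNS = "192.168.2.5"                   # local DNS server named in the post
PUBLIC_RESOLVERS = ("8.8.8.8", "9.9.9.9")   # resolvers the WAN IP alias intercepts
MARKER_NAME = "nas.lan"                     # assumption: a name only the local DNS resolves

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD bit set (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(resp, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = resp[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer is two bytes long
            return off + 2
        off += 1 + length

def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4   # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips

def classify(resp):
    """'redirected' if the local zone answered with private IPs, else 'not_redirected'."""
    rcode = struct.unpack("!H", resp[2:4])[0] & 0x0F
    ips = parse_a_records(resp)
    if rcode == 0 and ips and all(ipaddress.ip_address(ip).is_private for ip in ips):
        return "redirected"
    return "not_redirected"

def check_resolver(resolver, timeout=2.0):
    """Send the marker query to `resolver` and classify the reply ('timeout' if none)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(MARKER_NAME), (resolver, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(resp)
```

Run `check_resolver(r)` for each entry in `PUBLIC_RESOLVERS` from a LAN client; a `timeout` after disabling the alias while the local DNS is down is the expected failure mode described above.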