I was thinking about how to use these more effectively and efficiently. I typically use an interface-list for WAN and MGMT but use firewall address-list for LAN segregation. Most of the time ether1 is the only interface in the WAN list so I am not sure what I am really saving. I suppose it is easier to think about?

My rudimentary understanding is that you can achieve similar things in the firewall but with interface-list you can specify an entire VLAN or physical interfaces. When using multiple VLANs perhaps this is easier to use rather than creating multiple FW address-lists. I also see others use the concept of trusted, untrused, internet_only, etc.. in their interface-lists which all seem like a valid approaches depending on your use case.

Do you create an interface-list for your LAN and use that as opposed to in or addition to firewall address-list? In general terms, how are you using these in your firewalls?

I too do similar with my setup.
Interface list as an example "WANs" for my 2 WAN interfaces which is good for firewall & NAT rules and make use of address lists in multiple ways.
I think of it more as interface-list for hardware interfaces and address-lists for IP related. Sometimes both will suit and sometimes only one will match.

In general lists require less processing power in that you then don't have to make multiple rules for different ranges/interfaces checking the same things.

I use a mixture of both.

As you mentioned, Interface List is like "Zone" based, "trusted", "untrusted", etc. but sometimes need to be more granular, then I use Address Lists, etc

I too do similar with my setup.
Interface list as an example "WANs" for my 2 WAN interfaces which is good for firewall & NAT rules and make use of address lists in multiple ways.
I think of it more as interface-list for hardware interfaces and address-lists for IP related. Sometimes both will suit and sometimes only one will match.

In general lists require less processing power in that you then don't have to make multiple rules for different ranges/interfaces checking the same things.

Thanks for your reply Steveocee!

I use a mixture of both.

As you mentioned, Interface List is like "Zone" based, "trusted", "untrusted", etc. but sometimes need to be more granular, then I use Address Lists, etc

Thanks CZFan - the granular part makes good sense. Never thought of it like that. I am still getting my head wrapped around the Zone concept. Trusted and untrused seem like they could be foggy definitions. I assume trusted means allows to communicate? I was thinking about using trusted out list to simplify the firewall rule for allowing bunch of VLANs out in one rule, but I don't think that is way trusted is mean in the typical definition.

Thanks again.

You can't compare similar named interface lists on different routers as the real meaning is entirely dependent on firewall rules. So you can name lists in the way which is most meaningfull to you. Default config knows about LAN and WAN lists, so I would expect most users to stick to this scheme.

Some Examples, but must use what makes sense to you,i.e.
Trusted Zone = LAN Zone
Untrusted Zone = WAN / Internet Zone
Semi Trusted Zone = DMZ Zone
etc

Its worthwhile stating that one can make up numerous Interface Lists (subset1, newlist23, etc) but the options for each list is fixed at interfaces.
Valid entries are: WAN entries, LAN entries, dynamic entries, or No entries
They are applied as an Inclusion Entry or an Exclulsion entry.

So there is indeed some flexibility to create interface lists as arguments in rules where its deemed to be efficient.
Some really cool examples would be great and I know Ive read some in the past but obviously none at the tip of my tongue........

I can think of possibly using interface lists to control which interfaces are source natted to specific WANIPs, and thus possibly routing as well??

Its worthwhile stating that one can make up numerous Interface Lists (subset1, newlist23, etc) but the options for each list is fixed at interfaces.
Valid entries are: WAN entries, LAN entries, dynamic entries, or No entries
They are applied as an Inclusion Entry or an Exclulsion entry.

So there is indeed some flexibility to create interface lists as arguments in rules where its deemed to be efficient.
Some really cool examples would be great and I know Ive read some in the past but obviously none at the tip of my tongue........

I can think of possibly using interface lists to control which interfaces are source natted to specific WANIPs, and thus possibly routing as well??

That is not my experience. Interface lists can be applied as and how and where you want. What context are you using this in?