To make things easy I use two subnets, home and secure.
Home has no connection; secure does.
When I change those interfaces to the firewall zone of the other, home has internet and secure doesn't have a connection.
Here is a better explanation:
1. network home > firewall zone: home > no internet
2. network secure > firewall zone: secure > internet
3. network secure > firewall zone: home > no internet
4. network home > firewall zone: secure > internet
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'gast'

config zone
	option name 'Home'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'home'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config zone
	option name 'Crypt'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'crypt'

config zone
	option name 'Secure'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'secure'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'Home'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'Home'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'Guest'
	option dest 'wan'

config forwarding
	option src 'Home'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'Crypt'
	option dest 'wan'

config forwarding
	option src 'Secure'
	option dest 'wan'

config rule
	option name 'Guest DHCP & DNS'
	option target 'ACCEPT'
	option dest_port '53 67 68'
	option src 'Guest'

config rule
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option name 'Home DHCP & DNS'
	option src 'Home'
	option src_port '53 67 68'

config rule
	option name 'IoT DHCP & NAT'
	option target 'ACCEPT'
	option dest_port '53 67 68'
	option src 'IoT'

config rule
	option name 'Crypt DHCP & DNS'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'Crypt'

config rule
	option name 'Secure DHCP & DNS '
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'Secure'

config zone
	option name 'securevpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'securevpn'

config forwarding
	option src 'Secure'
	option dest 'securevpn'
Who has the answer to get a connection with the firewall home zone?
I think I found a problem in the secure IP address and gateway; the rest of the settings are good, but when connecting to home I get an IP address that I never set, and also there is no gateway address.
The only network that has a gateway is the wan, since it is how everyone reaches the Internet. Do not put an option gateway in the LAN-type networks. The DHCP server will advertise your router as the gateway for a LAN user. If you are manually configuring the endpoints you need to set your router as their gateway.
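A quick way to check the point made in that reply on a router is to scan /etc/config/network for every interface section that carries `option gateway` and flag the ones that are not the upstream. The script below is an added example written for this thread, not code from the thread or from OpenWrt; it assumes the upstream interfaces are named `wan`/`wan6` (as in the poster's firewall config) and treats every other interface as LAN. The sample config embedded in it is constructed, with `secure` deliberately carrying a stray gateway; on a real router run it against /etc/config/network instead.

```shell
#!/bin/sh
# Added example, not from the thread: find 'option gateway' entries in a
# UCI-style network config and warn when one sits on a LAN-type interface.
# Assumption: upstream interfaces are named wan/wan6; everything else is LAN.

# Constructed sample config: 'secure' wrongly carries a gateway, 'home' does not.
sample_network_config() {
	cat <<'EOF'
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '203.0.113.10'
	option netmask '255.255.255.0'
	option gateway '203.0.113.1'

config interface 'home'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'secure'
	option device 'eth2'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option gateway '192.168.20.254'
EOF
}

# Print "<interface> <gateway>" for every interface section that sets a gateway.
# Tracks the current section name and strips the UCI single quotes.
list_gateways() {
	awk -v q="'" '
		$1 == "config" && $2 == "interface" { name = $3; gsub(q, "", name) }
		$1 == "option" && $2 == "gateway"   { gw = $3; gsub(q, "", gw); print name, gw }
	' "$1"
}

# Same list, restricted to interfaces that are neither upstream nor loopback.
lan_gateways() {
	list_gateways "$1" | awk '$1 != "wan" && $1 != "wan6" && $1 != "loopback"'
}

# Return 0 when no LAN-type interface has a gateway, 1 otherwise.
check_lan_gateways() {
	[ -z "$(lan_gateways "$1")" ]
}

# Run against the file given as $1, or against the constructed sample if none.
main() {
	cfg="$1"
	if [ -z "$cfg" ]; then
		cfg=$(mktemp)
		sample_network_config > "$cfg"
	fi
	echo "interfaces with a gateway:"
	list_gateways "$cfg"
	if check_lan_gateways "$cfg"; then
		echo "OK: only upstream interfaces carry a gateway"
	else
		echo "WARNING: LAN-type interface(s) with a gateway set (remove option gateway):"
		lan_gateways "$cfg"
	fi
}

main "$@"
```

Run it as `sh check_gateways.sh /etc/config/network` on the router (or without an argument to see it flag `secure` in the sample). Any interface it lists under the warning is one whose clients will end up with a gateway the DHCP server never intended to advertise, which matches the symptom of getting an unexpected address and no usable gateway.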
I got it working.
What I did was take a backup of an OpenWrt backup that kind of worked.
Then I made some changes in this backup and made a backup of that, then did a fresh start with OpenWrt.
After that I made a connection with WinSCP, copied some files from the backup to the router and did a reboot.
I think there was something screwed up somewhere in another OpenWrt file; if you like I can send those files, just ask.
Now everything is working and I made a backup of this.
Now I have started to set up a VPN connection and think I stumbled upon another problem; I think there is a problem or a bug in OpenVPN.