Access LAN to Guest

Hi, I have a LAN network and a GUEST network.
I created the guest network following the OpenWrt wiki and it works well; I also put nodogsplash on the guest network.
I have one router acting as a repeater in the guest network, and I want to access it from my LAN network.
How do I do that? I already created a port forward from lan to guest, which is not working; allowing connections from lan to guest is not working either.

This is my config:

Firewall

# /etc/config/firewall as posted. Three zones: lan (trusted, everything ACCEPT),
# wan (input/forward REJECT, masquerade on egress) and guest (input/forward
# REJECT). Traffic between zones is only allowed by explicit 'forwarding' or
# 'rule' sections; note that every lan<->guest rule and redirect further down
# carries "option enabled '0'", i.e. none of them is in effect.
# Default policy for packets that match no zone: forwarding is rejected.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option syn_flood '1'
	option forward 'REJECT'

# Trusted zone: hosts on 'lan' may talk to the router and be forwarded.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Untrusted zone: unsolicited input and forwarding are rejected; masq (NAT) on egress.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	# NOTE(review): the network config defines the upstream interface as 'WAN'
	# (upper case); fw3 warns that 'wan' and 'wan6' cannot be resolved to a
	# device (see the 'fw3 restart' output later in the thread).
	option network 'wan wan6 WAN'

# lan -> wan is the only forwarding the trusted zone gets by policy.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from 'Allow-DHCP-Renew' to 'Allow-ISAKMP' are the stock OpenWrt
# exceptions for the wan zone: DHCP renewals, ping, IGMP, IPv6 housekeeping
# (DHCPv6, MLD, ICMPv6) and IPsec towards lan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom script; fw3 runs it after populating the tables (see the
# "Running script '/etc/firewall.user'" line in the 'fw3 restart' output).
config include
	option path '/etc/firewall.user'

# Guest zone: clients may not reach the router (input REJECT) except through
# the DNS/DHCP rules below, and may only be forwarded to wan.
config zone 'guest_zone'
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding 'guest_forwarding'
	option src 'guest'
	option dest 'wan'

# Disabled. When enabled, 'list proto all' allows every protocol from any lan
# host to any guest host; narrowing it with 'list dest_ip' to the repeater is
# the least-privilege variant (the reply from @trendy below does exactly that).
config rule
	option name 'lan to guest'
	list proto 'all'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'
	option enabled '0'

# Router-side services the guest zone needs: DNS (udp/53) and DHCP (udp 68->67).
config rule 'guest_rule_dns'
	option name 'Allow DNS Queries'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'guest_rule_dhcp'
	option name 'Allow DHCP request'
	option src 'guest'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

# Captive-portal hook; fw3 runs it after the other scripts, and it installs
# its own chains (nds*) ahead of the fw3 chains.
# NOTE(review): in the iptables-save output, INPUT jumps to ndsRTR for -i wlan0-1
# before any fw3 chain, and ndsRTR ACCEPTs tcp 22, 23, 53, 80, 443 and udp 53, 67
# from guest clients, so the guest zone's 'input REJECT' never sees those ports;
# confirm that SSH/telnet on the router are not reachable from guest (trim
# nodogsplash's users_to_router list or bind dropbear to lan).
# NOTE(review): FORWARD likewise jumps to ndsNET for -i wlan0-1 before the
# RELATED,ESTABLISHED accept, and ndsNET's catch-all REJECT has hits. The
# counters show lan->guest packets being forwarded (zone_guest_dest_ACCEPT
# counts more than zone_guest_output), so the likely failure is the replies from
# the still-unauthenticated repeater being rejected by nodogsplash, not by fw3.
# Authenticating the repeater on the portal, or listing its MAC as trusted in
# nodogsplash (the ndsTRU chain marks by --mac-source), is the usual remedy.
config include 'nodogsplash'
	option type 'script'
	option path '/usr/lib/nodogsplash/restart.sh'

# Disabled. DNAT lan:2222 -> 2.2.2.10:80 (a port forward from the trusted side;
# redundant once direct lan->guest forwarding to that host is allowed).
config redirect
	option target 'DNAT'
	option name 'test'
	option src_dport '2222'
	option dest 'guest'
	option dest_ip '2.2.2.10'
	option src 'lan'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option dest_port '80'
	option enabled '0'

# Disabled -- keep it that way: enabling it grants the captive-portal guest
# zone unrestricted access to every lan host, which defeats the zone split.
config rule
	option name 'guest to lan'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'
	option enabled '0'

# Disabled. Would DNAT guest:2200 -> 1.1.1.10 (a lan host); same exposure
# concern as 'guest to lan', scoped to one host.
config redirect
	option target 'DNAT'
	option name 'guest test'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src 'guest'
	option src_dport '2200'
	option dest 'lan'
	option dest_ip '1.1.1.10'
	option enabled '0'

# Disabled. A 'nat' section with target ACCEPT presumably exempts lan traffic
# to 2.2.2.10 from source NAT; it does not open any forwarding by itself.
config nat
	option name 'test'
	option src 'lan'
	option dest_ip '2.2.2.10'
	option target 'ACCEPT'
	option enabled '0'

# Disabled. Narrower variant of 'lan to guest': destination port 80 only
# (dest_port presumably applies to tcp/udp; icmp, igmp and esp have no ports).
config rule
	option name 'lan to guest'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	list proto 'esp'
	option dest_port '80'
	option enabled '0'

# Disabled. No 'dest' zone given; DNAT lan:1234 -> 1.1.1.4:80, where 1.1.1.4 is
# itself a lan address (same zone as the source).
config redirect
	option target 'DNAT'
	option name 'abc'
	option src 'lan'
	option src_dport '1234'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option dest_ip '1.1.1.4'
	option dest_port '80'
	option enabled '0'

Network

# /etc/config/network as posted.
# NOTE(review): 1.1.1.0/24 (lan) and 2.2.2.0/24 (guest) are publicly routed
# ranges, not RFC 1918 private space. Lan hosts shadow the real 1.1.1.1 public
# DNS resolver, and any client trying to reach a real 2.2.2.x host lands on this
# router instead. Prefer 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix used for ip6assign on lan.
config globals 'globals'
	option ula_prefix 'fdde:708f:4239::/48'

# Trusted bridge (br-lan in the iptables output), static 1.1.1.1/24.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '1.1.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '98:da:c4:84:af:5a'

# Upstream on eth0 via DHCP. The firewall's wan zone lists 'wan wan6 WAN';
# only this upper-case 'WAN' name exists here (see the fw3 restart warnings).
config interface 'WAN'
	option proto 'dhcp'
	option ifname 'eth0'

# Guest network, static 2.2.2.2/24. No ifname here; the iptables output shows
# wlan0-1 as the guest device, so the wireless config attaches it to this interface.
config interface 'guest'
	option proto 'static'
	option ipaddr '2.2.2.2'
	option netmask '255.255.255.0'

DHCP

# /etc/config/dhcp as posted.
config dnsmasq
	# Only forward queries that contain a domain part.
	option domainneeded '1'
	option localise_queries '1'
	# Reject upstream answers that point at private addresses (DNS-rebinding guard).
	option rebind_protection '1'
	option rebind_localhost '1'
	# Resolve '*.lan' locally instead of forwarding.
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	# Static leases from /etc/ethers.
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	# Answer DNS only from directly attached subnets.
	option localservice '1'
	# NOTE(review): this turns on dnsmasq's unauthenticated TFTP server on the
	# router; confirm it is actually needed. Nothing in the fw3 guest rules opens
	# udp/69, but the nodogsplash ndsRTR chain is consulted first -- check there too.
	option enable_tftp '1'

# Lan pool: 150 leases starting at host .100, 12h lease.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# Serve even if another DHCP server is detected on the segment.
	option force '1'

# No DHCP served towards the upstream.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# Guest pool: 200 leases starting at host .50, short 1h lease.
config dhcp 'guest'
	option interface 'guest'
	option start '50'
	option limit '200'
	option leasetime '1h'
	option force '1'

nope

There is one rule to allow everything from lan to guest, but it is disabled. Enable it, and you can narrow it down to just the IP address of the repeater in the guest zone.


Which one?
All the disabled configs above — I have already tested them and still can't access an IP in guest from lan :frowning:

The "lan to guest" one.
Add the following rule, after you adapt the destination IP to that of the repeater.

# Rule proposed in the reply above: allow new IPv4 connections from lan to one
# guest host only. Replace 172.17.17.100 with the repeater's address inside the
# guest subnet (2.2.2.0/24 according to the posted network config).
config rule
	option src 'lan'
	option name 'lan to guest'
	option dest 'guest'
	# 'list dest_ip' limits the ACCEPT to this single destination (least privilege).
	list dest_ip '172.17.17.100'
	option target 'ACCEPT'
	# NOTE(review): no 'proto' is given; fw3 warns that it then assumes TCP+UDP
	# (see the 'fw3 restart' output later in the thread). If the test is a ping,
	# add "option proto 'all'" or test with a TCP port instead.
	option family 'ipv4'

If it still doesn't work, post here the output of `iptables-save -c`.

Hi @trendy, I tried it and it is still not working.
Please check this link https://drive.google.com/file/d/13v_SYNpzOQ6xb6Yo0FxOim4Gr-vRSbxO/view?usp=sharing to see my screen recording.

I specifically asked for the output of `iptables-save -c`, not a screen recording of random commands.

Oh sorry, I didn't read your request.
I suspect it is not working because of the nodogsplash firewall, but I'm not an expert on firewall rules :frowning:

This is my `iptables-save -c` output:

# Generated by iptables-save v1.8.3 on Fri Jun  5 21:28:06 2020
*raw
:PREROUTING ACCEPT [371187:287908674]
:OUTPUT ACCEPT [34730:3129845]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
[129410:23316465] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[2206:181784] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Fri Jun  5 21:28:06 2020
# Generated by iptables-save v1.8.3 on Fri Jun  5 21:28:06 2020
*nat
:PREROUTING ACCEPT [8965:1137680]
:INPUT ACCEPT [1074:74570]
:OUTPUT ACCEPT [7018:447449]
:POSTROUTING ACCEPT [38:3327]
:ndsOUT - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1200:95808] -A PREROUTING -i wlan0-1 -j ndsOUT
[8965:1137680] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[8962:1137584] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3:96] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_prerouting
[14085:1344938] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[8:1124] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[14047:1341611] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:496] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A ndsOUT -m mark --mark 0x20000/0x30000 -j RETURN
[0:0] -A ndsOUT -m mark --mark 0x30000/0x30000 -j RETURN
[0:0] -A ndsOUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 2.2.2.2:2050
[1200:95808] -A ndsOUT -j ACCEPT
[3:496] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[8:1124] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[8962:1137584] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[14047:1341611] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[14047:1341611] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3:96] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Jun  5 21:28:06 2020
# Generated by iptables-save v1.8.3 on Fri Jun  5 21:28:06 2020
*mangle
:PREROUTING ACCEPT [371190:287908950]
:INPUT ACCEPT [24489:8727301]
:FORWARD ACCEPT [345879:279016094]
:OUTPUT ACCEPT [34730:3129845]
:POSTROUTING ACCEPT [379407:282053867]
:ndsALW - [0:0]
:ndsBLK - [0:0]
:ndsINC - [0:0]
:ndsOUT - [0:0]
:ndsTRU - [0:0]
[2206:181784] -A PREROUTING -i wlan0-1 -j ndsOUT
[2206:181784] -A PREROUTING -i wlan0-1 -j ndsBLK
[2206:181784] -A PREROUTING -i wlan0-1 -j ndsTRU
[7515:376700] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2844:259664] -A POSTROUTING -o wlan0-1 -j ndsINC
[0:0] -A ndsTRU -m mac --mac-source 44:6D:57:39:04:AE -j MARK --set-xmark 0x20000/0x20000
COMMIT
# Completed on Fri Jun  5 21:28:06 2020
# Generated by iptables-save v1.8.3 on Fri Jun  5 21:28:06 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:ndsAUT - [0:0]
:ndsNET - [0:0]
:ndsRTR - [0:0]
:ndsTRT - [0:0]
:ndsTRU - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1006:85976] -A INPUT -i wlan0-1 -j ndsRTR
[2720:282081] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[20763:8359244] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[19289:8245049] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[112:6708] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1471:114099] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[3:96] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
[1200:95808] -A FORWARD -i wlan0-1 -j ndsNET
[344679:278920286] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[331002:277443961] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13677:1476325] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2720:282081] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[32010:2847764] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[19403:2001443] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1159:101285] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[10428:658868] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[1020:86168] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A ndsAUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ndsAUT -j ACCEPT
[0:0] -A ndsAUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsNET -m conntrack --ctstate INVALID -j DROP
[0:0] -A ndsNET -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A ndsNET -m mark --mark 0x20000/0x30000 -j ACCEPT
[0:0] -A ndsNET -m mark --mark 0x30000/0x30000 -j ndsAUT
[1200:95808] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsRTR -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsRTR -m conntrack --ctstate INVALID -j DROP
[1002:84168] -A ndsRTR -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
[0:0] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -m mark --mark 0x20000/0x30000 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A ndsRTR -p udp -m udp --dport 53 -j ACCEPT
[2:1152] -A ndsRTR -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 443 -j ACCEPT
[2:656] -A ndsRTR -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[3:96] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[112:6708] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1020:86168] -A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow DNS Queries" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --sport 68 --dport 67 -m comment --comment "!fw3: Allow DHCP request" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[1020:86168] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[1020:86168] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[1159:101285] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[13677:1476325] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[13677:1476325] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1471:114099] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1471:114099] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1159:101285] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1159:101285] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1471:114099] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[17:1245] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[24088:2133948] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3:96] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:96] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[10428:658868] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[10428:658868] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3:96] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun  5 21:28:06 2020

There isn't any rule in this output that allows lan to guest. Run `fw3 restart` and paste the output here.

Paste the output of `fw3 restart`, right?

I named the rule 'lan to guest 2'.

root@Pizarro_Router:~# fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @rule[14] (lan to guest 2) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow DNS Queries'
   * Rule 'Allow DHCP request'
   * Rule 'lan to guest 2'
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
   * Zone 'guest'
     - Using automatic conntrack helper attachment
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/lib/nodogsplash/restart.sh'

The rule should be there. Verify with `iptables-save -c | grep "lan to guest"`.
If it is not there, it means that one of the scripts running at the end (firewall.user and nodogsplash) is deleting it.

root@Pizarro_Router:~# iptables-save -c | grep "lan to guest"
[929:66957] -A zone_lan_forward -m comment --comment "!fw3: lan to guest" -j zone_guest_dest_ACCEPT

I found it, but I still can't access the guest device from lan.

This is a working rule that I use. I think you are missing option photo...

# Working lan -> guest rule posted by another user. Unlike the earlier
# suggestion it names the protocol explicitly ('all'), so ICMP is covered too,
# and pins the family to IPv4. It has no dest_ip, so it opens every guest host.
config rule                                
        option target 'ACCEPT'             
        option src 'lan'                   
        option name 'LAN to Guest'         
        option proto 'all'                 
        option family 'ipv4'               
        option dest 'guest'                

The rules are processed sequentially: do you have a rule before this one that explicitly blocks all communication from LAN to Guest?

The rule is there and has hits, so the firewall is not blocking you.
Maybe the guest host has its own firewall; Windows usually blocks traffic coming from a different network.

That would be the case if there were no hits.

fw3 corrects that, but sure, it doesn't hurt to add it:
Warning: Section @rule[14] (lan to guest 2) does not specify a protocol, assuming TCP+UDP


What is "photo"?
Do you mean proto?
I already set proto to "all" anyway.

I'm really bad at reading firewall rules.
This is the full output of my iptables:

# Generated by iptables-save v1.8.3 on Thu Jun 18 21:08:00 2020
*raw
:PREROUTING ACCEPT [19435996:15080469882]
:OUTPUT ACCEPT [1678482:737921053]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
[7040620:911050518] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[4787:421869] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Thu Jun 18 21:08:00 2020
# Generated by iptables-save v1.8.3 on Thu Jun 18 21:08:00 2020
*nat
:PREROUTING ACCEPT [287829:32769719]
:INPUT ACCEPT [64992:5111483]
:OUTPUT ACCEPT [25901:1854266]
:POSTROUTING ACCEPT [406:47551]
:ndsOUT - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3095:202563] -A PREROUTING -i wlan0-1 -j ndsOUT
[288162:32793199] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[287937:32775322] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[195:15747] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[30:2130] -A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_prerouting
[237050:27563268] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[74:20190] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[236643:27515654] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[38:7508] -A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A ndsOUT -m mark --mark 0x20000/0x30000 -j RETURN
[30:2130] -A ndsOUT -m mark --mark 0x30000/0x30000 -j RETURN
[104:6240] -A ndsOUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 2.2.2.2:2050
[2961:194193] -A ndsOUT -j ACCEPT
[38:7508] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[30:2130] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[74:20190] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[287937:32775322] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[236643:27515654] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[236643:27515654] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[195:15747] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Jun 18 21:08:00 2020
# Generated by iptables-save v1.8.3 on Thu Jun 18 21:08:00 2020
*mangle
:PREROUTING ACCEPT [2022950:1455464660]
:INPUT ACCEPT [235468:54339941]
:FORWARD ACCEPT [1783636:1400549643]
:OUTPUT ACCEPT [272684:156742475]
:POSTROUTING ACCEPT [2055040:1557218081]
:ndsALW - [0:0]
:ndsBLK - [0:0]
:ndsINC - [0:0]
:ndsOUT - [0:0]
:ndsTRU - [0:0]
[4787:421869] -A PREROUTING -i wlan0-1 -j ndsOUT
[4787:421869] -A PREROUTING -i wlan0-1 -j ndsBLK
[4787:421869] -A PREROUTING -i wlan0-1 -j ndsTRU
[252900:13193808] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[79380:7597487] -A POSTROUTING -o wlan0-1 -j ndsINC
[0:0] -A ndsTRU -m mac --mac-source 44:6D:57:39:04:AE -j MARK --set-xmark 0x20000/0x20000
[0:0] -A ndsTRU -m mac --mac-source A8:9C:ED:0C:6C:47 -j MARK --set-xmark 0x20000/0x20000
COMMIT
# Completed on Thu Jun 18 21:08:00 2020
# Generated by iptables-save v1.8.3 on Thu Jun 18 21:08:00 2020
*filter
:INPUT ACCEPT [3:156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:ndsAUT - [0:0]
:ndsNET - [0:0]
:ndsRTR - [0:0]
:ndsTRT - [0:0]
:ndsTRU - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[2401:218450] -A INPUT -i wlan0-1 -j ndsRTR
[345193:38624410] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1053664:339142811] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[982607:333562479] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4457:267276] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[70761:5559274] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[296:21058] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
[1686:169402] -A FORWARD -i wlan0-1 -j ndsNET
[18020097:14700341977] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[17591389:14658245420] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[428708:42096557] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[345338:38636010] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1333173:699288111] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1114647:681316080] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[111486:9395840] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[30399:2126127] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[76641:6450064] -A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
[319:53709] -A ndsAUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[18:1112] -A ndsAUT -j ACCEPT
[0:0] -A ndsAUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsNET -m conntrack --ctstate INVALID -j DROP
[1296:77760] -A ndsNET -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A ndsNET -m mark --mark 0x20000/0x30000 -j ACCEPT
[337:54821] -A ndsNET -m mark --mark 0x30000/0x30000 -j ndsAUT
[1349:114581] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsRTR -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsRTR -m conntrack --ctstate INVALID -j DROP
[1298:141661] -A ndsRTR -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
[187:11220] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -m mark --mark 0x20000/0x30000 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 53 -j ACCEPT
[210:14096] -A ndsRTR -p udp -m udp --dport 53 -j ACCEPT
[52:17257] -A ndsRTR -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 443 -j ACCEPT
[654:34216] -A ndsRTR -j REJECT --reject-with icmp-port-unreachable
[191:15493] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[105:5565] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4457:267276] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[76661:6451264] -A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow DNS Queries" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --sport 68 --dport 67 -m comment --comment "!fw3: Allow DHCP request" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[76641:6450064] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[76641:6450064] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
[111486:9395840] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[428708:42096557] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[428708:42096557] -A zone_lan_forward -m comment --comment "!fw3: lan to guest" -j zone_guest_dest_ACCEPT
[428688:42095357] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[70761:5559274] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[70761:5559274] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[111486:9395840] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[111486:9395840] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[70758:5559118] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[6399:588787] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[452688:43632697] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[296:21058] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[296:21058] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[30399:2126127] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[30399:2126127] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[296:21058] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Jun 18 21:08:01 2020

Could you review the iptables rules from my post above, sir?

Everything is in order.
You can verify with `tcpdump -i wlan0-1 -evn net 1.1.1.0/24` (substituting whatever your LAN network actually is).

This is the result when I run tcpdump and then access my repeater from the guest network:

tcpdump -i wlan0-1 -evn net 1.1.1.0/24
tcpdump: listening on wlan0-1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:53:59.698807 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11057, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0xd1ad (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329045323 ecr 0,nop,wscale 7], length 0
21:53:59.949908 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55954, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0x25af (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329045575 ecr 0,nop,wscale 7], length 0
21:54:00.700904 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11058, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0xcdc2 (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329046326 ecr 0,nop,wscale 7], length 0
21:54:00.956909 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55955, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0x21c0 (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329046582 ecr 0,nop,wscale 7], length 0
21:54:02.716891 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11059, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0xc5e2 (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329048342 ecr 0,nop,wscale 7], length 0
21:54:02.972891 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55956, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0x19e0 (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329048598 ecr 0,nop,wscale 7], length 0
21:54:06.962757 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11060, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0xb562 (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329052566 ecr 0,nop,wscale 7], length 0
21:54:07.277923 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55957, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0x0960 (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329052822 ecr 0,nop,wscale 7], length 0
21:54:15.249466 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11061, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0x9562 (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329060758 ecr 0,nop,wscale 7], length 0
21:54:15.389177 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55958, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0xe95f (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329061014 ecr 0,nop,wscale 7], length 0
21:54:31.270376 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 11062, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48388 > 2.2.2.20.80: Flags [S], cksum 0x5662 (correct), seq 2534815732, win 64240, options [mss 1460,sackOK,TS val 329076886 ecr 0,nop,wscale 7], length 0
21:54:31.609815 9a:da:c4:84:af:5a > 76:da:88:0b:a4:10, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 55959, offset 0, flags [DF], proto TCP (6), length 60)
    1.1.1.4.48390 > 2.2.2.20.80: Flags [S], cksum 0xaa5b (correct), seq 3043280038, win 64240, options [mss 1460,sackOK,TS val 329077146 ecr 0,nop,wscale 7], length 0

The firewall is not blocking: the SYNs from 1.1.1.4 are reaching wlan0-1 and are being retransmitted. There is no reply back, so either 2.2.2.20 is blocking the incoming requests or it does not have a default gateway or a route towards 1.1.1.0/24.