Access Printer on Guest Zone from Guest zone

I have a guest network set up without interzone forwarding. In this guest network I have a printer. I can access the printer (ping/print) from lan, but not from other devices in the guest network.

These are my firewall settings (part of them):

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	list device 'phy0-ap0'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config forwarding
	option src 'guest'
	option dest 'Wireguard'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option name 'guest_print'
	option src 'guest'
	list dest_ip 'printer_ip'
	option target 'ACCEPT'
	option dest 'guest'
	option enabled '1'

Interestingly, even when I set option forward 'ACCEPT' in the guest zone, I can't access the printer from the guest zone.

Any help is appreciated!

Are you certain that the printer is indeed on the guest network?

How is it connected (ethernet or wifi)?

Meanwhile, remove the last line of this zone definition (the list device 'phy0-ap0' entry in the guest zone) -- it doesn't belong there.

This rule (guest_print) does nothing and can be deleted.

Let's take a look at the complete configuration (you do not need to redact RFC1918 addresses):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

{
	"kernel": "6.1.82",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Mi Router AX3000T",
	"board_name": "xiaomi,mi-router-ax3000t",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r25683-d4a40827ba",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r25683-d4a40827ba"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8d:f2a8:feb8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '168.0.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'cc:d8:43:14:14:f2'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option metric '1024'
	option peerdns '0'
	list dns '10.2.0.1'
	list dns '9.9.9.9'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	list ipaddr '168.0.1.1/24'

config interface 'WireguardMATCH'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.2.0.2/32'
	option mtu '1412'
	list dns '10.2.0.1'

config wireguard_WireguardMATCH
	option description 'xxxxxxxxxxx'
	option public_key 'xxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxxx'
	option endpoint_port 'xxxx'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option country 'CH'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'mainwlan'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option country 'xx'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'main'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxxxx'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guestwlan'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxx'
	option network 'guest'
	**option isolate '1'**

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guestwlan'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxx'
	option disabled '1'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'BrotherPrinter'
	list mac 'xxxxxxxxxxxxxxxx'
	option ip '168.0.1.2'
	option leasetime 'infinite'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list device 'tun1'
	option masq6 '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'Wireguard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WireguardMATCH'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'guest DNS'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config forwarding
	option src 'guest'
	option dest 'Wireguard'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option name 'guest_print'
	option src 'guest'
	list dest_ip '168.0.1.2'
	option target 'ACCEPT'
	option dest 'guest'
	option enabled '0'

When I remove option isolate '1' in the guest wifi, I'm able to connect to the printer from guest and from lan, even when the firewall rule guest_print is disabled. But shouldn't the setting option forward 'REJECT' in zone guest prevent this? At least that's what I want: devices on the guest network shouldn't be able to communicate with each other unless I allow it specifically.

Bridge forwarding is not routing: hosts in the same subnet reach each other directly at layer 2, so that traffic never passes through the firewall and the zone's forward policy does not apply to it.

Is 168.0.0.1 the actual address you are using, or did you obfuscate the addresses for this and the guest networks? 168.0.0.0/8 is not RFC1918 private space.

Because you have your guest network on two physical radios, you need to use a bridge. Add and edit:

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.10.1/24'

Remove the bridge line (option type 'bridge') from the wan interface:

Isolate prevents all wireless clients from reaching each other. This means the guest clients will not be able to reach the printer even though it is on the same network. Remove the isolate option.

This rule doesn't do anything and can be deleted:

Restart and try again.