my Setup
TP-Link Archer C7 v2
OpenWrt 19.07.1 r10911-c155900f66 / LuCI openwrt-19.07 branch git-20.029.45734-adbbd5c
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src_port '67-68'
option src 'lan'
option name 'Allow DHCP'
list src_ip '10.0.1.11'
option dest 'lan'
option target 'ACCEPT'
option dest_port '67-68'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option network 'guest GUEST'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'guest'
config forwarding
option dest 'guest'
option src 'lan'
config rule
option dest_port '53'
option src 'guest'
option name 'Allow Guest DNS Queries'
option target 'ACCEPT'
option dest '*'
config rule
option src_port '67-68'
option src 'guest'
option name 'Allow Guest DHCP request'
option dest '*'
option target 'ACCEPT'
option dest_port '67-68'
list proto 'udp'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option dest 'guest'
option name 'Allow Guest > Guest DHCP request'
config rule
option src 'guest'
option target 'ACCEPT'
option dest 'guest'
option name 'Allow Guest > Guest DNS Queries'
list proto 'all'
config rule
option name 'Allow Guest -> WAN http'
option src 'guest'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
option dest 'wan'
config rule
option name 'Allow Guest -> WAN https'
option src 'guest'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
option dest 'wan'
config rule
option name 'Deny Guest -> LAN'
option src 'guest'
option dest 'lan'
option proto 'all'
option target 'DROP'
config rule
option name 'Deny Guest -> WAN'
option src 'guest'
option dest 'wan'
option proto 'all'
option target 'DROP'
config zone
option name 'smart'
option input 'REJECT'
option forward 'REJECT'
option network 'smart SMART'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'smart'
config forwarding
option dest 'smart'
option src 'lan'
config forwarding
option src 'smart'
option dest 'wan'
config rule
option name 'Allow SMART - DHCP request'
option src 'smart'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow SMART - DNS Queries'
option src 'smart'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
config rule
option dest 'lan'
option src 'smart'
option name 'Deny Smart -> LAN'
option target 'DROP'
config redirect
option dest_port '443'
option src 'wan'
option name 'SERVER 443'
option src_dport '443'
option target 'DNAT'
option dest 'lan'
option dest_ip '10.0.1.14'
list proto 'tcp'
config redirect
option dest_port '80'
option src 'wan'
option name 'SERVER 80'
option src_dport '80'
option target 'DNAT'
option dest 'lan'
option dest_ip '10.0.1.14'
Question
I have 3 VLANS: lan (10.0.1.1/24), smart (10.0.2.1/24) and guest (10.0.3.1/24)
The Server in lan (10.0.1.14) and a device/phone on guest (10.0.3.33)
This Server has a port forward for ports 443 and 80
I can access the server from lan and outside (WAN) through its IP and DNS.
My devices in vlan guest, are not able to connect through my WAN / DNS... but they are able its lan IP 10.0.1.14.
I think i need a route/bridge or something, to make my devices be able to connect via the Router WAN Port.
Tried with
config rule
option name 'ALLOW MY DEVICE'
option src 'guest'
option proto 'all'
option target 'ACCEPT'
option dest '*'
list src_mac '00:0D:EV:MA:C0:00'