I would use the guest network also for some IoT stuff.
I would like to give all or some of my clients on the main LAN access to the guest devices (like accessing the web UI or data), but not the other way around.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Yes. Either reboot the device or restart the firewall service (/etc/init.d/firewall restart).
Yes. The guest network is isolated from the lan as well as the router itself (specifically the administration via ssh and web, and any other services you are running; only allowing DHCP and DNS). I would consider this sufficient and best practice, unless you have any specific requirements or other goals beyond this.
VLANs are a subset of what you've already done. Specifically, VLANs apply when you are using Ethernet and carrying multiple networks over the same physical port/cable.
1. Use DHCP option 6 to advertise the Pi as a DNS server.
2. Use DNS hijacking if you wish to redirect/force DNS that is destined for other DNS servers to be sent to your Pi.
3. Set the router's own system resolver to the Pi, and have clients use the OpenWrt router as their DNS servers. This can be combined with #2 to enforce it.
Don't forget that if the Pi is on a different network than (some of) the clients, you need to ensure that the firewall allows forwarding of DNS accordingly.
It only works if your Pi's DNS server is working properly and isn't relying on the OpenWrt router for DNS.
It doesn't prohibit other DNS servers from being used (i.e. no hijacking).
Generally, that field should be reserved for external/public DNS servers, not ones inside your network.
There is an option in the Dnsmasq settings to set the desired system resolver (separate from the wan), which allows you to specify another DNS address like your Pi.
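
The one-way setup discussed at the top of the thread (lan may reach guest devices, guest may not reach lan or the router except for DNS and DHCP) can be checked against a copy of /etc/config/firewall. The following Python script is an added example, not code from any poster in this thread or from OpenWrt itself; the zone names `lan` and `guest`, the sample config and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of /etc/config/firewall; zone names 'lan' and 'guest' are assumed.
SAMPLE = """
config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'guest'
config rule
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'guest'
    option dest_port '67'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})]; a repeated 'list' keeps its last value."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\S+)\s+'?([^']*)'?\s*$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def audit(text, trusted="lan", guest="guest"):
    """Return a list of findings; an empty list means guest is one-way isolated."""
    secs = parse_uci(text)
    fwd = {(o.get("src"), o.get("dest")) for t, o in secs if t == "forwarding"}
    zone = next((o for t, o in secs if t == "zone" and o.get("name") == guest), {})
    # Rules with a src but no dest apply to traffic addressed to the router itself.
    ports = {o.get("dest_port") for t, o in secs if t == "rule"
             and o.get("src") == guest and "dest" not in o and o.get("target") == "ACCEPT"}
    findings = []
    if (guest, trusted) in fwd:
        findings.append("guest can initiate connections to lan")
    if (trusted, guest) not in fwd:
        findings.append("lan cannot reach guest devices")
    if zone.get("input", "").upper() not in ("REJECT", "DROP"):
        findings.append("guest input to router is not explicitly REJECT/DROP")
    findings += [f"guest port {p} to router not allowed" for p in ("53", "67") if p not in ports]
    return findings
```

Run `audit(open("firewall").read())` on a copy of the router's config; a zone that inherits its input policy from the `defaults` section is reported as not explicit, so check that case by hand.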