Another Vlan Question X86 to 2xRT3200

Hi All,
I have decided to segment my network and did a lot of pre-work (read a lot of material), so I was prepared to start playing with VLANs. However, when it came to execution something didn't work and I managed to lock myself out of my main router; I recovered, and before I make another unorthodox attempt I decided to seek help.
I have a Cr15in (x86) acting as my main router and 2x Belkin RT3200 as dumb APs. What I want to achieve is to set up a guest network (as a starting point, since there is a lot of documentation on how to create a guest network on a dumb AP), which I will use for IoT. I also have a Home Assistant server which I want to attach to the LAN, but which must also be part of (reachable from) the guest network.
The x86 has 2 LAN ports, eth0 and eth2. The Belkin attached to eth0 has the HASS server connected to its port 2.
So I decided to start simple and use the Belkin on eth2 to understand VLANs, and then create the guest VLAN on the eth0 Belkin.
So far so good — I created the VLANs, but when I connect my phone to the guest Wi-Fi network on the eth2 AP, the connection is rejected and the phone keeps reconnecting.
I would appreciate any help in this regard.
Thank you
Network x86


# x86 main router: /etc/config/network as first posted.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd03:921d:dc10::/48'
	option packet_steering '1'

# LAN bridge. eth0 and eth2 are untagged members; eth2 additionally carries
# VLAN 10 through the eth2.10 device below, so the AP on eth2 must send guest
# traffic tagged with VID 10 and LAN traffic untagged on the same cable.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'


# Guest/IoT bridge. Only eth2.10 is a member, so at this stage the guest VLAN
# exists on the eth2 link only; nothing on eth0 carries it yet.
config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth2.10'

# Routed guest subnet. No ip6assign here, so guest clients get IPv4 only from
# this router; the firewall's guest zone (forward REJECT) is what keeps it
# separated from 'lan'.
config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1/24'

config device
	option type '8021q'
	option ifname 'eth2'
	option vid '10'
	option name 'eth2.10'

# VLAN 20 is defined but is not a member of any bridge or interface in this
# file; unused as posted.
config device
	option type '8021q'
	option ifname 'eth2'
	option vid '20'
	option name 'eth2.20'

Firewall x86


# x86 main router: /etc/config/firewall as first posted.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# 'wg_lan' is listed as a member network, but no wg_lan interface appears in
# the x86 network config posted above (a disabled one exists on the eth0 AP).
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg_lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from Allow-DHCP-Renew through Allow-ISAKMP match the stock OpenWrt
# rule set.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Keeps the listed LAN hosts (IoT devices) off the WAN. The match is on
# 192.168.1.x source addresses in the lan zone, so it silently stops applying
# to any of these devices once it is moved to the guest VLAN (192.168.3.0/24),
# where the guest->wan forwarding below allows everything.
# NOTE(review): re-create the block in the guest zone if those devices are
# meant to stay offline after the move.
config rule
	option name 'IoT'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	list src_ip '192.168.1.226'
	list src_ip '192.168.1.195'
	list src_ip '192.168.1.237'
	list src_ip '192.168.1.233'
	list src_ip '192.168.1.193'
	list src_ip '192.168.1.212'

# Forces port-53 traffic from LAN clients to the router's own resolver. It
# matches src 'lan' only; a guest client with a hard-coded external resolver
# is not redirected, because guest->wan permits any destination.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'

# src '*' accepts UDP/9993 on the router itself from every zone, guest
# included; only harmless if nothing is listening there.
config rule
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'

# ZeroTier peers get unrestricted access to the LAN (vpn->lan forwarding
# below, forward ACCEPT, masquerading). No ZeroTier interface appears in the
# x86 network config posted above.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Opens UDP/51820 on the WAN for a WireGuard listener (wg_lan) that is not in
# the posted x86 network config. Close it if nothing listens there.
config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Guest/IoT zone. input REJECT: guest clients reach the router only through
# the DNS/DHCP rules below. forward REJECT plus the single guest->wan
# forwarding: internet access, no path into 'lan'. masq '1' SNATs traffic the
# router forwards toward guest clients to 192.168.3.1; it is not needed for a
# directly routed subnet and hides the real source address from the guest
# side (the reply below says to turn it off).
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

Network BelkinRT3200 eth2


# eth2 AP (Belkin RT3200): /etc/config/network as first posted, before the
# bridge-vlan rework in the reply below.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd20:7f27:8aef::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# AP management address on the LAN; default route and resolver point at the
# x86 router.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# Separate guest bridge over a VLAN sub-interface of lan4, while lan4 is also
# an untagged member of br-lan above. On a DSA target the supported way to do
# this is the bridge-vlan syntax that the reply below switches to.
config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan4.10'

# NOTE(review): a second static interface with its own 'gateway' gives the AP
# two default routes. A dumb AP does not need an address on the guest VLAN at
# all; the reply below makes this interface unmanaged.
config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.3.2'
	option gateway '192.168.3.1'
	list dns '192.168.1.1'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '10'
	option name 'lan4.10'

Wireless eth2 Belkin RT3200 - IK2.4 is the intended wireless guest network

# eth2 AP wireless. IK2.4 (2.4 GHz) is the guest/IoT SSID; IK5 (5 GHz) stays
# on the LAN.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '11'
	option band '2g'
	option htmode 'HT40'
	option country 'PA'
	option cell_density '0'
	option noscan '1'

# Guest/IoT SSID bridged to the 'guest' network. WPA2-PSK only (psk2), the
# usual compromise for IoT clients that cannot do WPA3. No 'isolate' option,
# so clients of this BSS can talk to each other directly over the air;
# 'option isolate 1' would block that on this AP only (it does nothing for
# devices on the other AP or on wired guest ports). 802.11r is enabled without
# an explicit mobility_domain, unlike IK5 below, so hostapd falls back to a
# default domain.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'IK2.4'
	option encryption 'psk2'
	option key 'xxxxx'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option bss_transition '1'
	option time_advertisement '2'
	option time_zone 'EET-2EEST,M3.5.0/3,M10.5.0/4'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE160'
	option txpower '20'
	option country 'PA'
	option cell_density '0'

# LAN SSID, 5 GHz.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'IK5'
	option encryption 'psk2'
	option key 'xxxxxx'
	option ieee80211r '1'
	option mobility_domain '2222'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option bss_transition '1'
	option time_advertisement '2'
	option time_zone 'EET-2EEST,M3.5.0/3,M10.5.0/4'
	option dtim_period '3'
	option pmk_r1_push '1'

Generally, it is best to start with the simple case and build up... you've got a few extra things going on (including firewall rules and such) that may complicate things. If we can't solve these easily, we may need to remove those extra complications.

But let's start with the simple things...
I see eth0 as lan only (untagged) and eth2 as carrying the lan (untagged) + guest (tagged, VLAN 10). Is that your intended configuration?

Turn off masquerading on the guest firewall zone. And while we're at it, temporarily set input = accept. This way there won't be any restrictions on the client devices being able to reach the router (better for troubleshooting). Bear in mind that input = accept exposes every service the router listens on (LuCI, SSH, DNS, DHCP) to the guest/IoT clients, so put it back to reject once everything is known to be working; the DNS and DHCP rules you already have on the guest zone are all that guest clients normally need.

Now, on your AP... we need to use DSA Bridge-VLAN syntax. Therefore, let's make the following changes:

Add bridge-VLAN stanzas for the lan (VLAN 1) and guest (VLAN 10)

# VLAN 1 (LAN): all four ports untagged with PVID, so untagged frames on any
# port land in VLAN 1. The AP's own lan interface attaches via br-lan.1.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 10 (guest): tagged on lan4 only. lan4 is presumably the uplink to the
# x86's eth2, which carries LAN untagged plus guest as VID 10 (eth2.10).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:t'

Edit the lan to use the device br-lan.1 (instead of br-lan) so that it looks like this:

# Management address on VLAN 1. br-lan.1 is created by netifd from the
# bridge-vlan stanza; no separate 8021q device is needed for it.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

next, delete the `guest_dev` bridge device (`br-guest`, whose only port is `lan4.10`):

and the `lan4.10` 8021q device stanza (the quoted stanzas did not survive extraction; from the surrounding steps these are the two being referred to):

And finally, adjust the guest network. We're going to use device br-lan.10, and we also don't need the AP to have an address on this network, so we'll make it unmanaged:

# Unmanaged: the AP has no IP on the guest VLAN, so it is not reachable from
# guest clients at all; the guest SSID's wifi-iface attaches to this network.
config interface 'guest'
	option proto 'none'
	option device 'br-lan.10'

Restart your AP and try again.

Thank you very much! I was able to configure eth2, and with the same steps eth0. Well, I struggled a bit with eth0, as I wanted to replicate the steps in LuCI and got locked out because I was saving and applying the settings one by one; on the second try, applying the whole setup at the end, it worked. By using LuCI I was able to understand what I am doing :slight_smile:
I then enabled masquerading again and changed the firewall rule back — it worked that way as well.
However, when I put the Home Assistant server (actually Debian running HASS in Docker) into eth0.10, connected at port 2, my Wi-Fi devices cannot connect to it. I experimented with firewall input rules and masquerading, but I cannot fix it. Probably I am doing something wrong. Here is the setup after I made the changes. I appreciate your help!
Firewall:


# x86 main router: /etc/config/firewall after the first round of changes.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# 'wg_lan' is listed as a member network, but no wg_lan interface appears in
# the x86 network config posted above (a disabled one exists on the eth0 AP).
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg_lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from Allow-DHCP-Renew through Allow-ISAKMP match the stock OpenWrt
# rule set.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Keeps the listed LAN hosts (IoT devices) off the WAN. The match is on
# 192.168.1.x source addresses in the lan zone, so it stops applying to any of
# these devices once it is moved to the guest VLAN (192.168.3.0/24), where the
# guest->wan forwarding below allows everything.
# NOTE(review): re-create the block in the guest zone if those devices are
# meant to stay offline after the move.
config rule
	option name 'IoT'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	list src_ip '192.168.1.226'
	list src_ip '192.168.1.195'
	list src_ip '192.168.1.237'
	list src_ip '192.168.1.233'
	list src_ip '192.168.1.193'
	list src_ip '192.168.1.212'

# Forces port-53 traffic from LAN clients to the router's own resolver. It
# matches src 'lan' only; guest clients with a hard-coded external resolver
# are not redirected, because guest->wan permits any destination.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'

# src '*' accepts UDP/9993 on the router itself from every zone, guest
# included; only harmless if nothing is listening there.
config rule
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'

# ZeroTier peers get unrestricted access to the LAN (vpn->lan forwarding
# below, forward ACCEPT, masquerading). No ZeroTier interface appears in the
# x86 network config posted above.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Opens UDP/51820 on the WAN for a WireGuard listener (wg_lan) that is not in
# the posted x86 network config. Close it if nothing listens there.
config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Guest/IoT zone, troubleshooting state. input ACCEPT exposes everything the
# router listens on (LuCI, SSH, DNS, DHCP) to the IoT clients; the reply above
# asked for this only temporarily. Set it back to REJECT once connectivity
# works - the DNS/DHCP rules below are all guest clients need. Masquerading
# has been removed here, which is the right end state.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'


eth0 AP network — I was using this AP as my main router and it still has configs from back then, though I believe I switched them off:


# eth0 AP (Belkin RT3200): /etc/config/network after the VLAN rework. It still
# carries VPN leftovers from its time as the main router; all have auto '0'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:606c:2adf::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Management address on VLAN 1 of the bridge.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option auto '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# Guest VLAN, unmanaged: the AP has no address on it.
config interface 'guest'
	option proto 'none'
	option device 'br-lan.10'

# Client-side WireGuard tunnel, disabled. If it were enabled, allowed_ips
# 0.0.0.0/0 + ::/0 with route_allowed_ips '1' would send all of this AP's own
# traffic (including its management traffic) through the tunnel.
config interface 'Wgtesting'
	option proto 'wireguard'
	option peerdns '0'
	list dns 'xxxxx'
	option auto '0'
	option private_key 'xxxxxx'
	list addresses '10.49.0.3'

config wireguard_Wgtesting
	option description 'Imported peer configuration'
	option public_key 'xxxxx'
	option preshared_key 'xxxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'xxxx'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# Empty device stanza with a redacted name; looks like a leftover that maps to
# nothing visible here.
config device
	option name 'xxxxx'

config interface 'ZeroTier'
	option proto 'none'
	option device 'xxxx'
	option auto '0'

# Server-side WireGuard listener on UDP/51820, disabled. A dumb AP has no
# reason to terminate VPNs; if this is not coming back, remove it and its
# peers rather than leaving key material on the device.
config interface 'wg_lan'
	option proto 'wireguard'
	option private_key 'xxxxxx'
	option listen_port '51820'
	list addresses '10.0.5.1/24'
	option mtu '1420'
	option auto '0'

# NOTE(review): 'private_key' does not belong in a peer stanza (peers carry
# public_key/preshared_key; the private key lives on the wg_lan interface
# above). Also check endpoint_port '51280' - the listener above uses 51820.
config wireguard_wg_lan
	option public_key 'xxxxxx'
	option preshared_key 'xxxxxx'
	option description '1_lan_Alpha'
	list allowed_ips '10.0.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxxx'
	option private_key 'xxxxxx'
	option endpoint_port '51280'

config wireguard_wg_lan
	option public_key 'xxxxx'
	option preshared_key 'xxxx'
	option description '2_lan_Bravo'
	list allowed_ips '10.0.5.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'xxxxx'
	option preshared_key 'xxxx'
	option description '3_lan_Charlie'
	list allowed_ips '10.0.5.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'xxx'
	option preshared_key 'xxxxx'
	option description '4_lan_Delta'
	list allowed_ips '10.0.5.5/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# NOTE(review): these two 8021q devices duplicate the br-lan.1 / br-lan.10
# devices that netifd creates from the bridge-vlan stanzas below (the eth2 AP
# was set up without them, per the reply above). Redundant; can be removed.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'

# VLAN 1 (LAN). Ports are listed without the ':u*' suffix used on the eth2
# AP; per the thread this works, but spelling out 'lanN:u*' (untagged, PVID)
# avoids relying on the default.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 10 (guest) tagged on lan2 (the Home Assistant host's port) and lan4
# (presumably the uplink to the x86). The HA host therefore sees the LAN
# untagged and the guest VLAN as tagged VID 10 on the same cable.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2:t'
	list ports 'lan4:t'


Wireless eth0:


# eth0 AP wireless. The 2.4 GHz radio and both SSIDs on it are disabled '1',
# so on this AP only IK5 (5 GHz, LAN) is live as posted.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option country 'PA'
	option cell_density '0'
	option channel '6'
	option htmode 'HT40'
	option noscan '1'
	option disabled '1'

# Guest/IoT SSID (same name and network as on the eth2 AP), currently
# disabled. Unlike the 'guest' stanza below it has no 'isolate' option.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'IK2.4'
	option encryption 'psk2'
	option key 'xxxx'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'EET-2EEST,M3.5.0/3,M10.5.0/4'
	option bss_transition '1'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option country 'PA'
	option cell_density '0'
	option htmode 'HE80'
	option channel '100'
	option txpower '19'

# Older guest SSID with client isolation (isolate '1'), disabled.
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'xxxxx'
	option isolate '1'
	option disassoc_low_ack '0'
	option disabled '1'

# LAN SSID, 5 GHz.
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IK5'
	option time_advertisement '2'
	option time_zone 'EET-2EEST,M3.5.0/3,M10.5.0/4'
	option bss_transition '1'
	option key 'xxxx'
	option ieee80211r '1'
	option mobility_domain '2222'
	option ft_psk_generate_local '1'
	option network 'lan'
	option ieee80211k '1'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option encryption 'psk2'
	option dtim_period '3'
	option pmk_r1_push '1'


PS: I was rethinking the whole setup, and probably one mistake in the current setup is the use of static LAN IP addresses for my IoT devices and the Debian server. But that is definitely not the only problem. Below is the DHCP config:


# x86 main router: /etc/config/dhcp.
# Upstream resolution goes only to local DoH proxies on 127.0.0.1:5053-5055
# (noresolv '1', so the ISP resolvers are never used). localservice '1'
# limits dnsmasq to directly attached subnets, which includes the guest
# 192.168.3.0/24.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5055'
	option confdir '/tmp/dnsmasq.d'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'
	list doh_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5054'
	list doh_server '127.0.0.1#5055'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# NOTE(review): every reservation and DNS name below is on the LAN subnet
# (192.168.1.x). A device moved to the guest VLAN is served by the 'guest'
# pool at the end of this file and gets a dynamic 192.168.3.x address, so its
# reservation, its name here, and any firewall rule keyed on its 192.168.1.x
# address (the 'IoT' reject rule on the x86) stop applying. Re-home these
# entries when the devices move. (A few MAC addresses below were left
# unredacted while the rest were masked.)
config host
	option ip '192.168.1.201'
	option mac 'xxxx'
	option name 'debian'
	option dns '1'

config domain
	option name 'Eon_spalnia'
	option ip '192.168.1.157'

config domain
	option name 'Eon_hol'
	option ip '192.168.1.214'

config domain
	option name 'Xiaomi_hub'
	option ip '192.168.1.195'

config domain
	option name 'LG_TV'
	option ip '192.168.1.151'

config domain
	option name 'TCL_TV'
	option ip '192.168.1.153'

config host
	option ip '192.168.1.213'
	option name 'Hass'
	option dns '1'
	option mac 'xxxxx'

config host
	option name 'TCLtv'
	option dns '1'
	option mac 'xxxxx'
	option ip '192.168.1.153'

config host
	option name 'S3cam'
	option dns '1'
	option ip '192.168.1.193'
	option mac 'xxxxx'

config host
	option name 'Xiaomih2'
	option dns '1'
	option mac 'xxx'
	option ip '192.168.1.226'

config host
	option name 'Xiaomihub'
	option dns '1'
	option mac 'xxxxx'
	option ip '192.168.1.195'

config host
	option name 'WIFIswitch'
	option dns '1'
	option mac 'xxxxx'
	option ip '192.168.1.237'

config domain
	option name 'WIFIswitch'
	option ip '192.168.1.237'

config domain
	option name 'debianHP'
	option ip '192.168.1.201'

config host
	option name 'Kidcam'
	option dns '1'
	option mac '38:AA:3C:77:AE:8D'
	option ip '192.168.1.212'

config host
	option name 'wiz_a98d5c'
	option ip '192.168.1.233'
	option mac '6C:29:90:A9:8D:5C'

config domain
	option name 'Kidcam'
	option ip '192.168.1.212'

config domain
	option name 'Wizplug'
	option ip '192.168.1.233'

# 'host' entries with an ip but no mac (BelkinBedroom, BelkinHol) cannot be
# handed out as leases; they appear to serve as DNS names for the APs' static
# addresses only.
config host
	option name 'BelkinBedroom'
	option dns '1'
	option ip '192.168.1.2'

config host
	option name 'BelkinHol'
	option dns '1'
	option ip '192.168.1.3'

config domain
	option name 'Alexa'
	option ip '192.168.1.158'

config domain
	option name 'Iphone'
	option ip '192.168.1.241'

config host
	option name 'GreeClima'
	option mac '94:24:B8:03:D5:B4'
	option ip '192.168.1.160'

config domain
	option name 'GreeClima'
	option ip '192.168.1.160'

# Guest/IoT pool: 192.168.3.100-249, 1h leases, force '1' (serve even if
# another DHCP server is seen on the segment). No dns option is set, so
# clients are pointed at this router (192.168.3.1) as resolver, which the
# guest zone's Allow-DNS-Guest rule permits.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option force '1'


Perfect — I think I got it working. However, if someone knowledgeable can verify my firewall config after my intervention, it would be appreciated. I was playing a lot with the VLAN and firewall setup, so I am not sure whether I messed something up or left something in place that I should have deleted.
Once I am sure I got it right - I will try to explain my logic in getting the correct setup, if someone with my way of thinking and my experience finds it useful in the future ( From my perspective it included hundreds of restarts)
Below is my main router's (x86) firewall, where 192.168.1.201 is my Home Assistant server, which I want to reach from the guest network set up on the 2 dumb APs. The Home Assistant server is attached to a port on one of the dumb APs.


# x86 main router: /etc/config/firewall, final version under review.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# 'wg_lan' is listed as a member network, but no wg_lan interface appears in
# the x86 network config posted earlier (a disabled one exists on the eth0
# AP). Harmless if absent, but worth cleaning up.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg_lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from Allow-DHCP-Renew through Allow-ISAKMP match the stock OpenWrt
# rule set.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Keeps the listed LAN hosts off the WAN. Per the dhcp reservations posted
# above these are S3cam, the Xiaomi hubs, Kidcam, the wiz plug and the
# WIFIswitch - i.e. the IoT devices that are meant to move to the guest VLAN.
# The match is on 192.168.1.x source addresses in the lan zone, so it stops
# applying to each device as soon as it lives on 192.168.3.0/24, where the
# guest->wan forwarding below allows everything.
# NOTE(review): if these devices should stay offline, add an equivalent
# REJECT rule with src 'guest' (keyed on their new addresses or MACs).
config rule
	option name 'IoT'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	list src_ip '192.168.1.226'
	list src_ip '192.168.1.195'
	list src_ip '192.168.1.237'
	list src_ip '192.168.1.233'
	list src_ip '192.168.1.193'
	list src_ip '192.168.1.212'

# Forces port-53 traffic from LAN clients to the router's own resolver. It
# matches src 'lan' only; IoT clients on the guest VLAN with a hard-coded
# external resolver are not redirected, because guest->wan permits any
# destination. A second redirect with src 'guest' would close that gap.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'

# src '*' accepts UDP/9993 on the router itself from every zone, guest
# included; only harmless if nothing is listening there.
config rule
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'

# ZeroTier peers get unrestricted access to the LAN (vpn->lan forwarding
# below, forward ACCEPT, masquerading). No ZeroTier interface appears in the
# x86 network config posted earlier.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Opens UDP/51820 on the WAN for a WireGuard listener (wg_lan) that is not in
# the posted x86 network config. Close it if nothing listens there.
config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Guest/IoT zone. input REJECT (only the DNS/DHCP rules below reach the
# router), forward REJECT, guest->wan as the only forwarding, plus the two
# Hass rules at the end. masq '1' is unnecessary for a directly routed
# subnet: it rewrites the source of traffic the router forwards toward guest
# clients (e.g. from the HA host) to 192.168.3.1, hiding the real peer from
# the IoT devices and their logs. Remove it (the reply below agrees).
config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# Lets every guest/IoT client reach the HA host on every protocol and port.
# NOTE(review): narrow this to what IoT clients actually need (the Home
# Assistant web UI port and any integration listeners) - replace
# "list proto 'all'" with "option proto 'tcp'" plus "option dest_port '...'".
# As written, any compromised IoT device can probe every service on the
# Debian host (SSH, other containers), not just Home Assistant.
config rule
	option name 'Haas'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.201'
	option target 'ACCEPT'
	list proto 'all'

# Lets the HA host initiate connections into the guest/IoT VLAN (needed for
# HA to poll and control devices). There is no general lan->guest forwarding,
# so other LAN hosts cannot reach IoT devices directly; only the HA host can.
# Unnamed - give it a name, e.g. "option name 'Hass-to-guest'", so it is
# recognisable in LuCI and logs.
config rule
	option src 'lan'
	list src_ip '192.168.1.201'
	option dest 'guest'
	option target 'ACCEPT'
	list proto 'all'


Thank you
K

Looks generally okay.

You might consider limiting the Hass rule to only the required port(s)... typically you don't want to open the entire machine to the guest network, but rather just specific ports (like the web interface port or whatever else you need). As written (`list proto 'all'` with no `dest_port`), every IoT client can reach every service on that host, not just Home Assistant.

And you should turn off masquerading on the guest zone — it isn't needed for a directly routed subnet, and it rewrites the source address of traffic forwarded into the guest network so the IoT devices no longer see who is really talking to them.
