Can you tell me if my network config is correct?

Hello community:

I'm newbie at this fantasic community and networking firmaware/world, I'm learning step by step reading the fantastic wiki that the community has written; first of all, I'm from Spain and because of that, english is not my native language, apologizes if you can't understand me well, hehehe.

Like the title says, if it's possible, can you take a look to my basic config (network, dhcp and firewall config files) to see if everything is ok or I've to make modifications?, because I've basic networking knowledgment and like I've said before, I'm learning and I'm not sure if everything is well configured.

####################################GENERAL INFO####################################
My router is a Linksys WRT 3200 ACM with stable OpenWRT 19.07.5 r11257-5090152ae3.

My home network has the next subnets (wan and local subnets), and their own devices:

####################################WAN Subnets####################################
WAN (ISP IPv4)

ONT (to be able to connect to the ONT directly from my desktop machine).

VPN WAN (right now is disable, but I've made its interface and firewall zone for a future use when I will need it, to work with a travel router like my old TP-link WDR4300 or a raspberry [but I don't have configured it yet]).

####################################LAN Subnets####################################
VoIP: Raspberry Pi 3B+ with Raspbx like telephony central + Grandstream-GXP1620 + 3 old Samsung Galaxy GT-S7580 (Trend Plus) like softphones at home (using the main 2.4 GHz AP).

Servidores [Servers]: Hyper-V Server + AD servers 1&2 + Multimedia server + IoT server + HP OfficeJet 6820 All-in-One printer.

Hosts: 4 Virtual machines at the Hyper-V server, 3 Raspberry Pi model 3B+/4 for remote desktop to the VMs with Remmina (it works very well), my PC Gamer and a Tablet PC (with ASIX USB 3.0 ethernet adapter).

Wireless: 5 GHz for our Wi-Fi devices (using the main 5GHz AP)

Wlessguests: Wi-Fi network for guests, both bands for compatibility (using the second AP).

VPN local (wireguard protocol): I named it local because it's for connect devices away from home, with 6 peers, 3 for the smartphones that we use and the other 3 for to be used with the raspberrys used for remote desktop with remmina, obviously, when we will be away from home (holidays...)

#################################SUBNETS AT LEVEL 2#################################

INFO: I've made a VLAN 802.1q for each subnet at my home network.

INFO2: Like you know, the Linksys WRT 3200 ACM has a double core CPU, and at the switch level, the WAN subnets are linked to the core1 and the LAN subnets are linked to the core0; the internal switch connections are:

Port0=LAN4 | Port1=LAN3 |Port2=LAN2 |Port3=LAN1 |Port4=WAN |Port 5=Core0 LAN| Port 6=Core 1WAN

INFO3: I want to make a link aggregation with the LAN ports 1&2 (Ports 2&3) with a Linksys-LGS308 that I will purchase when I have configured the network correctly.

##########################CONFIGURATION OF EACH SUBNET##########################

Ports 2&3 go to the room where the servers are (raspbx included).
Port 1 is the sitting room.
Port 0 is the living room.

1.20 = 4t 6t
1.21 = 4t 6
1.22 = 4t 6t (disabled right now)
0.25 = 1t 2t 3t 5t
0.30 = 2t 3t 5t
0.35 = 0 1t 2t 3t 5t
0.40 = 5t (bridge interface)
0.45 = 5t (bridge interface)
0.50 = 5t (I got doubts about this, because I don't know if I will have to link it to the wan or the lan core of both, but it's working very well right now).

#################################SUBNETS AT LEVEL 3#################################
INFO: I'm using VLSM for the local subnets, with CIDR /28, making a total of 16 subnets of 16 hosts each one, making possible to use 14 of them for both (networks and hosts).

INFO2: For DNS and DHCP I use "dnsmasq-full" package, with an only one DNS pool and multi DHCP pools for each subnet that I want to assign IP address with static leases (or diynamically for the wlessguests subnet), the only local subnet with static ip addresses is the "Servidores" subnet.
One exception is the VPN local that doesn't use the DHCP protocol / pools, the IP addresses are defined at the wireguard interface (peers section).

INFO3: I'm using DNSCrypt-ProxyV2 and the DNS pool has the use of the WAN peer DNS disabled, using the 127.0.0.53#53 server like the WIKI describe.

VoIP subnet (0.25) = 192.168.100.16/28
Servidores [Servers] (0.30) = 192.168.100.32/28
Hosts (0.35) = 192.168.100.48/28
Wireless (0.40) = 192.168.100.64/28
Wlessguests (0.45) = 192.168.100.80/28
VPN-Local (0.50) = 192.168.100.96/28

Finally, I'm so sorry for this bible, at the next post I will post the network, firewall and dhcp config files.
Kind regards.

P.S.: If you don't understand something about my intentions, configs or something, tell me and I will try to clarify you a.s.a.p.

Here are my config files:

Network config file

config globals 'globals'

#############################################
################CONFIG_SWITCH################
#############################################
config switch
        option name             'switch0'
        option enable_vlan      '1'
        option reset            '1'

#############################################
##############INTERFAZ_LOOPBACK##############
#############################################
config interface 'loopback'
        option ifname           'lo'
        option proto            'static'
        option ipaddr           '127.0.0.1'
        option netmask          '255.0.0.0'

#############################################
#####################WAN#####################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '1'
        option ports            '4t 6t'
        option vid              '20'

#********************VLSM*******************#
config interface 'wan'
        option ifname           'eth1.20'
        option proto            'dhcp'
        option peerdns          '0'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'

#############################################
#####################ONT#####################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '2'
        option ports            '4 6t'
        option vid              '21'

#********************VLSM*******************#
config interface 'ont'
        option ifname           'eth1.21'
        option proto            'static'
        option ipaddr           '192.168.10.6'
        option netmask          '255.255.255.252'
        option broadcast        '192.168.10.7'
        option delegate         '0'
        option auto             '0'
        option mtu              '1472'

#############################################
####################VPN-WAN##################
#############################################
#*********************VLAN******************#
#config switch_vlan
#        option device           'switch0'
#        option vlan             '3'
#        option ports            '4t 6t'
#        option vid              '22'

#********************VLSM*******************#
#config interface 'vpnwan'
#       option ifname           'eth1.22'
#       option proto            'static'
#       option ipaddr           ''
#       option netmask          ''
#       option broadcast        ''
#       option delegate         '0'
#       option auto             '0'
#       option mtu              '1472'

#############################################
#####################VoIP####################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '4'
        option ports            '1t 2t 3t 5t'
        option vid              '25'

#********************VLSM*******************#
config interface 'voip'
        option ifname           'eth0.25'
        option proto            'static'
        option type             'bridge'
        option ipaddr           '192.168.100.17'
        option dns              '192.168.100.17'
        option broadcast        '192.168.100.31'
        option netmask          '255.255.255.240'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'


#############################################
##################SERVIDORES#################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '5'
        option ports            '2t 3t 5t'
        option vid              '30'

#********************VLSM*******************#
config interface 'servidores'
        option ifname           'eth0.30'
        option proto            'static'
        option ipaddr           '192.168.100.33'
        option dns              '192.168.100.33'
        option broadcast        '192.168.100.47'
        option netmask          '255.255.255.240'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'

#############################################
#####################HOSTS###################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '6'
        option vid              '35'
        option ports            '0 1t 2t 3t 5t'

#********************VLSM*******************#
config interface 'hosts'
        option ifname           'eth0.35'
        option proto            'static'
        option ipaddr           '192.168.100.49'
        option dns              '192.168.100.49'
        option broadcast        '192.168.100.63'
        option netmask          '255.255.255.240'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'

#############################################
###################WIRELESS##################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '7'
        option vid              '40'
        option ports            '5t'

#********************VLSM*******************#
config interface 'wireless'
        option ifname           'eth0.40'
        option proto            'static'
        option type             'bridge'
        option ipaddr           '192.168.100.65'
        option dns              '192.168.100.65'
        option broadcast        '192.168.100.79'
        option netmask          '255.255.255.240'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'

#############################################
################WLESSGUESTS#################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '8'
        option vid              '45'
        option ports            '5t'

#********************VLSM*******************#
config interface 'wlessguests'
        option ifname           'eth0.45'
        option proto            'static'
        option type             'bridge'
        option ipaddr           '192.168.100.81'
        option dns              '192.168.100.81'
        option broadcast        '192.168.100.95'
        option netmask          '255.255.255.240'
        option delegate         '0'
        option auto             '1'
        option mtu              '1472'


#############################################
##################VPN-LOCAL##################
#############################################
#********************VLAN*******************#
config switch_vlan
        option device           'switch0'
        option vlan             '9'
        option vid              '50'
        option ports            '5t'

#********************VLSM*******************#
config interface 'vpnlocal'
        option ifname           'eth0.50'
        option proto            'wireguard'
        option private_key      'xxxx'
        option listen_port      '52825'
        list addresses          '192.168.100.97/28'
        option mtu              '1420'

#*******************PARES*******************#
config wireguard_vpnlocal 'Alberto_VPN'
        option description      'Alberto_VPN'
        option public_key       'xxx'
        option preshared_key    'xxx'
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.98/32'

config wireguard_vpnlocal 'Luis_VPN'
        option description      'Luis_VPN'
        option public_key       'xxx'
        option preshared_key    'xxx'
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.99/32'

config wireguard_vpnlocal 'MariCarmen_VPN'
        option description      'MariCarmen_VPN'
        option public_key       'xxx'
        option preshared_key    'xxx'
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.100/32'

config wireguard_vpnlocal 'RDesktop1_VPN'
        option description      'RDesktop1_VPN'
        option public_key       'xxx'
        option preshared_key    'xxx'
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.101/32'

config wireguard_vpnlocal 'RDesktop2_VPN'
        option description      'RDesktop2_VPN'
        option public_key       'xxx'
        option preshared_key    'xxx'
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.102/32'

config wireguard_vpnlocal 'RDesktop3_VPN'
        option description      'RDesktop3_VPN'
        option public_key       'xxx'
        option preshared_key    ''
        option persistent_keepalive '25'
        list allowed_ips        '192.168.100.103/32'

#############################################

#############################################

DHCP config file

##########################################################################
###############################HOMEDOMAINHSH##############################
##########################################################################
#*******************************GLOBAL-DNS*******************************#
config dnsmasq
        option domainneeded             '1'
        option boguspriv                '1'
        option filterwin2k              '0'
        option local                    '/local.homedomainhsh.org/'
        option domain                   'local.homedomainhsh.org'
        option rebind_domain            '/local.homedomainhsh.org/'
        option rebind_protection        '1'
        option rebind_localhost         '1'
        option add_local_fqdn           '3'
        option fqdn                     '1'
        option expandhosts              '1'
        option authoritative            '1'
        option nohosts                  '1'
        option readethers               '0'
        option nonwildcard              '1'
        option localservice             '1'
        option localuse                 '1'
        option nonegcache               '0'
        option cachesize                '150'
        option dnssec                   '1'
        option dnsseccheckunsigned      '1'
        option localise_queries         '1'
        option logfacility              '/mnt/sda2/0.log_files/dnsmasq/dnsmasq_queries.log'
        option leasefile                '/tmp/dhcp.leases'
        option resolvfile               '/tmp/resolv.conf.auto'
        option confdir                  '/tmp/dnsmasq.d/'
        list server                     '127.0.0.53#53'

#*********************************ODHCPD*********************************#
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

##########################################################################
##################################WAN#####################################
##########################################################################
#*********************************DHCP***********************************#
config dhcp 'wan'
        option interface        'wan'
        option networkid        'eth1.20'
        option ignore           '1'

##########################################################################
##################################ONT#####################################
##########################################################################
#*********************************DHCP***********************************#
config dhcp 'ont'
        option interface        'ont'
        option networkid        'eth1.21'
        option ignore           '1'

##########################################################################
################################VPN-WAN###################################
##########################################################################
#*********************************DHCP***********************************#
config dhcp 'wan'
        option interface        'wan'
        option networkid        'eth1.20'
        option ignore           '1'

##########################################################################
##################################ONT#####################################
##########################################################################
#*********************************DHCP***********************************#
config dhcp 'ont'
        option interface        'ont'
        option networkid        'eth1.21'
        option ignore           '1'

##########################################################################
################################VPN-WAN###################################
##########################################################################
#*********************************DHCP***********************************#
#config dhcp 'vpnwan'
#       option interface        'wan'
#       option networkid        'eth1.22'
#       option ignore           '1'

##########################################################################
###################################VoIP###################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'voip'
        option interface        'voip'
        option networkid        'eth0.25'
        option dhcpv4           'server'
        option dhcpv6           'disabled'
        option gateway          '192.168.100.17'
        option dns              '192.168.100.17'
        option netmask          '255.255.255.240'
        option dynamicdhcp      '0'
        option start            '19'
        option limit            '4'
        option leasetime        'infinite'
        list dhcp_option        '42,192.168.100.17'

#**********************************HOSTS*********************************#
config domain
        option name             'Linksys-WRT3200VoIP'
        option ip               '192.168.100.17'

config domain
        option name             'VoIP-Server'
        option ip               '192.168.100.18'

config host
        option name             'Grandstream-GXP1620'
        option ip               '192.168.100.19'
        option mac              'C0:74:AD:0E:7D:FB'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Grandstream-GXP1620'
        option ip               '192.168.100.19'

config host
        option name             'VoIP-Smartphone1'
        option ip               '192.168.100.20'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'VoIP-Smartphone1'
        option ip               '192.168.100.20'

config host
        option name             'VoIP-Smartphone2'
        option ip               '192.168.100.21'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'VoIP-Smartphone2'
        option ip               '192.168.100.21'

config host
        option name             'VoIP-Smartphone3'
        option ip               '192.168.100.22'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'VoIP-Smartphone3'
        option ip               '192.168.100.22'

##########################################################################
################################SERVIDORES################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'servidores'
        option interface        'servidores'
        option networkid        'eth0.30'
        option ignore           '1'

#**********************************HOSTS*********************************#
config domain
        option name             'Linksys-WRT3200S'
        option ip               '192.168.100.33'

config domain
        option name             'Linksys-LGS308'
        option ip               '192.168.100.34'

config domain
        option name             'Admin-Servidores'
        option ip               '192.168.100.35'

config domain
        option name             'Hyperv-Server'
        option ip               '192.168.100.36'

config domain
        option name             'HomeDomain-Server1'
        option ip               '192.168.100.37'

config domain
        option name             'HomeDomain-Server2'
        option ip               '192.168.100.38'

config domain
        option name             'Multi-Server'
        option ip               '192.168.100.39'

config domain
        option name             'HPOfficeJet6820'
        option ip               '192.168.100.40'

##########################################################################
###################################HOSTS##################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'hosts'
        option interface        'hosts'
        option networkid        'eth0.35'
        option dhcpv4           'server'
        option dhcpv6           'disabled'
        option gateway          '192.168.100.49'
        option dns              '192.168.100.49'
        option netmask          '255.255.255.240'
        option dynamicdhcp      '0'
        option start            '50'
        option limit            '10'
        option leasetime        'infinite'
        list dhcp_option        '42,192.168.100.49'

#*********************************HOSTS*********************************#
config domain
        option name             'Linksys-WRT3200H'
        option ip               '192.168.100.49'

config host
        option name             'Windows10-VM1'
        option ip               '192.168.100.50'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Windows10-VM1'
        option ip               '192.168.100.50'

config host
        option name             'Windows10-VM2'
        option ip               '192.168.100.51'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Windows10-VM2'
        option ip               '192.168.100.51'

config host
        option name             'Windows10-VM3'
        option ip               '192.168.100.52'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Windows10-VM3'
        option ip               '192.168.100.52'

config host
        option name             'Debian-VM'
        option ip               '192.168.100.53'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Debian-VM'
        option ip               '192.168.100.53'

config host
        option name             'RemoteDesktop1'
        option ip               '192.168.100.54'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'RemoteDesktop1'
        option ip               '192.168.100.54'

config host
        option name             'RemoteDesktop2'
        option ip               '192.168.100.55'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'RemoteDesktop2'
        option ip               '192.168.100.55'

config host
        option name             'RemoteDesktop3'
        option ip               '192.168.100.56'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'RemoteDesktop3'
        option ip               '192.168.100.56'

config host
        option name             'Raskaipika-PC'
        option ip               '192.168.100.57'
        option mac              'F0:79:59:65:1D:CC'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Raskaipika-PC'
        option ip               '192.168.100.57'

config host
        option name             'ASI-AX88179'
        option ip               '192.168.100.58'
        option mac              '00:0E:C6:B3:23:AC'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'ASI-AX88179'
        option ip               '192.168.100.58'

config host
        option name             'SonyBravia-TV'
        option ip               '192.168.100.59'
        option mac              'AC:9B:0A:53:0E:53'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'SonyBravia-TV'
        option ip               '192.168.100.59'

##########################################################################
#################################WIRELESS#################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'wireless'
        option interface        'wireless'
        option networkid        'eth0.40'
        option dhcpv4           'server'
        option dhcpv6           'disabled'
        option gateway          '192.168.100.65'
        option dns              '192.168.100.65'
        option netmask          '255.255.255.240'
        option dynamicdhcp      '0'
        option start            '66'
        option limit            '6'
        option leasetime        'infinite'
        list dhcp_option        '42,192.168.100.65'

#**********************************HOSTS********************************#
config domain
        option name             'Linksys-WRT3200PA'
        option ip               '192.168.100.65'

config host
        option name             'AlbertoSmartphone'
        option ip               '192.168.100.66'
        option mac              'A4:50:46:C6:8B:40'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'AlbertoSmartphone'
        option ip               '192.168.100.66'

config host
        option name             'LuisSmartphone'
        option ip               '192.168.100.67'
        option mac              'AC:36:13:EE:B0:B8'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'LuisSmartphone'
        option ip               '192.168.100.67'

config host
        option name             'MariCarmenSmartphone'
        option ip               '192.168.100.68'
        option mac              '04:B1:67:15:E9:78'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'MariCarmenSmartphone'
        option ip               '192.168.100.68'

config host
        option name             'Tablet-RD1'
        option ip               '192.168.100.69'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Tablet-RD1'
        option ip               '192.168.100.69'

config host
        option name             'Tablet-RD2'
        option ip               '192.168.100.70'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Tablet-RD2'
        option ip               '192.168.100.70'

config host
        option name             'Tablet-RD3'
        option ip               '192.168.100.71'
        option leasetime        'infinite'
        option dns              '1'

config domain
        option name             'Tablet-RD3'
        option ip               '192.168.100.71'

##########################################################################
###############################WLESSGUESTS################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'wlessguests'
        option interface        'wlessguests'
        option networkid        'eth0.45'
        option dhcpv4           'server'
        option dhcpv6           'disable'
        option gateway          '192.168.100.81'
        option dns              '192.168.100.81'
        option netmask          '255.255.255.240'
        option dynamicdhcp      '1'
        option start            '82'
        option limit            '13'
        option leasetime        '1h'
        list dhcp_option        '42,192.168.100.81'

#**********************************HOSTS*********************************#
config domain
        option name             'Linksys-WRT3200WG'
        option ip               '192.168.100.81'

##########################################################################
################################VPNLOCAL##################################
##########################################################################
#**********************************DHCP**********************************#
config dhcp 'vpnlocal'
        option interface        'vpnlocal'
        option networkid        'eth0.50'
        option ignore           '1'

#**********************************HOSTS*********************************#
config domain
        option name             'Linksys-WRT3200VL'
        option ip               '192.168.100.97'

config domain
        option name             'Alberto_VPN'
        option ip               '192.168.100.98'

config domain
        option name             'Luis_VPN'
        option ip               '192.168.100.99'

config domain
        option name             'MariCarmen_VPN'
        option ip               '192.168.100.100'

config domain
        option name             'RDesktop1_VPN'
        option ip               '192.168.100.101'

config domain
        option name             'RDesktop2_VPN'
        option ip               '192.168.100.102'

config domain
        option name             'RDesktop3_VPN'
        option ip               '192.168.100.103'

##########################################################################

##########################################################################

INFO: I don't use the hosts and ethers files, because of that, there are "hosts" and "domains" for each hosts of the network, for hosts with static ipaddess (domain section only) and with dhcp leases (domain and host sections).

At the next post, I will post the firewall config, I can't post it here because of the carachters limit by post, sorry,

Firewall config file

###################################################
###############CONFIGURACION_GLOBAL################
###################################################
config defaults
        option input            'ACCEPT'
        option output           'ACCEPT'
        option forward          'REJECT'
        option disable_ipv6     '1'
        option synflood_protect '1'
        option drop_invalid     '1'
        option flow_offloading  '1'

config include
        option path     '/etc/firewall.user'

###################################################
###################ZONAS_FIREWALL##################
###################################################
config zone 'wan'
        option name     'wan'
        option input    'REJECT'
        option output   'ACCEPT'
        option forward  'REJECT'
        option masq     '1'
        option mtu_fix  '1'
        option network  'wan'

config zone 'ont'
        option name     'ont'
        option input    'REJECT'
        option output   'ACCEPT'
        option forward  'REJECT'
        option masq     '1'
        option mtu_fix  '1'
        option network  'ont'

#config zone 'vpnwan'
#        option name     'vpnwan'
#        option input    'REJECT'
#        option output   'ACCEPT'
#        option forward  'REJECT'
#        option masq     '1'
#        option mtu_fix  '1'
#        option network  'vpnwan'

config zone 'voip'
        option name     'voip'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'ACCEPT'
        option network  'voip'

config zone 'servidores'
        option name     'servidores'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'ACCEPT'
        option network  'servidores'

config zone 'hosts'
        option name     'hosts'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'ACCEPT'
        option network  'hosts'

config zone 'wireless'
        option name     'wireless'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'ACCEPT'
        option network  'wireless'

config zone 'wlessguests'
        option name     'wlessguests'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'REJECT'
        option network  'wlessguests'

config zone 'vpnlocal'
        option name     'vpnlocal'
        option input    'ACCEPT'
        option output   'ACCEPT'
        option forward  'REJECT'
        option network  'vpnlocal'

#####################################################
################REENVIOS_ENTRE_ZONAS#################
#####################################################
#***********************WAN*************************#
#config forwarding
#        option dest     'wan'
#        option src      'vpnwan'

config forwarding
        option dest     'wan'
        option src      'voip'

config forwarding
        option dest     'wan'
        option src      'servidores'

config forwarding
        option dest     'wan'
        option src      'hosts'

config forwarding
        option dest     'wan'
        option src      'wireless'

config forwarding
        option dest     'wan'
        option src      'wlessguests'

config forwarding
        option dest     'wan'
        option src      'vpnlocal'

#***********************ONT*************************#
config forwarding
        option dest     'ont'
        option src      'hosts'

#**********************VPN-WAN**********************#
#config forwarding
#        option dest     'vpnwan'
#        option src      'wan'

#***********************VoIP************************#
config forwarding
        option dest     'voip'
        option src      'hosts'

config forwarding
        option dest     'voip'
        option src      'vpnlocal'

#********************SERVIDORES*********************#
config forwarding
        option dest     'servidores'
        option src      'hosts'

#**********************HOSTS************************#
config forwarding
        option dest     'hosts'
        option src      'servidores'

config forwarding
        option dest     'hosts'
        option src      'wireless'

config forwarding
        option dest     'hosts'
        option src      'vpnlocal'

#*********************WIRELESS**********************#
config forwarding
        option dest     'wireless'
        option src      'hosts'

#*********************VPN-LOCAL*********************#
config forwarding
        option dest     'vpnlocal'
        option src      'hosts'

config forwarding
        option dest     'vpnlocal'
        option src      'voip'

#####################################################
##################REGLAS_DE_TRAFICO##################
#####################################################

##################PERMITIR_GENERALES#################
config rule
        option name     'DHCPv4-WAN'
        option src      'wan'
        option proto    'udp'
        option dest_port '68'
        option family   'ipv4'
        option target   'ACCEPT'

config rule
        option name     'Permitir-IGMP'
        option src      'wan'
        option proto    'igmp'
        option family   'ipv4'
        option target   'ACCEPT'

config rule
        option name     'Permitir-IPSec-ESP'
        option src      'wan'
        option dest     'hosts'
        option proto    'esp'
        option family   'ipv4'
        option target   'ACCEPT'

config rule
        option name     'Permitir-ISAKMP'
        option src      'wan'
        option dest     'hosts'
        option dest_port '500'
        option proto    'udp'
        option target   'ACCEPT'

#****************PERMITIR_SERVIDORES****************#

#******************PERMITIR_HOSTS*******************#

#*****************PERMITIR_WIRELESS*****************#

#***************PERMITIR_WLESSGUESTS****************#
config rule
        option name     'HTTP/HTTPS-WLESSGUESTS'
        option src      'wlessguests'
        option proto    'tcp'
        option dest_port '80 8080 443'
        option family   'ipv4'
        option target   'ACCEPT'

#***************PERMITIR_VPNLOCAL****************#
config rule 'wg'
        option name     'Permitir_VPN-local'
        option src      'wan'
        option dest_port '52825'
        option proto    'udp'
        option target   'ACCEPT'

###################DENEGAR_GENERALES#################
config rule
        option name     'NoPing-WAN'
        option src      'wan'
        option src_ip   '0.0.0.0'
        option proto    'icmp'
        option icmp_type 'echo-request'
        option target   'REJECT'

config rule
        option name     'NoSSH-WAN'
        option src      'wan'
        option src_ip   '0.0.0.0'
        option proto    'tcp'
        option src_port '22'
        option target   'REJECT'

config rule
        option name     'NoHTTP/HTTPS-WAN'
        option src      'wan'
        option src_ip   '0.0.0.0'
        option proto    'tcp'
        option src_port '80 8080 443'
        option target   'REJECT'

#*****************DENEGAR_SERVIDORES****************#
config rule
        option name     'Rechazar_DNS_over_TLS-SERVIDORES'
        option src      'servidores'
        option dest     'wan'
        option proto    'tcp udp'
        option dest_port '853'
        option target   'REJECT'

#*******************DENEGAR_HOSTS*******************#
config rule
        option name     'Rechazar_DNS_over_TLS-HOSTS'
        option src      'hosts'
        option dest     'wan'
        option proto    'tcp udp'
        option dest_port '853'
        option target   'REJECT'

#******************DENEGAR_WIRELESS*****************#
config rule
        option name     'Rechazar_DNS_over_TLS-WIRELESS'
        option src      'wireless'
        option dest     'wan'
        option proto    'tcp udp'
        option dest_port '853'
        option target   'REJECT'

#****************DENEGAR_WLESSGUESTS****************#
config rule
        option name     'Rechazar_DNS_over_TLS-WLESSGUESTS'
        option src      'wlessguests'
        option dest     'wan'
        option proto    'tcp udp'
        option dest_port '853'
        option target   'REJECT'

#*****************DENEGAR_VPNLOCAL******************#
config rule
        option name     'Rechazar_DNS_over_TLS-VPNLOCAL'
        option src      'vpnlocal'
        option dest     'wan'
        option proto    'tcp udp'
        option dest_port '853'
        option target   'REJECT'

#####################################################
#################REENVIO_DE_PUERTOS##################
#####################################################

##################REENVIO_GENERALES##################

#*****************REENVIO_SERVIDORES****************#
config redirect
        option name     'Adblock-SERVIDORES'
        option proto    'tcp udp'
        option src      'servidores'
        option src_dport '53'
        option dest     'servidores'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'Adblock-SERVIDORES5353'
        option proto    'tcp udp'
        option src      'servidores'
        option src_dport '5353'
        option dest     'servidores'
        option dest_port '5353'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-SERVIDORES'
        option proto    'tcp udp'
        option src      'servidores'
        option src_dport '53'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-SERVIDORES5353'
        option proto    'tcp udp'
        option src      'servidores'
        option src_dport '5353'
        option dest_port '53'
        option target   'DNAT'

#*******************REENVIO_HOSTS*******************#
config redirect
        option name     'Adblock-HOSTS'
        option proto    'tcp udp'
        option src      'hosts'
        option src_dport '53'
        option dest     'hosts'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'Adblock-HOSTS5353'
        option proto    'tcp udp'
        option src      'hosts'
        option src_dport '5353'
        option dest     'hosts'
        option dest_port '5353'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-HOSTS'
        option proto    'tcp udp'
        option src      'hosts'
        option src_dport '53'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-HOSTS5353'
        option proto    'tcp udp'
        option src      'hosts'
        option src_dport '5353'
        option dest_port '53'
        option target   'DNAT'

#******************REENVIO_WIRELESS*****************#
config redirect
        option name     'Adblock-WIRELESS'
        option proto    'tcp udp'
        option src      'wireless'
        option src_dport '53'
        option dest     'wireless'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'Adblock-WIRELESS5353'
        option proto    'tcp udp'
        option src      'wireless'
        option src_dport '5353'
        option dest     'wireless'
        option dest_port '5353'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-WIRELESS'
        option proto    'tcp udp'
        option src      'wireless'
        option src_dport '53'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-WIRELESS5353'
        option proto    'tcp udp'
        option src      'wireless'
        option src_dport '5353'
        option dest_port '53'
        option target   'DNAT'

#*****************REENVIO_WLESSGUESTS***************#
config redirect
        option name     'Adblock-WLESSGUESTS'
        option proto    'tcp udp'
        option src      'wlessguests'
        option src_dport '53'
        option dest     'wlessguests'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'Adblock-WLESSGUESTS5353'
        option proto    'tcp udp'
        option src      'wlessguests'
        option src_dport '5353'
        option dest     'wlessguests'
        option dest_port '5353'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-WLESGUESTS'
        option proto    'tcp udp'
        option src      'wlessguests'
        option src_dport '53'
        option dest_port '53'
        option reflection '0'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-WLESGUESTS5353'
        option proto    'tcp udp'
        option src      'wlessguests'
        option src_dport '5353'
        option dest_port '53'
        option reflection '0'
        option target   'DNAT'

#******************REENVIO_VPNLOCAL*****************#
config redirect
        option name     'Adblock-VPNLOCAL'
        option proto    'tcp udp'
        option src      'vpnlocal'
        option src_dport '53'
        option dest     'vpnlocal'
        option dest_port '53'
        option target   'DNAT'

config redirect
        option name     'Adblock-VPNLOCAL5353'
        option proto    'tcp udp'
        option src      'vpnlocal'
        option src_dport '5353'
        option dest     'vpnlocal'
        option dest_port '5353'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-VPNLOCAL'
        option proto    'tcp udp'
        option src      'vpnlocal'
        option src_dport '53'
        option dest_port '53'
        option reflection '0'
        option target   'DNAT'

config redirect
        option name     'DNS_Hijacking-VPNLOCAL5353'
        option proto    'tcp udp'
        option src      'vpnlocal'
        option src_dport '5353'
        option dest_port '53'
        option reflection '0'
        option target   'DNAT'

#####################################################

#####################################################

INFO: Translations from spanish
Permitir = Allow
Denegar = Reject
ReenvĂ­o = Forward

INFO2: The forwarding rules (reenvio) for adblock is for intercept the DNS traffic for the Adblock app before to send the DNS requests to the DNSCrypt-ProxyV2. I don't know if tese rules are making any type of loop or are incorrect.

Like you can see, I don't have problems with make the same rule (allow or reject) for each subnet/zone, but if there is a better way to do this, tell me please.

Again, thank you so much for your support and help.

Kind regards.

There is no need to do that. Keep the default /24 for future expansion.

Why is there everywhere mtu 1472?

No need to use broadcast in any interface.

You are supposed to fill in a different dns server there, not itself.

Same here, and in interfaces hosts, wireless, wlessguests,

I wouldn't use this long name for local and domain.

gateway,dns, netmask are not needed. I would not give infinite leasetime, maybe 12h max. The same applies to the other dhcp pools too.

You may want to change that to reject.

They are all wrong. By default the input for wan zone is reject, so you don't need to add more rules to reject. Other than that you'll never get something from IP 0.0.0.0, since it is reserved, and source port means that a server is trying to send you traffic, which also doesn't happen.

DNAT is taking place before the blocking of the DNS, so it is not needed.

2 Likes

First of all, thanks for answer to the topic, about your answers:

I've divided the network with CIDR /28 because I want independent subnets at level 2 and 3, one VLAN for each IP subnet, I know (or that I thought) that this can make more complicated the managment of the network, but I don't have problem with that ( make firewall rules for each zone related to each VLAN/IP subnets etcetera).

If it's a newbie mistake or there is a better way, please, tell me.

I know that this is necessary for the WAN interface, and I tought that it was necessary for the rest of subnets, I will delete if from the config for the other subnets (LAN subnets), but, can I / do I have to establish MTU value for ONT and vpnlocal too??

Understood, I will remove it from the dhcp pools because I understand that with establish "127.0.0.53#53" at the DNS pool is enough for all local subnets.

I don't understand the meaning, I want to meant that I don't understand if the names are wrong (it has to be a name for the local and another for the domain), or if you only refer to the lenght of the name.

If it's the second situation, I named at this way because when I will set up the AD Servers, the domain will be "homedomainhsh.org", to be able to differentiate when the host are connected to the M$ domain and when the host are not logged to the M$ domain.

If there is a better way, again, please tell me.

You're right about the static leases time period, I'm agree with you, but about the gateway and netmask options, do you say that because the change to CIDR /24 mentioned above or is it independant of the CIDR used?

Firstly, I've set like you say (and WIKI too :relieved:), but at that way the wlessguests clients didn't obtain an IP address, because of that, I changed the "INPUT" field to ACCEPT.

I don't know if the clients of the wlessguests didn't obtain an IP address is because of another network/dhcp/wireless config mistake.

About the firewall rules, I put 0.0.0.0 like network because I believed that it represented any network, I forgot that 0.0.0.0 is a reserved IP, ahhh, a newbie mistake :sweat_smile:

Then I will delete them because they have no sense, OK, understood. One more thing about the firewall rules:

Then, the rules made for Adblock are well? , I want to meant if they are making some kind of DNS loop, becasue like I've said at the OP post, these rules are for Adblock before the DNSHijacking to DNSCrypt-ProxyV2.

Again, thank you so much for your time, help and tips about the configuration, this community is so helpful.

Regards.

P.S.= I forget it, about the link agreggation, I will take a look to the threads, thanks.

Separating the different hosts with vlans is fine. There is no need to limit your subnets to /28, use /24.

Use it only on wan if it is a requirement from your ISP. ONT is local, I don't think it would advertise a lower mtu. In any case measure it and then assign it.

I don't know about active directory and if it will conflict with the domain. However if you want to access some resource on the network there is no point to write all this lengthy fqdn. Just a .lan or .home is enough.

You need to allow the DHCP and the DNS when you set the input to reject.


DHCP needs only udp/67

Then it is 0.0.0.0/0 , but still it is pointless. You want to block everything that comes from wan, you don't care for the source address.

They seem fine to me. Try them yourself if they work or not.

3 Likes

Hi again, thank you so much for your recommendations and help, it has been so helpful.

I've applied all your recomendations, with the only exception about the CIDR, I know that is not needed to make VLSM at level 3, but I prefer to has a level 3 subnet for each VLAN, because use a subnet for each VLAN has no impact at the network performance (I believe :woozy_face:).

Of course, the wlessguests subnet (wireless Wi-Fi) works like a charm now.

About the Adblock rules, I've checked again an it is working well at every interfaces, but, is there any kind of interface like a monitor interface that I can use to see the reports at its Luci-App instead to have to change the monitor interface?

P.S.: I'm not going to need more IP addresses for each subnet.

It seems to me that you recently passed the CCNA/JNCIA
Forget about vlsm, classes(not applicable anymore) and whatever else you were taught.
Here you have all the private addresses at your disposal; you are not admin in a firm with a limited publicly routable address space which needs to be divided to smaller subnets.
What I am telling you all this time is to use larger subnets. Also make the network obvious to which vlan it belongs.

Famous newbie last words :smile:
Been there, suffered the pain of migrating to larger subnet when the lightbulbs became smart and connected to the wifi. If you still want to do it, by all means. If you ask me, go for the bigger one.

Regarding Adblock, I am not using it myself, so I am not sure what do you want to monitor or how to do it.

2 Likes

Yes, you're right about the CCNA, I understood all that you say, and I agree with you about the larger subnets, but for my home network and this subnets is enough. Other thing is what you say about the IoT future, I know that we will need a larger subnet for that beacause everything will be SMART, IoT..., but for that case, I had been thought to use a CIDR /24 subnet like 192.168.200.0/24.

Ahahaha, you're right, newbie here!!! learning step by step, reading and with the help of he community, and mainly, from my own mistakes that is most important, like the real life.

At adblock luci-app there is a section called "DNS report" that allows you to see which domains are allowed and which are dennied while you're browsing Internet, but you only can see the DNS report from a "X" interface, like in my case I got more than one local interface, if I want to see the domains reported from wireless interface for example, I've to change the "reported interface" to the wireless interface, and at this way each time that I want to check the report from the "X" inteface that I want to check.

Adblock for this purpose uses the package tcpdump-mini or tcpdump, I got installed the full version (tcpdump) and I know that's possible to create a monitor interface, but I don't know how.

Again, thank you so much for your time and help.

Kind regards.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.