Hello,
I continue to discover openwrt and I have a strange behaviour...
I create a VLAN 10 on interface 2 of my linksys
I create a dedicted zone to this VLAN
I disable the forward between my 2 network.
When I am connected tho the network 192.168.2.0 I can access to the 192.168.10.0
What's wrong with my configuration?
Disabling forward prevents connections originating on that network from forwarding it doesn't prevent them from replying to stuff originating elsewhere. To completely isolate a network prevent forwarding from other places to that network as well.
You'll need to post your configuration first: uci export network; uci export firewall
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdda:0d63:1557::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '10'
option ports '2 5t'
option vid '10'
config interface 'WAN_Nume'
option proto 'static'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.10'
option ipaddr '192.168.10.1'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option log '1'
option network 'lan'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'WAN_Numeri'
option output 'ACCEPT'
option network 'WAN_Nume'
And you mean devices in the 192.168.10.0/24 network? Access to any IP address of the OpenWrt router itself is controlled via the input setting of the source zone, i.e. the lan zone in the case above.
Configuration looks correct, can you show us the text output or a screenshot of the host in 192.168.2.X that can connect to the hosts in 192.168.10.X ?
I reset router and try again....
When I am in the network 192.168.10.X I can access to the LuCi web interface on 192.168.2.X normal?
Very normal, the INPUT of the WAN_Numeri zone is ACCEPT.
As long as you are trying to access the router itself, regardless of the IP, the policy is mandated by INPUT.
Thanks for the tips.
Any documentation about this system ?
Hello,
Thanks for the doc 
When I compar the LuCI web interface switch and the file in /etc/config/network it's seems to be different :
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfb:c58d:c11b::/48'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '14'
option ports '3t 5t'
config interface 'WAN_Nume'
option proto 'static'
option ifname 'eth0.14'
option type 'bridge'
option netmask '255.255.255.0'
option ipaddr '10.0.14.1'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '24'
option ports '2t 5t'
config interface 'LAN_Nume'
option proto 'static'
option ifname 'eth0.24'
option type 'bridge'
option netmask '255.255.255.0'
option ipaddr '10.0.24.1'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '54'
option ports '0 5t'
config interface 'LAN_Home'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option ipaddr '10.0.34.1'
option ifname 'eth0.34'
option stp '1'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '34'
option ports '1t 5t'
config interface 'DMZ_Nume'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option ipaddr '10.0.54.1'
option delegate '0'
option force_link '0'
option ifname 'eth0.54'
I don't really understand the "number" of ports in network config file :
Port number 2 is the physical port eth 2 on my router ?
From the mapping it seems that:
LAN1 port 3
LAN2 port 2
LAN3 port 1
LAN4 port 0
WAN port 4
Whet a beautiful idea to invert the id of physicall port and number 
Other question ... (Sorry I try to understand how openwrt work)
I have a DHCP server on 3 interface.
But into the LAN_HOME network, DHCP not work.
Problem with vlan ?
What is the output of uci export dhcp; uci export firewall ?
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'LAN_Home'
option interface 'LAN_Home'
option start '100'
option leasetime '12h'
option limit '150'
config dhcp 'LAN_Nume'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'LAN_Nume'
config dhcp 'DMZ_Nume'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'DMZ_Nume'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'ACCEPT'
option log '1'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'WAN_Nume'
option input 'ACCEPT'
option name 'WAN_Nume'
option output 'ACCEPT'
option log '1'
option forward 'REJECT'
config zone
option network 'LAN_Nume'
option input 'ACCEPT'
option name 'LAN_Nume'
option output 'ACCEPT'
option log '1'
option forward 'REJECT'
config zone
option network 'LAN_Home'
option input 'ACCEPT'
option name 'LAN_Home'
option output 'ACCEPT'
option log '1'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'LAN_Home'
config forwarding
option dest 'wan'
option src 'WAN_Nume'
config forwarding
option dest 'wan'
option src 'LAN_Nume'
config zone
option network 'DMZ_Nume'
option input 'ACCEPT'
option name 'DMZ_Nume'
option output 'ACCEPT'
option log '1'
option forward 'REJECT'
config redirect
option dest_port '80'
option name 'revproxy-80'
option src_dport '80'
option target 'DNAT'
option dest 'DMZ_Nume'
option src 'wan'
option dest_ip '10.0.54.11'
config redirect
option dest_port '443'
option src 'wan'
option name 'revproxy-443'
option src_dport '443'
option target 'DNAT'
option dest_ip '10.0.54.11'
option dest 'DMZ_Nume'
config nat
option src_port '80'
list proto 'tcp'
list proto 'udp'
option name 'Revproxy-80'
option dest_port '443'
option src 'wan'
option dest_ip '10.0.54.11'
option target 'ACCEPT'
config nat
option src_port '443'
option src 'wan'
option name 'Revproxy-443'
option target 'ACCEPT'
option dest_port '443'
list proto 'tcp'
list proto 'udp'
option dest_ip '10.0.54.11'
config forwarding
option dest 'wan'
option src 'DMZ_Nume'
It is correct, maybe the problem is elsewhere. If you connect a hot with static IP does it work?
Also you may want to change the global defaults firewall policy for FORWARD to REJECT, otherwise all zones will be able to communicate with each other.
Not working with a static ip.
I have a wifi network brige into this interface and in wifi I have a DHCP and internet connection 
Then temporarily change from tagged to untagged, connect a PC directly without switch on the LAN3 port, and check again.
If it works, then you have some issues with the downstream switch and the vlan settings.
I change to untagged and my computer directly take a DHCP lease.
What is the problem ?
Obviously the device that you connect there doesn't understand tagged frames.