Configure LAN + DMZ Using DSA and Port-Isolated Subnets

First off, many thanks to the OpenWRT team for their work on the firmware.

I have an Archer A6 v3 running the OpenWRT 21.02 snapshot (openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin). I'm interested in configuring two subnets to isolate the LAN and DMZ interfaces from each other using DSA port isolation:

  • DMZ on port 1: 192.168.0.1/24
  • LAN on ports 2,3,4: 192.168.1.1/24

Turns out there is great documentation to show how this can be done:

Here's a snippet of my /etc/config/network:

config device
	option name 'lan1'

config interface 'DMZ'
	option proto 'static'
	option device 'lan1'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

I have some custom firewall rules to open WAN ports for the DMZ and to allow specific devices on the LAN to access the servers in the DMZ. Everything seems to be working perfectly, except that my TURN server in the DMZ fails to relay traffic. However, if I move the server into the LAN, the same firewall rules (slightly adjusted) allow the TURN server to successfully relay traffic.

It seems like I'm missing something while configuring the DMZ firewall. Anybody have some tips on this? Here's a snippet of my /etc/config/firewall:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'DMZ'

config forwarding
	option src 'dmz'
	option dest 'wan'

...

config redirect
	option target 'DNAT'
	option name 'XMPP TURN Range'
	option src_dport '49152-49200'
	option dest_ip '192.168.0.100'
	option src 'wan'
	option dest 'dmz'

...

config rule
	option name 'Allow-admin'
	option src 'lan'
	list src_ip '192.168.1.30'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option dest 'dmz'
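A small lint over firewall config in the UCI format shown above, as an added example that is not from the post or from OpenWrt: it parses the UCI text and flags forwardings from `dmz` into a non-`wan` zone, redirects with no `proto`, and `lan`->`dmz` ACCEPT rules with no `src_ip`. The sample config is constructed for the example (a `dmz`->`lan` forwarding and a rule without `src_ip` are deliberately included); the parser and checks are general.

```python
import re

# Constructed sample in the style of the post's /etc/config/firewall. The
# dmz->lan forwarding and the rule without src_ip are added to trigger findings.
SAMPLE = """\
config forwarding
	option src 'dmz'
	option dest 'lan'
config redirect
	option name 'XMPP TURN Range'
	option src_dport '49152-49200'
	option dest_ip '192.168.0.100'
	option src 'wan'
	option dest 'dmz'
config rule
	option name 'Allow-admin'
	option src 'lan'
	option dest 'dmz'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into dicts holding '.type', '.name', options and lists."""
    line_re = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")
    sections = []
    for raw in text.splitlines():
        m = line_re.match(raw)
        if not m:
            continue                      # blank line or comment
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif sections and kind == "option":
            sections[-1][key] = val
        elif sections:                    # 'list' keys may repeat
            sections[-1].setdefault(key, []).append(val)
    return sections

def lint_firewall(text):
    """Flag settings that weaken LAN/DMZ isolation or over-expose DMZ hosts."""
    findings = []
    for s in parse_uci(text):
        t = s[".type"]
        if t == "forwarding" and s.get("src") == "dmz" and s.get("dest") != "wan":
            findings.append(f"forwarding dmz->{s['dest']}: DMZ hosts can reach {s['dest']}")
        elif t == "redirect" and "proto" not in s:
            # fw3/fw4 default a redirect's proto to tcpudp when it is omitted
            findings.append(f"redirect '{s.get('name')}': no proto, exposes tcp and udp")
        elif (t == "rule" and s.get("src") == "lan" and s.get("dest") == "dmz"
              and s.get("target") == "ACCEPT" and "src_ip" not in s):
            findings.append(f"rule '{s.get('name')}': lan->dmz accepted from every LAN host")
    return findings
```

Run it against a copy of `/etc/config/firewall` pulled from the router; an empty list means none of the three patterns is present.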