Custom DNS port not working with DNSMASQ full

config redirect
	option target 'DNAT'
	option name 'dns hijack (kids lan 53)'
	option src 'kids_zone'
	option src_dport '53'
	option dest_port '5153'

Finally noticed there's no option proto 'tcp udp' in this section, unlike in the adults_lan section.

Seems like a stretch, but maybe this is the cause?

No proto defaults to tcp and udp, so that could not cause a problem (in theory).


I believe the OP is looking to make this work:

[image: diagram of the layout the OP is trying to build]

Instead, I think this would be a better approach:

[image: diagram of the suggested alternative layout]

I think the OP's idea (first figure) makes sense, as different filtering is needed for adults than for kids. So I think the idea is totally OK; now it just needs the implementation fixed.

The two options I mentioned (Adguard Home and Pi-hole) both allow policies applied to devices and groups of devices. Trying to juggle two separate instances adds complexity.

Ultimately I'd like two separate instances of adblock, but that is not supported currently and would require a lot of scripting to pull in separate sets of rules.
I did look at forking the repo and creating a completely separate adblock instance.

I'm happy to not have any adblock configured on the adults LAN; it is really to block the kids from DoH, VPNs, proxies and social media and to force safe search results, and that works really well.

As my APs don't have VLANs I just want to force DNS to the kids one that will enforce adblock; in time I will replace them, which will overcome this error.

Which is why I believe my suggested approach is both easier to implement and easier to administer.

Same local DNS to everyone, but bespoke content blocking policies enforced upstream from the local DNS. Adults get an "allow everything" policy, kids get a "block this rubbish" policy.

To add to this, AGH is available as an OpenWrt package via opkg, and is capable of providing DHCP, DNS, and content-blocking all in one package.

Full disclosure: my own setup is this:

dnsmasq provides DHCP and local DNS for multiple subnets, and passes upstream queries to...
Adguard Home, which provides content-filtering, and passes upstream queries to...
unbound, so I'm not dependent solely on my ISP's DNS servers.

That is how it works now when connected to the main router via the kids or adults LAN segments.

Just on the APs I have to attach them to one or the other network, which is why I have tried making the DNS span interfaces and separate the ports so I can create ipsets to force specific devices to use a specific DNS.

The splitting of the ports just does not seem to work.

How about this?

Set up a single LAN, with the APs attached as access points, not routers, and DHCP reservations for each device; that way, every AP can be used by every device.

For example, adults get .100 to .150, and kids get .151 to .200. Associated DNS blocking policies can be defined for devices in those ranges.

You could go even wider. For example:

192.168.0.0/23
Adults get 192.168.0.0/23
Kids get 192.168.1.0/23
Both ranges use the same gateway at 192.168.0.1/23 (or .1.254/23)

With RFC 1918 IP addressing, you can mix and match to your heart's content to meet the needs of your environment.

Edit: I just found the flaw in my own suggestion: MAC address randomisation for "privacy". However, that itself might not be a problem: have a content blocking policy for "all other devices", on the assumption that it won't take long for the kids to be "clever" and realise how to exploit a changing MAC address...

I wouldn't even know where to start to accomplish that, and it is making it more complex; it is basically what I have anyway, as I have two pools of IP addresses, one filtered by adblock and one not.

More complex than juggling two instances of dnsmasq successfully? Respectfully, I disagree.

But I am curious. While I think your proposed approach is more complex than it needs to be to achieve your goal of applying blocks on the kids' traffic but not on the adults' traffic, it ought to be possible to achieve with dnsmasq.

So I'm going to fire up some VMs in my lab and see what I can do with dnsmasq x2. I'll tinker with it and report my findings. In the meantime, you or another forum member might successfully arrive at the solution to your problem.

You can detect random MAC addresses; Android and Apple conform to the standard.

RFC 7042 - IANA Considerations and IETF Protocol and Documentation Usage for IEEE 802 Parameters

Random MAC

If you can find and quote relevant RFCs at me, I think you're being modest with your claim that you wouldn't know where to start... :wink:

You've come this far already; you obviously have the chops to get this done.

You can detect random MAC addresses; Android and Apple conform to the standard.

OpenWrt needs patches to support it with wildcards:

Random MAC
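A worked version of the detection mentioned above, as an added example that is not from the thread or from OpenWrt: RFC 7042 / IEEE 802 define the U/L bit as bit 1 of the first octet, and a randomised Android or iOS address sets it (second hex digit of the first octet is 2, 6, A or E). The script classifies DHCP leases by MAC and gives anything unknown, randomised or not, the restrictive policy, which is the "all other devices" fallback suggested earlier. The MAC lists and the lease lines are constructed placeholders; on a router you would feed it /tmp/dhcp.leases.

```sh
#!/bin/sh
# Added example (not from the thread): classify DHCP leases by MAC address,
# treating a randomised (locally administered) MAC as "unknown, apply the
# strict policy". The same U/L bit is also set by VM and container NICs,
# so it flags "not a burned-in address", not "a kid".

# Return 0 if the address is locally administered, 1 if universally
# administered, 2 if the first octet is not two hex digits.
is_locally_administered() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 2 ;;
    esac
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Constructed sample lists; the MACs are placeholders, not real devices.
ADULT_MACS="a4:83:e7:11:22:33"
KIDS_MACS="00:1a:2b:77:88:99"

# Map a MAC to the DNS/filtering policy it should receive.
policy_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case " $ADULT_MACS " in *" $mac "*) echo adults; return 0 ;; esac
    case " $KIDS_MACS "  in *" $mac "*) echo kids;   return 0 ;; esac
    # Anything unknown gets the restrictive policy; say why for the log.
    if is_locally_administered "$mac"; then
        echo kids-random
    else
        echo kids-unknown
    fi
}

# Constructed sample in /tmp/dhcp.leases format: expiry mac ip hostname clientid
SAMPLE_LEASES='1700000000 a4:83:e7:11:22:33 192.168.0.101 dads-laptop *
1700000000 d6:3f:1a:44:55:66 192.168.1.23 android-phone *
1700000000 00:1a:2b:77:88:99 192.168.1.40 kids-tablet *'

# Print "ip mac policy" for each lease; pass the contents of /tmp/dhcp.leases
# as $1 on a router, otherwise the constructed sample is used.
classify_leases() {
    printf '%s\n' "${1:-$SAMPLE_LEASES}" | while read -r expiry mac ip name rest; do
        [ -n "$mac" ] || continue
        printf '%s %s %s\n' "$ip" "$mac" "$(policy_for_mac "$mac")"
    done
}

classify_leases
```

The output of the classification is what you would feed into an ipset or a per-tag DHCP option; the point is that a device you have not explicitly listed as an adult device never ends up on the unfiltered resolver, whichever MAC it shows up with.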

But that's what I'm suggesting: let it go. Your whole idea to separate the networks makes absolute sense, and the idea to use filtered DNS for the kids makes sense, but I think you should follow this road and use a similar setup to the one I showed, i.e. bind dnsmasq to the respective network only.

That way you can set up both DNS and DHCP as you want per network and you don't need port redirection at all: on each network the default port 53 will be there for the clients. This approach furthermore would allow you to set up additional protection like "hijacking" external DNS traffic to your internal DNS server. Also, if you have an adult client you want to filter, it can be forced via a DHCP option to use the kid DNS (for that you obviously need to allow that specific traffic through between the zones).

my 2 cents.

I have had this setup working fine for a long time, but I too found AdGuard Home a bit more comfortable, so @iplaywithtoys's suggestion in this regard is a good one. My AGH listens on all interfaces; I have one dnsmasq instance which acts as a single DHCP server with a per-network lease range and a DHCP option pointing to the respective interface, and in AGH I can set different filtering rules per IP, CIDR range, per MAC, per tag etc.

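A worked version of the per-network binding described in the post above, as an added example that is not the poster's own config: two named dnsmasq instances, each bound to one logical interface with its own lease file and upstream, a DHCP pool tied to each instance, the tag/host pair that forces one adult-network client onto the kids resolver, and the firewall redirect that hijacks stray port-53 traffic on the kids zone back to the router. The interface names adults_lan and kids_lan, the zone name kids_zone, the addresses 192.168.1.1 and 192.168.2.1, the local upstream ports 5053/5054 and the MAC in the host section are assumptions for illustration; adjust them to the real /etc/config/network.

```uci
# /etc/config/dhcp (added example; names, addresses and ports are assumptions)

config dnsmasq 'adults'
	option domain 'lan'
	option local '/lan/'
	option leasefile '/tmp/dhcp.leases.adults'
	list interface 'adults_lan'        # bind only to the adults network
	list notinterface 'loopback'
	list server '127.0.0.1#5053'       # unfiltered upstream, e.g. https-dns-proxy

config dnsmasq 'kids'
	option domain 'kids'
	option local '/kids/'
	option leasefile '/tmp/dhcp.leases.kids'
	list interface 'kids_lan'          # bind only to the kids network
	list notinterface 'loopback'
	list server '127.0.0.1#5054'       # filtered upstream (adblock / AGH) on its own port

config dhcp 'adults_lan'
	option interface 'adults_lan'
	option instance 'adults'           # pool served by the adults instance
	option start '100'
	option limit '50'
	option leasetime '12h'

config dhcp 'kids_lan'
	option interface 'kids_lan'
	option instance 'kids'             # pool served by the kids instance
	option start '100'
	option limit '50'
	option leasetime '12h'

# An adult-network client that should be filtered anyway: hand it the kids
# resolver via DHCP option 6. The kids instance must also be reachable from
# the adults zone on 192.168.2.1:53, which the firewall has to permit.
config tag 'strict'
	list dhcp_option '6,192.168.2.1'

config host
	option name 'teen-laptop'
	option mac 'a4:83:e7:11:22:33'     # placeholder MAC
	option ip '192.168.1.120'
	option tag 'strict'

# /etc/config/firewall (added example): catch kids clients with a hard-coded
# DNS server. Both instances listen on 53 on their own interface, so no
# custom port is needed; without dest_ip the DNAT goes to the router itself.
config redirect
	option name 'Hijack kids DNS'
	option src 'kids_zone'
	option src_dport '53'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'DNAT'
```

This only covers plain port-53 DNS; DoH on 443 is still left to the blocklist on the kids instance, as the OP already does.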

Missed this earlier.

The interface br-kids_lan isn't associated with any device.

Also, option type 'bridge' should be defined for the device, not for the interface. Compare with a default configuration for OpenWrt to see it in practice.
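What the two points above look like in /etc/config/network and /etc/config/wireless, as an added example rather than the OP's config: the bridge is a named device of type 'bridge' with no wired ports, the interface refers to that device by name and carries no 'type' itself, and the kids SSID joins the bridge through the wifi-iface's network option. The address, radio name, SSID and key are placeholders.

```uci
# /etc/config/network (added example; address is an assumption)
config device
	option name 'br-kids_lan'
	option type 'bridge'             # 'type' belongs on the device section
	# no 'list ports': a WiFi-only bridge; AP interfaces are attached by netifd

config interface 'kids_lan'
	option device 'br-kids_lan'      # refer to the device by name, no 'type' here
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/wireless (added example; radio, SSID and key are placeholders)
config wifi-iface 'kids_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'kids_lan'        # joins br-kids_lan via the interface above
	option ssid 'kids'
	option encryption 'psk2'
	option key 'change-me'
```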

I only have 2 eth interfaces, WAN and adults LAN; kids LAN is WiFi only.

This is because I am required to use my provider's 4G router, as it has a tag-locked SIM.
The SIM will only work with a device with an IMEI matching the SIM's pre-stored ID.

Of note: I have rewritten the IMEI number from my provider's router onto my Quectel EP06 modem fitted into my router so I can free my LAN port to use for the kids LAN, but:

I have found the whole 4G support in OpenWrt really sucks: it disconnects, won't reconnect, can't force bands easily etc. It is just easier with the provider's router.

The provider's router seems to have some sort of mechanism or proxy to punch through the CGNAT upstream so port forwards work, and I can't replicate this with my OpenWrt router.

I suspect you may still need to define the bridge, even if you don't allocate any wired ports to it.

By the way, I'm still tinkering. I've got dnsmasq-full, https-dns-proxy and adblock installed, along with your custom /etc/config/ files. Got two working connections for adults and kids in my lab. Next up: prove that splitting dnsmasq in the way you've requested is possible.

It seems like AdGuard Home might suit me better to individualise things; I might give that a whirl.

I did find that adblock blocked too many things on the adults network and broke things like Facebook redirects to websites, and that may be worth me playing with.