Dnsmasq + AdGuard on multiple VLAN bridges: can DHCP leases for every interface be served from the LAN interface only?

Hello! :wave:

I have followed some instructions from the wiki and configured my OpenWrt device (R-Pi4) for the network so far. Now I want to adjust some settings before I continue with other services (the samba4 server is installed and is running with its default settings).

The current headache for me is adguardhome + dnsmasq. My network is divided into several subnets:

LAN | MGMNT | IOT | GAST | WAN

I have deactivated IPv6 to avoid errors and will deal with it later, once everything else is configured.
Currently everything is working as I would like it to. Well, almost... When I run ss -tulpn, I get the following result (shortened):

ss -tulpn

Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:PortProcess                                 
udp   UNCONN 0      0        192.168.12.3:53         0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=38)) 
udp   UNCONN 0      0           127.0.0.1:53         0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=36)) 
udp   UNCONN 0      0           127.0.0.1:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=14))     
udp   UNCONN 0      0        192.168.12.3:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=12))     
udp   UNCONN 0      0        192.168.13.1:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=10))     
udp   UNCONN 0      0        192.168.22.4:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=8))      
udp   UNCONN 0      0        192.168.99.7:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=6))      
udp   UNCONN 0      0             0.0.0.0:67         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=4))      
udp   UNCONN 0      0                   *:123              *:*    users:(("ntpd",pid=21310,fd=3))        
tcp   LISTEN 0      0        192.168.12.3:53         0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=40)) 
tcp   LISTEN 0      0        192.168.12.3:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=13))     
tcp   LISTEN 0      0        192.168.12.3:8443       0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=31)) 
tcp   LISTEN 0      0        192.168.13.1:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=11))     
tcp   LISTEN 0      0        192.168.12.3:443        0.0.0.0:*    users:(("uhttpd",pid=26052,fd=3))      
tcp   LISTEN 0      0        192.168.22.4:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=9))      
tcp   LISTEN 0      0           127.0.0.1:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=15))     
tcp   LISTEN 0      0           127.0.0.1:53         0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=37)) 
tcp   LISTEN 0      0        192.168.99.7:54         0.0.0.0:*    users:(("dnsmasq",pid=5973,fd=7))      
tcp   LISTEN 0      0        192.168.99.7:443        0.0.0.0:*    users:(("uhttpd",pid=26052,fd=4))      
tcp   LISTEN 0      0        192.168.12.3:8080       0.0.0.0:*    users:(("AdGuardHome",pid=2770,fd=35))

My goal is to run dnsmasq's port "54" only on the LAN interface. If possible, its DHCP daemon should also run only on the LAN interface, and the subnets of the other interfaces (except WAN) should receive their leases from LAN, each with its configured IP range. Is this possible with a single dnsmasq instance? I have not yet been able to get DHCP relay to work...

Could someone tell me whether what I am trying to achieve is possible, or perhaps point out the wrong settings?

Some information from the device:

network

uci export network
package network

# Exported network configuration. Every interface and device carries
# ipv6 '0' (IPv6 deliberately switched off for now).

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option ipv6 '0'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

# br-lan: bridge over VLAN 12 (eth0.12). Its address 192.168.12.3 is where
# AdGuardHome (:53, :8080, :8443), dnsmasq (:54) and uhttpd (:443) bind
# (see the ss output above).
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0.12'

# LAN: 192.168.12.3/24 - the address every DHCP pool hands out as DNS
# (dhcp_option 6) in the dhcp config.
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.12.3'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'
	option device 'br-lan'

# WAN: static 192.168.120.5/28 on eth1, default gateway 192.168.120.1
# (listed as 'fritzbox' in dnsmasq.hosts). The upstream is itself a private
# network, so this device presumably sits behind a second NAT - confirm.
config interface 'wan'
	option proto 'static'
	option gateway '192.168.120.1'
	option delegate '0'
	list ipaddr '192.168.120.5/28'
	option ipv6 '0'
	option device 'eth1'

# Management: 192.168.99.7/27 directly on VLAN 99 (no bridge).
# uhttpd also listens on 192.168.99.7:443 (ss output).
config interface 'mgmnt'
	option proto 'static'
	option delegate '0'
	list ipaddr '192.168.99.7/27'
	option ipv6 '0'
	option device 'eth0.99'

# Guest: 192.168.22.4/25 on br-gast (VLAN 200, see device below).
config interface 'gast'
	option proto 'static'
	option ipaddr '192.168.22.4'
	option netmask '255.255.255.128'
	option ipv6 '0'
	option delegate '0'
	option device 'br-gast'

# IoT: 192.168.13.1/27 on br-iot (VLAN 13).
config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option delegate '0'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.224'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth0.13'
	option macaddr '00:AA:99:FF:12:34'

config device
	option name 'eth1'
	option macaddr '1A:00:7F:FF:FF:99'
	option ipv6 '0'

# 802.1Q sub-interfaces on eth0; several carry a fixed macaddr override.
config device
	option name 'eth0.13'
	option type '8021q'
	option ifname 'eth0'
	option vid '13'
	option macaddr '00:AA:99:FF:f0:13'

config device
	option name 'eth0.99'
	option type '8021q'
	option ifname 'eth0'
	option vid '99'
	option macaddr 'DC:A6:32:FC:f9:97'
	option ipv6 '0'

# VLAN 200 is the port of br-gast (the interface is named 'gast', not 200).
config device
	option name 'eth0.200'
	option type '8021q'
	option ifname 'eth0'
	option vid '200'
	option macaddr '1a:20:0f:20:02:00'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.12'
	option type '8021q'
	option ifname 'eth0'
	option vid '12'
	option macaddr 'DC:A6:32:FC:f1:23'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-gast'
	list ports 'eth0.200'
	option macaddr 'a1:9f:00:7f:20:02'
	option ipv6 '0'

DHCP

uci export dhcp

package dhcp

# LAN pool: offset 100, 150 addresses -> 192.168.12.100-.249 for 24h
# (matches the commented-out dhcp-range in dnsmasq-dhcp.conf).
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '24h'
# Option 6 (DNS) and 3 (router) both point at this device's LAN address;
# on :53 that address is AdGuardHome, not dnsmasq (which is on :54).
list dhcp_option '6,192.168.12.3'
list dhcp_option '3,192.168.12.3'
# Option 119: DNS search list.
list dhcp_option '119,wilddomain.lan'
# Option 42 (NTP): dnsmasq treats 0.0.0.0 as "the address of the dnsmasq host".
list dhcp_option '42,0.0.0.0'
# Option 44 (WINS) with no value - presumably meant to send an empty/cleared
# option; confirm against dnsmasq's handling of valueless dhcp-option entries.
list dhcp_option '44'
# force '1': serve DHCP even if another DHCP server is detected on this segment.
option force '1'

# odhcpd is not the main DHCP server and DHCPv6 is disabled.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option dhcpv6 'disabled'

# Management pool: 192.168.99.10-.29 (inside the /27), 1 day.
# DNS (6) and NTP (42) point at the LAN-side address 192.168.12.3, so
# clients in this zone must be allowed to reach that address - the
# firewall has per-zone DNS rules for udp/tcp 53; NTP see firewall notes.
config dhcp 'mgmnt'
option interface 'mgmnt'
option start '10'
option limit '20'
option leasetime '1d'
list dhcp_option '6,192.168.12.3'
list dhcp_option '42,192.168.12.3'
list dhcp_option '44'

# Guest pool: 192.168.22.44-.118 (inside the /25), 12h. Same cross-zone
# DNS/NTP addresses as mgmnt.
config dhcp 'gast'
option interface 'gast'
option start '44'
option limit '75'
option leasetime '12h'
list dhcp_option '6,192.168.12.3'
list dhcp_option '42,192.168.12.3'
list dhcp_option '44'

# IoT pool: 192.168.13.10-.29 (inside the /27), 12h.
config dhcp 'iot'
option interface 'iot'
option start '10'
option limit '20'
option leasetime '12h'
list dhcp_option '6,192.168.12.3'
list dhcp_option '42,192.168.12.3'
list dhcp_option '44'

# Static lease in the mgmnt range (192.168.99.5 is below the pool start).
# match_tag 'known-othernet' and instance '0': purpose not visible here - verify.
config host
option name 'vigor'
option ip '192.168.99.5'
option leasetime 'infinite'
list match_tag 'known-othernet'
option instance '0'
list mac '00:1D:AA:3F:DB:AF'

# No DHCP on wan.
config dhcp 'wan'
option interface 'wan'
option ignore '1'

# Single dnsmasq instance, listening on port 54 (AdGuardHome owns :53).
config dnsmasq 'dns4lan'
# rebind_protection '0' switches off dnsmasq's DNS-rebind filter, so upstream
# answers that contain private (RFC1918) addresses are handed to clients.
# Safer: set '1' and whitelist only the zones that legitimately resolve to
# local addresses via `list rebind_domain`.
option rebind_protection '0'
# localservice '0' removes --local-service: dnsmasq answers any source address
# that reaches its sockets, not only local subnets. Exposure is limited by
# bind_interfaces and the firewall (wan input DROP), but '1' is the safer default.
option localservice '0'
# Bind one socket per interface address - this is why ss shows :54 on each
# internal address rather than 0.0.0.0:54.
option bind_interfaces '1'
# 'nonwildcart' is a typo for 'nonwildcard'. UCI does not reject unknown
# option names, so this line is silently ignored and the default applies;
# check what that default yields together with bind_interfaces '1'.
option nonwildcart '0'
# Authoritative for wilddomain.lan; never forwarded upstream.
option local '/wilddomain.lan/'
option domain 'wilddomain.lan'
option domainneeded '1'
option expandhosts '1'
option localise_queries '1'
option add_local_fqdn '3'
option fqdn '1'
option readethers '1'
option authoritative '1'
# nohosts '1': /etc/hosts is ignored; only the addnhosts file below is read.
option nohosts '1'
list addnhosts '/etc/dnsmasq.d/dnsmasq.hosts'
option logdhcp '1'
option leasefile '/tmp/dhcp.leases'
# Every client query is written to a tmpfs file with no rotation configured
# here; it records all lookups and grows until reboot - disable once debugging
# is finished.
option logqueries '1'
option logfacility '/tmp/log/querydns.log'
option cachesize '1000'
# Upstream is 192.168.12.3 on the default port, i.e. AdGuardHome on :53 (ss
# output). If AdGuardHome in turn forwards local names to dnsmasq:54, anything
# neither side answers loops; dns-loop-detect in dnsmasq-dhcp.conf guards that.
list server '192.168.12.3'
option port '54'
option confdir '/etc/dnsmasq.d,*.conf'
list notinterface 'wan'
# Listening on all four internal interfaces is what puts :54 on every internal
# address. dnsmasq's DHCP follows the same interface list, so trimming it to
# lan alone also stops DHCP on gast/iot/mgmnt unless requests are relayed to
# the lan address (presumably a `config relay` section - verify in the wiki).
list interface 'gast'
list interface 'iot'
list interface 'lan'
list interface 'mgmnt'

additional DHCP-conf

cat /etc/dnsmasq.d/dnsmasq-dhcp.conf

# Earlier hand-written ranges/options, all commented out; the equivalent
# pools now live in the UCI dhcp config (same address ranges and option 6).
#interface-name=raspi.wilddomain.lan,br-lan/4
#dhcp-range=set:lan,192.168.12.100,192.168.12.249,255.255.255.0,24h
#dhcp-option=lan,6,192.168.12.3
#dhcp-option=lan,3,192.168.12.3
#dhcp-option=lan,42,192.168.12.3
#dhcp-option=lan,119,wilddomain.lan
#domain=mgmnt.wilddomain.lan,192.168.99.7/27,local
#interface-name=mgmnt.wilddomain.lan,eth0.99/4
#dhcp-range=set:mgmnt,192.168.99.10,192.168.99.29,255.255.255.224,1d
#dhcp-option=mgmnt,6,192.168.12.3
#interface-name=br-iot.wilddomain.lan,br-iot
#dhcp-range=set:iot,192.168.13.10,192.168.13.29,255.255.255.224,12h
#dhcp-option=iot,6,192.168.12.3
# eth1 is the wan device; UCI already has `config dhcp 'wan'` with ignore '1',
# so this is belt-and-braces.
no-dhcp-interface=eth1
# These use UCI logical names (lan, mgmnt, ...). Lines in confdir are passed
# to dnsmasq verbatim, and dnsmasq expects kernel interface names (br-lan,
# eth0.99, br-iot, br-gast), so these presumably match nothing - harmless
# while IPv6 is disabled, but verify before relying on them.
no-dhcpv6-interface=lan
no-dhcpv6-interface=mgmnt
no-dhcpv6-interface=iot
no-dhcpv6-interface=gast
# Detects forwarding loops between this dnsmasq (:54) and its upstream
# 192.168.12.3:53 (AdGuardHome), relevant because UCI `list server` points there.
dns-loop-detect

additional DHCP-hosts

cat /etc/dnsmasq.d/dnsmasq.hosts

# Extra hosts loaded via `list addnhosts`; with nohosts '1' this is the only
# hosts file dnsmasq reads. expandhosts '1' appends wilddomain.lan to bare names.
#192.168.12.3 raspi
192.168.13.1 io-gu
192.168.99.7 mgmnt
192.168.22.4 srv4g
# WAN-side entries (upstream router, this device's WAN address) are resolvable
# by every client that reaches dnsmasq, guest and IoT included - intended?
192.168.120.1 fritzbox
192.168.120.5 ns2wan

#192.168.99.7 mgmnt.raspi.wilddomain.lan mgmnt-rter
#192.168.22.4 blackraspi.wilddomain.lan gast
#192.168.120.1 fritzbox.wilddomain.lan frik-box
#192.168.120.5 ns2.wilddomain.lan

#192.168.12.3 raspi router
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

firewall (shortened):

uci export firewall

package firewall

# Default-deny for traffic to the router (input DROP) and between zones
# (forward REJECT); everything below opens specific holes.
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'

# lan is the only zone with full access to the router itself (input ACCEPT).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option family 'ipv4'
list network 'lan'

# mgmnt, gast, iot: router access only via the explicit rules below.
config zone
option name 'mgmnt'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option family 'ipv4'
list network 'mgmnt'

config zone
option name 'gast'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option family 'ipv4'
list network 'gast'

config zone
option name 'iot'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option family 'ipv4'
list network 'iot'

# wan: NAT (masq) outbound, nothing accepted inbound.
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option mtu_fix '1'
option family 'ipv4'
list network 'wan'
option masq '1'

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'mgmnt'
option dest 'wan'

# Input rule (no dest): DHCP from mgmnt clients to the router.
config rule
option name 'ALLOW---DHCP-4-mgmnt'
option family 'ipv4'
list proto 'udp'
option src 'mgmnt'
option dest_port '67 68'
option target 'ACCEPT'

# src '*' + dest 'mgmnt': forwards udp 67/68 from EVERY zone, wan included,
# into mgmnt. The name suggests a DHCP-relay experiment; remove it once the
# relay question is settled rather than leaving a wan->mgmnt hole open.
config rule
option name 'testdhcp'
option family 'ipv4'
list proto 'udp'
option src '*'
option dest 'mgmnt'
option dest_port '67 68'
option target 'ACCEPT'

# No proto given -> OpenWrt default 'tcp udp' applies; port 53 on the router
# is AdGuardHome (dnsmasq is on :54 and not opened here).
config rule
option name 'ALLOW---DNS-4-mgmnt'
option family 'ipv4'
option src 'mgmnt'
option dest_port '53'
option target 'ACCEPT'

# Web UI from mgmnt; uhttpd indeed listens on 192.168.99.7:443 (ss output).
config rule
option name 'ALLOW---HTTP+S-4-mgmnt'
option family 'ipv4'
list proto 'tcp'
option src 'gast'
option dest_port '80 443'
option target 'ACCEPT'

# Drop guest -> private-range (ipset) web traffic before the gast->wan
# forwarding below. Only tcp 80/443 are covered; other ports toward the
# private upstream segment (192.168.120.0/28) are still forwarded.
config rule
list proto 'tcp'
option src 'gast'
option dest '*'
option dest_port '80 443'
option target 'DROP'
option name 'BLOCK---HTTPs-local-4-gast'
option ipset 'IPset-DST_private_IPs'

config forwarding
option src 'gast'
option dest 'wan'

config rule
option name 'ALLOW---DHCP-4-gast'
option family 'ipv4'
list proto 'udp'
option src 'gast'
option dest_port '67 68'
option target 'ACCEPT'

config rule
option name 'ALLOW---DNS-4-gast'
option family 'ipv4'
option src 'gast'
option dest_port '53'
option target 'ACCEPT'

# Redundant with the gast->wan forwarding above (that already allows all
# protocols/ports), kept presumably for explicitness.
config rule
option name 'ALLOW---HTTP+s-4-gast'
option family 'ipv4'
list proto 'tcp'
option src 'gast'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'

# lan may reach guest and iot (one-way; no reverse forwarding).
config forwarding
option src 'lan'
option dest 'gast'

config forwarding
option src 'iot'
option dest 'wan'

# Same pattern as the gast block rule: web only, private destinations only.
config rule
option name 'BLOCK---HTTPs-local-4-iot'
list proto 'tcp'
option src 'iot'
option dest '*'
option dest_port '80 443'
option target 'DROP'
option ipset 'IPset-DST_private_IPs'

config rule
option name 'ALLOW---DHCP-4-iot'
option family 'ipv4'
list proto 'udp'
option src 'iot'
option dest_port '67 68'
option target 'ACCEPT'

config rule
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
option name 'ALLOW---DNS-4-iot'
option family 'ipv4'

config rule
option name 'FWD---HTTPs-4-iot'
option family 'ipv4'
list proto 'tcp'
option src 'iot'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'

config forwarding
option src 'lan'
option dest 'iot'

# Destination-network set of private ranges loaded from a file; used by the
# two BLOCK rules above.
config ipset
option name 'IPset-DST_private_IPs'
option family 'ipv4'
option loadfile '/etc/customized-settings/IPsets/IPset_192-168-_private-IPs.txt'
option counters '1'
list match 'dest_net'

# Has both src and dest, so fw3/fw4 place it in the forward chain; packets
# addressed to the router's own 192.168.12.3 take the input chain and are
# presumably never matched by it - verify. Without `dest 'lan'` it would be an
# input rule. src_port '123' additionally excludes NTP clients that send from
# an ephemeral source port. As things stand, mgmnt/gast/iot clients pointed at
# 192.168.12.3 by dhcp option 42 hit those zones' input DROP.
config rule
option name 'ALLOW--NTP-4-locals'
option family 'ipv4'
list proto 'udp'
option src '*'
option src_port '123'
option dest 'lan'
list dest_ip '192.168.12.3'
option dest_port '123'
option target 'ACCEPT'
list src_ip '192.168.12.0/24'
list src_ip '192.168.13.0/27'
list src_ip '192.168.22.0/25'
list src_ip '192.168.99.7/27'

Thank you in advance :slightly_smiling_face: