EAP225 Outdoor v1 dumb AP setup with guest wifi

After clarifying the setup of the first AP, here is the second device.
Hardware-wise this is a PoE device with only one Ethernet port, aka a single-port device.

The AP is working, but I can't remember how I managed to set it up like this. :innocent:
It is running the latest software 23.05.0-RC3.
It is set up as a dumb AP but there is a setting that can't be found in the how-tos.
The guest wifi will not work if the setup is done only according to the guide.

I would like to learn what is different and why.
My guess is that the misconfiguration is due to the missing wan interface - but I might be wrong.
That's the reason for this thread.

The problem with the guest wifi is as follows:
If a client connects to the guest wifi it will obtain a correct IP in the guest IP range,
but it will not have an internet connection.
It seems the DNS can't be reached. So there must be a routing issue.

Here are the zone settings:


They are the same as on the other AP, but this device has different hardware.
No switch, no wan zone.

Here are the firewall settings:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'gast'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option family 'ipv4'
        list network 'GAST'

config rule
        option name 'Gast DHCP'
        option src 'gast'
        option dest_port '67 68'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule
        option name 'Gast DNS'
        option src 'gast'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '53'

config rule
        option src 'gast'
        option dest 'lan'
        list dest_ip '192.168.158.0/24'
        option target 'DROP'
        option family 'ipv4'
        option name 'Gast block nach Privat'
        list proto 'all'

config rule
        option family 'ipv4'
        option src 'gast'
        option target 'DROP'
        option name 'Gast block AP-Config GUI+SSH'
        option dest_port '80 22'

config forwarding
        option src 'gast'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'gast'

Traffic rules to allow DHCP and DNS traffic are in place.

Once the below route is added to the network config, the issue is solved.
Due to my lacking knowledge I can't judge if this is a good and secure solution.

config route 'net'
        option interface 'lan'
        option target '0.0.0.0/0'
        option netmask '255.255.255.0'
        option gateway '192.168.158.1'

Q1: Is this static route the only configuration option? Why?
Q2: Can the routing be done with zone configuration like on the other AP?

I wonder why there is little information on this matter. I searched the net before posting, but to no avail.

This is not needed; remove it.

Most likely you didn't add a gateway in the lan interface; post the output of uci export network.

Can you explain a bit more in detail why it is not needed?

No, the gateway is specified.
I forgot to mention, that the private wifi (via the bridge to lan) is working without issues.
Here is the full network config:
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.158.15'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option peerdns '0'
        option dhcpv6 'disabled'
        option ipv6 '0'
        list dns '192.168.158.7'
        option gateway '192.168.158.1'

config route 'net'
        option interface 'lan'
        option target '0.0.0.0/0'
        option netmask '255.255.255.0'
        option gateway '192.168.158.1'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'wlan0-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-GAST'
        option bridge_empty '1'
        option ipv6 '0'

config interface 'GAST'
        option proto 'static'
        option delegate '0'
        list ipaddr '192.168.178.15/24'
        option force_link '0'
        option device 'br-GAST'

Because there is no use in lan users initiating traffic towards the guest segment.

Can you remove the static route and post the following:

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Remember to redact passwords, MAC addresses and any public IP addresses you may have

OK, here you go.
While redacting, I think I saw some unused entries.
I can't find this setting in the LuCI for example.

config dhcp 'glan'
        option interface 'glan'
        option ignore '1'
        list ra_flags 'none'

> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.15.127",
        "hostname": "AP2 redacted",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link EAP225-Outdoor v1",
        "board_name": "tplink,eap225-outdoor-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0-rc3",
                "revision": "r23389-5deed175a5",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.158.15'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option peerdns '0'
        option dhcpv6 'disabled'
        option ipv6 '0'
        list dns '192.168.158.7'
        option gateway '192.168.158.1'

config route 'net'
        option interface 'lan'
        option target '0.0.0.0/0'
        option netmask '255.255.255.0'
        option gateway '192.168.158.1'
        option disabled '1'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'wlan0-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-GAST'
        option bridge_empty '1'
        option ipv6 '0'

config interface 'GAST'
        option proto 'static'
        option delegate '0'
        list ipaddr '192.168.178.15/24'
        option force_link '0'
        option device 'br-GAST'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option htmode 'VHT80'
        option channel 'auto'
        option country 'DE'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option country 'DE'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'private SSID'
        option encryption 'psk2'
        option key removed by me

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'private SSID'
        option encryption 'psk2'
        option key removed by me
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest SSID'
        option encryption 'psk2'
        option key removed by me
        option network 'GAST1 GAST'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest SSID'
        option encryption 'psk2'
        option key removed by me
        option network 'GAST1 GAST'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.158.7'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'glan'
        option interface 'glan'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'gast'
        option interface 'gast'
        option start '100'
        option leasetime '6h'
        option limit '20'
        list ra_flags 'none'

config dhcp 'GAST1'
        option interface 'GAST1'
        option start '100'
        option limit '25'
        option leasetime '6h'
        list ra_flags 'none'

config dhcp 'GAST'
        option interface 'GAST'
        option start '100'
        option limit '25'
        option leasetime '6h'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'gast'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option family 'ipv4'
        list network 'GAST'

config rule
        option name 'Gast DHCP'
        option src 'gast'
        option dest_port '67 68'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule
        option name 'Gast DNS'
        option src 'gast'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '53'

config rule
        option src 'gast'
        option dest 'lan'
        list dest_ip '192.168.158.0/24'
        option target 'DROP'
        option family 'ipv4'
        option name 'Gast block nach Privat'
        list proto 'all'

config rule
        option family 'ipv4'
        option src 'gast'
        option target 'DROP'
        option name 'Gast block AP-Config GUI+SSH'
        option dest_port '80 22'

config forwarding
        option src 'gast'
        option dest 'lan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.158.15/24 brd 192.168.158.255 scope global br-lan
       valid_lft forever preferred_lft forever
32: br-GAST: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.15/24 brd 192.168.178.255 scope global br-GAST
       valid_lft forever preferred_lft forever
192.168.158.0/24 dev br-lan scope link  src 192.168.158.15
192.168.178.0/24 dev br-GAST scope link  src 192.168.178.15
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.158.15 dev br-lan table local scope host  src 192.168.158.15
broadcast 192.168.158.255 dev br-lan table local scope link  src 192.168.158.15
local 192.168.178.15 dev br-GAST table local scope host  src 192.168.178.15
broadcast 192.168.178.255 dev br-GAST table local scope link  src 192.168.178.15
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Aug 19 16:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Sep 14 11:47 /tmp/resolv.conf
-rw-r--r--    1 root     root            41 Sep 10 10:15 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            41 Sep 10 10:15 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.158.7

Remove GAST1.

Remove these.

Other than that, the gateway is not applied on the lan interface. lan clients work because they get their settings directly from the main router's DHCP. Given that you are on the RC3 version of 23.05, I would first suggest trying the DHCP protocol and cleaning up the following; otherwise roll back to a stable release.

Especially the last one should be in DHCP, not under interface.
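A small checker for the two findings in the reply above: leftover dhcp/wireless sections that point at interfaces the network config never defines, and a lan gateway that is set in UCI but absent from the kernel routing table, which the static default route only papered over. This is an added example, not code from the thread or from OpenWrt; the sample UCI text and route lines are constructed from the posted output, and parse_uci is a minimal hypothetical parser, not the uci tool itself.

```python
"""Sanity checks for a dumb-AP UCI dump: dangling interface references, a gateway
configured in UCI but absent from the kernel routing table, and a static default
route that only duplicates the interface gateway."""
import re

# Constructed sample, condensed from the `uci export` output posted in the thread.
SAMPLE_UCI = """\
package network
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.158.15'
        option gateway '192.168.158.1'
config route 'net'
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.158.1'
config interface 'GAST'
        option device 'br-GAST'
        list ipaddr '192.168.178.15/24'
package wireless
config wifi-iface 'wifinet3'
        option mode 'ap'
        option network 'GAST1 GAST'
package dhcp
config dhcp 'lan'
        option interface 'lan'
config dhcp 'wan'
        option interface 'wan'
config dhcp 'glan'
        option interface 'glan'
config dhcp 'GAST'
        option interface 'GAST'
"""
# Main-table lines of `ip -4 ro li tab all` as posted before and after the fix.
ROUTES_BEFORE = """\
192.168.158.0/24 dev br-lan scope link  src 192.168.158.15
192.168.178.0/24 dev br-GAST scope link  src 192.168.178.15
"""
ROUTES_AFTER = "default via 192.168.158.1 dev br-lan\n" + ROUTES_BEFORE


def parse_uci(text):
    """Parse `uci export` output into sections of the form
    {"package", "type", "name", "opts": {key: [values]}}; list values accumulate."""
    sections, package, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("package "):
            package = line.split(None, 1)[1]
        elif line.startswith("config "):
            parts = line.split(None, 2)
            name = parts[2].strip("'") if len(parts) > 2 else None
            cur = {"package": package, "type": parts[1], "name": name, "opts": {}}
            sections.append(cur)
        elif line.startswith(("option ", "list ")) and cur is not None:
            key, _, val = line.split(None, 1)[1].partition(" ")
            cur["opts"].setdefault(key, []).append(val.strip().strip("'"))
    return sections

def _opt(sec, key):
    vals = sec["opts"].get(key)
    return vals[0] if vals else None

def _network(sections, typ):
    return [s for s in sections if s["package"] == "network" and s["type"] == typ]

def dangling_interface_refs(sections):
    """Interface names used by dhcp/wireless sections that no network interface
    defines: the leftover 'glan'/'gast'/'GAST1' sections from the thread. The stock
    dhcp 'wan' section is flagged too; it is harmless on a dumb AP."""
    defined = {s["name"] for s in _network(sections, "interface")}
    refs = set()
    for s in sections:
        if s["package"] == "dhcp" and s["type"] == "dhcp" and _opt(s, "interface"):
            refs.add(_opt(s, "interface"))
        if s["package"] == "wireless" and s["type"] == "wifi-iface":
            refs.update((_opt(s, "network") or "").split())
    return sorted(refs - defined)

def missing_default_routes(sections, ip_route_output):
    """(interface, gateway) pairs whose UCI gateway has no 'default via' entry in
    the kernel table: the condition behind the guest wifi having no uplink."""
    kernel_gws = set(re.findall(r"^default via (\S+)", ip_route_output, re.M))
    return [(s["name"], _opt(s, "gateway")) for s in _network(sections, "interface")
            if _opt(s, "gateway") and _opt(s, "gateway") not in kernel_gws]

def redundant_default_routes(sections):
    """Static routes to 0.0.0.0/0 whose gateway equals the one already set on
    their interface; such a route masks the real problem instead of fixing it."""
    iface_gw = {s["name"]: _opt(s, "gateway") for s in _network(sections, "interface")}
    return [s["name"] for s in _network(sections, "route")
            if _opt(s, "target") in ("0.0.0.0/0", "0.0.0.0") and _opt(s, "gateway")
            and _opt(s, "gateway") == iface_gw.get(_opt(s, "interface"))]

if __name__ == "__main__":
    secs = parse_uci(SAMPLE_UCI)
    print("dangling refs:", dangling_interface_refs(secs))
    print("gateway missing before fix:", missing_default_routes(secs, ROUTES_BEFORE))
    print("gateway missing after fix:", missing_default_routes(secs, ROUTES_AFTER))
    print("redundant static routes:", redundant_default_routes(secs))
```

On a live device the same checks can be fed from `uci export` and `ip -4 ro li tab all` output; a non-empty result from missing_default_routes is the condition to fix at the interface, not with an extra static route.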

Very well!
I adapted the settings as per your instructions and now it works as expected - without the static route. :partying_face:
Really impressive how you guys can see through this config mess. :man_mage:
I suppose configuration via LuCI can lead to such artifacts since I never configured anything via console.

This is the new config after a reboot.

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.158.15'
        option netmask '255.255.255.0'
        option ipv6 '0'
        list dns '192.168.158.7'
        option gateway '192.168.158.1'

config route 'net'
        option interface 'lan'
        option target '0.0.0.0/0'
        option netmask '255.255.255.0'
        option gateway '192.168.158.1'
        option disabled '1'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'wlan0-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-GAST'
        option bridge_empty '1'
        option ipv6 '0'

config interface 'GAST'
        option proto 'static'
        option delegate '0'
        list ipaddr '192.168.178.15/24'
        option force_link '0'
        option device 'br-GAST'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option htmode 'VHT80'
        option channel 'auto'
        option country 'DE'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option country 'DE'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'private SSID'
        option encryption 'psk2'
        option key redacted

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'private SSID'
        option encryption 'psk2'
        option key redacted
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest SSID'
        option encryption 'psk2'
        option key redacted
        option network 'GAST'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest SSID'
        option encryption 'psk2'
        option key redacted
        option network 'GAST'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.158.7'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'glan'
        option interface 'glan'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'GAST'
        option interface 'GAST'
        option start '100'
        option limit '25'
        option leasetime '6h'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'gast'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option family 'ipv4'
        list network 'GAST'

config rule
        option name 'Gast DHCP'
        option src 'gast'
        option dest_port '67 68'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config rule
        option name 'Gast DNS'
        option src 'gast'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '53'

config rule
        option src 'gast'
        option dest 'lan'
        list dest_ip '192.168.158.0/24'
        option target 'DROP'
        option family 'ipv4'
        option name 'Gast block nach Privat'
        list proto 'all'

config rule
        option family 'ipv4'
        option src 'gast'
        option target 'DROP'
        option name 'Gast block AP-Config GUI+SSH'
        option dest_port '80 22'

config forwarding
        option src 'gast'
        option dest 'lan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-GAST: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.15/24 brd 192.168.178.255 scope global br-GAST
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.158.15/24 brd 192.168.158.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.158.1 dev br-lan
192.168.158.0/24 dev br-lan scope link  src 192.168.158.15
192.168.178.0/24 dev br-GAST scope link  src 192.168.178.15
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.158.15 dev br-lan table local scope host  src 192.168.158.15
broadcast 192.168.158.255 dev br-lan table local scope link  src 192.168.158.15
local 192.168.178.15 dev br-GAST table local scope host  src 192.168.178.15
broadcast 192.168.178.255 dev br-GAST table local scope link  src 192.168.178.15
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Aug 19 16:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Sep 14 22:17 /tmp/resolv.conf
-rw-r--r--    1 root     root            41 Sep 14 22:14 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            41 Sep 14 22:14 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.158.7

Can you confirm that this section can also be removed?

config dhcp 'glan'
        option interface 'glan'
        option ignore '1'
        list ra_flags 'none'

Thank you for your support!

It shouldn't; that's why it's not a good idea to install Release Candidates if you are not testing.

Sure.

Anytime!

Is this some sort of default setting or can it be deleted also?

It's default and you should leave it.