EAP245 v3 dumb AP with two guest networks: configuration check

Hi,
I have configured this AP that I plan to install in an apartment in our house.
It is a PoE AP with a second gigabit ethernet port.
It shall expand the existing private wifi as well as the guest wifi (dumb AP).
In addition to that it shall provide a separate wifi for the guests visiting the apartment.
The second LAN port on the device is accessible only from within the apartment, therefore it is
in the same "bridge" as the apartment wifi.
I have also enabled WLAN roaming as there will be another AP in the house.

As far as I tested, the setup is working OK.
Could someone please check/review the settings and share what I should improve?
Thanks in advance!

Here is the configuration:

{
	"kernel": "5.10.176",
	"hostname": "AP-2",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link EAP245 v3",
	"board_name": "tplink,eap245-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
package network

# Review notes (network): three IPv4 interfaces live on this AP - lan
# (192.168.158.18/24, default gateway 192.168.158.1), gast (192.168.178.10/24)
# and mieter (10.10.10.10/24). gast and mieter are terminated on the AP itself,
# so the firewall on this device is what separates them from the private LAN.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# A ULA prefix is defined, but IPv6 is switched off on all three bridges below.
	option ula_prefix 'fd33:4d76:adcc::/48'

# Private LAN bridge; its only wired member is VLAN 1 on the switch (eth0.1).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

# Management/private address of the AP. The default route points at 192.168.158.1.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	# No IPv6 upstream interface is defined in this config, so ip6assign is
	# presumably a leftover default with nothing to delegate from.
	option ip6assign '60'
	option ipaddr '192.168.158.18'
	option gateway '192.168.158.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: port 0 tagged plus port 2 untagged; reaches the system as eth0.1 (br-lan).
# Presumably port 0 is the CPU port and port 2 the PoE uplink - verify the
# port mapping on the device (e.g. `swconfig dev switch0 show`).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2'

# Guest network. br-gast has no 'list ports' and bridge_empty '1', so only the
# wifi interfaces bound to network 'gast' join it; guest traffic can leave only
# by being routed through this AP.
# NOTE(review): the post says this AP should extend an existing guest wifi.
# With no wired member in br-gast, guests here sit on an AP-local subnet rather
# than being bridged to an existing guest network - confirm that is intended.
# NOTE(review): if the main router can carry a guest VLAN to this AP, bridging
# that VLAN here would keep guest traffic off the private LAN altogether
# instead of routing it across 192.168.158.0/24 - TODO confirm feasibility.
config interface 'gast'
	option proto 'static'
	option device 'br-gast'
	list ipaddr '192.168.178.10/24'

config device
	option type 'bridge'
	option name 'br-gast'
	option bridge_empty '1'
	option mtu '1500'
	option ipv6 '0'

# VLAN 2: port 0 tagged plus port 5 untagged; reaches the system as eth0.2 (br-mieter).
# Presumably port 5 is the second LAN port described in the post - verify.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# Apartment ("mieter") network: wifi interfaces bound to 'mieter' plus eth0.2.
# Anything plugged into the port behind eth0.2 joins this network without any
# authentication, so it gets the same firewall policy as the apartment wifi.
config interface 'mieter'
	option proto 'static'
	option device 'br-mieter'
	# Redundant for a /24: the kernel derives the same broadcast address
	# (the 'ip addr' output on this page shows brd set on br-gast without this option).
	option broadcast '10.10.10.255'
	list ipaddr '10.10.10.10/24'

config device
	option type 'bridge'
	option name 'br-mieter'
	list ports 'eth0.2'
	option ipv6 '0'

package wireless

# Review notes (private SSID): both radios broadcast 'privateSSID' bridged into
# network 'lan', using WPA2-PSK ('psk2') with 802.11r fast transition.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel 'auto'
	option cell_density '0'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'privateSSID'
	# Presumably a placeholder for the post. WPA2-PSK handshakes can be guessed
	# offline once captured, so the real key should be long and random.
	option key 'privatepwd'
	# Management frame protection is explicitly disabled here; the 2.4 GHz
	# interface below does not set the option at all.
	# NOTE(review): with MFP off, deauthentication/disassociation frames are not
	# authenticated. Consider ieee80211w '1' (optional) after checking client
	# compatibility, and set it the same way on both radios.
	option ieee80211w '0'
	# NOTE(review): 'sae-mixed' would offer WPA3 to capable clients, but
	# ft_psk_generate_local below is a PSK-only shortcut, so roaming for SAE
	# clients would need explicit 802.11r key-holder settings - verify before switching.
	option encryption 'psk2'
	option network 'lan'
	# 802.11r over the air (ft_over_ds '0') with locally derived FT keys.
	# No mobility_domain is set, so the derived default is used; the other AP
	# needs the same SSID, key and mobility domain - verify on both devices.
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT40'
	option channel 'auto'
	option country 'DE'
	option cell_density '0'

# Same SSID/key as default_radio0, but without an ieee80211w line.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'privateSSID'
	option encryption 'psk2'
	option key 'privatepwd'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

# Guest SSID on both radios, attached to network 'gast' (br-gast).
# NOTE(review): neither interface sets 'option isolate', so guest clients can
# reach each other through the AP. For a guest network consider
# option isolate '1' on both interfaces. Isolation is applied per wifi
# interface; traffic between the 5 GHz and 2.4 GHz guest interfaces still
# crosses br-gast - verify whether that path needs blocking as well.
# NOTE(review): 802.11r is only useful here if the other AP offers the same
# guest SSID/key on the same layer-2 network; br-gast has no wired member in
# the network config, so confirm how guest roaming is meant to work.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guestSSID'
	option encryption 'psk2'
	option key 'guestpwd'
	option network 'gast'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guestSSID'
	option encryption 'psk2'
	option key 'guestpwd'
	option network 'gast'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

# Apartment SSID on both radios, attached to network 'mieter' (br-mieter,
# which also contains eth0.2). It uses its own key, separate from the private
# and guest SSIDs, and has no 802.11r options.
# No 'option isolate' is set, so apartment devices can talk to each other;
# presumably that is wanted for a tenant network - confirm.
config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'apartSSID'
	option encryption 'psk2'
	option network 'mieter'
	option key 'apartpwd'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'apartSSID'
	option encryption 'psk2'
	option key 'apartpwd'
	option network 'mieter'

package dhcp

# Review notes (dhcp/dns): dnsmasq on this AP serves DHCP for 'gast' and
# 'mieter' only ('lan' and 'wan' are ignored) and forwards DNS to two servers
# on the private LAN.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# This file is empty in the listing on this page; upstream servers come
	# from the 'list server' entries below instead.
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	# NOTE(review): DNS rebinding protection is switched off, so upstream
	# answers that contain private addresses are passed on to clients.
	# If it was disabled only so that a local resolver may return LAN
	# addresses, consider re-enabling it and listing the affected domains
	# with 'list rebind_domain' instead.
	option rebind_protection '0'
	# Upstream resolvers on the private LAN. Queries to them originate from the
	# AP itself, so they are not affected by the rule that stops guests from
	# forwarding into 192.168.158.0/24.
	list server '192.168.158.7'
	list server '192.168.158.1'

# ignore '1': no DHCP is served on the private LAN from this AP, which makes
# the remaining options in this section moot.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

# Refers to an interface 'wan' that the network config on this page does not
# define; presumably left over from the default configuration.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest pool: 150 addresses starting at host offset 100, 6 h leases.
# No dhcp_option is set, so clients presumably receive the AP's address as
# router and DNS server (the firewall allows port 53 from the gast zone).
config dhcp 'gast'
	option interface 'gast'
	option start '100'
	option limit '150'
	option leasetime '6h'

# Apartment pool: same range layout, 12 h leases.
config dhcp 'mieter'
	option interface 'mieter'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

# Review notes (firewall, zones): 'lan' is fully trusted, 'wan' has no
# matching interface on this device, and the guest zone is defined further down.

# Default policies cover traffic that is not matched by any zone.
# NOTE(review): input 'ACCEPT' means an interface that is later added without
# a zone would reach the AP's services unfiltered. All three interfaces are
# zoned today; consider input 'REJECT' here as a safety net.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# masq '1' source-NATs everything that leaves through 'lan'. Together with the
# gast -> lan forwarding below in this file, guest and apartment clients reach
# the internet via 192.168.158.1 while appearing as 192.168.158.18.
# NOTE(review): the main router therefore cannot tell guest/apartment traffic
# from the AP's own traffic, so it cannot apply a separate policy; the rules on
# this AP are the only barrier between those networks and the private LAN.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# The network config on this page defines neither 'wan' nor 'wan6', so this
# zone and the lan -> wan forwarding presumably match no interface.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Every rule in this run has src 'wan'. The network config on this page
# defines no 'wan' or 'wan6' interface, so presumably none of these rules
# match any traffic on this AP.
# NOTE(review): they are harmless, but removing them (together with the unused
# wan zone) would make the ruleset shorter and easier to audit.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two forward rules target the private LAN zone; they only stay inert
# for as long as no interface is ever assigned to the 'wan' zone.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: contains both the guest ('gast') and apartment ('mieter')
# networks. input 'REJECT' blocks access to the AP itself except for the DHCP
# and DNS rules below; forward 'REJECT' also applies between the two member
# networks, so guest and apartment clients cannot route to each other.
# NOTE(review): family 'ipv4' limits the zone to IPv4. IPv6 from these
# interfaces would presumably fall through to the default input policy
# (ACCEPT), so this design depends on 'option ipv6 0' staying set on br-gast
# and br-mieter. The 'ip addr' output on this page shows no IPv6 addresses;
# dropping the family restriction would remove that dependency.
config zone
	option name 'gast'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'
	list network 'gast'
	list network 'mieter'

# Lets both networks route out through the private LAN (masqueraded by the
# lan zone). The DROP rule further down is what keeps them out of
# 192.168.158.0/24 itself.
config forwarding
	option src 'gast'
	option dest 'lan'

# Input rule (no dest): DHCP requests to the AP.
config rule
	option name 'gast DHCP'
	option family 'ipv4'
	list proto 'udp'
	option src 'gast'
	option dest_port '67-68'
	option target 'ACCEPT'

# Input rule (no dest, no proto): DNS queries to dnsmasq on the AP.
config rule
	option name 'gast DNS'
	option family 'ipv4'
	option src 'gast'
	option dest_port '53'
	option target 'ACCEPT'

# Forward rule: drops everything from the guest zone addressed to the private
# subnet, including the main router's own address 192.168.158.1. Traffic to
# the AP's own 192.168.158.18 is input rather than forward and is handled by
# the zone's input 'REJECT'.
# NOTE(review): this relies on rules being evaluated before the gast -> lan
# forwarding; verify with a test from a guest client. Only this one /24 is
# covered - if other private ranges exist behind 192.168.158.1 (for example a
# modem management network), guests can still reach them. Consider also
# dropping the remaining RFC 1918 ranges that are not needed.
config rule
	option name 'Gast Block ins private Netz'
	option src 'gast'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.158.0/24'

# Input rule: drops HTTP and SSH to the AP from the guest zone. The zone's
# input 'REJECT' already covers these ports and every other one (including
# 443), so this rule only changes the response from reject to silent drop.
# NOTE(review): as defence in depth, the admin services could additionally be
# bound to the lan interface only (dropbear has an 'Interface' option; check
# the uhttpd listen addresses) so they do not depend on the firewall alone.
config rule
	option name 'Gast block AP-Config GUI+SSH'
	option src 'gast'
	option dest_port '80 22'
	option target 'DROP'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-gast: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.10/24 brd 192.168.178.255 scope global br-gast
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.158.18/24 brd 192.168.158.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: br-mieter: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.10.10.10/24 brd 10.10.10.255 scope global br-mieter
       valid_lft forever preferred_lft forever
default via 192.168.158.1 dev br-lan 
10.10.10.0/24 dev br-mieter scope link  src 10.10.10.10 
192.168.158.0/24 dev br-lan scope link  src 192.168.158.18 
192.168.178.0/24 dev br-gast scope link  src 192.168.178.10 
broadcast 10.10.10.0 dev br-mieter table local scope link  src 10.10.10.10 
local 10.10.10.10 dev br-mieter table local scope host  src 10.10.10.10 
broadcast 10.10.10.255 dev br-mieter table local scope link  src 10.10.10.10 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.158.0 dev br-lan table local scope link  src 192.168.158.18 
local 192.168.158.18 dev br-lan table local scope host  src 192.168.158.18 
broadcast 192.168.158.255 dev br-lan table local scope link  src 192.168.158.18 
broadcast 192.168.178.0 dev br-gast table local scope link  src 192.168.178.10 
local 192.168.178.10 dev br-gast table local scope host  src 192.168.178.10 
broadcast 192.168.178.255 dev br-gast table local scope link  src 192.168.178.10 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Apr 27 22:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Sep 21 15:17 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Sep 21 15:09 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Sep 21 15:09 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==