Firewall config with guest network not connecting to upstream

Hey everyone,
I am kinda ashamed asking here, but I'm stuck and have been for the last hours. Let me explain my network situation:

I've got a router (192.168.1.1) connected to my OpenWrt "controller" (ServerWrt), creating 2 networks: lan and iot. Both are working as expected. Now, I want to add a 3rd one: guest. I tried more or less copying the config from the iot network, but it still isn't working.

Not working = devices can connect to the ServerWrt from the guest network, but cannot reach the internet or the upstream router (192.168.1.1). I'd really appreciate your help!

/etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.190'
        option device 'br-wan'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'

config interface 'home'
        option proto 'static'
        option device 'pve1.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'iot'
        option proto 'static'
        option device 'pve1.111'
        option ipaddr '192.168.111.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config route
        option interface 'home'
        option target '192.168.100.0/24'
        option gateway '192.168.1.190'
        option disabled '1'

config device
        option type '8021q'
        option ifname 'pve1'
        option vid '100'
        option name 'pve1.100'

config device
        option type '8021q'
        option ifname 'pve1'
        option vid '111'
        option name 'pve1.111'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'NOPE'
        list addresses '10.10.10.1/24'
        option listen_port '51820'

config interface 'guest'
        option proto 'static'
        option device 'pve1.120'
        option ipaddr '192.168.120.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config device
        option type '8021q'
        option ifname 'pve1'
        option vid '120'
        option name 'pve1.120'


config route
    option interface 'guest'
    option target '0.0.0.0/0'
    option gateway '192.168.1.1'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'home'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'br-wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'iot'

config forwarding
        option src 'lan'
        option dest 'iot'

config rule
        option name 'Allow iot'
        option src 'iot'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'Allow all from this to iot'
        list proto 'all'
        option dest 'iot'
        option target 'ACCEPT'

config rule
        option src 'iot'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '192.168.1.0/24'
        option name 'iot auf privat verbieten'
        list proto 'all'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option name 'Allow mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config nat
        option name 'Allow HomeAssistant'
        list proto 'all'
        option src 'lan'
        option src_ip '192.168.1.190'
        option target 'SNAT'
        option snat_ip '192.168.100.1'
        option enabled '0'

config redirect
        option dest 'iot'
        option target 'DNAT'
        option name '4702'
        option src 'wan'
        option dest_ip '192.168.111.168'
        option src_dport '4702'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '4702'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '30730'
        option src 'wan'
        option src_dport '30730'
        option dest_ip '192.168.111.52'
        option dest_port '30730'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option name 'Wiregard'
        list proto 'udp'
        option dest 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        option src 'lan'

config forwarding
        option src 'wg'
        option dest 'iot'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'wan'

config rule
        option name 'Allow wireguard to any'
        list proto 'all'
        option src 'wg'
        option dest '*'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'wg'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow guest'
        list proto 'all'
        option src 'guest'
        option target 'ACCEPT'

config rule
        option name 'Allow all from this to guest'
        list proto 'all'
        option dest 'guest'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'guest'

config forwarding
        option src 'wg'
        option dest 'guest'

config rule
        option name 'Allof from guest to FB'
        option src 'guest'
        list dest_ip '192.168.1.1'
        option target 'ACCEPT'
        list proto 'all'
        option dest 'wan'
        option enabled '0'

Thanks for the help again!

This is incorrect, you told your router that the IPv4 Internet (0.0.0.0/0) is on the Guest interface (incorrect) and the gateway is 192.168.1.1 (which is not on the Guest interface).

Likewise:

1.190 isn't on the home interface.

Likewise:

Remove this from:

• IoT
• Guest

It is up to you to map proxmox vlans to ports.

No, that is indeed correct, as it is working. Both home and iot are working and have been for months. This is because all traffic has to go thorugh the 192.168.1.1 to get into the internet

That has nothing to do with that, as I am working with VLANs, so this is irrelevant. As you can see here, VLANs don't play a role on proxmox.

image1058×108 13.2 KB

If you insist.

Those configs don't accomplish that. I'm not sure why you believe a network can have a gateway config that's not on the same subnet - but in any case it's incorrect.