Firewall rules for guest wifi and local DNS. Help needed

I just set up guest wifi following the tutorials below and making the proper adjustments along the way to accommodate different subnets, a bridge on lan/wlan and the lack of a WAN connection (ports not used).
First I was struggling a bit with DNS traffic, as none of the tutorials said the settings presented were only good if you use external DNS. Since I tried to use internal DNS I had to set up "dhcp-option" to force a DNS from a different subnet (the main LAN); otherwise guest wifi would get the same DNS as the gateway, 172.20.20.1, and no internet. I think that should be included in the "guestwifi_dumbap" wiki. (OpenWRT wiki admin anyone?)

Anyway, with that out of the picture I finally got internet in guest. The problem now is that guest clients can browse local resources; they can get to the admin portal of the ISP router 192.168.0.1, which of course holds DHCP and DNS for the entire network. With only two rules created for DHCP and DNS all works as described (the first two on the screenshot). When I turn on the 3rd rule "Block-Guest2LAN" to drop forward traffic from guest to lan (the rule being lower than the DHCP and DNS accept rules) all traffic dies. Turns out it won't work if you're trying to use internal DNS or a pihole on the main LAN. Seems rule priority is not working here.

Using different rules from "guestwifi/extras" doesn't seem to do what I want either. With "Allow-Guest-Forward" both internet and the main router admin page are working; "Allow-HTTP/HTTPS-Guest-Forward" is the same as above.
The only thing that's consistent no matter the rules is no OpenWRT admin webpage for dumbAP 192.168.0.2.

With some additional devices and services in mind I'd like to stop traffic from guest to private lan altogether and leave only internet.

Now to the point. How do I configure the firewall to use internal DNS servers? I mean it works with external ones, sure, but that means if I had a pihole locally I wouldn't be able to use it, or I would have to make a separate subnet just for it so it doesn't fall under the "block" rule.

Can anyone help me, please? Thanks.

Delete Allow-Guest-Forward and Allow-HTTP-Guest-Forward or keep them disabled.
Edit Allow-DNS-Guest and use Destination zone lan, Destination Address 192.168.0.1.
The rest is fine.

If you have such a dumbAP with guest, it is more common to separate the traffic with vlans, so the main router handles dhcp, dns, etc.
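The reply above describes the rule set in words; the script below is an added example (not from the thread or the OpenWrt wiki) that emits the same configuration as `uci batch` commands for a dumb AP with a guest SSID. It assumes the guest interface and firewall zone named `guest` already exist with forwarding to the `lan` zone, as in the tutorial the original poster followed; the addresses are taken from the thread (main LAN 192.168.0.0/24, router and DNS at 192.168.0.1) and can be overridden through the two environment variables. The DNS rule is scoped to the single resolver rather than the whole LAN subnet, and the reject rule is emitted last because OpenWrt evaluates firewall rules in config order.

```shell
#!/bin/sh
# Added example: generate a `uci batch` script for a guest SSID on an OpenWrt
# dumb AP that uses the main router as its DNS server.
# Assumed values (from the thread): main LAN 192.168.0.0/24, router/DNS 192.168.0.1.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DNS_SERVER="${DNS_SERVER:-192.168.0.1}"

# Prints the uci commands to stdout; nothing is applied until the output is
# piped into `uci batch` on the access point.
guest_firewall_uci() {
    cat <<EOF
# Hand guest DHCP clients the main router as their resolver (the thread's
# dhcp-option fix); without it they inherit the guest gateway as DNS.
add_list dhcp.guest.dhcp_option='6,${DNS_SERVER}'
# Leases still come from the dumb AP itself: an input rule (no dest zone).
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-Guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
# DNS is forwarded to the one resolver only, not to the whole LAN subnet.
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-Guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.dest='lan'
set firewall.guest_dns.dest_ip='${DNS_SERVER}'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
# Everything else from guest into the private LAN is rejected. This rule is
# emitted after the accepts because rules are evaluated in config order.
set firewall.guest_block=rule
set firewall.guest_block.name='Block-Guest2LAN'
set firewall.guest_block.src='guest'
set firewall.guest_block.dest='lan'
set firewall.guest_block.dest_ip='${LAN_NET}'
set firewall.guest_block.proto='all'
set firewall.guest_block.target='REJECT'
commit dhcp
commit firewall
EOF
}

# Returns 0 when the generated script lists the DNS accept before the LAN
# reject, which is the ordering the firewall depends on.
accept_precedes_reject() {
    out=$(guest_firewall_uci)
    dns_line=$(printf '%s\n' "$out" | grep -n 'Allow-DNS-Guest' | cut -d: -f1)
    block_line=$(printf '%s\n' "$out" | grep -n 'Block-Guest2LAN' | cut -d: -f1)
    [ "$dns_line" -lt "$block_line" ]
}

# Usage on the access point:  sh guest-fw.sh | uci batch && /etc/init.d/firewall restart
# Guest clients then need to renew their lease to pick up the new DNS option.
case "$1" in
    --check) accept_precedes_reject && echo "rule order ok" ;;
    *) guest_firewall_uci ;;
esac
```

Re-running the generated script appends a second `dhcp_option` entry, so remove the old one with `uci del_list` first if the DNS address changes. If the configuration already contains an older Block-Guest2LAN rule placed before the accepts, delete it rather than adding a second one, since the earlier rule would still be matched first.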

That was pretty stupid of me. I previously had lan/192.168.0.0/24 set up for DNS. Didn't think of adding a concrete IP. Instead I removed it completely and switched to this device.

So is this setting working because 192.168.0.1 is the main gateway?
And why didn't it work with 192.168.0.0/24? I would figure it would let any DNS traffic to any recipient through.

Now it's working OK. And no matter what IP I put in dhcp-option, whether internal or external, it works just fine and there are no DNS leaks.
Thanks!

That can also work, but there is no need to open all your subnet to the guests.

No, because it has a dns server :slight_smile:

Most likely something else was wrong there.
