Firewall: define DMZ on router not connected directly to internet

Hi all,

I have the following configuration:
Internet <-> Router1 <-> Router2

Router2 config has "lan", connected to router1, and "dmz", connected to eth1. I'm trying to get "dmz" to only be able to talk to the internet, not to "lan".

Attached is my firewall config file. I'm a bit at a loss on how to define this. Somewhere along my attempts, I've also screwed up the ability to DHCP on eth1, and I have no idea how.

This is my /etc/config/firewall file:


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'dmz'
        list device 'eth1'
        option network 'DMZ'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list subnet '0.0.0.0/0'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'dmz'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'dmz'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'dmz'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'dmz'
        list dest_ip 'fc00::/6'
        list src_ip 'fc00::/6'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'
        option src 'dmz'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option src 'dmz'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        option src 'dmz'

config rule
        option name 'Allow-IPSec-ESP'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option src 'dmz'

config rule
        option name 'Allow-ISAKMP'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'dmz'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'dmz'

config forwarding
        option dest 'dmz'
        option src 'lan'

The file is quite messed up, I'd advise starting from scratch.
Use the dumbAP guest guide.
Instead of guest use the name dmz.
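For reference, here is what a from-scratch /etc/config/firewall for this layout can look like. This is an added example, not the poster's file, the replier's, or the text of the dumb AP guest guide. It assumes Router2's uplink toward Router1 is the interface named 'lan' in /etc/config/network, that the segment on eth1 is the interface named 'dmz' (the `network` value is case-sensitive and must match that name exactly, which is worth checking against the posted zone's `option network 'DMZ'`), and that Router1's side uses RFC1918 addressing. Because Router2 has no interface of its own facing the internet, there is no wan zone: the internet is reached through the lan uplink, and the only way to let dmz forward to that uplink without also reaching the lan hosts is a reject rule keyed on private destination addresses.

```uci
# /etc/config/firewall for Router2 (added example; assumptions noted above)

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Uplink side, toward Router1. Masquerading here means Router1 sees dmz
# traffic as coming from Router2's lan address and needs no route back.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

# Isolated segment on eth1. Router2 itself only accepts DHCP and DNS from it.
config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# DHCP server on Router2 listens on UDP 67 (68 is the client side).
config rule
        option name 'Allow-DMZ-DHCP'
        option src 'dmz'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DMZ-DNS'
        option src 'dmz'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Traffic rules are evaluated before zone forwardings, so this reject is
# hit before the dmz->lan forwarding below for any private destination:
# the lan segment itself and anything behind Router1 that is not internet.
config rule
        option name 'Reject-DMZ-to-Private'
        option src 'dmz'
        option dest 'lan'
        option proto 'all'
        list dest_ip '10.0.0.0/8'
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.168.0.0/16'
        option target 'REJECT'

# The only path to the internet is the lan uplink, so dmz must be allowed
# to forward there; the rule above removes the private destinations.
config forwarding
        option src 'dmz'
        option dest 'lan'
```

Reload with `/etc/init.d/firewall restart` after saving. The posted file's wan zone (matching `0.0.0.0/0` with no interface) and the Allow-DHCP-Renew, Allow-IPSec-ESP and Allow-ISAKMP rules are the defaults meant for a real wan interface and are not needed on Router2. If lan hosts should be able to reach services in the dmz, add a `config forwarding` with `option src 'lan'` and `option dest 'dmz'`; connection tracking lets the replies through without allowing dmz to initiate toward lan. If the lan side carries IPv6 with ULA addresses, add an equivalent reject rule with `option family 'ipv6'` and `list dest_ip 'fc00::/7'`.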