From 192.168.2.x to 192.168.3.x - SMB - two OpenWrt devices behind Provider Router

I have an OpenWrt device behind the provider box (router) with network 192.168.3.x. In this network are all my devices, except a specially protected MacBook.

In front of the specially protected MacBook is an OpenWrt with 192.168.2.x. With this specially protected device I drop everything except HTTPS/HTTP. Now I want to access the rest of the network from this device via Jellyfin 8096 (i.e. from 192.168.2.x to 192.168.3.x).

The firewall rule does not work. Only the rules on the Internet work; I cannot reach the other LAN.

Post the rules?

cat etc/config/firewall

config defaults
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option input 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Jellyfin'
        list proto 'tcp'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '8096'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-HTTPS-Forward'
        option src 'lan'
        option dest 'wan'
        option dest_port '443'
        option proto 'tcp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-HTTP-Forward'
        option src 'lan'
        option dest 'wan'
        option dest_port '80'
        option proto 'tcp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-POP'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '110'

config rule
        option name 'Allow-IMAP'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '993'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-SMTP'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '587'

config rule
        option name 'Allow-IMAP-2'
        option family 'ipv4'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '995'
        option target 'ACCEPT'

config rule
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '143'
        option target 'ACCEPT'
        option name 'Allow-IMAP-3'

config rule
        option name 'Allow-IMAP-4'
        option family 'ipv4'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '993'
        option target 'ACCEPT'
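
Added example, not part of the thread and not OpenWrt's own tooling: a small Python audit to run over a saved copy of the firewall file, listing which lan-to-wan ACCEPT rules have no `dest_ip` or no `proto`. The helper names `parse_rules` and `audit` are hypothetical, and the sample is a constructed abridgement of two rules from the config posted above.

```python
import shlex

# Constructed sample: two lan->wan rules abridged from the config posted above.
SAMPLE = """
config rule
        option name 'Jellyfin'
        list proto 'tcp'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '8096'
        option target 'ACCEPT'
config rule
        option name 'Allow-IMAP'
        option src 'lan'
        list src_ip '192.168.2.122'
        option dest 'wan'
        option dest_port '993'
        option target 'ACCEPT'
"""

def parse_rules(text):
    """Return each 'config rule' section as {option: [values]}."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            rules.append({"_type": tok[1:2]})
        elif rules and len(tok) == 3 and tok[0] in ("option", "list"):
            rules[-1].setdefault(tok[1], []).extend(tok[2].split())
    return [r for r in rules if r["_type"] == ["rule"]]

def audit(rules):
    """List (name, finding) for ACCEPT rules that forward lan -> wan."""
    out = []
    for r in rules:
        if [r.get(k) for k in ("src", "dest", "target")] != [["lan"], ["wan"], ["ACCEPT"]]:
            continue
        name = " ".join(r.get("name", ["(unnamed)"]))
        if "dest_ip" not in r:  # rule matches every destination in the wan zone
            out.append((name, "no dest_ip"))
        if "proto" not in r:    # OpenWrt documents the default as 'tcp udp'
            out.append((name, "no proto"))
    return out

if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE)):
        print(f"{name}: {finding}")
```

On the posted rules, the Jellyfin rule is reported with no `dest_ip`: it accepts port 8096 from 192.168.2.122 to any destination in the wan zone, not only 192.168.3.x.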

Hi

After all, you never told us how you connected the two OpenWrt routers?
If I get it right, one WRT is for 2.x/24 and the second WRT is for 3.x/24.