Guest WiFi via private network uplink

I recently got a new router, which I installed OpenWrt on. I have a private network with a private WiFi connecting to the Internet via a second router. This works fine.

I also configured a guest WiFi in OpenWrt. I followed the steps to configure br-guest, and the firewall as described by the guide. When connecting to the guest WiFi, the client gets an IP address in the guest network, which is different from the private network.

However, the Internet uplink is via the Internet router, which has an IP address in the private network. I guess this might be a routing/firewall issue. I appreciate any ideas.

I now set Firewall Zone Settings --> General Settings --> Forward to accept and it works. Is this the best/secure way to do it?

What do you mean by this? Can you be more specific? What addresses are you talking about here?

Is your goal to make the "private wifi" a different network relative to the network of the "internet router" or is it supposed to be the same (i.e. a "dumb AP")?

This isn't clear... we really need to see your config to know what you're changing and what is currently set up...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There's a lot of unusual stuff in this config including packet marking and other things... was this stuff you added?
Please provide the output of

ubus call system board

The fundamental issue is that your wan and lan networks overlap, which will break the routing. But there may be other things going on here, and you didn't answer if this is intended to be a dumb AP on the "private wifi" or a separate and protected network relative to the upstream.

It would appear, then, that you are using the GL-inet firmware? If so, you need to refer to their support channels/forums for help since the firmware is considerably modified relative to official OpenWrt.

But I can advise here -- remove the wan interface and make sure you connect via the lan port since you want to make the private wifi a dumb ap.

A single reject rule based on destination IP can be used to block guests from reaching your LAN devices.

config rule 'guest_block_192_lans'
        option dest 'lan'
        option dest_ip ''
        option proto 'all'
        option src 'guest'
        option target 'REJECT'
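
An added example, not part of the thread or any poster's config: a small Python audit of the two points raised above, the overlapping wan/lan subnets and a guest REJECT rule whose dest_ip actually covers the lan subnet. The sample configs, the addresses and the rule name `guest_block_lan_example` are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample configs; interface names and addresses are assumptions.
NETWORK = """
config interface 'lan'
    option ipaddr '192.168.8.1'
    option netmask '255.255.255.0'
config interface 'wan'
    option ipaddr '192.168.8.50'
    option netmask '255.255.255.0'
"""
FIREWALL = """
config rule 'guest_block_lan_example'
    option src 'guest'
    option dest 'lan'
    option dest_ip '192.168.8.0/24'
    option target 'REJECT'
"""

def parse_uci(text):
    """Return [(section_type, section_name, options_dict), ...]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], tok[2] if len(tok) > 2 else "", {}))
        elif tok[:1] == ["option"] and len(tok) == 3 and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def interface_nets(network_text):
    """Map interface name -> IPv4 network for statically addressed interfaces."""
    return {name: ipaddress.ip_interface(f"{o['ipaddr']}/{o['netmask']}").network
            for kind, name, o in parse_uci(network_text)
            if kind == "interface" and "ipaddr" in o and "netmask" in o}

def overlapping(nets):
    """Pairs of interfaces whose subnets overlap (e.g. lan and wan)."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def guest_rule_covers(firewall_text, lan_net):
    """True if a guest REJECT rule names a dest_ip range containing lan_net."""
    return any(kind == "rule" and o.get("src") == "guest"
               and o.get("target") == "REJECT" and o.get("dest_ip")
               and lan_net.subnet_of(ipaddress.ip_network(o["dest_ip"], strict=False))
               for kind, _, o in parse_uci(firewall_text))
```

On the router's real files, pass the contents of /etc/config/network and /etc/config/firewall instead of the sample strings; a rule whose dest_ip is empty is reported as not covering the lan subnet.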