I have a switch plugged into my router on eth0.1 and the router itself is my access point how do I configure the wireless clients to be in a different dhcp subnet than wired clients.
172.22.10.0 /27 for Wired
172.22.20.0 /27 for Wireless
I have tried several ways, like making a new 'wlan' interface and bridging my routers two separate radios into that interface and dhcp worked as expected but the wireless devices had to internet connectivity.
You were almost there, you have to make a new firewall zone and add a rule which allows forwarding from "WLAN-Interface" to "WAN". There should already be one for "LAN" -> "WAN", which enables Internet for your wired clients.
To allow communication between the "WLAN-Interface" and the normal "LAN" you need to another two rules:
vim /etc/config/firewall
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'WLAN-Interface'
option network 'WLAN-Interface'config forwarding
option dest 'wan'
option src 'WLAN-Interface'config forwarding
option src 'lan'
option dest 'WLAN-Interface'config forwarding
option dest 'lan'
option src 'WLAN-Interface'
Note: The zones can have the same name as the interface but that doesn't have to be the case.
Wow, thank you for the help I was beginning to think about the firewall being the issue. Now I have one last thing I need help with. I want my device management to have its own subnet, 172.22.33.0 /29 and I don't want to be able to access the login for LEDE from the other Interface IPs of 172.22.20.1 or 172.22.10.1, only from the 33. I have a Cisco 2960 switch that does the intervlan routing so my LEDE router doesn't need to be in a VLAN I don't think but I also need to set the eth0.1 interface to an ip inside of the switches management ip subnet to be able to communicate. So I created interface MGM on port eth0.1 and gave it a static ip of 172.22.33.1 and I can access it, but how do I block the other subnets from being able to login to the LEDE admin page?
For SSH:
config rule
option name 'Deny SSH in'
option src 'interface-name'
option dest_port '22'
option proto 'tcp'
option target 'DROP'
Concerning Webinterface access I am not sure. You may need to find that out on your own. There should be numerous examples on openwrt but I don't exactly know how to block the webinterface for subnets. But I would guess a filter with Iptables or a suitable HTTPd config could do the trick. Also, have a look here:
https://wiki.openwrt.org/doc/howto/secure.access
https://wiki.openwrt.org/doc/uci/uhttpd
You could shutdown the webinterface completely and only start it when needed with ssh
/etc/init.d/uhttpd disable /etc/init.d/uhttpd stop