Help verifying my OpenWrt config

Hi,

I installed OpenWrt on MT-6000 and I configured my network to have the following interfaces:

• Personal VLAN (wifi + lan)
• Homelab VLAN (lan only)
• IOT (wifi only, no VLAN)
• Wireguard server

The zones design I want to go for is:

• personal → wan, homelab, iot, wg
• wg → wan, homelab
• homelab → wan, iot
• iot → reject
• wan → reject

Additionally:

• There is a managed switch on lan1 port
• I run AdGuardHome directly on the router.
• I’ve deleted IPv6 as I had some issues and wanted to have this setup ready before moving on in that direction.

Main files:

• /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd...'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option delegate '0'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'redacted'
        option password 'redacted'
        option peerdns '0'
        option ipv6 'auto'
        option norelease '1'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'
        option ipv6 '0'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'

config interface 'homelab'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted'
        option listen_port 'redacted'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option public_key 'redacted'
        option private_key 'redacted'
        option description 'Peer'
        option preshared_key 'redacted'
        list allowed_ips '10.0.0.2'
        option endpoint_port 'redacted'
        option persistent_keepalive '25'

• /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config zone
        option name 'homelab'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'homelab'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'homelab'
        option name 'Allow-DHCP-homelab'
        option family 'ipv4'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option src_port '68'

config rule
        option src 'homelab'
        option name 'Allow-DNS-homelab'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'iot'
        option name 'Allow-DHCP-iot'
        list proto 'udp'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'iot'
        option name 'Allow-DNS-iot'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'iot'
        option dest 'wan'
        option name 'Allow-iot-8886-outbound'
        list proto 'tcp'
        list src_ip '192.168.20.x'
        option dest_port '8886'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'wg'
        option name 'Allow-DNS-wg0'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'

config forwarding
        option src 'homelab'
        option dest 'iot'

config forwarding
        option src 'lan'
        option dest 'homelab'

config forwarding
        option src 'homelab'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

config forwarding
        option src 'wg'
        option dest 'homelab'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option src 'wan'
        option name 'Allow-INCOMING-wg0'
        list proto 'udp'
        option dest_port 'redacted'
        option target 'ACCEPT'
        option family 'ipv4'

config redirect
        option target 'DNAT'
        option name 'DNS-interception-lan'
        list proto 'udp'
        option src 'lan'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'

config redirect
        option target 'DNAT'
        option name 'DNS-interception-homelab'
        list proto 'udp'
        option src 'homelab'
        option src_dport '53'
        option dest_ip '192.168.10.1'
        option dest_port '53'

config redirect
        option target 'DNAT'
        option name 'DNS-interception-iot'
        list proto 'udp'
        option src 'iot'
        option src_dport '53'
        option dest_ip '192.168.20.1'
        option dest_port '53'

• /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        option cachesize '0'
        option noresolv '1'
        option bind_interfaces '1'
        list interface 'homelab'
        list interface 'iot'
        list interface 'lan'
        list notinterface 'wan'
        list notinterface 'wan6'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host
        option name 'desktop-1'
        list mac 'redacted'
        option ip '192.168.1.2'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.20.1'

config dhcp 'homelab'
        option interface 'homelab'
        option start '110'
        option limit '150'
        option leasetime '12h'

I have 2 main questions:

• Is this configuration correct and safe? I followed some guides and tried to understand everything beforehand but I think having some feedback from real users would be great.
• I tried removing the dhcp_option to specify the DNS from lan and iot interfaces. However, it breaks the wan access on Wifi devices (ethernet works fine). It is like then they don’t obtain DNS IPv4, I’m not sure why.

Thanks

Can anyone help? I know the question is too generic and nothing is completely safe. The tools I use to test the configuration are:

• arp-scan from time to time to verify only the expected devices are on my network
• netstat to confirm I’m not openning any unneeded port

Apart from that I did not notice anything weird, maybe I’m being paranoid but l just started using Openwrt recently and there are too many options I can easily misconfigure.

I think I’m looking for a process I can follow to ensure I’m safe after changing the configuration.

When you change dnsmasq’s port to anything besides 53, it doesn’t automatically advertise itself as the DNS server. So the dhcp_option is necessary (I assume you’re running AGH?).

This limit is invalid. The limit is the size of the range, not the end of the range. You are asking for 110-259, but probably want 110-150, so the limit should be 50 or 51.

That makes sense. Yes, I’m running AGH.