Help with setting up a new subnet

I want to create a new subnet to separate the home automation devices from the main network. Since I have several home automation devices, to avoid reconfiguring them all, including Home Assistant, I decided to create a new main network for the PC and smartphone and let the old network manage only the home automation devices.
So, following this guide,

I created a new device called "br-main", a new interface called "main", and a new SSID "Casa_Main".
So, the old main network IP is 192.168.1.1, the new network IP is 192.168.2.1
So far, so good. But I need help configuring the new subnet correctly.
Goals:

  1. The new network must access the old network and not vice versa;
  2. My AP, the Zyxel NWA50AX, must broadcast both networks;
  3. My switch, a Zyxel GS1200-8HP v2, should handle everything; I don't know if it's necessary to create a dedicated VLAN.

Sorry for my English, I use Google Translate.

This is a simple firewall zone forwarding: new > old, just like the lan > wan forwarding that is in the firewall by default.

If you need more specific guidance, we would need to see the configs.

Is this running the vendor firmware or OpenWrt?

It is not supported by OpenWrt, but it does support VLANs. You will likely need to consult the documentation for how to use VLANs on your switch - you will be using them on your router, switch, and AP.

For the ability to send both networks through the switch and AP, you’ll need to connect the new network to Ethernet (using VLANs) in the router first (likely not done yet since it’s not part of the guest WiFi guide). To provide specifics on that, we will need to see the network config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the reply.

This is running the vendor firmware.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 (stock layout)",
        "board_name": "zyxel,ex5601-t0-stock",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}

root@OpenWrt:~# cat etc/config/network
cat: can't open 'etc/config/network': No such file or directory
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted: two bridges, each with its own /24, plus a
# PPPoE uplink. No VLAN sections appear in this listing, so each network is
# tied to whole physical ports rather than to tagged VLANs.

# Loopback interface on 127.0.0.1/8.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Global settings: IPv6 ULA prefix and packet steering mode.
config globals 'globals'
        option ula_prefix 'fd54:3d71:dfc8::/48'
        option packet_steering '2'

# Bridge behind the original network. Only lan2-lan4 are members here;
# lan1 is a member of br-main further down.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Original network (192.168.1.0/24), the one the poster wants to keep for the
# home-automation devices. A /64 is delegated to it for IPv6.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

# PPPoE uplink on eth1.100. The credentials were replaced with XXX by the
# poster. peerdns '0' together with the dns list means the listed resolvers
# are used instead of the ones offered by the ISP.
config interface 'wan'
        option device 'eth1.100'
        option proto 'pppoe'
        option username 'XXX'
        option password 'XXX'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# DHCPv6 client.
# NOTE(review): device is 'wan' here, while the PPPoE interface above runs on
# eth1.100 -- confirm this is the intended device.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Bridge behind the new network. bridge_empty '1' lets the bridge exist even
# with no ports; lan1 is its only wired member and is untagged.
# Because there is no VLAN configuration in this file, a single cable can only
# carry one of the two networks. Delivering both networks to the switch and AP
# over one link would need tagged VLANs on router, switch and AP.
config device
        option type 'bridge'
        option name 'br-main'
        option bridge_empty '1'
        list ports 'lan1'

# New network (192.168.2.0/24) intended for PCs and smartphones.
# Unlike 'lan', no ip6assign is set, so no IPv6 prefix is delegated here.
config interface 'main'
        option proto 'static'
        option device 'br-main'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as posted: two radios, three SSIDs. The two original
# SSIDs are attached to 'lan'; the new SSID is attached to 'main'.

# 2.4 GHz radio, channel 1, 20 MHz HE, regulatory domain IT.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'
        option country 'IT'

# Original 2.4 GHz SSID on 'lan', WPA2-PSK. The key was redacted by the poster.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'FASTWEB-7HpvD6-2.4GHZ'
        option encryption 'psk2'
        option key 'xxx'

# 5 GHz radio, channel 36, 80 MHz HE, regulatory domain IT.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'
        option country 'IT'

# Original 5 GHz SSID on 'lan', WPA2/WPA3 mixed mode. Key redacted by the poster.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'FASTWEB-7HpvD6-5GHZ'
        option encryption 'sae-mixed'
        option key 'xxx'
        option ocv '0'

# New SSID for the 'main' network, on the 5 GHz radio only.
# NOTE(review): encryption 'none' makes this an open network -- no password and
# no over-the-air encryption. In the firewall config posted alongside, the
# 'main' zone has input ACCEPT and is forwarded to both 'wan' and 'lan', so any
# device in radio range that joins this SSID can reach the router's own
# services, the internet, and the home-automation devices on 192.168.1.0/24.
# Before using this network, set an encryption mode with a key, as the other
# two SSIDs do (e.g. 'psk2' or 'sae-mixed' plus 'option key').
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Casa_Main'
        option encryption 'none'
        option network 'main'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq settings, one DHCP pool per network and
# the static leases of the existing devices.

# dnsmasq: local domain 'lan', DNS rebind protection enabled, DNS service
# limited to local subnets (localservice), leases kept in /tmp.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# Pool for the original network: start 2, limit 248, i.e. host addresses
# .2 to .249, one-hour leases. DHCPv6 and router advertisements are served
# here as well.
config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '248'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the uplink.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases. Every entry pins a device to an address in 192.168.1.0/24,
# which is why the poster wants to leave these devices on the old network.
# NOTE(review): the MAC addresses below appear as posted. MAC addresses are
# normally redacted before a config is shared publicly.
config host
        option name 'FritzBox'
        option ip '192.168.1.2'
        list mac '0c:72:74:e6:64:dd'

config host
        option name 'Switch'
        option ip '192.168.1.3'
        list mac '4e:5d:35:5d:2c:fc'

config host
        option name 'Proxmox'
        list mac '44:8a:5b:b5:c5:67'
        option ip '192.168.1.68'

config host
        option name 'HomeAssistant'
        list mac '02:4d:3d:15:6b:fc'
        option ip '192.168.1.69'

config host
        option name 'P105'
        list mac '24:2f:d0:50:6e:66'
        option ip '192.168.1.4'

config host
        option name 'P125M'
        list mac '24:2f:d0:2e:55:b1'
        option ip '192.168.1.5'

config host
        option name 'Meross1'
        list mac '48:e1:e9:d9:0a:f9'
        option ip '192.168.1.6'

config host
        option name 'Meross2'
        list mac '48:e1:e9:d8:ea:40'
        option ip '192.168.1.7'

config host
        option name 'Meross3'
        list mac '48:e1:e9:d8:ff:33'
        option ip '192.168.1.8'

config host
        option name 'Meross4'
        list mac '48:e1:e9:d8:ea:3c'
        option ip '192.168.1.9'

config host
        option name 'MeterEsp32'
        list mac 'b0:a7:32:db:77:04'
        option ip '192.168.1.10'

config host
        option name 'EnMonEsp32'
        list mac 'b0:b2:1c:a7:7c:e4'
        option ip '192.168.1.11'

config host
        option name 'LGDryeer'
        list mac '34:e6:e6:50:8a:5d'
        option ip '192.168.1.13'

config host
        option name '1744925071'
        option ip '192.168.1.35'
        list mac '34:EA:E7:30:58:42'

# Pool for the new network: start 100, limit 150, i.e. host addresses
# .100 to .249 of 192.168.2.0/24, twelve-hour leases. No dhcpv6/ra options are
# set here, unlike the 'lan' pool.
config dhcp 'main'
        option interface 'main'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted: zones 'lan', 'wan' and 'main', the stock
# wan-side rules, one custom IPv6 block rule, and the forwardings that decide
# which zone may open connections into which.

# Global defaults: anything not matched by a zone or rule is rejected on input
# and forward. Software and hardware flow offloading are enabled.
# NOTE(review): the meaning of ipv6_filter '0' is not evident from this
# listing -- confirm that it does not switch off filtering of IPv6 traffic.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option ipv6_filter '0'

# Zone for the original network. input ACCEPT means every device in this zone
# can reach the router's own services.
# NOTE(review): once this zone holds only home-automation devices, consider
# whether they need more than DHCP and DNS from the router.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

# Uplink zone: unsolicited input and forwarding rejected, outbound traffic
# masqueraded, MSS clamping enabled.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Original network may open connections to the internet.
config forwarding
        option src 'lan'
        option dest 'wan'

# --- Rules accepting specific traffic arriving from wan ---

# DHCP replies to the router (IPv4, UDP port 68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IPv4 ping to the router from the internet.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP (IPv4 multicast membership) from the uplink.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 replies to the router (UDP port 546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery, only from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 messages addressed to the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 messages forwarded from wan to any zone (dest '*'), rate-limited.
# This includes IPv6 echo-request to hosts behind the router.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec ESP forwarded from wan to hosts in 'lan' (not to 'main').
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# IKE (UDP port 500) forwarded from wan to hosts in 'lan' (not to 'main').
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rule (the name is Italian for "Block IPv6 Refoss"): rejects IPv6
# traffic from 'lan' to 'wan' for one device, matched by its source MAC.
config rule
        option src 'lan'
        option dest 'wan'
        option name 'Blocca IPv6 Refoss'
        option family 'ipv6'
        list src_mac '90:11:95:EB:2A:C2'
        option target 'REJECT'

# Zone for the new network. input ACCEPT lets every client of 'main' reach the
# router's own services.
# NOTE(review): the wireless config posted alongside attaches the open
# (encryption 'none') SSID 'Casa_Main' to this network, so this zone's
# permissions currently apply to anyone who joins that SSID.
config zone
        option name 'main'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'main'

# New network may open connections to the internet.
config forwarding
        option src 'main'
        option dest 'wan'

# New network may open connections into the original network.
# There is no forwarding with src 'lan' and dest 'main', so with the default
# forward policy of REJECT the original network cannot open connections into
# the new one. This matches the stated goal "new reaches old, not vice versa".
config forwarding
        option src 'main'
        option dest 'lan'