I did it wrong but it works?

So I don't super understand how the zones work, but I managed to cobble together the result that I wanted: the guest network not having access to my LAN, and a NoInternet zone for my IoT stuff letting it only access my local network. But then I saw this post: How to set up firewall rules/zones correctly for VLANs? and I'm not sure what to do. I don't know if I set my stuff up properly and if I should change it to be similar to how it is in the post.

In your picture, you have opened the whole internet (wan) to the guest and lan zones.

Yes this "works" because it is way too permissive, and thus insecure.

  • Do not allow input on the wan zone.
  • Do not generally forward from wan to anywhere.
  • Insecure zones (guest, IoT) also should not allow input. Write rules specific to the needed services, like DHCP and DNS.
  • Don't generally forward from IoT to lan. Write a specific rule for the machine(s) and port(s) required. It is better to forward only lan->iot and not allow IoTs to initiate connections.
  • If you have a server machine in lan that primarily serves IoTs (e.g. a network video recorder), you may want to move it to the IoT network or create a new sequestered network for that server (often called a DMZ).
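As an added illustration (not part of either post, and not an OpenWrt tool), the script below turns the bullet list above into a checker for an OpenWrt `/etc/config/firewall`. It embeds two constructed fragments: `PERMISSIVE` has the shape being criticised (wan input open, zone-wide forwarding from wan and from iot into lan, iot input open), and `HARDENED` follows the bullets (wan input rejected, no forwarding from wan, iot gets only DHCP and DNS from the router by rule, lan->iot forwarding only, and one iot->lan exception pinned to a host and port). Both fragments show only the sections the checks look at; the `192.168.1.50:554` NVR address and the rule names are placeholders, and the `guest`/`iot` zone names are assumed to match the poster's setup.

```python
import shlex

# Constructed sample of the "works but too permissive" shape described in the reply.
PERMISSIVE = """
config zone
    option name 'wan'
    option input 'ACCEPT'
config zone
    option name 'iot'
    option input 'ACCEPT'
config forwarding
    option src 'wan'
    option dest 'lan'
config forwarding
    option src 'iot'
    option dest 'lan'
"""
# Constructed sample following the bullet list. A rule without 'dest' targets the
# router itself (DHCP/DNS); the iot->lan exception is pinned to one placeholder host/port.
HARDENED = """
config zone
    option name 'wan'
    option input 'REJECT'
    option masq '1'
config zone
    option name 'iot'
    option input 'REJECT'
config forwarding
    option src 'lan'
    option dest 'iot'
config rule
    option name 'iot-dhcp'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option name 'iot-dns'
    option src 'iot'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option name 'iot-to-nvr'
    option src 'iot'
    option dest 'lan'
    option dest_ip '192.168.1.50'
    option dest_port '554'
    option proto 'tcp'
    option target 'ACCEPT'
"""

UNTRUSTED = {"guest", "iot"}        # zones that must not initiate into lan (assumed names)
NEEDED_INPUT_PORTS = {"67", "53"}   # the only router services such zones need: DHCP, DNS


def parse_uci(text):  # minimal UCI reader: list of section dicts, type under ".type"
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # copes with the 'quoted values'
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({".type": tok[1]})
        elif tok[0] == "option":
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections


def audit(text):
    """Findings against the reply's bullets; an empty list means the config passes."""
    secs = parse_uci(text)
    zones = {s["name"]: s for s in secs if s[".type"] == "zone"}
    forwards = [(s["src"], s["dest"]) for s in secs if s[".type"] == "forwarding"]
    rules = [s for s in secs if s[".type"] == "rule" and s.get("target") == "ACCEPT"]
    out = []
    if zones.get("wan", {}).get("input") == "ACCEPT":       # bullet 1
        out.append("wan: input ACCEPT exposes the router's own services to the internet")
    for src, dest in forwards:
        if src == "wan":                                        # bullet 2
            out.append(f"forwarding wan->{dest} lets any internet host into {dest}")
        elif src in UNTRUSTED and dest == "lan":                # bullet 4
            out.append(f"forwarding {src}->lan lets every {src} device reach every lan host")
    for name in sorted(UNTRUSTED & zones.keys()):
        if zones[name].get("input") == "ACCEPT":                # bullet 3
            out.append(f"{name}: input ACCEPT; use REJECT plus explicit DHCP/DNS rules")
        else:  # input is closed, so make sure the two services the zone needs are still allowed
            have = {r.get("dest_port") for r in rules if r.get("src") == name and "dest" not in r}
            for port in sorted(NEEDED_INPUT_PORTS - have):
                out.append(f"{name}: no input rule for port {port}; DHCP/DNS would break")
        for r in rules:                                         # bullet 4, the exception
            if r.get("src") == name and r.get("dest") == "lan" and not (r.get("dest_ip") and r.get("dest_port")):
                out.append(f"rule {r.get('name', '?')}: {name}->lan not pinned to dest_ip and dest_port")
    return out


if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{label}: {audit(cfg) or ['ok']}")
```

Run against a real file with `audit(open("/etc/config/firewall").read())`; the permissive sample yields four findings (one per bullet it violates) and the hardened one yields none. Removing `dest_ip` from the `iot-to-nvr` rule, or changing the DNS rule's port, is flagged, which is the kind of drift the checker is meant to catch after later edits.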

Does this look any better?

I do have a server machine in lan, but not just for IoTs; I host a Minecraft server on it. Should I still move it into a DMZ?