Isolate TVs, but reach them from phones

Hi!

I'm new to OpenWRT. I flashed it to my TP-Link TP-WR841N and set up 4 (5 if WAN6 is counted separately) interfaces: LAN, WAN and WAN6, GUEST and MULTIMEDIA.

I created 3 WLANs: Internal (Interface is LAN), Guest (GUEST) and Multimedia (MULTIMEDIA).

The LAN-Ports are connected:
1x WAN/WAN6
3x LAN
1x Multimedia

One Smart TV is connected to the LAN-Port with the Multimedia-Interface-VLAN.
The other two Smart TVs are connected to the Multimedia-WLAN.

PCs, Smartphones and Co are connected to LAN-Ports (LAN-Interface-VLAN) or in the Internal-WLAN.

I want to be able to reach the TVs from the LAN so I can stream something to them from the smartphones, but I don't want the TVs to be able to reach the PCs and smartphones, for privacy reasons.

I created firewall rules so that pinging from the Multimedia WLAN to the Internal WLAN is not possible, but vice versa it works.

Sadly the apps on the phones don't find the TVs, surely because of the different subnets (192.168.1.0/24 and 192.168.2.0/24).

I tried to use the same subnet for the LAN and MULTIMEDIA interfaces and give them different DHCP ranges, but then even the web interface doesn't work anymore.

Do you have some suggestions to solve my problem?
Thank you very much in advance and sorry for my bad English.

Best regards,
OpenWRTnewbie

What TV, what apps... (what protocols)?

Samsung Smart TVs of different series.
Apps are Samsung Smart View and Mirror for Samsung TVs.
But I think that's not the point. No app will find a TV in another subnet, even if the firewall allows it. The point is the setup of the router, and I would need your help to correct it.

Many of these apps and TVs rely on mDNS for discovery and connections. You could start a test by using two networks and allowing forwarding between zones (completely open) AND install/enable the mDNS reflector services. See if that works. Then tighten down the firewall so that forwarding from the trusted LAN > TV network is allowed, but not the other way (established/related connections should still be permitted, but that would be return traffic based on the trusted side initiating the connection).

If the devices are on the same network, though, it is much harder to limit the connectivity. You could use client isolation on the AP (for wifi connections), but that will isolate everything on the wireless network, so it would probably break the desired connectivity as well. A smart/managed switch could be used with port isolation features that allow you to specify what connections are allowed (so port 4 can talk to port 7, but no other ports), but that falls apart when there is wireless involved for other devices and in a bunch of other scenarios.

Can you paste the content of the files /etc/config/network and /etc/config/firewall?

Hi!
Thanks for your answers.

Here is my /etc/config/network :

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd74:76ae:0750::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ANONYMIZED'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '9.9.9.9'
	list dns '208.67.222.222'
	option peerdns '0'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'ANONYMIZED'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	list dns '2620:fe::fe'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 1 2 3t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 3t 4'

config interface 'MULTIMEDIA'
	option ifname 'eth0.3'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option type 'bridge'
	option ipaddr '192.168.2.1'

config interface 'GAST'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

And here is my /etc/config/firewall :

config defaults
	option syn_flood '1'
	option input 'DROP'
	option forward 'DROP'
	option drop_invalid '1'
	option output 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option network 'MULTIMEDIA'
	option name 'multimedia'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option network 'GAST'
	option forward 'DROP'
	option name 'gast'
	option input 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'multimedia'

config forwarding
	option dest 'wan'
	option src 'gast'

config forwarding
	option dest 'multimedia'
	option src 'lan'

Thanks for your replies, and please also let me know if you recognize a security risk.

Best regards
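The advice earlier in the thread was to allow forwarding from the trusted LAN into the TV zone but not the other way round, and the last post shows the resulting /etc/config/firewall. The script below is an added example, not code from the thread or from the OpenWrt project: it parses the zone, forwarding and defaults sections of a UCI firewall file and works out, for every ordered pair of zones, whether new connections may be forwarded. The semantics it assumes are those of OpenWrt's firewall3/fw4: a `config forwarding` with matching src/dest opens that direction, a zone's own `forward` option only governs traffic between networks inside that same zone, and everything else falls back to the global `defaults` forward policy (REJECT when unset). Established/related return traffic is accepted regardless, so "DROP" in the output means "cannot initiate". The embedded config is a trimmed copy of the zone and forwarding sections posted above (input/output/masq options and the wan rules are omitted, since they do not affect inter-zone forwarding); the zone groupings passed to `isolation_violations` are an assumption about which zones should be treated as trusted.

```python
import shlex

# Constructed input: the defaults, zone and forwarding sections from the
# firewall config posted in the thread, trimmed to the options that decide
# inter-zone forwarding.
FIREWALL_CONFIG = """
config defaults
	option forward 'DROP'

config zone
	option name 'lan'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'multimedia'
	option forward 'ACCEPT'
	option network 'MULTIMEDIA'

config zone
	option name 'gast'
	option forward 'DROP'
	option network 'GAST'

config zone
	option name 'wan'
	option forward 'DROP'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'multimedia'
	option dest 'wan'

config forwarding
	option src 'gast'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'multimedia'
"""


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted values
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "options": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2])
    return sections


def forwarding_policy(sections):
    """Return {(src_zone, dest_zone): policy} for newly initiated connections.

    Assumed fw3/fw4 semantics: `config forwarding` opens src->dest, the zone's
    `forward` option covers only intra-zone traffic, and the global defaults
    `forward` policy (REJECT if unset) applies to every other pair.
    """
    defaults = next((s["options"] for s in sections if s["type"] == "defaults"), {})
    default_forward = defaults.get("forward", "REJECT")
    zones = {s["options"]["name"]: s["options"] for s in sections if s["type"] == "zone"}
    opened = {(s["options"]["src"], s["options"]["dest"])
              for s in sections if s["type"] == "forwarding"}
    policy = {}
    for src in zones:
        for dest in zones:
            if src == dest:
                policy[(src, dest)] = zones[src].get("forward", "REJECT")
            elif (src, dest) in opened:
                policy[(src, dest)] = "ACCEPT"
            else:
                policy[(src, dest)] = default_forward
    return policy


def isolation_violations(sections, trusted, untrusted):
    """List (src, dest) pairs where an untrusted zone can open connections into a trusted one."""
    policy = forwarding_policy(sections)
    return sorted((u, t) for u in untrusted for t in trusted if policy[(u, t)] == "ACCEPT")


if __name__ == "__main__":
    sections = parse_uci(FIREWALL_CONFIG)
    for (src, dest), pol in sorted(forwarding_policy(sections).items()):
        print(f"{src:>10} -> {dest:<10} {pol}")
    # With the posted config this prints an empty list: the TV and guest zones
    # cannot initiate into lan, while lan -> multimedia is ACCEPT.
    print("violations:", isolation_violations(sections, ["lan"], ["multimedia", "gast"]))
```

Running it against the posted config reports no violations: lan -> multimedia is ACCEPT, multimedia -> lan and gast -> lan fall through to the global DROP, and the only thing the multimedia zone's own `forward 'ACCEPT'` opens is traffic between the wired and wireless TVs inside that zone. Re-running it after any later change to the forwarding sections (or with the full file copied in) is a quick way to confirm the TVs still cannot reach the LAN. Note that the mDNS reflector the earlier reply mentions does not appear in this file at all; it is a separate service, and the firewall audit above says nothing about whether discovery traffic is being reflected.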