I have a dumb AP set up with both regular LAN and guest networks successfully working. I also have a main firewall/switch as a public facing device. Both are running the latest stable OpenWRT.
What I would like to add is a separate SSID/firewall zone to the AP for local smart devices. I would like to have 2 way communication between anything in the IoT zone and any other local device (aside from guest), but the IoT zone should have no access to the internet.
I'm not quite sure the best way to go about this. I've done a lot of reading and tried several permutations of zone forwardings, subnet blocking at the firewall level, etc. Either the IoT zone can ping everything, or it can ping nothing. I'm also finding that I can't ping anything inside the IoT zone from the rest of the LAN. I can ping devices connected to the LAN zone of the dumb AP, but nothing else, seemingly regardless of forwarding settings.
Roughly, what should this setup look like? Are zones even the right way to do it when dealing with multiple devices?
If I'm understanding your setup, you have an OpenWrt main router that is facing the internet, and then an AP behind that. Is that correct? Is there anything else (in terms of network infrastructure) upstream (other than a modem), downstream, or between these two main devices?
Assuming no complications and that the infrastructure is simple, you'll set up a guest wifi network on your main router. From there, you'll also attach it to ethernet as a VLAN and then you can set up your AP to broadcast that network (it will be a simple unmanaged network on the AP).
As far as the firewall is concerned, you'll create this IoT (guest) network and put it in its own zone. From there, you'll allow forwarding to and from the lan, and not allow it access to the wan by simply not creating that zone forward rule.
If you need specific help, please post your configs (for both devices) and we can work through the adjustments.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
The easiest to understand and manage would be to use VLANs; however, VLANs may not be easy for some to set up. For what you want to do:
- VLAN 10 - Main
- VLAN 20 - Guest
- VLAN 30 - IoT
plus firewall zones for controlling inter-VLAN routing.
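As an added illustration of the zone layout described in the two replies above (the IoT zone forwarded to and from lan, with no forwarding to wan), here is an /etc/config/firewall excerpt. It is example configuration written for this thread, not any participant's own config. The interface name 'iot' (the interface that would sit on VLAN 30 in the scheme just suggested) and the default 'lan' and 'wan' zone names are assumptions; adjust them to match your /etc/config/network.

```uci
# /etc/config/firewall excerpt (added example; interface name 'iot' is assumed)

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Two-way traffic between the IoT zone and the trusted lan, as the question asks for
config forwarding
	option src 'iot'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'iot'

# Deliberately no 'config forwarding' with src 'iot' and dest 'wan':
# together with the zone's forward 'REJECT' policy, that alone keeps the IoT zone off the internet.

# With input 'REJECT' the IoT clients still need to reach the router itself for an address and name resolution
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, a ping from an IoT device to a host on the lan should succeed while a ping to a public address should fail. Note that the router still resolves DNS on the IoT devices' behalf, so hostnames will resolve even though the devices cannot connect to them; if a device also needs NTP from the router, add a rule like the DNS one for udp port 123. If the guest zone must stay isolated, simply do not add any forwarding between 'guest' and 'iot'.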