MQTT on IoT Offline WLAN

Hi,

I have a separate VLAN for my IoT with Internet access, another without, and another with my local trusted servers.

I try to use MQTT and forward this. There shouldn't be any other possible access.

Firewall

Traffic Rule

But I can't see the device information on my 192.168.0.47 server.

Thanks for help.

edit: interface screen

would need to see more info...

but your NOWAN(zone) => REJECT is likely too broad...

add separate ones per ZONE...

Hi wulfy23

What kind of info? I thought this was all the relevant stuff :slight_smile: but who am I, haha.

Here is the config:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan_guest'
	option name 'lan_guest'
	option output 'ACCEPT'
	option network 'lan_guest IoT_Online'
	option input 'REJECT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'


config include
	option path '/etc/firewall.user'
	option reload '1'

config rule
	option src 'lan_guest'
	option target 'ACCEPT'
	option name 'Guest allowed to DHCP'
	list proto 'udp'
	option src_port '68'
	option dest_port '67'

config rule
	list proto 'udp'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'
	option src 'no_wan'
	option name 'noWAN allowed to DHCP'

config rule
	option name 'Guest allowed PiHole'
	option src 'lan_guest'
	option dest_port '53'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.10'

config forwarding
	option src 'lan_guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'no_wan'
	option network 'IoT'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'no_wan'

config rule
	option name 'Allow MQTT to IOBroker'
	option family 'ipv4'
	list proto 'tcp'
	option src 'no_wan'
	option dest 'lan'
	list dest_ip '192.168.0.47'
	option target 'ACCEPT'
	option src_port '1884'
	option dest_port '1884'

config rule
	option name 'Allow MQTT to Device'
	list proto 'tcp'
	option src 'no_wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option src_port '1884'
	option dest_port '1884'

Network:

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	list dns '192.168.0.10'
	option ifname 'eth0'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1'
	option hostname 'router'

config interface 'lan_guest'
	option proto 'static'
	option ifname 'eth0.30'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option force_link '0'

config interface 'IoT'
	option proto 'static'
	option ifname 'eth0.50'
	list ipaddr '192.168.50.1/24'
	list dns '192.168.0.10'

config interface 'IoT_Online'
	option ifname 'eth0.55'
	option proto 'static'
	option ipaddr '192.168.55.1'
	option netmask '255.255.255.0'
	list dns '192.168.0.10'

Thank you

probably worth getting this too... just to make sure...

uci show wireless | grep -e network -e device
wireless.radio0=wifi-device

It works if I do it like this, without any traffic rule...

I think I don't know how these zones work...
or the traffic rules don't work.

I won't access the rest of lan/wan, so these seem to be wrong settings; I already tried several things :frowning:

see the wiki tutorial below...
wiki guest

in particular... the wireless side of things... I'm not convinced yours is fully set up and this will complicate things...

(when you get to the 'INPUT' rules... in your case the MQTT side of things is 'FORWARD' and how you structure them will depend on the default policy for the ZONE )

in your case you will need 'forwarding' to IOT<=>lan(not wan)... and then the additional rules... to allow what you want then disallow the rest...

it is much easier testing first-time setups of these ZONE isolations;

  • purely over wired... and
  • on VM's if need be...
  • without other zones floating around to confuse you
    until you have grasped the concepts...

I don't understand this so far :frowning: I tried your tutorial.

I only want to disable all and just enable traffic from a specified port to a specified IP.
This shouldn't be that hard, or is it possible to disallow all except 1 port via traffic rules? I don't want to set up traffic rules for every protocol that exists.

Can you help me to set it up?

this is clear... and you have provided most of the info to help... ( MQTT conf access lists? routing table of MQTT server? )

all I was doing was trying to get that information and clarify what the purpose of each 'step' is, in a general sense... and highlight that the simpler you make your setup... then the easier it is to test such things...

( I think your wireless config is potentially incorrect... no amount of firewall rules will correct this )

I'm sure someone will be able to give you some more specific answers... ( can take time )...

I have no wireless on my rpi4?

I have 2 x EAP245 with 4 different WLANs, 3 of them on different VLAN ports.
I can connect to each of them.

You think something is wrong with this setup and not my OpenWrt Pi4?

right... so you are saying that wireless is not provided by the device doing the firewalling... apologies... I had missed that point...

what is setup in regards to the above?

Nothing :slight_smile: no access list. The MQTT server starts on TCP port 1884; it's a built-in function of the server.
I only use IP, login, password on all my MQTT devices, and it works.

if they are in the same WLAN/firewall, called "lan" above

this doesn't answer what other networks it can reach with or without a firewall...

  • is the MQTT server's default gateway set to the firewalling router?
  • does it run its own firewall?

There is no other firewall that I know of. Proxmox firewall disabled.

The MQTT server's default gateway should be 192.168.0.1.

And I just added the same on the interface.

But still no connection. :frowning:

the gateway in your screenshot is for the IOT-Offline gateway interface... ( irrelevant to clients... you should remove that )

I asked about what gateway was set on the MQTT server... ( which is either static on the device/empty... or in your dhcp settings for that segment )

if you type 'ip -4 route' on the MQTT server it will print its routing table...

result on host with mqtt

Nothing separate or special is set, it should be the default gateway.

great! I'm setting up what you're trying to do now... so if nobody spots the issue with your firewall (and your APs are all set up correctly )... I can provide you with some working config once I'm done...

Boa, that would be great; as I remember from previous threads we both have almost the same setup.

not saying this is perfect or correct... but you can see the default ZONE policy is to ACCEPT input and output... this should take care of dhcp/dns(aka services direct from the router)... ( I do not show this part of the setup )

  • you may need other REJECT rules on the router(input) or totally different rules if you use another default policy... ( see NOTE1 )

I then create two rules to allow the MQTT traffic in both directions... (adding only the actual IP of the server would make these rules more secure)

one-sample-with-basic-policy-explanations
network.iotnowan=interface
network.iotnowan.proto='static'
network.iotnowan.ipaddr='192.168.90.1'
network.iotnowan.netmask='255.255.255.0'
network.iotnowan.ifname='eth0.90'


############################################ firewall-default
firewall.@zone[3]=zone
firewall.@zone[3].name='iotnowan'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].network='iotnowan'

firewall.@rule[11]=rule
firewall.@rule[11].limit='1000/sec'
firewall.@rule[11].family='ipv4'
firewall.@rule[11].name='nowantomqqtroserver'
firewall.@rule[11].src='iotnowan'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='1884'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].target='ACCEPT'


firewall.@rule[12]=rule
firewall.@rule[12].limit='1000/sec'
firewall.@rule[12].family='ipv4'
firewall.@rule[12].name='nowantomqqtreturn'
firewall.@rule[12].src='lan'
firewall.@rule[12].dest='iotnowan'
firewall.@rule[12].src_port='1884'
firewall.@rule[12].proto='tcp'
firewall.@rule[12].target='ACCEPT'

NOTE1

most wiki guides either rely on setting up ZONE<>ZONE forwardings or leveraging existing ZONES... this will typically require you to block stuff you do not want... the example above is the opposite... forwarding is disallowed and we ALLOW what we want for FORWARDING only... I have not tested this yet... but it shows how forwarding and zone policy is critical to how your rules are structured...

and here you can see those rules having been applied as FORWARD rules..

[root@dca632 /usbstick 48°]# iptables-save -c | grep 188
[0:0] -A zone_iotnowan_forward -p tcp -m tcp --dport 1884 -m limit --limit 1000/sec -m comment --comment "!fw3: nowantomqqtin" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_forward -p tcp -m tcp --sport 1884 -m limit --limit 1000/sec -m comment --comment "!fw3: nowantomqqtback" -j zone_iotnowan_dest_ACCEPT

(edit: changed udp > tcp)


if you do it the other way around and add iotnowan<->lan zone forwarding by default... (but still want a 'permissive' ruleset) you need a final rule at the bottom which will REJECT...

here I invert the earlier PERMIT rule... and use it as the FINAL REJECT and allow if MQTT || REJECT everything else ( hitting forward_iotnomqqt->lan || forward_lan->iotnomqqt )

inverted-logic-using-forwarding-and-final-REJECT
firewall.iotnowan_mqqtin=rule
firewall.iotnowan_mqqtin.name='nowantomqqtin'
firewall.iotnowan_mqqtin.limit='1000/sec'
firewall.iotnowan_mqqtin.family='ipv4'
firewall.iotnowan_mqqtin.src='iotnowan'
firewall.iotnowan_mqqtin.dest='lan'
firewall.iotnowan_mqqtin.dest_port='!1884'
firewall.iotnowan_mqqtin.proto='tcp'
firewall.iotnowan_mqqtin.target='REJECT'
firewall.iotnowan_mqqtback=rule
firewall.iotnowan_mqqtback.name='nowantomqqtback'
firewall.iotnowan_mqqtback.limit='1000/sec'
firewall.iotnowan_mqqtback.family='ipv4'
firewall.iotnowan_mqqtback.src='lan'
firewall.iotnowan_mqqtback.dest='iotnowan'
firewall.iotnowan_mqqtback.src_port='!1884'
firewall.iotnowan_mqqtback.proto='tcp'
firewall.iotnowan_mqqtback.target='REJECT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='iotnowan'
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='iotnowan'

by default the above probably won't work... check the default policies... lan>iot is ok... but iot>lan is still set up as REJECT forwarding by default... so I either need to change that... or make an ACCEPT rule in that direction...

most guides will allow all traffic in one direction... so the policy need only be applied in the other... ( the lan->iot rule can be removed in this case as the default forward policy is accept and all other traffic enforcement can be done on the other side )

(edit: changed udp to tcp )

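An added example, not from this thread and not OpenWrt's own code: a small Python model of how fw3 decides a NEW forwarded flow (explicit rules, then zone forwardings, then the source zone's forward policy), run over an abridged copy of the first poster's config and over the inverted ruleset from the last post. It assumes replies are covered by the firewall's established/related conntrack acceptance, so only the client-to-server direction is checked; the abridged configs and the client source port 51234 are constructed, and the "fixed" variant only drops the src_port match, because an MQTT client connects FROM an ephemeral port, not from 1884.

```python
import re
# Constructed, abridged excerpt of the firewall config posted above (UCI text form).
OP_CONFIG = """
config zone
    option name 'no_wan'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'no_wan'
config rule
    option name 'Allow MQTT to IOBroker'
    list proto 'tcp'
    option src 'no_wan'
    option dest 'lan'
    list dest_ip '192.168.0.47'
    option target 'ACCEPT'
    option src_port '1884'
    option dest_port '1884'
"""
# Same config without the src_port match: MQTT clients connect FROM an ephemeral port.
FIXED_CONFIG = re.sub(r"^\s*option src_port '1884'\n", "", OP_CONFIG, flags=re.M)

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]; option and list both yield lists."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"^\s*config\s+(\w+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'", line)) and sections:
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections

def _port_ok(opts, key, port):
    """Absent port option matches anything; '!N' (as in the inverted ruleset) matches all but N."""
    want = opts.get(key, [None])[0]
    return want is None or (str(port) != want[1:] if want.startswith('!') else str(port) == want)

def forward_verdict(sections, src, dest, proto, sport, dport, dst_ip):
    """Verdict for a NEW forwarded flow, in fw3 order: rules, forwardings, source zone policy."""
    for typ, o in sections:  # explicit rules (src AND dest set) come first in zone_<src>_forward
        if typ == 'rule' and o.get('src') == [src] and o.get('dest') == [dest] \
                and proto in o.get('proto', [proto]) and dst_ip in o.get('dest_ip', [dst_ip]) \
                and _port_ok(o, 'src_port', sport) and _port_ok(o, 'dest_port', dport):
            return o['target'][0], o.get('name', ['unnamed'])[0]
    for typ, o in sections:  # then the zone-to-zone forwarding jumps
        if typ == 'forwarding' and o['src'] == [src] and o['dest'] == [dest]:
            return 'ACCEPT', 'forwarding %s->%s' % (src, dest)
    policy = [o.get('forward', ['REJECT'])[0] for t, o in sections if t == 'zone' and o['name'] == [src]]
    return (policy or ['REJECT'])[0], 'zone %s forward policy' % src  # finally the zone default
```

With the posted config the client's ephemeral source port never matches src_port '1884', so the flow falls through to the no_wan zone's REJECT; dropping that one option is enough for the rule to match while everything else from no_wan to lan stays rejected.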