New VLAN – sanity check: firewall and network config

Hi,

I have been playing around with VLANs and changed a lot in my network and firewall setups. Can I please ask for a sanity check that everything is fine?

My setup is a Main AP with a guest network and VLAN 30 going to a dumb AP via a MoCA adapter, plus a TV on lan4 which I added to VLAN 30. It seems to be working, but with so many changes made and at least 30 times locking myself out of my Dumb AP, I am not sure whether I broke something. Here are my network and firewall configs on the Main Router:

Network:

root@Zyxel:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxxxx'
network.globals.packet_steering='1'
network.globals.steering_flows='128'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@device[0].vlan_filtering='1'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.norelease='1'
network.@device[1]=device
network.@device[1].name='xxxx'
network.ZeroTier=interface
network.ZeroTier.proto='none'
network.ZeroTier.device='xxx'
network.ZeroTier.disabled='1'
network.wg_lan=interface
network.wg_lan.proto='wireguard'
network.wg_lan.private_key='xxxxxxxx'
network.wg_lan.listen_port='51820'
network.wg_lan.addresses='10.0.5.1/24'
network.@wireguard_wg_lan[0]=wireguard_wg_lan
xxxxxxx
network.@device[2]=device
network.@device[2].name='eth1'
network.@device[2].macaddr='xxxxxxx2'
network.@device[3]=device
network.@device[3].name='phy1-ap0'
network.@device[4]=device
network.@device[4].name='phy0-ap0'
network.guest_dev=device
network.guest_dev.type='bridge'
network.guest_dev.name='br-guest'
network.guest=interface
network.guest.proto='static'
network.guest.device='br-guest'
network.guest.ipaddr='192.168.3.1/24'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='30'
network.@bridge-vlan[0].ports='lan1:t lan4:u'
network.@device[6]=device
network.@device[6].name='br-lan.30'
network.@device[6].type='8021q'
network.@device[6].ifname='br-lan'
network.@device[6].vid='30'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='1'
network.@bridge-vlan[1].ports='lan1:u lan2:u lan3:u phy0-ap0:u phy1-ap0:u'
network.@bridge-vlan[2]=bridge-vlan
network.@bridge-vlan[2].device='br-lan'
network.@bridge-vlan[2].vlan='30'
network.@bridge-vlan[2].ports='lan1:t lan4:u'
network.tv=interface
network.tv.proto='static'
network.tv.ipaddr='192.168.30.1'
network.tv.netmask='255.255.255.0'
network.tv.ip6assign='0'
network.tv.device='br-lan.30'

Firewall:

root@Zyxel:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan' 'wg_lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-IPSec-ESP'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='lan'
firewall.@rule[6].proto='esp'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='IoT'
firewall.@rule[9].src='lan'
firewall.@rule[9].dest='wan'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].proto='all'
firewall.@rule[9].src_ip='192.168.1.195' '192.168.1.193' '192.168.1.212' '192.168.1.233' '192.168.1.205' 'fe80::32be:29ff:fea2:8b4f' 'fe80::aa31:62ff:fe8a:8180' '192.168.1.240' '192.168.1.196'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Intercept-DNS'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].src_dport='53'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='ZeroTier'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='vpn'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard-lan'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.input='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest.network='guest'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='Elementum'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].src_dport='6893'
firewall.@redirect[1].dest_ip='192.168.30.102'
firewall.@redirect[1].dest_port='6893'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].name='Elementum'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].src_dport='6892'
firewall.@redirect[2].dest_ip='192.168.30.156'
firewall.@redirect[2].dest_port='6892'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[3]=redirect
firewall.@redirect[3].name='Elementum'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].src_dport='6891'
firewall.@redirect[3].dest_ip='192.168.30.155'
firewall.@redirect[3].dest_port='6891'
firewall.@redirect[3].proto='tcp udp'
firewall.@rule[13]=rule
firewall.@rule[13].src='lan'
firewall.@rule[13].dest='guest'
firewall.@rule[13].name='Allow HA Discovery to IoT'
firewall.@rule[13].src_ip='192.168.1.103'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].dest_ip='192.168.3.136' '192.168.3.160'
firewall.@rule[13].enabled='0'
firewall.@rule[14]=rule
firewall.@rule[14].src='lan'
firewall.@rule[14].name='Allow mdns'
firewall.@rule[14].proto='udp'
firewall.@rule[14].dest_port='5353'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].src_ip='192.168.1.103'
firewall.@rule[14].enabled='0'
firewall.@rule[15]=rule
firewall.@rule[15].src='guest'
firewall.@rule[15].name='Allow mdns'
firewall.@rule[15].proto='udp'
firewall.@rule[15].dest_port='5353'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].src_ip='192.168.1.103'
firewall.@rule[15].enabled='0'
firewall.@zone[4]=zone
firewall.@zone[4].name='tv'
firewall.@zone[4].network='tv'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='tv'
firewall.@forwarding[5].dest='wan'
firewall.@rule[16]=rule
firewall.@rule[16].name='Allow-DHCP-TV'
firewall.@rule[16].src='tv'
firewall.@rule[16].proto='udp'
firewall.@rule[16].dest_port='67 68'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[17]=rule
firewall.@rule[17].name='Allow-DNS-TV'
firewall.@rule[17].src='tv'
firewall.@rule[17].proto='tcp udp'
firewall.@rule[17].dest_port='53'
firewall.@rule[17].target='ACCEPT'
firewall.@rule[18]=rule
firewall.@rule[18].name='Allow-mDNS-LAN-to-TV'
firewall.@rule[18].src='lan'
firewall.@rule[18].dest='tv'
firewall.@rule[18].proto='udp'
firewall.@rule[18].dest_port='5353'
firewall.@rule[18].target='ACCEPT'
firewall.@rule[19]=rule
firewall.@rule[19].name='Allow-mDNS-TV-to-LAN'
firewall.@rule[19].src='tv'
firewall.@rule[19].dest='lan'
firewall.@rule[19].proto='udp'
firewall.@rule[19].dest_port='5353'
firewall.@rule[19].target='ACCEPT'
firewall.@rule[20]=rule
firewall.@rule[20].name='Allow-Multicast-LAN-to-TV'
firewall.@rule[20].src='lan'
firewall.@rule[20].dest='tv'
firewall.@rule[20].proto='udp'
firewall.@rule[20].dest_ip='224.0.0.0/4'
firewall.@rule[20].target='ACCEPT'
firewall.@rule[21]=rule
firewall.@rule[21].name='Allow-Multicast-TV-to-LAN'
firewall.@rule[21].src='tv'
firewall.@rule[21].dest='lan'
firewall.@rule[21].proto='udp'
firewall.@rule[21].dest_ip='224.0.0.0/4'
firewall.@rule[21].target='ACCEPT'
firewall.@rule[22]=rule
firewall.@rule[22].name='Allow-Cast-Control-LAN-to-TV'
firewall.@rule[22].src='lan'
firewall.@rule[22].dest='tv'
firewall.@rule[22].proto='tcp udp'
firewall.@rule[22].dest_port='8008 8009 8010 5556 5557 5558 1900'
firewall.@rule[22].target='ACCEPT'

Dumb AP Network:


root@Zyxel2:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxxx'
network.globals.packet_steering='1'
network.globals.steering_flows='128'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='1'
network.@bridge-vlan[0].ports='lan1:u*' 'lan2' 'lan3'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='30'
network.@bridge-vlan[1].ports='lan1:t' 'lan4:u*'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.2'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.1.1'
network.lan.dns='192.168.1.1'
network.tv=interface
network.tv.proto='static'
network.tv.device='br-lan.30'
network.tv.ipaddr='192.168.30.2'
network.tv.netmask='255.255.255.0'
network.tv.ip6assign='60'
network.tv.gateway='192.168.1.1'
network.tv.dns='192.168.1.1'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan.disabled='1'
network.wan.auto='0'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
network.wan6.disabled='1'
network.wan6.auto='0'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.norelease='1'
root@Zyxel2:~#

Thank you

Kind regards

K

Please edit your post

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks @brada4 - In the meantime, using some AI, I managed to lock myself out 2 more times, but I think I may have fixed some of the problems in my previous config. I will not touch it anymore - it is working again, but I am not sure whether it is correct:

Main AP:

login as: root
root@192.168.1.1's password:


BusyBox v1.36.1 (2025-11-29 00:26:18 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.4, r28959-29397011cc
 -----------------------------------------------------
root@Zyxel:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "Zyxel",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@Zyxel:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx8'
        option packet_steering '1'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config device
        option name 'zt44xegtq5'

config interface 'ZeroTier'
        option proto 'none'
        option device 'zt44xegtq5'
        option disabled '1'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key xxxxxx

config device
        option name 'eth1'
        option macaddr 'xxxx2'

config device
        option name 'phy1-ap0'

config device
        option name 'phy0-ap0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1/24'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        option ports 'lan1:t lan4:u*'

config device
        option name 'br-lan.30'
        option type '8021q'
        option ifname 'br-lan'
        option vid '30'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        option ports 'lan1:u* lan2:u* lan3:u*'

config interface 'tv'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '0'
        option device 'br-lan.30'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'

root@Zyxel:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5055'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        option dhcpv6 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host
        option ip '192.168.1.201'
        option mac 'xxxxx'
        option name 'debian'
        option dns '1'

config domain
        option name 'Eon_hol'
        option ip '192.168.1.214'

config domain
        option name 'Xiaomi_hub'
        option ip '192.168.1.195'

config domain
        option name 'TCL_TV'
        option ip '192.168.1.153'

config host
        option ip '192.168.1.213'
        option name 'Hass'
        option dns '1'
        option mac 'xxxxx'

config host
        option name 'S3cam'
        option dns '1'
        option ip '192.168.1.193'
        option mac 'xxxxx'

config host
        option name 'Xiaomihub'
        option dns '1'
        option mac 'xxx'
        option ip '192.168.1.195'

config domain
        option name 'debianHP'
        option ip '192.168.1.201'

config host
        option name 'Kidcam'
        option dns '1'
        option mac 'xxx'
        option ip '192.168.1.212'

config domain
        option name 'Kidcam'
        option ip '192.168.1.212'

config domain
        option name 'GreeClima'
        option ip '192.168.1.160'

config host
        option name 'android-49c191d86d3e81c6'
        option ip '192.168.1.133'
        option mac 'Fxxxx'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

config domain
        option name 'Gree'
        option ip '192.168.3.160'

config domain
        option name 'Chromecast'
        option ip '192.168.1.132'

config host
        option name 'wizswitch'
        option ip '192.168.1.233'
        option mac 'xxxxxC'

config domain
        option name 'Wizswitch'
        option ip '192.168.1.233'

config domain
        option name 'Proxmox'
        option ip '192.168.1.125'

config domain
        option name 'HomeAssistant'
        option ip '192.168.1.103'

config host
        option name 'nextcloudpi'
        option ip '192.168.1.176'
        list mac 'xxx2'

config host
        option ip '192.168.1.225'
  xxxx
        option name 'PS5'

config host
        option name 'NOMI-IPC-K7C-3H1WE1-E4FE'
        option ip '192.168.1.240'
xxx

config host
        option name 'IPCamera'
        option ip '192.168.1.205'
xxxx

config domain
        option name 'GreeHol'
        option ip '192.168.3.136'

config host
        option ip '192.168.1.112'
xxxx

config domain
        option name 'Outsidecam'
        option ip '192.168.1.112'

config domain
        option name '50TCL'
        option ip '192.168.1.207'

config host
        option name 'Proxmox'
        option ip '192.168.1.125'
XX
config host
        option name 'motioneye-lxc'
        option ip '192.168.1.114'
xxx

config host
        option name 'samba-lxc'
        option ip '192.168.1.104'
xxx

config host
        option name 'wlan0'
        option ip '192.168.3.207'
xxx

config domain
        option name 'Tuyaplug'
        option ip '192.168.3.207'

config host
        option name 'wyoming-whisper'
        option ip '192.168.1.138'
xxx

config domain
        option name 'Zyxel2'
        option ip '192.168.1.2'

config host
        option name 'C110'
        option ip '192.168.1.196'
xxxx

config dhcp 'tv'
        option interface 'tv'
        option start '50'
        option limit '150'
        option leasetime '12h'
        option force '1'

config host
        option name 'TCL50Bedroom'
        option ip '192.168.30.155'

config host
        option name 'TCL65Livingroom'
        option ip '192.168.30.102'

config host
        option name 'EON'
        option ip '192.168.30.156'

root@Zyxel:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'IoT'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list proto 'all'
        list src_ip '192.168.1.195'
        list src_ip '192.168.1.193'
        list src_ip '192.168.1.212'
        list src_ip '192.168.1.233'
        list src_ip '192.168.1.205'
        list src_ip 'xxxxf'
        list src_ip 'xxx'
        list src_ip '192.168.1.240'
        list src_ip '192.168.1.196'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'ZeroTier'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config redirect
        option name 'Elementum'
        option src 'wan'
        option dest 'lan'
        option src_dport '6893'
        option dest_ip '192.168.30.102'
        option dest_port '6893'
        option proto 'tcp udp'

config redirect
        option name 'Elementum'
        option src 'wan'
        option dest 'lan'
        option src_dport '6892'
        option dest_ip '192.168.30.156'
        option dest_port '6892'
        option proto 'tcp udp'

config redirect
        option name 'Elementum'
        option src 'wan'
        option dest 'lan'
        option src_dport '6891'
        option dest_ip '192.168.30.155'
        option dest_port '6891'
        option proto 'tcp udp'

config rule
        option src 'lan'
        option dest 'guest'
        option name 'Allow HA Discovery to IoT'
        list src_ip '192.168.1.103'
        option target 'ACCEPT'
        list dest_ip '192.168.3.136'
        list dest_ip '192.168.3.160'
        option enabled '0'

config rule
        option src 'lan'
        option name 'Allow mdns'
        list proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'
        list src_ip '192.168.1.103'
        option enabled '0'

config rule
        option src 'guest'
        option name 'Allow mdns'
        list proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'
        list src_ip '192.168.1.103'
        option enabled '0'

config zone
        option name 'tv'
        list network 'tv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'tv'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-TV'
        option src 'tv'
        option proto 'udp'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-TV'
        option src 'tv'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-mDNS-LAN-to-TV'
        option src 'lan'
        option dest 'tv'
        option proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'Allow-mDNS-TV-to-LAN'
        option src 'tv'
        option dest 'lan'
        option proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'Allow-Multicast-LAN-to-TV'
        option src 'lan'
        option dest 'tv'
        option proto 'udp'
        option dest_ip '224.0.0.0/4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Multicast-TV-to-LAN'
        option src 'tv'
        option dest 'lan'
        option proto 'udp'
        option dest_ip '224.0.0.0/4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Cast-Control-LAN-to-TV'
        option src 'lan'
        option dest 'tv'
        option proto 'tcp udp'
        option dest_port '8008 8009 8010 5556 5557 5558 1900'
        option target 'ACCEPT'


Dumb AP:

root@Zyxel2:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "Zyxel2",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@Zyxel2:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd72:b341:9239::/48'
        option packet_steering '1'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t*'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan4:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'tv'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option disabled '1'
        option auto '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option disabled '1'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'

config device
        option name 'br-lan.30'
        option type '8021q'
        option ifname 'br-lan'
        option vid '30'

root@Zyxel2:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.1.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@Zyxel2:~# cat /etc/config/firewall

Thanks

Kr

K

It is not necessary to tag br-lan (the default network) - one network can live untagged alongside 4095 virtual ones.
Otherwise I see no deficiencies.

