I am using a BT Home Hub 5A with OpenWrt 21.02.0 r16279-5cc0535800.
I have set up my Virgin Hub 3.0 in modem mode. I connected port 1 of the hub to the WAN port of the BT Home Hub 5A.
I read the steps in the PDF installation manual, section 9.3 regarding usage of the red WAN port via eth0.2 for the BT Home Hub 5a, "Quick DHCP client setup for WAN port", and I selected eth0.2 as the device for the WAN interface.
The Virgin Hub 3.0 seems to be sending me back a public IP, but I can't connect to any websites.
What might be causing this problem? Is there anything I need to change in LAN, to make sure requests to external IPs are sent to WAN correctly?
A quick check reveals that masquerading is not enabled on your wan zone (firewall). This would cause the problem you are seeing. I didn't check everything, but this should be fixed and tested first.
EDIT: I am seeing other issues that I'd recommend fixing, but they aren't related to your main issue.... I'll make those recommendations in another comment.
I disabled masquerading earlier today as I saw somewhere that it might fix the problem, but perhaps they meant the opposite (I am not sure what it does in all honesty)
I have re-enabled it, and it seems to have solved the problem, even though oddly I did have it enabled earlier and had the same issue - perhaps something I changed after, or a reboot, fixed it, but I wouldn't have noticed as I had this setting disabled.
In your dhcp config, you have several dhcp scopes that don't have associated networks... this is one of them
The others are SMART_5 and LAN_wifi.
In your firewall, it appears that you are trying to limit what the SMART network zone can do, especially with respect to accessing the router itself. As such, set input to reject or drop (currently it is set to accept). Then, you can remove the firewall rule "smart no router"
You don't need the following rules:
smart no wan (you have not enabled forwarding from smart > wan, so it is not allowed anyway, this rule is not necessary)
smart no outgoing (this is actually broader than the above rule, but again, you have not allowed forwarding from smart to any other zones, so again, this is already not allowed)
smart no incoming (similar, you have not enabled forwarding from any zones to smart, so this is not necessary because it is not enabled in the first plce)
dhcp incoming smart (this one is actually wrong -- port 80 is for http, but it is not enabled so it is not relevant)
Finally, on the redirect "zm" rule -- be careful about exposing port 80 to the internet on any devices... if the host at 192.168.1.224 isn't properly hardened, it will get compromised. A VPN is a preferred method of access and far more secure. This obviously depends on what is being hosted on that web server, why it is being exposed to the wan, and if VPN or other options are possible for the remote clients.
I'll go through your post in detail tomorrow and fix the issues, as it's late here - I shall sleep better knowing the WAN issue is resolved though. Thanks for being so helpful!