Not sure why routing to local DNS on separate subnet is broken?

I started using OpenWrt earlier this year on a GL.iNet Flint 2 (GL -MT6000). I flashed the firmware to stock OpenWrt 24.10.0, r28427-6df0e3d02a, and the defaults have been great. I made some tweaks such as adding some static ips and adding a dhcp option to advertise my local dns server (added unbound to a pihole installation) to clients. That's all working, but now I want to set up a subnet for IoT devices. The problem is, I don't want the IoT network to communicate with my main lan except for requests to the dns server. i thought everything was configured correctly (I followed the OpenWrt Guest Network guide and added some additional forwarding rules), but traffic can't flow to the dns server. Right now, the IoT network is wireless only. I'd appreciate some assistance.

In the image, purple is IoT and green is the default LAN. I did test connecting a device and then adding a public dns server manually, and that worked. So I know the issue is either reaching the local dns server or coming back.

IMG_5813895×873 45.6 KB

Below (I think) are the necessary config files.

# /etc/conf/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix *****
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.33.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.25.1'
        option netmask '255.255.255.0'

# /etc/conf/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip ******
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'
        option log '1'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

config rule

config rule
        option name 'Allow-DNS-iot'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip '192.168.33.2'

config rule
        option name 'Allow-DHCP-iot'
        list proto 'udp'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'

Output of ip route show

default via <public_ip> dev eth1  src <public_ip> 
<public_ip> dev eth1 scope link  src <public_ip> 
192.168.25.0/24 dev br-iot scope link  src 192.168.25.1 
192.168.33.0/24 dev br-lan scope link  src 192.168.33.1

Is Pi-Hole configured to allow queries from 192.168.25.0/24?

I changed the pihole's interface setting to Respond only on interface eth0. With that paired with the traffic rule previously configured, custom DNS is working. I'm not sure if that pihole setting is ideal from a security standpoint. I saw some suggestions online about configuring multiple ips on a single interface, so the pihole can be on each subnet "locally", but I'm not entirely sure how to set that up. Something to look into I guess. Thanks for your help.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.