Please help me organize network into zones/subnets for management

Hello,

I need some help organizing my home network into zones or easily partitioned subnets so I can apply different rules to different parts.

My current network consists of:

  • router
  • 2 piholes for DNS (one for children, one for everyone else)
  • 3 switches
  • SmartThings/Philips hubs
  • devices needing static IPs
  • childsafe zone
  • general zone

I'd like to divide the network into at least 4 chunks: infrastructure, static IPs, childsafe zone, and everyone else. I need to be able to apply different firewall & port forwarding rules based on those chunks. For example:

  • If you are in the general zone, you get pihole #1 for DNS, and any outgoing requests to 53 get captured and redirected back to the pihole #1 using NAT.
  • if you are in the childsafe zone, you get pihole #2 for DNS and any outgoing requests to 53 get captured and redirected back to the pihole #2 using NAT.
  • If you are in the infrastructure zone, your outgoing DNS requests don't get redirected, since the piholes need to be able to make requests.

What's the best way to do this so I can make firewall rules that are easy to maintain and apply specifically to certain groups? Do I create more zones (in LuCI -> Network -> Firewall -> Zones)? Do I group them using manageable CIDRs, like 192.168.1.1/28? It doesn't seem like I can apply firewall rules or forwarding rules based on CIDR ranges, in LuCI at least.

I don't want to overcomplicate this, so I'm open to any suggestions.

My suggestion is to divide into:

  1. iot
  2. kids
  3. servers
  4. lan/general
  5. guests
  6. wan

You can have one interface per zone or combine interfaces into one zone.
With zones you can manage the interzone and intrazone traffic, so you probably want all zones to forward to wan. Then you can have rules to fine-tune the firewall settings.

Yes, it is possible in traffic rules, not in zones.
Some documentation.

2 Likes

I was looking over those docs and wondered, can I use netmasks/CIDR in src_ip when defining redirects? The docs say src_ip type is "ip address", which implies to me that it is a single IP?

i.e.:

config redirect
        option target 'DNAT'
        option name 'Redirect DNS queries to Pihole'
        option src 'lan'
        option src_ip '192.168.1.128/25'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.3'
        option dest_port '53'

Hey there.

You most likely want to have different network interfaces.

OpenWRT comes with a vlan called "lan" by default. That one uses vlan 1 on eth0, so "eth0.1" is most likely what you have already in your network configuration somewhere.

Let's say you have 192.168.1.1 for your router and 255.255.255.0 as subnet.
Let's say you want to use 192.168.1.0/28 for "servers", 192.168.1.16/28 for "kids" and 192.168.1.32/28 for "IoT".
How do you make sure your kids will always stay in that range? Static DHCP leases on your router? What if your kids learn how IP addresses are set statically e.g. on android and just put "192.168.1.8" in there?

Splitting a given network with no actual internal firewalling into several smaller subnets can be a strategic thing, a rule of thumb when trying to remember your devices by IP. But if it comes to network security, you will not get around setting up actual different interfaces on your router.

So I suggest you

  • read up on how OpenWRT deals with vlans,
  • set up different interfaces on your router (192.168.1.1/24 for LAN, 192.168.2.1/24 for IoT, 192.168.3.1/24 for kids)
  • and create firewall rules based on OpenWRT interfaces instead of IP ranges.

There might be a way to partition a single network into smaller segments by fiddling around with those firewall rules. But since every working example you will find on the internet isn't going to apply, I strongly advise against that.

As to your redirect question: To my knowledge, the "src_ip" really is only a single IP address. So what you're drafting will not work. Please go to Web UI (LuCI) and add your redirect there. There's some validation that will prevent you from saving if you did something wrong.

If you want to have any DNS traffic on a single interface hit the pi hole instead of your OpenWRT, you might just adjust this OpenWRT interface's DHCP setting and directly announce 192.168.1.3 as DNS server. Your clients will ask the pi hole directly and your OpenWRT won't have any DNS traffic to handle at all, neither by directly responding nor by redirecting requests.

Regards,
Stephan.

1 Like

Thanks - yes, the kid's devices get a static IP based on the MAC address.

I'm not worried so much about my kid trying to circumvent the system. There is always going to be some way for them to work around it, so the system does not have to be bulletproof. (Use cellular, at a friend's house, etc etc) I mainly want to protect her against internet nastiness.

Wouldn't the vlan idea of having a whole Class C for kids have the same issue with assigning static IPs? Why can't they just go in and stick another IP assignment in there?

The issue with doing all this in Luci is that not all valid options exist in Luci. For example, IPsets are valid for firewall rules but Luci doesn't seem to let you use them.

If you go with vlans, your router will look like this:

interface "lan":

  • IP 192.168.1.1/24
  • dynamic DHCP from 192.168.1.100 to 192.168.1.200
  • enough headroom for static IPs from 192.168.1.2 to 192.168.1.99

interface "kids":

  • IP 192.168.2.1/24
  • dynamic DHCP from 192.168.2.100 to 192.168.2.200
  • enough headroom for static IPs from 192.168.2.2 to 192.168.2.99

Firewall rules will only be defined "from kids to WAN", without any "source IP" to be typed in.

If your kids go and put e.g. 192.168.1.8 as static IP addresses in, they will simply not be able to establish any network connections because the router leg they are wired to doesn't accept anything from 192.168.1.* but only from 192.168.2.*.
And if they go and put e.g. 192.168.2.8 as static IP address in, they will be able to establish network connections to the router and to the internet, but they will undergo the very same firewall rules they would have if they had used dynamic DHCP.

1 Like

Sorry, I'm about to go read and watch some videos on VLANs, but most of their devices are wireless. Am I being too literal when reading what you wrote about "leg they are wired to"?

The leg is just a figure of speech. I'm not sure if you even find something in any kind of literature about that.

Your router has five different hardware ports. One is labeled "wan", four are labeled "lan1" to "lan4".

OpenWRT default setting is:

  • Internal interface "lan" is set to "br0.1", which is vlan 1.
  • Internal interface "wan" is set to "br0.2", which is vlan 2.
  • br0 is bridged to the hardware switch exposing those 5 ports.
  • hardware outlet "wan" is tagged as "vlan 2 untagged", which means it exposes whatever "br0.2", hence, whatever the internal "wan" port has to offer in terms of traffic.
  • hardware outlets "lan 1" to "lan 4" are tagged as "vlan 1", which means they expose whatever "br0.1", hence, whatever internal port "lan" brings.

So by default, the internal interface "lan" and the hardware ports "lan 1" to "lan 4" are aligned.

Now imagine you invent an internal interface "kids".
Use vlan 3 for them.
Make the hardware port "lan 4" not be tagged "vlan 1 untagged" but rather "vlan 3 untagged".
Now lan ports 1 to 3 are "lan" and lan port 4 is "kids".

Now add a new kids SSID.
Technically, you don't wire the SSID to the hardware port "lan 4" but to the internal interface called "kids".

This internal interface has the IP address 192.168.2.1.

Now imagine your kids using an android device connected to the kids SSID.
What will be the default gateway they are using?
It's 192.168.2.1 on the internal interface "kids".
If you hook up a regular computer on lan 4 and sniff all packets there, you will see traffic between your kids and your router's 192.168.2.1 -- but no traffic at all from any of your devices on your "lan" network. They are completely separated.

I'm just lacking a professional name for that "internal interface" thingy. Interfaces are all of them. The wifi is an interface, the hardware outlet is an interface, the internal (logical) device that has an IP address assigned to it is an interface.

So whenever I talk about a direct connection with no routing involved but only "layer 2" in terms of OSI, that's when I'm calling it "the router has a leg in this network". Quite literally.

But as mentioned, that's nowhere near an official term.
Sorry for the confusion.

2 Likes

You can use cidr notation.

Regarding how to make sure the kids will stay in the kids' network, you can create a separate SSID for their devices which will be attached to a kids interface and assign it to the kids firewall zone. Same applies for all the other zones/interfaces. There is no need to mess with vlans, unless there are wired devices.

2 Likes

Also cross-posted on reddit -

Ah yes, I'm starting to see how this would work and have been able to set up SSIDs for a kids network that uses the correct pihole for DNS. One issue, however, is that because it is on a different zone than the pihole, all the DNS requests appear to come from the router instead of the device. Is there a way around this?

Advertise pihole as dns with option 6.
DNAT to pihole everything going to port 53 and not to the pihole.

1 Like
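As an added check (example code written for this thread, not from the forum or the OpenWrt project): a small parser for `uci export firewall` output that reports, per non-wan zone, which Pi-hole its port-53 DNAT sends clients to and flags a capture rule that only covers one protocol. The config text is a constructed sample; zone names and Pi-hole addresses follow the thread, and the default-proto behaviour assumed is fw3's (tcp and udp when no proto is given).

```python
import shlex

# Constructed sample: lan and kidzone have a port-53 DNAT to their Pi-hole;
# kidzone's rule only lists udp and iot has no rule yet, so the check reports.
SAMPLE_FIREWALL = """\
config zone
	option name 'lan'

config zone
	option name 'wan'

config zone
	option name 'kidzone'

config zone
	option name 'iot'

config redirect
	option name 'lan DNS to pihole'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.1.3'
	option dest_port '53'

config redirect
	option name 'kidzone DNS to pihole'
	option target 'DNAT'
	option src 'kidzone'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.1.54'
	option dest_port '53'
	list proto 'udp'
"""


def parse_uci(text):
    """Parse `uci export` text into sections: {"type", "name", "opts"}.
    `option` and `list` values are both stored as lists under their key."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts or parts[0] == "package":
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "opts": {}})
        elif parts[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def check_dns_capture(text):
    """For every zone except wan, report the Pi-hole its port-53 DNAT sends
    clients to (None if the zone has no capture rule) and defects in the rule."""
    report = {}
    sections = parse_uci(text)
    for s in sections:
        if s["type"] == "zone" and s["opts"]["name"][0] != "wan":
            report[s["opts"]["name"][0]] = {"pihole": None, "issues": []}
    for s in sections:
        o = s["opts"]
        if (s["type"] != "redirect" or o.get("target", [""])[0] != "DNAT"
                or o.get("src_dport", [""])[0] != "53"):
            continue
        zone = o.get("src", [None])[0]
        if zone not in report:
            continue
        entry = report[zone]
        entry["pihole"] = o.get("dest_ip", [None])[0]
        # With no proto given fw3 matches tcp and udp; an explicit list must
        # still cover both, or DNS over the missing protocol bypasses the Pi-hole.
        protos = set(o.get("proto", []))
        if protos and not {"tcp", "udp"} <= protos:
            entry["issues"].append(
                f"proto {sorted(protos)} does not cover both tcp and udp")
        if o.get("enabled", ["1"])[0] == "0":
            entry["issues"].append("redirect is disabled")
    return report


if __name__ == "__main__":
    for zone, info in check_dns_capture(SAMPLE_FIREWALL).items():
        print(f"{zone:8s} -> {info['pihole'] or 'NO DNS CAPTURE'} {info['issues']}")
```

Run it against a real `uci export firewall` by reading that output into `check_dns_capture` instead of the sample; a zone reported with `None` still lets clients with a hard-coded resolver bypass the Pi-hole.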

OK, I'm definitely making progress I think. I have a Wifi SSID set up for IOT assigned to 192.168.3.1/24. Now, I have a few hubs (SmartThings, Hue) that have ethernet connections instead of Wifi. Is it possible to get them a static or dynamic IP in that range as well? If I just assign one using the normal LUCI interface, it doesn't work.

Yes, it is possible. They need to be assigned to the correct interface/vlan/port.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1 Like

OK, it's long....

{
	"kernel": "5.4.179",
	"hostname": "router",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4 R7500v2",
	"board_name": "netgear,r7500v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ipq806x/generic",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf1:fab2:3931::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.3'
	option ipv6 '0'
	option delegate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option ipv6 '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	list dns '9.9.9.11'
	list dns '149.112.112.11'
	option device 'if_guest'

config interface 'kidzone'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.54'
	option device 'if_kidzone'

config interface 'iot'
	option proto 'static'
	option device 'if_iot'
	option netmask '255.255.255.0'
	list dns '192.168.1.3'
	option ipaddr '192.168.3.1'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option channel '144'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'mypassword'
	option ieee80211w '1'
	option ssid 'my5G'
	option encryption 'sae-mixed'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option cell_density '0'
	option htmode 'HT40'
	option channel '11'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'mypassword'
	option ssid 'my24g'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option isolate '1'
	option encryption 'psk2'
	option key 'mypassword'
	option wpa_disable_eapol_key_retries '1'
	option network 'Guest'
	option ifname 'if_guest'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'kidzone'
	option encryption 'sae-mixed'
	option key 'mypassword'
	option network 'kidzone'
	option ifname 'if_kidzone'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option ifname 'if_iot'
	option key 'mypassword'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option network 'iot'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.1.3'
	option start '128'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac '[redacted]'
	option dns '1'
	option name 'switch1'
	option ip '192.168.1.2'

config host
	option name 'pi'
	option dns '1'
	option mac '[redacted]'
	option ip '192.168.1.3'

config host
	option name 'switch2'
	option dns '1'
	option mac '[redacted]'
	option ip '192.168.1.4'

config host
	option name 'switch3'
	option dns '1'
	option mac '[redacted]'
	option ip '192.168.1.5'

config host
	option name 'kid-iPad'
	option dns '1'
	option mac '[redacted]'
	option ip '192.168.1.96'
	option tag 'child_zone'

config host
	option mac '[redacted]'
	option dns '1'
	option name 'kid_tablet'
	option ip '192.168.1.97'
	option tag 'child_zone'

config tag 'child_zone'
	option dhcp_option '6,192.168.1.54'

config dhcp 'Guest'
	option interface 'Guest'
	option limit '150'
	option leasetime '12h'
	option start '128'
	list dhcp_option '6,9.9.9.11,149.112.112.11'
	list ra_flags 'none'

config dhcp 'kidzone'
	option interface 'kidzone'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.54'
	list ra_flags 'none'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.3'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config ipset
	option name 'piholes'
	option match 'src_ip'
	option storage 'hash'
	option enabled '1'
	list entry '192.168.1.3'
	list entry '192.168.1.54'

config ipset
	option name 'infrastructure'
	option match 'src_ip'
	option storage 'hash'
	option enable '1'
	list entry '192.168.1.1/27'

config ipset
	option name 'static_zone'
	option match 'src_ip'
	option storage 'hash'
	option enable '1'
	list entry '192.168.1.32/27'

config ipset
	option name 'child_zone'
	option match 'src_ip'
	option storage 'hash'
	option enabled '1'
	list entry '192.168.1.96/27'

config ipset
	option name 'general_zone'
	option match 'src_ip'
	option storage 'hash'
	option enabled '1'
	list entry '192.168.1.128/25'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'HTTP'
	option family 'ipv4'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option name 'HTTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config redirect
	option dest_port '32400'
	option src 'wan'
	option name 'Plex'
	option src_dport '32400'
	option target 'DNAT'
	option dest_ip '192.168.1.54'
	option dest 'lan'

config redirect
	option src 'wan'
	option name 'rTorrent'
	option target 'DNAT'
	option dest_ip '192.168.1.54'
	option dest 'lan'
	option src_dport '42347-42354'
	option dest_port '42347-42354'

config redirect
	option target 'DNAT'
	option name 'HTTPS'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.54'
	option dest_port '443'
	option src 'wan'

config redirect
	option target 'DNAT'
	option name 'HTTP'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.54'
	option dest_port '80'

config nat
	option name 'Prevent unexpected source errors from DNS clients'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.3'
	option dest_port '53'
	option target 'MASQUERADE'
	option enabled '0'

config include
	option path '/etc/firewall.cs'
	option enabled '1'
	option reload '1'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.1.54'
	option dest_port '51820'
	list proto 'tcp'
	list proto 'udp'
	option reflection_src 'external'

config rule
	option name 'Wireguard NAT'
	option src 'wan'
	option src_port '51820'
	option dest 'lan'
	list dest_ip '192.168.1.54'
	option dest_port '51280'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Webdav'
	option src 'wan'
	option src_dport '5001'
	option dest 'lan'
	option dest_ip '192.168.1.54'
	option dest_port '5001'

config rule
	option name 'Parental Kill Switch'
	option src 'lan'
	list src_mac '[redacted]'
	list src_mac '[redacted]'
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'Guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	list network 'Guest'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest DHCP'
	option src 'Guest'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.1.1'
	option src_port '68'
	option dest_port '67'

config zone
	option name 'kidzone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'kidzone'

config forwarding
	option src 'kidzone'
	option dest 'lan'

config forwarding
	option src 'kidzone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'kidzone'

config nat
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'MASQUERADE'
	option dest_ip '192.168.1.54'
	option name 'Prevent source errors from DNS'
	option src 'lan'
	option enabled '0'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'iot DHCP'
	option src 'iot'
	option src_port '68'
	option dest 'lan'
	list dest_ip '192.168.1.1'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'iot'
	option dest 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet [redacted-externalIP]/24 brd [redacted-externalIP] scope global eth0.2
       valid_lft forever preferred_lft forever
32: if_guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.99.1/24 brd 192.168.99.255 scope global if_guest
       valid_lft forever preferred_lft forever
33: if_kidzone: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global if_kidzone
       valid_lft forever preferred_lft forever
34: if_iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global if_iot
       valid_lft forever preferred_lft forever
default via [redacted-externalIP] dev eth0.2 proto static src [redacted-externalIP] 
[redacted-externalIP]/24 dev eth0.2 proto kernel scope link src [redacted-externalIP] 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.3.0/24 dev if_iot proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev if_kidzone proto kernel scope link src 192.168.4.1 
192.168.99.0/24 dev if_guest proto kernel scope link src 192.168.99.1 
broadcast [redacted-externalIP] dev eth0.2 table local proto kernel scope link src [redacted-externalIP] 
local [redacted-externalIP] dev eth0.2 table local proto kernel scope host src [redacted-externalIP] 
broadcast [redacted-externalIP] dev eth0.2 table local proto kernel scope link src [redacted-externalIP] 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.3.0 dev if_iot table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev if_iot table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev if_iot table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev if_kidzone table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev if_kidzone table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev if_kidzone table local proto kernel scope link src 192.168.4.1 
broadcast 192.168.99.0 dev if_guest table local proto kernel scope link src 192.168.99.1 
local 192.168.99.1 dev if_guest table local proto kernel scope host src 192.168.99.1 
broadcast 192.168.99.255 dev if_guest table local proto kernel scope link src 192.168.99.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Here you don't declare the DNS that will be advertised to the users, but the upstream DNS. For the first one you need to use option 6 in dhcp options. Same applies to kidzone and iot.

Change this into:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 6t'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.3'
	option ipv6 '0'

config interface 'iot'
	option proto 'static'
	option device 'br_iot'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'

Restart network and now port 3 (or whatever port is connected to switchport 3) will belong to iot.

1 Like

Cool, thanks! So both devices coming in via the IOT wifi and attached to that port will get IPs in the 192.168.1.3 range?

I'm a little confused by what you mean by "upstream DNS". Do I need to put anything there if I'm using option 6 in DHCP?

Yes

Upstream DNS is used by the router and for lan devices querying the router.

Thanks. I have an existing config interface 'iot' line in networks already. Do I need to rename one?

Hmm, I'm having trouble making this work. I assume the br-iot/br_iot difference is just a typo? I made them both br_iot.

Anyway, it isn't working and it seems to mess up the 5G radio for some reason which makes no sense to me!

I tried looking and following a YouTube video to just get the initial vlan working, but the example kept showing lan0 and lan1 interfaces and I'm not sure how to recreate that on my device. I see eth0.0 (vlan0) is assigned to the physical LAN ports and eth0.1 (vlan1) is to the physical WAN port. br-lan bridges the LAN and WIFI.

I have an additional WIFI ssid for IOT, so how do I combine that WiFi with a devices on a physical LAN port?