Security review home network configuration

Installing and Using OpenWrt
1

Hi everyone,

it is time for a little security review of my home network, as I got a little confused when changing from swconfig to DSA and want to make sure after implementing a new firewall zone for some smart home devices that my configuration is fine.

In general my logic:

I have zone LAN (LAN1 and wifi 1) for my one Laptop and the only zone for reaching the OpenWRT interface and SSH directly (over LAN and wifi).
I have zone NOLAN with LAN2 and 3 and 2 wifis. All devices connected to those networks should not have the possibility to talk to each other or even see and reach each other.
And last I have zone SmartHome with LAN4 and one wifi, as both zones need to be in the same network to control my smart home devices via my smartphone.

Here is my network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix ''

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '127.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	option dns '0::1'

config interface 'LAN3'
	option device 'lan3'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.3.1/24'

config interface 'LAN2'
	option proto 'static'
	option device 'lan2'
	option ip6assign '60'
	list ipaddr '192.168.2.1/24'

config interface 'WIFIBUSINESS'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.4.1/24'

config interface 'WIFIGUESTS'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.7.1/24'

config device
	option name 'lan4'

config device
	option type 'bridge'
	option name 'br-smarthome'
	list ports 'lan4'

config interface 'SMARTHOME'
	option proto 'static'
	option device 'br-smarthome'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

my wireless config:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path ''
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'WIFIBUSINESS'
	option ieee80211w '1'
	option key ''
	option encryption 'sae-mixed'
	option ssid 'L_Business'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option key ''
	option network 'WIFIGUESTS'
	option ieee80211w '1'
	option encryption 'sae-mixed'
	option ssid 'L_Guests'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path ''
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key ''
	option network 'lan'
	option ieee80211w '2'
	option encryption 'sae-mixed'
	option ssid 'L_T1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option key ''
	option ieee80211w '2'
	option encryption 'sae'
	option ssid 'L_T2'
	option network 'SMARTHOME'

and here is my firewall config:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option name 'Drop-Ping'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip ''
	option dest_ip ''
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip ''
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option dest_port '53'
	option target 'ACCEPT'
	option name 'AllowDNS-NOLAN'
	option src 'NOLAN'

config rule
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'NOLAN'
	option name 'AllowDHCP-NOLAN'

config zone
	option name 'NOLAN'
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	list network 'LAN2'
	list network 'LAN3'
	list network 'WIFIBUSINESS'
	list network 'WIFIGUESTS'

config forwarding
	option dest 'wan'
	option src 'NOLAN'

config zone
	option name 'SmartHome'
	option output 'ACCEPT'
	list network 'SMARTHOME'
	option input 'DROP'
	option forward 'ACCEPT'

config forwarding
	option src 'SmartHome'
	option dest 'wan'

config rule
	option name 'AllowDNS-SmartHome'
	option src 'SmartHome'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'AllowDHCP-SmartHome'
	option src 'SmartHome'
	option dest_port '67-68'
	option target 'ACCEPT'

Should I include any other config for this purpose?

Any fatal mistakes or tips for my home network?
Thanks in advance

Cheers,
Lasko