Separate other router via VLAN

Hi,

I'm trying to create two completely separated networks with two routers, but I'm having some issues with my setup and was hoping someone could point me in the right direction. I have the following setup:

  • TP-link Archer C7 running OpenWRT (router A)
  • An ASUS router running the stock firmware (router B)

I want to share the internet connection from router A to router B over a wire, where LAN port 4 of router A is connected to the WAN port of router B. I would like to make the network of router A completely inaccessible from router B and vice versa, i.e. I want to share the internet connection from router A to router B only and nothing more.

I have done all my configuration on router A, i.e. my OpenWRT router, assuming that router B would just blindly think it has a regular internet connection. The configuration on router A is as follows:

  • I created a VLAN for LAN port 4 with ID 30.
  • I created an interface, isolated_if4, with static IP 192.168.200.1 in order for router B to have 192.168.200.0/24 as its WAN address. Under Physical Settings - Interface, I selected my new VLAN and under Firewall Settings, I assigned the interface to a new firewall rule.
  • Being a new user, I'm not allowed to post more than 1 image, but the new firewall, isolated_4, applies to the new interface, isolated_if4, and allows forward to destination zone wan only. Input and forward are set to reject and output is set to accept.

However, using this configuration, I noticed the following issues:

  • Router B can still access the LuCI interface of router A by going to 192.168.200.1, i.e. it does not seem to be isolated.
  • Router B can still access the internet even if I set the outbound traffic to reject for the firewall zone.

I'm fairly new to networking despite having good knowledge of Linux systems etc., so please bear with me.

Any help is appreciated!
Thanks

Hello,
First, move the tagged port for vlan30 from CPU eth0 to CPU eth1.

Other than that, post the following to see what is missing:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \

You just plug in.

:confused:

But it's downstream...

See: OpenWrt guests can see hosts in upstream LAN

Aaaah, I see, you're making an isolated network, cool!

In the following scenario with no special setup other than ensuring that the LAN networks are not the same between the two routers:

Internet > Router A > Router B

If router B has a firewall enabled (and usually NAT), devices connected to Router A will not be able to connect to those connected to Router B. But router B's devices can connect to Router A's hosts. So by default, there is a one-way restriction. If you wish to restrict in both directions, you would do this by adding a rule to router B's firewall. The downside here is that router B's devices are double-NAT'd which can sometimes cause issues, is less efficient, and the overall system is harder to administer.

That said, you could consider only using router A and setting up VLANs to create the 2 distinct networks, both of which operate without double-NAT, but can be allowed to connect to each other entirely or selectively, or be completely isolated, if desired. VLANs are the more efficient method of configuration.


Thank you for your reply. I have moved the tagged port to CPU eth1 as you suggested. Below is the output for each double command line where any "xyz" is a replacement for IPs etc. /etc/firewall.user only contains comments (confirmed with cat and not only head) so no need to post that.

Due to the length of the post, I'll divide it into two parts as only 32000 characters are allowed per post.

root@OpenWrt:~# uci export network; uci export wireless
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xyz'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '4 3 2 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '30'
	option ports '5 0t'

config interface 'isolated_if4'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option key 'xyz'
	option ssid 'xyz'
	option encryption 'psk2+ccmp'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option key 'xyz'
	option ssid 'xyz'
	option encryption 'psk2+ccmp'

config wifi-iface 'wifinet2'
	option network 'guest'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'xyz'
	option encryption 'psk2+ccmp'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option key 'xyz'
root@OpenWrt:~# uci export dhcp; uci export firewall;
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	option leasetime '6h'

config dhcp 'isolated_if4'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'isolated_if4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Guest DNS'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Guest DHCP'
	option dest_port '67-68'

config forwarding
	option dest 'wan'
	option src 'isolated_4'

config rule
	option dest_port '53'
	option src 'isolated_4'
	option name 'Isolated port 4 DNS'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'isolated_4'
	option name 'Isolated port 4 DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'isolated_4'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'isolated_4 isolated_if4'
	option output 'ACCEPT'
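
The posted uci export contains two inconsistencies that can be checked mechanically rather than by eye. VLAN 30 is now on ports '5 0t', so its tagged CPU port is 0; the lan section (eth1.1 on '4 3 2 0t') shows port 0 belongs to eth1, and the wan section (eth0.2 on '6t 1') shows port 6 belongs to eth0, so isolated_if4 needs ifname eth1.30 rather than eth0.30 to see that VLAN's traffic. Separately, the isolated_4 zone lists 'isolated_4 isolated_if4' as its networks, but no interface named isolated_4 exists. The linter below is an added example for this thread, not OpenWrt or fw3 code: it parses an abridged excerpt of the dump above, reports both findings, and shows the corrected form (FIXED) coming back clean. The CPU_PORTS map is an assumption read off the lan/wan sections as just described.

```python
"""Sanity checks over an OpenWrt `uci export` dump (swconfig syntax, as on the
Archer C7 in this thread).  Added example for the thread, not OpenWrt/fw3 code."""
import shlex
from collections import defaultdict

# CPU port -> kernel device, read off the posted lan/wan sections
# (lan = eth1.1 on '0t', wan = eth0.2 on '6t'), i.e. the Archer C7 v2 layout.
CPU_PORTS = {'0': 'eth1', '6': 'eth0'}

# Abridged excerpt of the network and firewall packages posted above.
SAMPLE = """\
package network
config interface 'lan'
	option ifname 'eth1.1'
config interface 'wan'
	option ifname 'eth0.2'
config interface 'isolated_if4'
	option ifname 'eth0.30'
config switch_vlan
	option vid '1'
	option ports '4 3 2 0t'
config switch_vlan
	option vid '2'
	option ports '6t 1'
config switch_vlan
	option vid '30'
	option ports '5 0t'
package firewall
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'isolated_4'
	option network 'isolated_4 isolated_if4'
"""

# The same dump with both problems fixed: the interface follows the VLAN to
# eth1, and the zone lists only an interface that exists.
FIXED = (SAMPLE.replace("ifname 'eth0.30'", "ifname 'eth1.30'")
               .replace("network 'isolated_4 isolated_if4'", "network 'isolated_if4'"))


def parse_uci(text):
    """{package: [section]}; section = {'type','name','opts'}; 'option' -> str, 'list' -> [str]."""
    packages, package, section = defaultdict(list), None, None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == 'package':
            package = args[0]
        elif kw == 'config':
            section = {'type': args[0], 'name': args[1] if len(args) > 1 else None, 'opts': {}}
            packages[package].append(section)
        elif kw == 'option':
            section['opts'][args[0]] = args[1] if len(args) > 1 else ''
        elif kw == 'list':
            section['opts'].setdefault(args[0], []).append(args[1])
    return packages


def lint_vlan_ifnames(network, cpu_ports=CPU_PORTS):
    """Flag interfaces named ethX.V whose VLAN V is not tagged on X's CPU port."""
    vlan_ports = {s['opts'].get('vid', s['opts'].get('vlan')): s['opts'].get('ports', '').split()
                  for s in network if s['type'] == 'switch_vlan'}
    findings = []
    for s in network:
        dev, _, vid = s['opts'].get('ifname', '').partition('.')
        if s['type'] != 'interface' or not vid or not dev.startswith('eth'):
            continue
        tagged = sorted(p[:-1] for p in vlan_ports.get(vid, []) if p.endswith('t'))
        devs = sorted(cpu_ports.get(p, '?') for p in tagged)
        if dev not in devs:
            findings.append(f"interface {s['name']}: ifname {dev}.{vid}, but VLAN {vid} "
                            f"is tagged only on CPU port(s) {tagged} = {devs}")
    return findings


def lint_zone_networks(network, firewall):
    """Flag zone 'network' entries that name no defined interface."""
    known = {s['name'] for s in network if s['type'] == 'interface'}
    findings = []
    for s in (z for z in firewall if z['type'] == 'zone'):
        nets = s['opts'].get('network', [])
        nets = nets.split() if isinstance(nets, str) else nets   # option vs list form
        for n in nets:
            if n not in known:
                findings.append(f"zone {s['opts'].get('name')}: network '{n}' is not an interface")
    return findings


def lint(text):
    cfg = parse_uci(text)
    return lint_vlan_ifnames(cfg['network']) + lint_zone_networks(cfg['network'], cfg['firewall'])


if __name__ == '__main__':
    for dump in (SAMPLE, FIXED):
        print(lint(dump) or ['no findings'])
```

Run against the excerpt it prints the two findings, and against FIXED nothing; after changing the ifname, `/etc/init.d/network restart` is needed for the new eth1.30 device to appear and for fw3 to bind the zone to it.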

Continuing:

Running cat on /etc/firewall.user just showed comments, so no need to post it.

root@OpenWrt:~# iptables-save -c; ip6tables-save -c;
# Generated by iptables-save v1.8.3 on Wed May 20
*nat
:PREROUTING ACCEPT [3703:808833]
:INPUT ACCEPT [687:47523]
:OUTPUT ACCEPT [608:52431]
:POSTROUTING ACCEPT [75:9765]
:postrouting_guest_rule - [0:0]
:postrouting_isolated_4_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_isolated_4_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_isolated_4_postrouting - [0:0]
:zone_isolated_4_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3703:808833] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2803:757816] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[774:43078] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_prerouting
[126:7939] -A PREROUTING -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_prerouting
[1920:445268] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[12:2541] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1845:435503] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_postrouting
[2:376] -A POSTROUTING -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[2:376] -A zone_isolated_4_postrouting -m comment --comment "!fw3: Custom isolated_4 postrouting rule chain" -j postrouting_isolated_4_rule
[126:7939] -A zone_isolated_4_prerouting -m comment --comment "!fw3: Custom isolated_4 prerouting rule chain" -j prerouting_isolated_4_rule
[12:2541] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2803:757816] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1845:435503] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1845:435503] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[774:43078] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed May 20
# Generated by iptables-save v1.8.3 on Wed May 20
*mangle
:PREROUTING ACCEPT [802152:1003957299]
:INPUT ACCEPT [6141:638677]
:FORWARD ACCEPT [794367:1002964667]
:OUTPUT ACCEPT [6228:2374118]
:POSTROUTING ACCEPT [800567:1005337557]
[156:9384] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 20
# Generated by iptables-save v1.8.3 on Wed May 20
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_isolated_4_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_isolated_4_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_isolated_4_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_isolated_4_dest_ACCEPT - [0:0]
:zone_isolated_4_dest_REJECT - [0:0]
:zone_isolated_4_forward - [0:0]
:zone_isolated_4_input - [0:0]
:zone_isolated_4_output - [0:0]
:zone_isolated_4_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1045:99184] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5098:539597] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3007:415483] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[914:41404] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[722:53362] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1249:62669] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_input
[120:8083] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_input
[794367:1002964667] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[793457:1002491549] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[902:472606] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_forward
[8:512] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1045:99184] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5185:2275806] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4610:2226495] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:5181] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[552:43426] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_output
[3:704] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_output
[1187:48874] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[62:13795] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[914:41404] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o wlan1-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan1-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i wlan1-1 -m comment --comment "!fw3" -j reject
[3:704] -A zone_isolated_4_dest_ACCEPT -o eth0.30 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_isolated_4_dest_REJECT -o eth0.30 -m comment --comment "!fw3" -j reject
[8:512] -A zone_isolated_4_forward -m comment --comment "!fw3: Custom isolated_4 forwarding rule chain" -j forwarding_isolated_4_rule
[8:512] -A zone_isolated_4_forward -m comment --comment "!fw3: Zone isolated_4 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_isolated_4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3" -j zone_isolated_4_dest_REJECT
[120:8083] -A zone_isolated_4_input -m comment --comment "!fw3: Custom isolated_4 input rule chain" -j input_isolated_4_rule
[0:0] -A zone_isolated_4_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[118:7427] -A zone_isolated_4_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[2:656] -A zone_isolated_4_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Isolated port 4 DHCP" -j ACCEPT
[0:0] -A zone_isolated_4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_isolated_4_input -m comment --comment "!fw3" -j zone_isolated_4_src_REJECT
[3:704] -A zone_isolated_4_output -m comment --comment "!fw3: Custom isolated_4 output rule chain" -j output_isolated_4_rule
[3:704] -A zone_isolated_4_output -m comment --comment "!fw3" -j zone_isolated_4_dest_ACCEPT
[0:0] -A zone_isolated_4_src_REJECT -i eth0.30 -m comment --comment "!fw3" -j reject
[20:5181] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[902:472606] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[902:472606] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[722:53362] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[722:53362] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[20:5181] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[20:5181] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[722:53362] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:1228] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1434:515316] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1249:62669] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1249:62669] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[552:43426] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[552:43426] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1249:62669] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed May 20
# Generated by ip6tables-save v1.8.3 on Wed May 20
*mangle
:PREROUTING ACCEPT [251:33831]
:INPUT ACCEPT [116:9713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [239:32440]
:POSTROUTING ACCEPT [241:32544]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 20
# Generated by ip6tables-save v1.8.3 on Wed May 20
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:268]
:forwarding_guest_rule - [0:0]
:forwarding_isolated_4_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_isolated_4_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_isolated_4_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_isolated_4_dest_ACCEPT - [0:0]
:zone_isolated_4_dest_REJECT - [0:0]
:zone_isolated_4_forward - [0:0]
:zone_isolated_4_input - [0:0]
:zone_isolated_4_output - [0:0]
:zone_isolated_4_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[116:9713] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[55:4833] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:240] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[59:4776] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2:104] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[239:32440] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[86:11154] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[55:7180] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[91:13454] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[4:384] -A OUTPUT -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[3:240] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[4:384] -A zone_guest_dest_ACCEPT -o wlan1-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan1-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[4:384] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[4:384] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i wlan1-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_isolated_4_dest_ACCEPT -o eth0.30 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_isolated_4_dest_REJECT -o eth0.30 -m comment --comment "!fw3" -j reject
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3: Custom isolated_4 forwarding rule chain" -j forwarding_isolated_4_rule
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3: Zone isolated_4 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3" -j zone_isolated_4_dest_REJECT
[0:0] -A zone_isolated_4_input -m comment --comment "!fw3: Custom isolated_4 input rule chain" -j input_isolated_4_rule
[0:0] -A zone_isolated_4_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[0:0] -A zone_isolated_4_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[0:0] -A zone_isolated_4_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Isolated port 4 DHCP" -j ACCEPT
[0:0] -A zone_isolated_4_input -m comment --comment "!fw3" -j zone_isolated_4_src_REJECT
[0:0] -A zone_isolated_4_output -m comment --comment "!fw3: Custom isolated_4 output rule chain" -j output_isolated_4_rule
[0:0] -A zone_isolated_4_output -m comment --comment "!fw3" -j zone_isolated_4_dest_ACCEPT
[0:0] -A zone_isolated_4_src_REJECT -i eth0.30 -m comment --comment "!fw3" -j reject
[55:7180] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[59:4776] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[59:4776] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[55:7180] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[55:7180] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[59:4776] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[91:13454] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2:104] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[2:104] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[91:13454] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[91:13454] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed May 20
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.200.1/24 brd 192.168.200.255 scope global eth0.30
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xyz/24 brd xyz scope global eth0.2
       valid_lft forever preferred_lft forever
13: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.1/24 brd 192.168.100.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
default via xyz dev eth0.2  src xyz 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.100.0/24 dev wlan1-1 scope link  src 192.168.100.1 
192.168.200.0/24 dev eth0.30 scope link  src 192.168.200.1 
xyz/24 dev eth0.2 scope link  src xyz 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.100.0 dev wlan1-1 table local scope link  src 192.168.100.1 
local 192.168.100.1 dev wlan1-1 table local scope host  src 192.168.100.1 
broadcast 192.168.100.255 dev wlan1-1 table local scope link  src 192.168.100.1 
broadcast 192.168.200.0 dev eth0.30 table local scope link  src 192.168.200.1 
local 192.168.200.1 dev eth0.30 table local scope host  src 192.168.200.1 
broadcast 192.168.200.255 dev eth0.30 table local scope link  src 192.168.200.1 
broadcast xyz dev eth0.2 table local scope link  src xyz 
local xyz dev eth0.2 table local scope host  src xyz 
broadcast xyz dev eth0.2 table local scope link  src xyz 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Thank you for your suggestion. However, the two router setup is needed to provide different networks in a relatively large area where I can't use wifi or a mesh network. Router B will be used by guests only, which is why I want that router's network separated from the network of router A.

The optimal situation here is to setup router A with VLANs -- a trusted LAN + a guest network. The guest network would be configured with complete isolation and no access to the router itself (except for DHCP and DNS), and it would be associated with one of the physical ports on the router. From there, you'd connect an ethernet cable to router B -- router B would be configured as a dumb AP.

Doing it this way gives you complete management control over the networks, including bandwidth limiting of the guest network, if desired.

Thank you for confirming the setup I'm trying to achieve. This is exactly what I'm trying to set up :slight_smile: The guest network uses VLAN 30 with interface isolated_if4 and firewall zone isolated_4 mentioned in my previous posts. The guest network is not to be confused with the guest wifi which I also have on router B. The guest wifi simply uses an interface and a firewall zone called "guest".

I would recommend approaching this in 2 parts. Order is not critical, but configure and test each part on its own so that you don't chase your tail if things don't work.

Create your guest VLAN on OpenWrt

Configure a dumb AP.

Personally, I'd start with the guest VLAN and test it via hardwired connection to verify that it is working. You'll want to include firewall rules to prohibit inter-VLAN routing and to block access to the router except for DHCP and DNS. After I had proven to myself that this was functioning as desired, I'd set up the dumb AP. Once connected to the guest VLAN, the dumb AP should create your guest wifi network and you'll be golden. You may also want to create a separate management network either on the dumb AP itself or between both routers so that you can manage the dumb AP but ensure that only you can administer it and prohibit guests from accessing the router at all.

There are lots of threads on the forums of people doing these exact same things -- so between the documentation and the forums, you should have lots of info. But if you get stuck, we can help -- just be sure to ask specific questions and to post your relevant config files (remember to redact passwords, MAC addresses and any public IP addresses you may have):

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

When posting, please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
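The requirement above ("prohibit inter-VLAN routing, allow only DHCP and DNS to the router") can be checked mechanically instead of by reading the config by eye. The following is an added example written for this thread, not OpenWrt code and not from any participant: it parses a `uci export firewall` dump and reports whatever breaks the isolation of a named zone. The embedded config is a constructed sample modelled on the `isolated_4` zone discussed here; `parse_uci`, `check_isolation` and `ALLOWED_ROUTER_SERVICES` are names chosen for the example. It assumes fw3 semantics: a rule with no `proto` matches both tcp and udp, a rule with no `dest` targets the router itself, and an unset zone policy defaults to DROP.

```python
"""Check that an OpenWrt fw3 zone only forwards upstream and only reaches the
router for DNS and DHCP. Added example for this thread, not OpenWrt code."""
import re

# Constructed sample, modelled on the thread's `isolated_4` zone (trimmed).
SAMPLE_FIREWALL = """\
package firewall

config zone
	option name 'isolated_4'
	option network 'isolated_if4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'isolated_4'
	option dest 'wan'

config rule
	option name 'Isolated port 4 DNS'
	option src 'isolated_4'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Isolated port 4 DHCP'
	option src 'isolated_4'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
"""

# What a guest zone may reach on the router itself: DNS and DHCP only.
ALLOWED_ROUTER_SERVICES = {("tcp", 53), ("udp", 53), ("udp", 67), ("udp", 68)}
SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?")
VALUE_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'")


def parse_uci(text):
    """Turn `uci export` output into a list of dicts, one per config section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        if m := SECTION_RE.match(line):
            current = {"_type": m.group(1), "_name": m.group(2)}
            sections.append(current)
        elif (m := VALUE_RE.match(line)) and current is not None:
            kind, key, val = m.groups()
            if kind == "option":
                current[key] = val
            else:
                current.setdefault(key, []).append(val)
    return sections


def rule_protos(rule):
    """fw3 matches both tcp and udp when a rule carries no `proto`."""
    proto = rule.get("proto", ["tcp", "udp"])
    protos = set(proto.split() if isinstance(proto, str) else proto)
    if "tcpudp" in protos:  # fw3's shorthand for both
        protos = (protos - {"tcpudp"}) | {"tcp", "udp"}
    return protos


def port_range(spec):
    lo, _, hi = spec.partition("-")  # '53' -> 53..53, '67-68' -> 67..68
    return range(int(lo), int(hi or lo) + 1)


def check_isolation(sections, zone_name, upstream="wan"):
    """Return findings that break the zone's isolation; an empty list means it looks right."""
    findings = []
    zone = next((s for s in sections if s["_type"] == "zone" and s.get("name") == zone_name), None)
    if zone is None:
        return [f"zone {zone_name!r} is not defined"]
    for policy in ("input", "forward"):  # fw3 defaults an unset policy to DROP
        value = zone.get(policy, "DROP").upper()
        if value not in ("REJECT", "DROP"):
            findings.append(f"zone {zone_name}: {policy} policy is {value}, expected REJECT or DROP")
    for s in sections:
        if s["_type"] == "forwarding":
            if s.get("src") == zone_name and s.get("dest") != upstream:
                findings.append(f"forwarding {zone_name} -> {s.get('dest')} allows inter-zone traffic")
            if s.get("dest") == zone_name:
                findings.append(f"forwarding {s.get('src')} -> {zone_name} lets another zone reach the guest network")
            continue
        if s["_type"] != "rule" or s.get("src") != zone_name or s.get("enabled", "1") == "0":
            continue
        if s.get("target", "DROP").upper() != "ACCEPT":
            continue
        label = s.get("name", "<unnamed>")
        if s.get("dest"):  # a rule with `dest` is a forward rule, not router input
            findings.append(f"rule {label!r} accepts traffic from {zone_name} into zone {s['dest']}")
        elif "dest_port" not in s:
            findings.append(f"rule {label!r} accepts every port on the router from {zone_name}")
        else:
            for proto in rule_protos(s):
                for port in port_range(s["dest_port"]):
                    if (proto, port) not in ALLOWED_ROUTER_SERVICES:
                        findings.append(f"rule {label!r} accepts {proto}/{port} on the router; only DNS and DHCP are expected")
    return findings
```

Run it against the real dump with `check_isolation(parse_uci(open("firewall.txt").read()), "isolated_4")`; an empty list means the zone has no forwarding except to `wan`, nothing forwards into it, and every ACCEPT rule from it only opens DNS and DHCP on the router. Note that this checks the intended policy only; whether frames actually arrive on the VLAN interface is a separate question answered by the packet counters.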

Thanks, I have set up my VLAN together with an interface and firewall rules that should allow DNS and DHCP as described in my opening post. The information about the interfaces, firewall zones and IP tables can be seen in here and here

Your configuration is correct.
I don't see the reason for enabling dhcp on the isolated_if4 interface, since only the Asus router will connect and you can set up a static IP.
Other than that there are no hits on the firewall for traffic from isolated_if4.

[0:0] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_input
[0:0] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_forward
[0:0] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_output

Is it connected? ip -s link
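The "no hits" observation comes from reading the packet counters that `iptables-save -c` prints in front of each rule. As an added example (not output or code from this thread, with constructed sample lines shaped like the dump above), this Python snippet sums the counters of the fw3 dispatch rules per interface so the check can be repeated after each change; `parse_rules`, `interface_hits` and `silent_interfaces` are names chosen for the example.

```python
"""Per-interface packet counters from `iptables-save -c`, to see whether a
zone's traffic reaches the firewall at all. Added example, constructed sample."""
import re
import shlex
from collections import defaultdict

# Constructed sample in the shape of the thread's `iptables-save -c` output.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [129:15273]
[0:0] -A PREROUTING -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_prerouting
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[85:6179] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[96:11313] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_input
[11:660] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_forward
[4:1037] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_output
COMMIT
"""

# "[packets:bytes] -A CHAIN <rule arguments>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_rules(text):
    """Yield (table, packets, bytes, chain, args) for every counted rule line."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            continue
        m = RULE_RE.match(line)
        if m:
            packets, nbytes, chain, rest = m.groups()
            # shlex keeps the quoted "!fw3: ..." comment as one token
            yield table, int(packets), int(nbytes), chain, shlex.split(rest)


def interface_hits(text, table="filter"):
    """Packets matched by the fw3 dispatch rules in INPUT/FORWARD/OUTPUT, keyed by (chain, iface)."""
    hits = defaultdict(int)
    for tbl, packets, _, chain, args in parse_rules(text):
        if tbl != table or chain not in ("INPUT", "FORWARD", "OUTPUT"):
            continue
        for flag in ("-i", "-o"):
            if flag in args:
                hits[(chain, args[args.index(flag) + 1])] += packets
    return dict(hits)


def silent_interfaces(text, table="filter"):
    """Interfaces whose dispatch rules have matched zero packets in every chain."""
    per_iface = defaultdict(int)
    for (_, iface), packets in interface_hits(text, table).items():
        per_iface[iface] += packets
    return sorted(i for i, p in per_iface.items() if p == 0)
```

Counters are reset whenever the firewall is reloaded, so a zero means no traffic since the last restart. If `eth0.30` stays silent on `-i` and `-o` in all three chains while the other interfaces count up, the packets are not reaching the CPU on that VLAN at all, which points at the cable or the switch VLAN tagging rather than at the firewall rules.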

If the downstream router is configured as a dumb AP, DHCP should indeed be enabled. But if that downstream device is in full router mode, I agree that there isn't a necessity to have DHCP enabled on the upstream one.

Router B is running on stock firmware and is connected via its WAN port. I doubt it will be a dumb AP.


Thank you for checking my configuration. Now that I changed VLAN 30 to be untagged for CPU eth1, the ASUS router (router B) says that the DHCP configuration from my ISP is incorrect. Since the ASUS router is connected to my OpenWRT router, it obviously means that the DHCP configuration of my OpenWRT router is incorrect. I don't really see what is wrong because ports 67-68 are open for the isolated interface?

However, if I should go with your suggestion to use a static IP for the ASUS router, what would the setup be for that router? In the ASUS router, I need to configure the static IP, subnet mask and gateway. I understand that the static IP in the ASUS router should be set to whatever I set in OpenWRT, which could be e.g. 192.168.200.2, but what about the subnet mask? Should it be 255.255.255.255 or 255.255.255.0? And should the gateway be set to 192.168.200.1, i.e. the IP of the isolated interface, or should it be something else?

Regarding your question if the ASUS router was connected, I can't remember to be honest, but I think so... I will double check.

Thank you.

Thank you for your suggestion. However, router B is not a dumb AP but will be used just as a regular router. Preferably, I would like to make as few changes to its configuration as possible and do as much configuration as I can on my OpenWRT router (router A).

I didn't tell you to do that. Vlan30 should be tagged in eth1 CPU, untagged in LAN4, and off in anything else.

Sorry, that was a typo. VLAN 30 is tagged in CPU eth1, untagged for LAN 4 and off for everything else

Ok then, post once again the following to see where the issue is:

uci export network; uci export dhcp; uci export firewall; \
iptables-save -c; \
ip -s link; ip -4 addr; ip -4 ro li tab all ; ip -4 ru; \
swconfig dev switch0 show

The output is below and router B, the ASUS router, was connected to LAN 4 when the commands were run. The ASUS router has its default configuration where it tries to obtain an IP via DHCP. Although I assume it is not important, the ASUS LAN IP is 192.168.150.x and the OpenWRT router tries to give it a WAN IP in 192.168.200.x.

root@OpenWrt:~# uci export network; uci export dhcp; uci export firewall;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xyz:xyz:xyz::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '4 3 2 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '30'
	option ports '5 0t'

config interface 'isolated_if4'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	option leasetime '6h'

config dhcp 'isolated_if4'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'isolated_if4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Guest DNS'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Guest DHCP'
	option dest_port '67-68'

config forwarding
	option dest 'wan'
	option src 'isolated_4'

config rule
	option dest_port '53'
	option src 'isolated_4'
	option name 'Isolated port 4 DNS'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'isolated_4'
	option name 'Isolated port 4 DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'isolated_4'
	option forward 'REJECT'
	option network 'isolated_4 isolated_if4'
	option output 'ACCEPT'
	option input 'REJECT'
root@OpenWrt:~# iptables-save -c;
# Generated by iptables-save v1.8.3 on Sat May 23
*nat
:PREROUTING ACCEPT [129:15273]
:INPUT ACCEPT [57:3837]
:OUTPUT ACCEPT [81:6171]
:POSTROUTING ACCEPT [8:884]
:postrouting_guest_rule - [0:0]
:postrouting_isolated_4_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_isolated_4_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_isolated_4_postrouting - [0:0]
:zone_isolated_4_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[129:15273] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[76:6401] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[53:8872] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_prerouting
[0:0] -A PREROUTING -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_prerouting
[118:7871] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:376] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[110:6987] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A POSTROUTING -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_isolated_4_postrouting -m comment --comment "!fw3: Custom isolated_4 postrouting rule chain" -j postrouting_isolated_4_rule
[0:0] -A zone_isolated_4_prerouting -m comment --comment "!fw3: Custom isolated_4 prerouting rule chain" -j prerouting_isolated_4_rule
[2:376] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[76:6401] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[110:6987] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[110:6987] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[53:8872] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat May 23
# Generated by iptables-save v1.8.3 on Sat May 23
*mangle
:PREROUTING ACCEPT [1828:221344]
:INPUT ACCEPT [1456:128628]
:FORWARD ACCEPT [364:90812]
:OUTPUT ACCEPT [1956:477574]
:POSTROUTING ACCEPT [2286:567026]
[11:660] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat May 23
# Generated by iptables-save v1.8.3 on Sat May 23
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_isolated_4_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_isolated_4_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_isolated_4_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_isolated_4_dest_ACCEPT - [0:0]
:zone_isolated_4_dest_REJECT - [0:0]
:zone_isolated_4_forward - [0:0]
:zone_isolated_4_input - [0:0]
:zone_isolated_4_output - [0:0]
:zone_isolated_4_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[46:4781] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1412:123951] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1231:106459] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[40:2072] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[85:6179] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[96:11313] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A INPUT -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_input
[364:90812] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[353:90152] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[11:660] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -i eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[46:4781] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1912:474065] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1801:466381] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:1037] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[107:6647] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A OUTPUT -o eth0.30 -m comment --comment "!fw3" -j zone_isolated_4_output
[68:6605] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[28:4708] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[40:2072] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o wlan1-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan1-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i wlan1-1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_isolated_4_dest_ACCEPT -o eth0.30 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_isolated_4_dest_REJECT -o eth0.30 -m comment --comment "!fw3" -j reject
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3: Custom isolated_4 forwarding rule chain" -j forwarding_isolated_4_rule
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3: Zone isolated_4 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_isolated_4_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_isolated_4_forward -m comment --comment "!fw3" -j zone_isolated_4_dest_REJECT
[0:0] -A zone_isolated_4_input -m comment --comment "!fw3: Custom isolated_4 input rule chain" -j input_isolated_4_rule
[0:0] -A zone_isolated_4_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[0:0] -A zone_isolated_4_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Isolated port 4 DNS" -j ACCEPT
[0:0] -A zone_isolated_4_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Isolated port 4 DHCP" -j ACCEPT
[0:0] -A zone_isolated_4_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_isolated_4_input -m comment --comment "!fw3" -j zone_isolated_4_src_REJECT
[0:0] -A zone_isolated_4_output -m comment --comment "!fw3: Custom isolated_4 output rule chain" -j output_isolated_4_rule
[0:0] -A zone_isolated_4_output -m comment --comment "!fw3" -j zone_isolated_4_dest_ACCEPT
[0:0] -A zone_isolated_4_src_REJECT -i eth0.30 -m comment --comment "!fw3" -j reject
[4:1037] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[11:660] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[11:660] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[85:6179] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[85:6179] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[4:1037] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[4:1037] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[85:6179] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[34:1360] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[84:5947] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[96:11313] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[96:11313] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[107:6647] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[107:6647] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[96:11313] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat May 23

Not sure if ip -s link provided the expected output because it also printed the options information so I'm providing ip link too (without the -s option).

root@OpenWrt:~# ip link; ip -s link; ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
9: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
13: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xyz:xyz:xyz:xyz:xyz:xyz brd ff:ff:ff:ff:ff:ff
BusyBox v1.30.1 () multi-call binary.

Usage: ip [OPTIONS] address|route|link|neigh|rule [ARGS]

OPTIONS := -f[amily] inet|inet6|link | -o[neline]

ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
ip route list|flush|add|del|change|append|replace|test ROUTE
ip link set IFACE [up|down] [arp on|off] [multicast on|off]
	[promisc on|off] [mtu NUM] [name NAME] [qlen NUM] [address MAC]
	[master IFACE | nomaster]
ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
ip rule [list] | add|del SELECTOR ACTION
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.200.1/24 brd 192.168.200.255 scope global eth0.30
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xyz.xyz.xyz.xyz/24 brd xyz.xyz.xyz.xyz scope global eth0.2
       valid_lft forever preferred_lft forever
13: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.1/24 brd 192.168.100.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
default via xyz.xyz.xyz.xyz dev eth0.2  src xyz.xyz.xyz.xyz 
xyz.xyz.xyz.xyz/24 dev eth0.2 scope link  src xyz.xyz.xyz.xyz 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.100.0/24 dev wlan1-1 scope link  src 192.168.100.1 
192.168.200.0/24 dev eth0.30 scope link  src 192.168.200.1 
broadcast xyz.xyz.xyz.xyz dev eth0.2 table local scope link  src xyz.xyz.xyz.xyz 
local xyz.xyz.xyz.xyz dev eth0.2 table local scope host  src xyz.xyz.xyz.xyz 
broadcast xyz.xyz.xyz.xyz dev eth0.2 table local scope link  src xyz.xyz.xyz.xyz 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.100.0 dev wlan1-1 table local scope link  src 192.168.100.1 
local 192.168.100.1 dev wlan1-1 table local scope host  src 192.168.100.1 
broadcast 192.168.100.255 dev wlan1-1 table local scope link  src 192.168.100.1 
broadcast 192.168.200.0 dev eth0.30 table local scope link  src 192.168.200.1 
local 192.168.200.1 dev eth0.30 table local scope host  src 192.168.200.1 
broadcast 192.168.200.255 dev eth0.30 table local scope link  src 192.168.200.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
root@OpenWrt:~# swconfig dev switch0 show
Global attributes:
	enable_vlan: 1
	ar8xxx_mib_poll_interval: 0
	ar8xxx_mib_type: 0
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	mirror_monitor_port: 0
	mirror_source_port: 0
	arl_age_time: 300
	arl_table: address resolution table
Port 0: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 0: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 1: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 5: MAC xyz:xyz:xyz:xyz:xyz:xyz
Port 6: MAC xyz:xyz:xyz:xyz:xyz:xyz

	igmp_snooping: 0
	igmp_v3: 0
Port 0:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 2
	link: port:1 link:up speed:1000baseT full-duplex txflow rxflow eee100 eee1000 auto
Port 2:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:2 link:down
Port 3:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:3 link:down
Port 4:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:4 link:down
Port 5:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 3
	link: port:5 link:up speed:100baseT full-duplex txflow rxflow eee100 auto
Port 6:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex txflow rxflow 
VLAN 1:
	vid: 1
	ports: 0t 2 3 4 
VLAN 2:
	vid: 2
	ports: 1 6t 
VLAN 3:
	vid: 30
	ports: 0t 5

I actually think I solved this! I will confirm and write all steps I took once I confirmed it's working as expected.

The reason why things seemed OK but didn't work was the fact that when I changed eth0 to off and eth1 to tagged for VLAN 30, my interface, interface_if4, didn't get updated automatically to use eth1.30. Instead, interface_if4 still had eth0.30 in its configuration. Once I changed interface_if4 to use eth1.30, things seem to be working.
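
To make the mismatch described above something you can check rather than eyeball, here is an added shell example (not from the thread or from OpenWrt) that derives, from the swconfig VLAN listing, which CPU device a VLAN must appear on and compares it with the interface name actually configured. It assumes the Archer C7 mapping visible in the output above (switch port 0 is CPU eth1, since VLAN 1 on "0t" shows up as eth1.1; port 6 is CPU eth0, since VLAN 2 on "6t" shows up as eth0.2) and uses a constructed copy of the thread's VLAN table as input.

```sh
#!/bin/sh
# Constructed sample of the VLAN section of "swconfig dev switch0 show",
# copied from the thread's output (spaces instead of tabs).
SWCONFIG_VLANS='VLAN 1:
    vid: 1
    ports: 0t 2 3 4
VLAN 2:
    vid: 2
    ports: 1 6t
VLAN 3:
    vid: 30
    ports: 0t 5'

# Which Linux device each CPU port of the switch feeds. Board specific;
# assumed here from the thread: port 0 -> eth1 (eth1.1 in br-lan),
# port 6 -> eth0 (eth0.2 is the WAN). Fails for any non-CPU port.
cpu_port_device() {
    case "$1" in
        0) echo eth1 ;;
        6) echo eth0 ;;
        *) return 1 ;;
    esac
}

# Print the device an interface must use for VLAN $1 (e.g. "eth1.30"),
# taken from which CPU port is tagged ("Nt") in that VLAN's port list.
expected_ifname() {
    vid="$1"
    ports=$(printf '%s\n' "$SWCONFIG_VLANS" | awk -v vid="$vid" '
        $1 == "vid:" { cur = $2 }
        $1 == "ports:" && cur == vid { $1 = ""; print; exit }')
    for p in $ports; do
        case "$p" in
            *t) dev=$(cpu_port_device "${p%t}") && { echo "$dev.$vid"; return 0; } ;;
        esac
    done
    return 1
}

# Compare the device an interface really uses with the one the switch
# configuration implies. Returns 0 on a match, 1 when the interface still
# points at the wrong CPU device (the thread's eth0.30 versus eth1.30).
check_interface() {
    actual="$1"; vid="${actual#*.}"
    expected=$(expected_ifname "$vid") || { echo "no tagged CPU port for VID $vid"; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "ok: $actual is carried on the tagged CPU port"
    else
        echo "mismatch: interface uses $actual but VLAN $vid is tagged towards $expected"
        return 1
    fi
}
```

On the router itself, replace the constructed string with the live listing, e.g. SWCONFIG_VLANS=$(swconfig dev switch0 show | sed -n '/^VLAN/,$p'), and run check_interface against the device names shown by "ip -4 addr".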

Understood. Personally, I would put router B in dumb AP mode because it allows you to do essentially all the configuration and guest control in router A. But there are lots of ways to achieve your goals, and it looks like you are up and running.