I did manage to set it up on two networks. By this I mean, network 1 has a different dns than network 2, and you can't use any other dns. The reason I did this was because network 2 was being too slow at resolving addresses (this is because I use a local dns resolver, Pi-Hole)
The problem with this is that since then I had been having issues that I had been tolerating for a long while now. This just hasn't been that bad. It may have something to do with nat rules, the errors I get are
daemon.warn Tor[1825]: Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules? [1 similar message(s) suppressed in last 960 seconds] (this may be because of intercept dns rule)
Sometimes one device is unable to get a tor or internet connection, but another device is able to (due to the tor error?)
Memory is overloaded. Maybe tor is the culprit (not the error)
These issues only started happening after I set up a second network with dns hijacking. I think I made a mistake with my configuration files, you can find them below, only the ones that I changed and are relevant are shown, you can ask for more info
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option name 'Transparent Proxy Redirect'
option src 'lan'
option proto 'tcp'
option dest_port '8888'
option src_dport '80'
option src_dip '!192.168.1.1'
option dest 'guest'
option dest_ip '192.168.1.1'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config rule 'doh_fwd'
option name 'Deny-DoH'
option src 'lan'
option dest 'wan'
option dest_port '443'
option proto 'tcp udp'
option family 'ipv4'
option ipset 'doh dest'
option target 'REJECT'
config nat 'dns_masq'
option name 'Masquerade-DNS'
option src 'lan'
option dest_ip '192.168.1.96'
option dest_port '53'
option proto 'tcp udp'
option target 'MASQUERADE'
option enabled '0'
config zone 'guest'
option name 'guest'
option network 'guest'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
option enabled '1'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config ipset 'tor'
option name 'tor'
option family 'ipv4'
option storage 'hash'
option match 'net'
list entry '127.0.0.0/8 nomatch'
list entry '192.168.2.1/24 nomatch'
list entry '0.0.0.0/1'
list entry '128.0.0.0/1'
config ipset 'tor6'
option name 'tor6'
option family 'ipv6'
option storage 'hash'
option match 'net'
list entry '::1/128 nomatch'
list entry 'fe80::/10 nomatch'
list entry ' nomatch'
list entry '::/1'
list entry '8000::/1'
config redirect 'tcp_int'
option name 'Intercept-TCP'
option src 'guest'
option dest_port '9040'
option proto 'tcp'
option extra '--syn'
option ipset 'tor dest'
option target 'DNAT'
config rule
option name 'Allow-IGMP-Guest'
option src 'guest'
option target 'ACCEPT'
list proto 'igmp'
option family 'ipv4'
config redirect
option target 'DNAT'
option src 'lan'
option src_ip '!192.168.1.96'
option src_dport '53'
option dest 'lan'
option dest_ip '192.168.1.96'
option dest_port '53'
option name 'Intercept-DNS'
config redirect
option target 'DNAT'
option name 'Intercept-DNS2'
option src 'guest'
option src_ip '!192.168.2.16'
option src_dport '53'
option dest 'guest'
option dest_ip '192.168.2.16'
option dest_port '53'
config nat
option name 'Masquerade-DNS2'
option target 'MASQUERADE'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option dest_ip '192.168.2.16'
option src 'lan'
option src_ip '192.168.2.1/24'
option enabled '0'
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb2:4498:a235::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.0.1'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.1.96'
list dns '192.168.2.16'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
Guest zone is not actually for guests, that's the tor network. I have these enabled to be able to access my apache server, my live camera, my main router that has a stock firmware (192.168.0.1), and other services that are not available on the tor network.
I did mess around here a lot with this issue. A lot of changes probably were unnecessary
Would this interfere with my services? I'll switch it to accept if I find any problems
You'd need to enable Masquerade-DNS and Masquerade-DNS2, otherwise the clients will receive the answer from an unexpected server.
I think I disabled it recently and forgot to enable it, thanks for letting me know. This was while trying to fix "daemon.warn Tor[1825]: Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules?"
This will allow all forwardings, especially the ones you wouldn't want, like wan->lan. It's good that you fixed it.
Wan zone has still ACCEPT on INPUT and FORWARD!
dns should be advertised in lan and guest interfaces respectively, not wwan.
Remove masquerade from guest zone.
That specifies for the nat rule to masquerade DNS, and you have done that in your config nat 'dns_masq' rule.
That step does not ask you to enable masquerading on the firewall zone. You have enabled masquerading in the last line of your guest zone -- this should not be enabled. Remove the last line.
Let me see if I understand this. Masquerade should be on for wan because that is what's providing internet access to the network, but it shouldn't be enabled on guest because guest already has internet?
On another note, I might take time to follow up now. Like a day. Long story short, everything became chaotic in the matter of 10 minutes (which is why I didn't respond immediately)
Edit: I can confirm masquerade is off at least. This is a bad moment to test rejecting on wan, I might lose internet, so I'll try that at a better time
Edit2: To update on why I am doing this at another time. There's a strong wind on my area, I lost electricity for a good moment and it came back later on. I also can't think clearly because my cat is in heat, makes a lot of noise and keeps getting in the way, I can't spay her rn. Somehow while messing with firewall settings my router decided to set my lan to reject on input and forward, maybe it did that on it's own or it was me. Getting to failsafe mode was annoying. I'll just try this tomorrow, or at least when I am not stressed out, I don't want to lose internet right when my electricity goes off again.
Also, first time experiencing a house shaking due to strong winds, quora says it's normal so I won't worry. That was scary.
Masquerade should be on for WAN because that network will not route packets with a source IP address that is private, thus all outgoing traffic must have the source IP address masqued as if it was originated from the public IP address on the router
Changing forward default to reject had an issue with my applications not working, such as tor network windows not being able to ping devices on the wan network, or wan network musicbee remote not being able to connect to a device in the tor network.
I rather just leave the firewall settings as it is, because changing them doesn't benefit me, it's time consuming, and it's only going to cause me issues. I can change them and test each change when I have time to waste, for extra security, but I see no need to do it soon and I don't think it will solve the issues I am having with dns hijacking.
To clarify. The tor network is the guest network. No guests are allowed on the guest network, no one is allowed, only I am allowed on this network. It is misleading but at the time of following the instructions to create this network, I did not have enough knowledge to safely name this network whatever I wanted.
If you are having trouble when the masquerading is set as it should be in a default configuration, it likely means that other things aren't quite right. If the system is working well enough, you may not need to do anything. But if you want to solve any lingering issues, you should probably start by backing up and then resetting the device to defaults. Then, install your packages and configure things again (leaving the firewall alone for masquerading settings).
I don't know what is causing the memory overload issue or the tor reject request issue, so I don't know if masquerade is the problem. It would also not be possible to achieve my tor install without changing firewall settings (tor needs to be network wide, and only apply on one network)
Maybe I can try to reset some day, that may fix the issue with tor if there's an error with my configuration.