After continuing to struggle with this, I made some changes to the setup.
On the DGS-1210-10P switch:
VLAN 1 - Guest network 192.168.3.0/24 (Ports 3 - 6)
VLAN 2 - IP cam network 10.1.1.0/24 (Ports 7 - 8)
VLAN 3 - Personal network 192.168.2.0/24 (Port 2)
VLAN 4 - wired connection to internet router 192.168.1.0/24 (Port 1)
Interfaces on switch:
lan - 192.168.3.1 (WAP 192.168.3.2)
IPCams - 10.1.1.222
Personal - 192.168.2.1 (WAP 192.168.2.2)
WAN - 192.168.1.2 (router 192.168.1.1)
It was as easy as simply setting up a static route on my laptop (connected to 192.168.2.2 WAP) to the IPCam network and I am able to access the IP cams without issue.
10.1.1.0/24 via 192.168.2.1
After setting up the following static route on my laptop, I am unable to access the router (192.168.1.1) or the internet.
192.168.1.0/24 via 192.168.2.1
I am able to ping 192.168.1.2 (the switch interface on the 192.168.1.0/24 subnet) but I cannot ping 192.168.1.1
What am I missing? This should be as simple as accessing the IP cams, no?
Output of 'cat /etc/config/network':
# UCI network configuration for the switch, as pasted (option/list indentation
# was lost in the paste). It defines one bridge over ports lan1-lan10, four
# bridge VLANs (1-4) and one static-IP interface per VLAN.

# Loopback interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: IPv6 ULA prefix.
config globals 'globals'
option ula_prefix 'fdbf:e377:9544::/48'
# Bridge device 'switch' containing all ten ports; IPv6 is disabled on it.
config device 'switch'
option name 'switch'
option type 'bridge'
option macaddr 'REDACTED'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8'
list ports 'lan9'
list ports 'lan10'
option bridge_empty '1'
option ipv6 '0'
# VLAN 1 on ports lan3-lan6 (the post describes this as the Guest network).
config bridge-vlan 'lan_vlan'
option device 'switch'
option vlan '1'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
# Device for VLAN 1 on the bridge.
config device
option name 'switch.1'
option macaddr 'REDACTED'
option ipv6 '0'
# Guest-side interface: 192.168.3.1/24 on switch.1.
# NOTE(review): the gateway below (192.168.1.1) is not inside this interface's
# own subnet (192.168.3.0/24), and the 'WAN' interface declares the same
# gateway. Presumably only the WAN entry is intended to carry the default
# route - confirm and drop this one if so.
config interface 'lan'
option device 'switch.1'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
option broadcast '192.168.3.255'
option delegate '0'
# IP camera interface: 10.1.1.222/24 on switch.2, no gateway configured.
config interface 'IPCams'
option proto 'static'
option device 'switch.2'
option ipaddr '10.1.1.222'
option netmask '255.255.255.0'
option broadcast '10.1.1.255'
# Personal interface: 192.168.2.1/24 on switch.3, no gateway configured.
config interface 'Personal'
option proto 'static'
option device 'switch.3'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option broadcast '192.168.2.255'
# VLAN 2 on ports lan7-lan8 (IP cameras, per the post).
config bridge-vlan
option device 'switch'
option vlan '2'
list ports 'lan7'
list ports 'lan8'
# VLAN 3 on port lan2 (Personal, per the post).
config bridge-vlan
option device 'switch'
option vlan '3'
list ports 'lan2'
# 802.1q device for VLAN 3 on the bridge.
config device
option name 'switch.3'
option type '8021q'
option ifname 'switch'
option vid '3'
option ipv6 '0'
# VLAN 4 on port lan1 (uplink to the internet router, per the post).
config bridge-vlan
option device 'switch'
option vlan '4'
list ports 'lan1'
# Uplink interface: 192.168.1.2/24 on switch.4, default gateway 192.168.1.1.
config interface 'WAN'
option proto 'static'
option device 'switch.4'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option broadcast '192.168.1.255'
# 802.1q device for VLAN 2 on the bridge.
config device
option name 'switch.2'
option type '8021q'
option ifname 'switch'
option vid '2'
option ipv6 '0'
# 802.1q device for VLAN 4 on the bridge.
config device
option name 'switch.4'
option type '8021q'
option ifname 'switch'
option vid '4'
option ipv6 '0'
Output of 'cat /etc/config/firewall':
# UCI firewall configuration for the switch, as pasted (indentation lost).
# Four zones (IPCams, Personal, lan, WAN) and four inter-zone forwardings:
# Personal -> IPCams, Personal -> lan, Personal -> WAN, lan -> WAN.

# Defaults: reject inbound and forwarded traffic unless a zone or forwarding
# below allows it.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Camera zone: input and forward rejected. No 'config forwarding' section in
# this file uses 'IPCams' as src, which matches the stated goal that the
# cameras must not reach the internet or the other networks.
config zone
option name 'IPCams'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IPCams'
# Personal zone: full access to the device itself.
# NOTE(review): masq '1' on a zone masquerades traffic that leaves through
# that zone's interfaces. No forwarding in this file has 'Personal' as dest,
# so this setting presumably has no effect here and may have been meant for
# the 'WAN' zone - confirm.
config zone
option name 'Personal'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Personal'
option masq '1'
# Personal may initiate connections to the cameras.
config forwarding
option src 'Personal'
option dest 'IPCams'
# Guest zone ('lan' carries 192.168.3.0/24 per the network config).
# NOTE(review): input 'ACCEPT' lets guest clients reach every service
# listening on this device (e.g. its management interfaces). The post's goal
# is "Guest should only be able to access the internet"; consider input
# 'REJECT' plus explicit allow rules for whatever guests actually need from
# this device (such as DHCP/DNS, if it serves them) - verify.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# Personal may initiate connections to the guest network.
config forwarding
option src 'Personal'
option dest 'lan'
# Uplink zone: input and forward rejected.
# NOTE(review): this zone has no masq option, so packets forwarded from
# 192.168.2.0/24 or 192.168.3.0/24 leave switch.4 with their original source
# address. Unless the router at 192.168.1.1 has return routes for those
# subnets via 192.168.1.2, its replies will not come back - this would be
# consistent with 192.168.1.2 answering pings while 192.168.1.1 does not.
# Likely remedies: add those static routes on the router, or enable
# masquerading on this zone - confirm which fits the setup.
config zone
option name 'WAN'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'WAN'
# Personal may initiate connections out through the uplink.
config forwarding
option src 'Personal'
option dest 'WAN'
# Guests may initiate connections out through the uplink.
# NOTE(review): the WAN zone covers the whole 192.168.1.0/24 segment, so this
# forwarding also lets guests reach hosts on that subnet (including the
# router's own address), not only the internet. If guests must be limited to
# internet access, a rule rejecting lan -> 192.168.1.0/24 would be needed
# ahead of this forwarding - verify against what guests need from the router.
config forwarding
option src 'lan'
option dest 'WAN'
As I stated initially, the IP cams need to be isolated from the internet, and only the Personal network should be able to access them.
The Guest network should only be able to access the internet and Personal should be able to access everything.
What am I missing to be able to access the 192.168.1.0/24 subnet?
Thanks