VLAN no internet

I have a Linksys router WRT3200ACM with four ethernet ports. The house is wired for ethernet and there are 16-port GB switches attached to ports 1 & 3: 1 for the adults and 3 for the kids.

I think I’ve set it up so the LAN and WAN (internet) are available on 1, 2 & 4 and a VLAN for 3. The intention is that devices connected to 3 (my kids’ Windows & Apple boxes) can access only the internet and not the LAN.

To test it, I have a Raspberry Pi wired to the switch that’s plugged into port 3 on the router but also has wireless access to the router. I can access the internet via wireless (192.168.7.1/24), but if I disable wireless, wired (192.168.8.1/24) cannot access the internet but can access local web pages on the LAN.

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'numbers::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

config interface 'lan'
	option device 'br-home'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.7.1/24'
	option dns_metric '300'

config device
	option name 'wan'
	option macaddr 'numbers'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::64'
	list dns '2606:4700:4700::6400'

config device
	option type 'bridge'
	option name 'br-home'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

config device
	option type 'bridge'
	option name 'kids'
	list ports 'lan3'

config interface 'kids'
	option proto 'static'
	option device 'kids'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option dns_metric '300'
	option ip6assign '64'

/etc/config/firewall: (edited)

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'kids'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

<snipped various rules & redirects>

config zone
	option name 'VLAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'VLAN2'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'VLAN2'

I have PiHole running, if that’s relevant - do I need to adapt that for VLAN2?

What am I missing?

Thanks

Greg

You've got a few issues related to the bridges -- you should use only a single bridge, and each port can only be a member of one bridge anyway. From there, you will use bridge-vlans (DSA syntax). Similarly, networks can only be in a single firewall zone.

Starting with the network config...

Delete these:

Put port lan3 back into br-lan:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

Now, create two bridge-vlans:

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan3:u*'

Now, edit your networks to use device br-lan.x where x is the VLAN ID:

config interface 'lan'
	option device 'br-lan.7'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.7.1/24'
	option dns_metric '300'

config interface 'kids'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option dns_metric '300'
	option ip6assign '64'

Moving on to the firewall:

Delete all of this:

This will work, but will not isolate the networks:

If you want the networks fully isolated, create a new firewall zone (kids), and remove the kids network from the lan firewall zone. For added security (your choice), we'll set the input rule to REJECT to prevent those devices from having access to the router. We'll add 2 rules to allow DHCP and DNS.

config zone
	option name 'kids'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'kids'

config forwarding
	option src 'kids'
	option dest 'wan'

config rule
	option name 'Allow-kids-dhcp'
	option src 'kids'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-kids-dns'
	option src 'kids'
	option dest_port '53'
	option target 'ACCEPT'

Thanks, @psherman

That worked perfectly for the Raspberry Pi and my son’s Windows machine, but I can’t get a network connection for my daughter’s AppleTV. It has picked up the DHCP details but also can’t establish an internet connection. What should I look out for?

I could supply my full router firewall spec (providing that doesn’t compromise my network security?) and would my PiHole have anything to do with this?

Let’s review the full config to see if there are any other issues or suspected problems.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'm not using a VLAN; however, I have two subnets. IoT is isolated in a way that LAN can talk to IoT but IoT cannot talk to LAN, and both have internet access (WAN). Sharing the important parts of my firewall and network config:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'lan2'
	list ports 'lan3'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

@albertux - are you providing this as an example config for the OP, or are you experiencing an issue for which you are hoping to get a resolution?

If the latter, it's best if you start your own thread so as not to confuse the configs and goals.

It's an example of my own config that works. I hope this example helps the OP.

LAN -> IoT, WAN
IoT -> WAN

{
        "kernel": "5.15.150",
        "hostname": "FINBAR",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd81:0c5e:4bd8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan3:u*'

config interface 'lan'
	option device 'br-lan.7'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.7.1/24'
	option dns_metric '300'

config interface 'kids'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option dns_metric '300'
	option ip6assign '64'

config device
	option name 'wan'
	option macaddr '--:--:--:--:--:--'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::64'
	list dns '2606:4700:4700::6400'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option country 'GB'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr 'redacted'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'GB'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr 'redacted'
	option disabled '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'FINBAR5'
	option encryption 'psk2'
	option key 'redacted'
	option network 'lan'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'FINBAR24'
	option encryption 'psk2'
	option network 'lan'
	option key 'redacted'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '0'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.7.77'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'TRA----'
	option ip '192.168.7.7'

config domain
	option name 'NAI----'
	option ip '192.168.7.13'

config domain
	option name 'NAK----'
	option ip '192.168.7.14'

config domain
	option name 'RED----'
	option ip '192.168.7.124'

config domain
	option name 'Gs----'
	option ip '192.168.7.204'

config domain
	option name 'Hs----'
	option ip '192.168.7.183'

config host
	option mac 'redacted'
	option dns '1'
	option name 'lyrionServer'
	option ip '192.168.7.105'
	option leasetime '24h'

config ipset 'filter'
	list name 'filter'
	list name 'filter6'
	list domain 'example.com'
	list domain 'example.net'

config host
	option name 'DESKTOP-DP4J8RP'
	option duid '00010redacted375DF7'
	option mac 'redacted'

config host
	option name 'tra----'
	option duid '0004EF805redacted6F5B20F4C4A9'

config host
	option name 'Car----'
	option ip '192.168.7.214'
	option mac 'redacted5'

config dhcp 'kids'
	option interface 'kids'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.7.77,192.168.8.77'


/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'kids'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'kids'

config forwarding
	option src 'kids'
	option dest 'wan'

config rule
	option name 'Allow-kids-dhcp'
	option src 'kids'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-kids-dns'
	option src 'kids'
	option dest_port '53'
	option target 'ACCEPT'
    
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option weekdays 'Sun Mon Tue Wed Thu'
	option src 'lan'
	option name 'Isaac-Steam8pm2Midnight'
	option stop_time '23:59:59'
	option dest 'wan'
	option start_time '20:00:00'
	option target 'REJECT'
	option dest_port '27000-27100'
	list proto 'tcp'
	list proto 'udp'

config rule
	option src 'lan'
	option name 'Lunchbreak'
	option stop_time '14:00:00'
	option dest 'wan'
	option start_time '12:00:00'
	option target 'REJECT'
	list src_mac 'redacted'
	list src_mac 'redacted'
	list src_mac 'redacted'
	list src_mac 'redacted'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'GardenCam'
	option src_dport '10110'
	option target 'DNAT'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'
	option dest_ip '192.168.7.205'

config redirect
	option dest_port '2283'
	option src 'wan'
	option name 'Immich'
	option src_dport '2283'
	option target 'DNAT'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'
	option dest_ip '192.168.7.7'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'Drive Cam'
	option src_dport '10112'
	option target 'DNAT'
	option dest_ip '192.168.7.112'
	option dest 'lan'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'TranqSSH'
	option src_dport '2963'
	option target 'DNAT'
	option dest_ip '192.168.7.7'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'DiningPi'
	option target 'DNAT'
	option dest_ip '192.168.7.106'
	option dest 'lan'
	option src_dport '2968'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'DAVx'
	option dest_ip '192.168.7.245'
	option dest 'lan'
	option src_dport '24580'

config redirect
	option dest_port '8000'
	option src 'wan'
	option name 'Pi4Cam'
	option src_dport '8000'
	option target 'DNAT'
	option dest_ip '192.168.7.213'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'FinbarWAN'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '888'
	option dest_ip '192.168.7.1'
	option dest_port '888'

config rule
	option name 'NTP'
	list proto 'udp'
	option src 'lan'
	option src_port '123'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule 'fwd_filter'
	option name 'Filter-IPset-DNS-Forward'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	option ipset 'filter dest'
	option target 'REJECT'
	option enabled '0'

config rule 'fwd_filter6'
	option name 'Filter-IPset-DNS-Forward'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv6'
	option ipset 'filter6 dest'
	option target 'REJECT'
	option enabled '0'

config include 'estab'
	option path '/etc/nftables.d/estab.sh'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect-DNS'
	option src 'lan'
	option src_ip '192.168.7.77'
	option src_port '53'
	option src_dport '53'
	option dest_ip '192.168.7.77'
	option dest_port '53'

config nat
	option name 'Masquerade-DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.7.77'
	option dest_port '53'
	option target 'MASQUERADE'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'pihole'
	option src 'wan'
	option dest_ip '192.168.7.77'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '2941'
	option dest_port '80'

config rule
	option name 'Android Default DNS block'
	option src 'lan'
	option dest 'wan'
	list dest_ip '2001:4860:4860::8888'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	list dest_ip '2001:4860:4860::8844'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Immich'
	option src 'wan'
	option src_dport '8212'
	option dest_ip '192.168.7.14'
	option dest_port '8212'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PickUpAFileeFrom NGINX'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8910'
	option dest_ip '192.168.7.7'
	option dest_port '80'
	option enabled '0'



This is the relevant part of my home network topology (there are 3 more switches linked to the Loft Switch - 192.168.7.1/24)

The only problem is the AppleTV, right? That seems to be on VLAN 8 -- kids.

I am guessing it might be a DNS issue. Try changing the DHCP advertised DNS to a public DNS as a test:

Change the above to 8.8.8.8 or 1.1.1.1. Then reboot your AppleTV and see if it works.

Thank you @psherman, that worked.

Your zones should be like this:

The problem is already solved, and it was not related to zone configs -- the problem was DNS related.


But how do the kids use the internet if they have REJECT?

I guess only OUTPUT is needed. I need INPUT for some IoT devices; nvm, ignore this.

The input rule controls the ability to reach the router itself from networks in the zone. This is typically for management of the router and/or other services that might be running on the router itself.

The only services required in most cases would be DHCP and DNS, and of course forwarding to the wan zone. The following rules are in place:

The first rule allows the kids network to reach the wan (internet). The second permits the kids network to reach the router's DHCP server so that the hosts on that network can obtain DHCP leases. And the third rule allows the network to reach the router for DNS services.

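As an added example (not code from this thread or from OpenWrt), here is a small Python checker that applies the two constraints stated in the first answer, each switch port in exactly one bridge and each network in exactly one firewall zone, and then summarises the per-zone policy described in the reply above: which zones a zone may forward to, its input policy, and which router ports the dest-less ACCEPT rules open. The embedded config strings are constructed excerpts of the configs posted in this thread; the function names are my own.

```python
"""Added checker for OpenWrt UCI network/firewall text (not an OpenWrt tool): it applies
the two rules from the accepted answer and summarises what each zone may reach."""
import re
from collections import defaultdict

# Constructed excerpt of the OP's first /etc/config/network: lan1/lan2/lan4
# are claimed by both br-lan and br-home.
OP_NETWORK = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'
config device
	option type 'bridge'
	option name 'br-home'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'
"""
# Constructed excerpt of the OP's first firewall: wan/wan6 sit in two zones.
OP_FIREWALL = """
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
config zone
	option name 'VLAN2'
	list network 'wan'
	list network 'wan6'
"""
# The kids zone as the accepted answer builds it.
FIXED_FIREWALL = """
config zone
	option name 'kids'
	option input 'REJECT'
	list network 'kids'
config forwarding
	option src 'kids'
	option dest 'wan'
config rule
	option src 'kids'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'
config rule
	option src 'kids'
	option dest_port '53'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line)]
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], defaultdict(list)))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][1][parts[1]].append(" ".join(parts[2:]))
    return sections

def multiply_owned(text, section_type, list_key, keep=lambda opts: True):
    """Values of list_key listed under more than one section -> {value: [owner names]}."""
    owners = defaultdict(list)
    for typ, opts in parse_uci(text):
        if typ == section_type and keep(opts):
            for value in opts[list_key]:
                owners[value].append(opts["name"][0])
    return {v: o for v, o in owners.items() if len(o) > 1}

def zone_policy(firewall_text):
    """Per zone: zones it may forward to, its INPUT policy, and the router ports opened
    by ACCEPT rules with no 'dest' (those match traffic addressed to the router itself)."""
    sections = parse_uci(firewall_text)
    default_input = next((o["input"][0] for t, o in sections if t == "defaults"), "REJECT")
    policy = {o["name"][0]: {"forward_to": set(), "input_ports": set(),
                             "input": o.get("input", [default_input])[0]}
              for t, o in sections if t == "zone"}
    for typ, opts in sections:
        src = opts.get("src", [None])[0]
        if src not in policy:
            continue
        if typ == "forwarding":
            policy[src]["forward_to"].add(opts["dest"][0])
        elif typ == "rule" and "dest" not in opts and opts.get("target") == ["ACCEPT"]:
            policy[src]["input_ports"].update(opts["dest_port"])
    return policy

def audit(network_text, firewall_text):
    """Findings: ports in more than one bridge, networks in more than one zone, zone policy."""
    return {"shared_ports": multiply_owned(network_text, "device", "ports",
                                           lambda o: o.get("type") == ["bridge"]),
            "multi_zone_networks": multiply_owned(firewall_text, "zone", "network"),
            "zones": zone_policy(firewall_text)}
```

On a real router you would feed `audit()` the text of `/etc/config/network` and `/etc/config/firewall`; on the OP's original configs it reports lan1, lan2 and lan4 in two bridges and wan/wan6 in two zones, and on the corrected kids zone it reports forwarding to wan only, INPUT set to REJECT, and ports 67 and 53 opened towards the router, which is exactly the policy the reply above describes. The parser only understands the plain config/option/list syntax, so named sections such as `config rule 'fwd_filter'` are accepted but the section name is not used.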
