WAN/LAN Traffic Separation

Hi Everyone,

I have two Netgear wireless routers running OpenWRT. They are connected to my main internet-connected router (ASUS RT-68U running Asuswrt-Merlin) via the wan ports on the Netgears and a couple of LAN ports on the ASUS. I use the Netgears for my Internet of Things devices in an effort to keep them isolated from my other devices in the house.

LAN Network on the ASUS is 10.10.16.0/24. The LAN Networks on the Netgears are both 192.168.1.0/24. The WAN IP addresses for the Netgears are 10.10.16.2 and 10.10.16.3. Everything (including the IoT devices on the Netgears) can connect just fine to the internet through the ASUS (gateway of 10.10.16.1).

However, I'm not getting the traffic separation I'm looking for. If I hook up a laptop to one of the Netgears on their LAN network (192.168.1.0/24), I can definitely get to the internet just fine through the ASUS (gateway of 10.10.16.1) as well as other devices on the 192.168.1.0/24 network on the Netgear. However, I can also get to other devices on the 10.10.16.0/24 LAN on my ASUS (effectively the WAN network to the Netgears). Kind of defeats the purpose of isolating the IoT devices if they can still get to my laptops, desktops, and such on my main network.

Looking for help in setting up the OpenWRT firewall to restrict devices on the Netgears from talking to devices on their WAN networks (10.10.16.0/24) aside from outbound internet traffic passing through 10.10.16.1.

Appreciate any help the group can offer.

Cheers,
Bill

Thanks mbo2o. I'll read through what others have done and see if I can adapt it to my setup.

Thanks,

Bill

Here is what I do for a locally routed IoT / guest network.

config zone
	option name 'iot'
	option network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
# use wan or lan as the destination depending on if the router is routing, or
#  is it a dumb AP.
# When LAN is the destination, must set masq and mtu_fix on the lan zone.
	option dest 'wan'
	option src 'iot'

config rule
	option target 'ACCEPT'
	option src 'iot'
	option name 'IOT-DHCP'
	option family 'ipv4'
	option proto 'udp'
# DHCP requests are input to port 67
	option dest_port '67'

config rule
	option src 'iot'
	option proto 'tcp udp'
	option name 'IOT-DNS'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'iot'
	option proto 'all'
# The private network upstream.
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
	option name 'Deny-IOT-Upstream'
	option dest '*'

config rule
	option enabled '1'
	option name 'Deny-IOT-Local'
	option proto 'all'
	option src 'iot'
	option target 'REJECT'

Here you'd change the upstream to your 10.x network. It is OK to block all of 10.0.0.0/8 since nothing on the Internet has that address.
This does not prevent IoT traffic from gatewaying through your main router. The blocking works on the final destination IP the client requested.

It would be straightforward to set up the WAN network in the Netgears as a bridge and add an additional SSID to make them additionally serve as dumb APs for your main network. Open ports 22 and 80 from the WAN so you can administer them from the main network.

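To check the adapted policy before loading it on the Netgears, here is a small evaluator of the fw3 rule semantics the posted config relies on (a `config rule` without `dest` applies to traffic addressed to the router itself, one with `dest` applies to forwarded traffic, the first matching rule wins, and the `config forwarding` and zone `input`/`forward` policies apply only when no rule matched). This is an added example and not code from the thread or from OpenWrt; it assumes the Netgear's IoT-side address is 192.168.1.1, the upstream 10.0.0.0/8 block mk24 suggests, and the flows below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: Netgear IoT LAN 192.168.1.0/24, router at 192.168.1.1,
# upstream ASUS LAN 10.10.16.0/24 reached through the 'wan' zone.
IOT_LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1"),
                ipaddress.ip_address("255.255.255.255")}  # DHCP discover is broadcast

ZONES = {"iot": {"input": "REJECT", "forward": "REJECT"}}
FORWARDINGS = {("iot", "wan")}          # the single 'config forwarding' stanza


@dataclass
class Rule:
    name: str
    src: str
    target: str
    dest: Optional[str] = None          # None = input chain, '*' = forward to any zone
    proto: frozenset = frozenset({"all"})
    dest_ip: Optional[ipaddress.IPv4Network] = None
    dest_port: Optional[int] = None

    def matches(self, src_zone, dst_zone, dst_ip, proto, dport):
        if self.src != src_zone:
            return False
        if self.dest is None:               # input-chain rule: router must be the target
            if dst_zone is not None:
                return False
        elif dst_zone is None or (self.dest != "*" and self.dest != dst_zone):
            return False                    # forward-chain rule: zone must match
        if "all" not in self.proto and proto not in self.proto:
            return False
        if self.dest_ip is not None and dst_ip not in self.dest_ip:
            return False
        if self.dest_port is not None and dport != self.dest_port:
            return False
        return True


# The posted rules in their original order, upstream changed to 10.0.0.0/8.
RULES = [
    Rule("IOT-DHCP", "iot", "ACCEPT", proto=frozenset({"udp"}), dest_port=67),
    Rule("IOT-DNS", "iot", "ACCEPT", proto=frozenset({"tcp", "udp"}), dest_port=53),
    Rule("Deny-IOT-Upstream", "iot", "REJECT", dest="*",
         dest_ip=ipaddress.ip_network("10.0.0.0/8")),
    Rule("Deny-IOT-Local", "iot", "REJECT"),
]


def route(dst_ip):
    """Zone a forwarded packet leaves through; None when the router is the destination."""
    if dst_ip in ROUTER_ADDRS:
        return None
    if dst_ip in IOT_LAN:
        return "iot"
    return "wan"                            # default route towards the ASUS


def verdict(src_zone, dst, proto, dport):
    """Return (target, reason) for a new flow from src_zone to dst:dport."""
    dst_ip = ipaddress.ip_address(dst)
    dst_zone = route(dst_ip)
    for rule in RULES:                      # first matching rule wins
        if rule.matches(src_zone, dst_zone, dst_ip, proto, dport):
            return rule.target, rule.name
    if dst_zone is None:
        return ZONES[src_zone]["input"], "zone input policy"
    if (src_zone, dst_zone) in FORWARDINGS:
        return "ACCEPT", f"forwarding {src_zone}->{dst_zone}"
    return ZONES[src_zone]["forward"], "zone forward policy"


if __name__ == "__main__":
    # Constructed flows: public host, a PC on the ASUS LAN, the ASUS itself,
    # DNS and DHCP to the Netgear, and an SSH attempt at the Netgear.
    for flow in [("203.0.113.10", "tcp", 443), ("10.10.16.50", "tcp", 445),
                 ("10.10.16.1", "tcp", 80), ("192.168.1.1", "udp", 53),
                 ("255.255.255.255", "udp", 67), ("192.168.1.1", "tcp", 22)]:
        print(flow, verdict("iot", *flow))
```

The run makes the point in mk24's note concrete: the packet to 203.0.113.10 is accepted by the iot-to-wan forwarding even though it is routed via 10.10.16.1, while anything whose final destination is in 10.0.0.0/8, the ASUS itself included, hits Deny-IOT-Upstream. Rule order matters too: if Deny-IOT-Local were listed above the DHCP and DNS rules, IoT clients would lose both, which is easy to see by swapping the entries in `RULES`.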

Thanks mk24. Makes a lot of sense to me; I'll give it a try.

Cheers,
Bill

This looks similar to a guest WLAN on a wireless AP, which is pretty much covered in the documentation.

Thanks mk24,

I adapted your configs for my network and things work exactly as I want them to.

Cheers,
Bill
