VLANs & Inter-Zone-Forwarding

Hello,
I am a newbie. The following configuration somehow does not work (Turris OS version 3.10.8)!

wan (eth1) --> wolke (eth2) --> (okay)
lan (eth0) --> wolke (eth2) --> (?)
musik (eth0) --> wolke (eth2) --> (?)

I am able to connect from the outside to the server “wolke” but not from “lan” nor “musik”. The server on wolke does not get any lets encrypt certificate.

a) /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxx:xxxx::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '1000'
	option _orig_ifname 'eth0 eth2 wlan0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option ipv6 '1'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6'

config interface 'guest_turris'
	option type 'bridge'
	option proto 'static'
	option bridge_empty '1'
	option enabled '1'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	list ifname 'guest_turris_0'
	list ifname 'guest_turris_1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '3 5t'

config interface 'musik'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
	option ip6assign '64'
	option ip6hint '3000'

config interface 'wolke'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option ip6assign '64'
	option ip6hint '2000'
	option _orig_ifname 'eth2'
	option _orig_bridge 'false'
	option ifname 'eth2'

b) /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config zone 'guest_turris'
	option name 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option enabled '1'
	list network 'guest_turris'

config forwarding 'guest_turris_forward_wan'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'
	option enabled '1'

config rule 'guest_turris_dns_rule'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '1'

config rule 'guest_turris_dhcp_rule'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'
	option enabled '1'

config zone
        option name 'musik'
        list network 'musik'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'musik'
        option dest 'wan'

config zone
        option name 'wolke'
        list network 'wolke'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'wolke'
        option dest 'wan'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option dest 'wolke'
        option name 'wolke HTTPS'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'wolke'
        option proto 'tcp'
        option dest_ip '192.168.2.80'
        option name 'wolke'

config forwarding
        option src 'wolke'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wolke'

c) /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option port '0'
	option localservice '1'
	option nonwildcard '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,192.168.1.1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest_turris'
	option interface 'guest_turris'
	option start '200'
	option limit '50'
	option leasetime '1h'
	option ignore '0'
	list dhcp_option '6,10.111.222.1'

config dhcp 'musik'
	option interface 'musik'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,192.168.3.1'
	option ra_management '1'

config dhcp 'wolke'
	option interface 'wolke'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,192.168.2.1'
	option ra_management '1'

config host
	option name 'server'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.2.80'

d) /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option country 'CZ'
	option hwmode '11a'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'VHT80'
	option disabled '0'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option disabled '0'
	option ssid 'lanWLAN5'
	option hidden '0'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option key 'xxxxxxxxxxxxxxxx'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option country 'CZ'
	option hwmode '11g'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option disabled '0'
	option ssid 'lanWLAN'
	option hidden '0'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option key 'xxxxxxxxxxxxxxx'
	option network 'lan'

config wifi-iface 'guest_iface_0'
	option device 'radio0'
	option disabled '0'
	option mode 'ap'
	option ssid 'homeGAST5'
	option network 'guest_turris'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option key 'xxxxxxxxxxx'
	option ifname 'guest_turris_0'
	option isolate '1'

config wifi-iface 'guest_iface_1'
	option device 'radio1'
	option disabled '0'
	option mode 'ap'
	option ssid 'homeGAST'
	option network 'guest_turris'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option key 'xxxxxxxxxxxxx'
	option ifname 'guest_turris_1'
	option isolate '1'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option disabled '0'
        option ssid 'homeMUSIK5'
        option hidden '0'
        option encryption 'psk2+ccmp'
        option wpa_group_rekey '86400'
        option key 'xxxxxxxxxxxxxxxxx'
        option network 'musik'

nano /etc/config/resolver

–> section ‘kresd’
list hostname_config ‘/etc/hosts’

nano /etc/hosts

192.168.2.80 x.y.z
192.168.2.80 a.b.c

instead in /etc/config/dhcp