Access a service in the LAN from another private CIDR

The topology of my network is the same as described in this article. The laptop, with an IP in the range 172.10.3.0/24, connects to the main router 192.168.1.1 via the gateway 192.168.1.2; the Samba service is on 192.168.1.3.

The AP (IP 192.168.1.2) and the Samba server are connected to the same switch, which connects to the main router.

It worked well until I decided to disable IPv6 on my main router, which I did. After that, the laptop connected to Wi-Fi with IP 172.10.3.x could no longer access the Samba server 192.168.1.3.

I suspect it previously worked with the help of IPv6, even though I didn't realize it. Now I am struggling to get it working with IPv4 only — how can I do that?

The network config of the AP, which is also running OpenWrt:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.10.3.1'
        option netmask '255.255.255.0'

config interface 'guest2'
        option proto 'static'
        option ipaddr '172.10.4.1'
        option netmask '255.255.255.0'

And the firewall config of the AP:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'guest1'
        option name 'guest1'
        option output 'ACCEPT'
        list device 'wlan0'
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option network 'guest2'
        option forward 'REJECT'
        option name 'guest2'
        option output 'ACCEPT'
        option input 'REJECT'
        list device 'wlan1'

config rule
        option dest_port '53'
        option src 'guest1'
        option name 'Allow Guest1 DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'

config rule
        option dest_port '53'
        option src 'guest2'
        option name 'Allow Guest2 DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option family 'ipv4'

config rule
        option src 'guest1'
        option name 'Allow Guest1 DHCP'
        option target 'ACCEPT'
        option dest_port '67-68'
        option proto 'udp'
        option src_port '67-68'

config rule
        option src 'guest2'
        option name 'Allow Guest2 DHCP'
        option target 'ACCEPT'
        option dest_port '67-68'
        option proto 'udp'
        option src_port '67-68'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config forwarding
        option dest 'lan'
        option src 'guest1'

config forwarding
        option dest 'lan'
        option src 'guest2'

config rule
        option dest_port '137-138 445'
        option src 'guest1'
        option name 'Allow Guest1 Access Samba #1'
        option dest 'lan'
        list dest_ip '192.168.1.3'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option dest_port '139 445'
        option src 'guest1'
        option name 'Allow Guest1 Access Samba #2'
        option dest 'lan'
        list dest_ip '192.168.1.3'
        option target 'ACCEPT'
        list proto 'tcp'

And the config of my main router:
Network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:90'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:93'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'vpn'
        option ifname 'vpns+'
        option proto 'static'

config route 'wifi0'
        option interface 'lan'
        option target '172.10.3.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

config route 'wifi1'
        option interface 'lan'
        option target '172.10.4.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'guest0'

config forwarding
        option dest 'wan'
        option src 'guest1'

What am I missing?

You realize that 172.10.3.x is not a valid private IP, but publicly assigned address space? The RFC 1918 private block in 172.x is 172.16.0.0/12 (172.16.0.0–172.31.255.255); 172.10.0.0/16 lies outside it, so routers and address-based filters (such as the bcp38 script included in the AP's firewall config) will not treat 172.10.3.0/24 and 172.10.4.0/24 as internal networks.
