Hi,
I have a TP-Link Archer7v2 (V22.03.3), configured as router, and four Xiaomi 4A 100M (SNAPSHOT r21626) devices configured as APs in a batman-adv mesh, following the great videos from OneMarcFifty.
Like Marc, I have three zones configured in the firewall: 'lan', 'guest' and 'iot'.
Everything works as expected, only one thing does not:
I can't access the devices in the 'iot' zone from the 'lan' zone, even though forwarding is set up to allow it.
I can ping the devices from the router (via ssh). If I attach a device via Wifi to the 'iot' network, I can access the devices.
Maybe someone can give me a hint; I have tried for two days without success.
/etc/config/firewall
# /etc/config/firewall on the router — first version posted in the thread.
# Global policies: these apply to traffic that matches none of the zones below.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# SYN-flood rate limiting on the router's INPUT chain.
option synflood_protect '1'
# Software flow offloading: once a flow is established its packets bypass the
# normal rule walk, so a firewall change may not affect an already-open
# connection until it is re-established — retest from a fresh connection.
option flow_offloading '1'
# NOTE(review): the stock OpenWrt default for this policy is REJECT. With
# ACCEPT, a network that is accidentally left out of every zone (e.g. through
# a name mismatch such as 'IOT' vs 'iot') can still be forwarded unrestricted.
option forward 'ACCEPT'
# 'lan': trusted network; router services such as ssh are reachable from it.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# 'wan': nothing initiated from the Internet reaches the router or is
# forwarded unless a rule/redirect below allows it; outbound traffic is
# masqueraded (NAT) and TCP MSS is clamped to the path MTU.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# 'iot': input ACCEPT lets every IoT device reach every service on the router
# (ssh included), which also makes the 'IOT DHCP and DNS' rule at the end of
# this file redundant. NOTE(review): for an IoT segment the usual
# least-privilege shape is input REJECT plus that explicit DHCP/DNS rule.
# The zone-level 'forward' only governs traffic between networks inside this
# zone; with a single network listed it has no effect.
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'ACCEPT'
# Network names are case-sensitive and must match the interface section name
# in /etc/config/network; later in the thread both are renamed to 'iot'.
list network 'IOT'
# 'guest': cannot reach router services except through the explicit DHCP/DNS
# rule below, and is only forwarded where a 'config forwarding' allows it.
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
option input 'REJECT'
# Inter-zone forwarding. Each entry is one-directional: 'src' may initiate
# connections into 'dest'; only the replies flow back (connection tracking).
# There is no 'iot' -> 'wan' and no 'iot' -> 'lan' entry, so IoT devices can
# open connections neither to the Internet nor to the lan — sensible for
# cameras, as long as it is intended.
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
# Port forward from the WAN side: connections arriving on the WAN address
# 192.168.178.100, port 1883, are DNATed to 192.168.1.20:1883 in 'lan'.
# No 'option proto' is given, so the redirect applies to both tcp and udp.
# 1883 is the registered MQTT port and the name suggests a Mosquitto broker.
# NOTE(review): a broker reachable from the WAN zone should require client
# authentication (or TLS on 8883), and 'option src_ip' can limit who may
# reach it. The WAN address is itself private (192.168.178.x), which looks
# like an upstream router; that router would need a matching forward too.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'TestMosquitoo'
option src_dip '192.168.178.100'
option src_dport '1883'
option dest_ip '192.168.1.20'
option dest_port '1883'
option src 'wan'
# Traffic rules. A rule without 'dest' matches traffic addressed to the router
# itself (INPUT); a rule with 'dest' matches forwarded traffic. The rules from
# here through 'Allow-ISAKMP' are the stock OpenWrt defaults.
# DHCP lease renewals from the ISP's DHCP server.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 echo requests from the Internet are answered (stock default; can be
# dropped if the router should not reveal itself to scans).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 client replies.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery, link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types IPv6 needs for neighbour discovery and path MTU, rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same, forwarded to any zone ('dest *'); inbound IPv6 pings to hosts behind
# the router are therefore allowed.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through into 'lan' (stock default; harmless if no IPsec peer
# exists, but removable if unused).
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest clients may reach the router's DNS (53) and DHCP (67/68) only; needed
# because the guest zone has input REJECT. No 'proto' given, so tcp and udp.
config rule
option name 'Guest DHCP and DNS'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
# Same intent for IoT, but it only takes effect once the iot zone's input
# policy is changed from ACCEPT to REJECT (see the zone above).
config rule
option src 'iot'
option dest_port '53 67 68'
option target 'ACCEPT'
option name 'IOT DHCP and DNS'
Wait, you are allowing everything from the iot zone as well. Anyway, are you sure about the name? You called it 'iot' in the rule, but the listed network is 'IOT'.
To reduce the confusion I renamed the zones to 'iotzone', 'lanzone' and 'guestzone'.
I checked the network name, it was indeed 'IOT'. I changed that to 'iot'...
The current config is not working either:
firewall
# /etc/config/firewall on the router — second version: zones renamed to
# *zone and the iot network name lower-cased. Option order inside a UCI
# section does not matter, so 'option name' moving to the end changes nothing.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
# Offloaded flows bypass the rule walk; retest after re-establishing connections.
option flow_offloading '1'
# NOTE(review): stock default is REJECT; ACCEPT forwards traffic from any
# interface that is not a member of a zone.
option forward 'ACCEPT'
# Trusted network; router services (e.g. ssh) reachable from here.
config zone
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'lanzone'
# Internet side: nothing inbound unless a rule/redirect allows it; NAT out.
config zone
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option name 'wanzone'
# IoT segment. NOTE(review): input ACCEPT gives IoT devices access to all
# router services; input REJECT plus the 'IOT DHCP and DNS' rule below is the
# least-privilege form. This setting is not what blocks lan -> iot traffic.
config zone
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'ACCEPT'
# Must match the interface section name in the router's /etc/config/network
# (that file is not shown in the thread).
list network 'iot'
option name 'iotzone'
# Guest segment: no router services except the explicit DHCP/DNS rule.
config zone
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
option input 'REJECT'
option name 'guestzone'
# One-directional inter-zone forwarding; replies are allowed by connection
# tracking. lan -> iot is present, so the firewall permits the traffic the
# thread is about. NOTE(review): the reported symptom — the router's own
# 192.168.2.1 answers pings from the lan but the cameras do not, while the
# router itself can ping the cameras — is consistent with the cameras having
# no route back to 192.168.1.0/24 (e.g. a static address without a default
# gateway, or a wrong netmask) rather than with this firewall; worth checking
# the cameras' IP settings. Still no iot -> wan entry: IoT has no Internet.
config forwarding
option dest 'iotzone'
option src 'lanzone'
config forwarding
option src 'lanzone'
option dest 'wanzone'
config forwarding
option src 'guestzone'
option dest 'wanzone'
# WAN port forward: 192.168.178.100:1883 -> 192.168.1.20:1883 (lan), tcp and
# udp because no 'option proto' is set. 1883 is the registered MQTT port.
# NOTE(review): a broker exposed this way should require client
# authentication or TLS (8883); 'option src_ip' can restrict the sources.
config redirect
option target 'DNAT'
option name 'TestMosquitoo'
option src_dip '192.168.178.100'
option src_dport '1883'
option dest_ip '192.168.1.20'
option dest_port '1883'
option dest 'lanzone'
option src 'wanzone'
# Traffic rules, unchanged apart from the zone names. Rules without 'dest'
# protect the router itself; 'Allow-ICMPv6-Forward' ('dest *') is the only
# forwarded one. Through 'Allow-ISAKMP' these are the stock OpenWrt defaults.
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'wanzone'
# IPv4 ping from the Internet is answered (stock default).
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'wanzone'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'wanzone'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'wanzone'
# MLD from link-local sources only.
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'wanzone'
# ICMPv6 types required for neighbour discovery and path MTU, rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'wanzone'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'wanzone'
# IPsec pass-through into the lan (stock default; removable if unused).
config rule
option name 'Allow-IPSec-ESP'
option proto 'esp'
option target 'ACCEPT'
option dest 'lanzone'
option src 'wanzone'
config rule
option name 'Allow-ISAKMP'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lanzone'
option src 'wanzone'
# Guest clients may use the router's DNS/DHCP only (tcp and udp, no 'proto').
config rule
option name 'Guest DHCP and DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
option src 'guestzone'
# Only effective once the iotzone input policy is REJECT; with ACCEPT it is
# redundant.
config rule
option dest_port '53 67 68'
option target 'ACCEPT'
option name 'IOT DHCP and DNS'
option src 'iotzone'
I don't want to take the lead on helping but I have a suggestion.
Assuming the 'device' in the 'lan' from which you are testing connectivity is a desktop-type computer, I will refer to it as 'pc'.
Is your pc network config using 192.168.1.1 as its default gateway?
Can the pc ping 192.168.2.1 ?
That is strange... I can ping from my PC in the lan network to 192.168.2.1, but not to one of the devices, like 192.168.2.50.
Ping wird ausgeführt für 192.168.2.1 mit 32 Bytes Daten:
Antwort von 192.168.2.1: Bytes=32 Zeit=4ms TTL=64
Antwort von 192.168.2.1: Bytes=32 Zeit=1ms TTL=64
Antwort von 192.168.2.1: Bytes=32 Zeit=11ms TTL=64
Antwort von 192.168.2.1: Bytes=32 Zeit=1ms TTL=64
Sorry, I forgot that you changed the names in your second post: you have to change iot and lan to iotzone and lanzone to avoid the error. But you already have the correct firewall config, as @spence noted, so follow his suggestions; it could be a routing issue. The rule I suggested could be worth a try.
No problem, I added the rule with the correct zone names... it is not working.
After the changes I restarted the firewall/network services, but the problem persists.
I forget the typical config issue for this symptom, though. Maybe it will come to me, or someone else will reply with the answer.
Another idea is to reboot the router, if you have not done that since adding the additional networks and changing the firewall. I had to do that when setting up my added networks.
EDIT: restarting the network/firewall was not enough to get the added config to work; I had similar reachability issues.
If you can set a wired port on the Archer7 to be in the 'iot' VLAN, try doing that, connect a device to that port and verify that it gets the right address and gateway. Is it reachable from your pc connected to the 'lan'?
If those ideas don't help: @giuliomagnifico recently had an issue that was fixed with an unexpected firewall config. Maybe he could pursue that possible change with your setup.
My issue was with specifying both the device and the interface. In this case it should be `list device 'br-iot'` added to the firewall config — like this, if I'm not wrong, with @sude22's config:
# Suggested iot zone: binds the zone to the bridge device explicitly as well
# as to the 'iot' logical interface. Harmless if both refer to the same
# bridge; only needed when the interface-to-device mapping is ambiguous.
# NOTE(review): input is still ACCEPT here — see the earlier remark that an
# IoT zone is normally input REJECT plus an explicit DHCP/DNS rule.
config zone
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'ACCEPT'
list network 'iot'
option name 'iotzone'
list device 'br-iot'
Thank you. I changed that; after a reboot, the same behaviour.
What I don't understand is why I can ping 192.168.2.1 from 'lan', but not the other devices (IP cams).
AP config:
network
# /etc/config/network on one of the Xiaomi 4A mesh APs (the router's own
# network config is not shown in the thread).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Management bridge: batman-adv VLAN 1 (bat0.1) plus the wired port eth0.
# bridge_empty keeps the bridge up even with no active member; IPv6 is
# disabled on it. The locally administered MAC (02:...) pins the bridge
# address — presumably distinct on each AP, verify against the other nodes.
config device
option name 'br-lan'
option type 'bridge'
option bridge_empty '1'
list ports 'bat0.1'
list ports 'eth0'
option macaddr '02:BA:DE:AF:FE:03'
option ipv6 '0'
# The AP's only IP address: static in the lan, default gateway = the router.
# Because the guest and iot interfaces below are proto 'none', the AP can be
# managed (ssh) from the lan only, which is the right exposure for an AP.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.3'
option gateway '192.168.1.1'
option broadcast '192.168.1.255'
option netmask '255.255.255.0'
# Built-in switch with VLAN filtering turned off (enable_vlan '0'); the
# switch_vlan entry for VLAN 1 below is then, as far as this file shows,
# not applied — NOTE(review): confirm. If a wired port is ever meant to
# carry the tagged iot/guest VLANs (as suggested in the thread for testing),
# this is where it would be configured.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '0'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 4 6t'
config device
option name 'eth0'
# batman-adv mesh (BATMAN_IV). gw_mode off: this node neither announces nor
# selects a batman gateway; IP routing to the Internet stays with the router.
# bridge_loop_avoidance is required because the bat0.N VLANs are bridged on
# every node and a wired uplink could otherwise loop back into the mesh.
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option gw_mode 'off'
option hop_penalty '30'
option bridge_loop_avoidance '1'
# Hard interface feeding bat0 (presumably the phy1-mesh0 radio listed below;
# no 'option device' is visible here). MTU 1532 leaves room for the
# batman-adv header. All three VLANs ride on this link, so its encryption
# matters — that is set in /etc/config/wireless, which the thread does not
# show. NOTE(review): confirm the 802.11s mesh is encrypted (SAE).
config interface 'batmesh'
option proto 'batadv_hardif'
option master 'bat0'
option mtu '1532'
# Guest bridge over batman VLAN 4; same fixed-MAC / no-IPv6 pattern as br-lan.
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
list ports 'bat0.4'
option macaddr '02:BA:DE:AF:FE:13'
option ipv6 '0'
# proto 'none': the AP has no address on the guest network, so guest clients
# cannot reach the AP itself. The upper-case section name is local to this
# AP; it does not have to match the router's zone/network names.
config interface 'GUEST'
option device 'br-guest'
option proto 'none'
# Raised MTU on the mesh radio and on bat0 to carry the batman-adv
# encapsulation without fragmenting 1500-byte client frames.
config device
option name 'phy1-mesh0'
option mtu '1532'
config device
option name 'bat0'
option mtu '1532'
# IoT bridge over batman VLAN 2 (the cameras' traffic), fixed MAC, no IPv6.
config device
option type 'bridge'
option name 'br-iot'
list ports 'bat0.2'
option bridge_empty '1'
option ipv6 '0'
option macaddr '02:BA:DE:AF:FE:23'
# proto 'none', no default route, no prefix delegation: the AP only bridges
# IoT frames at layer 2 and has no presence on that network. Since Wi-Fi
# clients on this bridge do reach the cameras (per the thread), layer 2 over
# bat0.2 appears to work; what this file cannot show is the cameras' own IP
# configuration (gateway/netmask), which is the remaining suspect for the
# "router answers, cameras don't" symptom — TODO confirm on a camera.
config interface 'iot'
option device 'br-iot'
option proto 'none'
option force_link '1'
option delegate '0'
option defaultroute '0'