Can not communicate between Firewall Zones

Hello,

I have configured different VLANs, which are connected to their specific interface. Each interface is part of a specific Firewall Zone. My problem is that I cannot communicate between the zones. For example, I want to access a PC at 192.168.2.105 on my IOT interface from the 192.168.1.0/24 LAN network. However, I cannot access anything on the other networks. When I try it from the same network, everything works fine. I have enabled Zone Forwardings from LAN -> IOT and IOT -> LAN, but it doesn't seem to change anything. I also tried logging the rejected packets; however, I cannot see any logs in the system log coming from LAN and going to my PC at 192.168.2.105.

Here is the /etc/config/firewall:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option forward 'REJECT'
	option log '1'
	option log_limit '1000'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option log '1'
	option log_limit '100'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'wan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'OpenVPN'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_vpn'

config forwarding
	option src 'lan_vpn'
	option dest 'wan_vpn'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'lan'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'
Your configuration is correct.
The explanation for your issue is the host firewall not allowing communication from other subnets. This is quite typical in Windows.

OK, so first of all, the PC on the IOT network is running Ubuntu Server. In order to test this, I also connected other devices to the IOT network, like smart devices, an Android phone, etc. I cannot reach any of them by pinging them. I tried to ping them from a Windows computer. I also tried to ping them from an Android phone on the LAN network; the same thing happens.

Alright, then there is another way to verify that.
opkg update; opkg install tcpdump; tcpdump -i any -c 10 -vn host 192.168.2.105
Start a ping from a lan host, let it capture 10 packets and exit and post here the output.

13:15:09.969485 ethertype IPv4, IP (tos 0x0, ttl 128, id 5277, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 295, length 40
13:15:09.969485 IP (tos 0x0, ttl 128, id 5277, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 295, length 40
13:15:09.969485 IP (tos 0x0, ttl 128, id 5277, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 295, length 40
13:15:09.969654 IP (tos 0x0, ttl 127, id 5277, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.178.130 > 192.168.2.105: ICMP echo request, id 1, seq 295, length 40
13:15:14.673860 ethertype IPv4, IP (tos 0x0, ttl 128, id 5278, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 296, length 40
13:15:14.673860 IP (tos 0x0, ttl 128, id 5278, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 296, length 40
13:15:14.673860 IP (tos 0x0, ttl 128, id 5278, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 296, length 40
13:15:14.673993 IP (tos 0x0, ttl 127, id 5278, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.178.130 > 192.168.2.105: ICMP echo request, id 1, seq 296, length 40
13:15:19.671419 ethertype IPv4, IP (tos 0x0, ttl 128, id 5279, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 297, length 40
13:15:19.671419 IP (tos 0x0, ttl 128, id 5279, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.173 > 192.168.2.105: ICMP echo request, id 1, seq 297, length 40
10 packets captured
12 packets received by filter
0 packets dropped by kernel

The PC I sent them from has the IP 192.168.1.173.

It seems that you have messed up routing, as I see the same packet 4 times and the last time it is sent with source IP 192.168.178.130.
Let's see the whole picture.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.10.146",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde6:f3dc:fa4f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1 6t'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.3'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '3'
        option description 'Guest'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth1.4'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 2t'
        option vid '4'
        option description 'IOT'

config interface 'OpenVPN'
        option device 'tun0'
        option proto 'none'
        option peerdns '0'
        option auto '0'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 2t'
        option vid '5'
        option description 'VPN'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.178.1'
        option table '100'

config interface 'lan_vpn'
        option proto 'static'
        option device 'br-vpn'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config device
        option name 'br-vpn'
        option type 'bridge'
        list ports 'eth1.5'
        option bridge_empty '1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option forward 'REJECT'
        option log '1'
        option log_limit '1000'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option log '1'
        option log_limit '100'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'wan_vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'OpenVPN'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone
        option name 'lan_vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_vpn'

config forwarding
        option src 'lan_vpn'
        option dest 'wan_vpn'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: br-vpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-vpn
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.130/24 brd 192.168.178.255 scope global eth0.2
       valid_lft forever preferred_lft forever
19: br-iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-iot
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth0.2 table 100
default via 192.168.178.1 dev eth0.2  src 192.168.178.130
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 dev br-iot scope link  src 192.168.2.1
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1
192.168.5.0/24 dev br-vpn scope link  src 192.168.5.1
192.168.178.0/24 dev eth0.2 scope link  src 192.168.178.130
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.2.0 dev br-iot table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-iot table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-iot table local scope link  src 192.168.2.1
broadcast 192.168.3.0 dev br-guest table local scope link  src 192.168.3.1
local 192.168.3.1 dev br-guest table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local scope link  src 192.168.3.1
broadcast 192.168.5.0 dev br-vpn table local scope link  src 192.168.5.1
local 192.168.5.1 dev br-vpn table local scope host  src 192.168.5.1
broadcast 192.168.5.255 dev br-vpn table local scope link  src 192.168.5.1
broadcast 192.168.178.0 dev eth0.2 table local scope link  src 192.168.178.130
local 192.168.178.130 dev eth0.2 table local scope host  src 192.168.178.130
broadcast 192.168.178.255 dev eth0.2 table local scope link  src 192.168.178.130
0:      from all lookup local
1:      from all iif br-lan lookup 100
32766:  from all lookup main
32767:  from all lookup default

So my OpenWrt router is behind a router/modem combo. This network is 192.168.178.0/24 and the 192.168.178.130 address belongs to the OpenWrt router. I do not understand why the ping is sent upstream to the router/modem combo, instead of simply being routed to the other zone.

Because of the following:

Add also this:

config route
        option interface 'iot'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option table '100'

and restart networking.

Oh, I used this rule to somehow get the OpenVPN to work (but this did not fix my problem) and did not know what the rule exactly did. After removing it, everything works fine; I did not need to add the extra route. Thank you very much for your time, have a great day!
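Why the `config rule ... option in 'lan' / option lookup '100'` entry broke inter-VLAN traffic, and why the firewall never logged a rejected packet: the kernel walks `ip rule` entries in priority order, and the first table that contains a matching route decides. Table 100 held only a default route, so every packet arriving on br-lan, including one for 192.168.2.105, matched it and left via eth0.2; it never reached the main table where the connected 192.168.2.0/24 route lives. From the firewall's point of view that was lan -> wan forwarding, which is allowed, followed by masquerading, which is the 192.168.178.130 source seen in the last tcpdump line. The script below is an added example, not code from the thread; it models that lookup with the tables and rules printed on the page and compares the broken state against both fixes (removing the rule, as the poster did, and copying the IoT subnet into table 100, as the reply suggested). The function and table names are my own.

```python
import ipaddress
from typing import Optional

# Added example: a minimal model of Linux policy routing (ip rule + per-table
# longest-prefix match), loaded with the router's tables from this thread.
# Semantics modelled: rules are walked by priority; an "iif" selector must
# match the ingress device; the first table with a matching route wins; a
# table with no match falls through to the next rule.


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def route(dst: str, dev: str, via: Optional[str] = None) -> dict:
    return {"dst": net(dst), "dev": dev, "via": via}


# main table, as printed by `ip -4 ro li tab all` on the page
MAIN = [
    route("0.0.0.0/0", "eth0.2", "192.168.178.1"),
    route("192.168.1.0/24", "br-lan"),
    route("192.168.2.0/24", "br-iot"),
    route("192.168.3.0/24", "br-guest"),
    route("192.168.5.0/24", "br-vpn"),
    route("192.168.178.0/24", "eth0.2"),
]

# table 100 as configured: only a default route, no connected subnets
TABLE_100 = [route("0.0.0.0/0", "eth0.2", "192.168.178.1")]

# (priority, iif selector or None for "from all", table), as in `ip -4 ru`
RULES = [(1, "br-lan", 100), (32766, None, "main"), (32767, None, "default")]


def longest_prefix_match(table: list, dst: ipaddress.IPv4Address) -> Optional[dict]:
    best = None
    for r in table:
        if dst in r["dst"] and (best is None or r["dst"].prefixlen > best["dst"].prefixlen):
            best = r
    return best


def lookup(dst: str, iif: str, rules: list, tables: dict) -> Optional[dict]:
    """Return the chosen route plus the table it came from, or None."""
    addr = ipaddress.ip_address(dst)
    for _prio, sel_iif, table_id in sorted(rules, key=lambda r: r[0]):
        if sel_iif is not None and sel_iif != iif:
            continue
        hit = longest_prefix_match(tables.get(table_id, []), addr)
        if hit is not None:
            return {**hit, "table": table_id}
    return None


def egress(dst: str, iif: str, rules: list, tables: dict):
    """(device, gateway, table) the packet would leave through, or None."""
    r = lookup(dst, iif, rules, tables)
    return None if r is None else (r["dev"], r["via"], r["table"])


def scenarios(dst: str = "192.168.2.105", iif: str = "br-lan") -> dict:
    tables_broken = {100: TABLE_100, "main": MAIN, "default": []}
    # fix 1 (what the poster did): drop the "iif br-lan lookup 100" rule
    rules_no_pbr = [r for r in RULES if r[2] != 100]
    # fix 2 (what the reply proposed): copy the connected IoT subnet into table 100
    tables_fixed = {**tables_broken, 100: TABLE_100 + [route("192.168.2.0/24", "br-iot")]}
    return {
        "broken": egress(dst, iif, RULES, tables_broken),
        "rule_removed": egress(dst, iif, rules_no_pbr, tables_broken),
        "route_added": egress(dst, iif, RULES, tables_fixed),
    }


if __name__ == "__main__":
    for target in ("192.168.2.105", "192.168.3.7"):
        for name, result in scenarios(target).items():
            print(f"{target:15s} {name:13s} -> {result}")
```

Running it shows the lan -> IoT ping leaving via eth0.2 toward 192.168.178.1 in the broken state and via br-iot after either fix. It also shows the limitation of the route-copy fix: with only 192.168.2.0/24 added to table 100, a lan host trying to reach the guest network (192.168.3.x) is still sent upstream, so every connected subnet lan should reach has to be copied into table 100 (or the rule dropped, as the poster did).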
