Hi, besides the default VLAN 1 I have created two other VLANs:
- IoT = VLAN 30, subnet 192.168.30.1/24
- NoT = VLAN 40, subnet 192.168.40.1/24
- lan = VLAN 1, subnet 192.168.1.1/24
I have an Ubuntu VM (Docker host) at IP 192.168.1.3, and I want to ping 192.168.1.3 from both VLAN 30 and VLAN 40. For some reason it only works from VLAN 40 and not from VLAN 30, and I can't figure out why. My switch, interface, DHCP and firewall rules are identical for both VLANs.
Does anyone have suggestions on where I should look to get ping working from both VLANs to 192.168.1.3?
You would think that this rule should be enough:
# Forward rule: traffic from the IoT zone into the lan zone, any protocol,
# accepted only when the destination is 192.168.1.3 (src + dest given, so this
# is a forward rule, not an input rule for the router itself).
config rule
option dest 'lan'
option src 'IoT'
list dest_ip '192.168.1.3'
option target 'ACCEPT'
list proto 'all'
Also, here are my config files:
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd36:e403:1cf3::/48'
# lan: bridge over the untagged VLAN 1 sub-interface, 192.168.1.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# wan: VLAN 2 sub-interface, address from the upstream DHCP server.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.20'
# IoT (VLAN 30) and NoT (VLAN 40) are defined identically apart from the VID and
# address; both enable IGMP snooping on their bridge, which lan does not.
config interface 'IoT'
option proto 'static'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.30'
option ipaddr '192.168.30.1'
option igmp_snooping '1'
config interface 'NoT'
option proto 'static'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.40'
option ipaddr '192.168.40.1'
option igmp_snooping '1'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '18:e8:29:23:5d:f6'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '18:e8:29:23:5d:f7'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# Port 6 is tagged on every VLAN (presumably the CPU port). Port 1 is untagged
# (native) for VID 1 and tagged for VIDs 2, 20, 40 and 30, i.e. it is the trunk
# towards the downstream switch.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '6t 1'
# NOTE(review): the wan VLAN (VID 2, port 0) is also carried tagged on trunk
# port 1 — confirm that is intended, since anything downstream that tags VID 2
# sits on the WAN side of this router.
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '6t 1t 0'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '20'
option ports '6t 1t'
# VID 40 (NoT) and VID 30 (IoT) have the same port membership; only the switch
# slot number (4 vs 5) differs, so there is no switch-level asymmetry here.
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '40'
option ports '6t 1t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '30'
option ports '6t 1t'
cat /etc/config/dhcp
config dnsmasq
option localise_queries '1'
# DNS rebind protection is on (answers pointing at private addresses are dropped).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# localservice '0': dnsmasq is not restricted to answering only directly
# attached subnets — reachability is then governed by the firewall alone.
option localservice '0'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'lan'
option start '10'
option limit '150'
option interface 'lan'
option leasetime '12h'
# Option 6 hands lan clients 192.168.1.3 (the Docker host) as their DNS server.
# The guest/NoT/IoT pools do not set this, so those clients resolve through the
# router itself, which is what their Allow-DNS input rules in the firewall serve.
list dhcp_option '6,192.168.1.3'
config dhcp 'guest'
option start '100'
option limit '150'
option interface 'guest'
option leasetime '1h'
# NoT and IoT pools are identical (start 100, 150 leases, 12h).
config dhcp 'NoT'
option start '100'
option limit '150'
option interface 'NoT'
option leasetime '12h'
config dhcp 'IoT'
option start '100'
option limit '150'
option interface 'IoT'
option leasetime '12h'
cat /etc/config/firewall
# Custom rules from /etc/firewall.user (not shown in this post) are loaded on
# top of everything below, so they can also affect the IoT/NoT behaviour.
config include
option path '/etc/firewall.user'
# Global policy: traffic to the router itself is accepted unless a zone
# overrides it; traffic between zones is rejected unless a forwarding or rule
# admits it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'wan'
list network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan is the only zone whose own forward policy is ACCEPT.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'guest'
list network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# IoT and NoT zones both reject input and forward, so everything they send must
# be admitted by an explicit rule. One visible difference: NoT is limited to
# 'family ipv4', IoT is not (it also covers IPv6).
config zone
option name 'IoT'
list network 'IoT'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'NoT'
list network 'NoT'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option family 'ipv4'
# Forwardings exist only from lan (to wan, IoT, NoT) and guest (to wan). There
# is no IoT->lan or NoT->lan forwarding, so reaching 192.168.1.3 from those
# zones depends entirely on the rules further down.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'IoT'
config forwarding
option src 'lan'
option dest 'NoT'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# src wan with no dest: echo-request to the router itself only, not forwarded.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ESP and ISAKMP (udp/500) are forwarded from wan into lan; together with the
# udp/500 and udp/4500 redirects below this exposes an IPsec endpoint on
# 192.168.1.3 (per the rule names; the service itself is outside this post).
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forwards from wan to the Docker host. The 80/443 redirects give no proto,
# so the redirect default (tcp and udp) applies; the VPN ones are udp only.
config redirect
option dest_port '80'
option src 'wan'
option name 'NGINX'
option src_dport '80'
option target 'DNAT'
option dest_ip '192.168.1.3'
option dest 'lan'
config redirect
option dest_port '443'
option src 'wan'
option name 'NGINX'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.1.3'
option dest 'lan'
config redirect
option dest_port '500'
option src 'wan'
option name 'VPN'
option src_dport '500'
option target 'DNAT'
option dest_ip '192.168.1.3'
option dest 'lan'
list proto 'udp'
config redirect
option dest_port '4500'
option src 'wan'
option name 'VPN'
option src_dport '4500'
option target 'DNAT'
option dest_ip '192.168.1.3'
option dest 'lan'
list proto 'udp'
# guest: DHCP and DNS to the router only (src without dest = input chain).
config rule
option dest_port '67-68'
option src 'guest'
option target 'ACCEPT'
option family 'ipv4'
option name 'Allow-DHCP'
option src_port '67-68'
config rule
option dest_port '53'
option src 'guest'
option target 'ACCEPT'
option family 'ipv4'
option name 'Allow-DNS'
# NoT: DHCP, DNS and mDNS rules have no dest, so they only admit traffic to the
# router itself. The rules that reach into lan are all port-specific
# (tcp/6053, 5683 with the default proto, udp/123) — none of them admits ICMP
# to 192.168.1.3.
config rule
option target 'ACCEPT'
option src 'NoT'
option src_port '67-68'
option dest_port '67-68'
option family 'ipv4'
option name 'Allow-DHCP'
config rule
option dest_port '53'
option src 'NoT'
option target 'ACCEPT'
option family 'ipv4'
option name 'Allow-DNS'
config rule
option src_port '5353'
option src 'NoT'
option name 'Allow-mDNS'
option target 'ACCEPT'
list dest_ip '224.0.0.251'
option dest_port '5353'
list proto 'udp'
option family 'ipv4'
config rule
option src_port '6053'
option src 'NoT'
option target 'ACCEPT'
list dest_ip '192.168.1.3'
option dest_port '6053'
list proto 'tcp'
option name 'Allow-EspHome-API'
option dest 'lan'
option family 'ipv4'
# No proto given here, so the rule default (tcp and udp) applies to port 5683.
config rule
option src_port '5683'
option src 'NoT'
option name 'Allow-CoIoT'
option dest 'lan'
list dest_ip '192.168.1.3'
option target 'ACCEPT'
option dest_port '5683'
option family 'ipv4'
# Disabled copy of the NTP rule; superseded by the src '*' version below.
config rule
option name 'Allow-NTP'
option src 'NoT'
option target 'ACCEPT'
option family 'ipv4'
list dest_ip '192.168.1.3'
option dest_port '123'
option dest 'lan'
list proto 'udp'
option enabled '0'
# src '*' matches every zone, wan included, so this is broader than the other
# per-zone rules; it admits udp/123 to 192.168.1.3 from anywhere.
config rule
option dest_port '123'
option name 'Allow-NTP'
option target 'ACCEPT'
option family 'ipv4'
list dest_ip '192.168.1.3'
option dest 'lan'
list proto 'udp'
option src '*'
# IoT: same DHCP/DNS input rules as NoT, written slightly differently — the
# name carries a leading space and the ports are the space-separated list
# '67 68' rather than the range '67-68' (both forms mean ports 67 and 68).
config rule
option dest_port '67 68'
option src 'IoT'
option name ' Allow-DHCP-IoT'
option target 'ACCEPT'
option src_port '67 68'
config rule
option dest_port '53'
option src 'IoT'
option name 'Allow-DNS-IoT'
option target 'ACCEPT'
# The next two rules are identical (one is redundant). They are the only rules
# in this file that admit ICMP from either VLAN zone into lan, and they are on
# the IoT side: if the active firewall matches this file, IoT -> 192.168.1.3
# should pass and NoT -> 192.168.1.3 should be rejected, the reverse of what is
# reported. Worth checking the active ruleset (a pending reload, rules in
# /etc/firewall.user) and whether the host at 192.168.1.3 itself routes or
# filters 192.168.30.0/24 differently from 192.168.40.0/24.
config rule
option dest 'lan'
option src 'IoT'
list dest_ip '192.168.1.3'
option target 'ACCEPT'
list proto 'all'
config rule
option dest 'lan'
option src 'IoT'
list dest_ip '192.168.1.3'
option target 'ACCEPT'
list proto 'all'