Cannot access clients in other router LAN

Hi,
my OpenWrt router is connected as DHCP client to ISP router's LAN.
From this router device I can ping any client in ISP router's LAN (subnet 192.168.1.0/24).
Now I'm connecting my laptop to OpenWrt router's LAN (172.16.1.0/24), but I cannot access any client in subnet 192.168.1.0/24.

This is my network configuration:

root@rb760igs:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:2c94:d774::/48'
	option packet_steering '1'

config device
	option name 'sfp'
	option macaddr '08:xx:xx:xx:xx:5c'

config device
	option name 'wan'
	option macaddr '08:xx:xx:xx:xx:5c'

config device
	option name 'lan2'
	option macaddr '08:xx:xx:xx:xx:5d'

config device
	option name 'lan3'
	option macaddr '08:xx:xx:xx:xx:5d'

config device
	option name 'lan4'
	option macaddr '08:xx:xx:xx:xx:5d'

config device
	option name 'lan5'
	option macaddr '08:xx:xx:xx:xx:5d'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'sfp'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '100'
	option name 'br-lan.100'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option metric '100'
	option hostname '*'
	option peerdns '0'
	list dns '94.140.14.140'
	list dns '176.9.93.198'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2a10:50c0::1:ff'
	list dns '2a01:4f8:151:34aa::198'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-lan.40'

config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option defaultroute '1'
	option ip6assign '60'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'
	list ports 'sfp:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'
	list ports 'sfp:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '999'
	option local '0'

And here's my firewall config:

root@rb760igs:~# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'IoT: Block-DNS-other-networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'iot'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'IoT: Block-all'
	list proto 'all'
	option src 'iot'
	option dest '*'
	option target 'REJECT'

I assume this forwarding rule is required:

config forwarding
	option src 'lan'
	option dest 'iot'

And I assume I need a static route, is this correct?

THX

Where is the iot network handled? Is the wan interface being used?

Nope.
It's OpenWrt's router device br-lan.40, interface iot, and ethernet port lan2 is physically connected to the ISP router's ethernet port.
WAN interface is connected to modem using DHCP.

So the iot network is upstream of this router? If so, the rules you have made will not have any function.

If "upstream" means that clients send packets to the internet via iot, the answer is: no.

iot is a network provided by ISP router, and OpenWrt router is just a client.
There's a dumb access point connected to the OpenWrt router that provides a wifi interface for both iot and lan. Actually this is the only reason for configuring the OpenWrt router as a client in the 'iot' network.
I need to be able to access any client in the iot network from OpenWrt's lan network.

So is your goal to use openwrt as an ap for the iot network and also create a separate secure trusted lan?

I would answer this question with: yes.
I assume I would need a route like this:

config route
	option interface 'lan'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.4'

192.168.1.4 is the client IP assigned to OpenWrt via DHCP.
Again, access to the iot network from the OpenWrt device itself is working.

Here's my routing table accordingly:

root@rb760igs:~# ip r
default via 134.xxx.xxx.254 dev wan  src 134.xxx.xxx.168  metric 100 
134.xxx.xxx.0/23 dev wan scope link  metric 100 
172.16.1.0/24 dev br-lan.100 scope link  src 172.16.1.1 
192.168.1.0/24 dev br-lan.40 scope link  src 192.168.1.4 

In that case, you need to make a bunch of changes.

Delete these:

Delete everything below dhcp here since you’re not using the wan interface:

Delete this:

Delete this:

Change the iot zone input rule to REJECT (with input ACCEPT, hosts on the iot network can reach services running on the OpenWrt router itself). If your upstream router doesn’t support static routes, enable masquerading on the iot zone. Otherwise, make sure there is a static route on the upstream router for 172.16.1.0/24 via 192.168.1.4.

Once this is done, reboot and test. If it still doesn’t work, post the updated configs.

Nope. This is a directly connected network. No static route is required.

Now that I look at your routing table, I'm actually confused.

Can you provide a topology diagram? I don’t understand how the devices are connected together and how you have the wan and the ISP router connected.

I can't delete any VLAN because of dumb AP.
I can't delete WAN interface because this is my upstream link to internet.

I have 2 WAN interfaces with 2 public IPs:

  • 1 on ISP router
  • 1 on OpenWrt router

iot network is the only LAN of ISP router; any client in iot is using ISP router as upstream.
Any other network is using OpenWrt router as upstream.

We need to better understand your setup. The diagram is essential.

Can you recommend a tool for easily drawing the network diagram?

A pen and paper. And then your phone to take a picture and upload it here.

The ISP router is running in "bridge mode", which means eth3 is modem only.

So eth3 is a bridged modem and you get a public ip on the openwrt wan port.

And eth2 is the iot network 192.168.1.0/24?

Why not just put the iot network behind the openwrt router and not bother with the second connection?

This is correct.
I thought an additional physical separation of iot would increase security.

Nope. But it does waste a port and increases the complexity of your network while also limiting the ability for you to fully control your iot network in terms of routing and firewall rules.

Agree.
But let's stick with this network layout for a moment.
Why is the connection from LAN client to iot network not working?

Does the isp router have a static route installed:

172.16.1.0/24 via 192.168.1.4

If not, does that device support static routes so that you can add it?

If the answer is no for static route support, you need to enable masquerading on the IoT firewall zone; otherwise replies from 192.168.1.0/24 hosts are sent to their default gateway (the ISP router), which has no route back to 172.16.1.0/24.