Cannot route between VLANs

Greetings all,

I am trying to route from the VLAN "lan" to the VLANs "Lan_Servers" and "Lan_Legacy". I believe I have set everything up as described in several threads on this forum, but nothing seems to work.

cat /etc/config/network

# /etc/config/network as posted. This is an swconfig target: VLANs are
# defined on switch0 and reach the CPU as eth0.<vid> sub-interfaces.
config interface 'loopback'
      option device 'lo'
      option proto 'static'
      option ipaddr '127.0.0.1'
      option netmask '255.0.0.0'

config globals 'globals'
      option ula_prefix 'fdfa:a9a4:3d11::/48'

# Upstream link on a separate NIC (eth1), not a switch port.
config interface 'wan'
      option device 'eth1'
      option proto 'dhcp'

# Bridge for the main LAN; its only member is the VLAN 1 sub-interface
# on the CPU port.
config device
      option name 'br-lan'
      option type 'bridge'
      list ports 'eth0.1'

config interface 'lan'
      option device 'br-lan'
      option proto 'static'
      option ipaddr '192.168.1.1'
      option netmask '255.255.255.0'
      option ip6assign '60'

config switch
      option name 'switch0'
      option reset '1'
      option enable_vlan '1'

# VLAN 1: port 0 (CPU) tagged, port 3 tagged, port 4 untagged access port.
# Port 3 is tagged in VLANs 1, 2 and 3, i.e. it is the trunk towards the
# managed switch that a later reply asks about.
config switch_vlan
      option device 'switch0'
      option vlan '1'
      option vid '1'
      option ports '0t 3t 4'
      option description 'lan'

# NOTE(review): on swconfig targets netifd creates eth0.<vid> by itself when
# an interface or bridge references that name, so this explicit 802.1q
# device (and the two below for eth0.2 / eth0.3) duplicates what the
# switch_vlan entries already provide. Later replies in the thread advise
# deleting all three stanzas; the switch_vlan entries stay.
config device
      option name 'eth0.1'
      option type '8021q'
      option ifname 'eth0'
      option vid '1'
      option ipv6 '0'

# VLAN 2: reachable only via the trunk on port 3, no untagged port on
# the router itself.
config switch_vlan
      option device 'switch0'
      option vlan '2'
      option vid '2'
      option ports '0t 3t'
      option description 'Lan_Servers'

# VLAN 3: same shape as VLAN 2, trunk only.
config switch_vlan
      option device 'switch0'
      option vlan '3'
      option vid '3'
      option description 'Lan_Legacy'
      option ports '0t 3t'

# See the note on the eth0.1 device above: redundant on swconfig.
config device
      option name 'eth0.2'
      option type '8021q'
      option ifname 'eth0'
      option vid '2'
      option ipv6 '0'

# See the note on the eth0.1 device above: redundant on swconfig.
config device
      option type '8021q'
      option ifname 'eth0'
      option vid '3'
      option name 'eth0.3'
      option ipv6 '0'

# Router address on the legacy segment is .5, not .1.
# NOTE(review): hosts on 192.168.0.0/24 must have a route back to
# 192.168.1.0/24 via 192.168.0.5 (typically as their default gateway). A
# host whose gateway is some other device sends its replies there, not
# to this router; that would match the "some hosts answer, some don't"
# symptom reported further down — confirm on the hosts that do not reply.
config interface 'Lan_Legacy'
      option proto 'static'
      option device 'eth0.3'
      option netmask '255.255.255.0'
      option ipaddr '192.168.0.5'

# Router is .1 on the server VLAN; hosts there are expected to use it as
# gateway for the 192.168.1.0/24 return path.
config interface 'Lan_Servers'
      option proto 'static'
      option device 'eth0.2'
      option ipaddr '192.168.2.1'
      option netmask '255.255.255.0'

cat /etc/config/firewall

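# /etc/config/firewall as posted. The pasted listing began with the forum
# editor's "type or paste code here" placeholder fused onto the first
# keyword; the first stanza is 'config defaults'.
#
# Defaults apply to traffic not matched by a zone: router input/output
# open, forwarding between zones refused unless a 'config forwarding'
# entry allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

# Main LAN: full access to the router and forwarding within the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream: unsolicited input refused, NAT (masq) on the way out.
# NOTE(review): no 'config forwarding' with dest 'wan' appears anywhere in
# this listing, so as shown no zone — not even 'lan' — may forward to the
# internet. The stock file has 'src lan / dest wan'; if internet access via
# this router is expected, that entry is missing (or was dropped from the
# paste).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults for
# the wan side: DHCP renewals, ping, IGMP, DHCPv6/MLD and the ICMPv6 types
# IPv6 needs to work.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let unsolicited IPsec (ESP and IKE on udp/500) from the
# internet be forwarded into 'lan'. They only matter if a host in lan is
# meant to be an IPsec responder; otherwise they can be dropped.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Legacy VLAN. input REJECT means the router itself does not answer this
# zone at all: pinging 192.168.0.5 from a legacy host fails, and so do DHCP
# (udp/67) and DNS (53) requests to the router if it is expected to serve
# them there. forward REJECT plus only the lan -> Lan_Legacy forwarding
# below means legacy hosts cannot open connections towards lan (or wan);
# replies to lan-initiated flows still pass because the firewall is
# stateful. If the router should serve DHCP/DNS here, prefer explicit
# per-port accept rules over opening input wholesale.
config zone
        option name 'Lan_Legacy'
        option output 'ACCEPT'
        list network 'Lan_Legacy'
        option input 'REJECT'
        option forward 'REJECT'

# One-way: lan may reach Lan_Legacy, not the reverse.
config forwarding
        option src 'lan'
        option dest 'Lan_Legacy'

# Server VLAN. input ACCEPT exposes every service the router runs (ssh,
# LuCI, DNS, ...) to the servers; forward ACCEPT allows intra-zone
# forwarding. Like the legacy zone, servers get no forwarding towards lan
# or wan, so they cannot initiate outbound connections through this router.
config zone
        option name 'Lan_Servers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'Lan_Servers'
        option forward 'ACCEPT'

# One-way: lan may reach Lan_Servers, not the reverse.
config forwarding
        option src 'lan'
        option dest 'Lan_Servers'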

Any help would be greatly appreciated.

Kindest regards,

M

What device and which OpenWrt version are you using?

Looking at your configuration, port 3 carries tagged packets for all three VLANs. Is this the intended behavior — i.e. is the device connected to port 3 configured to handle those VLAN tags?


Hi

you are mixing "swconfig" and traditional "vlan on eth" syntax
best is to reset, factory reset
then concentrate ONLY on swconfig syntax


Hi @fOO223Fr,

thank you for your reply.

The tagging on that port is intended: it is a tagged trunk between the router (a Ubiquiti AirRouter) and a managed switch. As best I can tell it is working, in that when I plug a host into the configured port on the managed switch it is assigned an address from the correct subnet by the router's DHCP server.

But, then again, I am complete novice, so perhaps the manner I set the tunnel is wrong?

Kindest regards,

M

Hi @NPeca75,

thank you for the reply.

It has been explained to me that my device is to be configured by "swconfig". So, I try to configure it as best as I understand the sparse documentation.

Please note that the system created the

so, I just continued with the syntax. Could you please advise what is wrong, as I cannot tell from the snippet that you posted.

Kindest regards,

M

wrong is the whole block i quoted

again
reset to factory
then ONLY in network->switch make adjustment for VLANs and nothing else !!!


Hi @NPeca75,

thank you for the reply.

Regretfully, I am not sure what the problem is, so I am not sure how to fix it. Please note that it is the same syntax that the system created for eth0.1.

Kindest regards,

M

told you 2 times what you need to do !!!

once again, this will be the last
you have followed various tutorials for OpenWrt VLANs
there are different tutorials for swconfig, VLANs on a PC, DSA, etc.

so, reset, and then from LuCI, Network -> Switch, create the VLANs as you wish, and don't touch anything else for VLANs

Hi @NPeca75,

thank you for the reply.

Maybe you did tell me, but I am not sure that I follow. I still need to create the interfaces, no? Even if I reset to factory, eth0.1 will still be the same, as it is created by the system.

If you are unwilling to explain it further, it is fine.

Kindest regards,

M

reset is not required... just deleting the 802.1q stanzas is sufficient.

The first thing to confirm is if the devices are connecting to the desired VLANs and if they have normal connectivity (i.e. can get a DHCP lease, internet access, etc.)... is that working as expected?


Ok, my intention was to start with clean device
since the OP has the standard problems: novice + VLANs + swconfig/DSA confusion ...

but as you wish
maybe your advice is better

Hi @psherman,

as per my answer to @fOO223Fr, as best I can tell, the devices, when plugged into the relevant port on the managed switch are working correctly in that they receive the correct IP address from the DHCP server.

And, again the block for VLAN 02 and 03 are configured just like the VLAN 01 created by the system.

So, I am not quite sure what is @NPeca75 advising.

Kindest regards,

M


What are the operating systems involved -- specifically, you appear to be trying to connect:

lan > Lan_Servers
lan > Lan_Legacy

so what is the OS on the device(s) you are trying to connect to on Lan_Servers and Lan_Legacy?

Hi @psherman,

currently, for testing purposes, all the hosts are Windows 10, but eventually they will be different. E.g., the servers are running FreeBSD, the lan will be mix of OSes,

Kindest regards,

M

Check your Windows firewall settings. By default it will not accept connections from other subnets — the inbound rules that matter for a ping test (File and Printer Sharing / ICMP Echo Request) are scoped to the local subnet. You have to adjust the firewall to allow incoming connections from another network. If you can't quickly find that specific setting, you can disable the firewall temporarily and test.


Hi @psherman,

as you predicted, I could not find the setting quickly. So, since I am not connected to Internet, I disabled the firewall, but it did not help.

But, is the bigger problem not the fact that @NPeca75 suggested, i.e., misconfiguration of the VLANs/Interfaces?

Kindest regards,

M

Sure... I'll review the config now. But the Windows firewall is a potential barrier, so let's make sure that's disabled or otherwise set to a more permissive state.

Hi @psherman,

yes, it is disabled.

The interesting issue is that I can ping some, but not all, of the devices on the 192.168.0.x subnet from the 192.168.1.x subnet.

Boy, this is frustrating.

Kindest regards,

M

Delete the 802.1q stanzas (the `config device` entries with `option type '8021q'` for eth0.1, eth0.2 and eth0.3 — on swconfig the switch_vlan entries already provide those sub-interfaces; the quoted blocks are not shown here):

and these two:

At least for now, change the Lan_Legacy firewall zone input rule to ACCEPT. (Note that this exposes every service the router runs to hosts on the legacy VLAN; once routing is confirmed, set it back to REJECT and add explicit accept rules only for what the router should serve there, e.g. DHCP udp/67 and DNS udp+tcp/53.)

Then restart and try again.

This is typical behavior for local (host level) firewalls.