Communication between network interfaces does not work

Hi Everyone,

I have two networks, each with a different Wi-Fi. I want my IoT network to be able to connect to a server in my LAN network. I am not sure why it does not work. Internet works on both, and it was working all the years before. It happened after I updated all packages. I reset all the configurations and tried to configure it again from scratch, but it still does not work.

Any idea? Thanks a lot!

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXXXXXXXXXXXXX'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@device[1]=device
network.@device[1].name='lan1'
network.@device[1].macaddr='XXXXXXXXXXXXXX'
network.@device[2]=device
network.@device[2].name='lan2'
network.@device[2].macaddr='XXXXXXXXXXXXXX'
network.@device[3]=device
network.@device[3].name='lan3'
network.@device[3].macaddr='XXXXXXXXXXXXXX'
network.@device[4]=device
network.@device[4].name='lan4'
network.@device[4].macaddr='XXXXXXXXXXXXXX'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.11.11.1'
network.lan.dns='10.11.11.243' '1.1.1.1'
network.@device[5]=device
network.@device[5].name='wan'
network.@device[5].macaddr='XXXXXXXXXXXXXX'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.Aiot24=interface
network.Aiot24.type='bridge'
network.Aiot24.proto='static'
network.Aiot24.ipaddr='10.11.13.1'
network.Aiot24.netmask='255.255.255.0'
network.Aiot24.dns='10.11.11.243' '1.1.1.1'

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].input='DROP'
firewall.@defaults[0].forward='DROP'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

firewall.Aiot24=zone
firewall.Aiot24.name='Aiot24'
firewall.Aiot24.network='Aiot24'
firewall.Aiot24.output='ACCEPT'
firewall.Aiot24.input='ACCEPT'
firewall.Aiot24.forward='ACCEPT'
firewall.Aiot24_dns=rule
firewall.Aiot24_dns.name='Allow-DNS-Aiot24'
firewall.Aiot24_dns.src='Aiot24'
firewall.Aiot24_dns.dest_port='53'
firewall.Aiot24_dns.proto='tcp udp'
firewall.Aiot24_dns.target='ACCEPT'
firewall.Aiot24_dhcp=rule
firewall.Aiot24_dhcp.name='Allow-DNS-Aiot24'
firewall.Aiot24_dhcp.src='Aiot24'
firewall.Aiot24_dhcp.dest_port='67'
firewall.Aiot24_dhcp.family='ipv4'
firewall.Aiot24_dhcp.proto='udp'
firewall.Aiot24_dhcp.target='ACCEPT'

firewall.@rule[2]=rule
firewall.@rule[2].name='IoT-InfluxDB'
firewall.@rule[2].src='Aiot24'
firewall.@rule[2].dest='lan'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].proto='tcp'
firewall.@rule[2].dest_ip='10.11.11.243'
firewall.@rule[2].dest_port='48086'

firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='Aiot24'
firewall.@forwarding[1].dest='lan'

firewall.@rule[3]=rule
firewall.@rule[3].name='NTP'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src='Aiot24'
firewall.@rule[3].dest='wan'
firewall.@rule[3].dest_port='123'
firewall.@rule[3].target='ACCEPT'

It will get very frustrating to find a fault if you only did this but did not install a completely new image to go with the new packages.
And then it stopped working.


So ideally flashing a new image? I think in general these firewall rules do not really work well. I had so many issues.

You said it worked before making the package upgrade!?

But this question of whether or not to upgrade packages comes and goes on the forum.
The firmware itself isn't made to work by upgrading packages. Some do it anyway. Sometimes it works, sometimes it doesn't. You can always roll the dice, but when it fails you are beyond a simple rescue.

My experience is if you want a stable working OpenWrt you build new images and make new config files every time.

Thanks for sharing, I was not aware. I flashed the sysupgrade image just now and configured everything again, but I get the same result. Shall I flash it any other way? Any other idea?

Is it this rule we have a problem with?

Does the other NTP rule (rule 3) work?

Are you sure the ip 10.11.11.243 is still the correct one after all upgrades?
Is the port still correct from all sides?
Is it tcp traffic?
Is there another firewall on the server?
Does the server see any data at all on that port?

The IP and port are correct, and it is HTTP traffic, so TCP should be correct. I also tried it with just "any" everywhere and it still does not work.
It seems none of the rules work. No other firewalls.

Do I maybe need to create a static route from network to network?

Maybe. I have a similar setup myself and it works, so I don't have any more ideas at this moment.

It works for me without a static route, so I don't know about that.

Let's see the complete config (now that you've reset and rebuilt). I'm going to ask for it in a different format -- I find the UCI output more difficult to read.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdde:b775:e1c2::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'XXXXXXXXXXXXX'

config device
	option name 'lan2'
	option macaddr 'XXXXXXXXXXXXX'

config device
	option name 'lan3'
	option macaddr 'XXXXXXXXXXXXX'

config device
	option name 'lan4'
	option macaddr 'XXXXXXXXXXXXX'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.11.11.1'

config device
	option name 'wan'
	option macaddr 'XXXXXXXXXXXXX'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'iot24'
	option proto 'static'
	option ipaddr '10.11.13.1'
	option netmask '255.255.255.0'

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option txpower '7'
	option country 'SG'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:03.0/0000:03:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'
	option country 'FR'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Aiot24'
	option encryption 'psk2'
	option key 'XXXXXXXXXXXXXXXXXXXXXXXXX'
	option network 'iot24'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot24'
	option interface 'iot24'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'rasppi4'
	option ip '10.11.11.195'
	option mac 'XXXXXXXXXXXXXX'

config host
	option name 'syn720'
	option ip '10.11.11.243'
	option mac 'XXXXXXXXXXXXXX'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'Aiot24'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot24'

config forwarding
	option src 'Aiot24'
	option dest 'lan'

config rule
	option name 'Aiot24-InfluxDB'
	option src 'lan'
	list dest_ip '10.11.11.243'
	option dest_port '48086'
	option target 'ACCEPT'
	option dest 'Aiot24'

config rule
	option name 'aiot24-DNS'
	option src 'Aiot24'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Aiot24-NTP'
	option src 'Aiot24'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Aiot24-DHCP'
	list proto 'udp'
	option src 'Aiot24'
	option dest_port '67'
	option target 'ACCEPT'


Let's try this... put the iot24 network into the lan zone (and remove it from the Aiot24) as follows:

config zone
	option name 'lan'
	list network 'iot24'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'Aiot24'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

Test to see if you can connect as expected. If not, it is something related to your IoT devices (and/or your LAN hosts), or it has to do with the ability of certain traffic to be routed across subnets (such as mDNS, which does not, by default, cross broadcast domains).

This is wrong, I think you want src Aiot24 and dest lan since 10.11.11 IPs are in lan.

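The mistake caught in the reply above (a rule whose dest_ip lives in a different zone than its dest) is easy to check mechanically. The linter below is an added example, not code from the thread or from OpenWrt: it parses UCI network and firewall text, maps each zone to the subnets of its interfaces, and reports every rule whose dest_ip does not belong to the zone named in dest. The sample configs embedded in it are constructed from the ones posted above; the function and variable names are mine.

```python
import ipaddress
import shlex
# Constructed sample, condensed from the network and firewall configs posted above.
NETWORK = """config interface 'lan'
	option ipaddr '10.11.11.1'
	option netmask '255.255.255.0'
config interface 'iot24'
	option ipaddr '10.11.13.1'
	option netmask '255.255.255.0'
"""
FIREWALL = """config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'Aiot24'
	list network 'iot24'
config rule
	option name 'Aiot24-InfluxDB'
	option src 'lan'
	list dest_ip '10.11.11.243'
	option dest 'Aiot24'
"""

def parse_uci(text):
    """Parse UCI 'config/option/list' text into (type, name or None, {key: [values]}) tuples."""
    sections = []
    for parts in map(shlex.split, text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts and parts[0] in ("option", "list"):
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_rules(network_cfg, firewall_cfg):
    """Return (rule, dest_ip, declared dest zone, zone that owns the IP) for each mismatch."""
    subnet = {name: ipaddress.ip_network(f"{o['ipaddr'][0]}/{o['netmask'][0]}", strict=False)
              for kind, name, o in parse_uci(network_cfg) if kind == "interface" and "netmask" in o}
    fw = parse_uci(firewall_cfg)
    zones = {o["name"][0]: [subnet[n] for n in o.get("network", []) if n in subnet]
             for kind, _, o in fw if kind == "zone"}
    findings = []
    for kind, _, o in fw:
        for ip in o.get("dest_ip", []) if kind == "rule" else []:   # only rules carry dest_ip
            addr, declared = ipaddress.ip_address(ip), o.get("dest", ["(router)"])[0]
            owner = next((z for z, nets in zones.items() if any(addr in n for n in nets)), None)
            if owner and owner != declared:
                findings.append((o["name"][0], ip, declared, owner))
    return findings

if __name__ == "__main__": print(lint_rules(NETWORK, FIREWALL))
```

On the sample it reports that 10.11.11.243 sits in zone lan while the rule says dest Aiot24; swapping src and dest as the reply suggests makes the report empty.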

Well spotted! Thanks! But it still does not work. I configured it wrongly after I newly flashed it again.

Do you know what interface/network I need to configure in the device setting?

Since the only connection to the network is a single wifi AP, you can leave Device blank. Generally you'd have a br-iot24 so you can have dual band wireless, or wifi + ethernet like lan works.

I'm a bit concerned about having capital letters in the zone name; you might try using only lowercase.

If you set default input on the iot zone to REJECT, the exceptions for dns and dhcp should still work.

I'd highly recommend that you try associating your IoT network with the lan firewall zone as a means of testing inter-network connections. By having both the lan and the IoT networks in the same firewall zone (and with the zone setting forward = accept), there will be no restrictions on inter-network routing. This will be useful to prove that there aren't any issues with the host devices (such as local firewalls or services not working properly, etc.).

Be sure to restart the firewall service or the entire router after making the change.

Thanks both for your advice!

I tried it, but I'm not sure if I did it correctly. Like this? It still does not work.

That looks correct.

Just to confirm, it appears you have another router upstream of your OpenWrt router. Is the other host connected to the OpenWrt router or the one in front of it?

I found the issue. The server I wanted to connect to has two network interfaces, and the interface I want to connect to was not set as the standard gateway. Once I changed that and disconnected the second network interface, it solved the issues.

There might have been more than one issue. What I learned is: re-flash the router, put both networks into the same firewall zone, and then check the actual server and other networks.

Thanks a lot everyone! You helped me a lot!!!