Eth 2 and eth 3 clients unable to ping each other

Hello ,

I have bridged the eth2 and eth3 ports so that they are in the same LAN IP group. When clients join the network through the Wi-Fi behind eth2 or eth3, both receive addresses from the same IP subnet.

However, I was not able to ping a client connected via eth2 from a client connected via eth3, or vice versa.

Is it because of my firewall?

cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdab:0ac0:e69f::/48'
option packet_steering '1'

config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth2 eth3'
option ipaddr '192.168.7.1'

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option metric '10'
option delegate '0'

config interface 'WANB'
option proto 'dhcp'
option ifname 'eth1'
option delegate '0'
option metric '20'

cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option fullcone '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option network 'wan WANB'
option forward 'ACCEPT'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config include 'zerotier'
option type 'script'
option path '/etc/zerotier.start'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'adbyby'
option type 'script'
option path '/var/etc/adbyby.include'
option reload '1'

config rule 'adblock'
option name 'adblock'
option target 'DROP'
option src 'wan'
option proto 'tcp'
option dest_port '8118'

config include 'ipsecd'
option type 'script'
option path '/etc/ipsec.include'
option reload '1'

config rule 'ike'
option name 'ike'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '500'

config rule 'ipsec'
option name 'ipsec'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '4500'

config rule 'ah'
option name 'ah'
option target 'ACCEPT'
option src 'wan'
option proto 'ah'

config rule 'esp'
option name 'esp'
option target 'ACCEPT'
option src 'wan'
option proto 'esp'

config include 'passwall'
option type 'script'
option path '/var/etc/passwall.include'
option reload '1'

config include 'passwall_server'
option type 'script'
option path '/var/etc/passwall_server.include'
option reload '1'

config include 'softethervpn'
option type 'script'
option path '/usr/share/softethervpn/firewall.include'
option reload '1'

config include 'v2ray_server'
option type 'script'
option path '/usr/share/v2ray_server/firewall.include'
option reload '1'

config rule 'kms'
option name 'kms'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1688'

config include 'openclash'
option type 'script'
option path '/var/etc/openclash.include'
option reload '1'

config include 'shadowsocksr'
option type 'script'
option path '/var/etc/shadowsocksr.include'
option reload '1'

config include 'wrtbwmon'
option type 'script'
option path '/etc/wrtbwmon.include'
option reload '1'

config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'

config rule 'openvpn'
option name 'openvpn'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '1194'

config include 'unblockmusic'
option type 'script'
option path '/var/etc/unblockmusic.include'
option reload '1'

config forwarding
option dest 'lan'
option src 'wan'

config forwarding
option dest 'wan'
option src 'lan'

cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option filter_aaaa '1'
option port '53'
list server '127.0.0.1#5351'
option noresolv '1'

config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
option start '30'
option limit '200'
option leasetime '30m'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config srvhost
option srv '_vlmcs._tcp'
option target 'OpenWrt'
option port '1688'
option class '0'
option weight '100'

Although it doesn't hurt to have the lan zone's forward policy set to ACCEPT, it should not matter, as the two ports are bridged. Try that for a start.


Hello Trendy,

Thank you very much. I just changed it and it is working now.

Actually, may I know what this "forward" option means?

It allows forwarding between the interfaces of the zone. It should not affect traffic between members of the same bridge, because bridged frames are normally switched in the kernel without passing through the FORWARD chain; however, if br_netfilter is active (Docker, for example, enables it), bridged frames are also run through iptables, and a DROP forward policy then blocks them, so bridging might not work properly.
What is the output of `ip -4 addr; iptables-save -c -t filter`?

Hello Sir,

Below is my output.

ip -4 addr; iptables-save -c -t filter
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.0.3/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.7.1/24 brd 192.168.7.255 scope global br-lan
valid_lft forever preferred_lft forever
20: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever

# Generated by iptables-save v1.8.4 on Mon Nov 23 22:47:21 2020

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[12356:1139313] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[99090:20667491] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[33283:3169292] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3430:196504] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[65471:17327587] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[16:3892] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[320:166720] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[2298004:780058466] -A FORWARD -j DOCKER-USER
[2298004:780058466] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2218745:761327479] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[79251:18729939] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[8:1048] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -d 223.252.199.10/32 -j DROP
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[12554:1155153] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[51229:8184406] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[30990:5671715] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1200:985936] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[15510:1195983] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[3529:330772] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[2298004:780058466] -A DOCKER-USER -j RETURN
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3430:196504] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[59948:17813064] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[79251:18729939] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[79251:18729939] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[58740:16826080] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[65471:17327587] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[40:2472] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[65431:17325115] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1200:985936] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1200:985936] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[65431:17325115] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[141:7040] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[23408:2023509] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[628:54961] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[15373:1345104] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o eth1 -m comment --comment "!fw3" -j DROP
[8:1048] -A zone_wan_forward -j MINIUPNPD
[8:1048] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[8:1048] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[336:170612] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: ike" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec" -j ACCEPT
[0:0] -A zone_wan_input -p ah -m comment --comment "!fw3: ah" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: esp" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[336:170612] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[19039:1526755] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[19039:1526755] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[16:3892] -A zone_wan_src_DROP -i eth0 -m comment --comment "!fw3" -j DROP
[320:166720] -A zone_wan_src_DROP -i eth1 -m comment --comment "!fw3" -j DROP
COMMIT

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile: