Firewall Port/Rule help needed.. Head Done In

RPi4 as router configured with 2 VLANs. 0.3 is lan and 0.4 IoT clients. Dumb AP (R7800) serving the same VLANs, a mix of wired and wireless client devices. Both RPi and AP are connected to a managed switch.

I created a separate fw zone for 0.4 and set up rules to allow DHCP from lan (0.3) and allow access to DNS (AdGuard Home, also on lan). All appears to work as expected BUT... when logging into LuCI on the RPi I do not see any of the clients listed on the Status > Overview page. Assuming I'm missing some other firewall rule. Any thoughts please? Config attached.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCP-Renew-vlan4IoT'
	option family 'ipv4'
	list proto 'udp'
	option src 'vlan4IoT'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'ALLOW-DNS-vlan4IoT'
	option src 'vlan4IoT'
	list dest_ip '192.168.3.1'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'vlan4IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan4'

config forwarding
	option src 'vlan4IoT'
	option dest 'wan'

RPi works as DHCP server and sees hostnames and IPs; the dumb AP sees MAC and wifi signal strength.

Yep... When the firewall zone for the 0.4 devices is changed to lan, all clients appear in the list.

Remove this from the ALLOW-DNS-vlan4IoT rule, as you haven't changed the nameserver in DHCP and they will be trying to access 192.168.4.1.
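To make the point above checkable, here is an added example (not from the thread or from OpenWrt): it parses a UCI firewall excerpt and flags any port-53 input rule whose dest_ip list omits the router's own address on the source zone's network, which is what dnsmasq advertises as nameserver by default. The router addresses (192.168.3.1 on lan, 192.168.4.1 on vlan4) are assumptions taken from the addresses mentioned in the thread, not from the posted config.

```python
import ipaddress

# Constructed excerpt of the posted /etc/config/firewall: the IoT zone and its DNS rule.
FIREWALL_CONFIG = """
config zone
	option name 'vlan4IoT'
	option input 'REJECT'
	list network 'vlan4'

config rule
	option name 'ALLOW-DNS-vlan4IoT'
	option src 'vlan4IoT'
	list dest_ip '192.168.3.1'
	option dest_port '53'
	option target 'ACCEPT'
"""

# Assumed router address per interface (not in the posted config; inferred from the thread).
ROUTER_ADDRS = {"lan": "192.168.3.1", "vlan4": "192.168.4.1"}


def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def dns_rule_findings(text, router_addrs=ROUTER_ADDRS):
    """Return (rule name, missing router address) for each DNS input rule that is
    restricted by dest_ip but does not cover the router's address on the source
    zone's own network; queries from that zone then fall through to its input policy."""
    sections = parse_uci(text)
    zone_networks = {o["name"][0]: o.get("network", []) for t, o in sections if t == "zone"}
    findings = []
    for stype, opts in sections:
        if stype != "rule" or opts.get("dest_port") != ["53"] or "src" not in opts:
            continue
        if "dest_ip" not in opts or "dest" in opts:  # unrestricted, or a forward rule
            continue
        allowed = [ipaddress.ip_network(ip, strict=False) for ip in opts["dest_ip"]]
        for net in zone_networks.get(opts["src"][0], []):
            if net in router_addrs:
                gw = ipaddress.ip_address(router_addrs[net])
                if not any(gw in n for n in allowed):
                    findings.append((opts["name"][0], str(gw)))
    return findings
```

Dropping the dest_ip line (or listing the vlan4 address in it) makes the finding disappear.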

Done that, restarted both network and firewall; still no clients showing.

Rebooted the AP and it's forced it... You are my hero, thank you @trendy

