Firewall traffic rule being ignored?

Hello,
I have configured VLAN30 for my IoT devices. This VLAN is not allowed to reach WAN.

If required, I allow specific device IPs access to WAN

As you can see, I've added 4 IPs to this rule. 3 of the devices have internet access. However, 192.168.30.190 can't reach the internet.

Here is the logread deny log on the router. OUT is not set to eth0.2 - which is the WAN interface

[48918.419991] reject iot_zone in: IN=br-iot OUT= MAC=REDACTED SRC=192.168.30.190 DST=192.168.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=854 DF PROTO=ICMP TYPE=8 CODE=0 ID=31 SEQ=4

Note: When I add zone forwarding i.e. IOT->WAN, the device can reach the internet.

On the server, here is the ip route:

┌──(kali㉿kali-raspberry-pi-zero-2-w)-[~]
└─$ ip route
default via 192.168.30.1 dev wlan0 proto dhcp src 192.168.30.190 metric 600 
192.168.30.0/24 dev wlan0 proto kernel scope link src 192.168.30.190 metric 600

How do I go about further debugging this?

PS: I tried setting the protocol to 'All' in the traffic rule, without luck.
Also, I can ping other devices in the VLAN30 network.

Any help is appreciated :pray:

The log above shows a connection attempt to the router itself (input). Is the IoT gadget using your router as DNS server? If yes, you will need to add input allow rules for that as well.
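
The distinction drawn in the reply above can be read straight off the `IN=`/`OUT=` fields of each reject line. The following is an added example, not part of either post: a small shell function that labels each firewall log line as input (traffic to the router itself), forward (traffic routed through it) or output. The function names are hypothetical, and the second and third sample lines are constructed; only the first comes from the thread.

```shell
#!/bin/sh
# Added example. classify_fw_log reads netfilter log lines on stdin and prints
#   <chain> <src>-><dst> proto=<proto> dpt=<port or ->
# IN set + OUT empty -> input (needs an input rule, e.g. for DNS on the router)
# IN set + OUT set   -> forward (needs a forward rule or zone forwarding)
# IN empty + OUT set -> output (traffic generated by the router)
classify_fw_log() {
    awk '
    {
        in_if = out_if = src = dst = proto = dpt = ""
        has_out = 0
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (key == "IN") in_if = val
            else if (key == "OUT") { out_if = val; has_out = 1 }
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (!has_out) next          # not a firewall log line
        if (in_if != "" && out_if == "") chain = "input"
        else if (in_if != "" && out_if != "") chain = "forward"
        else chain = "output"
        printf "%s %s->%s proto=%s dpt=%s\n", chain, src, dst, proto, (dpt == "" ? "-" : dpt)
    }'
}

# Sample input: line 1 is the log line from the thread; lines 2 and 3 are
# constructed (a DNS query to the router, and HTTPS routed out via eth0.2).
sample_log() {
    cat <<'EOF'
[48918.419991] reject iot_zone in: IN=br-iot OUT= MAC=REDACTED SRC=192.168.30.190 DST=192.168.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=854 DF PROTO=ICMP TYPE=8 CODE=0 ID=31 SEQ=4
[48920.000000] reject iot_zone in: IN=br-iot OUT= MAC=REDACTED SRC=192.168.30.190 DST=192.168.30.1 LEN=60 PROTO=UDP SPT=40000 DPT=53
[48921.000000] reject iot_zone forward: IN=br-iot OUT=eth0.2 MAC=REDACTED SRC=192.168.30.190 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=443
EOF
}

sample_log | classify_fw_log
```

On the router, real data can be fed in with `logread | classify_fw_log`.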