Forwarding between VLANs

Hello. I am trying to do something quite simple as a starting point for something more complex down the road.

For now, what I am trying to achieve is adding an extra VLAN to my router and enable connectivity between the LAN network (i.e. the OpenWRT default VLAN 1) and my new VLAN10 by allowing forwarding in the firewall. My understanding is that this should just work, but it doesn't. Machines in VLAN10 are not able to communicate with machines in the LAN. My config files are below. What am I doing wrong here?

/etc/config/network:

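# /etc/config/network as posted, with one paste-duplicated segment removed:
# the original listing repeated the lines from the end of 'wan6' through the
# first switch_vlan section, so a stray "option proto 'dhcpv6'" landed inside a
# switch_vlan section and the 'switch0' section appeared twice. Section contents
# below are otherwise byte-identical to the posted file.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:d4ca:b537::/48'

# Default LAN: bridge over switch VLAN 1 (eth0.1), addressed 192.168.1.1/24.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'fc:ec:da:71:1c:3e'

# WAN: DHCP client on switch VLAN 2 (eth0.2); 'wan6' runs DHCPv6 on the same ifname.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'fc:ec:da:71:1c:3f'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch with VLAN filtering enabled. Port 6 is tagged on every VLAN below;
# per the discussion in this thread that is the CPU-facing port.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (lan): tagged on ports 1 and 6, untagged on ports 2 and 3.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1t 2 3 6t'

# VLAN 2 (wan): untagged on port 0, tagged on port 6.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'
        option vid '2'

# NOTE(review): a second DHCP interface on eth0.2, alongside 'wan' above.
# Presumably a leftover — two DHCP clients on one ifname is unlikely to be
# intended; confirm before keeping it.
config interface 'modem'
        option proto 'dhcp'
        option ifname 'eth0.2'

# VLAN 10: tagged on ports 1 and 6, untagged on port 4.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '1t 4 6t'

# vlan10 interface: bridge over eth0.10, addressed 192.168.10.1/24.
config interface 'vlan10'
        option ifname 'eth0.10'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ipaddr '192.168.10.1'
        option ip6assign '60'

# VLAN 20: tagged only (ports 1 and 6); no interface uses it in this file.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '1t 6t'
        option vid '20'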

/etc/config/firewall:

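# /etc/config/firewall as posted, with one paste-duplicated segment removed:
# the original listing repeated the tail of 'Allow-ICMPv6-Input' through
# 'Allow-ISAKMP', so stray "list icmp_type"/limit/family/target lines had landed
# inside the first 'Allow-ISAKMP' section and 'Allow-ICMPv6-Forward',
# 'Allow-IPSec-ESP' and 'Allow-ISAKMP' appeared twice. The fw3 restart output
# further down in the thread lists each of those rules once, which matches this
# cleaned-up version. Section contents are otherwise byte-identical to the post.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# vlan10 zone: same policy as 'lan'. 'input ACCEPT' lets vlan10 hosts reach every
# service on the router itself (ssh and LuCI, as confirmed later in the thread).
# If vlan10 is meant to be less trusted than lan, set input to REJECT and allow
# only the services it needs (e.g. DHCP and DNS) with explicit rules.
config zone
        option network 'vlan10'
        option input 'ACCEPT'
        option name 'vlan10'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

# WAN-side input/forward rules: DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# and IPsec (ESP and ISAKMP) forwarded into lan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# Inter-zone forwarding vlan10 -> lan. Reply traffic for connections started from
# vlan10 is accepted by the RELATED,ESTABLISHED rule fw3 generates in FORWARD (see
# the iptables-save output below), so no reverse entry is needed for that. The
# fw3 restart output later in the thread also shows 'lan' -> 'vlan10', which is
# not in this listing — presumably added after this was posted.
config forwarding
        option dest 'lan'
        option src 'vlan10'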

Can the hosts in vlan10 get dhcp settings from the OpenWrt? Can they ping OpenWrt address?

Can the hosts in vlan10 get dhcp settings from the OpenWrt?

Yes; hosts in vlan10 are successfully assigned an IP address.

Can they ping OpenWrt address?

Yes; hosts in VLAN10 can ping the router, ssh to the router, and load the Luci management interface all at 192.168.1.1. What they can't do is reach another machine at 192.168.1.2 - in all cases when I try that, the connection times out.

I have a suspicion I have somehow set up a network loop. Running `traceroute 192.168.1.2` from a VLAN10 machine shows a single hop to the router, and then 29 hops to *.

Do a fw3 restart and post the output here.
Also post the output of iptables-save -c.

fw3 restart output:

Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'vlan10' -> 'lan'
   * Forward 'lan' -> 'vlan10'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vlan10'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vlan10'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vlan10'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'vlan10' -> 'lan'
   * Forward 'lan' -> 'vlan10'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vlan10'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vlan10'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

iptables-save -c output:

# iptables-save -c
# Generated by iptables-save v1.8.3 on Sun May 17 11:12:09 2020
*nat
:PREROUTING ACCEPT [88:8062]
:INPUT ACCEPT [72:5232]
:OUTPUT ACCEPT [6:472]
:POSTROUTING ACCEPT [6:472]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vlan10_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vlan10_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vlan10_postrouting - [0:0]
:zone_vlan10_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[88:8062] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[88:8062] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_prerouting
[5:340] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[88:8062] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_vlan10_postrouting -m comment --comment "!fw3: Custom vlan10 postrouting rule chain" -j postrouting_vlan10_rule
[0:0] -A zone_vlan10_prerouting -m comment --comment "!fw3: Custom vlan10 prerouting rule chain" -j prerouting_vlan10_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun May 17 11:12:09 2020
# Generated by iptables-save v1.8.3 on Sun May 17 11:12:09 2020
*mangle
:PREROUTING ACCEPT [321:25176]
:INPUT ACCEPT [295:20780]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [295:26835]
:POSTROUTING ACCEPT [295:26835]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun May 17 11:12:09 2020
# Generated by iptables-save v1.8.3 on Sun May 17 11:12:09 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vlan10_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vlan10_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vlan10_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vlan10_dest_ACCEPT - [0:0]
:zone_vlan10_forward - [0:0]
:zone_vlan10_input - [0:0]
:zone_vlan10_output - [0:0]
:zone_vlan10_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[40:2720] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[264:18528] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[120:8064] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[144:10464] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[40:2720] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[265:25867] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[258:24602] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[7:1265] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-vlan10 -m comment --comment "!fw3" -j zone_vlan10_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[7:1265] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vlan10 forwarding policy" -j zone_vlan10_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[144:10464] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[144:10464] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[7:1265] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[7:1265] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[144:10464] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vlan10_dest_ACCEPT -o br-vlan10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vlan10_forward -m comment --comment "!fw3: Custom vlan10 forwarding rule chain" -j forwarding_vlan10_rule
[0:0] -A zone_vlan10_forward -m comment --comment "!fw3: Zone vlan10 to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vlan10_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vlan10_forward -m comment --comment "!fw3" -j zone_vlan10_dest_ACCEPT
[0:0] -A zone_vlan10_input -m comment --comment "!fw3: Custom vlan10 input rule chain" -j input_vlan10_rule
[0:0] -A zone_vlan10_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vlan10_input -m comment --comment "!fw3" -j zone_vlan10_src_ACCEPT
[0:0] -A zone_vlan10_output -m comment --comment "!fw3: Custom vlan10 output rule chain" -j output_vlan10_rule
[0:0] -A zone_vlan10_output -m comment --comment "!fw3" -j zone_vlan10_dest_ACCEPT
[0:0] -A zone_vlan10_src_ACCEPT -i br-vlan10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun May 17 11:12:09 2020

Forwardings are configured fine and are not blocked.
Have you checked for a firewall on the hosts that blocks traffic from other subnets? Windows by default blocks incoming requests from different subnets.

Thanks for confirming.

The other host, 192.168.1.2 is another openwrt dumb AP, and my desktop is a linux box. So all is well there, I believe.

I wonder if this is an issue with having all of the VLANs tagged for the CPU port?

VLANs must be tagged on the CPU port; otherwise the CPU cannot distinguish them.
Try the following. Run a tcpdump on the router to verify that packets come and go out of the correct interfaces:
tcpdump -i br-lan -evn icmp and host 192.168.1.2
in another shell run
tcpdump -i br-vlan10 -evn icmp and host 192.168.1.2
Start a ping from a vlan10 host to the .2 and post here the outputs.


Thanks very much @trendy - that set of commands and the thinking behind them made me realize my problem: the 192.168.1.2 host did not have a default gateway set. So, packets were reaching it, but the reply packets were being dropped. This is a good reminder that, for a dumb AP, even when using VLANs, setting the default gateway to point to the router is essential.
