I have a VLAN and a LAN. The LAN has many servers on it: Plex, WireGuard, OpenVPN, a bunch of cloud gaming servers. All these servers are port forwarded. I can reach the servers through the internet in the LAN zone and through the internet (as expected), but in the VLAN zone for some reason I can't reach any port forwarded servers in the LAN zone. I also can't reach a port forwarded server in the VLAN zone from the LAN zone. I have a Parsec PC and a WireGuard VPN server; both work fine through the internet, i.e. on my phone or at another house. PS: both zones can access normal websites just fine.
You need to use the reflection_zone option.
https://forum.openwrt.org/t/how-to-make-available-nat-loopback-from-vlan-zone/146974/2
Better to avoid such access to the servers, as it can have a negative impact on performance. Accessing the server directly puts minor to no stress on the router. On the contrary, when the traffic passes through the router you have all the checks and inspections from the firewall and the routing table.
What's in /etc/config/network, /etc/config/firewall, and /etc/config/dhcp?
I don't think the router will be a problem. I use a DL360e G8 with OpenWrt 22. I think it's powerful enough to handle it. Thanks for the advice; I will use that info at my other house, which has a very weak router.
This was in response to "it uses a lot of router power".
...and don't care about my electricity bills! Or my hearing!
Yes, that is the main problem with using a server as a router. But there are some advantages, like it's super easy to get old 10 or 40 or 100G NICs for less than 30 bucks for it, and I think that's the only advantage.
Here are my configs.
cat network

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option netmask '255.255.240.0'
	option ipv6 '0'
	option delegate '0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth3'
	option ipv6 '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth3'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'stratton'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '10.55.98.4/24'
	option peerdns '0'
	list dns '10.55.98.1'

config wireguard_stratton
	option description 'router.conf'
	option public_key 'redacted'
	option preshared_key 'redacted'
	list allowed_ips '192.168.50.0/24'
	option endpoint_host 'redacted'
	option endpoint_port '51820'

config route
	option interface 'stratton'
	option target '192.168.50.0/24'
	option gateway '0.0.0.0'
	option disabled '1'

config device
	option type 'bridge'
	option name 'guest_bridge'
	list ports 'eth4'
	list ports 'eth5'
	list ports 'eth6'
	list ports 'eth7'
	option bridge_empty '1'

config interface 'surfshakr'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '10.14.0.2/16'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_surfshakr
	option description 'vpn.conf'
	option public_key 'reacted'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '37.19.199.204'
	option endpoint_port '51820'

config device
	option name 'eth2'

config device
	option name 'eth2'

config interface 'guest'
	option proto 'static'
	option ipaddr '172.16.56.1'
	option netmask '255.255.255.0'
	option device 'guest_bridge'

config device
	option type '8021q'
	option ifname 'guest_bridge'
	option vid '100'
	option name 'bridge.100'

config interface 'jareds_vlan'
	option proto 'static'
	option device 'bridge.100'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
```

cat firewall

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'surfshakr'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.25'
	option dest_port '51820'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'alexa1'
	option src 'wan'
	option src_dport '7226'
	option dest_ip '192.168.1.175'
	option dest_port '7226'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'alex2'
	option src 'wan'
	option src_dport '8226'
	option dest_ip '192.168.1.175'
	option dest_port '8226'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'automatrix'
	option src 'wan'
	option dest_ip '192.168.1.175'
	option dest_port '443'
	option src_dport '9443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'filebrowser'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '192.168.1.32'
	option dest_port '8080'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'automatrix1'
	option src 'wan'
	option dest_ip '192.168.1.175'
	option dest_port '80'
	option src_dport '980'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'plex'
	option src 'wan'
	option src_dport '32400'
	option dest_port '32400'
	option dest_ip '192.168.1.101'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config zone
	option name 'stratton'
	option output 'ACCEPT'
	option masq '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'stratton'

config forwarding
	option src 'lan'
	option dest 'stratton'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'surfshark'
	option output 'ACCEPT'
	option masq '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option name 'nginx'
	option src_dport '80'
	option dest_port '80'
	option dest_ip '192.168.3.16'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option name 'nginx_https'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '192.168.3.16'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'dcs'
	option src 'wan'
	option src_dport '10308'
	option dest_ip '192.168.1.49'
	option dest_port '10308'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'office-smtp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '192.168.2.111'
	option dest_port '25'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'office smtp1'
	option src 'wan'
	option src_dport '587'
	option dest_ip '192.168.2.111'
	option dest_port '587'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'office'
	option src 'wan'
	option src_dport '143'
	option dest_ip '192.168.2.111'
	option dest_port '143'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '110'
	option dest_ip '192.168.2.111'
	option dest_port '110'

config rule
	option ac_enabled '1'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
	option name 'vcenter'
	list src_mac '00:0C:23:48:A4:12'
	option enabled '0'
	list proto 'all'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'vlan100'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'jareds_vlan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'openvpn'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.1.217'
	option dest_port '1194'

config forwarding
	option src 'vlan100'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'jareds-vlan-vpn'
	option src 'wan'
	option dest_ip '10.10.10.133'
	option src_dport '51825'
	option dest_port '51825'
```

cat dhcp

```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '53'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.1.1, 1.1.1.1'
	option start '255'
	option limit '255'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac '3C:A8:2A:08:94:5E'
	option ip '192.168.1.6'

config host
	option mac 'D8:9D:67:68:5B:D2'
	option ip '192.168.1.7'

config host
	option mac '00:50:56:B0:3A:C3'
	option ip '192.168.1.10'

config host
	option mac '00:0C:29:02:ED:77'
	option ip '192.168.1.19'

config host
	option mac '00:50:56:BE:E2:11'
	option ip '192.168.1.25'

config host
	option mac '5C:F3:FC:EF:D8:E0'
	option ip '192.168.1.29'

config host
	option mac '00:50:56:B0:6B:43'
	option ip '192.168.1.30'

config host
	option mac '00:50:56:B0:D2:09'
	option ip '192.168.1.32'

config host
	option mac '00:50:56:B0:07:D3'
	option ip '192.168.1.34'

config host
	option mac '00:E0:4C:10:01:5C'
	option ip '192.168.1.41'

config host
	option mac '00:25:90:CE:4F:EA'
	option ip '192.168.1.61'

config host
	option mac 'A8:48:FA:95:C6:6C'
	option ip '192.168.1.70'

config host
	option mac '94:57:A5:65:F6:88'
	option ip '192.168.1.82'

config host
	option mac '3C:A8:2A:24:B6:C0'
	option ip '192.168.1.83'

config host
	option mac '10:60:4B:AC:2C:70'
	option ip '192.168.1.84'

config host
	option mac 'A0:D3:C1:FE:4E:08'
	option ip '192.168.1.85'

config host
	option mac 'A0:42:3F:28:3B:55'
	option ip '192.168.1.86'

config host
	option mac 'AC:16:2D:AD:94:E8'
	option ip '192.168.1.87'

config host
	option mac '00:C0:B7:69:72:AE'
	option ip '192.168.1.93'

config host
	option mac '00:C0:B7:81:3C:3B'
	option ip '192.168.1.94'

config host
	option mac 'D8:9D:67:60:12:9C'
	option ip '192.168.1.109'

config host
	option mac '9C:B6:54:0C:CF:34'
	option ip '192.168.1.110'

config host
	option mac 'A0:42:3F:28:3B:57'
	option ip '192.168.1.111'

config host
	option ip '192.168.1.136'
	option name 'vcenter.local'
	option dns '1'
	option mac '00:0c:23:48:a4:12'

config host
	option mac '00:18:FE:E2:D7:20'
	option ip '192.168.1.143'

config host
	option mac '10:60:4B:B0:D4:D2'
	option ip '192.168.1.153'

config host
	option mac '00:50:56:BE:FC:82'
	option ip '192.168.1.155'

config host
	option mac '98:5D:AD:46:F6:15'
	option ip '192.168.1.175'

config host
	option mac '98:4B:E1:DF:79:00'
	option ip '192.168.1.196'

config host
	option mac '50:DC:E7:19:FE:62'
	option ip '192.168.1.209'

config host
	option mac '00:50:56:B0:95:86'
	option ip '192.168.1.219'

config host
	option mac '00:50:B6:28:CA:02'
	option ip '192.168.1.222'

config host
	option mac '00:25:90:CC:E4:10'
	option ip '192.168.1.225'

config host
	option mac 'F0:45:DA:4A:41:54'
	option ip '192.168.1.250'

config host
	option name 'pihole'
	option mac '00:50:56:B0:ED:19'
	option ip '192.168.1.2'

config domain
	option name 'vcenter.local'
	option ip '192.168.1.136'

config host
	option name 'openvpn'
	option ip '192.168.2.32'
	option mac '00:50:56:98:47:0B'

config host
	option name 'nextcloud'
	option ip '192.168.2.60'
	option mac '00:50:56:98:00:F6'

config host
	option name 'onlyoffice'
	option ip '192.168.2.111'
	option mac '00:50:56:98:52:98'

config host
	option name 'OpenWrt-WAX202-2'
	option ip '192.168.1.40'
	option mac '80:CC:9C:E7:A9:A5'

config dhcp 'guest'
	option interface 'guest'
	option limit '150'
	option leasetime '12h'
	option start '10'

config host
	option name 'DESKTOP-53KGUB8'
	option ip '192.168.1.31'
	option mac '00:50:56:B0:53:9B'

config host
	option name 'chia-ubuntu'
	option ip '192.168.1.97'
	option mac '00:50:56:98:C4:ED'

config host
	option name 'DESKTOP-Q3A1GUJ'
	option ip '192.168.1.193'
	option mac '00:50:56:B0:95:C4'

config host
	option name 'OpenWrt-Garage'
	option ip '192.168.1.42'
	option mac '80:CC:9C:E7:A9:A3'

config host
	option name 'plex-debian-on-ubuntu'
	option ip '192.168.1.101'
	option mac '00:50:56:98:21:D8'

config host
	option name 'KohlerGen'
	option ip '192.168.1.33'
	option mac '00:14:6F:23:E6:17'

config host
	option name 'openvpn'
	option ip '192.168.1.217'
	option mac '00:50:56:98:75:3A'

config dhcp 'jareds_vlan'
	option interface 'jareds_vlan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'jareds-vlan-vpn'
	option ip '10.10.10.133'
	option mac '00:50:56:98:FE:F5'
```
Thanks for posting your configs. Would you mind editing your post, though?
Without indentations the configuration text is harder to read. If you paste the information between two ``` blocks it'll preserve the spacing.
For example:

```
This is a header.
    And this is some indented text.
```
The highlighted button in this image will also achieve the same result:
Sorry.
Much better, thank you.
Looking through it now. Going to take a bit to digest.
Unless I'm missing something, it doesn't look like you have any explicit forwarding or rules configured for lan->vlan traffic and for vlan->lan traffic.
That might explain why nothing in lan can talk to anything in vlan and vice-versa.
No, I don't want the devices to be able to talk to each other locally; I want them to be able to talk over the internet. When I port forward something to the WAN, I want the VLAN to be able to type in the internet address and access it from the internet.
Ah, I see. In which case I reckon that @pavelgl's suggestion of using reflection may be the way to go.
But I must confess to some curiosity. What benefit do you perceive from your proposed approach?
OK, thanks, I'll try that out. Is there any way to do that in the GUI? I don't like using the CLI.
No idea; I've never played with NAT reflection. It might be possible in the GUI, but I wouldn't know where to look off the top of my head; possibly start with the Firewall section and see where you go from there.
The GUI does not expose everything that can be done at the CLI; it may be necessary to use the CLI for this.
OK, thanks, I'll try that out.
If you're intending to employ this for added "security", then be aware that it won't offer any extra security but it will impose a performance (and troubleshooting) hit. I appreciate you're running a ProLiant pizza box as the router, so the performance hit might be negligible, but it'll be there nonetheless. It's not the most efficient way of solving your problem.
It's just as safe (and more performant) to open up the IP addresses and ports you want to control by means of firewall traffic rules.
The reflection is for when you try to port forward from the same zone. To achieve it from another zone you need another redirect from wan to vlan100 with the destination IP of the server.
The current method achieved the goal I was looking for, but is there a way to set the reflection to be on for all zones by default, or is there a way I can include all zones simply when I add the reflection line in the CLI?
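As an added example (not code from the thread or from OpenWrt), the script below parses a firewall config in UCI syntax, reports which DNAT redirects a host in a given zone (here vlan100) cannot reach via the public address, and emits the uci commands that add that zone to reflection_zone. It assumes fw4's documented behaviour that a redirect is reflected only for its dest zone unless reflection_zone is set, and that an explicit reflection_zone list replaces that default (so the dest zone must be listed again); the sample config is a constructed cut-down copy of two redirects posted above, with the vlan100 one adjusted as the reply suggested.

```python
"""Which fw4 DNAT redirects can a host in a given zone reach via the WAN address?
Added example (not from the thread or OpenWrt).  Assumes fw4's reflection_zone
semantics: default = dest zone only; an explicit list replaces that default."""
import re

# Constructed sample: two redirects from the thread's /etc/config/firewall.
# The vlan100 one is adjusted as the reply suggested (dest 'vlan100') and
# given an explicit reflection_zone list that covers both internal zones.
SAMPLE_FIREWALL = """
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'plex'
	option src 'wan'
	option src_dport '32400'
	option dest_port '32400'
	option dest_ip '192.168.1.101'

config redirect
	option dest 'vlan100'
	option target 'DNAT'
	option name 'jareds-vlan-vpn'
	option src 'wan'
	option dest_ip '10.10.10.133'
	option src_dport '51825'
	option dest_port '51825'
	list reflection_zone 'lan'
	list reflection_zone 'vlan100'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value | [values]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # Split into words, keeping quoted values such as 'office smtp1' whole.
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        value = parts[2] if len(parts) > 2 else ''
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] == 'option' and sections:
            sections[-1][1][parts[1]] = value
        elif parts[0] == 'list' and sections:
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections


def reflection_zones(opts):
    """Zones whose hosts reach this redirect via the WAN address, or None when
    reflection does not apply (non-DNAT, reflection '0', disabled, or no dest)."""
    if opts.get('target', 'DNAT') != 'DNAT' or opts.get('reflection', '1') == '0':
        return None
    if opts.get('enabled', '1') == '0' or 'dest' not in opts:
        return None
    return set(opts.get('reflection_zone') or [opts['dest']])


def unreflected_redirects(sections, zone):
    """[(uci index, name)] of redirects a host in `zone` cannot reach via the WAN IP.
    The index counts every redirect section in file order, like firewall.@redirect[N]."""
    out = []
    for index, opts in enumerate(o for t, o in sections if t == 'redirect'):
        zones = reflection_zones(opts)
        if zones is not None and zone not in zones:
            out.append((index, opts.get('name', '')))
    return out


def uci_reflection_commands(sections, zone):
    """uci commands that add `zone` to reflection_zone on each affected redirect."""
    redirects = [o for t, o in sections if t == 'redirect']
    cmds = []
    for index, _name in unreflected_redirects(sections, zone):
        opts = redirects[index]
        if 'reflection_zone' not in opts:
            # An explicit list replaces the default, so keep the dest zone too.
            cmds.append(f"uci add_list firewall.@redirect[{index}].reflection_zone='{opts['dest']}'")
        cmds.append(f"uci add_list firewall.@redirect[{index}].reflection_zone='{zone}'")
    if cmds:
        cmds += ['uci commit firewall', '/etc/init.d/firewall restart']
    return cmds


if __name__ == '__main__':
    secs = parse_uci(SAMPLE_FIREWALL)
    for z in ('lan', 'vlan100'):
        print(z, 'cannot reach via WAN IP:', unreflected_redirects(secs, z))
    print('\n'.join(uci_reflection_commands(secs, 'vlan100')))
```

Run it against the real file with `parse_uci(open('/etc/config/firewall').read())` to list every redirect that still lacks reflection for a zone before applying the printed commands.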