[Help] LAN to VLAN Routing Broken – Replies Not Reaching LAN Clients

Hi all,

I'm experiencing a strange issue with inter-VLAN routing on my OpenWrt router and would appreciate any help.

Setup:

Device: Raspberry Pi Compute Module 4 with DFRobot Router Board.
OpenWrt Version: 24.10.2 r28739-d9340319c6
Kernel: 6.6.93
Networking: VLANs on br-lan.X subinterfaces
e.g.
br-lan.10 Camera VLAN
br-lan.3 IoT VLAN
br-lan.4 Guest VLAN
br-lan.30 VPN VLAN

VLANs with forwarding allowed from LAN only

Issue:

Devices on the LAN (192.168.0.0/24) can no longer reach devices in my VPN_VLAN (192.168.30.0/24), even though this used to work, and all other VLANs (e.g. Cameras, IoT, Guests) are still reachable from the LAN.

Expected Behavior:

LAN --> VPN_VLAN traffic should work (one-way forward)
Devices on VPN VLAN should not reach LAN (no reverse forwarding rule)

Actual Behavior:

LAN --> 192.168.30.50, 192.168.30.60, 192.168.30.101 Ping/HTTP/VNC requests time out
LAN --> 192.168.30.1 pings okay
OpenWrt can ping 192.168.30.50, 192.168.30.60 (Docker containers) and 192.168.30.101 (Raspberry Pi host)
Tcpdump shows replies from 192.168.30.50 arriving on br-lan.30 but replies never show up on br-lan.99

Diagnostics:

tcpdump on OpenWrt
On VPN VLAN (br-lan.30):

ICMP echo request from 192.168.0.195 --> 192.168.30.50
ICMP echo reply from 192.168.30.50 --> 192.168.0.195
pings fine.

On LAN (br-lan.99):

Only requests seen from 192.168.0.195 --> 192.168.30.50
no ping replies.

conntrack -L | grep 192.168.30.50
no results.

Firewall Configuration:
PIA_VPN zone

config zone
   option name 'PIA_VPN'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   option network 'VPN_VLAN'

config forwarding
   option src 'lan'
   option dest 'PIA_VPN'

No reverse forwarding defined (VPN --> LAN). This is intentional for isolation; other VLANs, e.g. IoT --> LAN and Camera --> LAN, are working fine with no reverse forwarding.

What I've Tried:

Tcpdump confirms replies are received by the router but not forwarded.
rp_filter is disabled (/proc/sys/net/ipv4/conf/all/rp_filter = 0)
nf_call_iptables not present (same as other working VLANs)
Routing tables look correct.
Devices on VPN VLAN have correct gateways and are replying.

Working VLAN Example:

Camera VLAN br-lan.10

config zone
   option name 'Camera_Zone'
   option input 'DROP'
   option output 'ACCEPT'
   option forward 'DROP'
   option network 'Cameras'

config forwarding
   option src 'lan'
   option dest 'Camera_Zone'

Ping from LAN to 192.168.10.xx (Camera VLAN) works fine.

What could cause this single VLAN (192.168.30.0/24) to stop routing return traffic to the LAN, despite replies being visible on the router (via tcpdump), no conntrack entries appearing, and other VLANs working with the same config?

Any ideas would be appreciated!
Let me know if you want logs, uci show, or other configs.

Thanks in advance!

How did the problem start? Did you make any changes in cabling, software updates or anything?

Let’s see the complete config so we can understand the full context.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

DHCP config

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '0'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option boguspriv '0'
	option sequential_ip '1'
	option nonegcache '1'
	option enable_tftp '1'
	option tftp_root '/mnt/tftpboot/boot'
	option port '53'
	option cachesize '0'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option leasetime '24h'
	option start '101'
	option limit '99'
	list dhcp_option '3,192.168.0.1'
	list dhcp_option '15,lan'
	list dhcp_option '6,192.168.0.3'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option leasetime '1h'
	option start '50'
	option limit '100'
	list dhcp_option '6,192.168.0.3'
	list dhcp_option '3,192.168.5.1'
	list dhcp_option '15,lan'

config dhcp 'IOT'
	option interface 'IOT'
	option start '50'
	option limit '150'
	option leasetime 'infinite'
	list dhcp_option '3,192.168.3.1'
	list dhcp_option '6,192.168.0.3'
	list dhcp_option '15,lan'

config dhcp 'Cameras'
	option interface 'Cameras'
	option leasetime 'infinite'
	option start '100'
	option limit '50'
	list dhcp_option '3,192.168.10.1'
	list dhcp_option '6,192.168.0.3'
	list dhcp_option '15,lan'

config dhcp 'Security'
	option interface 'Security'
	option start '100'
	option leasetime '24h'
	option limit '50'
	list dhcp_option '3,192.168.20.1'
	list dhcp_option '6,192.168.0.3'
	list dhcp_option '15,lan'

config dhcp 'VPN_VLAN'
	option interface 'VPN_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '3,192.168.30.1'
	list dhcp_option '6,192.168.30.1, 1.1.1.1'

config dhcp 'STV'
	option interface 'STV'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list dhcp_option '3,192.168.40.1'
	list dhcp_option '6,192.168.0.3'
	list dhcp_option '15,lan'

config domain
	option name 'Wiser.lan'
	option ip '192.168.0.2'

config domain
	option name 'Deluge.lan'
	option ip '192.168.30.50'

config domain
	option name 'Wifi_Front.lan'
	option ip '192.168.0.5'

config domain
	option name 'WiFi_Rear.lan'
	option ip '192.168.0.10'

config domain
	option name 'Switch_Top.lan'
	option ip '192.168.0.11'

config domain
	option name 'Switch_Bottom.lan'
	option ip '192.168.0.12'

config domain
	option name 'Modulator.lan'
	option ip '192.168.0.253'

config domain
	option name 'PiHole.lan'
	option ip '192.168.0.3'

config domain
	option name 'Sondetracker1.lan'
	option ip '192.168.0.103'

config domain
	option name 'WiFi_IoT.lan'
	option ip '192.168.0.15'

config domain
	option name 'OpenHab.lan'
	option ip '192.168.0.100'

config domain
	option name 'HAS.lan'
	option ip '192.168.0.25'

config domain
	option name 'IPTV.lan'
	option ip '192.168.0.70'

config domain
	option name 'backup.lan'
	option ip '192.168.50.170'

config domain
	option name 'frigate.lan'
	option ip '192.168.0.4'

config domain
	option name 'Canon.lan'
	option ip '192.168.0.161'

config domain
	option name 'nas.lan'
	option ip '192.168.0.4'

config domain
	option name 'MQTT.lan'
	option ip '192.168.0.4'

config domain
	option name 'LcdProc.lan'
	option ip '192.168.0.30'

config domain
	option name 'NVR.lan'
	option ip '192.168.10.10'

config domain
	option name 'SonyTV.lan'
	option ip '192.168.40.11'

config domain
	option name 'Sheild.lan'
	option ip '192.168.40.10'

config domain
	option name 'Camera01.lan'
	option ip '192.168.10.11'

config domain
	option name 'Camera02.lan'
	option ip '192.168.10.12'

config domain
	option name 'Camera03.lan'
	option ip '192.168.10.13'

config domain
	option name 'Camera04.lan'
	option ip '192.168.10.14'

config domain
	option name 'Camera05.lan'
	option ip '192.168.10.15'

config domain
	option name 'Camera06.lan'
	option ip '192.168.10.16'

config domain
	option name 'Camera07.lan'
	option ip '192.168.10.17'

config domain
	option name 'Camera08.lan'
	option ip '192.168.10.18'

config domain
	option name 'Camera09.lan'
	option ip '192.168.10.19'

config domain
	option name 'Camera10.lan'
	option ip '192.168.10.20'

config domain
	option name 'Camera11.lan'
	option ip '192.168.10.21'

config domain
	option name 'Camera12.lan'
	option ip '192.168.10.22'

config domain
	option name 'Camera13.lan'
	option ip '192.168.10.23'

config domain
	option name 'Camera14.lan'
	option ip '192.168.10.24'

config domain
	option name 'Camera15.lan'
	option ip '192.168.10.25'

config domain
	option name 'Camera16.lan'
	option ip '192.168.10.26'

config domain
	option name 'Plug1.lan'
	option ip '192.168.3.57'

config domain
	option name 'Plug2.lan'
	option ip '192.168.3.64'

config domain
	option name 'Plug3.lan'
	option ip '192.168.3.63'

config domain
	option name 'TwinPlug.lan'
	option ip '192.168.3.54'

config domain
	option name 'Plug6.lan'
	option ip '192.168.3.50'

config domain
	option name 'Plug7.lan'
	option ip '192.168.3.62'

config domain
	option name 'Plug8.lan'
	option ip '192.168.3.58'

config domain
	option name 'Plug9.lan'
	option ip '192.168.3.52'

config domain
	option name 'Plug10.lan'
	option ip '192.168.3.66'

config domain
	option name 'Plug11.lan'
	option ip '192.168.3.192'

config domain
	option name 'Plug12.lan'
	option ip '192.168.3.69'

config domain
	option name 'Plug13.lan'
	option ip '192.168.3.67'

config domain
	option name 'PowerStrip.lan'
	option ip '192.168.3.61'

config domain
	option name 'MoonLamp.lan'
	option ip '192.168.3.70'

config domain
	option name 'OpenSprinkler.lan'
	option ip '192.168.3.56'

config domain
	option name 'Striplight.lan'
	option ip '192.168.3.60'

config domain
	option name 'Noddie.lan'
	option ip '192.168.3.65'

config domain
	option name 'Vtech.lan'
	option ip '192.168.3.51'

config domain
	option name 'VtechCamera.lan'
	option ip '192.168.3.53'

config domain
	option name 'IRBlaster1.lan'
	option ip '192.168.3.191'

config domain
	option name 'IRBlaster2.lan'
	option ip '192.168.3.194'

config domain
	option name 'AQS.lan'
	option ip '192.168.3.193'

config domain
	option name 'PowerMeter.lan'
	option ip '192.168.3.199'

config domain
	option name 'Google-Home-Mini-Laser.lan'
	option ip '192.168.3.185'

config domain
	option name 'Google-Home-Display-Bedroom.lan'
	option ip '192.168.3.186'

config domain
	option name 'Google-Home-Display-Kitchen.lan'
	option ip '192.168.3.187'

config domain
	option name 'Google-Home-Mini-Bedroom.lan'
	option ip '192.168.3.188'

config domain
	option name 'Google-Home-Mini-Office.lan'
	option ip '192.168.3.189'

config domain
	option name 'Google-Nest-DoorBell.lan'
	option ip '192.168.3.190'

config domain
	option name 'Elegoo.lan'
	option ip '192.168.3.59'

config domain
	option name 'K2.lan'
	option ip '192.168.3.2'

config domain
	option name 'K1.lan'
	option ip '192.168.3.3'

config domain
	option name 'Risco.lan'
	option ip '192.168.20.100'

config domain
	option name 'CNC.lan'
	option ip '192.168.4.50'

config domain
	option name 'Willow.lan'
	option ip '192.168.3.55'

config domain
	option name 'SondeTracker.lan'
	option ip '192.168.50.120'

config domain
	option name 'Kiosk.lan'
	option ip '192.168.0.115'

config domain
	option name 'ATAremote.lan'
	option ip '192.168.1.100'

config domain
	option name 'ATAhome.lan'
	option ip '192.168.0.81'

config domain
	option name 'Sondetracker2.lan'
	option ip '192.168.50.140'

config domain
	option name 'Streamio.lan'
	option ip '192.168.30.101'

config host
	option name 'PiHole'
	list mac 'Removed'
	option ip '192.168.0.3'

config host
	option name 'NAS.lan'
	list mac 'Removed'
	option ip '192.168.0.4'

config host
	option name 'HA'
	list mac 'Removed'
	option ip '192.168.0.25'

config host
	option name 'LcdProc'
	list mac 'Removed'
	option ip '192.168.0.30'

config host
	option name 'Frigate'
	list mac 'Removed'
	option ip '192.168.0.50'

config host
	option name 'IPTV'
	option ip '192.168.0.70'
	option dns '1'
	list mac 'Removed'

config host
	option name 'ATAhome'
	list mac 'Removed'
	option ip '192.168.0.81'

config host
	option name 'OpenHab'
	option ip '192.168.0.100'
	list mac 'Removed'

config host
	option name 'SondetrackerCNS'
	list mac 'Removed'
	option ip '192.168.0.103'

config host
	option name 'yoto-mini'
	option ip '192.168.0.107'
	option mac 'Removed'

config host
	option name 'Kiosk'
	list mac 'Removed'
	option ip '192.168.0.115'

config host
	option name 'Amys-Laptop'
	list mac 'Removed'
	option ip '192.168.0.116'

config host
	option name 'Kiosk3'
	list mac 'Removed'
	option ip '192.168.0.117'

config host
	option name 'Canon'
	option dns '1'
	list mac 'Removed'
	option ip '192.168.0.161'

config host
	option name 'iPhone'
	option ip '192.168.0.189'
	list mac 'Removed'

config host
	option name 'K2'
	option dns '1'
	list mac 'Removed'
	option ip '192.168.3.2'

config host
	option name 'K1'
	option ip '192.168.3.3'
	option dns '1'
	list mac 'Removed'

config host
	option name 'Plug6'
	option ip '192.168.3.50'
	list mac 'Removed'
	option dns '1'

config host
	option ip '192.168.3.51'
	option mac 'Removed'
	option name 'Vtech'

config host
	option name 'Plug9'
	list mac 'Removed'
	option ip '192.168.3.52'

config host
	option ip '192.168.3.53'
	option mac 'Removed'
	option name 'VtechCamera'

config host
	option name 'TwinPlug'
	option ip '192.168.3.54'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Willow'
	list mac 'Removed'
	option ip '192.168.3.55'

config host
	option name 'OpenSprinkler'
	option ip '192.168.3.56'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Plug1'
	option ip '192.168.3.57'
	option dns '1'
	list mac 'Removed'

config host
	option name 'Plug8'
	option ip '192.168.3.58'
	list mac 'Removed'
	option dns '1'

config host
	option name 'SaturnELEGOO'
	option ip '192.168.3.59'
	list mac 'Removed'
	option dns '1'

config host
	option name 'StripLight'
	option ip '192.168.3.60'
	list mac 'Removed'
	option dns '1'

config host
	option name 'PowerStrip'
	option ip '192.168.3.61'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Plug7'
	option ip '192.168.3.62'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Plug3'
	option ip '192.168.3.63'
	option dns '1'
	list mac 'Removed'

config host
	option name 'Plug2'
	option ip '192.168.3.64'
	option dns '1'
	list mac 'Removed'

config host
	option name 'Noddie'
	option dns '1'
	list mac 'Removed'
	option ip '192.168.3.65'

config host
	option name 'Plug10'
	list mac 'Removed'
	option ip '192.168.3.66'

config host
	option name 'Plug13'
	option ip '192.168.3.67'
	option mac 'Removed'

config host
	option name 'KC868-M16'
	list mac 'Removed'
	option ip '192.168.3.68'

config host
	option name 'Plug12'
	list mac 'Removed'
	option ip '192.168.3.69'

config host
	option name 'MoonLamp'
	option ip '192.168.3.70'
	list mac 'Removed'

config host
	option name 'Google-Home-Mini-Laser'
	option ip '192.168.3.185'
	option dns '1'
	list mac 'Removed'

config host
	option name 'Google-Home-Display-Bedroom'
	option ip '192.168.3.186'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Google-Home-Display-Kitchen'
	option ip '192.168.3.187'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Google-Home-Mini'
	option ip '192.168.3.188'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Google-Home-Mini-Office'
	option ip '192.168.3.189'
	list mac 'Removed'
	option dns '1'

config host
	option name 'Nest-Doorbell-Battery'
	option ip '192.168.3.190'
	list mac 'Removed'
	option dns '1'

config host
	option name 'IrBlaster1'
	option ip '192.168.3.191'
	option mac 'Removed'

config host
	option name 'Plug11'
	option ip '192.168.3.192'
	option mac 'Removed'

config host
	option name 'AQS'
	option ip '192.168.3.193'
	option mac 'Removed'

config host
	option name 'IrBlaster2'
	option ip '192.168.3.194'
	option mac 'Removed'

config host
	option name 'PowerMeter'
	option ip '192.168.3.199'
	option dns '1'
	list mac 'Removed'

config host
	option name 'CnC'
	list mac 'Removed'
	option ip '192.168.4.50'

config host
	option name 'NVR'
	list mac 'Removed'
	option ip '192.168.10.10'

config host
	option name 'Camera01'
	option ip '192.168.10.11'
	list mac 'Removed'

config host
	option name 'Camera02'
	list mac 'Removed'
	option ip '192.168.10.12'

config host
	option name 'Camera03'
	list mac 'Removed'
	option ip '192.168.10.13'

config host
	option name 'Camera04'
	option ip '192.168.10.14'
	list mac 'Removed'

config host
	option name 'Camera05'
	list mac 'Removed'
	option ip '192.168.10.15'

config host
	option name 'Camera06'
	list mac 'Removed'
	option ip '192.168.10.16'

config host
	option name 'Camera07'
	list mac 'Removed'
	option ip '192.168.10.17'

config host
	option name 'Camera08'
	option ip '192.168.10.18'
	list mac 'Removed'

config host
	option name 'Camera09'
	option ip '192.168.10.19'
	list mac 'Removed'

config host
	option name 'Camera10'
	list mac 'Removed'
	option ip '192.168.10.20'

config host
	option name 'Camera11'
	option ip '192.168.10.21'
	list mac 'Removed'

config host
	option name 'Camera12'
	option ip '192.168.10.22'
	list mac 'Removed'

config host
	option name 'Camera13'
	list mac 'Removed'
	option ip '192.168.10.23'

config host
	option name 'Risco'
	option ip '192.168.20.100'
	option dns '1'
	list mac 'Removed'
	option leasetime '3h'

config host
	option name 'Streamio'
	option ip '192.168.30.101'
	list mac 'Removed'

config host
	option name 'Sheild'
	list mac 'Removed'
	option ip '192.168.40.10'

config host
	option name 'SonyTV'
	option dns '1'
	list mac 'Removed'
	option ip '192.168.40.11'

Firewall config


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	list network 'WAN6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'SNMP'
	list proto 'udp'
	option src 'lan'
	option target 'ACCEPT'
	option dest_port '161'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option dest_port '33434-33689'

config rule
	option name 'OpenVPN'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '9411'
	option enabled '0'

config redirect
	option dest_port '8888'
	option src 'wan'
	option name 'Wiser'
	option src_dport '8888'
	option target 'DNAT'
	option dest_ip '192.168.0.2'
	option dest 'lan'
	option enabled '0'

config redirect
	option dest_port '8889'
	option src 'wan'
	option name 'Wiser1'
	option src_dport '8889'
	option target 'DNAT'
	option dest_ip '192.168.0.2'
	option dest 'lan'
	option enabled '0'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'Wiser2'
	option src_dport '8080'
	option target 'DNAT'
	option dest_ip '192.168.0.2'
	option dest 'lan'
	option enabled '0'

config zone
	option name 'Iot_Zone'
	option output 'ACCEPT'
	option input 'DROP'
	option forward 'DROP'
	list network 'IOT'

config forwarding
	option src 'lan'
	option dest 'Iot_Zone'

config rule
	option src 'Iot_Zone'
	option target 'ACCEPT'
	option name 'IOT DHCP'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '67 68'

config rule
	option src 'Iot_Zone'
	option target 'ACCEPT'
	option name 'IOT DNS'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option dest 'lan'
	list dest_ip '192.168.0.3'

config zone
	option name 'Guest_Zone'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Guest'

config forwarding
	option src 'lan'
	option dest 'Guest_Zone'

config forwarding
	option src 'Guest_Zone'
	option dest 'wan'

config rule
	option name 'IOT MQTT'
	option src 'Iot_Zone'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.0.4'

config rule
	option name 'Time Server'
	option src 'Iot_Zone'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option src 'Iot_Zone'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'IoT Internet'
	list src_ip '192.168.3.186'
	list src_ip '192.168.3.187'
	list src_ip '192.168.3.188'
	list src_ip '192.168.3.189'
	list src_ip '192.168.3.190'
	list src_ip '192.168.3.65'
	list src_ip '192.168.3.185'
	list src_ip '192.168.3.55'

config rule
	option name 'IOT ICMP'
	list proto 'icmp'
	option src 'wan'
	option dest 'Iot_Zone'
	option target 'ACCEPT'

config zone
	option name 'Camera_Zone'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Cameras'

config forwarding
	option src 'lan'
	option dest 'Camera_Zone'

config rule
	option name 'IOT ICMP outgoing'
	list proto 'icmp'
	option src 'Iot_Zone'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'OpenSprinkler Weather'
	list proto 'tcp'
	option src 'Iot_Zone'
	list src_ip '192.168.3.56'
	option dest 'wan'
	list dest_ip '216.239.35.0'
	list dest_ip '216.239.35.8'
	list dest_ip '216.239.35.12'
	list dest_ip '216.239.35.4'
	option target 'ACCEPT'

config rule
	option name 'Sprinkler Time'
	list proto 'udp'
	option src 'Iot_Zone'
	list src_ip '192.168.3.56'
	option src_port '123'
	option dest 'wan'
	list dest_ip '159.196.3.239'
	option target 'ACCEPT'

config rule
	option name 'Sprinkler Weather'
	list proto 'tcp'
	option src 'Iot_Zone'
	list src_ip '192.168.3.56'
	option dest 'wan'
	option target 'ACCEPT'
	list dest_ip '104.26.9.48'
	list dest_ip '172.67.72.67'
	list dest_ip '104.26.8.48'
	option dest_port '80'

config rule
	option name 'Iammeter Docker'
	list proto 'tcp'
	option src 'Iot_Zone'
	list src_ip '192.168.3.199'
	option dest 'lan'
	option dest_port '5050'
	option target 'ACCEPT'
	list dest_ip '192.168.0.4'

config rule
	option name 'IoT ICMP Local Router'
	list proto 'icmp'
	option src 'Iot_Zone'
	list dest_ip '192.168.3.1'
	option target 'ACCEPT'

config rule
	option name '3d Printer WAN Access'
	option src 'Iot_Zone'
	list src_ip '192.168.3.2'
	list src_ip '192.168.3.3'
	option dest 'wan'
	option target 'ACCEPT'

config zone
	option name 'Security'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'Security'

config forwarding
	option src 'lan'
	option dest 'Security'

config rule
	option name 'Security DHCP'
	option src 'Security'
	option dest_port '67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Security DNS'
	option src 'Security'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'lan'
	list dest_ip '192.168.0.3'

config rule
	option name 'Security Internet Access'
	option src 'Security'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.20.100'

config zone
	option name 'PIA_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VPN_VLAN'

config zone
	option name 'VPN_WAN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun1'
	list network 'vpn'

config rule
	option name 'VPN DHCP'
	option src 'PIA_VPN'
	option target 'ACCEPT'
	option dest_port '67 68'

config rule
	option name 'Deluge NFS'
	option src 'PIA_VPN'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option target 'ACCEPT'
	option dest_port '2049 20048 111'
	list src_ip '192.168.30.100'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config rule
	option name 'Wireguard'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51820'

config rule
	option name 'Camera DHCP'
	option src 'Camera_Zone'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'Camera DNS'
	option src 'Camera_Zone'
	option dest_port '53'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.0.3'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config rule
	option name 'TP-Link'
	option src 'Camera_Zone'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list src_ip '192.168.10.10'

config rule
	option name 'Camera Zone Time Server'
	option src 'Camera_Zone'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option name 'Guest DHCP'
	list proto 'tcp'
	list proto 'udp'
	option src 'Guest_Zone'
	option dest_port '67 68'

config rule
	option target 'ACCEPT'
	option name 'Guest DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'Guest_Zone'
	option dest_port '53'
	option dest 'lan'
	list dest_ip '192.168.0.3'

config rule
	option name 'CNC SMB access'
	list proto 'tcp'
	option src 'Guest_Zone'
	list src_ip '192.168.4.50'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option dest_port '139 445'
	option target 'ACCEPT'

config rule
	option name 'Guest TFTP access'
	option src 'Guest_Zone'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option dest_port '69'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'WireGuard Lan Access'
	option src 'Wireguard'
	option dest 'lan'
	option target 'ACCEPT'
	list src_ip '192.168.50.100'
	list src_ip '192.168.50.150'
	list src_ip '192.168.50.101'
	list src_ip '192.168.50.130'
	list src_ip '192.168.50.160'

config rule
	option name 'WireGuard IoT Access'
	option src 'Wireguard'
	option target 'ACCEPT'
	option dest 'Iot_Zone'
	list src_ip '192.168.50.150'
	list src_ip '192.168.50.100'
	list src_ip '192.168.50.130'
	list src_ip '192.168.50.160'

config rule
	option name 'Wireguard Camera Access'
	option src 'Wireguard'
	option dest 'Camera_Zone'
	option target 'ACCEPT'
	list src_ip '192.168.50.100'
	list src_ip '192.168.50.150'
	list src_ip '192.168.50.130'
	list src_ip '192.168.50.160'

config rule
	option name 'Backup SMB access'
	option src 'Wireguard'
	list src_ip '192.168.50.170'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '139 445 138'

config rule
	option name 'Backup LCDproc access'
	option src 'Wireguard'
	list src_ip '192.168.50.170'
	option dest 'lan'
	list dest_ip '192.168.0.30'
	option dest_port '13666'
	option target 'ACCEPT'

config zone
	option name 'STV_zone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'STV'

config forwarding
	option src 'STV_zone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'STV_zone'

config rule
	option name 'STV DHCP'
	option src 'STV_zone'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'STV DNS'
	option src 'STV_zone'
	option dest_port '53'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.0.3'

config rule
	option name 'STV IPTV'
	list proto 'udp'
	option src 'STV_zone'
	option dest 'lan'
	list dest_ip '192.168.0.70'
	option target 'ACCEPT'

config rule
	option name 'STV SMB Acsess'
	option src 'STV_zone'
	list dest_ip '192.168.0.4'
	option dest_port '139 445 138'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow SIP/RTP UDP'
	option src 'Wireguard'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	list src_ip '192.168.1.100'
	list src_ip '192.168.50.170'
	list proto 'udp'

config rule
	option name 'WireGuard to Deluge'
	option src 'Wireguard'
	option dest 'PIA_VPN'
	option target 'ACCEPT'
	list dest_ip '192.168.30.50'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Iperf Test'
	option src 'Wireguard'
	list src_ip '192.168.50.170'
	option dest 'lan'
	list dest_ip '192.168.0.195'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'Wireguard_PIA'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_PIA'
	option masq '1'

config forwarding
	option src 'PIA_VPN'
	option dest 'Wireguard_PIA'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config forwarding
	option src 'lan'
	option dest 'PIA_VPN'

PBR config


config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option procd_wan_interface 'WAN'
	list ignored_interface 'br-lan.3'
	list ignored_interface 'br-lan'
	list ignored_interface 'br-lan.4'
	list ignored_interface 'br-lan.10'
	list ignored_interface 'br-lan.20'
	list ignored_interface 'br-lan.40'
	list ignored_interface 'br-lan.99'
	list supported_interface 'WAN'
	list supported_interface 'vpn'
	list supported_interface 'wg_PIA'

config policy
	option name 'VLAN30 to VPN'
	option interface 'vpn'
	option src_addr '192.168.30.0/24'
	option dest_addr '!192.168.0.0/16'
	option enabled '0'

config policy
	option name 'VPN  via PIA'
	option src_port '8112'
	option dest_addr '192.168.30.0/24'
	option dest_port '8112'
	option interface 'wg_PIA'
	option enabled '0'

config dns_policy
	option name 'PIA DNS'
	option src_addr '192.168.30.0/24'
	option dest_dns 'wg_PIA'

config policy
	option name 'VPN VLAN via PIA_wg'
	option src_addr '192.168.30.0/24'
	option interface 'wg_PIA'

Network config


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:f4e6:e0f3::/48'
	option packet_steering '1'
	option ipv6 '0'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option device 'br-lan.99'
	option broadcast '192.168.0.255'
	option delegate '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option macaddr 'Removed'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'WAN6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option metric '2'
	option macaddr 'Removed'
	option auto '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config interface 'Guest'
	option proto 'static'
	option device 'br-lan.4'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.1'
	option broadcast '192.168.5.255'
	option delegate '0'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option broadcast '192.168.3.255'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config interface 'Cameras'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.10.255'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

config interface 'Security'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.20.255'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth0:t'

config interface 'VPN_VLAN'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.30.255'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.99'
	option type '8021q'
	option ifname 'br-lan'
	option vid '99'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'Removed'
	option listen_port 'Removed'
	list addresses '192.168.50.1/24'
	option delegate '0'

config wireguard_wg0
	option public_key 'Removed'
	option private_key 'Removed'
	option description 'Mobile'
	list allowed_ips '192.168.50.100/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option public_key 'Removed'
	option private_key 'Removed'
	option description 'GL_Router'
	list allowed_ips '192.168.50.150/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'Laptop'
	option public_key 'Removed'
	option private_key 'Removed'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.50.130/32'

config wireguard_wg0
	option description 'Mobile 2'
	option public_key 'Removed'
	option private_key 'Removed'
	list allowed_ips '192.168.50.101/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config wireguard_wg0
	option public_key 'Removed'
	option private_key 'Removed'
	option description 'Backup'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.50.170/32'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.1.100/32'

config wireguard_wg0
	option description 'SondeTracker 1'
	option public_key 'Removed'
	option private_key 'Removed'
	list allowed_ips '192.168.50.120/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'
	option ipv6 '0'

config interface 'STV'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.40.255'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'eth0:t'

config wireguard_wg0
	option description 'GL_Inet_1300'
	option public_key 'Removed'
	option private_key 'Removed'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.50.160/32'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

config wireguard_wg0
	option description 'Sondetracker 2'
	option public_key 'Removed'
	option private_key 'Removed'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.50.140/32'

config interface 'wg_PIA'
	option proto 'wireguard'
	option private_key 'Removed'
	list addresses 'Removed'
	list dns 'Removed'
	option delegate '0'

config wireguard_wg_PIA
	option description 'Imported peer configuration'
	option public_key 'Removed'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host 'Removed'
	option endpoint_port 'Removed'

config route
	option interface 'wg0'
	option target '192.168.1.0/24'
	option gateway '192.168.50.170'

Not sure when the issue started, as it's been a few weeks since I have needed to access anything on that particular VPN VLAN.
There have been no changes in cabling, and the only updates were on the server where the 2 Docker containers (192.168.30.50 and 192.168.30.60) reside; however, this is unlikely to have contributed, as the same issue exists for another host on that VLAN, 192.168.30.101, which is not a Docker container but a standalone Raspberry Pi.

If I use my laptop and connect it directly to the VLAN, it has no issue accessing any of the hosts on that network (Ping/HTTP/VNC etc.).
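One check worth running on the router at this point, added here as an example rather than taken from the thread, asks the kernel where a reply from each VPN VLAN host to the LAN client would actually be sent. Interface names and addresses are taken from the posted config and tcpdump (br-lan.99 for the LAN, br-lan.30 for the VPN VLAN, the three hosts, and 192.168.0.195 as the LAN client); the parsing assumes the field layout of iproute2's `ip route get` output, and the `iif` argument is used so the lookup is evaluated as a forwarded packet rather than locally generated traffic. With tcpdump showing the reply arrive on br-lan.30 and never leave on br-lan.99, the routing decision for that reply is the next thing to inspect: if the `dev` field is a WireGuard or tun interface, or a non-main `table` appears, a policy-routing rule (the fwmark/ip-rule kind PBR installs for its src_addr policies) is steering the return traffic away from the LAN, and the firewall forwarding rules never get a chance to apply.

```shell
#!/bin/sh
# Added example, not part of the thread: verify that a reply leaving the VPN VLAN
# towards a LAN client would egress the LAN interface, i.e. that no policy-routing
# rule (such as one installed by PBR) has captured the return path.
# Assumed from the posted config: LAN = br-lan.99 (192.168.0.0/24),
# VPN VLAN = br-lan.30 (192.168.30.0/24); host addresses are the ones in the thread.

LAN_DEV="br-lan.99"
LAN_CLIENT="192.168.0.195"
VLAN_DEV="br-lan.30"
VLAN_HOSTS="192.168.30.50 192.168.30.60 192.168.30.101"

# Pull the 'dev <name>' field out of one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]dev[[:space:]]\([^[:space:]]*\).*/\1/p'
}

# Pull the 'table <id>' field. iproute2 only prints it when the lookup ended in a
# table other than main, which is exactly what a fwmark/PBR rule causes.
route_table() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]table[[:space:]]\([^[:space:]]*\).*/\1/p'
}

# Succeeds when the route line says the reply would leave via the LAN interface.
reply_path_ok() {
    [ "$(route_dev "$1")" = "$LAN_DEV" ]
}

# One-line verdict for a route line; used by the live check below.
describe_route() {
    dev=$(route_dev "$1")
    tbl=$(route_table "$1")
    if reply_path_ok "$1"; then
        printf 'OK: reply egresses %s\n' "$dev"
    else
        printf 'BROKEN: reply egresses %s (table %s), not %s\n' "${dev:-?}" "${tbl:-main}" "$LAN_DEV"
    fi
}

# Live check: ask the kernel how it would route the reply for each VLAN host.
# 'iif' makes the lookup behave like a forwarded packet arriving on the VLAN,
# so policy rules keyed on the incoming interface or source address apply.
live_check() {
    for h in $VLAN_HOSTS; do
        line=$(ip route get "$LAN_CLIENT" from "$h" iif "$VLAN_DEV" 2>/dev/null | head -n 1)
        if [ -z "$line" ]; then
            printf '%s -> %s: no route (lookup failed)\n' "$h" "$LAN_CLIENT"
        else
            printf '%s -> %s: %s\n' "$h" "$LAN_CLIENT" "$(describe_route "$line")"
        fi
    done
    # Policy rules and conntrack state are the other two things to read alongside.
    ip rule show
    conntrack -L 2>/dev/null | grep -F "$LAN_CLIENT" || echo "no conntrack entries for $LAN_CLIENT"
}

if command -v ip >/dev/null 2>&1 && [ -d "/sys/class/net/$VLAN_DEV" ]; then
    live_check
else
    echo "live check skipped: run this on the OpenWrt router ($VLAN_DEV not present here)"
fi
```

Run it as-is on the router; on any other machine the live check is skipped, but the helper functions can still be fed saved `ip route get` lines to interpret output captured earlier. A `dev br-lan.99` verdict for every host means the return path is fine and the problem is in the firewall or bridge, whereas `dev wg_PIA` or `dev tun0` together with a numeric `table` points at the policy-routing rules listed by `ip rule show`.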

There's really a lot going on... I'd suggest starting by disabling PBR and your VPNs and seeing if that fixes the issue.


OK, so after stopping both WireGuard interfaces and PBR I was able to access hosts on the 192.168.30.xx VLAN again; however, after enabling them one at a time I can still access the VLAN without issues. I'm not sure why resetting the router made no difference but shutting down and manually restarting the interfaces did.
Anyway, I will mark this as resolved for now, and if it happens again I will hopefully be able to fix it by just restarting the services.
