Hi everyone,
I'm fairly new to OpenWRT and would appreciate some help. I've set up a small home lab with the following devices:
- Router: NanoPi R5S running OpenWRT
- Switch: Netgear GS308E with OpenWRT
- Access Point: Zyxel NWA50AX (managed via Nebula)
The network diagram is attached for reference.
I'm facing an issue where I can't reach the management IP of the switch (192.168.6.x subnet) from the rest of my network. Everything else (internet, routing, Wi-Fi) is working fine, but the switch's management interface is not accessible.
Any ideas on what might be wrong or what to check? I'm not sure if it's a VLAN/firewall issue or maybe a misconfiguration on the switch side.
Thanks in advance for your guidance!
R5S Configuration
root@LuviusWrt:~# ubus call system board
{
"kernel": "6.1.99",
"hostname": "LuviusWrt",
"system": "ARMv8 Processor rev 0",
"model": "FriendlyElec NanoPi R5S",
"board_name": "friendlyelec,nanopi-r5s",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "rockchip/armv8",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@LuviusWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00:ab:cd::/48'
option packet_steering '1'
config device
option name 'eth0'
option macaddr '6a:40:d9:70:20:d9'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
config device
option name 'eth1'
option macaddr '6a:40:d9:70:20:da'
config device
option name 'eth2'
option macaddr '6a:40:d9:70:20:da'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.6.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'WG'
option proto 'wireguard'
option private_key '+EQHDrQjOwQpaoBL0T/gbXlUlYo9tuEP3UPmsMhJ8kY='
option listen_port '51820'
list addresses '10.14.0.1/24'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth1:t'
list ports 'eth2:u*'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'eth1:t'
config interface 'vlanlan'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'vlanIOT'
option proto 'static'
option device 'br-lan.50'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'
config interface 'vlanguest'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
root@LuviusWrt:~# cat /etc/config/wireless
root@LuviusWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'vlanlan'
option interface 'vlanlan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlanIOT'
option interface 'vlanIOT'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlanguest'
option interface 'vlanguest'
option start '100'
option limit '150'
option leasetime '12h'
root@LuviusWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option fullcone '0'
option flow_offloading '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WG'
list network 'vlanlan'
list network 'vlanIOT'
list network 'vlanguest'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option fullcone4 '1'
option fullcone6 '1'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Reject-IPv6'
option family 'ipv6'
option src 'wan'
option dest '*'
option target 'REJECT'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WG'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.1.1'
option dest_port '51820'
Netgear Switch OpenWRT config
root@luviusSwitch:~# ubus call system board
{
"kernel": "5.10.134",
"hostname": "luviusSwitch",
"system": "RTL8380",
"model": "Netgear GS308T v1",
"board_name": "netgear,gs308t-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0-rc6",
"revision": "r19590-042d558536",
"target": "realtek/rtl838x",
"description": "OpenWrt 22.03.0-rc6 r19590-042d558536"
}
}
root@luviusSwitch:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8b:ea0c:4320::/48'
config device 'switch'
option name 'switch'
option type 'bridge'
option macaddr '94:18:65:65:7e:0c'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8'
config bridge-vlan 'lan_vlan'
option device 'switch'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8:u*'
config device
option name 'switch.1'
option macaddr '94:18:65:65:7e:0c'
config interface 'lan'
option device 'switch.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.6.4'
option gateway '192.168.6.1'
config bridge-vlan
option device 'switch'
option vlan '10'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
config bridge-vlan
option device 'switch'
option vlan '20'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
config bridge-vlan
option device 'switch'
option vlan '50'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
config device
option type '8021q'
option ifname 'switch.10'
option vid '10'
option name 'switch.10.10'
config device
option type '8021q'
option ifname 'switch.20'
option vid '20'
option name 'switch.20.20'
config device
option type '8021q'
option ifname 'switch.50'
option vid '50'
option name 'switch.50.50'
root@luviusSwitch:~# cat /etc/config/
dropbear luci rpcd ubootenv uhttpd
firewall network system ucitrack
root@luviusSwitch:~# cat /etc/config/dhcp
cat: can't open '/etc/config/dhcp': No such file or directory
root@luviusSwitch:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
