Help with intra VLAN routing

I'm trying to set up the following:

WAN - OpenWrt router
      |- lan1
      |- lan2
      |- lan3
      `- lan4 - access point - n wifi devices

(luci git-21.222.69112-b41f377) / OpenWrt 19.07.7 r11306-c4a6851c72

All ports are their own untagged switch for the respective VLANs (lan4 is more complex: it has lan1 untagged for the AP admin interface, and lan4 tagged, and the AP is a switch which tags all client traffic, but that is not important, I think; only mentioning it in case I'm wrong).

DHCP is set up fine. Everything works perfectly and is restricted to its own subnet.

My problem is the firewall part. My goal is to have lan able to reach everything, and all the others going out only (later I plan to restrict traffic more, but I'm still failing on the basics).

At first I set up zones as:

  • zone1(lan1) -> wan: accept,accept,accept,[x] masquerade
  • zone2(lan2,3,4) -> wan: accept,accept,accept,[x] masquerade

(The above means, for line 1 for example: zone1, with covered networks lan1, allow forward to destination wan, then the input, output, forward policies.)

At this point all is fine. All devices access the internet via NAT. No cross subnet talk happens (except all lans can ping the router IPs, no matter the interface, which I dislike but haven't investigated)

My firewall troubles start when I try to add the rule "lan1 can access other lans", as such:

  • zone3(lan1) -> zone2(lan2,3,4): accept,accept,accept,[ ] masquerade

As soon as I press save on the dialog, luci ignores zone3 and changes zone1 to be:

  • zone1(lan1) -> wan,zone2(lan2,3,4): accept,accept,accept,[x] masquerade

That is, luci adds the target zone of the new rule (without masquerade) into the existing one that had masquerade... which will enable masquerade on everything, which is not my desire.

What am I doing wrong here?

Some progress! which i fear might be only half correct...

Added zone3 as:

  • lan -> zone2(lan2,3,4): reject,accept,accept,[ ] masquerade

and things seem to be working. I can connect to a host on LAN2 and LAN3 (e.g. from LAN1 (e.g., but not the other way around.

Does this sound correct? Input should be reject?

Something bad with the above 'solution' (maybe from being lazy): now all lans in zone2 can reach them across subnets, all routed happily by the central router.

Will not touch this now because this is good enough. But not what I expected.

Also tried to add:

  • zoneX(lan2,3,4) -> zone2(lan2,3,4): reject,reject,reject

and then tried

  • zoneY(lan2,3,4): reject, reject, reject

but neither did anything useful. Everything remains the same:

  • lan1 -> lan{2,3,4} works
  • lan{2,3,4} -> lan1 blocked
  • lan{2,3,4} -> lan{2,3,4} works (would like to be blocked)


Is this possible to do with luci? Or should I deep dive in iptables alone? I'm afraid it will be more trouble to understand all the 'base' rules already there for NAT.

Masquerade should not be enabled on any network except for your WAN.

But the best way to review this is to see your config files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Default policies for local zones should be accept,accept,reject or drop.
Masquerade on only for wan.

Inside each zone in luci under edit, there is "forward to zones" and "forward from zones". "Forward to" will allow communication from the originating zone, and automatically keep a channel open for the return connection, as it is an established connection already. So a ping or any other connection will work if the zone originates the request, even though the return path is not explicitly allowed.

But for the second zone to be able to originate an initial connection to the first zone, it has to be included in "from zones" in the first zone, or have "forward to" the first zone enabled in the edit settings of the second zone (same thing).

And this works only if under general settings forward is reject or drop. If it is accept, then everything is backwards: it will allow automatic forwarding to any zone from any zone that exists on the router, and you have to deny zones to zones under traffic rules.

To lock things down further, unprivileged zones can be drop,accept,drop. But that means the zone not only will not be able to ping the router itself, it will not be able to get DHCP nor DNS, and then you need extra DHCP and DNS allow traffic rules for the zone to the device.
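
Added example, not part of any post in this thread and not the poster's actual configuration: an /etc/config/firewall fragment that applies the advice above to the layout in the first post, with the zone `forward` policy set to REJECT so that networks sharing a zone are not routed to each other either. Assumptions: the zone names zone1 and zone2 follow the poster's labels, and the interfaces are named wan and lan1 to lan4 in /etc/config/network.

```uci
# Constructed fragment: zones and forwardings only.
# The stock wan traffic rules (DHCP renew, ICMP, ...) are left out.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	# Nothing is routed between zones unless a forwarding below allows it.
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Masquerade on the wan zone only.
	option masq '1'

config zone
	option name 'zone1'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'zone2'
	list network 'lan2'
	list network 'lan3'
	list network 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# The zone forward policy also covers traffic between the networks
	# inside this zone, so REJECT here blocks lan2 <-> lan3 <-> lan4.
	option forward 'REJECT'

config forwarding
	option src 'zone1'
	option dest 'wan'

config forwarding
	option src 'zone2'
	option dest 'wan'

# zone1 may open connections into zone2; replies come back through
# connection tracking. There is no zone2 -> zone1 forwarding.
config forwarding
	option src 'zone1'
	option dest 'zone2'
```

After editing, `/etc/init.d/firewall restart` applies the configuration.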

