I need help accessing different VLAN

I made the switch from my provider's router (switched it into bridge mode) to my OpenWrt router (Banana Pi BPI-R3) yesterday. I did configure the OpenWrt device beforehand and "thought" I had everything figured out, which of course was not the case...

Internet is working, the devices are in the VLANs they are supposed to be in, but I can't access the IOT devices in the other VLAN (most are connected via Wifi, if that makes any difference).

The VLANs in question are 192.168.1.0/24 ("regular" zone) + 192.168.30.0/24 ("IOT" zone, VLAN 30). From what I have read so far, in most cases it is a firewall setting, but I can't figure out what I did wrong / what I need to change. I am also not entirely sure I did the tagging part correctly.

Firewall settings:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VLAN_IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN_IOT'

config zone
	option name 'VLAN_20'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN_20'

config forwarding
	option src 'VLAN_20'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'FTPRush'
	option src 'wan'
	option src_dport '8999'
	option dest_ip '192.168.1.233'
	option dest_port '8999'

config forwarding
	option src 'lan'
	option dest 'VLAN_IOT'

Network settings:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxx'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr 'xxxxxxxx'

config device
	option name 'wan'
	option macaddr 'xxxxxxxx'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'switch'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'switch'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'switch'
	option vlan '30'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'VLAN_IOT'
	option proto 'static'
	option device 'switch.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

config interface 'VLAN_20'
	option proto 'static'
	option device 'switch.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config device
	option name 'switch.30'
	option type '8021q'
	option ifname 'switch'
	option vid '30'

Can you ping the router IP from the different VLANs?

What does it mean?

When I'm connected to the "main gateway" 192.168.1.1 I can ping 192.168.30.1 but not one of the devices connected to it.

From 192.168.1.xxx I can ping 192.168.30.1 but not 192.168.30.xxx (a device).
From 192.168.30.xxx I cannot ping 192.168.1.1.

I bundled my LANs into a bridge called switch:

OK, but it is really strange. Untagged ports in different VLANs.

Forwarding FROM -> TO is configured in such a way, so you should add a forwarding from 30 to lan.
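The two points raised above (a port listed untagged in more than one bridge-vlan, and forwardings being one-directional zone pairs) are both things you can check mechanically from the config text instead of by trial and error. The following is an added example, not code from the thread or from OpenWrt: a small UCI parser that builds the zone-to-zone forwarding matrix from the firewall config and lists ports that appear untagged in several VLANs. The embedded sample configs are a trimmed, constructed copy of the poster's sections so the script runs offline; point `parse_uci` at the contents of `/etc/config/firewall` and `/etc/config/network` to run it against a real router. A one-way `lan -> VLAN_IOT` result with no reverse path is the usual least-privilege shape for an IoT segment (trusted side initiates, replies come back via conntrack), so the reverse entry should be added only if the IOT devices genuinely need to initiate connections.

```python
"""Audit OpenWrt UCI firewall/network text for inter-zone forwarding and VLAN port mistakes."""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the zone/forwarding sections from the thread.
FIREWALL_CFG = """
config defaults
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'

config zone
	option name 'VLAN_IOT'
	list network 'VLAN_IOT'

config zone
	option name 'VLAN_20'
	list network 'VLAN_20'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'VLAN_20'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'VLAN_IOT'
"""

# Constructed sample: trimmed copy of the bridge-vlan sections from the thread.
NETWORK_CFG = """
config bridge-vlan
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'switch'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'switch'
	option vlan '30'
	list ports 'lan1'
	list ports 'lan2'
"""

# UCI lines are "config <type> ['<name>']", "option <key> '<value>'" or "list <key> '<value>'".
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value | [values]}), ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {line!r}")
        kind, key, value = m.groups()
        if kind == 'config':
            cur = (key, {'.name': value})
            sections.append(cur)
        elif cur is None:
            raise ValueError("option/list before any config section")
        elif kind == 'option':
            cur[1][key] = value
        else:
            cur[1].setdefault(key, []).append(value)
    return sections


def forwarding_matrix(sections):
    """Policy for every ordered pair of distinct zones.

    Traffic between two zones is forwarded only when a 'config forwarding' with
    that exact src/dest exists; otherwise the 'defaults' forward policy applies.
    A forwarding is one-directional: lan -> VLAN_IOT says nothing about VLAN_IOT -> lan.
    """
    default, zones, explicit = 'REJECT', [], set()
    for stype, opts in sections:
        if stype == 'defaults':
            default = opts.get('forward', default)
        elif stype == 'zone':
            zones.append(opts['name'])
        elif stype == 'forwarding':
            explicit.add((opts['src'], opts['dest']))
    return {(s, d): ('ACCEPT' if (s, d) in explicit else default)
            for s in zones for d in zones if s != d}


def one_way_paths(matrix):
    """Zone pairs where src may initiate to dst but dst may not initiate back."""
    return sorted((s, d) for (s, d), pol in matrix.items()
                  if pol == 'ACCEPT' and matrix.get((d, s)) != 'ACCEPT')


def untagged_port_conflicts(sections):
    """Ports listed untagged (no ':t' flag) in more than one bridge-vlan of the same bridge.

    A bridge port carries untagged frames for a single VLAN (its PVID), so the
    same port untagged in VLAN 1 and VLAN 30 is ambiguous on ingress.
    """
    seen = defaultdict(list)
    for stype, opts in sections:
        if stype != 'bridge-vlan':
            continue
        for port in opts.get('ports', []):
            name, _, flags = port.partition(':')
            if 't' not in flags:
                seen[(opts['device'], name)].append(opts['vlan'])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == '__main__':
    fw = forwarding_matrix(parse_uci(FIREWALL_CFG))
    for pair, pol in sorted(fw.items()):
        print(f"{pair[0]:>9} -> {pair[1]:<9} {pol}")
    print("one-way:", one_way_paths(fw))
    print("untagged conflicts:", untagged_port_conflicts(parse_uci(NETWORK_CFG)))
```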

I'm not entirely sure, but I think it was the DNS server in the DHCP settings of the IOT VLAN. I added the DNS server (192.168.1.1) in the interface of my IOT VLAN (192.168.30.1) and I can now access the devices. I am using AdGuard.

It is a bad configuration. Check whether you can ping the CORRESPONDING IP of the router, so from 192.168.30.X ping 192.168.30.1, etc.

Has it been in default configuration?
