Make server connected to LAN1 available on multiple VLANs

I have the following set up with 2 VLANs (planning to add more). Each VLAN has a separate SSID attached to a separate network interface, connected via separate VPNs.

My issue is that on vlan2, I can't access the home server I have plugged into LAN port 1 on my router.

What is the VLAN configuration I need for devices on LAN port 1 to be available to devices on either VLAN?

My network config
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxx'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ipv6='0'
network.@device[0].ports='eth0' 'lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.dns_search='lan'
network.lan.dns='192.168.1.xxx'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].vlan='1'
network.@bridge-vlan[0].ports='eth0:t*' 'lan1' 'lan2:u*' 'lan3:u*' 'lan4:u*'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='2'
network.@bridge-vlan[1].ports='eth0:t' 'lan1'
network.vlan2=interface
network.vlan2.proto='static'
network.vlan2.device='br-lan.2'
network.vlan2.ipaddr='192.168.2.1'
network.vlan2.netmask='255.255.255.0'
network.vlan2.type='bridge'
network.vlan2.dns='192.168.1.xx'
network.vlan2.dns_search='lan'
network.vlan2.delegate='0'
network.wgiot=interface
network.wgiot.proto='wireguard'
network.wgiot.private_key='xxx'
network.wgiot.addresses='xxx/16'
network.wgiot.dns_metric='10'
network.wgiot.dns='xxx' 'xxx'
network.@wireguard_wgiot[0]=wireguard_wgiot
network.@wireguard_wgiot[0].description='Imported peer configuration'
network.@wireguard_wgiot[0].public_key='xxx'
network.@wireguard_wgiot[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wgiot[0].endpoint_host='xxx'
network.@wireguard_wgiot[0].endpoint_port='xxx'
network.@wireguard_wgiot[0].persistent_keepalive='25'
network.@rule[0]=rule
network.@rule[0].in='vlan2'
network.@rule[0].lookup='1742'
network.@route[0]=route
network.@route[0].interface='wgiot'
network.@route[0].target='0.0.0.0'
network.@route[0].netmask='0.0.0.0'
network.@route[0].table='1742'
network.wgmvad=interface
network.wgmvad.proto='wireguard'
network.wgmvad.private_key='xxx'
network.wgmvad.defaultroute='0'
network.wgmvad.dns='192.168.1.xx'
network.wgmvad.addresses='xxx'
network.@wireguard_wgmvad[0]=wireguard_wgmvad
network.@wireguard_wgmvad[0].description='xx'
network.@wireguard_wgmvad[0].public_key='xxx'
network.@wireguard_wgmvad[0].allowed_ips='0.0.0.0/0' '::0/0'
network.@wireguard_wgmvad[0].endpoint_host='xxx'
network.@wireguard_wgmvad[0].endpoint_port='xxx'
network.@rule[1]=rule
network.@rule[1].in='lan'
network.@rule[1].lookup='1743'
network.@route[1]=route
network.@route[1].interface='wgmvad'
network.@route[1].target='0.0.0.0/0'
network.@route[1].netmark='0.0.0.0'
network.@route[1].table='1743'

Gracias :slight_smile:

Make a firewall rule allowing the traffic?

Unless I'm missing something, I don't see any PHY network device which VLAN2 has been assigned.


Sorry for the basic questions:

  1. Why would a PHY network device need to be assigned to VLAN2?

  2. How should such a firewall rule be configured? I tried adding lan as a forwarding zone from vlan2 as follows:

Because VLANs apply to Ethernet. If you're creating a network for Wi-Fi use only (on an all-in-one Wi-Fi router device), you don't need VLANs... all you need is another subnet.

Often, though, the network should be associated with a bridge.

Would you mind reposting your config in the standard text format (as compared to the uci readout)... I find it much easier to read.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you @psherman

Does br-lan not count as an ethernet device in this case? and by extension also br-lan.2, both of which vlan2 is associated with?

Output
{
	"kernel": "5.15.132",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r23995-ce7209bd21",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r23995-ce7209bd21"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdee:e1a2:9fc4::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns_search 'lan'
	list dns '192.168.1.100'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t*'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan1:t'

config interface 'vlan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	list dns '192.168.1.100'
	list dns_search 'lan'
	option delegate '0'

config interface 'wgiot'
	option proto 'wireguard'
	option private_key 'xxx='
	list addresses 'xxx'
	option dns_metric '10'
	list dns 'xxx'
	list dns 'xxx'

config wireguard_wgiot
	option description 'Imported peer configuration'
	option public_key 'xxx='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxx.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config rule
	option in 'vlan2'
	option lookup '1742'

config route
	option interface 'wgiot'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '1742'

config interface 'wgmvad'
	option proto 'wireguard'
	option private_key 'xxx='
	option defaultroute '0'
	list dns '192.168.1.100'
	list addresses 'xxx'

config wireguard_wgmvad
	option description 'xxx.conf'
	option public_key 'xxx='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'xxx'
	option endpoint_port '51820'

config rule
	option in 'lan'
	option lookup '1743'

config route
	option interface 'wgmvad'
	option target '0.0.0.0/0'
	option netmark '0.0.0.0'
	option table '1743'

# NOTE(review): '192.168.1.100/0' is a /0 prefix, i.e. it matches *every*
# destination, not just the server. Depending on how this rule is ordered
# relative to the 'in vlan2 / lookup 1742' rule above, it can send all vlan2
# traffic to the default table and so bypass the wgiot VPN entirely.
# A single host is /32.
config rule
	option in 'vlan2'
	option dest '192.168.1.100/0'
	option lookup 'default'

# NOTE(review): same /0 problem as the rule above; a host route needs /32.
config route
	option interface 'vlan2'
	option target '192.168.1.100/0'
	option table 'default'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '0'
	option cell_density '0'

# NOTE(review): this pre-shared key was posted unredacted in a public thread,
# so treat it as compromised and rotate it. It is also identical to the key on
# the trusted 'lan' SSID (default_radio1), which means anyone who can join the
# IoT Wi-Fi can also join the trusted segment - use a distinct key per network.
# 'sae-mixed' is the WPA2/WPA3 transition mode and still admits WPA2-PSK
# clients; that is usually required for IoT gear, but know it is not WPA3-only.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'vlan2'
	option mode 'ap'
	option ssid 'OpenWrt2'
	option encryption 'sae-mixed'
	option key 'owrt2023'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '0'
	option cell_density '0'

# NOTE(review): trusted-LAN SSID. Its key is the same string as the IoT SSID
# (default_radio0) and was posted publicly - rotate it and pick a key that is
# not shared with the IoT network, otherwise the VLAN split buys little.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'sae-mixed'
	option key 'owrt2023'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '11'
	option limit '150'
	option leasetime '2m'
	option dhcpv4 'server'
	option master '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan2'
	option interface 'vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wgiot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wgiot'
	option masq '1'

config forwarding
	option src 'wgiot'
	option dest 'wan'

# NOTE(review): 'input ACCEPT' on the IoT zone lets vlan2 devices reach the
# router's own services (ssh, LuCI, DNS) - the same level of trust the 'lan'
# zone gets. For an untrusted segment prefer input 'REJECT' plus explicit
# rules for what IoT clients actually need from the router (DHCP udp/67,
# DNS 53). As I read the OpenWrt zone semantics, 'forward ACCEPT' here only
# covers traffic between networks inside this zone; reaching the 'lan' zone
# still needs a 'config forwarding' or a specific rule.
config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan2'

config forwarding
	option src 'vlan2'
	option dest 'wgiot'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'wgmvad'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wgmvad'

config forwarding
	option src 'wgmvad'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wgmvad'

# NOTE(review): this opens the whole trusted 192.168.1.0/24 network to IoT
# devices. If the only requirement is reaching the server at 192.168.1.100,
# replace it with a 'config rule' (src 'vlan2', dest 'lan',
# dest_ip '192.168.1.100', the needed dest_port, target 'ACCEPT') so the rest
# of the trusted LAN stays unreachable from the IoT segment.
config forwarding
	option src 'vlan2'
	option dest 'lan'

yes... you've got a bridge already created and a bridge-vlan for this purpose, so that's fine.

Remove the `option type 'bridge'` from this; it shouldn't be in the network interface stanza (and you've already got the bridge defined with br-lan and br-lan.2). You can also remove the DNS-related options because they don't have an effect here.

You may need to remove (temporarily) your additional routes and rules... these are wrong, though... /0 means 'all IPs' -- it should be /32 if you're defining a single IP, or .0/24 if you're defining that network. (Separately, `option netmark` in the table-1743 route is a typo for `netmask`, so it is silently ignored; it is harmless there only because the target already carries /0.)


Also my apologies, I did see a br-lan.2. To be clear VLAN 2 is only associated with br-lan.2, though.

But is there a way to associate it with br-lan.1 as well? It seems I have to remove the association with br-lan.2 to associate with br-lan.1?

I tried editing the VLAN filtering so that data sent to LAN port 1 (my home server) is tagged for VLAN 1 and VLAN 2, but this makes it inaccessible from both.

Is there something I need to do on the home server (plugged into LAN port 1) for it to know that data coming in to it is tagged?

You're asking how to associate VLAN 1 with VLAN 2?

My simple answer is to make them one network - but I'm sure there's a reason you didn't do that?

Maybe I should note that when you append .x to an interface - that adds said VLAN tag.


Yes so essentially I would like VLAN 2 to be my IOT network.

I am trying to get it to connect with my home server (IP 192.168.1.100) which acts as a local DNS resolver too with pihole and is on VLAN 1.

When configuring my VLANs, I tried to set LAN 1 to tagged on both VLANs but the only way I can access the device is to keep it as Untagged on VLAN 1. I need to access it via VLAN 2 because the home server will control my IOT devices and filter DNS requests from IOT devices on VLAN2.


No... each network needs to be its own VLAN on its own bridge... associating one network with multiple bridges would be a problem. However...

What is your goal -- I'm guessing you have an idea of what port(s) for each VLAN.... please provide a port-by-port assignment strategy (which ports are members of what VLANs, and the tagged/untagged status you need from each port on each network). and we'll go from there.



I sketched out what I'm trying to achieve.

Based on my understanding of tagging, LAN ports 1 and 2 need to have VLAN tagging as they will get requests from devices on each VLAN. The eth/WAN port needs tagging too I believe.

LAN ports 3 and 4 will only be on VLAN 2 and therefore don't need tagging.

Ok... so I don't understand the 2 WANs you have shown in your diagram, but your lans seem pretty straight forward...

We'll start with just the network config, then we'll worry about the firewall later.

  • Ports 1 and 2 appear to be for direct connection to trusted lan devices (and an SSID for wifi).
  • Ports 3 and 4 appear to be connected directly to IoT devices (along with an SSID for IoT wifi devices).

Is that correct?


Yes, that's right, thank you for checking. The two WAN ports are just there to match the wan and wan6 entries, which are two separate interfaces.

Ok... so what you want will look like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

Once that is in place, devices connected to lan1 and lan2 should get addresses in the 192.168.1.0/24 network, and those connected to lan3 and lan4 will see 192.168.2.0/24.

Try that and let us know if that solves the first question/issue (i.e. network/physical port mapping).


Thanks. I've just set this up.

As it stands devices in the 192.168.2.0/24 network can't access my DNS server and docker host machine on the 192.168.1.0/24 network. Do I need firewall rules to enable this?

Taking a closer look it seems that either i) I'm setting up firewall rules incorrectly (I think less likely) or ii) Something in my VLAN configuration is making my firewall rules irrelevant.

Is there anything else I need to do for the devices plugged into LAN 1 and LAN 2 on my router to be available on both VLANs?

To answer that question it'd be useful to see your updated configs:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Sure I've added below. I deleted all my firewall rules so don't currently have any.

Configs

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdee:e1a2:9fc4::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'eth0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
list dns_search 'lan'
list dns '192.168.1.100'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'

config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0:t'
list ports 'lan1:u*'
list ports 'lan2:u*'

config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0:t'
list ports 'lan3:u*'
list ports 'lan4:u*'

config interface 'vlan2'
option proto 'static'
option device 'br-lan.2'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option delegate '0'

config interface 'wgiot'
option proto 'wireguard'
option private_key 'xxx='
list addresses 'xxx/16'
option dns_metric '10'
list dns '162.252.xxx'
list dns '149.154.xxx'

config wireguard_wgiot
option description 'Imported peer configuration'
option public_key 'xxx='
list allowed_ips '0.0.0.0/0'
option endpoint_host 'xxx.com'
option endpoint_port '51820'
option persistent_keepalive '25'

config rule
option in 'vlan2'
option lookup '1742'

config route
option interface 'wgiot'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '1742'

config interface 'wgmvad'
option proto 'wireguard'
option private_key 'xxx='
option defaultroute '0'
list dns '192.168.1.100'
list addresses 'xxx.75'

config wireguard_wgmvad
option description 'xxx.conf'
option public_key 'xxx='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'xxx.66'
option endpoint_port '51820'

config rule
option in 'lan'
option lookup '1743'

# NOTE(review): 'netmark' is a typo for 'netmask' and is ignored by netifd.
# It does no harm here because the target already carries the /0 prefix, but
# drop the line so the config does not mislead the next reader.
config route
option interface 'wgmvad'
option target '0.0.0.0/0'
option netmark '0.0.0.0'
option table '1743'

config device
option name 'br-lan.1'
option type '8021q'
option ifname 'br-lan'
option vid '1'
option ipv6 '0'

config device
option name 'br-lan.2'
option type '8021q'
option ifname 'br-lan'
option vid '2'
option ipv6 '0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection drops upstream answers that resolve to private addresses;
# if the Pi-hole below serves local names with 192.168.x.x answers they may be
# filtered unless the domain is listed in 'rebind_domain' - confirm.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
# NOTE(review): the router's dnsmasq now forwards to the Pi-hole at
# 192.168.1.100 as its upstream. Make sure the Pi-hole's own upstream is not
# 192.168.1.1, or queries will loop between the two resolvers.
list server '192.168.1.100'

config dhcp 'lan'
option interface 'lan'
option start '11'
option limit '150'
option leasetime '2m'
option dhcpv4 'server'
option master '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'vlan2'
option interface 'vlan2'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'wgiot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wgiot'
option masq '1'

# NOTE(review): this forwards traffic *arriving from* the VPN tunnel out to
# WAN (where the wan zone masquerades it). A VPN client normally only needs
# vlan2 -> wgiot forwarding (which exists below). Since the wgiot peer has
# allowed_ips 0.0.0.0/0, WireGuard will presumably accept packets with any
# source from that peer, so this looks like it lets the VPN provider use this
# router as an exit - confirm it is intended, otherwise remove it.
config forwarding
option src 'wgiot'
option dest 'wan'

# NOTE(review): 'input ACCEPT' on the IoT zone lets vlan2 devices reach the
# router's own services (ssh, LuCI, DNS). For an untrusted segment prefer
# input 'REJECT' plus explicit rules for what IoT clients need from the router
# (DHCP udp/67, DNS 53). As I read the OpenWrt zone semantics, 'forward ACCEPT'
# only covers traffic between networks inside this zone; reaching the 'lan'
# zone still needs a 'config forwarding' or a specific rule.
config zone
option name 'vlan2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan2'

config forwarding
option src 'vlan2'
option dest 'wgiot'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

config zone
option name 'wgmvad'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wgmvad'

# NOTE(review): same concern as the wgiot -> wan forwarding above: this lets
# traffic coming in from the wgmvad tunnel be forwarded to WAN. A VPN client
# only needs the lan -> wgmvad direction (defined below); unless this router
# is meant to act as an exit for the remote peer, remove it.
config forwarding
option src 'wgmvad'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'wgmvad'

You need to allow forwarding between devices in your two LANs. You can either do this by adding a `config forwarding` from the `vlan2` zone to the `lan` zone or, if you want to limit access (recommended for an IoT segment), add specific firewall rules that only allow the traffic you need — for example `src 'vlan2'`, `dest 'lan'`, `dest_ip '192.168.1.100'`, `dest_port '53'`, `target 'ACCEPT'` for DNS to the Pi-hole — so IoT devices can reach the server but not the rest of the trusted LAN. A forwarding or rule in the vlan2 → lan direction only lets IoT devices open connections; replies are handled by connection tracking. If the server should also initiate connections to the IoT devices (you mentioned it will control them), you need a matching lan → vlan2 forwarding or rule as well. Also note that your `vlan2` zone currently has `input 'ACCEPT'`, which lets IoT devices reach the router itself (ssh, LuCI); for an untrusted segment set it to `REJECT` and allow only DHCP (udp/67) and DNS (53) to the router.